Microsoft windows 2000 DNS manual Establishing a security context by passing security tokens

Page 25

algorithm defined in the Internet Draft “GSS Algorithm for TSIG (GSS-TSIG).” This algorithm is based on the Generic Security Service Application Program Interface (GSS-API) specified in RFC 2078. It provides security services independently of the underlying security mechanism, and separates the security services into the following processes:

Establishing a security context by passing security tokens.

Once a security context has been established, it has a finite lifetime during which it can be used to create and verify transaction signatures on messages between the two parties.

The sequence of events in the Secure Dynamic Update process is described below.

Find authoritative

Local name server

 

 

 

 

server

 

 

 

 

 

 

 

 

Result

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

Client

Find authoritative

 

 

 

 

 

 

server

 

 

 

 

 

 

Result

 

 

 

 

 

 

Attempt non-secure

 

 

 

 

 

 

update

 

 

 

 

 

 

Refused

 

 

 

 

 

 

TKEY negotiation

 

 

 

 

 

 

 

 

 

 

 

 

 

 

TKEY negotiation

 

 

 

 

 

 

TKEY negotiation (Kerberos)

 

 

 

 

 

 

 

 

 

 

 

 

 

 

TKEY negotiation (Kerberos)

 

 

 

 

 

 

TKEY negotiation (Kerberos)

 

 

 

 

 

 

 

TKEY negotiation (Kerberos)

 

 

 

 

 

 

Update with TSIG

 

Reply (Success or

Failure) with TSIG

Server

Active Directory

 

Attempt to Update Active

Directory with LDAP

Reply (Success or

Failure) with LDAP

Windows 2000 White Paper

19

Page 24 Page 26
Image 25
Page 24 Page 26
Contents Windows 2000 DNS Microsoft Corporation. All rights reserved Contents Designing a DNS Namespace for the Active Directory Summary Page DNS Fundamentals Standards and Additional Reading Name Services in WindowsDraft-skwan-gss-tsig-04.txt GSS Algorithm for Tsig GSS-TSIG History of DNSHierarchy of DNS Domain Names Structure of DNSCom Edu Gov Mil Army Microsoft Int/net/orgMit Mydomain DNS and InternetDistributing the Database Zone Files and Delegation TTLMicrosoft My domain ftp Ntserver Replicating the DNS databaseQuerying the Database NEW Features of the Windows 2000 DNSName Server Resolver Root-server Gov Whitehouse.gov Time to Live for Resource Records Updating the DNS DatabaseActive Directory Storage and Replication Integration Active Directory Service Storage ModelWindows 2000 White Paper Replication Model Controlling Access to ZonesZone Type Conversions Protocol Description Incremental Zone TransferZone Log File Dynamic UpdateMaster DNS Server Slave DNS Server Ixfr and DS IntegrationDynamic Update of DNS Records Update AlgorithmDhcp Client Mixed EnvironmentSecure Dynamic Update Statically Configured ClientRAS Client Client ReregistrationEstablishing a security context by passing security tokens Secure Dynamic Update Policy Controlling Update Access to Zones and Names DnsUpdateProxy GroupAging and Scavenging DNS Admins GroupAging and Scavenging Parameters DefaultEnableScavenging Scavenging Period DescriptionRecord Life Span Scavenging Algorithm Configuring Scavenging ParametersInteroperability Considerations Unicode Character SupportDomain Locator Finish IP/DNS Compatible Locator DNS Record Registration and Resolver RequirementsLdap.tcp.dc.msdcs.DnsDomainName Kerberos.tcp.dc.msdcs.DnsDomainName IP/DNS DC Locator Algorithm Finish Discovering Site specific DCsCaching Resolver Fully-Qualified Query Name ResolutionUnqualified Single-Label Query Using Global Suffix Search OrderUnqualified Multi-Label Query Using Primary and Per-adapter Domain NamesUnqualified Single-Label Query Scenarios Name Resolution ScenariosMicrosoft Implementation of Negative Caching Fully-Qualified Query ScenariosDNS Server List Management Negative CachingWMI Support for DNS Server Administration Administrative ToolsDNS Manager Using Wins and Winsr Records Interoperability IssuesUsing UTF-8 Characters Format Receiving Non-RFC Compliant Data DNS Server PerformanceUtilization Hardware components Sizing Server Capacity PlanningChoosing Names Internet Access ConsiderationsWindows 2000 White Paper Windows 2000 White Paper Windows 2000 White Paper VPN Com Yyy.com Zzz.com Windows 2000 White Paper Primary Zone YYY corporation ZZZ corporation VPN Firewall Computer Names Characters in NamesPer-Adapter Naming Full computer nameIntegrating ADS with Existing DNS Structure Domain name and sites. Active Directory domain name DNS Migration to Windows 2000 DNSPartitioning, and Replication Choosing your Zones Deploying DNS to Support Active DirectoryWins Referral Using Automatic ConfigurationIxfr Ixfr For More InformationWindows 2000 White Paper
Top Page Image Contents