Microsoft windows 2000 DNS manual DNS Admins Group, Aging and Scavenging

Page 28

DNS Admins Group

By default the DNS Admins group has full control of all zones and records in a Windows 2000 domain in which it is specified. In order for a user to be able to enumerate zones in a specific Windows 2000 domain, the user (or a group the user belongs to) must be enlisted in the DNS Admin group. At the same time it is possible that a domain administrator(s) may not want to grant such a high level of administration (full control) to all users listed in the DNS administrator group. The typical case would be if a domain administrator wanted to grant full control for a specific zone and read only control for other zones in the domain to a set of users.

Create the groups Zone1Admins, Zone2Admins, and so on for the zones 1,2, and so on respectively. Then the ACL for zone N will contain a group ZoneNAdmins with full control. At the same time all the groups Zone1Admins, Zone2Admins, and so forth will be included in the DNS Admins group. The DNS Admins group should have read permission only. Since a zone’s ACL always contains the DNS Admins group, all users enlisted in the Zone1Admins, Zone2Admins, and so forth will have read permission for all the zones in the Domain.

The DNS Admins group is configurable through the Active Directory Users and Computers manager.

Reserving Names

The default configuration, where any authenticated user may create a new name in a zone, may not be sufficient for some environments requiring a high level of security. In such cases, the default ACL can be changed to allow creation of objects in a zone only by certain groups or users. Per-namegranularity of ACLs provides another solution to this problem. An administrator may reserve a name in a zone leaving the rest of the zone open for creation of the new objects by all authenticated users. To do so an administrator needs to create a record for the reserved name and set the appropriate list of groups or users in the ACL. Then only the users listed in the ACL will be able to register another record under the reserved name.

Aging and Scavenging

With dynamic update, records are automatically added to the zone when computers and domain controllers are added. However, in some cases, they are not automatically deleted.

Having many stale resource records presents a few different problems. Stale resource records take up space on the server, and a server might use a stale resource record to answer a query. As a result, DNS server performance suffers.

To solve these problems, the Windows 2000 DNS server can scavenge stale records; that is, it can search the database for records that have aged and delete them. Administrators can control aging and scavenging by specifying the following:

Which servers can scavenge zones

Windows 2000 White Paper

22

Page 27 Page 29
Image 28
Page 27 Page 29
Contents Windows 2000 DNS Microsoft Corporation. All rights reserved Contents Designing a DNS Namespace for the Active Directory Summary Page DNS Fundamentals Name Services in Windows Standards and Additional ReadingHistory of DNS Draft-skwan-gss-tsig-04.txt GSS Algorithm for Tsig GSS-TSIGStructure of DNS Hierarchy of DNS Domain NamesInt/net/org Com Edu Gov Mil Army MicrosoftMit Mydomain DNS and InternetTTL Distributing the Database Zone Files and DelegationReplicating the DNS database Microsoft My domain ftp NtserverNEW Features of the Windows 2000 DNS Querying the DatabaseName Server Resolver Root-server Gov Whitehouse.gov Updating the DNS Database Time to Live for Resource RecordsActive Directory Service Storage Model Active Directory Storage and Replication IntegrationWindows 2000 White Paper Replication Model Controlling Access to ZonesZone Type Conversions Incremental Zone Transfer Protocol DescriptionDynamic Update Zone Log FileMaster DNS Server Slave DNS Server Ixfr and DS IntegrationUpdate Algorithm Dynamic Update of DNS RecordsMixed Environment Dhcp ClientStatically Configured Client Secure Dynamic UpdateRAS Client Client ReregistrationEstablishing a security context by passing security tokens Secure Dynamic Update Policy DnsUpdateProxy Group Controlling Update Access to Zones and NamesDNS Admins Group Aging and ScavengingAging and Scavenging Parameters DefaultEnableScavenging Description Scavenging PeriodRecord Life Span Configuring Scavenging Parameters Scavenging AlgorithmUnicode Character Support Interoperability ConsiderationsDomain Locator Finish DNS Record Registration and Resolver Requirements IP/DNS Compatible LocatorLdap.tcp.dc.msdcs.DnsDomainName Kerberos.tcp.dc.msdcs.DnsDomainName IP/DNS DC Locator Algorithm Discovering Site specific DCs FinishCaching Resolver Name Resolution Fully-Qualified QueryUsing Global Suffix Search Order Unqualified Single-Label QueryUsing Primary and Per-adapter Domain Names Unqualified Multi-Label QueryName Resolution Scenarios Unqualified Single-Label Query ScenariosFully-Qualified Query Scenarios Microsoft Implementation of Negative CachingDNS Server List Management Negative CachingWMI Support for DNS Server Administration Administrative ToolsDNS Manager Using Wins and Winsr Records Interoperability IssuesUsing UTF-8 Characters Format Receiving Non-RFC Compliant Data DNS Server PerformanceUtilization Server Capacity Planning Hardware components SizingInternet Access Considerations Choosing NamesWindows 2000 White Paper Windows 2000 White Paper Windows 2000 White Paper VPN Com Yyy.com Zzz.com Windows 2000 White Paper Primary Zone YYY corporation ZZZ corporation VPN Firewall Characters in Names Computer NamesFull computer name Per-Adapter NamingIntegrating ADS with Existing DNS Structure Domain name and sites. Active Directory domain name Migration to Windows 2000 DNS DNSDeploying DNS to Support Active Directory Partitioning, and Replication Choosing your ZonesUsing Automatic Configuration Wins ReferralIxfr For More Information IxfrWindows 2000 White Paper
Top Page Image Contents