Microsoft Windows 2000 DNS manual, Windows 2000 White Paper


strongly discouraged, since it may lead to ambiguity in the name resolution process.

In this section the focus is on the design of private namespaces and the configuration of the DNS servers and zones. The specifics of two different designs are presented by considering two companies that use private namespaces of different structure. These two companies, YYY and ZZZ Corporations, have reserved the DNS domain name suffixes yyy.com. and zzz.com.

The general approach to DNS configuration is to have internal DNS servers (accessible from internal clients only) and external DNS servers. The external DNS servers hold the records that are meant to be exposed to the Internet. The internal DNS namespace may contain a private root, in which case every internal client that is expected to need name resolution must support a Name Exclusion List or a Proxy Autoconfiguration File, so that it can decide for each name whether to send the request to the proxy server or to the internal DNS server. An alternative approach is to configure the internal DNS server(s) to forward unresolved queries to the Internet.

Depending on the type of clients that require DNS name resolution, the DNS configuration may be quite different. Four types of clients are distinguished based on their proxy software capability:

proxy unaware,

supporting LAT (Local Address Table),

supporting Name Exclusion List, and

supporting Proxy AutoConfiguration File.

If name resolution is required by proxy-unaware clients, or by clients that support only LAT, then the private DNS namespace cannot have a private root, and one or more internal DNS servers must forward unresolved queries to the Internet. Such clients cannot decide per name whether to use the proxy, so every name they need must be resolvable through the internal DNS server.

As recommended in the previous section, the desired internal namespaces are corp.yyy.com. and corp.zzz.com.

If the internal and external namespaces overlap, the configuration becomes more complicated. An example of such an overlap is the external web server www.yyy.com. and the internal computer host1.yyy.com., both directly under the yyy.com. suffix. This approach introduces the following complications to the internal DNS configuration:

to enable an internal computer to resolve the name of an external server and contact it, all clients must support a Proxy AutoConfiguration File (the internal DNS server is authoritative for yyy.com., so a query for www.yyy.com. is answered from the internal zone rather than forwarded), unless either the external servers are cloned internally and the external DNS records are copied into the internal zone (which increases the total cost of ownership because of the additional hardware and administration required), or the external DNS records are copied into the internal zone and the firewall is configured to let internal clients contact the external servers directly;

if all clients support a Proxy AutoConfiguration File, then the file must be configured to distinguish internal from external computers that share the same suffix (as in the example above, with the external www.yyy.com. and the internal computer host1.yyy.com.); a rule that matches on the suffix alone cannot tell them apart.
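The Proxy AutoConfiguration File for the overlapping YYY namespace, as an added example that is not part of the white paper: it encodes the split the text describes (corp.yyy.com. internal, www.yyy.com. external, host1.yyy.com. internal but under the shared yyy.com. suffix) and shows a suffix-only rule beside the corrected rule. The proxy address proxy.corp.yyy.com:8080 and the stand-in implementations of the PAC built-ins isPlainHostName() and dnsDomainIs() are assumptions, included only so the script runs outside a browser.

```javascript
// Added example (not from the white paper): a PAC script for YYY Corporation.
// From the page: corp.yyy.com. is the internal namespace, www.yyy.com. is an
// external web server, host1.yyy.com. is an internal computer.
// Assumed for illustration: the proxy address proxy.corp.yyy.com:8080.

// Browsers supply isPlainHostName() and dnsDomainIs() as PAC built-ins.
// Equivalent implementations are included so the script also runs under Node.
function isPlainHostName(host) {
  return host.indexOf(".") === -1;
}

// True when host ends with domain. Callers pass the domain with a leading
// dot (".yyy.com") so that look-alike names such as evilyyy.com do not match.
function dnsDomainIs(host, domain) {
  return host.length >= domain.length &&
    host.substring(host.length - domain.length) === domain;
}

var PROXY = "PROXY proxy.corp.yyy.com:8080";

// Internal hosts that sit directly under the shared yyy.com. suffix. The
// suffix alone cannot distinguish them from external servers such as
// www.yyy.com, so they are enumerated explicitly.
var INTERNAL_HOSTS_UNDER_SHARED_SUFFIX = ["host1.yyy.com"];

// The weak configuration: a suffix-only rule. Every name ending in .yyy.com
// goes DIRECT, so www.yyy.com is resolved against the internal DNS server,
// which is authoritative for yyy.com and does not hold that record.
function findProxyNaive(url, host) {
  host = host.toLowerCase();
  if (isPlainHostName(host) || dnsDomainIs(host, ".yyy.com")) {
    return "DIRECT";
  }
  return PROXY;
}

// The corrected configuration. DIRECT is returned only for names the internal
// DNS server can resolve: single-label names (completed by the client's
// suffix search list), the private corp.yyy.com subtree, and the explicitly
// listed internal hosts under the shared suffix. Everything else, including
// www.yyy.com, is handed to the proxy server.
function FindProxyForURL(url, host) {
  host = host.toLowerCase();
  if (isPlainHostName(host)) {
    return "DIRECT";
  }
  if (dnsDomainIs(host, ".corp.yyy.com")) {
    return "DIRECT";
  }
  for (var i = 0; i < INTERNAL_HOSTS_UNDER_SHARED_SUFFIX.length; i++) {
    if (host === INTERNAL_HOSTS_UNDER_SHARED_SUFFIX[i]) {
      return "DIRECT";
    }
  }
  return PROXY;
}
```

In a browser the built-in dnsDomainIs() and isPlainHostName() take the place of the stand-ins and the rest is an ordinary PAC file. Two checks are worth keeping when maintaining it: match suffixes with a leading dot (".yyy.com", not "yyy.com"), otherwise a registered look-alike such as evilyyy.com is also treated as internal; and add every new internal host under the shared suffix to the explicit list, because no suffix rule can pick it up without also capturing the external servers.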

