Microsoft Windows 2000 DNS Manual: Windows 2000 White Paper

Page 54

The following DNS configuration and name-resolution scenarios are considered in detail for the case of overlapping internal and external namespaces, since that is the most complicated case.

It is assumed that the namespaces of both companies consist only of names within an NSI-assigned domain, that is, yyy.com. and zzz.com. It is also assumed that all computers in the YYY Corporation are proxy clients that support a Proxy AutoConfiguration File, while none of the computers in the ZZZ Corporation are proxy clients. The goal in this section is to demonstrate the appropriate configuration of the DNS servers, zones, and clients to satisfy the following requirements:

Expose only a public portion of the namespace to the Internet,

Enable a company computer to resolve any (internal or external) names within its company,

Enable a company computer to resolve any name from the Internet.

Finally, assume that the two corporations have merged, so that every computer in these two private namespaces should now be able to resolve any (internal or external) name, not only within the namespace of its own company but within the namespace of the merged company as well.

The following solution will satisfy all four of these requirements.

Two DNS servers exposed to the Internet are authoritative for the two zones yyy.com. and zzz.com., as shown in the figure below. (To simplify the example, one server and one zone per company have been chosen. In practice a company may have more servers and zones, such as first.yyy.com., second.yyy.com., and so forth.) These zones contain only the records for external names and the delegations of the YYY and ZZZ Corporations; in other words, only those records that the two companies wish to expose to the outside world. This part of the solution is common to both companies; the rest of the design differs between them.

First consider the private namespace design and the configuration of the DNS servers, zones, and clients when the company's computers are not proxy clients, as in the ZZZ Corporation.

A company must dedicate a set of DNS servers that are not exposed to the Internet to maintain zones containing all names (both internal and external) from the company namespace. Every DNS client must send its DNS queries to some of these internal DNS servers. Every internal DNS server must forward the queries it cannot resolve to a pre-assigned forwarder or forwarders. If a DNS server hosts the top-level company namespace zone, that is, zzz.com., its forwarders are the DNS server(s) exposed to the Internet; the communication between the internal and external servers passes through the firewall. Every other internal DNS server forwards unresolved queries to a DNS server that hosts the top-level company namespace zone.
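The resolution chain described above can be checked with a small model. The following Python script is an added example and is not part of the white paper or of any Microsoft tool; it models the ZZZ Corporation design (internal servers holding the full namespace, a top-level internal server forwarding through the firewall to the exposed server, and an Internet-side resolver that only knows the public zone) and traces which servers each query visits. All server names, zone contents and addresses are constructed for the example. It also shows the failure mode the design guards against: an internal server that is authoritative for zzz.com. answers NXDOMAIN for a public name it does not hold instead of forwarding, so the internal zone must carry the external names too.

```python
"""Toy model of the split-namespace DNS design for a company whose
clients are not proxy clients (the ZZZ Corporation case).

Servers (all constructed for this example):
  internet     - stands in for the public DNS: knows the delegations of
                 yyy.com. and zzz.com. to the exposed servers and holds one
                 public name, www.example.net.
  ext-zzz      - exposed server, authoritative for the public zzz.com. zone
                 (external names only); forwards everything else to the Internet.
  int-zzz-top  - internal server holding the full zzz.com. zone (internal and
                 external names); forwards through the firewall to ext-zzz.
  int-zzz-hr   - internal server holding hr.zzz.com.; forwards to int-zzz-top.
"""

NXDOMAIN = "NXDOMAIN"   # authoritative "no such name"
SERVFAIL = "SERVFAIL"   # nobody in the chain could answer


class DnsServer:
    def __init__(self, name, zones, forwarders=(), delegations=None):
        self.name = name
        self.zones = zones                      # zone -> {fqdn: address}
        self.forwarders = list(forwarders)      # tried in order on a miss
        self.delegations = delegations or {}    # child zone -> its server

    @staticmethod
    def _in_zone(qname, zone):
        return qname == zone or qname.endswith("." + zone)

    def _zone_for(self, qname):
        # Longest zone this server hosts that contains qname, if any.
        for zone in sorted(self.zones, key=len, reverse=True):
            if self._in_zone(qname, zone):
                return zone
        return None

    def resolve(self, qname, trace):
        trace.append(self.name)
        # A delegated child zone is served by the child's server.
        for zone, server in self.delegations.items():
            if self._in_zone(qname, zone):
                return server.resolve(qname, trace)
        zone = self._zone_for(qname)
        if zone is not None:
            # Authoritative: answer from the zone and never forward, even on a
            # miss.  This is why the internal zone must carry every name the
            # company wants resolvable, public names included.
            return self.zones[zone].get(qname, NXDOMAIN)
        for fwd in self.forwarders:
            answer = fwd.resolve(qname, trace)
            if answer != SERVFAIL:
                return answer
        return SERVFAIL


# Constructed zone data (documentation/private address ranges).
PUBLIC_ZZZ = {"www.zzz.com": "203.0.113.10", "mail.zzz.com": "203.0.113.25"}
INTERNAL_ONLY_ZZZ = {"dc1.zzz.com": "10.1.0.5", "intranet.zzz.com": "10.1.0.20"}
HR_ZZZ = {"payroll.hr.zzz.com": "10.1.7.3"}


def build_zzz_network(internal_has_public_names=True):
    """Wire up the servers; set the flag False to reproduce the misconfiguration
    where the internal zone omits the public names."""
    ext_yyy = DnsServer("ext-yyy", {"yyy.com": {"www.yyy.com": "198.51.100.10"}})
    ext_zzz = DnsServer("ext-zzz", {"zzz.com": PUBLIC_ZZZ})
    internet = DnsServer("internet", {"example.net": {"www.example.net": "192.0.2.80"}},
                         delegations={"yyy.com": ext_yyy, "zzz.com": ext_zzz})
    ext_yyy.forwarders = [internet]
    ext_zzz.forwarders = [internet]
    internal_zone = dict(INTERNAL_ONLY_ZZZ)
    if internal_has_public_names:
        internal_zone.update(PUBLIC_ZZZ)
    int_hr = DnsServer("int-zzz-hr", {"hr.zzz.com": HR_ZZZ})
    int_top = DnsServer("int-zzz-top", {"zzz.com": internal_zone},
                        forwarders=[ext_zzz],                 # through the firewall
                        delegations={"hr.zzz.com": int_hr})
    int_hr.forwarders = [int_top]
    return {s.name: s for s in (internet, ext_yyy, ext_zzz, int_top, int_hr)}


def query(servers, first_server, qname):
    """Resolve qname starting at the server a client is configured to use;
    returns (answer, list of servers visited in order)."""
    trace = []
    return servers[first_server].resolve(qname, trace), trace


if __name__ == "__main__":
    net = build_zzz_network()
    for who, name in [("int-zzz-hr", "dc1.zzz.com"), ("int-zzz-hr", "www.example.net"),
                      ("int-zzz-hr", "www.yyy.com"), ("internet", "intranet.zzz.com")]:
        print(who, name, query(net, who, name))
    print("missing public names:", query(build_zzz_network(False), "int-zzz-hr", "www.zzz.com"))
```

The last line of the script is the check a practitioner wants before going live: with the public names left out of the internal zzz.com. zone, an internal client gets NXDOMAIN for www.zzz.com from int-zzz-top and the query never reaches the exposed server. The trace for intranet.zzz.com queried from the Internet side stops at ext-zzz with NXDOMAIN, which is the "expose only the public portion" requirement; the firewall rule that carries the remaining traffic should permit DNS only from the internal top-level servers to the exposed servers, so no other internal host can speak DNS to the Internet directly.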

To guarantee that a company client is able to resolve any hostname from the merged companies every DNS server containing a top-level company namespace
