Manuals / Microsoft / Computer Equipment / Server

Microsoft windows 2000 DNS manual Establishing a security context by passing security tokens

Models: windows 2000 DNS

1 70

Download 70 pages 57.46 Kb

Page 25

•Establishing a security context by passing security tokens.

algorithm defined in the Internet Draft “GSS Algorithm for TSIG (GSS-TSIG).” This algorithm is based on the Generic Security Service Application Program Interface (GSS-API) specified in RFC 2078. It provides security services independently of the underlying security mechanism, and separates the security services into the following processes:

•Establishing a security context by passing security tokens.

•Once a security context has been established, it has a finite lifetime during which it can be used to create and verify transaction signatures on messages between the two parties.

The sequence of events in the Secure Dynamic Update process is described below.

Find authoritative					Local name server
Find authoritative
server
					Result


Client					Find authoritative
					server
					Result
					Attempt non-secure
					update
					Refused
					TKEY negotiation

					TKEY negotiation
					TKEY negotiation (Kerberos)

					TKEY negotiation (Kerberos)
					TKEY negotiation (Kerberos)
					TKEY negotiation (Kerberos)
					Update with TSIG

Reply (Success or

Failure) with TSIG

Server	Active Directory

Attempt to Update Active

Directory with LDAP

Reply (Success or

Failure) with LDAP

Windows 2000 White Paper

19

Image 25

Microsoft windows 2000 DNS manual Establishing a security context by passing security tokens

Contents

Abstract Operating SystemWindows 2000 DNS White Paper1999 Microsoft Corporation. All rights reserved CONTENTS CONTENTSWHITE PAPER INTRODUCTIONDESIGNING A DNS NAMESPACE FOR THE ACTIVE DIRECTORY DESIGNING A DNS NAMESPACE FOR THE ACTIVE DIRECTORYGLOSSARY SUMMARYSUMMARY GLOSSARYPage DNS FUNDAMENTALS Standards and Additional Reading Name Services in WindowsHistory of DNS The Hierarchy of DNS Domain Names The Structure of DNSType of Organization DNS Domain NameDNS Domain Name Type of OrganizationClass DescriptionType DataReplicating the DNS database Querying the Database NEW FEATURES OF THE WINDOWS 2000 DNSThe following figure shows an example of both types of queries Updating the DNS Database Active Directory Storage and Replication Integration User Group Organizational Unit DnsZone DnsNode The Replication Model Controlling Access to ZonesZone Type Conversions Incremental Zone Transfer Dynamic Update The update sequence consists of the following steps DHCP Server Considerations Mixed EnvironmentDHCP Client RAS Client Statically Configured ClientClient Reregistration Dealing with Name ConflictsEstablishing a security context by passing security tokens Secure Dynamic Update Policy DnsUpdateProxy Group Reserving Names DNS Admins GroupAging and Scavenging Which zones can be scavenged Aging and Scavenging Parameters for Zones Configuration ToolZone Parameter DefaultEnableScavengingServer Parameter Aging and Scavenging Parameters for ServersConfiguration Tool DescriptionThe Figure below shows the life span of a scavengeable record The EnableScavenging parameter is set to 1 on the server Interoperability Considerations Unicode Character SupportThe Domain Locator Finish Collect the following info DNS Domain Name Domain GUID Site NameName or Domain GUID? Call IP/DNS compatible LocatorDNS Record Registration and Resolver Requirements ldap.tcp.SiteName.sites.dc.msdcs.DnsDomainName ldap.tcp.dc.msdcs.DnsDomainNameldap.tcp.pdc.msdcs.DnsDomainName ldap.tcp.gc.msdcs.DnsForestNamekerberos.tcp.dc.msdcs.DnsDomainName IP/DNS DC Locator Algorithm Discovering Site specific DCs Caching Resolver Fully-Qualified Query Unqualified Single-Label Query Using Global Suffix Search OrderUnqualified Multi-Label Query Using Primary and Per-adapter Domain NamesVALUE CONFIGURATION PARAMETERThe Unqualified Single-Label Query Scenarios Microsoft Implementation of Negative Caching The Fully-Qualified Query ScenariosDNS Server List Management Negative CachingAdministrative Tools DESIGNING A DNS NAMESPACE FOR THE ACTIVE DIRECTORY Interoperability Issuesupdates/sec Server configurationDNS Server Performance Queries/secHardware components Server Capacity PlanningSizing Choosing Names proxy unaware supporting LAT Local Address Table Expose only a public portion of the namespace to the Internet zone, that is, zzz.com., must also contain the zones containing all internal and external names of the merged companies first.yyy.com Windows 2000 White Papercorporation yyy.comPage Windows 2000 White Paper Windows 2000 White Paper corporation The solution of company YYY requires maintenance of the PAC file NetBIOS name Type Character Restrictions Maximum Length Name ServiceFull computer name Per-Adapter NamingIntegrating ADS with Existing DNS Structure domain name and sites. Active Directory domain name Upgrade to Windows Migration to Windows 2000 DNSWill your ADS overlap your DNS name Deploying DNS to Support Active Directory SUMMARYGLOSSARY ADS Integration IXFR Dynamic Update and Secure Dynamic Update IXFR For More InformationUCS-2-Also known as Unicode is a character encoding protocol