Windows Server 2003 DNS 安裝設定與管理維護 林寶森

What Is a Domain Namespace? Root Domain Subdomains Second-Level Domain Top-Level Domain FQDN: server1.sales.south.nwtraders.com FQDN: server1.sales.south.nwtraders.com south nwtraders com sales west east org net Host: server1

Overview of the DNS Query Process Query Types Iterative Query The DNS server returns the best answer that it can provide without help from other servers Recursive Query The DNS server returns a complete answer to the query, not a pointer to another DNS server Lookup Types Forward Lookup Requires name-to-address resolution Reverse Lookup Requires address-to-name resolution

How Recursive Queries Work Computer1 Recursive query for mail1.nwtraders.com A recursive query is a query made to a DNS server, in which the DNS client asks the DNS server to provide a complete answer to the query DNS server checks the forward lookup zone and cache for an answer to the query Database Local DNS Server

How Iterative Queries Work An iterative query is a query made to a DNS server in which the DNS client requests the best answer that the DNS server can provide without seeking further help from other DNS servers. The result of an iterative query is often a referral to another DNS server lower in the DNS tree Computer1 Local DNS Server Local DNS Server nwtraders.com Root Hint (.).com Recursive query for mail1.nwtraders.com Iterative Query Ask.com Ask nwtraders.com Authoritative Response

How Root Hint Works Root hints are DNS resource records stored on a DNS server that list the IP addresses for the DNS root servers microsoft Corp. or ISP DNS Servers Corp. or ISP DNS Servers Root Hints Local DNS Server Local DNS Server InterNIC Root (.) Servers InterNIC Root (.) Servers com Computer1

How Forwarders Work A forwarder is a DNS server designated by other internal DNS servers to forward queries for resolving external or offsite DNS domain names Computer1 nwtraders.com Root Hint (.).com Iterative Query Ask.com Ask nwtraders.com Authoritative Response Local DNS Server Local DNS Server Forwarder Recursive query for mail1.nwtraders.com Recursive Query

What Is a DNS Zone? Nwtraders West South Support Sales Training North

What Are DNS Zone Types? ZonesDescription Primary Read/write copy of a DNS database Secondary Read-only copy of a DNS database Stub Copy of a zone containing limited records Read/Write Read-Only Copy of limited records

Selecting Zone Data Location Standard Zones Primary ZoneSecondary Zone Change Zone Transfer Active Directory Integrated Zones Change Zone Transfer

Configuring Standard Zones You can configure a DNS server to host standard primary zones, standard secondary zones, or any combination of zones You can designate a primary server or a secondary server as a master server for a standard secondary zone DNS Server A A DNS Server B B Secondary Zone (Master DNS Server = DNS Server A) C DNS Server C Secondary Zone (Master DNS Server = DNS Server A) Primary Zone Zone Information

What Are Resource Records and Record Types? Record typeDescription AResolves a host name to an IP address PTRResolves an IP address to a host name SOAThe first record in any zone file SRVResolves names of servers providing services NSIdentifies the DNS server for each zone MXThe mail server CNAMEResolves from a host name to a host name

Zone Transfer Process A Zone Transfer is Initiated When –A master DNS server sends notification of zone changes to the secondary server or servers –The secondary server queries a master DNS server for changes to the zone file DNS Server (Master) nwtraders training support Primary Zone Database File Secondary Zone Database File DNS Server Zone 1

Configuring Zone Transfers Zone Transfer Types –Full zone transfer (AXFR) –Incremental zone transfer (IXFR) Configuring Zone Transfer Properties Configuring DNS Notify Serial number: 2 Increment 15minutes 10minutes 1days Refresh interval: Retry interval: Expires after: 0 :1 :0 :0 Minimum (default) TTL:

Configuring Zone Transfers nwtraders.msft Properties WINSZone TransfersSecurity General Start of Authority (SOA) Name Servers Serial number: 28 Primary server: london.contoso.com Responsible person: admin.contoso.com Increment Browse… 15minutes 10minutes 1days 0 :1 :0 :0 OK Cancel Refresh interval: Retry interval: Expires after: Minimum [default] TTL: TTL for this record: Apply OKCancel Apply nwtraders.msft Properties GeneralStart of Authority (SOA)Name Servers WINS Zone Transfers Security Allow zone transfers To any server Only to servers listed on the Name Servers tab Only to the following servers IP address: To specify secondary servers to be notified of zone updates, click Notify. AddAddAddAdd AddAddAddAdd Remove Notify… A zone transfer sends a copy of the zone to requesting servers.

How DNS Notify Works Secondary Server Primary and Master Server DNS notify Zone transfer A DNS notify is an update to the original DNS protocol specification that permits notification to secondary servers when zone changes occur Source Server Destination Server Resource record is updated SOA serial number is updated

Configuring AD Integrated Zones Active Directory Integrated Zone Data Is –Stored as an Active Directory object –Replicated as part of domain replication Active Directory contoso.com DNS Server Active Directory Integrated Zone Active Directory Integrated Zone

What Are Directory Partitions? Active Directory Database Configurable replication Domain Forest Schema Configuration Definitions and rules for creating and manipulating objects and attributes Information about the Active Directory structure Information about domain- specific objects Information about applications Contains:

Selecting a Partition Forest Application Domain Partition Domain Application

Configuring Dynamic Updates DNS Dynamic Update Protocol –Allows clients to automatically update DNS servers –Can be used in conjunction with DHCP DNS Server Request for IP address 1 Assign IP address of Zone Database Computer DHCP Server Windows client updates forward resource record on DNS server Windows client updates forward resource record on DNS server DHCP updates reverse resource record for Windows 2000, XP and 2003 clients and both resource records for other clients DHCP updates reverse resource record for Windows 2000, XP and 2003 clients and both resource records for other clients

Securing Dynamic Updates nwtraders.msft. Properties WINS Zone TransfersSecurity GeneralStart of Authority (SOA)Name Servers Status: Type: Running Active Directory-integrated Pause Change… Data is stored in Active Directory. Allow dynamic updates? Aging… Only secure updates To set aging/scavenging properties, click Aging OKCancelApply Secure Dynamic Updates Active Directory Integrated Zone

Creating a Subdomain Create a Subdomain to Better Organize Your Namespace Delegate Authority of a Subdomain To –Delegate management of portions of the namespace –Delegate administrative tasks of maintaining one large DNS database org. com.com. edu. tw. “.” microsoft.com. training.microsoft.com. Subdomain Second-Level Domain Top-Level Domain Root

DNS Server Roles RoleSituation Caching-only servers A remote office has a limited amount of available bandwidth Non-recursive servers You have Internet-facing DNS that are authoritative for one or more zones Forward-only servers You want to manage the DNS traffic between your network and the Internet Conditional forwarders You want DNS clients in separate networks to resolve each others’ names without having to query the DNS server on the Internet

How the Time-to-Live Value Works The records in the zone are sent to other DNS servers and clients in response to queries 1 1 DNS servers and DNS clients that store the record in their cache hold the record for the TTL period supplied in the record 2 2 When the TTL expires, the record is removed from the cache 3 3 The Time-to-Live (TTL) value is a time-out value expressed in seconds that is included with DNS records that are returned in a DNS query Zone TTL set on the zone DNS Server1 DNS Client Authoritative DNS Server2 Authoritative DNS Server2 Cache Resource Record

Reducing Network Traffic by Using Caching-Only Servers Caching-Only Servers –Perform name resolution on behalf of client computers and cache the results –Can be used to reduce DNS-related traffic across a WAN Caching-Only DNS Server Client Remote Office DNS Server Corporate Headquarters Slow WAN Link

How Aging and Scavenging Works Jan 1Jan 15Jan 8 Scavenge No-Refresh interval No-Refresh interval Refresh interval Refresh interval Time stamped Time stamped Aging 7-days

What Is DNS Debug Logging? Primary DNS Server1 DNS debug logging is an optional logging tool for DNS that stores the DNS information that you select Secondary DNS Server2

Planning a DNS Implementation Small Companies –Can use ISP DNS servers for queries and to store company domain names Larger Companies –Maintain their own DNS servers Two DNS Servers Recommended –Primary name server –Secondary name server

DNS Namespace Options Same Namespace Same Namespace Delegated Namespace Delegated Namespace Unique Namespace Unique Namespace Existing DNS Namespace nwtraders.com nwtraders.local ad.nwtraders.comnwtraders.com Internal Namespace Internal Namespace Internal Namespace Internal Namespace Internal Namespace Internal Namespace

Connecting DNS to the Internet  Forwarding DNS Queries to Internet DNS Servers  Responding to DNS Queries from the Internet Internet DNS Server Firewall Internet Screened Subnet External DNS Server Internal DNS Server

Integrating DNS into Screened Subnets Zones Contain Records for Public Resources Configure Firewalls to Permit Appropriate DNS Traffic Place Only Secondary Zones Encrypt Replication Traffic with IPSec public.contoso.msft Firewall Internet Screened Subnet public.contoso.msft Primary DNS Zone Secondary DNS Zone Private Network