Exam Objectives Fast Track


Planning for Host Name Resolution

  • The design of your DNS namespace will have an effect on the security of your DNS infrastructure and the amount of effort required to administer it. At a minimum, the internal DNS namespace should either be registered or based on a registered name you own.

  • The internal DNS namespace mirrors the AD domain tree. However, DNS and AD are separate from one another.

  • The number of child domains or subdomains should be limited to five or fewer.

  • Secondary zones can increase fault tolerance and availability, but zone transfer traffic can consume unacceptable amounts of bandwidth in some circumstances.

  • Lame delegations are one of the most common sources of name resolution problems with a DNS infrastructure. As an alternative to using NS and glue address records to delegate authority, consider using stub zones or conditional forwarding.

  • Conditional forwarding can reduce the amount of DNS referral traffic on the network.

  • Conditional forwarding is a good alternative to using secondary or stub zones in many circumstances.

  • DNS servers used for internal name resolution should never be accessible to Internet clients.

  • Public DNS servers that are used to resolve name mappings for your Web and mail servers should not be able to perform recursion.

  • Primary DNS servers should be configured to replicate only with a configured list of IP addresses or with the servers listed on the Name Servers tab.

  • Cache pollution protection should be enabled on all DNS servers to protect against attacks.

  • Publicly available DNS servers should be placed behind firewalls that have access rules controlling acceptable source and destination ports and addresses.

  • Active Directory-integrated zones configured to accept only authenticated updates provide the highest level of security for dynamic updates.

Planning for NetBIOS Name Resolution

  • WINS servers are capable of handling large numbers of client registrations; Microsoft recommends that as few WINS servers as possible be deployed to provide a desired level of service.

  • To avoid problems with replication and name resolution, WINS servers should not be installed on multihomed computers.

  • The TCP/IP stack on a WINS server should be configured so that the WINS server registers with itself.

  • By default, WINS replication partnerships are set up as push/pull replication partnerships. Limited partnerships (push-only and pull-only) are possible but should be avoided unless there is an overriding need to use them, such as extremely limited bandwidth.

  • Push replication is triggered by a configurable number of updates in the WINS database. Push replication is used in situations where there is ample bandwidth, such as on a LAN or high-speed WAN.

  • Pull replication is triggered by a configurable schedule. In general, pull replication is used in low-bandwidth situations where it is desirable to control the timing of replication traffic.

  • Convergence time is the amount of time it takes an updated record to propagate to every WINS server.

  • A hub-and-spoke topology is the most efficient for a replication environment involving multiple WINS servers.

  • Enabling burst handling can alert administrators to the presence of possible DoS attacks because the events appear in Event Viewer.

  • Static mappings should be avoided, unless they are used as a means to prevent redirection of name mappings of mission-critical servers.

Troubleshooting Name Resolution Issues

  • Troubleshooting name resolution issues is more effective if a systematic approach is used to isolate the components and processes that may be causing the problem. Generally, this means troubleshooting from the bottom of the OSI model to the top.

  • Client configurations are the most common source of name resolution issues and should be verified first.

  • Before troubleshooting name resolution problems on the client, it is a good idea to clear the appropriate cache (DNS or NetBIOS) to eliminate that as the source of the problem.

  • After the name resolution problem has been tracked down to the specific service—WINS or DNS—troubleshooting strategies appropriate to each can be employed.

  • Troubleshooting tools for DNS include Ipconfig, Netdiag, NSLookup, Dnscmd, and DNSLint.

  • Troubleshooting tools for WINS include Ipconfig, Netdiag, and the nbtstat command.




MCSE Planning and Maintaining a Windows Server 2003 Network Infrastructure. Exam 70-293 Study Guide and DVD Training System
ISBN: 1931836930
EAN: 2147483647
Year: 2003
Pages: 173
