Lesson 5: Planning DNS Server Deployment

After you define the domain hierarchy for your organization's forests and name the domains, the final step in creating a domain plan is to plan DNS server deployment. This lesson explains how to plan DNS server deployment, which includes assessing the organization's current DNS server environment and determining the placement of its DNS servers.


After this lesson, you will be able to

  • Identify the factors in an organization's environment that impact its DNS server deployment
  • Plan additional zones
  • Determine the existing DNS services employed on the DNS servers
  • Determine the zone replication method
  • Analyze an organization's environment to plan its DNS server deployment

Estimated lesson time: 20 minutes


Understanding DNS Servers

A DNS server is a computer that resolves names to IP addresses and IP addresses to names for host devices contained within a portion of the namespace. When a client queries a DNS server for a name or IP address, the server performs one of the following actions: provides the name or IP address, refers the client to another DNS server, or indicates that it cannot fulfill the request. DNS servers are also known as DNS name servers.

NOTE


A detailed discussion of DNS is beyond the scope of this course. For a thorough discussion of DNS, refer to the Microsoft Windows 2000 Server TCP/IP Core Networking Guide volume of the Microsoft Windows 2000 Server Resource Kit.

DNS servers use information stored about zones to handle name resolution. Each DNS server can store information for no zones, one zone, or multiple zones. A zone is a contiguous portion of the DNS namespace that is administered separately by a DNS server. The DNS namespace represents the logical structure of your network resources, and DNS zones provide physical storage for these resources. Zones can encompass a single domain or a domain and subdomains. Each zone contains a zone database file, a text file containing resource records for the zone. Resource records are records that contain information used to process client queries. There are many different types of resource records. When a zone is created, DNS automatically adds two resource records: the Start of Authority (SOA) and the Name Server (NS) records. Table 4.1 describes these resource record types, along with the most frequently used resource records.

Table 4.1 Frequently Used Resource Record Types

Resource record type    Description

Host (A)
    Lists the host name to IP address mappings for a forward lookup zone.

Alias (CNAME)
    Creates an alias, or alternate name, for the specified host name. You can use a Canonical Name (CNAME) record to use more than one name to point to a single IP address. For example, you can host a File Transfer Protocol (FTP) server, such as ftp.microsoft.com, and a Web server, such as www.microsoft.com, on the same computer.

Host Information (HINFO)
    Identifies the CPU and operating system used by the host. Use this record as a low-cost resource-tracking tool.

Mail Exchanger (MX)
    Identifies which mail exchanger to contact for a specified domain and in what order to use each mail host.

Name Server (NS)
    Lists the name servers that are assigned to a particular domain.

Pointer (PTR)
    Points to another part of the domain namespace. For example, in a reverse lookup zone, it lists the IP-address-to-name mapping.

Service (SRV)
    Identifies which servers are hosting specific services. For example, if a client needs to find a server to validate logon requests, the client can send a query to the DNS server to obtain a list of domain controllers and their associated IP addresses.

Start of Authority (SOA)
    Identifies which name server is the authoritative source of information for data within this domain. The first record in the zone database file must be the SOA record.

Figure 4.17 shows the relationship of DNS servers, domains, zones, zone database files, and resource records.


Figure 4.17 Relationship of DNS servers, domains, zones, zone database files, and resource records
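As an added example (not code from the lesson or from Windows 2000 DNS), the following Python script reads a constructed zone database file that holds the Table 4.1 record types and applies two checks the lesson states: that the SOA is the first record, and that SRV records exist so clients can locate domain controllers. The zone name corp.example.com, the host names and the addresses are assumptions.

```python
import re

# Constructed zone database file for a hypothetical zone corp.example.com (not
# from the lesson): the Table 4.1 record types plus the _ldap._tcp SRV record.
SAMPLE_ZONE = """\
$ORIGIN corp.example.com.
@           IN SOA   dc1.corp.example.com. hostmaster.corp.example.com. (
                     2001040101 ; serial, increased on every zone change
                     900 600 86400 3600 )
@           IN NS    dc1.corp.example.com.
@           IN MX    10 mail.corp.example.com.
dc1         IN A     10.0.0.10
mail        IN A     10.0.0.20
www         IN CNAME mail.corp.example.com.
dc1         IN HINFO "PC-Intel" "Windows 2000 Server"
_ldap._tcp  IN SRV   0 100 389 dc1.corp.example.com.
"""

def parse_zone(text):
    """Return (owner, type, rdata) tuples in file order, joining the multi-line SOA."""
    stripped = [re.sub(r";.*", "", ln).strip() for ln in text.splitlines()]
    joined, buf = [], ""
    for ln in stripped:
        if ln and not ln.startswith("$"):     # drop blanks and $ directives
            buf = f"{buf} {ln}" if buf else ln
            if buf.count("(") == buf.count(")"):
                joined.append(buf.replace("(", " ").replace(")", " "))
                buf = ""
    records = []
    for ln in joined:
        owner, *rest = ln.split()
        while rest and (rest[0].isdigit() or rest[0] == "IN"):  # optional TTL/class
            rest.pop(0)
        records.append((owner, rest[0], " ".join(rest[1:])))
    return records

def check_zone(records):
    """Lesson checks: SOA first; SRV records present so clients can find a DC."""
    findings = []
    if not records or records[0][1] != "SOA":
        findings.append("first record is not SOA")
    if not any(rtype == "SRV" for _, rtype, _ in records):
        findings.append("no SRV records: domain controllers cannot be located")
    return findings

def soa_serial(records):
    """SOA serial number, the zone version compared during zone transfer."""
    rdata = next(r for _, t, r in records if t == "SOA")
    return int(rdata.split()[2])
```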

Zone Replication

Zone replication is the synchronization of DNS data between DNS servers within a given zone. Replicating zones provides the following benefits:

  • Fault tolerance. If a DNS server fails, clients can still direct queries to other DNS servers.
  • Query load distribution. Query loads can be balanced among DNS servers.
  • WAN traffic reduction. DNS servers can be added in remote locations to eliminate the need for clients to send queries across slow links.

There are two methods for replicating zones: standard zone replication and Active Directory zone replication. The use of Active Directory zone replication is strongly recommended.

Standard Zone Replication

In standard zone replication, primary and secondary zones and primary and secondary DNS servers handle zone replication. A primary zone is the master copy of a zone stored in a standard text file on a primary DNS server. A primary DNS server is the authoritative server for a primary zone; you must administer and maintain a primary zone on the primary DNS server for the zone. A secondary zone is a read-only replica of an existing standard primary zone stored in a standard text file on a secondary DNS server. A secondary DNS server is a backup DNS server that receives the zone database files from the primary server in a zone transfer. Zone transfer is the process by which DNS servers interact to maintain and synchronize authoritative name data. A zone can have multiple secondary servers, and a secondary server can serve more than one zone. Figure 4.18 shows the use of primary and secondary DNS servers.


Figure 4.18 Use of primary and secondary DNS servers in zones

There are three types of zone transfers: full zone transfers, incremental zone transfers, and transfers that use the DNS Notify process. In a full zone transfer (AXFR query), the primary DNS server transmits the entire zone database file for the primary zone to the secondary DNS server. In an incremental zone transfer (IXFR query), the servers keep track of and transfer only incremental resource record changes between each version of the zone database file.

IMPORTANT


To perform incremental zone transfer, you must implement a DNS service that supports RFC 1995, which includes Windows 2000 Server. For earlier versions of DNS service, such as those running on Windows NT 4, incremental zone transfer is not supported and only full zone transfers can be used to replicate zones.

Figure 4.19 illustrates the full and incremental zone transfer processes.


Figure 4.19 Full and incremental zone transfer processes

In the DNS Notify process, the primary server, rather than the secondary server, initiates the zone transfer. The following is a summary of the DNS Notify process:

  1. The zone on a primary DNS server is updated, which updates the serial number on the SOA resource record in the primary zone.
  2. The primary DNS server sends a notify message to the secondary DNS servers (specified by an administrator) as part of its notify set.
  3. When the secondary DNS servers in the notify set receive the notify message, they initiate an AXFR or IXFR zone transfer.
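The three Notify steps and the AXFR/IXFR choice can be modelled in a few lines. This added Python example is not code from the lesson or from any DNS product; it assumes simplified records (owner mapped to rdata), a serial that increases by one per change, and uses supports_ixfr=False to stand in for a Windows NT 4 secondary that can only take full transfers.

```python
class PrimaryServer:
    """Master copy of a zone plus a journal of changes keyed by SOA serial."""
    def __init__(self, records, serial):
        self.serial = serial
        self.records = dict(records)  # owner -> rdata (a simplified zone file)
        self.journal = {}             # serial before a change -> (adds, deletes)
        self.notify_set = []          # secondaries the administrator listed

    def update(self, adds, deletes=()):
        """Step 1: change the zone and bump the SOA serial. Step 2: NOTIFY."""
        for owner in deletes:
            self.records.pop(owner, None)
        self.records.update(adds)
        self.journal[self.serial] = (dict(adds), list(deletes))
        self.serial += 1
        return {s.name: s.on_notify(self) for s in self.notify_set}

    def axfr(self):  # AXFR: hand over the entire zone database
        return self.serial, dict(self.records)

    def ixfr(self, from_serial):
        """IXFR (RFC 1995): changes since from_serial, or None if the journal has a gap."""
        changes, s = [], from_serial
        while s != self.serial:
            if s not in self.journal:
                return None           # caller must fall back to AXFR
            changes.append(self.journal[s])
            s += 1
        return self.serial, changes

class SecondaryServer:
    """Read-only replica; an NT 4-style server sets supports_ixfr=False."""
    def __init__(self, name, supports_ixfr=True):
        self.name, self.supports_ixfr = name, supports_ixfr
        self.serial, self.records = 0, {}

    def on_notify(self, primary):
        """Step 3: pull the zone, preferring IXFR; report which transfer ran."""
        if primary.serial <= self.serial:
            return "none"  # the copy held is already current
        delta = primary.ixfr(self.serial) if self.supports_ixfr else None
        if delta is None:
            self.serial, self.records = primary.axfr()
            return "AXFR"
        self.serial, changes = delta
        for adds, deletes in changes:
            for owner in deletes:
                self.records.pop(owner, None)
            self.records.update(adds)
        return "IXFR"
```

A secondary whose serial the primary's journal no longer reaches (a freshly added server, or one that was offline too long) is the case where IXFR returns None and a full transfer is forced.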

Active Directory Zone Replication

In Active Directory zone replication, Active Directory-integrated zones and domain controllers handle zone replication. Each domain controller functions as a primary DNS server, using Active Directory to store and replicate primary zone files. Active Directory zone replication provides the following advantages over standard zone replication:

  • Replication planning is simplified. Because DNS resource records are part of Active Directory and are replicated to each domain controller, it is no longer necessary to maintain zone database files or use zone transfer.
  • Replication is multimaster. Updates to zones are allowed at every DNS server/domain controller, rather than just the primary DNS server.
  • Efficiency. Because Active Directory zone replication is processed at the property level, it generates less replication traffic than standard zone replication.
  • Detailed delegation of administration. Administration of directory-integrated zone data can be delegated to users on a per-resource-record basis.

IMPORTANT


To replicate zones with Active Directory zone replication, you must implement the Windows 2000 DNS service.

DNS Server Requirements

Existing authoritative DNS servers must meet the following minimum requirements to support Active Directory:

  • They must support service (SRV) resource records, as described in RFC 2052.
  • They must support dynamic update, as described in RFC 2136.

It is recommended that organizations deploy the Windows 2000 DNS service provided with Windows 2000 Server. Windows 2000 DNS service meets the minimum requirements and provides two additional features:

  • Active Directory-integrated zones
  • Secure dynamic update

Servers that are not authoritative do not need to meet the DNS server requirements. These servers can usually answer SRV record queries even though they do not support that record type.

Design Step: Planning DNS Server Deployment

To plan DNS server deployment, you must complete the following tasks:

  1. Assess the organization's current DNS server environment.
  2. Determine the placement of the DNS servers.

Assessing the DNS Server Environment

To plan the DNS server deployment for your organization, you must first consult the following documents compiled earlier by your design team:

  • IT Management Organization Worksheet. Assess current IT management organization structure to determine whether it's necessary to delegate management of part of the DNS namespace to another department or location within the organization.
  • DNS Environment Worksheet. Assess the organization's current DNS server environment.

NOTE


Blank copies of the worksheets are located on the Supplemental Course Materials CD-ROM (\chapt02\worksheets). Completed examples of the worksheets are located in Chapter 2, "Introduction to Designing a Directory Services Infrastructure."

In addition to assessing the information compiled in these worksheets, it is imperative that you also assess changes currently planned for DNS server environments to address growth, flexibility, and the ideal design specifications of the organization.

Determining Placement of DNS Servers

To determine the placement of your DNS servers, you must plan additional zones, determine the existing DNS services employed on your DNS servers, and determine the zone replication method to use.

Planning Additional Zones

To determine when to divide your DNS namespace into zones, consider if there is a need to

  • Delegate management of part of the DNS namespace to another department or location within the organization
  • Divide a large zone into smaller zones to distribute traffic loads among multiple servers, improve DNS name resolution performance, or create a more fault-tolerant DNS environment
  • Extend the namespace by adding numerous subdomains at once, as in accommodating the opening of a new branch or site

If you can answer "yes" to any of these considerations, you may want to divide your namespace into additional zones.

Determining Existing DNS Services

If your organization is already using a DNS service other than Windows 2000 DNS, you will need to find out whether the service is compatible with Active Directory and how it is currently structured. The following DNS services meet the DNS server requirements to support Active Directory:

  • DNS BIND version 8.1.2 or later
  • Windows NT 4 DNS

Although these DNS services are compatible with Active Directory, only the Windows 2000 DNS service allows you to use Active Directory-integrated zones, incremental zone transfer, and secure dynamic updates. To take advantage of these features, you can upgrade DNS servers running compatible DNS services to Windows 2000 DNS.

It is important to note that the DNS BIND version 4.x does not meet the DNS server requirements to support Active Directory. To implement Windows 2000 in the DNS BIND 4.x environment, you will have to upgrade the BIND 4.x environment to BIND 8.1.2 or later. From that point you can upgrade your DNS servers to Windows 2000 DNS.

If you cannot upgrade your DNS servers to Windows 2000 DNS, the best solution is to create a delegated subdomain. A delegated subdomain is a separate Windows 2000 DNS subdomain set up in the established DNS namespace. The DNS server in the Windows 2000 DNS subdomain is authoritative for that subdomain. You can add child domains to the subdomains as needed.

Determining the Zone Replication Method

Once you've identified the existing DNS service and settled on the DNS service you will use for your Active Directory implementation, you can easily determine the replication method to use. If you are using Windows 2000 DNS service, you can use Active Directory-integrated zone replication. In this case, all of your domain controllers function as primary DNS servers. If you are using DNS BIND version 8.1.2 or later or Windows NT 4 DNS service, you must use standard zone replication. In this case, you must specify primary and secondary DNS servers and zones.

To plan DNS server deployment

  1. Determine whether your organization needs additional zones.
  2. Identify the existing DNS services employed on your DNS servers.
  3. Determine whether to use standard or Active Directory-integrated zone replication.
  4. If using standard zone replication, specify primary and secondary zones and DNS servers.

Design Step Example: Planning DNS Server Deployment

Pacific Musical Instruments would like to delegate management of part of the us.corp.pac-100times.com domain to the organization's Anchorage location. To do this, the design team plans to split the domain into two zones. Because Pacific Musical Instruments is committed to using Windows 2000 DNS, the company will be able to use Active Directory-integrated zone replication. Because all domain controllers function as primary DNS servers, it is not necessary to define the location of primary and secondary zones and DNS servers. The domain hierarchy diagram showing the planned zones is presented in Figure 4.20.


Figure 4.20 Domain hierarchy diagram with planned zones for Pacific Musical Instruments

Lesson Summary

In this lesson you learned how to plan DNS server deployment by assessing the organization's current DNS server environment and determining the placement of its DNS servers. To determine the placement of your DNS servers, you learned how to plan additional zones, determine the existing DNS services employed on the DNS servers, and determine the zone replication method to use.

To plan additional zones, you learned the reasons for dividing your DNS namespace into zones. You also learned that the existing DNS services of DNS BIND version 8.1.2 or later and Windows NT 4 DNS are compatible with Active Directory. Only the Windows 2000 DNS service allows you to use Active Directory-integrated zones, incremental zone transfer, and secure dynamic updates. To take advantage of these features, you can upgrade DNS servers running compatible DNS services to Windows 2000 DNS. You learned that DNS BIND version 4.x does not meet the DNS server requirements to support Active Directory and that to implement Windows 2000 in the DNS BIND 4.x environment, you have to upgrade the BIND 4.x environment to BIND 8.1.2 or later. Finally, you learned that if you are using Windows 2000 DNS service, you can use Active Directory-integrated zone replication. If you are using DNS BIND version 8.1.2 or later or Windows NT 4 DNS service, you must use standard zone replication.



MCSE Training Kit Exam 70-219(c) Designing a Microsoft Windows 2000 Directory Services Infrastructure
MCSE Designing a Microsoft Windows 2000 Directory Services Infrastructure Readiness Review; Exam 70-219 (Pro-Certification)
ISBN: 0735613648
Year: 2001
Pages: 76
