DNS Integration Options


If a DNS infrastructure already exists and is running reliably, many organizations will be reluctant to replace their DNS servers to support Windows 2000. Fortunately, Windows 2000 and existing non-Microsoft DNS can coexist peacefully and efficiently. In fact, many Windows 2000 implementation plans recognize the existence of and the need to interoperate with BIND and other Unix-based DNS installations. Depending on the Active Directory design, the current DNS infrastructure might require only a few minor changes, such as adding delegated zones or a few host records.

Four basic options are available to integrate Windows 2000 into an existing DNS infrastructure. These options are

  • Use BIND version 8.1.2 or higher.

  • Segregate DNS implementations at the firewall.

  • Create a separate Active Directory DNS domain for Windows 2000.

  • Delegate only Active Directory zones to Windows 2000 DNS servers.

Let's explore these options in detail, starting with the simplest.

Use BIND Version 8.1.2 or Higher

The Berkeley Internet Name Daemon is the most popular DNS server implementation. The current version of BIND supports both SRV records and dynamic update, and BIND version 8.1.2 or higher supports all Windows 2000 requirements. Although version 8.1.1 supports dynamic update, it fails whenever a Windows 2000 host attempts an update, making it unsuitable for Windows 2000 deployments. Earlier versions of BIND do support SRV records but not dynamic updates, making them undesirable options.

Using version 8.1.2 or higher, hosts are configured as usual. The Windows 2000 DHCP server can be configured to dynamically register non-Windows 2000 clients or not to register them, as desired. A Windows 2000 server, when being promoted to domain controller, simply registers its set of SRV records, which are then used by hosts to locate Windows 2000 services.

Segregate DNS Implementations at the Firewall

The most critical DNS server at any organization is its authoritative DNS server: the server used to resolve IP addresses for external hosts. By dividing DNS responsibilities at the firewall, the existing DNS environment used to resolve external requests is left untouched and the requirements of Windows 2000 are met internally by Windows 2000 DNS.

The Windows 2000 DNS servers should be configured to forward requests they cannot resolve locally to the external DNS server, and host records defined on the external servers must be manually added to the internal DNS.

For security, the firewall configuration should allow DNS traffic only between internal and external DNS servers because external hosts should not be allowed to query the internal Windows 2000 DNS information. Also, internal requests for Internet name resolution will be forwarded by the internal DNS to the external DNS for resolution.

Create a Separate Active Directory DNS Domain for Windows 2000

If a separate child domain is created for an organization's Windows 2000 implementation, the net result is similar to the prior scenario. However, this approach is more appropriate for environments with a substantial number of non-Microsoft hosts and in which the existing DNS is used to support internal as well as external name resolution.

The Active Directory domain can be defined in the main corporate DNS and delegated, allowing access to Windows 2000 servers from any host in the organization.

Delegate Only Active Directory Zones to Windows 2000 DNS Servers

The final option is appropriate when client computers will not dynamically update DNS, but servers will. In this case, the existing DNS can be configured to delegate the four Active Directory service locator zones only. These four zones are

  • _msdcs

  • _sites

  • _tcp

  • _udp

Only domain controller-generated SRV records are added to these zones, which can be delegated to one or more Windows 2000 DNS servers. Note, however, that domain controllers will be incapable of dynamically adding their own host or reverse-lookup records, unless the standard primary DNS server supports dynamic updates. As a result, if the primary DNS is incapable of dynamic updating, the A and PTR records for new domain controllers should be added before the dcpromo operation is run. This ensures that the new DC has the proper host entries on the primary DNS servers and only the delegated servers must be updated.
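As an added example that is not from the book, here is what this fourth option looks like in the zone files of the existing BIND primary: the four service locator zones are delegated to the Windows 2000 DNS servers, and the A and PTR records for the new DC are created by hand ahead of dcpromo. The zone name corp.example.com, the server names, the 10.0.0.0/24 addresses and the serial numbers are assumptions, and the two zones are assumed to be standard primaries with no dynamic update enabled.

```zone
; ---- corp.example.com.zone : parent zone on the existing BIND primary ----
; (constructed example; names and addresses are assumed)
$ORIGIN corp.example.com.
$TTL 3600
@       IN  SOA ns1.corp.example.com. hostmaster.corp.example.com. (
                2003010101  ; serial
                3600        ; refresh
                900         ; retry
                604800      ; expire
                3600 )      ; minimum
        IN  NS  ns1.corp.example.com.
ns1     IN  A   10.0.0.2

; Windows 2000 DNS servers that will hold the delegated AD zones
w2kdns1 IN  A   10.0.0.10
w2kdns2 IN  A   10.0.0.12

; Host record for the new domain controller, added BEFORE dcpromo is run,
; because this primary does not accept dynamic updates
dc1     IN  A   10.0.0.11

; Delegate only the four Active Directory service locator zones.
; Everything else in corp.example.com stays under BIND's control.
_msdcs  IN  NS  w2kdns1.corp.example.com.
_msdcs  IN  NS  w2kdns2.corp.example.com.
_sites  IN  NS  w2kdns1.corp.example.com.
_sites  IN  NS  w2kdns2.corp.example.com.
_tcp    IN  NS  w2kdns1.corp.example.com.
_tcp    IN  NS  w2kdns2.corp.example.com.
_udp    IN  NS  w2kdns1.corp.example.com.
_udp    IN  NS  w2kdns2.corp.example.com.

; ---- 10.0.0.rev : reverse zone on the same BIND primary ----
$ORIGIN 0.0.10.in-addr.arpa.
$TTL 3600
@       IN  SOA ns1.corp.example.com. hostmaster.corp.example.com. (
                2003010101 3600 900 604800 3600 )
        IN  NS  ns1.corp.example.com.
; Reverse record for the DC, also created before dcpromo
11      IN  PTR dc1.corp.example.com.
```

On the Windows 2000 DNS servers, the matching zones _msdcs.corp.example.com, _sites.corp.example.com, _tcp.corp.example.com and _udp.corp.example.com are created as primaries with dynamic update allowed, so the DC's SRV records land there at dcpromo time. Querying a BIND-resolving host for the SRV records afterwards (for example with nslookup -type=SRV) confirms that the delegation chain is followed.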

MCSE Windows 2000 Active Directory Services Design Exam Cram 2 (Exam Cram 70-219)
ISBN: 0789728648
Year: 2003
Pages: 148