After you define the domain hierarchy for your organization's forests and name the domains, the final step in creating a domain plan is to plan DNS server deployment. This lesson explains how to plan DNS server deployment, which includes assessing the organization's current DNS server environment and determining the placement of its DNS servers.
After this lesson, you will be able to
Estimated lesson time: 20 minutes
A DNS server is a computer that resolves names to IP addresses and IP addresses to names for host devices contained within a portion of the namespace. When a client queries a DNS server for a name or IP address, the server performs one of the following actions: provides the name or IP address, refers the client to another DNS server, or indicates that it cannot fulfill the request. DNS servers are also known as DNS name servers.
A detailed discussion of DNS is beyond the scope of this course. For a thorough discussion of DNS, refer to the Microsoft Windows 2000 Server TCP/IP Core Networking Guide volume of the Microsoft Windows 2000 Server Resource Kit.
DNS servers use information stored about zones to handle name resolution. Each DNS server can store information for no zones, one zone, or multiple zones. A zone is a contiguous portion of the DNS namespace that is administered separately by a DNS server. The DNS namespace represents the logical structure of your network resources, and DNS zones provide physical storage for these resources. Zones can encompass a single domain or a domain and subdomains. Each zone contains a zone database file, a text file containing resource records for the zone. Resource records are records that contain information used to process client queries. There are many different types of resource records. When a zone is created, DNS automatically adds two resource records: the Start of Authority (SOA) and the Name Server (NS) records. Table 4.1 describes these resource record types, along with the most frequently used resource records.
Table 4.1 Frequently Used Resource Record Types

| Resource record type | Description |
|---|---|
| Host (A) | Lists the host name to IP address mappings for a forward lookup zone. |
| Alias (CNAME) | Creates an alias, or alternate name, for the specified host name. You can use a Canonical Name (CNAME) record to use more than one name to point to a single IP address. For example, you can host a File Transfer Protocol (FTP) server, such as ftp.microsoft.com, and a Web server, such as www.microsoft.com, on the same computer. |
| Host Information (HINFO) | Identifies the CPU and operating system used by the host. Use this record as a low-cost resource-tracking tool. |
| Mail Exchanger (MX) | Identifies which mail exchanger to contact for a specified domain and in what order to use each mail host. |
| Name Server (NS) | Lists the name servers that are assigned to a particular domain. |
| Pointer (PTR) | Points to another part of the domain namespace. For example, in a reverse lookup zone, it lists the IP-address-to-name mapping. |
| Service (SRV) | Identifies which servers are hosting specific services. For example, if a client needs to find a server to validate logon requests, the client can send a query to the DNS server to obtain a list of domain controllers and their associated IP addresses. |
| Start of Authority (SOA) | Identifies which name server is the authoritative source of information for data within this domain. The first record in the zone database file must be the SOA record. |
Figure 4.17 shows the relationship of DNS servers, domains, zones, zone database files, and resource records.
Figure 4.17 Relationship of DNS servers, domains, zones, zone database files, and resource records
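The following is an added example, not code from the course: it parses a small standard zone database file into the resource record types of Table 4.1, checks the rules the lesson states (SOA first, at least one NS record), and emulates the SRV query a client uses to find domain controllers. The zone contents are constructed, and the `_ldap._tcp.dc._msdcs` locator name is the standard Windows 2000 convention, assumed here rather than taken from the lesson.

```python
KNOWN_TYPES = {"SOA", "NS", "A", "CNAME", "HINFO", "MX", "PTR", "SRV"}  # Table 4.1
# Constructed sample zone file; SOA kept on one line to keep the parser short.
SAMPLE_ZONE = """\
$ORIGIN corp.example.com.
@    IN SOA   dc1.corp.example.com. hostmaster.corp.example.com. 2000110101 3600 600 86400 3600
@    IN NS    dc1.corp.example.com.
dc1  IN A     10.1.0.10
dc2  IN A     10.1.0.11
www  IN CNAME dc1.corp.example.com.   ; alias, same host as dc1
_ldap._tcp.dc._msdcs  IN SRV 0 100 389 dc1.corp.example.com.
_ldap._tcp.dc._msdcs  IN SRV 0 50  389 dc2.corp.example.com.
"""

def parse_zone(text):
    """Return (owner, type, rdata) triples; '@' and relative owners use $ORIGIN."""
    origin, records = "", []
    for raw in text.splitlines():
        fields = raw.split(";", 1)[0].split()      # strip comments and blank lines
        if not fields:
            continue
        if fields[0] == "$ORIGIN":
            origin = fields[1]
            continue
        owner, rest = fields[0], fields[1:]
        owner = origin if owner == "@" else owner if owner.endswith(".") else owner + "." + origin
        if rest[0].isdigit():                      # optional TTL
            rest = rest[1:]
        if rest[0] == "IN":                        # optional class
            rest = rest[1:]
        if rest[0].upper() not in KNOWN_TYPES:
            raise ValueError("unsupported record type: " + rest[0])
        records.append((owner, rest[0].upper(), tuple(rest[1:])))
    return records

def zone_problems(records):
    """Findings for rules the lesson states: SOA first, at least one NS."""
    problems = []
    if not records or records[0][1] != "SOA":
        problems.append("first record must be SOA")
    if not any(rtype == "NS" for _, rtype, _ in records):
        problems.append("zone has no NS record")
    return problems

def domain_controllers(records, domain):
    """Emulate the client's SRV lookup for logon servers; ordered by priority, then descending weight."""
    name = "_ldap._tcp.dc._msdcs." + domain       # assumed locator name, not from the lesson
    hits = [(int(rd[0]), int(rd[1]), int(rd[2]), rd[3])
            for o, rt, rd in records if o == name and rt == "SRV"]
    return sorted(hits, key=lambda h: (h[0], -h[1]))
```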
Zone replication is the synchronization of DNS data between DNS servers within a given zone. Replicating zones provides the following benefits:
There are two methods for replicating zones: standard zone replication and Active Directory zone replication. The use of Active Directory zone replication is strongly recommended.
Standard Zone Replication
In standard zone replication, primary and secondary zones and primary and secondary DNS servers handle zone replication. A primary zone is the master copy of a zone stored in a standard text file on a primary DNS server. A primary DNS server is the authoritative server for a primary zone; you must administer and maintain a primary zone on the primary DNS server for the zone. A secondary zone is a read-only replica of an existing standard primary zone stored in a standard text file on a secondary DNS server. A secondary DNS server is a backup DNS server that receives the zone database files from the primary server in a zone transfer. Zone transfer is the process by which DNS servers interact to maintain and synchronize authoritative name data. A zone can have multiple secondary servers, and a secondary server can serve more than one zone. Figure 4.18 shows the use of primary and secondary DNS servers.
Figure 4.18 Use of primary and secondary DNS servers in zones
There are three types of zone transfers: full zone transfers, incremental zone transfers, and transfers that use the DNS Notify process. In a full zone transfer (AXFR query), the primary DNS server transmits the entire zone database file for the primary zone to the secondary DNS server. In an incremental zone transfer (IXFR query), the servers keep track of and transfer only incremental resource record changes between each version of the zone database file.
To perform incremental zone transfer, you must implement a DNS service that supports RFC 1995, which includes Windows 2000 Server. For earlier versions of DNS service, such as those running on Windows NT 4, incremental zone transfer is not supported and only full zone transfers can be used to replicate zones.
Figure 4.19 illustrates the full and incremental zone transfer processes.
Figure 4.19 Full and incremental zone transfer processes
In the DNS Notify process, the primary server, rather than the secondary server, initiates the zone transfer. The following is a summary of the DNS Notify process:
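The transfer and notify exchange described above, as an added simulation that is not code from the course: the primary keeps a change history per SOA serial and notifies the secondary, which compares serials and requests an incremental transfer (IXFR, RFC 1995) when both sides support it, falling back to a full transfer (AXFR) otherwise. Class and function names and the zone data are constructed for this example.

```python
class PrimaryServer:
    """Holds the master copy of a zone and a change history per SOA serial."""
    def __init__(self, records, serial, supports_ixfr=True):
        self.records, self.serial = set(records), serial
        self.supports_ixfr = supports_ixfr     # False for a pre-RFC 1995 server
        self.history = {}                      # serial -> (added, removed)

    def update(self, added=(), removed=()):
        """Change the zone; each change bumps the serial by one."""
        self.serial += 1
        self.records = (self.records | set(added)) - set(removed)
        self.history[self.serial] = (set(added), set(removed))

    def transfer(self, since_serial, client_supports_ixfr):
        """Return ('ixfr', serial, [deltas]) when both sides support IXFR and
        history covers the gap, otherwise ('axfr', serial, full record set)."""
        needed = range(since_serial + 1, self.serial + 1)
        if (self.supports_ixfr and client_supports_ixfr
                and all(s in self.history for s in needed)):
            return "ixfr", self.serial, [self.history[s] for s in needed]
        return "axfr", self.serial, set(self.records)

class SecondaryServer:
    """Read-only replica; refreshed when the primary sends DNS Notify."""
    def __init__(self, supports_ixfr=True):
        self.records, self.serial, self.supports_ixfr = set(), 0, supports_ixfr
        self.log = []                          # what each Notify caused

    def on_notify(self, primary):
        if primary.serial <= self.serial:      # Notify carries the primary's SOA serial
            self.log.append("no transfer")
            return
        kind, serial, payload = primary.transfer(self.serial, self.supports_ixfr)
        if kind == "axfr":
            self.records = set(payload)
        else:
            for added, removed in payload:     # apply deltas oldest first
                self.records = (self.records | added) - removed
        self.serial = serial
        self.log.append(f"{kind} to serial {serial}")

def replicate_demo(secondary_supports_ixfr=True):
    """Constructed scenario: initial full transfer, then one small change."""
    primary = PrimaryServer({("dc1", "A", "10.1.0.10"), ("@", "NS", "dc1")}, 2000110101)
    secondary = SecondaryServer(secondary_supports_ixfr)
    secondary.on_notify(primary)               # first sync: no history to diff from
    primary.update(added={("dc2", "A", "10.1.0.11")})
    secondary.on_notify(primary)               # small change: IXFR if supported
    secondary.on_notify(primary)               # already current
    return secondary.log, secondary.records == primary.records
```

Running `replicate_demo(False)` models a secondary without RFC 1995 support, such as a Windows NT 4 DNS server, which receives the second change as a full transfer.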
Active Directory Zone Replication
In Active Directory zone replication, Active Directory-integrated zones and domain controllers handle zone replication. Each domain controller functions as a primary DNS server, using Active Directory to store and replicate primary zone files. Active Directory zone replication provides the following advantages over standard zone replication:
To replicate zones with Active Directory zone replication, you must implement the Windows 2000 DNS service.
Existing authoritative DNS servers must meet the following minimum requirements to support Active Directory:
It is recommended that organizations deploy the Windows 2000 DNS service provided with Windows 2000 Server. Windows 2000 DNS service meets the minimum requirements and provides two additional features:
Servers that are not authoritative do not need to meet the DNS server requirements. These servers can usually answer SRV record queries even though they do not support that record type.
To plan DNS server deployment, you must complete the following tasks:
To plan the DNS server deployment for your organization, you must first consult the following documents compiled earlier by your design team:
Blank copies of the worksheets are located on the Supplemental Course Materials CD-ROM (\chapt02\worksheets). Completed examples of the worksheets are located in Chapter 2, "Introduction to Designing a Directory Services Infrastructure."
In addition to assessing the information compiled in these worksheets, it is imperative that you also assess changes currently planned for DNS server environments to address growth, flexibility, and the ideal design specifications of the organization.
To determine the placement of your DNS servers, you must plan additional zones, determine the existing DNS services employed on your DNS servers, and determine the zone replication method to use.
Planning Additional Zones
To determine when to divide your DNS namespace into zones, consider if there is a need to
If you can answer "yes" to any of these considerations, you may want to divide your namespace into additional zones.
Determining Existing DNS Services
If your organization is already using a DNS service other than Windows 2000 DNS, you will need to find out whether the service is compatible with Active Directory and how it is currently structured. The following DNS services meet the DNS server requirements to support Active Directory:
Although these DNS services are compatible with Active Directory, only the Windows 2000 DNS service allows you to use Active Directory-integrated zones, incremental zone transfer, and secure dynamic updates. To take advantage of these features, you can upgrade DNS servers running compatible DNS services to Windows 2000 DNS.
It is important to note that the DNS BIND version 4.x does not meet the DNS server requirements to support Active Directory. To implement Windows 2000 in the DNS BIND 4.x environment, you will have to upgrade the BIND 4.x environment to BIND 8.1.2 or later. From that point you can upgrade your DNS servers to Windows 2000 DNS.
If you cannot upgrade your DNS servers to Windows 2000 DNS, the best solution is to create a delegated subdomain. A delegated subdomain is a separate Windows 2000 DNS subdomain set up in the established DNS namespace. The DNS server in the Windows 2000 DNS subdomain is authoritative for that subdomain. You can add child domains to the subdomains as needed.
Determining the Zone Replication Method
Once you've identified the existing DNS service and settled on the DNS service you will use for your Active Directory implementation, you can easily determine the replication method to use. If you are using Windows 2000 DNS service, you can use Active Directory-integrated zone replication. In this case, all of your domain controllers function as primary DNS servers. If you are using DNS BIND version 8.1.2 or later or Windows NT 4 DNS service, you must use standard zone replication. In this case, you must specify primary and secondary DNS servers and zones.
To plan DNS server deployment
Pacific Musical Instruments would like to delegate management of part of the us.corp.pac-100times.com domain to the organization's Anchorage location. To do this, the design team plans to split the domain into two zones. Because Pacific Musical Instruments is committed to using Windows 2000 DNS, the company will be able to use Active Directory-integrated zone replication. Because all domain controllers function as primary DNS servers, it is not necessary to define the location of primary and secondary zones and DNS servers. The domain hierarchy diagram showing the planned zones is presented in Figure 4.20.
Figure 4.20 Domain hierarchy diagram with planned zones for Pacific Musical Instruments
In this lesson you learned how to plan DNS server deployment by assessing the organization's current DNS server environment and determining the placement of its DNS servers. To determine the placement of your DNS servers, you learned how to plan additional zones, determine the existing DNS services employed on the DNS servers, and determine the zone replication method to use.
To plan additional zones, you learned the reasons for dividing your DNS namespace into zones. You also learned that the existing DNS services of DNS BIND version 8.1.2 or later and Windows NT 4 DNS are compatible with Active Directory. Only the Windows 2000 DNS service allows you to use Active Directory-integrated zones, incremental zone transfer, and secure dynamic updates. To take advantage of these features, you can upgrade DNS servers running compatible DNS services to Windows 2000 DNS. You learned that DNS BIND version 4.x does not meet the DNS server requirements to support Active Directory and that to implement Windows 2000 in the DNS BIND 4.x environment, you have to upgrade the BIND 4.x environment to BIND 8.1.2 or later. Finally, you learned that if you are using Windows 2000 DNS service, you can use Active Directory-integrated zone replication. If you are using DNS BIND version 8.1.2 or later or Windows NT 4 DNS service, you must use standard zone replication.