Windows Server 2003 DNS: Installation, Configuration, Management and Maintenance
林寶森 (Lin Bao-sen)
[email protected]
What Is a Domain Namespace?
The DNS namespace is a tree; a name is read from right to left:
• Root domain: "."
• Top-level domains: com, net, org
• Second-level domain: nwtraders (nwtraders.com)
• Subdomains: west, south and east under nwtraders.com; sales under south.nwtraders.com
• Host: server1
• FQDN (fully qualified domain name): server1.sales.south.nwtraders.com
Overview of the DNS Query Process
Query types
• Iterative query: the DNS server returns the best answer that it can provide without help from other servers
• Recursive query: the DNS server returns a complete answer to the query, not a pointer to another DNS server
Lookup types
• Forward lookup: requires name-to-address resolution
• Reverse lookup: requires address-to-name resolution
How Recursive Queries Work
A recursive query is a query made to a DNS server in which the DNS client asks the DNS server to provide a complete answer to the query. The DNS server first checks its forward lookup zones and its cache for an answer. Example: Computer1 sends a recursive query for mail1.nwtraders.com to the local DNS server, which consults its database and returns the address 172.16.64.11.
How Iterative Queries Work
An iterative query is a query made to a DNS server in which the DNS client requests the best answer that the DNS server can provide without seeking further help from other DNS servers. The result of an iterative query is often a referral to another DNS server lower in the DNS tree.
Example (the local DNS server resolving mail1.nwtraders.com for Computer1):
1. Computer1 sends a recursive query for mail1.nwtraders.com to the local DNS server.
2. The local DNS server sends an iterative query to a root (.) server taken from its root hints; the root server refers it to the .com servers ("ask .com").
3. The local DNS server sends an iterative query to a .com server, which refers it to the nwtraders.com servers ("ask nwtraders.com").
4. The local DNS server sends an iterative query to a nwtraders.com server and receives an authoritative response: 172.16.64.11.
5. The local DNS server returns 172.16.64.11 to Computer1.
How Root Hints Work
Root hints are DNS resource records stored on a DNS server that list the IP addresses of the DNS root servers. The local DNS server (or the corporate or ISP DNS servers) uses them to start an iterative walk at the InterNIC root (.) servers, which refer it down the tree, for example to the com servers and then to the microsoft.com servers.
How Forwarders Work
A forwarder is a DNS server designated by other internal DNS servers to forward queries for resolving external or offsite DNS domain names. In the diagram the local DNS server receives the recursive query for mail1.nwtraders.com from Computer1 and, instead of walking the tree itself, sends a recursive query to the forwarder. The forwarder performs the iterative queries (root hint, then .com, then nwtraders.com), receives the authoritative response 172.16.64.11, and returns it to the local DNS server, which answers Computer1.
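The query walk described on the preceding slides, as an added Python model (not code from the original deck): a local DNS server takes a recursive query from Computer1, walks its root hints with iterative queries, follows each referral, and caches the authoritative answer 172.16.64.11. It also shows a forward-only server that relies on a forwarder and a non-recursive server that refuses to resolve on a client's behalf. The authoritative data, the server addresses (RFC 5737 documentation ranges) and the names AUTH_SERVERS, DnsServer, iterative_query and demo are all constructed for this example.

```python
"""Toy model of the DNS query process: recursive query in, iterative walk out.
Added example, not code from the slides. Server addresses are constructed
from the RFC 5737 documentation ranges; only 172.16.64.11 is from the deck."""
from typing import Dict, List, Optional, Tuple

# Constructed authoritative data: server IP -> (zone apex, owner -> [(type, rdata)]).
AUTH_SERVERS: Dict[str, Tuple[str, Dict[str, List[Tuple[str, str]]]]] = {
    "192.0.2.1": (".", {                                  # a root (.) server
        "com.": [("NS", "a.gtld.example.")],              # delegation of com
        "a.gtld.example.": [("A", "192.0.2.2")],          # glue for the com server
    }),
    "192.0.2.2": ("com.", {                               # a com server
        "nwtraders.com.": [("NS", "ns1.nwtraders.com.")],
        "ns1.nwtraders.com.": [("A", "198.51.100.53")],   # glue
    }),
    "198.51.100.53": ("nwtraders.com.", {                 # authoritative for nwtraders.com
        "ns1.nwtraders.com.": [("A", "198.51.100.53")],
        "mail1.nwtraders.com.": [("A", "172.16.64.11")],
    }),
}


def iterative_query(server_ip: str, qname: str, qtype: str) -> Tuple[str, List[str]]:
    """One iterative query: the server answers from its own data only and never
    asks another server. Result is an authoritative answer, a referral (glue
    addresses of the delegated zone's name servers) or nxdomain."""
    apex, records = AUTH_SERVERS[server_ip]
    if not (apex == "." or qname == apex or qname.endswith("." + apex)):
        return ("refused", [])                            # not our zone
    labels = qname.split(".")
    for i in range(1, len(labels) - 1):                   # look for a delegation below the apex
        cut = ".".join(labels[i:])
        if cut == apex:
            break
        ns_names = [r for t, r in records.get(cut, []) if t == "NS"]
        if ns_names:
            glue = [r for ns in ns_names for t, r in records.get(ns, []) if t == "A"]
            return ("referral", glue)
    rdata = [r for t, r in records.get(qname, []) if t == qtype]
    return ("answer", rdata) if rdata else ("nxdomain", [])


class DnsServer:
    """A DNS server as its clients see it: cache, root hints, forwarders,
    conditional forwarders and the recursion switch."""

    def __init__(self, root_hints: List[str], forwarders: Optional[List["DnsServer"]] = None,
                 forward_only: bool = False, conditional: Optional[Dict[str, "DnsServer"]] = None,
                 recursion: bool = True) -> None:
        self.root_hints = root_hints
        self.forwarders = forwarders or []
        self.forward_only = forward_only        # never fall back to the root hints
        self.conditional = conditional or {}    # domain suffix -> server that handles it
        self.recursion = recursion              # False: non-recursive (Internet-facing) server
        self.cache: Dict[Tuple[str, str], List[str]] = {}

    def resolve(self, qname: str, qtype: str = "A",
                trace: Optional[List[str]] = None) -> Optional[List[str]]:
        """Handle a client's recursive query; every step is appended to trace."""
        trace = trace if trace is not None else []
        key = (qname, qtype)
        if key in self.cache:
            trace.append(f"cache hit for {qname}")
            return self.cache[key]
        if not self.recursion:
            trace.append(f"recursion refused for {qname}: client gets a referral only")
            return None
        for suffix, server in self.conditional.items():
            if qname.endswith(suffix):
                trace.append(f"conditional forwarder for {suffix}")
                return self._remember(key, server.resolve(qname, qtype, trace))
        for fwd in self.forwarders:
            trace.append("recursive query sent to forwarder")
            answer = fwd.resolve(qname, qtype, trace)
            if answer is not None:
                return self._remember(key, answer)
        if self.forward_only:
            trace.append("forward-only: forwarders failed, not using root hints")
            return None
        return self._remember(key, self._walk(qname, qtype, trace))

    def _remember(self, key: Tuple[str, str], answer: Optional[List[str]]) -> Optional[List[str]]:
        if answer is not None:
            self.cache[key] = answer
        return answer

    def _walk(self, qname: str, qtype: str, trace: List[str]) -> Optional[List[str]]:
        """Iterative resolution from the root hints, following referrals."""
        servers = list(self.root_hints)
        for _ in range(8):                                # bound the chase (referral loops)
            if not servers:
                return None
            kind, data = iterative_query(servers[0], qname, qtype)
            trace.append(f"iterative query to {servers[0]}: {kind}")
            if kind == "answer":
                return data
            if kind != "referral":
                return None
            servers = data
        return None


def demo() -> Tuple[Optional[List[str]], List[str]]:
    """Computer1 asks the local DNS server for mail1.nwtraders.com (the deck's example)."""
    trace: List[str] = []
    local = DnsServer(root_hints=["192.0.2.1"])
    return local.resolve("mail1.nwtraders.com.", "A", trace), trace
```

The trace returned by demo() lists the three iterative queries (root, com, nwtraders.com) that the local server sends for the one recursive query it received; a second query for the same name is answered from the cache without any of them. A server built with forward_only=True and a forwarder that cannot resolve gives up instead of using root hints, which is the behaviour to expect when the forwarder is down.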
What Is a DNS Zone?
A zone is the part of the namespace for which a DNS server holds authoritative data. In the diagram the Nwtraders zone covers the domain Nwtraders and its subdomains South, West, Sales, North, Support and Training; a subdomain can be kept in the parent zone or split off into a zone of its own.
What Are DNS Zone Types?
Zone type   Description
Primary     Read/write copy of a DNS database
Secondary   Read-only copy of a DNS database
Stub        Copy of a zone containing limited records (the SOA, NS and glue A records needed to locate the zone's authoritative servers)
Selecting Zone Data Location
• Standard zones: changes are made on the primary zone only and reach the secondary zones by zone transfer.
• Active Directory integrated zones: changes can be made on any DNS server that hosts the zone and are replicated by Active Directory replication; standard secondary zones can still pull the zone by zone transfer.
Configuring Standard Zones
• You can configure a DNS server to host standard primary zones, standard secondary zones, or any combination of zones
• You can designate a primary server or a secondary server as a master server for a standard secondary zone
Example: DNS Server A hosts the primary zone; DNS Server B and DNS Server C each host a secondary zone whose master DNS server is DNS Server A, so zone information flows from A to B and to C.
What Are Resource Records and Record Types?
Record type   Description
A             Resolves a host name to an IPv4 address
PTR           Resolves an IP address to a host name (reverse lookup)
SOA           Start of authority: the first record in any zone file; carries the serial number and the zone transfer timers
SRV           Resolves the names of servers providing a service (for example the domain controllers found through _ldap._tcp)
NS            Identifies the authoritative DNS servers for a zone
MX            Identifies the mail exchanger (mail server) for a domain
CNAME         Alias: resolves from one host name to another host name
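The records in this table are what a standard zone's database file holds. As an added example (not code from the deck), the loader below parses a zone file in master-file syntax, expands relative names against $ORIGIN, reads back the SOA timers, builds the owner name of a PTR record for reverse lookup, and rejects two errors a loader must catch: a zone whose first record is not the SOA, and a CNAME that shares its owner with other data. The sample zones, the names ns1/mail1/www and the functions parse_zone, soa_fields, validate_zone and reverse_name are constructed here; the SOA values are those on the deck's SOA tab.

```python
"""Loader for a standard zone's database file (master-file syntax, as in the
.dns files under System32\\dns). Added example, not code from the slides; the
sample zones are constructed from the names and SOA values shown in the deck."""
from typing import Dict, List, NamedTuple, Optional

RECORD_TYPES = {"A", "PTR", "SOA", "SRV", "NS", "MX", "CNAME"}
# rdata fields holding domain names, which must be expanded against $ORIGIN
NAME_FIELDS = {"NS": [0], "CNAME": [0], "PTR": [0], "MX": [1], "SRV": [3], "SOA": [0, 1]}


class RR(NamedTuple):
    name: str
    ttl: int
    rtype: str
    rdata: str


def fqdn(name: str, origin: str) -> str:
    if name == "@":
        return origin
    return name if name.endswith(".") else f"{name}.{origin}"


def reverse_name(ip: str) -> str:
    """Owner name of the PTR record for an IPv4 address."""
    return ".".join(reversed(ip.split("."))) + ".in-addr.arpa."


def parse_zone(text: str, origin: str) -> List[RR]:
    """Parse a master file: $ORIGIN/$TTL, '@', relative names, omitted owners,
    ';' comments and parenthesised multi-line rdata. Raises ValueError."""
    origin = origin if origin.endswith(".") else origin + "."
    default_ttl, last_owner, records = 3600, origin, []
    logical, buf, depth, omitted = [], "", 0, False
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].rstrip()
        if not line.strip():
            continue
        if not buf:
            omitted = line[0].isspace()        # blank owner = same owner as previous record
        buf += " " + line.strip()
        depth += line.count("(") - line.count(")")
        if depth == 0:
            logical.append((omitted, buf.replace("(", " ").replace(")", " ").split()))
            buf = ""
    if depth:
        raise ValueError("unbalanced parentheses")
    for omitted, tokens in logical:
        if tokens[0] == "$ORIGIN":
            origin = tokens[1]
            continue
        if tokens[0] == "$TTL":
            default_ttl = int(tokens[1])
            continue
        owner = last_owner if omitted else fqdn(tokens.pop(0), origin)
        ttl = int(tokens.pop(0)) if tokens[0].isdigit() else default_ttl
        if tokens[0] == "IN":
            tokens.pop(0)
        rtype = tokens.pop(0).upper()
        if rtype not in RECORD_TYPES:
            raise ValueError(f"{owner}: unsupported record type {rtype}")
        if not records and rtype != "SOA":
            raise ValueError("SOA must be the first record in the zone")
        if rtype == "SOA" and records:
            raise ValueError("only one SOA record is allowed")
        for i in NAME_FIELDS.get(rtype, []):
            tokens[i] = fqdn(tokens[i], origin)
        records.append(RR(owner, ttl, rtype, " ".join(tokens)))
        last_owner = owner
    by_owner: Dict[str, set] = {}
    for rr in records:
        by_owner.setdefault(rr.name, set()).add(rr.rtype)
    for name, types in by_owner.items():
        if "CNAME" in types and len(types) > 1:   # an alias may carry no other data
            raise ValueError(f"{name}: CNAME cannot coexist with other records")
    return records


def soa_fields(records: List[RR]) -> Dict[str, int]:
    """The timers from the SOA tab, read back from the parsed SOA rdata."""
    f = records[0].rdata.split()
    return dict(zip(("serial", "refresh", "retry", "expire", "minimum"), map(int, f[2:7])))


def validate_zone(text: str, origin: str) -> Optional[str]:
    """None if the zone loads, otherwise the loader's error message."""
    try:
        parse_zone(text, origin)
        return None
    except ValueError as exc:
        return str(exc)


# Constructed forward zone; SOA values as on the deck's SOA tab (serial 28,
# refresh 15 min, retry 10 min, expire 1 day, minimum TTL 1 hour).
SAMPLE_ZONE = """\
$ORIGIN nwtraders.com.
$TTL 3600
@   IN SOA london.contoso.com. admin.contoso.com. (
        28      ; serial
        900     ; refresh
        600     ; retry
        86400   ; expire
        3600 )  ; minimum TTL
    IN NS   ns1
    IN MX   10 mail1
ns1     IN A    198.51.100.53
mail1   IN A    172.16.64.11
www     IN CNAME mail1
_ldap._tcp IN SRV 0 100 389 ns1
"""
BAD_ZONE = SAMPLE_ZONE + "www IN A 172.16.64.12\n"   # alias plus other data: rejected
REVERSE_ZONE = """\
$ORIGIN 64.16.172.in-addr.arpa.
@   IN SOA london.contoso.com. admin.contoso.com. 1 900 600 86400 3600
    IN NS  ns1.nwtraders.com.
11  IN PTR mail1.nwtraders.com.
"""
```

validate_zone(BAD_ZONE, "nwtraders.com") returns the CNAME error instead of loading the zone; the same check is why a DNS console refuses to add an A record at a name that already has an alias.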
Zone Transfer Process
A zone transfer is initiated when:
– A master DNS server sends notification of zone changes to the secondary server or servers
– The secondary server queries a master DNS server for changes to the zone file (at the refresh interval)
The diagram shows the master DNS server holding the primary zone database file for zone 1 (nwtraders, with the subdomains support and training) and a second DNS server holding the secondary zone database file for the same zone.
Configuring Zone Transfers
• Zone transfer types
– Full zone transfer (AXFR)
– Incremental zone transfer (IXFR)
• Zone transfer properties (Start of Authority (SOA) tab of the zone properties sheet; values shown for nwtraders.msft)
– Serial number: 28 (Increment button). The serial must grow with every change, or secondary servers will not notice the change and will not transfer.
– Primary server: london.contoso.com
– Responsible person: admin.contoso.com
– Refresh interval: 15 minutes (default)
– Retry interval: 10 minutes (default)
– Expires after: 1 day (default)
– Minimum (default) TTL: 0:1:0:0 (1 hour)
– TTL for this record: 0:1:0:0 (1 hour)
• Zone Transfers tab: "A zone transfer sends a copy of the zone to requesting servers." Allow zone transfers:
– To any server (any host that can reach the server can copy the whole zone; avoid this on Internet-facing servers)
– Only to servers listed on the Name Servers tab
– Only to the following servers (IP address list, Add / Remove)
• Configuring DNS Notify: "To specify secondary servers to be notified of zone updates, click Notify…"
(The other tabs on the zone properties sheet are General, Name Servers, WINS and Security.)
How DNS Notify Works
DNS Notify is an update to the original DNS protocol specification that permits notification of secondary servers when zone changes occur:
1. A resource record is updated on the source server (the primary and master server).
2. The SOA serial number is updated.
3. The source server sends a DNS Notify message to the destination (secondary) server.
4. The secondary server compares serial numbers and pulls a zone transfer.
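The transfer process and the Notify sequence above, as an added Python model (not code from the deck): a change on the primary bumps the SOA serial and writes a journal entry, the primary notifies only the servers on its notify list, the secondary compares serials with RFC 1982 serial arithmetic (so the 32-bit serial can wrap) and pulls an IXFR when the journal covers its serial or a full AXFR otherwise, and the master applies the "Allow zone transfers" policy before serving anything. The refresh/retry/expire timers are not simulated; refresh() stands for whatever fires them. Zone names, addresses (RFC 5737 ranges) and the names PrimaryZone, SecondaryZone, serial_newer and transfer_refused are constructed for this example.

```python
"""Model of the zone transfer process: a change bumps the SOA serial, the master
sends DNS Notify, the secondary compares serials and pulls IXFR or AXFR, and the
master enforces 'Allow zone transfers'. Added example, not code from the slides;
addresses are constructed from the RFC 5737 ranges."""
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

MASK32 = 0xFFFFFFFF


def serial_newer(a: int, b: int) -> bool:
    """RFC 1982 serial arithmetic: is a newer than b? Lets the 32-bit serial
    wrap, which a plain a > b does not."""
    return a != b and ((a - b) & MASK32) < 0x80000000


@dataclass
class PrimaryZone:
    name: str
    serial: int
    records: Dict[str, str]                       # owner -> A rdata (toy)
    allow_transfer: str = "listed"                # "any" | "name_servers" | "listed"
    name_servers: Set[str] = field(default_factory=set)
    listed_ips: Set[str] = field(default_factory=set)
    notify_targets: Set[str] = field(default_factory=set)
    journal: List[Tuple[int, str, str, str]] = field(default_factory=list)  # (serial, op, owner, rdata)
    journal_base: int = field(init=False)

    def __post_init__(self) -> None:
        self.journal_base = self.serial           # IXFR deltas are available back to this serial

    def update(self, owner: str, rdata: str) -> int:
        """Steps 1-2: change a record and increment the SOA serial."""
        self.serial = (self.serial + 1) & MASK32
        old = self.records.get(owner)
        if old is not None:
            self.journal.append((self.serial, "del", owner, old))
        self.records[owner] = rdata
        self.journal.append((self.serial, "add", owner, rdata))
        return self.serial

    def transfer_allowed(self, ip: str) -> bool:
        """The Zone Transfers tab: any server / Name Servers tab / listed IPs."""
        if self.allow_transfer == "any":
            return True
        if self.allow_transfer == "name_servers":
            return ip in self.name_servers
        return ip in self.listed_ips

    def transfer(self, ip: str, have_serial: int):
        """Serve an IXFR from the journal, or a full AXFR when the requester's
        serial is older than the journal covers."""
        if not self.transfer_allowed(ip):
            raise PermissionError(f"zone transfer refused for {ip}")
        if serial_newer(self.journal_base, have_serial):
            return "AXFR", self.serial, dict(self.records)
        return "IXFR", self.serial, [j for j in self.journal if serial_newer(j[0], have_serial)]

    def notify(self, secondaries: List["SecondaryZone"]) -> List[str]:
        """Step 3: send DNS Notify to the configured targets only."""
        return [s.on_notify(self) for s in secondaries if s.ip in self.notify_targets]


@dataclass
class SecondaryZone:
    ip: str
    master: PrimaryZone
    serial: int = 0
    records: Dict[str, str] = field(default_factory=dict)

    def refresh(self) -> str:
        """Run at the refresh interval or after a Notify: read the master's SOA
        serial and transfer only if it is newer than ours."""
        if not serial_newer(self.master.serial, self.serial):
            return "up-to-date"
        kind, new_serial, payload = self.master.transfer(self.ip, self.serial)
        if kind == "AXFR":
            self.records = payload
        else:
            for _, op, owner, rdata in payload:
                if op == "add":
                    self.records[owner] = rdata
                else:
                    self.records.pop(owner, None)
        self.serial = new_serial
        return kind

    def on_notify(self, sender: PrimaryZone) -> str:
        """Step 4: act only on a Notify from our configured master; anything
        else is ignored and never triggers a transfer from the sender."""
        return self.refresh() if sender is self.master else "ignored"


def transfer_refused(primary: PrimaryZone, ip: str) -> bool:
    try:
        primary.transfer(ip, 0)
        return False
    except PermissionError:
        return True


def demo() -> Dict[str, object]:
    primary = PrimaryZone("nwtraders.com.", serial=28, records={"mail1": "172.16.64.11"},
                          listed_ips={"198.51.100.2"}, notify_targets={"198.51.100.2"})
    secondary = SecondaryZone(ip="198.51.100.2", master=primary)
    first = secondary.refresh()                   # initial load: full AXFR
    primary.update("www", "172.16.64.12")         # serial 28 -> 29
    notified = primary.notify([secondary])        # Notify -> SOA check -> IXFR
    return {"first": first, "notified": notified, "serial": secondary.serial,
            "records": dict(secondary.records)}
```

Two points the model makes explicit: a secondary that acts on a Notify from anyone but its configured master could be made to transfer from an attacker's server, and a zone left on "To any server" hands its complete record list to any host that asks, which is the first thing a penetration tester tries against a DNS server.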
Configuring AD Integrated Zones
• Active Directory integrated zone data is
– Stored as an Active Directory object
– Replicated as part of domain replication
(Diagram: the contoso.com DNS server keeps its Active Directory integrated zone in Active Directory.)
What Are Directory Partitions?
Partition        Scope          Contains
Schema           Forest         Definitions and rules for creating and manipulating objects and attributes
Configuration    Forest         Information about the Active Directory structure
Domain           Domain         Information about domain-specific objects
<Application>    Configurable   Information about applications; replication scope is chosen when the partition is created
Selecting a partition: an Active Directory integrated zone can be stored in the domain partition, in the forest-wide application partition, or in the domain-wide application partition.
Configuring Dynamic Updates
• DNS Dynamic Update Protocol
– Allows clients to automatically update DNS servers
– Can be used in conjunction with DHCP
Example (Computer1, a DHCP server, and a DNS server with its zone database):
1. Computer1 requests an IP address from the DHCP server.
2. The DHCP server assigns 192.168.120.133.
3. A Windows 2000, XP or 2003 client updates its own forward (A) resource record on the DNS server, and the DHCP server updates the reverse (PTR) resource record; for other clients the DHCP server updates both resource records.
Securing Dynamic Updates
On the General tab of the zone properties sheet (nwtraders.msft; Status: Running; Type: Active Directory-integrated; "Data is stored in Active Directory"), set "Allow dynamic updates?" to "Only secure updates". Secure dynamic updates are available only for Active Directory integrated zones; with nonsecure updates allowed, any host on the network can overwrite another host's records. The Aging… button on the same tab sets the aging/scavenging properties.
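The dynamic update and secure update behaviour from the last two slides, as an added Python model (not code from the deck): a zone accepts UPDATE messages under one of the three settings, a secure-only zone rejects unauthenticated updates and lets only the principal that created a record change it, and a DHCP server registers records on behalf of clients as the slide describes. The demo shows a host hijacking computer1's A record in a zone that allows nonsecure updates and failing in a secure-only zone. Principal names such as COMPUTER1$ and DHCPSRV$, the zone names and the names DynamicZone, DhcpServer and demo are constructed; the observation that a record registered by the DHCP server is then owned by the DHCP server, not the client, is the editor's, not the deck's.

```python
"""Model of DNS dynamic update under the three 'Allow dynamic updates?' settings
and the DHCP/client division of labour from the slides. Added example, not code
from the deck. Principal names are constructed; in Windows the principal is the
computer account (or the DHCP server's account) authenticated by GSS-TSIG."""
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

NONE, NONSECURE_AND_SECURE, SECURE_ONLY = "none", "nonsecure_and_secure", "secure_only"


@dataclass
class Record:
    rdata: str
    owner: Optional[str]      # principal that created it; None if registered unauthenticated


@dataclass
class DynamicZone:
    name: str
    policy: str
    records: Dict[Tuple[str, str], Record] = field(default_factory=dict)

    def update(self, name: str, rtype: str, rdata: str,
               principal: Optional[str] = None) -> Tuple[bool, str]:
        """Apply one UPDATE. principal is the authenticated sender, None if unsigned."""
        if self.policy == NONE:
            return False, "REFUSED: dynamic updates disabled"
        if self.policy == SECURE_ONLY and principal is None:
            return False, "REFUSED: unauthenticated update in a secure-only zone"
        key = (name.lower(), rtype)
        existing = self.records.get(key)
        # Secure zone: the creator owns the record's ACL; other principals cannot change it.
        if existing and self.policy == SECURE_ONLY and existing.owner != principal:
            return False, f"REFUSED: {name} is owned by {existing.owner}"
        self.records[key] = Record(rdata, principal)
        return True, "NOERROR"

    def lookup(self, name: str, rtype: str) -> Optional[str]:
        rec = self.records.get((name.lower(), rtype))
        return rec.rdata if rec else None


def reverse_name(ip: str) -> str:
    return ".".join(reversed(ip.split("."))) + ".in-addr.arpa."


class DhcpServer:
    """Step 3 of the slide: a Windows 2000/XP/2003 client registers its own A
    record and DHCP registers the PTR; for other (legacy) clients DHCP does both."""

    def __init__(self, forward: DynamicZone, reverse: DynamicZone, principal: str = "DHCPSRV$"):
        self.forward, self.reverse, self.principal = forward, reverse, principal

    def lease(self, host: str, ip: str, client_principal: Optional[str],
              legacy: bool) -> Dict[str, Tuple[bool, str]]:
        a_owner = self.principal if legacy else client_principal
        return {"A": self.forward.update(host, "A", ip, a_owner),
                "PTR": self.reverse.update(reverse_name(ip), "PTR", host, self.principal)}


def demo() -> Dict[str, Tuple[bool, str]]:
    secure = DynamicZone("nwtraders.msft.", SECURE_ONLY)
    rev = DynamicZone("120.168.192.in-addr.arpa.", SECURE_ONLY)
    dhcp = DhcpServer(secure, rev)
    out: Dict[str, Tuple[bool, str]] = {}
    out["client"] = dhcp.lease("computer1.nwtraders.msft.", "192.168.120.133",
                               "COMPUTER1$", legacy=False)["A"]
    # Another machine tries to take over computer1's name, unsigned and then signed as itself.
    out["unsigned"] = secure.update("computer1.nwtraders.msft.", "A", "203.0.113.9")
    out["other_principal"] = secure.update("computer1.nwtraders.msft.", "A", "203.0.113.9", "EVIL$")
    # Same attack against a zone that also accepts nonsecure updates: it succeeds.
    open_zone = DynamicZone("nwtraders.msft.", NONSECURE_AND_SECURE)
    open_zone.update("computer1.nwtraders.msft.", "A", "192.168.120.133", "COMPUTER1$")
    out["hijack_open_zone"] = open_zone.update("computer1.nwtraders.msft.", "A", "203.0.113.9")
    # Legacy client: DHCP owns the A record, so the client cannot later update it itself.
    out["legacy"] = dhcp.lease("legacy1.nwtraders.msft.", "192.168.120.134", None, legacy=True)["A"]
    out["legacy_self"] = secure.update("legacy1.nwtraders.msft.", "A", "192.168.120.135", "LEGACY1$")
    return out
```

The model is the reason the slide says "Only secure updates": the only difference between the hijack that succeeds and the one that fails is the zone setting, not anything the attacker does.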
Creating a Subdomain
• Create a subdomain to better organize your namespace
• Delegate authority of a subdomain to
– Delegate management of portions of the namespace
– Delegate administrative tasks of maintaining one large DNS database
Example tree: root "."; top-level domains org., com., edu., tw.; second-level domain microsoft.com.; subdomain training.microsoft.com.
DNS Server Roles
Role                     Situation
Caching-only server      A remote office has a limited amount of available bandwidth
Non-recursive server     You have Internet-facing DNS servers that are authoritative for one or more zones
Forward-only server      You want to manage the DNS traffic between your network and the Internet
Conditional forwarder    You want DNS clients in separate networks to resolve each other's names without having to query the DNS server on the Internet
How the Time-to-Live Value Works
The Time-to-Live (TTL) value is a time-out value, expressed in seconds, that is included with DNS records returned in a DNS query.
1. The TTL is set on the zone held by the authoritative DNS Server1 and applies to the records in that zone.
2. The records in the zone are sent to other DNS servers (DNS Server2) and to clients in response to queries.
3. DNS servers and DNS clients that store the record in their cache hold the record for the TTL period supplied in the record; when the TTL expires, the record is removed from the cache.
Reducing Network Traffic by Using Caching-Only Servers
Caching-only servers
– Perform name resolution on behalf of client computers and cache the results
– Can be used to reduce DNS-related traffic across a WAN
(Diagram: clients in the remote office query a caching-only DNS server; only cache misses cross the slow WAN link to the DNS server at corporate headquarters.)
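The TTL rules and the caching-only server from the last two slides, as an added Python model (not code from the deck): a cache keeps each record until the TTL the answer carried has elapsed, hands it on with the remaining lifetime so that downstream caches cannot keep it longer than the authoritative server allowed, drops it on expiry, and never caches a TTL of 0. A caching-only server at the remote office counts how many queries still cross the WAN. The authoritative data, the zone TTL of 3600 seconds, the clock and the names ResolverCache, CachingOnlyServer and hq_server are constructed for this example.

```python
"""Resolver cache driven by record TTLs, and a caching-only server at a remote
office counting what still crosses the WAN. Added example, not code from the
slides; the authoritative data and the clock are constructed."""
from typing import Callable, Dict, List, Optional, Tuple

Answer = Tuple[str, int]                       # (rdata, ttl in seconds)


class FakeClock:
    """Injected clock so the example runs without waiting for real time."""

    def __init__(self, now: int = 0) -> None:
        self.now = now

    def __call__(self) -> int:
        return self.now

    def advance(self, seconds: int) -> None:
        self.now += seconds


class ResolverCache:
    """Holds records for the TTL the answer carried and hands them on with the
    remaining lifetime, so a downstream cache cannot keep them longer."""

    def __init__(self, clock: Callable[[], int]) -> None:
        self.clock = clock
        self.entries: Dict[Tuple[str, str], Tuple[str, int]] = {}   # key -> (rdata, expiry)

    def put(self, name: str, rtype: str, rdata: str, ttl: int) -> None:
        if ttl <= 0:
            return                                  # TTL 0: do not cache
        self.entries[(name, rtype)] = (rdata, self.clock() + ttl)

    def get(self, name: str, rtype: str) -> Optional[Answer]:
        entry = self.entries.get((name, rtype))
        if entry is None:
            return None
        rdata, expiry = entry
        remaining = expiry - self.clock()
        if remaining <= 0:
            del self.entries[(name, rtype)]          # TTL expired: removed from the cache
            return None
        return rdata, remaining


class CachingOnlyServer:
    """No zones of its own: answers from cache, otherwise resolves over the WAN."""

    def __init__(self, upstream: Callable[[str, str], Optional[Answer]],
                 clock: Callable[[], int]) -> None:
        self.upstream = upstream
        self.cache = ResolverCache(clock)
        self.wan_queries = 0

    def query(self, name: str, rtype: str = "A") -> Optional[Tuple[str, int, str]]:
        hit = self.cache.get(name, rtype)
        if hit:
            return hit[0], hit[1], "cache"
        self.wan_queries += 1
        answer = self.upstream(name, rtype)
        if answer is None:
            return None
        self.cache.put(name, rtype, *answer)
        return answer[0], answer[1], "wan"


# Constructed authoritative zone at corporate headquarters; TTL set on the zone.
ZONE_TTL = 3600
HQ_ZONE = {("mail1.nwtraders.com.", "A"): "172.16.64.11",
           ("www.nwtraders.com.", "A"): "172.16.64.12"}


def hq_server(name: str, rtype: str) -> Optional[Answer]:
    rdata = HQ_ZONE.get((name, rtype))
    return (rdata, ZONE_TTL) if rdata else None


def demo() -> Tuple[List[Optional[Tuple[str, int, str]]], int]:
    """Clients at the remote office ask for the same name at t = 0, 1000, 3000, 3601 s."""
    clock = FakeClock()
    remote = CachingOnlyServer(hq_server, clock)
    steps = []
    for advance in (0, 1000, 2000, 601):
        clock.advance(advance)
        steps.append(remote.query("mail1.nwtraders.com."))
    return steps, remote.wan_queries
```

Of the four queries in demo() only two cross the WAN, and the second is sent only after the 3600-second TTL has run out. The shrinking TTL in the cached answers (3600, 2600, 600) is what keeps every cache in the chain inside the lifetime the authoritative server set.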
How Aging and Scavenging Works
Timeline for a dynamically registered record:
– Jan 1: the record is created and time stamped.
– No-refresh interval (7 days, to Jan 8): refreshes that do not change the record are not written, so the time stamp stays at Jan 1.
– Refresh interval (7 days, to Jan 15): a refresh from the client updates the time stamp.
– After Jan 15, if the record has not been refreshed, aging marks it stale and scavenging deletes it.
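The aging and scavenging timeline above, as an added Python model (not code from the deck): a dynamic registration stamps the record, a refresh with unchanged data inside the no-refresh interval is suppressed, a refresh in the refresh interval re-stamps it, a record whose data changes is always written, statically created records carry no stamp and are never scavenged, and scavenging deletes every stamped record older than no-refresh plus refresh. Days are counted from Jan 1 with the slide's 7-day intervals; the host names and the names AgingZone and demo are constructed for this example.

```python
"""Model of aging and scavenging with the slide's timeline (stamped Jan 1,
no-refresh 7 days, refresh 7 days, eligible for scavenging from Jan 15).
Added example, not code from the slides; days are counted from Jan 1."""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional

DAY = 86400


@dataclass
class AgedRecord:
    rdata: str
    timestamp: Optional[int]      # seconds; None = static record, never scavenged


class AgingZone:
    def __init__(self, clock: Callable[[], int], no_refresh: int = 7 * DAY,
                 refresh: int = 7 * DAY, scavenging: bool = True) -> None:
        self.clock = clock
        self.no_refresh, self.refresh, self.scavenging = no_refresh, refresh, scavenging
        self.records: Dict[str, AgedRecord] = {}

    def add_static(self, name: str, rdata: str) -> None:
        """Manually created records have no time stamp and are never aged."""
        self.records[name] = AgedRecord(rdata, None)

    def dynamic_update(self, name: str, rdata: str) -> str:
        """Client registration or refresh. A refresh (same data) inside the
        no-refresh interval is not written; a change, or a refresh after the
        no-refresh interval, re-stamps the record."""
        now = self.clock()
        rec = self.records.get(name)
        if (rec and rec.timestamp is not None and rec.rdata == rdata
                and now < rec.timestamp + self.no_refresh):
            return "suppressed"
        self.records[name] = AgedRecord(rdata, now)
        return "refreshed" if rec else "added"

    def stale_after(self, name: str) -> Optional[int]:
        """Time from which the record may be scavenged (None for static records)."""
        rec = self.records[name]
        if rec.timestamp is None:
            return None
        return rec.timestamp + self.no_refresh + self.refresh

    def scavenge(self) -> List[str]:
        """Delete the records whose no-refresh + refresh window has passed."""
        if not self.scavenging:
            return []
        now = self.clock()
        stale = [name for name in self.records
                 if self.stale_after(name) is not None and now >= self.stale_after(name)]
        for name in stale:
            del self.records[name]
        return stale


def demo() -> Dict[str, object]:
    now = {"t": 0}                                 # day 0 = Jan 1
    zone = AgingZone(lambda: now["t"])
    zone.add_static("router", "192.168.120.1")
    out: Dict[str, object] = {}
    out["jan1"] = zone.dynamic_update("computer1", "192.168.120.133")      # added
    out["jan1_oldpc"] = zone.dynamic_update("oldpc", "192.168.120.140")    # never refreshed again
    now["t"] = 3 * DAY
    out["jan4"] = zone.dynamic_update("computer1", "192.168.120.133")      # no-refresh: suppressed
    now["t"] = 9 * DAY
    out["jan10"] = zone.dynamic_update("computer1", "192.168.120.133")     # refresh interval: re-stamped
    now["t"] = 14 * DAY                                                    # Jan 15
    out["scavenged_jan15"] = zone.scavenge()                               # oldpc only
    out["computer1_stale_day"] = zone.stale_after("computer1") // DAY      # 9 + 7 + 7 = 23
    out["static_kept"] = "router" in zone.records
    return out
```

The suppressed refresh is what makes the scheme cheap in an Active Directory integrated zone: a time stamp that is not written is not replicated. The same rule is why intervals shorter than the clients' registration period (Windows clients re-register about once a day) would delete live records; the slide's 7 + 7 days leaves a wide margin.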
What Is DNS Debug Logging?
DNS debug logging is an optional logging tool for DNS that records the DNS information that you select, for example the packets sent and received by the primary DNS Server1 and the secondary DNS Server2.
Planning a DNS Implementation • Small Companies – Can use ISP DNS servers for queries and to store company domain names
• Larger Companies – Maintain their own DNS servers
• Two DNS Servers Recommended – Primary name server – Secondary name server
DNS Namespace Options
Option                Existing DNS namespace   Internal namespace
Same namespace        nwtraders.com            nwtraders.com
Delegated namespace   nwtraders.com            ad.nwtraders.com
Unique namespace      nwtraders.com            nwtraders.local
Connecting DNS to the Internet
Place the external DNS server in a screened subnet between two firewalls; the internal DNS server stays on the private network. Two flows cross the firewalls:
• Forwarding DNS queries from the internal DNS server to Internet DNS servers
• Responding to DNS queries from the Internet DNS servers for the public zone
Integrating DNS into Screened Subnets
Example: public.contoso.msft is held as a primary DNS zone on the private network and as a secondary DNS zone on the DNS server in the screened subnet, which sits between the Internet firewall and the private-network firewall.
• Zones in the screened subnet contain records for public resources only
• Configure firewalls to permit appropriate DNS traffic (UDP and TCP port 53, the latter needed for zone transfers)
• Place only secondary zones in the screened subnet, so a compromised server there cannot change the zone
• Encrypt replication (zone transfer) traffic with IPSec