Re: 70-294 next week
From: *FESWANY (alkholy2000_at_hotmail.com)
Date: 01/28/05
- Next message: *FESWANY: "Re: 70-294 next week"
- Previous message: LnkWizard: "Re: How many exams?"
- Maybe in reply to: *FESWANY: "Re: 70-294 next week"
- Next in thread: *FESWANY: "Re: 70-294 next week"
- Messages sorted by: [ date ] [ thread ]
Date: Fri, 28 Jan 2005 17:02:33 +0200
There is an important distinction to make between DNS zones and Active Directory domains. Although both use hierarchical names and require name resolution, DNS zones do not map directly to DNS domains. As shown in Figure 2.5, a zone may be an entire domain or represent only part of one.

FIGURE 2.5 The relationship between DNS domains and zones

With this information in mind, let's take a more detailed look at the actual process of DNS name resolution.
DNS Name Resolution

When using the Internet, DNS queries are extremely common. For example, every time you click a link to visit a Web site, a DNS query must be made. In the simplest scenario, the client computer requests a DNS address from its designated DNS server. If the DNS server has information about the IP address for the specified host name, it returns that information to the client, and the client then uses the IP address to initiate communications with the host. This process is shown in Figure 2.6.

FIGURE 2.6 A simple DNS name resolution process
What happens, though, if the DNS server does not contain information about the specific host requested? In this case, the DNS server itself initiates a query to another DNS server, which thereby assumes responsibility for ultimately resolving the name. If the second DNS server is unable to fulfill the request, it, in turn, queries another. This process is known as recursion.

In the process of recursion, one DNS server will contact another, which will then contact another until one of the servers is able to resolve the host name. The name resolution process will usually begin with a query to the top-level DNS servers and continue downward through the domain hierarchy until the resource is reached. If, at this point, the name still cannot be resolved, an error is returned to the client. Figure 2.7 illustrates the process of recursion.

Usually, DNS servers include information about the root- and top-level DNS servers. This information is entered during the initial configuration of the server.
FIGURE 2.7 DNS name resolution through recursion
Because recursion is such an important process, let's look at an example. Suppose I want to connect to the DNS name Computer1.sales.somecompany.com. The following steps will occur to make this happen:

1. The client requests information from its preferred DNS server.
2. The preferred DNS server is unable to find a resource record for this information in its own cache and must therefore query another server. The DNS server first queries a root server and then sends a query to the top-level domain server and requests information about the server that has authority over the somecompany.com domain.
3. Once the information is obtained, the preferred DNS server then queries the somecompany.com DNS server for information about the computer1 host name within the sales domain.
4. The client's preferred DNS server then returns the IP address of the host name to the client. It can then use the IP address to communicate with the host. The preferred DNS server may choose to cache a copy of the resource record information just in case additional requests for the domain name are made.
A client may also be configured to query multiple DNS servers for names. This process is known as iteration. Iteration is normally used when a client

In the previous chapter, we looked at the things you need to consider before you implement the Active Directory in your own environment. In this chapter on the Domain Name System (DNS), we'll look at the technical details of implementing the Active Directory and DNS. Understanding DNS is vital to the deployment of the Active Directory and is a prerequisite for installing and configuring domain controllers (which we'll cover in more detail in Chapter 3, "Installing and Configuring the Active Directory"). A common mistake made by systems administrators is underestimating the importance and complexity of DNS. The Active Directory itself relies on DNS in order to find clients, servers, and network services that are available throughout your environment. Clients rely on DNS in order to find the file, print, and other resources they require to get their jobs done. Fully understanding DNS is not an easy task, especially for those who have limited experience with Transmission Control Protocol/Internet Protocol (TCP/IP). However, the understanding and proper implementation of DNS is vital to the use of Active Directory.
DNS Overview

DNS is a TCP/IP standard that is designed to resolve Internet Protocol (IP) addresses to host names. One of the inherent complexities of working in networked environments involves working with various protocols and network addresses. Thanks largely to the tremendous rise in popularity of the Internet, however, most environments have transitioned to the use of TCP/IP as their primary networking protocol, and Microsoft is no exception when it comes to support for TCP/IP. All current versions of Microsoft operating systems support it, as do almost all other modern operating systems. Since the introduction of Windows NT 4, TCP/IP has been the default protocol installed.

TCP/IP is actually a collection of different technologies that allow computers to function together on a single network. Some of the major advantages of the protocol include widespread support for hardware, software, and network devices, reliance on a system of standards, and scalability. TCP/IP is not the simplest protocol to understand, however. As it was designed to support large heterogeneous networks, there are many issues involved with TCP/IP addressing, the use of subnets, routing, and name resolution. It is beyond the scope of this chapter to fully describe the intricacies of working with TCP/IP. However, we will cover the information required to understand DNS as it relates to Windows 2000 and the Active Directory.
TCP/IP and DNS are based on a series of standards ratified by the Internet Engineering Task Force (IETF), a global standards organization. The job of this committee is to consider submissions for new features to the TCP/IP protocol and other related communications methods. Standards that are approved by the IETF are covered in Requests for Comments (RFCs). If you are looking for in-depth technical information on various Internet protocols and standards, see www.ietf.org.
An IP address is simply a number used to uniquely identify a computer on a TCP/IP network. The address takes the form of four octets (eight binary bits), each of which is represented by a decimal number between 0 and 255. Decimal points logically separate each of the decimally represented numbers. For example, all of the following are valid IP addresses:

128.45.23.17
230.212.43.100
10.1.1.1

Believe it or not, the dotted decimal notated representation was created to make it easier for humans to deal with IP addresses. Obviously, this idea did not go far enough, hence the development of the other abstraction layer of using names to represent the dotted decimal notation. For example, 11000000 10101000 00000001 00010101 maps to 192.168.1.21, which maps to server1.company.org, which is how the address is usually presented to the user or application. First, ASCII flat files, called HOSTS files, were used, but as the number of entries grew, this became unwieldy with manual updates required. This was the impetus for the development of DNS.
When dealing with large networks, it is vital for users and network administrators alike to be able to locate the resources they require with a minimal amount of searching. From a user's standpoint, they don't care about the actual physical or logical network address of the machine. They just want to be able to connect to it using a simple name. From a network administrator's standpoint, however, each machine must have its own logical address that makes it part of the network on which it resides. Therefore, some method for resolving a machine's logical name to an IP address is required. DNS was created to do just that.
DNS is based on an Internet standard defined by the IETF. It is a hierarchical naming system that contains a distributed database of name-to-IP address mappings. A DNS name is much friendlier and easier to remember than an IP address. For example, every time you enter a URL (such as www.microsoft.com), your computer makes a query to a DNS server that resolves it to an IP address. From then on, all communications between your computer and Microsoft's Web server take place using the IP address. The beauty of the system is that it's all transparent to users. The scalability and reliability of DNS can easily be seen by its widespread use on the Internet.
From a network and systems administration standpoint, however, things are considerably more complex. The Active Directory itself is designed to use DNS to locate servers and clients. Microsoft has included a DNS server service with the Windows 2000 operating system. As we'll see, Microsoft has also included many advanced features (some of which are not yet part of the IETF-approved standard DNS) in order to reduce the complexity of maintaining DNS databases.
If you're new to DNS, the following sections will provide a lot of useful information on how DNS works. If you're a seasoned DNS veteran, you should still read about Windows 2000's DNS, which includes several additional features and enhancements that will be covered thoroughly in this chapter. We'll begin this chapter by looking at how DNS works. Then, we'll move on to look at how Microsoft's implementation of DNS can be used for name resolution. Finally, we'll look at the integration between the Active Directory and DNS.
DNS Namespace

If the world could run on only one flat network, things might be easier. We wouldn't need subnets, routers, and switches to isolate connections from each other. In the real world, however, technological and other limitations force network and systems administrators to create and adhere to their own specific set of names and network addresses. Furthermore, hierarchical names are extremely useful and necessary when participating in a worldwide network such as the Internet. For example, if I have a computer called Workstation1, there must be some way to distinguish it from another computer with the same name at a different company. Similar to the way the Active Directory uses hierarchical names for objects, DNS allows for the use of a virtually unlimited number of machines. In this section, we'll look at how these friendly names are structured.
The Anatomy of a DNS Name

We already mentioned that DNS is designed to resolve network addresses with friendly names. DNS names take the form of a series of alphanumeric strings separated by decimal points. Together, the various portions of a DNS name form what is called the DNS namespace, and each address within it is unique. All of the following examples are valid DNS names:

microsoft.com
www.microsoft.com
sales.microsoft.com
engineering.microsoft.com

The leftmost portion of the name is called the host name and refers to the actual name of a machine. The remaining portions are part of the domain name and uniquely specify the network on which the host resides. The full name is referred to as the Fully-Qualified Domain Name (FQDN). For example, the host name might be engineering, whereas the FQDN is engineering.microsoft.com.
There are several features and limitations to note about a DNS name:

- The name is hierarchical. The domains listed at the right-most side of the address are higher-level domains. As you move left, each portion zooms in on the actual host. In other words, as you read from left to right, you are moving from the specific host name to its various containers.
- The name is case-insensitive. Although DNS names are sometimes printed in mixed-case for clarity, the case of the characters has no relevance.
- Each FQDN on a given network must be unique. No two machines on the same network may have the same FQDN. This requirement ensures that each machine can be uniquely identified.
- Only certain characters are allowed. Each portion of the DNS name may include only standard English characters, decimal numbers, and dashes.
- There are maximum lengths for addresses. A DNS address can have a maximum length of 255 characters, and each name within the full name can have up to 63 characters.

Figure 2.1 shows an example of a valid hierarchical domain name.

FIGURE 2.1 A sample DNS namespace

Now that we know the structure of a DNS name, let's move on to look at how the name is actually composed in the real world.
The Root

In order to be able to resolve friendly names with IP addresses, we must have some starting point. All DNS names originate from one address known as the root. This address typically does not have a name and is represented in the DNS as a ".". Until recently there were only nine root DNS servers in the world. After the last Internet brownout, this number was increased and their administration policies were modified. Registered in the root servers are the standard top-level domains with which most people are familiar.

Many organizations worldwide require domain names to be resolved starting at the root. That is the purpose of the top-level domains. On the Internet, there are several established top-level domains. Table 2.1 provides a list of the common North American top-level domains. Each domain space is reserved for a particular type of user, also shown in the table.

In addition to these top-level domain names, there are many country codes for top-level domains throughout the world. Each is managed by its own authority. For example, a DNS name that is based in the United Kingdom may have a domain name of mycompany.co.uk. If you require a foreign domain name registration, you should inquire with the country's name service provider.

In order for an organization's own domain name to be resolved on the Internet, it must request that a second-level domain name be added to the global top-level DNS servers. Several registrars can perform this function worldwide.
TABLE 2.1 North American Top-Level Domain Names

Top-Level Domain   Typical Users
.com               Commercial organizations
.edu               Educational institutions
.gov               U.S. governmental organizations
.int               International organizations
.mil               U.S. military organizations
.net               Large network providers (such as Internet Service Providers)
.org               Nonprofit organizations
For more information on registering a domain name for your own organization, see www.internic.net. There, you will find a list of common registrars available worldwide. There is a nominal charge for each domain name you register.
The name that is registered on the Internet is known as a second-level domain name. Company1.com, for example, would be considered a second-level domain name. Within an organization, however, all of the domain names would be subdomains of this one. Figure 2.2 provides an example of how the various levels of DNS domain names form a hierarchy.

FIGURE 2.2 A DNS name hierarchy
[Figure 2.2 labels: Root Domain; company.com (Second-Level Domain); sales.company.com; engineering.company.com; europe.engineering.company.com; asia.engineering.company.com; server1.sales.company.com; workstation1.europe.engineering.company.com]

A major consideration of DNS namespace configuration is whether or not you want to trust public Internet Service Providers (ISPs) for name resolution. If not, the alternative is to host your own domain name (which can consist of any top-level domain name you choose), but your servers cannot be made directly accessible on the Internet. For example, I might choose to use the names sales.mycompany and engineering.mycompany. Although these are perfectly valid DNS names for internal use, Internet users will not be able to access them. On the other hand, I could trust public Internet authorities and use names such as sales.mycompany.com and engineering.mycompany.com (as long as I am the registered owner of the mycompany.com domain name). In this last scenario, you would need to rely on the DNS servers managed by your ISP (Internet Service Provider) for external name resolution.
Parent and Child Names

Once an organization has registered its own domain name, it must list that name on a DNS server. This might be a server controlled by the organization itself, or it might be one controlled by a third party such as an ISP that hosts the name. In either case, systems and network administrators can start adding names to their DNS servers using this top-level domain name.

If, for example, I have three computers that I want to make available on the Internet, I would first need to register a second-level domain name, such as mycompany.com. I could then choose to add my own domain names, such as the following:

www.mycompany.com
mail.mycompany.com
computer1.northamerica.sales.mycompany.com

Each of these domain names must be listed on the DNS server as a resource record (RR). The records themselves consist of a domain name to IP address mapping. When users try to access one of these machines (through a Web browser, for example), the name will be resolved with the appropriate TCP/IP address.

DNS servers themselves are responsible for carrying out various functions related to name resolution. One of these functions is related to fulfilling DNS name mapping requests. If a DNS server has information about the specific host name specified in the request, it simply returns the appropriate information to the client that made the request. If, however, the DNS server does not have information about the specific host name, it must obtain that information from another DNS server. In this case, a process called name resolution is required. In order to resolve names of which it has no knowledge, DNS servers query other DNS servers for that information. As a result, you can see how a worldwide network of names can be formed. Later in this chapter, we'll see the various steps required to ensure that DNS servers are communicating worldwide.
Planning a DNS Structure

It is extremely important for your organization to choose intuitive and consistent names when planning its DNS infrastructure. These are the names that users throughout the world will use to access your resources. The root domain name is especially important since it will be a part of the FQDN of all the machines on your network. For example, many users are accustomed to accessing a company's main Web servers via the host name www, and they may find it difficult to access your main Web servers if you use another host name. In this section, we'll look at several issues related to selecting internal and external DNS names.
Selecting a DNS Root Name

The first step in establishing a DNS structure for your organization involves selecting a top-level domain name. The most common choice for a top-level domain is .COM (for commercial companies). Usually, you would then want to reserve a second-level domain name based on the name of your company. Currently, however, due to the large number of registered domains, it may be difficult to reserve that name. In any case, you should inquire with the Internet Network Information Center (InterNIC) at www.internic.net to find a usable domain name. A good name would be one that is easy to remember and that people will quickly associate with your company. If your company has a long name or its name consists of multiple words, you might want to abbreviate it. For example, users might find ComputerTechnologiesInc.com difficult to type, whereas CompTech.com is much simpler. Some common guidelines for choosing a suitable name include the following:

- Choose a name that is similar to the name of your company.
- Use a name that will not usually change. Department or product names, for example, might change over time, whereas company names will remain relatively static.
- Ensure that you have the approval of your company's management
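The recursive walk in the numbered Computer1.sales.somecompany.com steps and the naming rules under "The Anatomy of a DNS Name", modelled in Python as an added example that is not part of this post or of the book it quotes. The root, .com and somecompany.com servers, the zone data and the 10.1.1.1 address are constructed in memory; nothing is sent on the network.

```python
import re
from dataclasses import dataclass, field

# Rules from the post: 1-63 chars per label (letters, digits, dashes), 255 overall, case-insensitive.
LABEL_RE = re.compile(r"^[A-Za-z0-9-]{1,63}$")

def normalize_fqdn(name):
    """Validate a DNS name and return its labels lowercased, host label first."""
    name = name.rstrip(".")  # a trailing dot just names the root explicitly
    if len(name) > 255:
        raise ValueError("DNS name longer than 255 characters")
    labels = name.split(".")
    for label in labels:
        if not LABEL_RE.match(label):
            raise ValueError(f"invalid label {label!r}")
    return tuple(label.lower() for label in labels)

@dataclass
class AuthServer:
    """Authoritative server for one zone; zone labels are stored root-first, () for the root."""
    zone: tuple
    records: dict = field(default_factory=dict)      # root-first label tuple -> IP address
    delegations: dict = field(default_factory=dict)  # child label -> AuthServer

    def query(self, labels):
        """Answer a root-first label tuple with ('answer', ip), ('referral', server) or ('nxdomain', None)."""
        if labels in self.records:
            return "answer", self.records[labels]
        depth = len(self.zone)
        if labels[:depth] == self.zone and len(labels) > depth:
            child = self.delegations.get(labels[depth])
            if child is not None:
                return "referral", child  # send the asker one level down the hierarchy
        return "nxdomain", None

@dataclass
class PreferredServer:
    """The client's preferred DNS server: walks from the root down and caches answers."""
    root: AuthServer
    cache: dict = field(default_factory=dict)

    def resolve(self, name):
        """Return (ip_or_None, trace) for a client query, following referrals from the root."""
        labels = normalize_fqdn(name)[::-1]  # root-first for the walk down
        trace = []
        if labels in self.cache:  # step 2 of the post: look in the cache first
            trace.append("answered from cache")
            return self.cache[labels], trace
        server = self.root
        while True:
            kind, payload = server.query(labels)
            trace.append(f"asked {'.'.join(reversed(server.zone)) or '.'} -> {kind}")
            if kind == "answer":
                self.cache[labels] = payload  # step 4: keep a copy of the resource record
                return payload, trace
            if kind == "nxdomain":
                return None, trace  # error is returned to the client
            server = payload

def build_example_hierarchy():
    """Constructed data: root -> com -> somecompany.com, whose zone also covers the sales subdomain."""
    somecompany = AuthServer(zone=("com", "somecompany"))
    somecompany.records[("com", "somecompany", "sales", "computer1")] = "10.1.1.1"  # constructed IP
    com = AuthServer(zone=("com",), delegations={"somecompany": somecompany})
    return AuthServer(zone=(), delegations={"com": com})
```

The second lookup of the same name in any case returns from the preferred server's cache without touching the root, which is the behaviour step 4 describes.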