This scenario shows how you can design an
infrastructure for Microsoft Windows 2000 Domain
Name System (DNS) servers that simplifies DNS management
and that supports the Active Directory™ directory
service by enabling computers to locate domain
controllers. It also shows how you can use Active
Directory to enhance DNS security and
reliability.
Objectives
In this scenario, we configured Windows 2000 DNS
servers to support the following objectives:
- To support Active Directory. DNS enables computers
to locate domain controllers so that Active Directory
can function.
- To take advantage of the integration of DNS with
Active Directory. When you install DNS on a domain
controller, you can use Active Directory–integrated zones, which provide enhanced
security by means of secure dynamic update, and enhanced reliability and
simplified management by means of multimaster replication. Secure dynamic update minimizes
administration and prevents unauthorized users from
modifying DNS zones and records.
- To provide a reliable solution.
This scenario shows only the Windows 2000 DNS
server service. You can also use other DNS servers for
name resolution and to support Active Directory. For
more information, see the section "Interoperability
with Other DNS Servers" in the chapter
"Windows 2000 DNS" in the Microsoft®
Windows® 2000 Server Resource Kit TCP/IP
Core Networking Guide.
Also, this scenario shows only DNS, not WINS. DNS is required for
clients to locate Windows 2000 domain
controllers.
In "Design Logic" later in this scenario, we show how
we met our objectives.
Design Logic
This scenario, as shown in Figure 1, includes domain
controllers in the reskit.com and noam.reskit.com
domains. It includes one domain controller in the
reskit.com domain and two domain controllers in the
noam.reskit.com domain: one in the Seattle site and one
in the Vancouver, B.C. site. This scenario also includes
a client in the noam.reskit.com domain, in the Seattle
site.
Figure 1 Computers in
the domains reskit.com and noam.reskit.com
Each domain controller also has the DNS server
service installed. When the DNS server service is
installed on a domain controller, you can use Active
Directory–integrated zones. Each zone in this scenario
is Active Directory–integrated.
Note This scenario shows
only the components necessary for the scenario to work.
However, in accordance with best practices, we use
additional components in the Windows 2000 Resource
Kit Deployment Scenarios lab.
SEA-RK-DC-01.reskit.com
The domain controller in the domain reskit.com,
SEA-RK-DC-01.reskit.com, runs Windows 2000 and the
DNS server service. It resides in the Seattle site. In
the Deployment Scenarios lab, we also have an additional
domain controller for this domain, with the DNS server
service installed. It is a best practice to include at
least two domain controllers per domain so that if one
domain controller becomes unavailable, computers can
still access and update information about the
domain.
For more information about how to determine the
number of domain controllers you need, see the chapter
"Designing the Active Directory Structure" in the
Microsoft® Windows® 2000 Server
Resource Kit Deployment Planning Guide. You can also
use Active Directory Sizer, a tool for estimating the
number of domain controllers you need based on your
organization's profile, domain information, and site
topology. To download Active Directory Sizer, visit http://www.microsoft.com/windows2000/techinfo/reskit/tools/new/adsizer-o.asp.
A DNS server running on SEA-RK-DC-01.reskit.com is
authoritative for the Active Directory–integrated zone
reskit.com. In our lab, we also have the DNS server
service installed on the replica; it is also
authoritative for the Active Directory–integrated zone
reskit.com. It is a best practice to make at least two
DNS servers authoritative for each zone to enhance fault
tolerance and load sharing.
SEA-RK-DC-01.reskit.com refers to itself as its
preferred DNS server, because it is the first domain
controller in the domain. As an alternative, we could
have configured it to refer to another DNS server that
is authoritative for reskit.com, or that can query a server
that is authoritative for reskit.com.
SEA-NA-DC-01.noam.reskit.com
The first domain controller in the domain
noam.reskit.com, SEA-NA-DC-01.noam.reskit.com, also runs
Windows 2000 and the DNS server service. It resides
in the Seattle site.
In our Microsoft® Windows® 2000 Resource Kit
Deployment Scenarios poster, we also have an additional
domain controller for this domain and site, in addition
to several additional domain controllers in different
sites. It is a best practice to include at least two
domain controllers per domain, and at least one per
site, to enhance fault tolerance and load sharing; if
you have a large number of users, you might want to
include more than two domain controllers for additional
fault tolerance and load sharing. Because we have many
users, we include multiple domain controllers in our
poster.
The domain noam.reskit.com is a child domain of
reskit.com. Before promoting
SEA-NA-DC-01.noam.reskit.com, we added a delegation to
the zone reskit.com, hosted by SEA-RK-DC-01.reskit.com,
referring to SEA-NA-DC-01.noam.reskit.com as
authoritative for the zone noam.reskit.com. During the
promotion, we agreed to automatic DNS configuration, and
the zone noam.reskit.com was added to
SEA-NA-DC-01.noam.reskit.com. For more information, see
"How We Did It," later in this scenario.
A DNS server running on SEA-NA-DC-01.noam.reskit.com
is authoritative for the Active Directory–integrated
zone noam.reskit.com. In our lab, we also host the zone
on additional DNS servers running on domain controllers
in the same Active Directory domain. Although it is a
best practice to include at least two DNS servers
authoritative for each zone, you can include more.
SEA-NA-DC-01.noam.reskit.com refers to
SEA-RK-DC-01.reskit.com as its preferred DNS server.
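The delegation step above, as an added example that is not code from the Resource Kit: it builds the records that a delegation puts into the parent zone reskit.com (NS records at the child apex, plus glue A records for every name server whose name lies inside the child zone, because a resolver cannot look those names up until the delegation already works), and checks an existing parent-zone listing for the usual faults. Record tuples (owner, type, rdata) are constructed sample data; the IP addresses are the ones listed for the lab. The sample delegates to both SEA-NA-DC-01.noam.reskit.com and VAN-NA-DC-01.noam.reskit.com, which the scenario makes authoritative for the child zone; adding the second server to the delegation is our addition for fault tolerance, not a step the scenario performs.

```python
"""Added example (not Resource Kit code): build the delegation records a
parent zone needs for a child zone and check that a delegation is usable.
Record tuples are constructed sample data; IP addresses are the lab's."""


def _norm(name):
    return name.lower().rstrip(".")


def in_zone(name, zone):
    """True if `name` is `zone` itself or lies below it."""
    name, zone = _norm(name), _norm(zone)
    return name == zone or name.endswith("." + zone)


def delegation_records(child_zone, servers):
    """NS records for the child apex plus glue A records for every name
    server whose name lies inside the child zone (below the zone cut, so a
    resolver could not look it up without the glue)."""
    child = _norm(child_zone)
    out = []
    for host, ip in servers.items():
        host = _norm(host)
        out.append((child, "NS", host))
        if in_zone(host, child):
            out.append((host, "A", ip))
    return out


def check_delegation(parent_zone, records, child_zone):
    """Problems with the delegation of `child_zone` in `records` (tuples of
    owner, type, rdata from the parent zone). Empty list means usable;
    strings starting with 'warning:' are advisory."""
    parent, child = _norm(parent_zone), _norm(child_zone)
    if child == parent or not in_zone(child, parent):
        return [f"{child} is not below {parent}"]
    recs = [(_norm(o), t.upper(), d if t.upper() == "A" else _norm(d))
            for o, t, d in records]
    ns_targets = [d for o, t, d in recs if o == child and t == "NS"]
    if not ns_targets:
        return [f"no NS records for {child} in {parent}: delegation missing"]
    glue = {o for o, t, _ in recs if t == "A"}
    problems = [f"NS {t} is inside {child} but has no glue A record in {parent}"
                for t in ns_targets if in_zone(t, child) and t not in glue]
    if len(ns_targets) == 1:
        problems.append(f"warning: only one name server delegated for {child}; "
                        "resolvers outside the child zone lose it if that server is down")
    return problems


# Constructed parent-zone contents for reskit.com before the delegation is added.
PARENT_ZONE = "reskit.com"
PARENT_BASE = [
    ("reskit.com", "NS", "sea-rk-dc-01.reskit.com"),
    ("sea-rk-dc-01.reskit.com", "A", "172.16.4.11"),
]
# Both DNS servers that host noam.reskit.com; listing VAN-NA-DC-01 as well is
# our addition for fault tolerance, not a step the scenario performs.
CHILD_SERVERS = {
    "sea-na-dc-01.noam.reskit.com": "172.16.8.11",
    "van-na-dc-01.noam.reskit.com": "172.16.44.11",
}

if __name__ == "__main__":
    delegated = PARENT_BASE + delegation_records("noam.reskit.com", CHILD_SERVERS)
    for rec in delegated:
        print(rec)
    print(check_delegation(PARENT_ZONE, PARENT_BASE, "noam.reskit.com"))
    print(check_delegation(PARENT_ZONE, delegated, "noam.reskit.com"))
```

The check reads zone data only. To confirm that a delegated server really answers authoritatively for the child zone, query it directly from the parent-zone server, for example with nslookup -type=ns noam.reskit.com 172.16.8.11; a server that is listed in the delegation but does not host the zone is a lame delegation and will make the child domain intermittently unreachable from outside it.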
VAN-NA-DC-01.noam.reskit.com
This domain controller in the domain noam.reskit.com,
VAN-NA-DC-01.noam.reskit.com, also runs
Windows 2000 and the DNS server service. It resides
in the Vancouver site. For additional fault tolerance
and load sharing, we include an additional domain
controller in our poster for this domain and site.
VAN-NA-DC-01.noam.reskit.com is authoritative for the
Active Directory–integrated zone noam.reskit.com. In our
poster, we also have the DNS server service installed on
the additional domain controller for the domain and
site.
In this scenario, VAN-NA-DC-01.noam.reskit.com refers
to SEA-RK-DC-01.reskit.com as its preferred DNS server.
However, in our poster, because we have two domain
controllers in the Vancouver, B.C. site,
VAN-NA-DC-01.noam.reskit.com refers to another server in
the same site. It is a best practice to use as the
preferred server a DNS server in the same site. A domain
controller running the DNS server service can also refer
to itself if it is the first domain controller in the
forest, or if the DNS server is not authoritative for
names in the domain
_msdcs.<DNSForestName>. Other domain controllers that are
authoritative for _msdcs.<DNSForestName> should not point
only to themselves: if such a server's IP address changes,
it updates the records only in its own copy of the zone and
can no longer find its replication partners to propagate
the change, so it becomes isolated from the other DNS servers.
Client
The client runs Microsoft® Windows® 2000
Professional. Because it resides in the Seattle site, we
chose SEA-NA-DC-01.noam.reskit.com as its preferred DNS
server. This reduces network traffic by enabling the
client to first query the DNS server closest to it.
In "How It Works" later in this scenario, we explain
how the infrastructure meets our planning
objectives.
How It Works
The domain controller SEA-NA-DC-01.noam.reskit.com
registers its domain controller locator resource records
in DNS. The records are added to the Active
Directory–integrated zone noam.reskit.com, on the DNS
server SEA-NA-DC-01.noam.reskit.com. The zone is then
replicated to the domain controller
VAN-NA-DC-01.noam.reskit.com. A workstation client uses the
domain controller locator resource records to locate a
domain controller. Figure 2 shows these computers.
Figure 2 Computers in
the domains reskit.com and noam.reskit.com
For the process in this scenario to function as
described, the computers SEA-RK-DC-01.reskit.com and
SEA-NA-DC-01.noam.reskit.com must be configured
according to the steps in "How We Did It," later in this
scenario. Also, the events that occur in this section
are specific to this scenario only. If you configure the
servers differently, or if network conditions prevent
the servers from performing optimally, you might see
different results. For more information about how DNS
works, see the chapter "Windows 2000
DNS" in the TCP/IP Core Networking Guide. Also, this
section and the animation show only some of the packets
that pass between the computers — enough to give a
general understanding of the process.
The following steps show how DNS and Active Directory
work together after promotion is complete. For more
information about the promotion process for the
computers in our scenario, see "Setup Instructions"
later in this scenario.
- The servers SEA-RK-DC-01.reskit.com and
SEA-NA-DC-01.noam.reskit.com are promoted to domain
controllers. After SEA-NA-DC-01.noam.reskit.com is
promoted and restarted, the Netlogon service requests
that the DNS client service on the same computer
dynamically update the domain controller locator
resource records. The DNS client queries its preferred
DNS server for the name of the server and zone that
are authoritative for the resource records that it
needs to update. Here, the preferred DNS server is
SEA-RK-DC-01.reskit.com. Figure 3 shows the query
process.
Figure 3 Query for
authoritative zone and server
- The DNS server responds to the DNS client with the
name of the authoritative server and zone. Here, the
authoritative server is the DNS server on the same
computer as the DNS client service. The client then
registers the locator resource records in DNS by using
secure dynamic update, which this server is configured
to use. The server adds these records to the zone
noam.reskit.com. This zone is located on the server
SEA-NA-DC-01.noam.reskit.com. It was added during the
promotion because we had delegated the zone
noam.reskit.com from SEA-RK-DC-01.reskit.com to
SEA-NA-DC-01.noam.reskit.com, and because we agreed to
automatic configuration.
- The server VAN-NA-DC-01.noam.reskit.com is
promoted to the role of an additional domain
controller for the child domain noam.reskit.com.
During and after promotion, the two domain controllers
in the domain noam.reskit.com replicate
directory information, including DNS zones, between each other.
- During the process of Active Directory replication
in the domain noam.reskit.com, the domain controller
SEA-NA-DC-01.noam.reskit.com sends the zone containing
the locator resource records to the domain controller
VAN-NA-DC-01.noam.reskit.com. Figure 4 shows the zone
replication. When a DNS server is installed on the
domain controller VAN-NA-DC-01.noam.reskit.com, the
DNS server automatically loads the DNS zone from
Active Directory. Thus, the DNS infrastructure takes
advantage of Active Directory to simplify DNS
management.
Figure 4 Zone
replication
- Computers use DNS to locate domain controllers.
When the workstation client is restarted, it must find
a domain controller for the domain in its site or the
closest site. It is a member of the domain
noam.reskit.com in the Seattle site. The Netlogon
service on the workstation client requests that the
DNS client on the same computer locate an appropriate
domain controller. The DNS client service sends a DNS
query to its preferred DNS server,
SEA-NA-DC-01.noam.reskit.com, requesting resource
records that provide the names and IP addresses of the
domain controllers for its domain and site. The client
queries for the service (SRV) resource record
_ldap._tcp.seattle._sites.dc._msdcs.noam.reskit.com.
- In our poster, two domain controllers fit the
criteria: the two domain controllers for the
noam.reskit.com domain, in the Seattle site. In this
scenario, however, only one domain controller fits the
criteria: SEA-NA-DC-01.noam.reskit.com. The preferred
DNS server of the workstation client replies with the
SRV and address (A) resource records that list the
name and IP address of the domain controller that
satisfies the requested criteria. If more than one
domain controller had satisfied the requested
criteria, the DNS server would have replied with
additional resource records referring to those domain
controllers.
- The client then sends a Lightweight Directory
Access Protocol (LDAP) query to the domain controller,
asking whether the domain controller resides in the
same domain and site as the client. The domain
controller replies that it does. After the client
authenticates itself, it can begin using the domain
controller. Thus, the DNS infrastructure successfully
supports Active Directory by enabling computers to
locate domain controllers.
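The sequence above, as an added example that is not part of the Resource Kit: it finds the zone that will take a locator record the way a dynamic-update client does (walking up the name until a zone answers an SOA query, which is how the client learns the authoritative server and zone in step 2), builds the locator names that Netlogon queries, parses SRV answers, orders them by priority and weight as RFC 2782 specifies, and keeps the first candidate that passes the LDAP "same domain and site" check of the last step. The zone table, the SRV answers and the set of reachable servers are constructed sample data; Netlogon's actual LDAP ping of each candidate is simplified to a membership test.

```python
"""Added example (not Resource Kit code): where a domain controller's locator
records land, and how a client picks a domain controller from SRV answers.
Zone table, answers and the reachable set are constructed sample data."""
import random
from dataclasses import dataclass

# Constructed zone table for the lab: zone name -> primary master from its SOA.
ZONES = {
    "reskit.com": "sea-rk-dc-01.reskit.com",
    "noam.reskit.com": "sea-na-dc-01.noam.reskit.com",
}


def enclosing_zone(name, zones):
    """Closest zone enclosing `name`, as (zone, soa_master).

    A dynamic-update client discovers the target zone the same way: it asks
    for the SOA of the record name, then of each shorter parent name, until
    a zone answers; the SOA names the server that accepts the update.
    """
    labels = name.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in zones:
            return candidate, zones[candidate]
    raise LookupError(f"no zone encloses {name}")


def locator_names(domain, site=None):
    """Names Netlogon queries, most specific first: the site-specific SRV
    record, then the domain-wide one used when no DC is registered for the site."""
    names = []
    if site:
        names.append(f"_ldap._tcp.{site}._sites.dc._msdcs.{domain}")
    names.append(f"_ldap._tcp.dc._msdcs.{domain}")
    return names


@dataclass(frozen=True)
class SRV:
    priority: int
    weight: int
    port: int
    target: str

    @classmethod
    def parse(cls, rdata):
        """Parse SRV RDATA in presentation form: 'priority weight port target'."""
        prio, weight, port, target = rdata.split()
        return cls(int(prio), int(weight), int(port), target.lower().rstrip("."))


def rfc2782_order(records, rng=None):
    """Order SRV records per RFC 2782: lowest priority first; within one
    priority a weighted random draw, with weight-0 records placed first."""
    rng = rng or random.Random()
    ordered = []
    for prio in sorted({r.priority for r in records}):
        pool = sorted((r for r in records if r.priority == prio),
                      key=lambda r: r.weight != 0)
        while pool:
            pick = rng.randint(0, sum(r.weight for r in pool))
            running = 0
            for r in pool:
                running += r.weight
                if running >= pick:
                    ordered.append(pool.pop(pool.index(r)))
                    break
    return ordered


def choose_dc(records, reachable, rng=None):
    """First candidate in RFC 2782 order that passes the LDAP 'same domain
    and site?' check (simulated here by membership in `reachable`), else None."""
    for r in rfc2782_order(records, rng):
        if r.target in reachable:
            return r
    return None


def register_locator(dc_fqdn, domain, site, zones):
    """Locator SRV records a new DC registers, each paired with the zone and
    master that will receive the update. Windows defaults: priority 0,
    weight 100, LDAP port 389."""
    out = []
    for name in locator_names(domain, site):
        zone, master = enclosing_zone(name, zones)
        out.append((name, zone, master, SRV(0, 100, 389, dc_fqdn.lower())))
    return out


if __name__ == "__main__":
    for name, zone, master, rr in register_locator(
            "SEA-NA-DC-01.noam.reskit.com", "noam.reskit.com", "seattle", ZONES):
        print(f"{name}: update goes to zone {zone} on {master} -> {rr.target}")
    answer = [SRV.parse("0 100 389 sea-na-dc-01.noam.reskit.com.")]
    print("chosen:", choose_dc(answer, {"sea-na-dc-01.noam.reskit.com"}))
```

Two points the code makes visible: the locator records for noam.reskit.com are owned by the child zone, so the update from SEA-NA-DC-01 stays on that server even though its preferred DNS server is SEA-RK-DC-01, and a client that gets several SRV answers still needs the LDAP check, because DNS cannot tell it which of the listed domain controllers is actually up.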
How We Did It
The procedures that we used to configure the
computers and devices in our scenario are presented here
as an example; the actual steps required to configure
similar computers and devices in your own network will
be different. Also, this scenario shows only the
procedures necessary for the scenario to work. It does not cover other procedures that are
required in a production network.
For each computer, to complete the tasks described in
the setup instructions, the administrator must have the
appropriate authority to perform the necessary
configuration. By default, the Administrator account for
the root domain (RESKIT\Administrator) has the
appropriate authority; it becomes a member of the
Enterprise Admins group after a domain controller is
promoted. However, in a production network, you might
want to restrict authority further. The setup
instructions explain which accounts we used.
Our setup instructions assume the following
configuration:
- The hard drives on each computer have been
reformatted and the appropriate operating system has
been installed.
- Each computer has been named
- Routing has been set up as appropriate for the
computers to communicate, given that they will have
the following IP addresses:
SEA-RK-DC-01.reskit.com 172.16.4.11
SEA-NA-DC-01.noam.reskit.com 172.16.8.11
VAN-NA-DC-01.noam.reskit.com 172.16.44.11
Client 172.16.8.51
Note These IP addresses
are addresses from an IP address range reserved for
private networks. You can use them in a test
environment, behind a firewall, but do not use them on
the Internet. For more information, see RFC
1918.
Table 1 lists the hardware and software used to
create this scenario in the Deployment Scenarios
lab.
Table 1 Components used in this Deployment Lab Scenario

Element | Hardware | Software
SEA-RK-DC-01.reskit.com | Compaq ProLiant Server | Microsoft® Windows® 2000 Server configured as a domain controller and DNS server.
SEA-NA-DC-01.noam.reskit.com | Compaq ProLiant Server | Windows 2000 Server configured as a domain controller and DNS server.
VAN-NA-DC-01.noam.reskit.com | Compaq ProLiant Server | Windows 2000 Server configured as a domain controller and DNS server.
Client | Compaq Deskpro Desktop Computer | Windows 2000 Professional installed.
VAN-NA-W2RT-01.noam.reskit.com | Compaq ProLiant Server | Windows 2000 Server configured as a router.
SEA-NA-CISCO-01 | Cisco 7513 router |
SEA-NA-CISCO-03 | Cisco 6006 L3 switch |
Setup Instructions
To set up this scenario, we completed the following
tasks:
- Configuration of SEA-RK-DC-01.reskit.com
- Configuration of SEA-NA-DC-01.noam.reskit.com
- Configuration of VAN-NA-DC-01.noam.reskit.com
- Configuration of the client
Figure 5 shows the portion of our network discussed
in this scenario.
Figure 5 Computers in
the domains reskit.com and noam.reskit.com
Additional Resources
Microsoft Windows 2000 Server Resource
Kit
- TCP/IP Core Networking Guide, "Introduction
to DNS"
- TCP/IP Core Networking Guide, "Windows 2000
DNS"
- Microsoft® Windows® 2000
Server Resource Kit Distributed Systems Guide,
"Active Directory Logical Structure"
- Microsoft® Windows® 2000
Server Resource Kit Deployment Planning Guide,
"Designing the Active Directory Structure"
Tools
- Active Directory Sizer
Active Directory Sizer lets you estimate the
hardware required for deploying Active Directory based
on your organization's profile, domain information,
and site topology. Based on user input and internal
formulas, Active Directory Sizer estimates the number
of the following:
- Domain controllers per domain per site
- Global Catalog servers per domain per site
- CPUs per machine and type of CPU
- Disks needed for Active Directory data storage
In addition, Active Directory Sizer provides
approximate estimates for the following:
- Amount of memory required
- Network bandwidth utilization
- Domain database size
- Global catalog database size
- Bandwidth required for replication between sites
- Netdiag
Netdiag helps isolate networking and connectivity
problems by performing a series of tests to determine
the state of your network client and whether it is
functional. For more information about Netdiag, see
Windows 2000 Support Tools Help. For information
about installing and using the Windows 2000
Support Tools and Support Tools Help, see the file
Sreadme.doc in the \Support\Tools folder on the
Windows 2000 operating system CD.
- Dnscmd.exe
You can use the command-line tool Dnscmd.exe to
configure the DNS server. For more information about
Dnscmd.exe, see Windows 2000 Support Tools Help.
For information about installing and using the
Windows 2000 Support Tools and Support Tools
Help, see the file Sreadme.doc in the \Support\Tools
folder on the Windows 2000 operating system
CD.
Legend
- For information about the abbreviations and
symbols represented on the Microsoft Windows 2000
Resource Kit Deployment Lab Scenarios network diagram
and referenced in the Deployment Lab Scenarios, see
the "Deployment
Lab Scenarios Legend."
Disclaimer
All scenarios were tested using Windows 2000 unless
otherwise noted. They are best viewed with Microsoft
Internet Explorer 5 or later.
Network diagram details
SEA-NA-CISCO-03.noam.reskit.com: Cisco Catalyst 6006 multilayer switch, configured as a Layer 3 switch. Catalyst OS version 5.3(1a)CSX; IOS version 12.1(1)E.
SEA-NA-DC-01.noam.reskit.com (172.16.8.11): domain controller; Windows 2000 Server; Active Directory, DNS server. Compaq ProLiant DL360.
SEA-RK-DC-01.reskit.com (172.16.4.11): domain controller; Windows 2000 Server; Active Directory, DNS server, Global Catalog. Compaq ProLiant DL360.
VAN-NA-DC-01.noam.reskit.com (172.16.44.11): domain controller; Windows 2000 Server; Active Directory, DNS server, WINS server. Compaq ProLiant DL360.
VAN-NA-W2RT-01.noam.reskit.com: router; Windows 2000 Server; Proxy Server (caching only), Routing and Remote Access service, Internet Group Management Protocol (IGMP) service. Compaq ProLiant ML530.
Multimaster Replication
Windows 2000 DNS can use the multimaster
replication engine that is a part of Active
Directory, eliminating a single point of failure
for updates. For more information about
multimaster replication, see the section "Active
Directory Integration and Multimaster
Replication" in the chapter "Windows 2000
DNS" in the TCP/IP Core Networking Guide.
Secure Dynamic Update
Secure dynamic update preserves the ownership
of DNS records. The client authenticates to the DNS
server before an update is accepted (Windows 2000
uses Kerberos through the GSS-TSIG negotiation), and
the object that Active Directory creates for the
record carries an access control list that grants
write access to the client that created it. Secure
dynamic update is particularly important for zones
configured to use dynamic update, because it ensures
that resource records are modified only by their
owners. (For example, a client that registers its
own A resource record owns that record.) Because a
zone can also be configured to accept both nonsecure
and secure updates, this protection applies only when
the zone is set to accept secure updates only.
Currently, secure dynamic update is possible only in
Active Directory–integrated zones. For more
information about secure dynamic update, see the
section "Dynamic Update and Secure Dynamic Update"
in the chapter "Windows 2000 DNS" in the Microsoft®
Windows® 2000 Server Resource Kit TCP/IP Core
Networking Guide.
Active Directory-integrated Zone
You can integrate DNS zones into Active
Directory; integration provides increased fault
tolerance and security. Every Active
Directory-integrated zone is replicated among all
domain controllers within the Active Directory
domain. All DNS servers running on these domain
controllers can act as primary servers for the
zone and accept updates. Also, Active Directory
replicates only changes to the zone, and not the
entire zone, which minimizes replication
traffic.
Windows Internet Name Service (WINS)
You can use WINS as an additional name
resolution mechanism on Windows 2000
networks, and you must use WINS for location of
domain controllers within domains that have domain
controllers or domain members running Microsoft®
Windows NT® version 4.0. For more
information about WINS, see "Windows Internet Name
Service" in the TCP/IP Core Networking Guide.
Active Directory Replication
Active Directory replication is the
synchronization of directory partition replicas
between Windows 2000 domain controllers. Directory
partition replicas are writable on each domain
controller (except for Global Catalog replicas).
Replication automatically copies the changes from
a specified directory partition replica to all
other domain controllers that hold the same
directory partition replica. More specifically, a
server called the "destination" pulls changes from
another server called the "source."