Document: Module 4: DNS as a Solution for Name Resolution (docx)


Module 4: DNS as a Solution for Name Resolution

Contents
Overview
Introducing DNS
Designing a Functional DNS Solution
Discussion: Designing DNS Solutions
Securing DNS
Enhancing a DNS Design for Availability
Optimizing a DNS Design for Performance
Discussion: Enhancing DNS Solutions
Lab A: Designing a DNS Solution
Review

Information in this document is subject to change without notice. The names of companies, products, people, characters, and/or data mentioned herein are fictitious and are in no way intended to represent any real individual, company, product, or event, unless otherwise noted. Complying with all applicable copyright laws is the responsibility of the user. No part of this document may be reproduced or transmitted in any form or by any means, electronic or mechanical, for any purpose, without the express written permission of Microsoft Corporation. If, however, your only means of access is electronic, permission to print one copy is hereby granted.

Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this document. Except as expressly provided in any written license agreement from Microsoft, the furnishing of this document does not give you any license to these patents, trademarks, copyrights, or other intellectual property.

© 2000 Microsoft Corporation. All rights reserved.

Microsoft, Active Directory, ActiveX, BackOffice, FrontPage, JScript, MS-DOS, NetMeeting, PowerPoint, Visual Basic, Visual C++, Visual Studio, Win32, Windows, Windows Media, Windows NT, are either registered trademarks or trademarks of Microsoft Corporation in the U.S.A. and/or other countries/regions.

Project Lead: Don Thompson (Volt Technical)
Instructional Designers: Patrice Lewis (S&T OnSite), Renu Bhatt NIIT (USA) Inc
Instructional Design Consultants: Paul Howard, Susan Greenberg
Program Managers: Jack Creasey, Doug Steen (Independent Contractor)
Technical Contributors: Thomas Lee,
Bernie Kilshaw, Joe Davies
Graphic Artist: Kirsten Larson (S&T OnSite)
Editing Manager: Lynette Skinner
Editor: Kristen Heller (Wasser)
Copy Editor: Kaarin Dolliver (S&T Consulting)
Online Program Manager: Debbi Conger
Online Publications Manager: Arlo Emerson (Aditi)
Online Support: Eric Brandt (S&T Consulting)
Multimedia Development: Kelly Renner (Entex)
Test Leads: Sid Benevente, Keith Cotton
Test Developer: Greg Stemp (S&T OnSite)
Production Support: Lori Walker (S&T Consulting)
Manufacturing Manager: Rick Terek (S&T OnSite)
Manufacturing Support: Laura King (S&T OnSite)
Lead Product Manager, Development Services: Bo Galford
Lead Product Manager: Ken Rosen
Group Product Manager: Robert Stewart

Other product and company names mentioned herein may be the trademarks of their respective owners.

Instructor Notes

Presentation: 75 Minutes
Lab: 45 Minutes

This module provides students with the knowledge and decision-making skills that are necessary to design a functional name resolution service by using DNS within a Microsoft® Windows® 2000 networking infrastructure. In the module, students will make DNS technology decisions to enhance the design’s security, availability, and performance based on the organization’s requirements.

At the end of this module, students will be able to:
• Recognize DNS as a solution for name resolution.
• Evaluate and create a DNS solution to support an organization’s namespace requirement.
• Select appropriate strategies to secure DNS.
• Select appropriate strategies to improve the availability of DNS.
• Select appropriate strategies to improve DNS performance.

Upon completion of the design lab, students will be able to design DNS solutions that meet the name resolution requirements of a variety of organizations.

Materials and Preparation

This section provides you with the materials and preparation needed to teach this module.

Materials

To teach this module, you need the following materials: Microsoft
PowerPoint® file 1562B_04.ppt

Preparation Tasks

To prepare for this module:
• Review the contents of this module.
• Read any relevant information in the Windows 2000 Help files, the Windows 2000 Resource Kit, or in documents provided on the Instructor CD.
• Read the relevant RFCs in the Windows 2000 Help files.
• Review discussion material and be prepared to lead class discussions on the topics.
• Complete the lab and be prepared to elaborate beyond the solutions found there.
• Read the review questions and be prepared to elaborate beyond the answers provided in the text.

Module Strategy

Use the following strategy to present this module:

Introducing DNS

Emphasize the importance of name resolution in a network. Give some examples of user-friendly addresses and numerical Internet Protocol (IP) addresses. After the students understand the importance of name resolution, give a brief overview of Windows 2000 DNS. Explain how DNS resolves names. For an overview of DNS, you can ask the students to view the DNS video on the Student CD.

In this section:
• Emphasize that the first step in designing a DNS solution is to identify the design decisions that influence the design. Point out that it is essential to determine the network configuration and the number of hosts, locations, subnets, and routers, before starting the design.
• Describe the solutions provided by DNS. Emphasize that DNS can integrate with other products. Discuss the impact of DNS on network management.
• Emphasize that integration of DNS with WINS, DHCP, and the Active Directory™ directory service helps in name resolution by obtaining IP configuration and DNS server authentication.

Designing a Functional DNS Solution

Explain that DNS functionality can be established by selecting appropriate zone types, determining server placements, and integrating DNS with other Windows 2000 services. Provide an overview of the decisions involved in establishing a functional design.

In this section:
• Explain what a zone is and how zones work. Give a brief overview of Active Directory integrated zone, traditional DNS zones, and the combination zone in terms of how to select an appropriate zone.
• Tell the students that the structure of DNS namespace and the DNS zone type influence the placement of DNS servers in a network design. Discuss how to determine server placement based on namespace design and zone type.
• Introduce reverse lookup zones. Tell the students that if applications or network security requires the conversion of IP addresses to domain names, they can include reverse lookup zones in their network design. Explain that the reverse lookup zones can be Active Directory integrated zones, traditional primary zones, or traditional secondary zones.
• Point out that DNS servers interact with servers on the Internet to resolve names. Explain how DNS integrates with the Internet.
• Explain that the Windows 2000 DNS service can be combined with BIND and DNS servers in Microsoft Windows NT® version 4.0, if you cannot replace the existing DNS servers.
• Point out that the host names found in WINS can be resolved by forwarding unresolved DNS queries to a WINS server. The forwarding of unresolved DNS queries to WINS can be established on a zone-by-zone basis.
• Explain that the DNS zones provided by Windows 2000 can be integrated into the existing namespace of an organization. Tell students that they need to integrate the DNS zones into the existing namespace if they are unable to specify a computer running Windows 2000 as the DNS root server for the organization.
• Ensure that students understand the scenario description and directions for the Discussion. Direct them to read through the scenario and answer the questions. Be prepared to clarify if necessary. Lead a class discussion on the students’ responses.

Securing DNS

Because DNS servers are exposed to the network, you need to
secure DNS access from private and public networks. In this section, explain the use of restricted updates, Internet Protocol Security (IPSec), virtual private network (VPN) tunnels, Active Directory, and screened subnets to secure DNS.

In this section:
• Emphasize that unauthorized updates to the dynamically updated DNS servers are prevented to avoid impersonation of DNS servers.
• Point out that names and IP addresses replicated over public networks can be protected against unauthorized access by using IPSec, VPN tunnels, and Active Directory.
• Point out that when integrating DNS into screened subnets, you must restrict Internet-based user access and encrypt any zone replication within the private network. Describe the placement and interaction of DNS services within screened subnets.

Enhancing a DNS Design for Availability

Describe the usage of replicated DNS zones and server clusters to enhance the availability of a DNS design.

In this section:
• Emphasize that implementing multiple DNS servers that have replicated zones at local and remote locations can enhance the availability of DNS. By adding additional DNS servers at remote locations, DNS availability can be ensured in the event of a wide area network (WAN) link or router failure.
• Explain that the availability of DNS can be enhanced by using server clusters. The availability that is provided by server clusters is used for solving availability issues only at local locations.

Optimizing a DNS Design for Performance

Explain the methods of improving the performance of a DNS design. Reducing the query resolution time, and reducing the impact of replication on network traffic, can maximize the performance of the DNS service.

In this section:
• Emphasize that the use of caching-only servers, delegated zones, and load balancing can reduce query resolution time.
• Point out that the data transmission rates for network traffic can be improved by reducing the impact of DNS
replication traffic. Explain that the performance of the replication traffic can be improved by using fast zone transfers, modifying the replication schedule, and performing incremental zone updates.
• Make sure that students understand the scenario description and directions for the Discussion. Direct them to read through the scenario and answer the questions. Be prepared to clarify if necessary. Lead a class discussion on the students’ responses.

Lab Strategy

Use the following strategy to present this lab.

Lab A: Designing a DNS Solution

In this lab, students will design a DNS solution based on specific requirements outlined in the given scenario. Students will review the scenario and the design requirements, and read any supporting materials. They will use this information, and the knowledge gained from the module, to develop a detailed design that uses DNS as the solution.

To conduct the lab:
• Read through the lab carefully, paying close attention to the instructions and to the details of the scenario.
• Divide the class into teams of two or more students.
• Present the lab and make sure students understand the instructions and the purpose of the lab.
• Explain that the planning worksheet is to be used to develop the design of their solution.
• Remind students to consider any functionality, security, availability, and performance criteria that are provided in the scenario, and how they will incorporate strategies to meet these criteria in their design.
• Take the opportunity to assess each student’s comprehension of the design strategies presented in the module while students are completing the lab.
• Allow some time to discuss the solutions after the lab is completed. A solution is provided on the Instructor CD to help you review the lab results. Encourage students to critique each other’s solutions and to discuss any ideas for improving the designs.

Overview

Slide Objective: To provide an overview of the module topics and objectives.
Lead-in:
While designing a network, you must identify name resolution solutions to locate computers and services on the network. In this module, you will evaluate and design a DNS solution for name resolution.

• Introducing DNS
• Designing a Functional DNS Solution
• Securing DNS
• Enhancing a DNS Design for Availability
• Optimizing a DNS Design for Performance

Name resolution processes allow users to remember resource names. You can use these resource names instead of the numerical Internet Protocol (IP) addresses that computers use to identify themselves on the network. DNS in Microsoft® Windows® 2000 allows users to refer to network resources with easy-to-remember names by resolving names to IP addresses. In this module, you will evaluate and design a DNS solution for name resolution.

At the end of this module, you will be able to:
• Recognize DNS as a solution for name resolution.
• Evaluate and create a DNS solution to support an organization’s name resolution requirement.
• Select appropriate strategies to secure DNS.
• Select appropriate strategies to enhance the availability of DNS.
• Select appropriate strategies to improve DNS performance.

Introducing DNS

Slide Objective: To introduce DNS as a solution for name resolution in a Windows 2000 network.
Lead-in: While designing a network, you must identify solutions for name resolution to locate computers and services on the network.

Remind students that in this module, DNS always refers to the DNS services provided by Windows 2000 unless otherwise specified.

• Design Decisions for a DNS Solution
• Microsoft DNS Features
• Integrating DNS with Other Windows 2000 Services

While designing a network, you must identify solutions for name resolution to locate computers and services on the network. The large number of available network resources creates the need for meaningful resource names to simplify the user’s access to resources. Windows 2000 DNS allows users to refer to network resources with names complying with
the DNS standard. You can use DNS to resolve names to IP addresses. DNS can also integrate with other Windows 2000 services to extend the name resolution capabilities.

To design a strategy for locating network resources by using DNS, you must:
• Collect information about network and host configuration, and the number of locations.
• Identify the features provided by DNS and how these features support the design requirements.
• Identify the benefits provided by integrating DNS with other services in Windows 2000.

Exercise: Designing a DNS Solution

In this exercise, you are presented with the task of designing a DNS solution for an insurance firm. This insurance firm has a central office, six regional offices, and two types of insurance agent offices. Your instructor will assign you to design the central office, the regional office, or one of the insurance agent offices. You will work in teams to design a DNS solution that supports an organization’s name resolution requirements. You will design your solution for the assigned location by using a white board, flip chart, or other presentation medium.

Review the scenario, the design requirements, and the diagram for your assigned location. Follow the instructions to complete the exercise. At the end of the exercise, be prepared to provide a justification for your design decisions and to provide feedback to the other teams.

Circle your assignment:
a. Central office
b. Regional office
c. Insurance agent offices

Scenario

An insurance firm is evaluating their existing network in preparation for the deployment of Windows 2000. As a consultant to the firm, you have been assigned the task of evaluating and redesigning the current network.

The insurance firm has a central office that handles billing and accounting for the firm. In addition, the firm has six regional offices that support the insurance agents within each region. The insurance agent offices are independently owned and operated. The agent
offices can consist of an individual agent or a group of agents working at a single location.

This is the high-level network diagram of the insurance firm network. Additional detail for the central office, regional offices, and the insurance agent offices are shown in subsequent diagrams.

This is the existing network at the central office of the insurance firm.

This is the existing network at the regional offices of the insurance firm. The network configuration in the six regional offices is identical.

This is the existing network at the insurance agent offices that consist of multiple insurance agents. The network configuration of all of these offices is identical.

This is the existing network at the insurance agent offices that consist of a single insurance agent. The network configuration of all of these offices is identical.

Design Requirements and Limitations

Investigation of the current network, user traffic patterns, and future network requirements reveals the following additional information that you must consider when making your design decisions.

Applications

The insurance firm uses a number of applications to conduct day-to-day operations. To create a solution for the insurance firm, your design must provide:
• Support for a mission-critical Web-based application that manages customers and their policies.
• Support for a mission-critical Web-based application that allows customers to check the status of claims and historical claim payment information over the Internet.
• Private network access to all shared folders and Web-based applications from the central and regional offices.
• Internet access from the central and regional
offices.
• DNS query response times such that the application response time is not reduced. Pilot tests on approved DNS servers indicate that each DNS server can support no more than 1,200 hosts while providing performance within given application response times.
• Support for all mission-critical applications to be available 24-hours-a-day, 7-days-a-week.

Connectivity

The applications used by the insurance firm require connectivity between the central office, the regional offices, and the agent offices. When creating the DNS design for the insurance firm, remember that your design must provide:
• Support for the regional offices to connect to the central office by using dedicated connections over the Internet.
• Support for the agent offices that consist of multiple agents to connect to the regional offices by using dedicated connections over the Internet.
• Support for the agent offices that consist of an individual agent to connect to the regional offices by using dial-up connections over the Internet.
• Isolation of the central office, the regional offices, and the agent offices from the Internet.

Instructions

You will complete this exercise in a team. To complete this exercise you must:
• Examine the current networking environment presented in the scenario, the network diagrams, and the design requirements and limitations.
• On a white board, flip chart, or other presentation medium, design your DNS solution. Ensure that your design fulfills the requirements of the scenario. Consider the following while designing your DNS solution:
  • Placement of DNS servers within the network
  • Types of DNS zones supported on each DNS server
  • DNS replication specifications between the zones on each DNS server
  • Required methods of improving the security, availability, and performance

Note: For your DNS solution, you can eliminate or replace existing networking devices or network segments.

Be prepared to discuss your DNS solution and provide a
justification for the design decisions that you made.

The following table is one solution to the scenario.

Office type: Central
Server name(s): DNSSRV1, DNSSRV2
Server placement: Subnet C
Reason for server placement: To minimize the traffic between Subnets A, B, D, E, and F by placing the DNS server equidistant from all remaining subnets. To provide load balancing and redundancy for the central office DNS clients.

Office type: Regional
Server name(s): DNSSRV3, DNSSRV4
Server placement: Subnet H
Reason for server placement: To minimize the traffic between Subnets G, I, J, and K by placing the DNS server equidistant from all remaining subnets. To provide load balancing and redundancy for the regional office DNS clients.

Office type: Multiple Agent
Server name(s): DNSSRV5
Server placement: Subnet L
Reason for server placement: It is the only available subnet in office.

Office type: Single Agent
Server name(s): No server required
Reason for server placement: No server required.

The following tables list one possible solution to the scenario.

Office type: Central Office
• DNS service configuration option: Active Directory integrated zone.
  Reason for specifying the option: To use the existing Active Directory infrastructure for storing DNS zone information so that zone updates and replication are secure and zone replication is performed by Active Directory.
• DNS service configuration option: Enable dynamic DNS updates from the DHCP servers.
  Reason for specifying the option: Only the DHCP servers are authorized to update the DNS Active Directory integrated zone.
• DNS service configuration option: Configure DNS clients on Subnets A and B to submit queries to DNSSRV1 first and then to DNSSRV2.
  Reason for specifying the option: To distribute the DNS queries between DNSSRV1 and DNSSRV2.
• DNS service configuration option: Configure DNS clients on Subnets C, D, E, and F to submit queries to DNSSRV2 first and then DNSSRV1.
  Reason for specifying the option: To distribute the DNS queries between DNSSRV2 and DNSSRV1.

Office type: Single Agent Office
• DNS service configuration option: Specify that the DHCP server in the regional offices configures the computer in the single agent office to submit queries to DNSSRV4 and then DNSSRV3 in the regional office.
  Reason for specifying the option: To automatically configure the single agent office computer to use the DNS servers in the regional office.

Review

Slide Objective: To reinforce module objectives by reviewing the key points.
Lead-in: The review questions cover some of the key concepts taught in the module.

• Introducing DNS
• Designing a Functional DNS Solution
• Securing DNS
• Enhancing a DNS Design for Availability
• Optimizing a DNS Design for Performance

Recently, the performance of DNS within your organization has diminished. The network support staff has requested your assistance to evaluate the current DNS implementation and to prescribe ways to resolve performance issues. In preparation for your evaluation, the support staff has requested that you supply them with a list of information they must collect to assist you in your analysis. What key pieces of information do you need to prescribe a solution?

To prescribe a solution for the DNS performance problems, you need the following information:
• Processor, memory, and disk utilization by DNS server
• Baseline performance data
• Number and placement of DNS servers
• Size of DNS database files
• Number and distribution of DNS clients
• Any standard secondary zones needed to evaluate replication traffic
• Any Active Directory integrated zones to evaluate replication traffic
• Location of standard primary zones
• Location of delegated domain name zones
• Any redundancy requirements of the design

During the process of tracking trends in DNS server performance, the network support staff determined that key DNS servers would exceed their resource capacity in the near future. In addition, the hardware limitations of the DNS servers prevent any further hardware upgrades. What recommendations will you make to improve DNS performance?
Because you cannot upgrade current hardware, you can add additional servers. Using standard secondary zones or delegated domain names, the DNS database can be distributed across multiple DNS servers. Also, you can replace the existing DNS servers by using hardware that has greater performance and upgrade potential.

An organization has a significant installation base of Microsoft networking clients, including Microsoft Windows 95, Microsoft Windows 98, Windows NT, and Windows 2000. Because of the nature of the business, the location and naming of these clients is in a state of constant change. When you create a networking strategy, which features of DNS can you take advantage of to enhance the integration of these networking clients?

You can configure DNS to resolve names by using existing WINS servers. Also, you can configure DNS to interact with DHCP by using dynamic update protocol to allow DNS to automatically update the DNS database information. Finally, the DNS information can be replicated into Active Directory by using Active Directory integrated zones, thereby reducing the number of required servers for name resolution.

A group of software developers within your organization is deploying a mission-critical Web-based application. The application requires that there be no single point of failure to disrupt normal operation of the application. Which feature of DNS would you recommend to enhance the reliability of the application?
The ability of DNS to have a single FQDN resolve to multiple IP addresses provides both fault tolerance and load balancing for the application. If desired, you can use a priority or round-robin scheme when returning the IP address of a Web server.

In your organization, two different support staffs manage DNS and desktop computers. You plan to use Active Directory to supply DNS information to the desktop computers; however, the DNS infrastructure is currently implemented by using UNIX computers. How can you configure Windows 2000 to integrate DNS and Active Directory?

First, migrate the UNIX-based DNS database into an Active Directory integrated zone. Next, configure the original UNIX-based DNS server to become a standard secondary zone, replicating the Active Directory integrated zone. Finally, instruct DNS administrators to perform all DNS updates on the Active Directory integrated zone.
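
The lab's design requirements cap each DNS server at 1,200 hosts and call for 24-hours-a-day availability, and the lab solution splits the central-office subnets between DNSSRV1 and DNSSRV2 by client query order. The following added example (not part of the courseware) checks such a plan under normal operation and with each server down in turn. The per-subnet host counts are constructed sample values, because the lab diagrams are not reproduced here.

```python
"""Capacity check for a preferred/alternate DNS server plan (added example)."""

HOST_LIMIT = 1200  # per-server ceiling stated in the lab's design requirements

# Central-office client configuration from the solution table: the order in
# which hosts on each subnet submit queries to the DNS servers.
CENTRAL_PLAN = {
    "A": ["DNSSRV1", "DNSSRV2"],
    "B": ["DNSSRV1", "DNSSRV2"],
    "C": ["DNSSRV2", "DNSSRV1"],
    "D": ["DNSSRV2", "DNSSRV1"],
    "E": ["DNSSRV2", "DNSSRV1"],
    "F": ["DNSSRV2", "DNSSRV1"],
}

# Constructed host counts per subnet (assumption, not taken from the lab).
SAMPLE_HOSTS = {"A": 300, "B": 250, "C": 150, "D": 200, "E": 250, "F": 200}


def server_load(plan, hosts, down=frozenset()):
    """Return (hosts per server, subnets left with no reachable server).

    Each subnet's hosts are counted against the first server in their
    query order that is not in `down`.
    """
    load = {}
    stranded = []
    for subnet, order in plan.items():
        target = next((s for s in order if s not in down), None)
        if target is None:
            stranded.append(subnet)
        else:
            load[target] = load.get(target, 0) + hosts[subnet]
    return load, stranded


def audit(plan, hosts, limit=HOST_LIMIT):
    """Check normal operation and every single-server failure.

    Returns a list of (scenario, server or subnet, host count) findings:
    a server above `limit`, or a subnet with no server left (count None).
    """
    servers = sorted({s for order in plan.values() for s in order})
    scenarios = [frozenset()] + [frozenset([s]) for s in servers]
    findings = []
    for down in scenarios:
        label = "normal" if not down else f"{min(down)} down"
        load, stranded = server_load(plan, hosts, down)
        for server, count in sorted(load.items()):
            if count > limit:
                findings.append((label, server, count))
        for subnet in stranded:
            findings.append((label, f"subnet {subnet}", None))
    return findings


if __name__ == "__main__":
    print("normal load:", server_load(CENTRAL_PLAN, SAMPLE_HOSTS)[0])
    for scenario, where, count in audit(CENTRAL_PLAN, SAMPLE_HOSTS):
        detail = "no DNS server reachable" if count is None else f"{count} hosts"
        print(f"{scenario}: {where}: {detail}")
```

With these sample counts both servers stay under the limit in normal operation, but the loss of either one leaves the survivor answering for every host in the office. A second server therefore preserves the response-time requirement during a failure only when the office's total host count fits on the servers that remain.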

Date posted: 17/01/2014, 08:20
