Designing the Active Directory Structure

Planning DNS Server Deployment

To plan DNS server deployment for support of your Active Directory domains, you must identify the DNS servers that will be authoritative for your domain names, and ensure that they meet the requirements of the domain controller locator system.

Authority and Delegation in DNS

The Domain Name System is a hierarchical, distributed database. The database itself consists of resource records, which primarily consist of a DNS name, a record type, and data values that are associated with that record type. For example, the most common records in the DNS database are Address (A) records, where the name of an Address record is the name of a computer, and the data in the record is the TCP/IP address of that computer.

Like Active Directory, the DNS database is divided into partitions that enable the database to scale efficiently even on very large networks. A partition of the DNS database is called a zone. A zone contains the records for a contiguous set of DNS names. A DNS server that loads a zone is said to be authoritative for the names in that zone.

A zone begins at a specified name and ends at a delegation point. A delegation point indicates where one zone ends and another zone begins. For example, there is a registration authority on the Internet that is responsible for the zone called "com." Inside this zone are thousands of delegation points to other zones, for example, reskit.com. The data in a delegation point indicates which servers are authoritative for the delegated zone. Figure 9.10 shows the relationship among DNS servers, zones, and delegations.

Figure 9.10    Servers, Zones, and Delegations in DNS

Domain Controller Locator System

Domain controllers register a set of records in DNS. These records are collectively called the locator records. When a client requires a particular service from a domain, it sends a query for a specific name and type of record to the nearest DNS server. The answer is a list of domain controllers that can satisfy the request.

The names of the locator records for each domain end in <DNS-domain-name> and <DNS-forest-name>. The DNS servers that are authoritative for each <DNS-domain-name> are authoritative for the locator records.

Note

Windows 2000 does not require reverse lookup zones to be configured. Reverse lookup zones might be necessary for other applications, or for administrative convenience.

DNS Server Requirements

If you do not already have DNS servers running on your network, it is recommended that you deploy the DNS service that is provided with Windows 2000 Server. If you have existing DNS servers, then the servers that are authoritative for the locator records must meet the following requirements to support Active Directory:

The DNS service provided with Windows 2000 Server meets both these requirements and also offers two important additional features:

The remaining DNS servers on your network that are not authoritative for the locator records do not need to meet these requirements. Servers that are not authoritative are generally able to answer SRV record queries even if they do not explicitly support that record type.

Locate Authoritative Servers

For each DNS name you choose, consult your DNS management team and find out if the DNS server supports the listed requirements. If you find one that does not, there are three basic courses of action that you can take:

Upgrade the server to a version that supports the requirements.

If the authoritative servers are running the Windows NT 4.0 DNS service, simply upgrade those servers to Windows 2000. For other DNS server implementations, consult the vendor's documentation to find out which version supports the features necessary to support Active Directory.

If the authoritative DNS servers are not under your control, and you cannot persuade the owners of those servers to upgrade, you can use one of the other options.

Migrate the zone to Windows 2000 DNS.

You can migrate the zone from the authoritative servers to Windows 2000 DNS instead of upgrading those servers to a version that supports Active Directory requirements. Migrating a zone to Windows 2000 DNS is a straightforward process. Introduce one or more Windows 2000 DNS servers as secondary servers for the zone. After you are comfortable with the performance and manageability of the servers, convert the zone on one of the servers to be the primary copy, and rearrange the DNS zone transfer topology as necessary.

Delegate the name to a DNS server that meets the requirements.

If upgrading and migrating authoritative servers are not suitable options, you can change the authoritative servers by delegating the domain name to Windows 2000 DNS servers. How this is done depends on the relationship of the domain name to the existing zone structure.
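The following Python script is an added example, not part of the Resource Kit, that ties together the three ideas above: a zone owns every name from its apex down to the next delegation point, the locator records of a domain end in the DNS domain name or forest name, and only the servers authoritative for those names have to meet the requirements. Given a table of zones and the servers that load them (all names, servers, and the capability flag are constructed for illustration), it resolves each locator record name to its authoritative zone by longest-suffix match and reports which zones, and therefore which DNS servers, you need to check with your DNS management team. The only requirement modelled is the one the page names, answering SRV record queries; the locator record names are a representative subset of those a Windows 2000 domain controller registers.

```python
"""Which DNS servers must meet the Active Directory locator requirements?

Added example; not Resource Kit code. The zone table, server names and the
supports_srv flag are constructed. Only one requirement is modelled
(assumption: an authoritative server must answer SRV record queries).
"""
from dataclasses import dataclass


@dataclass
class Zone:
    name: str           # zone apex, e.g. "reskit.com."
    servers: list       # hosts authoritative for the zone (constructed names)
    supports_srv: bool  # do those servers answer SRV record queries?


def normalize(name: str) -> str:
    """Lower-case, fully qualified form with exactly one trailing dot."""
    return name.strip().rstrip(".").lower() + "."


def authoritative_zone(name: str, zones):
    """Return the zone that owns `name`, or None if no zone covers it.

    A zone begins at its apex and ends at the next delegation point, so the
    deepest apex that is a suffix of the name is the authoritative zone.
    """
    target = normalize(name)
    best = None
    for zone in zones:
        apex = normalize(zone.name)
        matches = apex == "." or target == apex or target.endswith("." + apex)
        if matches and (best is None or len(apex) > len(normalize(best.name))):
            best = zone
    return best


def locator_record_names(domain: str, forest: str):
    """Representative subset of the SRV names a Windows 2000 domain controller
    registers; each ends in the DNS domain name or the DNS forest name."""
    d, f = normalize(domain), normalize(forest)
    return [
        f"_ldap._tcp.{d}",
        f"_kerberos._tcp.{d}",
        f"_ldap._tcp.dc._msdcs.{d}",
        f"_ldap._tcp.pdc._msdcs.{d}",
        f"_ldap._tcp.gc._msdcs.{f}",
    ]


def zones_to_check(domain: str, forest: str, zones):
    """Map each authoritative zone to the locator names it must serve and
    whether its servers meet the modelled requirement."""
    result = {}
    for rec in locator_record_names(domain, forest):
        zone = authoritative_zone(rec, zones)
        key = zone.name if zone else "(no authoritative zone found)"
        entry = result.setdefault(key, {
            "servers": zone.servers if zone else [],
            "records": [],
            "meets_requirements": bool(zone and zone.supports_srv),
        })
        entry["records"].append(rec)
    return result


def servers_needing_action(domain: str, forest: str, zones):
    """Zones whose servers must be upgraded, have the zone migrated to
    Windows 2000 DNS, or have the name delegated to a capable server."""
    report = zones_to_check(domain, forest, zones)
    return sorted(z for z, info in report.items() if not info["meets_requirements"])


# Constructed zone table mirroring Figure 9.10: "com." delegates reskit.com,
# which in turn delegates the child domain noam.reskit.com to an older server.
ZONES = [
    Zone(".", ["root.example"], supports_srv=False),
    Zone("com.", ["ns.registry.example"], supports_srv=False),
    Zone("reskit.com.", ["dns1.reskit.com", "dns2.reskit.com"], supports_srv=True),
    Zone("noam.reskit.com.", ["olddns.noam.reskit.com"], supports_srv=False),
]

if __name__ == "__main__":
    for zone, info in zones_to_check("noam.reskit.com", "reskit.com", ZONES).items():
        status = "ok" if info["meets_requirements"] else "ACTION NEEDED"
        print(f"{zone} served by {', '.join(info['servers'])}: {status}")
        for rec in info["records"]:
            print(f"    {rec}")
    print("zones needing action:", servers_needing_action("noam.reskit.com", "reskit.com", ZONES))
```

Run as-is, the script shows that the forest-wide global catalog record lands in reskit.com., whose servers are fine, while every per-domain record for noam.reskit.com lands in the delegated child zone, so only the one server loading that zone needs one of the three courses of action above. Servers for "com." and the root never appear in the report, which is the point made earlier: servers that are not authoritative for the locator records do not have to meet the requirements.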

© 1985-2000 Microsoft Corporation. All rights reserved.