Active Directory Design (13)
A.8 Network Services Design
A.8.1 DNS
A.8.1.1 Active Directory Requirements
Forest trusts can only be created when one of the following DNS configurations is in place in the infrastructure:
Scenario 1: a single root DNS server is the root DNS server for both forest DNS namespaces: the root zone contains delegations for each of the DNS namespaces and the root hints of all DNS servers include the root DNS server.
Scenario 2: where there is no shared root DNS server and the root DNS servers for each forest DNS namespace are running a member of the Windows Server 2003 family, DNS conditional forwarders are configured in each DNS namespace to route queries for names in the other namespace.
Scenario 3: where there is no shared root DNS server and the root DNS servers for each forest DNS namespace are not running a member of the Windows Server 2003 family, DNS secondary zones are configured in each DNS namespace to route queries for names in the other namespace.
Design Decision
Scenario 1 is the easier and preferred implementation.
A.8.1.2 Xxx Asia DNS Zones
DNS Zones supporting the Asia Country forests will rely on the Group DNS infrastructure to host the “.corp” zone.
The DNS zone design is illustrated in the following diagram:
A.8.1.3 _MSDCS zone
Active Directory uses the _MSDCS zone to store the locators for the services provided by the Domain Controllers and Global Catalogs. Client computers query this zone to locate the nearest Domain Controller or Global Catalog that can provide the service.
The NETLOGON process dynamically creates these entries when a Domain Controller comes online.
In Windows Server 2003, the _msdcs namespace is a subdomain in the <domain id>.corp zone and it is replicated forest-wide.
Recommendation
Do not manually create the _msdcs zone. Use the DCPromo wizard.
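As an added example (not part of the original design document), the following PowerShell implements Scenario 2 of A.8.1.1 on the DNS servers of one forest and then checks that the other forest's _msdcs locator records of A.8.1.3 resolve, which is what a forest trust depends on. It uses the DnsServer module cmdlets of Windows Server 2012 and later, not the Windows Server 2003 console described in the document; the partner forest name partner.corp and the DNS server addresses are assumed placeholders, while ad.corp is the forest root named in the design.

```powershell
# Added example, not from the original design document.
# Requires the DnsServer module (Windows Server 2012+ with the DNS Server role).
# Forest names and addresses below are constructed placeholders.
#Requires -Modules DnsServer

$LocalForest  = 'ad.corp'                         # forest root from the design
$RemoteForest = 'partner.corp'                    # assumed name of the other forest
$RemoteDns    = @('10.200.0.10', '10.200.0.11')   # assumed DNS servers authoritative for partner.corp

function Set-ForestTrustForwarder {
    param(
        [Parameter(Mandatory)] [string]   $RemoteZone,
        [Parameter(Mandatory)] [string[]] $MasterServers
    )
    # Scenario 2: a conditional forwarder routes queries for the other
    # namespace straight to that forest's DNS servers. Storing it in AD with
    # forest-wide scope gives every DC/DNS server in this forest the same entry.
    if (-not (Get-DnsServerZone -Name $RemoteZone -ErrorAction SilentlyContinue)) {
        Add-DnsServerConditionalForwarderZone -Name $RemoteZone `
            -MasterServers $MasterServers -ReplicationScope 'Forest'
    }
}

function Test-ForestLocatorRecords {
    param([Parameter(Mandatory)] [string] $Forest)
    # The records a trust relies on: the DC, GC and Kerberos locator SRV
    # records that NETLOGON registers under _msdcs.<forest root>.
    $names = @(
        "_ldap._tcp.dc._msdcs.$Forest",
        "_ldap._tcp.gc._msdcs.$Forest",
        "_kerberos._tcp.dc._msdcs.$Forest"
    )
    foreach ($n in $names) {
        $srv = Resolve-DnsName -Name $n -Type SRV -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Record   = $n
            Resolved = [bool]$srv
            Targets  = ($srv | Where-Object Type -eq 'SRV' | ForEach-Object NameTarget) -join ', '
        }
    }
}

Set-ForestTrustForwarder -RemoteZone $RemoteForest -MasterServers $RemoteDns
Test-ForestLocatorRecords -Forest $RemoteForest | Format-Table -AutoSize
```

Run the same script in the other forest with the two names swapped; the trust can only be created once both sides report Resolved = True for every record. A locator name that does not resolve usually means the forwarder points at a server that is not authoritative for the partner's _msdcs zone, or that the firewall between the forests blocks UDP/TCP 53.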
A.8.1.4 Physical DNS Architecture
The physical DNS architecture will follow the Active Directory physical design.
Design Decision
Every Domain Controller is also a DNS Server.
A.8.1.5 DNS Server Configuration
<domain id>.corp DNS Zone properties
The zone configuration is specified in the following table:
Property | Setting
Zone type | Active Directory-integrated
Replication scope | All DNS domain controllers in the forest ad.corp
Dynamic updates | Secure only
Scavenging | Enabled, with default settings

DNS resolution outside the Active Directory forest
The Forwarders tab sets the DNS servers to which requests are forwarded when a client queries for a name for which this server is not authoritative. Multiple DNS forwarders can be configured; they are queried from top to bottom in recursive mode.
If DNS forwarders are set up, the DNS root hints are not used.
You can configure a time-out interval that tells the DNS server how long to wait for one forwarder in the list before moving on to the next one. Use the “Number of seconds before forward queries time out” setting. The default is five seconds.
A.8.1.6 Reverse Lookup Zone
Generally, the Windows infrastructure does not require this zone; however, some web sites and applications use the reverse lookup zone for security purposes.
The main reasons why PTR records should be implemented are:
to replace WINS reverse lookups in the future
to support applications that need reverse lookups (Cisco)
to resolve IP addresses
Design Decision
The Reverse Lookup Zone is implemented in the Xxx Asia DNS infrastructure.
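The following PowerShell is an added example, not part of the original design document. It applies the zone properties of the A.8.1.5 table and its forwarder settings to the ad.corp zone, creates the reverse lookup zone of A.8.1.6 with the same properties, and reports drift from the design, the check that matters most being that dynamic updates are still "Secure only" (a zone switched to non-secure updates lets any host on the network overwrite records). It uses the DnsServer module of Windows Server 2012 and later; the forwarder addresses and the 10.10.0.0/16 network are assumed placeholders.

```powershell
# Added example, not from the original design document.
# Run on a Domain Controller with the DNS Server role (DnsServer module).
# Zone name "ad.corp" comes from the design table; forwarder addresses and the
# reverse-lookup network are constructed placeholders.
#Requires -Modules DnsServer

$Zone       = 'ad.corp'
$Forwarders = @('192.0.2.53', '192.0.2.54')   # assumed upstream resolvers
$ReverseNet = '10.10.0.0/16'                  # assumed subnet for the PTR zone

function Set-DesignZoneProperties {
    param([Parameter(Mandatory)] [string] $Name)
    # A.8.1.5 table: AD-integrated, replicated to all DNS DCs in the forest,
    # secure-only dynamic updates, aging enabled with the default 7-day intervals.
    Set-DnsServerPrimaryZone -Name $Name -ReplicationScope 'Forest' -DynamicUpdate 'Secure'
    Set-DnsServerZoneAging -Name $Name -Aging $true
}

function Enable-ServerScavenging {
    # Zone-level aging only marks records as stale; at least one DNS server in
    # the forest must also have scavenging turned on to actually delete them.
    Set-DnsServerScavenging -ScavengingState $true -ScavengingInterval (New-TimeSpan -Days 7)
}

function Set-DesignForwarders {
    param([Parameter(Mandatory)] [string[]] $IPAddress)
    # Forwarders are tried top to bottom; -Timeout is the "Number of seconds
    # before forward queries time out" setting (default 5). -UseRootHint $false
    # makes the server rely solely on the forwarders, as the design states.
    Set-DnsServerForwarder -IPAddress $IPAddress -Timeout 5 -UseRootHint $false
}

function Add-DesignReverseZone {
    param([Parameter(Mandatory)] [string] $NetworkId)
    # A.8.1.6: the reverse lookup zone gets the same properties as the forward
    # zone so that DCs and clients can register PTR records securely.
    if (-not (Get-DnsServerZone | Where-Object { $_.IsReverseLookupZone -and $_.ZoneName -like '*.in-addr.arpa' })) {
        Add-DnsServerPrimaryZone -NetworkId $NetworkId -ReplicationScope 'Forest' -DynamicUpdate 'Secure'
    }
}

function Test-DesignZoneCompliance {
    param([Parameter(Mandatory)] [string] $Name)
    # Reports drift from the design table for a given zone.
    $z = Get-DnsServerZone -Name $Name
    $a = Get-DnsServerZoneAging -Name $Name
    [pscustomobject]@{
        Zone              = $Name
        AdIntegrated      = $z.IsDsIntegrated
        ForestReplication = $z.ReplicationScope -eq 'Forest'
        SecureUpdatesOnly = $z.DynamicUpdate -eq 'Secure'
        AgingEnabled      = $a.AgingEnabled
    }
}

Set-DesignZoneProperties -Name $Zone
Enable-ServerScavenging
Set-DesignForwarders -IPAddress $Forwarders
Add-DesignReverseZone -NetworkId $ReverseNet
Test-DesignZoneCompliance -Name $Zone | Format-List
```

Test-DesignZoneCompliance is worth scheduling on its own: run it against every zone returned by Get-DnsServerZone and alert on any property that reports False, since the design's security properties (secure-only updates, forest-wide replication) are set once during build but can be changed later by anyone with DNS administration rights.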
A.8.1.7 DNS Client Configuration on Domain Controllers
DNS Server Addresses
On Domain Controllers, the primary DNS server must be the Domain Controller itself.
The secondary DNS is:
For Domain Controllers in Head Office: the secondary DNS Server is the Domain Controller in the Head Office.
For Domain Controllers in stores: the secondary DNS Server is any of the site bridgehead Domain Controllers in Head Office.
Disable Dynamic Update on isolated NIC
A Domain Controller registers its own A and PTR records in DNS. Dynamic update must be disabled on any network interface card connected to an isolated network, for example a backup or a monitoring network.
This prevents the registration of DNS records for addresses that clients cannot reach.
To disable Dynamic Update on a specific adapter, change the following registry key:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\<Interface name>\DisableDynamicUpdate
Data type: REG_DWORD
Value: 1
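As an added example (not part of the original design document), the PowerShell below applies the A.8.1.7 settings on a Domain Controller: the production adapter gets the DC itself as primary DNS and a head-office DC as secondary, the isolated adapter has dynamic update disabled both through the DNS client setting and through the registry value quoted above, and a final check confirms that the isolated address is not published in an A record. Note that the key under ...\Interfaces\ is the adapter's interface GUID, which the script looks up from the adapter name. The adapter aliases Ethernet and Backup and the address 10.1.0.10 are assumed placeholders.

```powershell
# Added example, not from the original design document.
# Run on a Domain Controller. Adapter aliases and the head-office DC address
# are constructed placeholders; adjust them to the real environment.
$ProdAdapter     = 'Ethernet'      # assumed production NIC
$IsolatedAdapter = 'Backup'        # assumed NIC on the isolated backup/monitoring network
$HeadOfficeDc    = '10.1.0.10'     # assumed head-office (bridgehead) DC

function Set-DcDnsClientServers {
    param(
        [Parameter(Mandatory)] [string] $Adapter,
        [Parameter(Mandatory)] [string] $SecondaryDns
    )
    # A.8.1.7: primary DNS = the DC itself (its own address on the production
    # NIC), secondary = a Domain Controller in the Head Office.
    $self = (Get-NetIPAddress -InterfaceAlias $Adapter -AddressFamily IPv4).IPAddress |
            Select-Object -First 1
    Set-DnsClientServerAddress -InterfaceAlias $Adapter -ServerAddresses @($self, $SecondaryDns)
}

function Disable-IsolatedNicDnsRegistration {
    param([Parameter(Mandatory)] [string] $Adapter)
    # Two ways to express the same intent: the DNS client setting, and the
    # registry value from the design (keyed by the adapter's interface GUID).
    Set-DnsClient -InterfaceAlias $Adapter -RegisterThisConnectionsAddress $false
    $guid = (Get-NetAdapter -Name $Adapter).InterfaceGuid
    $key  = "HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\$guid"
    Set-ItemProperty -Path $key -Name 'DisableDynamicUpdate' -Value 1 -Type DWord
}

function Test-IsolatedAddressNotPublished {
    param([Parameter(Mandatory)] [string] $Adapter)
    # Verifies the outcome: no A record for this DC should carry the isolated
    # network address. Re-register first so the DC refreshes its own records.
    ipconfig /registerdns | Out-Null
    $isolated  = (Get-NetIPAddress -InterfaceAlias $Adapter -AddressFamily IPv4).IPAddress
    $fqdn      = "$env:COMPUTERNAME.$((Get-CimInstance Win32_ComputerSystem).Domain)"
    $published = (Resolve-DnsName -Name $fqdn -Type A | Where-Object Type -eq 'A').IP4Address
    [pscustomobject]@{
        Host           = $fqdn
        PublishedA     = $published -join ', '
        IsolatedLeaked = [bool]($published | Where-Object { $isolated -contains $_ })
    }
}

Set-DcDnsClientServers -Adapter $ProdAdapter -SecondaryDns $HeadOfficeDc
Disable-IsolatedNicDnsRegistration -Adapter $IsolatedAdapter
Test-IsolatedAddressNotPublished -Adapter $IsolatedAdapter | Format-List
```

Disabling registration stops new updates but does not delete A or PTR records the isolated address already registered; if IsolatedLeaked still reports True after the re-registration has had a moment to complete, remove those records from the forward and reverse zones by hand (or wait for scavenging, which with the default 7-day intervals takes about two weeks).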