
Active Directory


nelson


Presentation Transcript


  1. Active Directory DNS

  2. What is DNS?
  • Internet Protocol
  • Distributed database
  • Maps hierarchically organized keys to values
  • E.g. host name to IP address
  • Mailer records
  • Name space
  • Developed to replace hosts file

  3. DNS Namespace

  4. DNS Namespace
  • Hierarchical tree of domains
  • Root
  • Top level domains (gov, edu, com, fr, se, uk etc.)
  • Some countries have subdomains denoting organisation type (e.g. ac.uk, co.uk)
  • Subdomains generally for specific organisations (e.g. mit.edu, microsoft.com etc.)
  • Subdomains within organisation (e.g. oucs.ox.ac.uk)
  • Technically, a domain is the part of the name space at or below the domain name identifying the domain.

  5. Delegation of Responsibility
  • Vital to understand this concept
  • DNS Database is distributed
  • No one server is responsible for the whole namespace
  • A given name server is responsible for part of the namespace
  • Called a zone
  • Server is “authoritative” for the zone

  6. Delegation of Authority
  • Authority is delegated from the top down
  • Cannot simply set up a name server for a domain and expect clients to resolve names correctly
  • Will not work
  • Name servers for parent domain must know that authority has been delegated to new domain
  • E.g. if new ac.uk domain xxx.ac.uk is created, name servers for ac.uk must be configured with information about name servers responsible for new domain

  7. DNS Queries
  • Client queries DNS Server
  • DNS Server
  • Checks its cache
  • Checks whether it contains the information in its own zone files
  • Queries other name servers iteratively
  • Returns an answer

  8. Iterative Queries
  • Example — client queries name server for IP address of fred.test.com
  • Sends query to root name servers
  • Root name servers refer to name servers authoritative for com domain
  • Queries com domain name servers
  • com name servers refer to name servers authoritative for test.com domain
  • Queries test.com domain name servers
  • test.com name servers return the answer
  • Name server returns answer to client

  9. Root hints and Forwarders
  • Root hints table provides IP addresses of name servers for root domain
  • Starting point for iterative queries
  • DNS server can be configured as forwarder
  • Queries for information about which it is not authoritative forwarded to other name servers (forwarders)
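As an added example (not code from the original deck), a toy iterative resolver that walks the fred.test.com lookup of slide 8 over constructed in-memory root, com and test.com servers: it checks a cache first (slide 7), starts from a root-hints list (slide 9) and follows referrals; removing the test.com delegation from the com server reproduces the failure slide 6 warns about. Server names and the address are made up.

```python
"""Toy iterative resolver for the fred.test.com lookup on slide 8.
Constructed data: three in-memory servers (root, com, test.com); names carry
no trailing dot and the root zone is "". Not code from the original deck."""
import copy

# server -> {owner name: {record type: [values]}}  (constructed sample data)
SERVERS = {
    "a.root.example": {"": {"NS": ["a.root.example"]}, "com": {"NS": ["a.gtld.example"]}},
    "a.gtld.example": {"com": {"NS": ["a.gtld.example"]}, "test.com": {"NS": ["ns1.test.com"]}},
    "ns1.test.com": {"test.com": {"NS": ["ns1.test.com"]}, "fred.test.com": {"A": ["192.0.2.10"]}},
}
ROOT_HINTS = ["a.root.example"]  # the root hints table: where iteration starts

def parents(name):
    """'fred.test.com' -> ['test.com', 'com', ''] (closest ancestor first)."""
    labels = name.split(".") if name else []
    return [".".join(labels[i:]) for i in range(1, len(labels) + 1)]

def ask(servers, server, qname, qtype):
    """One query to one server: an 'answer', a 'referral' to other NS, or 'nxdomain'."""
    zone = servers.get(server, {})  # an unknown server simply has no data
    if qtype in zone.get(qname, {}):
        return "answer", zone[qname][qtype]
    for ancestor in parents(qname):
        ns = zone.get(ancestor, {}).get("NS", [])
        if ns and server not in ns:  # delegated to someone else: refer
            return "referral", ns
    return "nxdomain", []

def resolve(qname, qtype, servers=SERVERS, cache=None, max_hops=8):
    """Slides 7 and 8: check the cache, start at the root hints, follow referrals."""
    cache = {} if cache is None else cache
    if (qname, qtype) in cache:
        return cache[(qname, qtype)]
    candidates = list(ROOT_HINTS)
    for _ in range(max_hops):
        kind, data = ask(servers, candidates[0], qname, qtype)
        if kind == "answer":
            cache[(qname, qtype)] = data
            return data
        if kind == "nxdomain":
            return None
        candidates = data  # follow the referral to the next server
    return None

def without_delegation(servers, parent_server, child):
    """Copy of the data in which parent_server never delegated child (slide 6)."""
    broken = copy.deepcopy(servers)
    broken[parent_server].pop(child, None)
    return broken
```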

  10. Zones
  • Zone may contain a domain or part of a domain
  • A name server may be authoritative for more than one zone
  • Should be a minimum of two name servers for a zone (resilience)
  • One server is primary
  • “Start of authority” for zone
  • Others are secondaries
  • Updates to primary are replicated to secondaries (zone transfer)
  • Subsidiary zones can be delegated to other name servers

  11. DNS Records
  • A — host name to IP address mapping
  • NS — name server
  • MX — mailer exchange
  • SOA — start of authority
  • CNAME — canonical name (alias)
  • PTR — pointer (IP address to host)
  • SRV — service resource record (2000)
  • …and others

  12. DNS Overview Reference
  • Domain Name Service (DNS)
  • http://www.microsoft.com/technet/treeview/default.asp?url=/TechNet/itsolutions/network/deploy/confeat/domain.asp

  13. Active Directory and the DNS
  • Active Directory requires DNS
  • Used to locate services
  • E.g. client locating domain controller
  • Domain controller locating replication partners
  • Active Directory requires SRV record support
  • Active Directory prefers dynamic registration (DDNS)

  14. How does AD use the DNS
  • A 2000 system will attempt to register its A record in the DNS
  • Domain controllers will attempt to register around 20 SRV records in the DNS
  • Things will break if the correct records for DCs are not in the DNS

  15. Active Directory Namespace

  16. Active Directory Namespace
  • For the above AD forest structure to function correctly, all domains must be registered in DNS
  • test.com
  • fr.test.com
  • uk.test.com
  • sales.fr.test.com
  • accounts.fr.test.com

  17. Records required by DCs
  • About 20 SRV records required by a DC
  • Number determined by functions of DC
  • Registered in 4 subdomains of domain name
  • _tcp.sales.fr.test.com
  • _udp.sales.fr.test.com
  • _msdcs.sales.fr.test.com
  • _sites.sales.fr.test.com
  • One A record required
  • Also registered in one of these subdomains

  18. Windows 2000 Overview Reference
  • Windows 2000 DNS White Paper
  • http://www.microsoft.com/windows2000/docs/w2kdns.doc

  19. DNS Setup to support AD in Oxford
  • Various methods of setting up DNS for AD
  • Can even have different internal host names and internet host names
  • Oxford — chosen to integrate into existing structure
  • Carry on using BIND without DDNS for main DNS (security)
  • Delegate four subdomains for each unit to local 2000 DNS servers
  • http://support.microsoft.com/support/kb/articles/Q280/4/39.ASP for details of this scenario

  20. Advantages of chosen AD DNS Setup in Oxford
  • Main DNS remains secure (no dynamic DNS)
  • Host names controlled at central level
  • Client configuration remains unchanged
  • Only main DNS servers visible outside firewall
  • Allows dynamic DNS for DCs
  • DCs need this most
  • Can use Active Directory integrated zones
  • More secure
  • Multimaster replication

  21. Disadvantages of chosen AD DNS Setup in Oxford
  • Unit domain name must be identical to unit DNS name
  • Limited to a single domain per unit
  • May be seen as an advantage
  • Unlikely to be a problem as it might have been for NT because of improvements in 2000
  • NB Can still group related units together into multi-domain forest if required

  22. Configuring DNS on Domain Controllers in Oxford
  • http://www.oucs.ox.ac.uk/micros/oss/win2k/w2koxford.html and follow DNS Instructions link for full instructions
  • Generally
  • DNS must be configured for everything to work (e.g. replication)
  • DNS for first DC in forest can be configured before or after promotion to DC
  • DNS for subsequent DCs in forest should be configured before promotion to DC

  23. Steps to Configure DNS on the first Domain Controller
  • Delegate authority for subdomains from main DNS (web form or mail hostmaster)
  • Install DNS on first domain controller (N.B. this can be done before or after promotion to DC)
  • Create and configure _tcp, _udp, _msdcs and _sites subdomains; delete unit domain if you used the wizard to install
  • Ensure DC is configured to use itself as DNS server in TCP/IP configuration
  • Make sure it is all working!
  • If desired, tweak registry to prevent error messages

  24. Steps to Configure DNS on Subsequent Domain Controllers
  • Ensure the DNS setup on first DC is correct and working before installing other DCs
  • Disable secure updates for all subdomains on first DC
  • Ensure new server is configured to use only the first DC as DNS server in its TCP/IP configuration
  • Promote server to domain controller
  • Make sure that its entries are registered in DNS
  • Enable secure updates for subdomains on first DC
  • If desired, install DNS on new DC
  • Set as its own DNS server in TCP/IP config

  25. Hints and Caveats
  • NB the first DC will generally operate correctly without proper DNS setup; the second will not
  • May not be able to install AD on 2nd, replication may break
  • Always check correct registration etc.
  • Incorrect DNS setup can cause major problems e.g. with replication
  • Never install another DC with an incorrectly functioning DNS
  • Don’t turn off “Register this connection’s addresses in the DNS” on DCs
  • Stops all registrations, including SRV, for SP1 and above
  • http://support.microsoft.com/support/kb/articles/Q280/4/39.ASP

  26. Hints and Caveats cont.
  • Event log error message 5774 will be seen (sometimes also 5775) because unitname.ox.ac.uk cannot be registered
  • This record is unnecessary; edit registry to stop this but if so you will need to put in another required entry manually for global catalog servers
  • http://support.microsoft.com/support/kb/articles/Q280/4/39.ASP
  • http://support.microsoft.com/support/kb/articles/Q258/2/13.ASP

  27. Hints and Caveats cont.
  • For Active Directory-integrated zones, no configuration required for DNS servers installed on DCs after the first DNS server is installed and configured
  • Zone information stored in Active Directory
  • May be a good idea to set DNS servers up to forward requests to Oxford DNS servers (forwarders)
  • Most requests likely to be for Oxford addresses
  • Not currently in the instructions

  28. Hints and Caveats cont.
  • If you initially set up a test network with no WAN connection, DNS server may be set up as root server
  • If so, may be missing root hints table; may be unable to access root hints and forwarders tabs
  • If it exists, delete root domain entry (.)
  • May also need to replace root hints table from sample file (unnecessary if configured to use forwarders)
  • http://support.microsoft.com/support/kb/articles/Q229/8/40.ASP
  • http://support.microsoft.com/support/kb/articles/Q249/8/68.ASP

  29. Hints and Caveats cont.
  • Manually adding an SRV record may not work
  • e.g. _rvp._tcp.unit.ox.ac.uk for netmeeting
  • Problem with Snap-In — use dnscmd.exe in Support Tools instead
  • http://support.microsoft.com/support/kb/articles/Q282/5/23.ASP
  • NB Above article is incorrect — dnscmd.exe is in Support Tools, not Resource Kit

  30. Hints and Caveats cont.
  • Netlogon service is responsible for dynamic DNS registrations
  • Refreshes registrations every two hours
  • DNS entries stored in netlogon.dns file in %systemroot%\winnt\system32\config on DCs
  • Root hints table is called cache.dns in %systemroot%\winnt\system32\dns
  • Sample copy in samples subdirectory
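As an added example, not from the original deck: a parser for the netlogon.dns file mentioned on slide 30 that sorts each registration into the four delegated subdomains of slide 17 and checks a well-known subset of the SRV names a DC must publish. The sample file content (written in the zone-file style netlogon.dns uses), the domain sales.fr.test.com, the host dc1 and the addresses are constructed.

```python
"""Parses the netlogon.dns file a DC writes (slide 30) and sorts each
registration into the four delegated subdomains of slide 17. The sample
below is constructed in zone-file syntax; not data from the original deck."""
import re

SAMPLE_NETLOGON_DNS = """\
sales.fr.test.com. 600 IN A 10.1.2.3
_ldap._tcp.sales.fr.test.com. 600 IN SRV 0 100 389 dc1.sales.fr.test.com.
_kerberos._tcp.sales.fr.test.com. 600 IN SRV 0 100 88 dc1.sales.fr.test.com.
_kerberos._udp.sales.fr.test.com. 600 IN SRV 0 100 88 dc1.sales.fr.test.com.
_ldap._tcp.dc._msdcs.sales.fr.test.com. 600 IN SRV 0 100 389 dc1.sales.fr.test.com.
_ldap._tcp.Default-First-Site-Name._sites.sales.fr.test.com. 600 IN SRV 0 100 389 dc1.sales.fr.test.com.
_gc._tcp.sales.fr.test.com. 600 IN SRV 0 100 3268 dc1.sales.fr.test.com.
"""
DELEGATED = ("_tcp", "_udp", "_msdcs", "_sites")  # delegated to the unit's DCs
# A well-known subset of the SRV names a DC must publish (the full ~20 depend on
# the DC's roles); used here only to show how a completeness check looks.
REQUIRED_SRV = ("_ldap._tcp", "_kerberos._tcp", "_kerberos._udp",
                "_kpasswd._tcp", "_ldap._tcp.dc._msdcs")
RECORD_RE = re.compile(r"^(\S+)\s+\d+\s+IN\s+(A|SRV)\s+(.+)$")

def parse_netlogon_dns(text):
    """Yield (owner, type, rdata fields); owners lose the trailing dot."""
    for line in text.splitlines():
        m = RECORD_RE.match(line.strip())
        if m:
            yield m.group(1).rstrip("."), m.group(2), m.group(3).split()

def classify(text, domain):
    """Group registrations by delegated subdomain. The A record for the unit
    domain itself is listed separately: under the Oxford setup the central
    non-dynamic DNS rejects it (event 5774, slide 26), which is harmless."""
    out = {sub: [] for sub in DELEGATED}
    out.update({"domain_a": [], "other_a": [], "unexpected": []})
    for owner, rtype, _ in parse_netlogon_dns(text):
        if rtype == "A":
            out["domain_a" if owner == domain else "other_a"].append(owner)
            continue
        suffix = "." + domain
        sub = owner[:-len(suffix)].split(".")[-1] if owner.endswith(suffix) else None
        out[sub if sub in DELEGATED else "unexpected"].append(owner)
    return out

def missing_srv(text, domain):
    """Names from REQUIRED_SRV that this netlogon.dns does not register."""
    present = {o for o, t, _ in parse_netlogon_dns(text) if t == "SRV"}
    return [p + "." + domain for p in REQUIRED_SRV if p + "." + domain not in present]
```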

  31. Setup for Install/DNS Practical
  • Set up front desk PC as authoritative for ad.oucs-public.ox.ac.uk
  • Include zones for dom1.ad.oucs-public.ox.ac.uk etc.
  • Delegate _msdcs, _sites, _tcp, _udp etc. for dom1, dom2 etc. to servers
  • Point servers at front desk PC as DNS server

  32. Installation and DNS Practical
  • First server to set up DNS as per current instructions
  • Run dcpromo to install AD on first server
  • Point second server at first server for DNS resolution
  • Dcpromo to install AD on second server
  • Switch DNS on first server to AD Integrated

  33. Installation and DNS Practical
  • Install DNS on second server and see how it picks up the AD integrated DNS configuration
  • Look at different options that can be configured
  • Become familiar with records registered
  • Turn off “Register this connection’s addresses in DNS” on 2nd server and reboot — check effect this has
