Download
active directory n.
Skip this Video
Loading SlideShow in 5 Seconds..
Active Directory PowerPoint Presentation
Download Presentation
Active Directory

Active Directory

83 Vues Download Presentation
Télécharger la présentation

Active Directory

- - - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - - -
Presentation Transcript

  1. Active Directory DNS

  2. What is DNS? • Internet Protocol • Distributed database • Maps hierarchically organized keys to values • E.g. host name to IP address • Mailer records • Name space • Developed to replace hosts file

  3. DNS Namespace

  4. DNS Namespace • Hierarchical tree of domains • Root • Top level domains (gov, edu, com, fr, se, uk etc.) • Some countries have subdomains denoting organisation type (e.g. ac.uk, co.uk) • Subdomains generally for specific organisations (e.g. mit.edu, microsoft.com etc.) • Subdomains within organisation (e.g. oucs.ox.ac.uk) • Technically, a domain is the part of the name space at or below the domain name identifying the domain.

  5. Delegation of Responsibility • Vital to understand this concept • DNS Database is distributed • No one server is responsible for the whole namespace • Given name server is responsible for part of the namespace • Called a zone • Server is “authoritative” for the zone

  6. Delegation of Authority • Authority is delegated from the top down • Cannot simply set up a name server for a domain and expect clients to resolve names correctly • Will not work • Name servers for parent domain must know that authority has been delegated to new domain • E.g. if new ac.uk domain xxx.ac.uk is created, name servers for ac.uk must be configured with information about name servers responsible for new domain

  7. DNS Queries • Client queries DNS Server • DNS Server • Checks its cache • Checks whether it contains the information in its own zone files • Queries other name servers iteratively • Returns an answer

  8. Iterative Queries • Example — client queries name server for IP address of fred.test.com • Sends query to root name servers • Root name servers refer to name servers authoritative for com domain • Queries com domain name servers • com name servers refer to name servers authoritative for test.com domain • Queries test.com domain name servers • test.com name returns answer • Name server returns answer to client

  9. Root hints and Forwarders • Root hints table provides IP addresses of name servers for root domain • Starting point for iterative queries • DNS server can be configured as forwarder • Queries for information about which it is not authoritative forwarded to other name servers (forwarders)

  10. Zones • Zone may contain a domain or part of a domain • A name server may be authoritative for more than one zone • Should be a minimum of two name servers for a zone (resilience) • One server is primary • “Start of authority” for zone • Others are secondaries • Updates to primary are replicated to secondaries (zone transfer) • Subsidiary zones can be delegated to other name servers

  11. DNS Records • A — host name to IP address mapping • NS — name server • MX — mailer exchange • SOA — start of authority • CNAME — canonical name (alias) • PTR — pointer (IP address to host) • SRV — service resource record (2000) • …and others

  12. DNS Overview Reference • Domain Name Service (DNS) • http://www.microsoft.com/technet/treeview/default.asp?url=/TechNet/itsolutions/network/deploy/confeat/domain.asp

  13. Active Directory and the DNS • Active Directory requires DNS • Used to locate services • E.g. client locating domain controller • Domain controller locating replication partners • Active Directory requires SRV record support • Active Directory prefers dynamic registration (DDNS)

  14. How does AD use the DNS • A 2000 system will attempt to register its A record in the DNS • Domain controllers will attempt to register around 20 SRV records in the DNS • Things will break if the correct records for DCs are not in the DNS

  15. Active Directory Namespace

  16. Active Directory Namespace • For the above AD forest structure to function correctly, all domains must be registered in DNS • test.com • fr.test.com • uk.test.com • sales.fr.test.com • accounts.fr.test.com

  17. Records required by DCs • About 20 SRV records required by a DC • Number determined by functions of DC • Registered in 4 subdomains of domain name • _tcp.sales.fr.test.com • _udp.sales.fr.test.com • _msdcs.sales.fr.test.com • _sites.sales.fr.test.com • One A record required • Also registered in one of these subdomains

  18. Windows 2000 Overview Reference • Windows 2000 DNS White Paper • http://www.microsoft.com/windows2000/docs/w2kdns.doc

  19. DNS Setup to support AD in Oxford • Various methods of setting up DNS for AD • Can even have different internal host names and internet host names • Oxford — chosen to integrate into existing structure • Carry on using BIND without DDNS for main DNS (security) • Delegate four subdomains for each unit to local 2000 DNS servers • http://support.microsoft.com/support/kb/articles/Q280/4/39.ASP for details of this scenario

  20. Advantages of chosen AD DNS Setup in Oxford • Main DNS remains secure (no dynamic DNS) • Host names controlled at central level • Client configuration remains unchanged • Only main DNS servers visible outside firewall • Allows dynamic DNS for DCs • DCs need this most • Can use Active Directory integrated zones • More secure • Multimaster replication

  21. Disadvantages of chosen AD DNS Setup in Oxford • Unit domain name must be identical to unit DNS name • Limited to a single domain per unit • May be seen as an advantage • Unlikely to a problem as it might have been for NT because of improvements in 2000 • NB Can still group related units together into multi-domain forest if required

  22. Configuring DNS on Domain Controllers in Oxford • http://www.oucs.ox.ac.uk/micros/oss/win2k/w2koxford.html and follow DNS Instructions link for full instructions • Generally • DNS must be configured for everything to work (e.g. replication) • DNS for first DC in forest can be configured before or after promotion to DC • DNS for subsequent DCs in forest should be configured before promotion to DC

  23. Steps to Configure DNS on the first Domain Controller • Delegate authority for subdomains from main DNS (web form or mail hostmaster) • Install DNS on first domain controller (N.B. this can be done before or after promotion to DC) • Create and configure _tcp, _udp, _msdcs and _sites subdomains; delete unit domain if you used the wizard to install • Ensure DC is configured to use itself as DNS server in TCP/IP configuration • Make sure it is all working! • If desired, tweak registry to prevent error messages

  24. Steps to Configure DNS on Subsequent Domain Controllers • Ensure the DNS setup on first DC is correct and working beforeinstalling other DCs • Disable secure updates for all subdomains on first DC • Ensure new server is configured to use only the first DC as DNS server in its TCP/IP configuration • Promote server to domain controller • Make sure that its entries are registered in DNS • Enable secure updates for subdomains on first DC • If desired, install DNS on new DC • Set as its own DNS server in TCP/IP config

  25. Hints and Caveats • NB the first DC will generally operate correctly without proper DNS setup; the second will not • May not be able to install AD on 2nd, replication may break • Always check correct registration etc. • Incorrect DNS setup can cause major problems e.g. with replication • Never install another DC with an incorrectly functioning DNS • Don’t turn off “Register this connection’s addresses in the DNS” on DCs • Stops all registrations, including SRV, for SP1 and above • http://support.microsoft.com/support/kb/articles/Q280/4/39.ASP

  26. Hints and Caveats cont. • Event log error message 5774 will be seen (sometimes also 5775) because unitname.ox.ac.uk cannot be registered • This record is unnecessary; edit registry to stop this but if so you will need to put in another required entry manually for global catalog servers • http://support.microsoft.com/support/kb/articles/Q280/4/39.ASP • http://support.microsoft.com/support/kb/articles/Q258/2/13.ASP

  27. Hints and Caveats cont. • For Active Directory-integrated zones, no configuration required for DNS servers installed on DCs after first DNS server is and configured • Zone information stored in Active Directory • May be a good idea to set DNS servers up to forward requests to Oxford DNS servers (forwarders) • Most requests likely to be for Oxford addresses • Not currently in the instructions

  28. Hints and Caveats cont. • If you initially set up a test network with no WAN connection, DNS server may be set up as root server • If so, may be missing root hints table; may be unable to access root hints and forwarders tabs • If it exists, delete root domain entry (.) • May also need to replace root hints table from sample file (unnecessary if configured to use forwarders) • http://support.microsoft.com/support/kb/articles/Q229/8/40.ASP • http://support.microsoft.com/support/kb/articles/Q249/8/68.ASP

  29. Hints and Caveats cont. • Manually adding an SRV record may not work • e.g. _rvp._tcp.unit.ox.ac.uk for netmeeting • Problem with Snap-In — use dnscmd.exe in Support Tools instead • http://support.microsoft.com/support/kb/articles/Q282/5/23.ASP • NB Above article is incorrect — dnscmd.exe is in Support Tools, not Resource Kit

  30. Hints and Caveats cont. • Netlogon service is responsible for dynamic DNS registrations • Refreshes registrations every two hours • DNS entries stored in netlogon.dns file in %systemroot%\winnt\system32\config on DCs • Root hints table is called cache.dns in %systemroot%\winnt\system32\dns • Sample copy in samples subdirectory

  31. Setup for Install/DNS Practical • ? Set up front desk PC as authoritative for ad.oucs-public.ox.ac.uk • Include zones for dom1.ad.oucs-public.ox.ac.uk etc. • Delegate _msdcs, _sites, _tcp, _udp etc. for dom1, dom2 etc. to servers • Point servers at front desk PC as DNS server

  32. Installation and DNS Practical • First server to set up DNS as per current instructions • Run dcpromo to install AD on first server • Point second server at first server for DNS resolution • Dcpromo to install AD on second server • Switch DNS on first server to AD Integrated

  33. Installation and DNS Practical • Install DNS on second server and see how it picks up the AD integrated DNS configuration • Look at different options that can be configured • Become familiar with records registered • Turn off “Register this connections addresses in DNS” on 2nd server and reboot — check effect this has