ページ1に含まれる内容の要旨
Operating System
Windows 2000 DNS
White Paper
Abstract
This paper describes the Microsoft® Windows® 2000 operating system Domain Naming System
(DNS), including design, implementation, and migration issues. It discusses new features of the
Windows 2000 implementation of DNS, provides examples of DNS implementations, and describes
the architectural criteria that network architects and administrators should consider when designing a
DNS namespace for the Active Directory® service to provide reliab
ページ2に含まれる内容の要旨
© 1999 Microsoft Corporation. All rights reserved. The information contained in this document represents the current view of Microsoft Corporation on the issues discussed as of the date of publication. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information presented after the date of publication. This white paper is for informational purposes only. MICRO
ページ3に含まれる内容の要旨
CONTENTS WHITE PAPER ..............................................................................1 CONTENTS....................................................................................3 INTRODUCTION............................................................................5 INTRODUCTION............................................................................5 Name Services in Windows 2000.......................................................................2 Name Services in Window
ページ4に含まれる内容の要旨
Dynamic Update...............................................................................................15 Protocol Description.....................................................................................16 Update Algorithm..........................................................................................16 Dynamic Update of DNS Records ...............................................................16 Secure Dynamic Update......................................................
ページ5に含まれる内容の要旨
Internet Access Considerations....................................................................46 Characters in Names....................................................................................55 Computer Names.........................................................................................55 Integrating ADS with Existing DNS Structure...............................................57 Deploying DNS to Support Active Directory.....................................................
ページ6に含まれる内容の要旨
ページ7に含まれる内容の要旨
The designers of the Microsoft ® Windows® 2000 operating system chose the DNS FUNDAMENTALS Domain Name System (DNS) as the name service for the operating system. Windows 2000 Server includes an IETF standard-based Domain Name System Server. Because it is RFC compliant it is fully compatible with any other RFC compliant DNS servers. Use of the Windows 2000 Domain Name System server is not mandatory. Any DNS Server implementation supporting Service Location Resource Records (SRV RRs, as described
ページ8に含まれる内容の要旨
Name Services in Windows 2000 DNS is the name service of Windows 2000. It is by design a highly reliable, hierarchical, distributed, and scalable database. Windows 2000 clients use DNS for name resolution and service location, including locating domain controllers for logon. Downlevel clients (Windows NT 3.5 and 3.51, Windows NT 4.0, Windows 95, and Windows 98), however, rely on NetBIOS which can use NBNS (WINS), broadcast or flat LmHosts file. In particular, the NetBIOS name service is used for
ページ9に含まれる内容の要旨
• Draft-skwan-gss-tsig-04.txt (GSS Algorithm for TSIG (GSS-TSIG) ) For more information on these documents, go to http://www.ietf.org/. In addition to the listed RFCs and Drafts the implementation of the ATMA DNS records is based on the “ATM Name System Specification Version 1.0”. Additional reading: • Microsoft DNS and Windows NT 4.0 White Paper (http://www.microsoft.com/windows/downloads/bin/nts/DNSWP.exe) • Designing the Active Directory Structure chapter in the Deployment Planning Guide • Ac
ページ10に含まれる内容の要旨
superceded by RFC 1034 (Domain Names–Concepts and Facilities), and RFC 1035 (Domain Names–Implementation and Specification). RFCs that describe DNS security, implementation, and administrative issues later augmented these. The implementation of DNS—Berkeley Internet Name Domain (BIND)—was originally developed for the 4.3 BSD UNIX operating system. The Microsoft implementation of DNS Server became a part of the operating system in Windows NT Server 4.0. The Windows NT 4.0 DNS Server, like most
ページ11に含まれる内容の要旨
Managed by N Registration Authority int/net/org com edu gov mil army microsoft whitehouse mit mydomain Managed by Microsoft Microsoft Di DNS and Internet The Internet Domain Name System is managed by a Name Registration Authority on the Internet, responsible for maintaining top-level domains that are assigned by organization and by country. These domain names follow the International Standard 3166. Existing abbreviations, reserved for use by organizations, as well as two- letter and thre
ページ12に含まれる内容の要旨
Description Class TTL Type Data Start of Authority Internet (IN) Default TTL is SOA Owner Name, 60 minutes Primary Name Server DNS Name, Serial Number, Refresh Interval, Retry Interval, Expire Time, Minimum TTL Host Internet (IN) Zone (SOA) A Owner Name (Host DNS TTL Name), Host IP Address Name Server Internet (IN) Zone (SOA) NS Owner Name, TTL Name Server DNS Name Mail Exchanger Internet (IN) Zone (SOA) MX Owner Name, TTL Mail Exchange Server DNS Name, Preference Number Canonical Name Internet
ページ13に含まれる内容の要旨
• A need to delegate management of a DNS domain to a number of organizations or departments within an organization • A need to distribute the load of maintaining one large DNS database among multiple name servers to improve the name resolution performance as well as create a DNS fault tolerant environment • A need to allow for host’s organizational affiliation by including them in appropriate domains The NS RRs facilitate delegation by identifying DNS servers for each zone. They appear in all fo
ページ14に含まれる内容の要旨
The changes made to the primary zone file are then replicated to the secondary NEW FEATURES OF THE zone file. WINDOWS 2000 DNS As mentioned above, a name server can host multiple zones. A server can therefore be primary for one zone (it has the master copy of the zone file) and secondary for another zone (it gets a read-only copy of the zone file). The process of replicating a zone file to multiple name servers is called zone transfer. Zone transfer is achieved by copying the zone file informa
ページ15に含まれる内容の要旨
or a successful response. Resolvers typically make recursive queries. With a recursive query, the DNS server must contact any other DNS servers it needs to resolve the request. When it receives a successful response from the other DNS Server(s), it then sends a response to the client. The recursive query is typical for a resolver querying a name server and for a name server querying its forwarder (another name server configured to handle requests forwarded to it). When a DNS server processes a r
ページ16に含まれる内容の要旨
www.whitehouse.gov: • Recursive query for www.whitehouse.gov (A RR) • Iterative query for www.whitehouse.gov (A RR) • Referral to the gov name server (NS RRs, for gov); for simplicity iterative A queries by the DNS server (on the left) to resolve the IP addresses of the Host names of the name servers returned by other DNS servers have been omitted. • Iterative query for www.whitehouse.gov (A RR) • Referral to the whitehouse.gov name server (NS RR, for whitehouse.gov) • Iterative query for www.wh
ページ17に含まれる内容の要旨
• Incremental Zone Transfer (IXFR) • Dynamic Update and Secure Dynamic Update • Unicode Character Support • Enhanced Domain Locator • Enhanced Caching Resolver Service • Enhanced DNS Manager Active Directory Storage and Replication Integration In addition to supporting a conventional way of maintaining and replicating DNS zone files, the implementation of DNS in Windows 2000 has the option of using the Active Directory services as the data storage and replication engine. This approach provides
ページ18に含まれる内容の要旨
Each Active Directory service object has attributes associated with it that define particular characteristics of the object. The classes of objects in the Active Directory service database as well as each object’s attributes are defined in the Active Directory service schema. In other words, the schema contains definitions for each class object available in Active Directory service. The following are examples of the Active Directory service class objects: • User • Group • Organizational Unit • D
ページ19に含まれる内容の要旨
Note: Only DNS servers running on domain controllers can load DS integrated zones. The Replication Model Since DNS zone information is now stored in Active Directory service, whenever an update is made to a DNS server, it simply writes the data to Active Directory and continues performing its usual functions. Active Directory service is now responsible for replicating the data to other domain controllers. The DNS servers running on other DCs will poll the updates from the DS. Because Active Dire
ページ20に含まれる内容の要旨
Note that only DNS server supports the Secure Dynamic Updates for the DS- integrated zones. Windows 2000 implementation provides even finer granularity allowing per-name ACL specification. More details we consider ACLs and specific Administrative groups later in “Controlling Update Access to Zones and Names.” Incremental Zone Transfer To reduce latency in propagation of changes to a DNS database, an algorithm has to be employed that actively notifies name servers of the change. This is accomplis