A multitude of applications rely on DNS for name resolution in multiplatform environments. A robust design should include at least two internal DNS servers for every set of users. The DNS servers should be distributed throughout the company as a load-balancing strategy, and Performance Monitor should be used to identify the segments that need their own DNS servers.
Furthermore, if segments are separated by WAN links, it is advisable to have a DNS server on each side so that clients do not have to cross slow WAN links to resolve domain names.
This simple strategy not only spreads the risk of a central DNS server going down but also speeds up resolution. It is a good idea to spread your DNS servers over different subnets; an interesting lesson can be learnt from a historical attack on Microsoft's DNS servers in the last 5 years. When designing the DNS system it is important that security is hard-coded into the design. This method of configuration ensures that if policies are not followed, failsafe strategies are in place to protect the organization's best interests.
Internal servers contain only internal DNS entries and the external server contains only external entries. Intruders look for DNS servers that are not split, because such servers expose internal hosts to the Internet by revealing internal IP addresses that the intruder can address directly.
This information is then used to map the network's key points and serves as a tool for finding the weak spot where the intruder can gain entry.
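The split described above can be checked mechanically. The following Python script is an added example, not code from the white paper: it parses two small zone files (constructed sample data under a made-up domain, example.test) and reports any record that breaks the internal/external split, namely an RFC 1918 address published in the external zone, or a non-internal address served from the internal zone. The zone format handled is a minimal BIND-style text with $ORIGIN, the "@" apex shorthand and ";" comments; this is an assumption for illustration, not the format of any particular product.

```python
"""Added example (not from the white paper): audit a split-horizon DNS
design.  The external zone must not publish internal addresses, and the
internal zone should carry only internal entries.  Zone data and domain
names below are constructed for illustration."""
import ipaddress
import re

# Address space the white paper calls "internal": the RFC 1918 ranges.
# (ipaddress.is_private is deliberately not used, because it also treats
# documentation ranges such as 203.0.113.0/24 as private.)
INTERNAL_RANGES = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]

# Constructed sample zones: the public (Internet-facing) view and the
# internal view of the same domain.  'intranet' has leaked into the
# external zone with a private address, the mistake the text warns about.
EXTERNAL_ZONE = """
$ORIGIN example.test.
@        3600 IN A  203.0.113.10
www      3600 IN A  203.0.113.10
mail     3600 IN A  203.0.113.25
intranet 3600 IN A  10.20.30.40   ; should not be here
"""

INTERNAL_ZONE = """
$ORIGIN example.test.
@        3600 IN A  10.20.30.5
www      3600 IN A  10.20.30.5
intranet 3600 IN A  10.20.30.40
dc01     3600 IN A  10.20.30.1
"""

A_RECORD = re.compile(r"^(\S+)\s+(\d+)\s+IN\s+A\s+(\S+)$")


def is_internal(ip):
    """True when the address falls inside an RFC 1918 range."""
    return any(ip in net for net in INTERNAL_RANGES)


def parse_zone(text):
    """Return {fqdn: IPv4Address} for the A records in a simple zone file.

    Supports $ORIGIN, the '@' apex shorthand and ';' comments; records of
    other types are skipped.
    """
    origin = ""
    records = {}
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()   # drop trailing comments
        if not line:
            continue
        if line.startswith("$ORIGIN"):
            origin = line.split()[1].rstrip(".")
            continue
        match = A_RECORD.match(line)
        if not match:
            continue
        name, _ttl, addr = match.groups()
        if name == "@":
            fqdn = origin
        elif name.endswith("."):
            fqdn = name.rstrip(".")
        else:
            fqdn = f"{name}.{origin}"
        records[fqdn] = ipaddress.ip_address(addr)
    return records


def audit_split(external, internal):
    """Return (kind, fqdn, address) findings that break the split.

    'leak'               an internal address published in the external zone
    'public-in-internal' a non-internal address served from the internal zone
    """
    findings = []
    for fqdn, ip in sorted(external.items()):
        if is_internal(ip):
            findings.append(("leak", fqdn, str(ip)))
    for fqdn, ip in sorted(internal.items()):
        if not is_internal(ip):
            findings.append(("public-in-internal", fqdn, str(ip)))
    return findings


def audit_zone_texts(external_text, internal_text):
    """Convenience wrapper: parse both zone texts and audit them."""
    return audit_split(parse_zone(external_text), parse_zone(internal_text))


if __name__ == "__main__":
    for kind, fqdn, addr in audit_zone_texts(EXTERNAL_ZONE, INTERNAL_ZONE):
        print(f"{kind:20} {fqdn:30} {addr}")
```

Run against exported zone files in place of the embedded samples, the script gives a quick pre-change check that the external zone still contains no internal host addresses; the same check belongs in the test-lab step the white paper recommends before a change reaches production.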
Prior to implementing any new network service such as DNS, a structured security policy must be in place. Policies and procedures are written to ensure a high level of security and compliance, and this quality-assurance system ensures that the level of security never decreases. Your DNS policy should include a few facts that I have stated below.
After writing the policy, it is up to your IT department to enforce it. A comprehensive policy and procedure is all very well; ensuring that it is applied to the DNS server as part of the security strategy is another matter. Organizations occasionally fail to see the value in following a comprehensive policy with points such as log monitoring and performance checks. This is the main reason that those same organizations are down for several days due to "technical faults".
To ensure that your organization does not fall into the same painful trap, make sure that your DNS documentation is holistic and always kept up to date. It cannot be stressed enough that without a fully functional DNS structure, Active Directory will not function as intended.
In many cases the leverage lies in how the DNS has been designed and secured. Note that recommendations are made throughout this white paper; in order to follow them through, part of the process involves running each recommendation in a test lab environment.
This quality-assurance process should shadow your production system closely. Once you are happy with the outcome of the recommendation, it is up to you to transfer the application of the theory to your production environment. Resolving Internet names can be accomplished by the internal DNS server without compromising security.
This host record is an "A" record in Advanced view. Configure the DNS client settings on the domain controller to point to a DNS server that is authoritative for the zone that corresponds to the domain of which the computer is a member. Up-time and bandwidth determine reliability.
On Windows Server and Windows Server member servers, Microsoft recommends that you configure the DNS client settings according to these specifications: If you do so, you may experience issues when you try to join the Windows-based or Windows Server-based server to the domain, or when you try to log on to the domain from that computer.
If you have servers that are not configured to be part of the domain, you can still configure them to use Active Directory-integrated DNS servers as their primary and secondary DNS servers. Non-member servers that use Active Directory-integrated DNS do not dynamically register their DNS records in a zone that is configured to accept only secure updates.
For more information about DNS client-side name resolution, click the following article number to view the article in the Microsoft Knowledge Base:
One approach is to use an iterative methodology: once you select several logical models and identify their physical implications, you can start discarding some models in favor of a few that will be selected in the project's detailed design phase.
As you identify several models, the team can assess the pros and cons of each and choose an ideal model. You can use specific criteria to select logical models, such as business, geographical, political and physical replication considerations.
The logical models provide a potential structure for your Active Directory. But it isn't possible to determine how effective they will be in the new infrastructure before analyzing their physical implementation. To examine the physical model of the Active Directory effectively, you'll need information about the available bandwidth between the various physical locations and the number of people working at those locations.
As the big picture comes together, important aspects, such as the implementation of Exchange, will drive the replication topology requirements for the Active Directory. Exchange, for example, stores routing information and its Global Address List in the Active Directory, so each Exchange server requires a Global Catalog nearby. Physical high-level design also includes placing specific servers and asking important questions about disaster recovery.
For example, if a server unexpectedly shuts down, what would the implications be? Where would the users be redirected for authentication needs? In some cases, placing a second domain controller in a site can alleviate this risk and ensure the availability of the Active Directory if something were to happen to one of the servers.
Once you understand the current environment and your vision of the future infrastructure takes form, you can turn your attention to the steps required to implement Windows. It's at this point that you define your migration strategy. That, in a nutshell, is the big picture. Next time, I'll talk about creating the detailed design for your migration project, whether you're restructuring or doing an in-place upgrade.
I'll also share some practical advice that comes from my experiences as a consultant performing Windows migrations. Micky Balladelli is a fellow at Avanade Inc. in Sophia Antipolis, France, focusing on Windows services. He is a speaker at various Microsoft and Windows related conferences and has worked with multiple companies on the design of their Windows infrastructures.