                                      Chapter 4, Creating a Domain Plan
|1|   1.   Chapter Overview
           A.   Defining domains
                1.    Identify the factors in an organization’s environment that affect its need
                      for domains.
                2.    Indicate the reasons for using multiple domains in an Active Directory
                      infrastructure.
                3.    Explain the implications of defining multiple domains.
                4.    Analyze an organization’s environment to define its domains.
           B.   Defining a forest root domain
                1.    Identify the factors in an organization’s environment that affect the
                      definition of its forest root domain.
                2.    Indicate the reasons for using existing or dedicated forest root domains.
                3.    Discuss the benefits and implications of using a dedicated forest root
                      domain.
                4.    Analyze an organization’s environment to define its forest root domain.
           C.   Defining a domain hierarchy
                1.    Identify the factors in an organization’s environment that affect its
                      domain hierarchy.
                2.    Indicate the reasons for using cross-link trusts.
                3.    Identify the reasons for using multiple trees.
                4.    Analyze an organization’s environment to define its domain hierarchy.
           D.   Naming domains
                1.    Identify the factors in an organization’s environment that affect its
                      domain name.
                2.    Recall the guidelines for naming domains.
                3.    Analyze an organization’s environment to name its domain.
           E.   Planning DNS server deployment
                1.    Identify the factors in an organization’s environment that affect its DNS
                      server deployment.
                2.    Plan additional zones.
                3.    Determine the existing DNS services employed on the DNS servers.
                4.    Analyze an organization’s environment to plan its DNS deployment.

|2|   2.   Steps in Creating a Domain Plan
           A.   Define domains.
           B.   Define the forest root domain.
           C.   Define a domain hierarchy.
           D.   Name domains.
           E.   Plan Domain Name System (DNS) server deployment.
      Chapter 4, Lesson 1
      Defining Domains
      1.   Understanding Domains
|3|        A.   What is a domain?
                1.   Is a partition of the forest directory; each domain controller stores a
                     complete replica of its own domain’s partition, not of the whole forest
                2.   Represents a security and administrative boundary for the accounts and
                     policies it contains (in practice the forest is the outer security
                     boundary: all domains in a forest trust one another, and the forest’s
                     Enterprise Admins have authority in every domain)
                3.   Must have a unique name
                4.   Contains centralized user accounts and group accounts maintained by
                     the domain administrator
|4|        B.   Goals for defining domains
                1.   Base domains on the geographical structure.
                2.   Minimize the number of domains.
|5|        C.   Geographical structure
                1.   Use your network architecture diagram as a guide.
                2.   Review existing infrastructures.
                     a.     DNS structure
                            (1)    Is there a current DNS structure?
                            (2)    You should probably retain the existing DNS structure.
                     b.     Microsoft Exchange structure
                            (1)    Is there a large Microsoft Exchange structure in place?
                            (2)    You should probably base your domain structure on the same
                                   model.
                3.   Consider the cost of changing existing infrastructure against potential
                     benefits.
                4.   Do not define domains on functional structures.
                     a.     Divisions, departments, or project teams are always subject to
                            change.
                     b.     A domain cannot be easily moved or renamed.
                     c.     A forest root domain can never be moved or renamed.
|6|        D.   Minimize the number of domains.
                1.   Design for simplicity.
                2.   Try to limit infrastructure design to one domain.
                     a.     Administer this single domain through organizational units (OUs).
                     b.     Adding domains increases management costs.
                     c.     Adding domains increases hardware costs.
                3.   When upgrading from Microsoft Windows NT, consolidate domains.
                     a.     There is a Security Accounts Manager (SAM) limitation in Windows
                            NT of about 40,000 objects per domain.
                     b.     Each Windows 2000 domain can hold more than one million objects.
                     c.     In Windows NT only the Primary Domain Controller (PDC) could
                            accept updates to the domain database, so a single computer’s
                            availability limited the whole domain.



Outline, Chapter 4
Designing a Microsoft Windows 2000 Directory Services Infrastructure
                            d.     All Windows 2000 domain controllers accept updates to the domain
                                   database.
                            e.     In Windows NT, domains were the smallest units of administrative
                                   delegation.
                            f.     In Windows 2000, OUs allow you to partition domains to delegate
                                   administration.

|7|    2.     Design Step: Defining Domains
              A.     Tasks
                     1.   Assess your organization’s domain needs.
                     2.   Determine the number of domains for your organization.
|8|           B.     Assessing domain needs
                     1.   Review the Business Structures Worksheet.
                          a.    Assess the current administrative structure.
                          b.    Assess the current geographical structure.
                          c.    Determine possible domain locations.
                     2.   Review the Network Architecture Worksheet.
                          a.    Assess the current network architecture.
                          b.    Determine possible domain locations.
                     3.   Review the Technical Standards Worksheet.
                          a.    Assess the current administrative standards.
                          b.    Assess the current security standards.
                          c.    Determine possible domain needs.
                     4.   Review the Hardware and Software Worksheet.
                          a.    Assess any hardware devices not compatible with Windows 2000.
                          b.    Assess any software not compatible with Windows 2000.
                     5.   Review the Windows NT Domain Architecture Worksheet.
                          a.    Assess the current domain structure.
                          b.    Determine ways to consolidate domains.
                     6.   Review the forest model.
                          a.    Assess the number of forests planned.
                          b.    Determine possible domain locations.
                     7.   Assess the changes currently planned.
                          a.    Business structure
                          b.    Network architecture
                          c.    Technical standards
                          d.    Existing domain architecture
                          e.    Ideal design specification
              C.     Determining the number of domains
|9|                  1.   Reasons to define multiple domains
                          a.    To meet security requirements
                          b.    To meet administrative requirements
                          c.    To optimize replication traffic
                          d.    To retain Windows NT domains

|10|   2.   Meeting security requirements
            a.    The settings in the Account Policies node under Security Settings in a
                  group policy take effect only when set at the domain level; they cannot
                  differ between OUs of the same domain, so differing requirements need
                  separate domains.
            b.    Password Policy contains settings for passwords, such as password
                  history, age, length, complexity, and storage.
            c.    Account Lockout Policy contains settings for account lockout, such
                  as lockout duration, threshold, and the lockout counter.
            d.    Kerberos Policy contains Kerberos-related settings, such as user
                  logon restrictions, service and user ticket lifetimes, and enforcements.
|11|   3.   Meeting administrative requirements
            a.    Address legal or privacy concerns regarding sensitive files, such as
                  those concerning product development.
            b.    The Domain Admins predefined global group has complete control
                  over all objects in the domain, including sensitive files.
            c.    To keep such files out of reach of the administrators who manage
                  everything else, define a separate new domain to contain them.
                  Note that the Enterprise Admins group of the forest root still has
                  authority in the new domain: a separate domain isolates the files
                  from other domains’ administrators, not from forest-wide ones.
|12|   4.   Optimizing replication traffic
            a.    The link is close to saturation even without replication traffic.
            b.    The link is unavailable at certain times of the day.
            c.    Replication traffic would compete with other, more important traffic.
            d.    Pay-by-usage links should not carry replication traffic.
            e.    SMTP-based replication can be used only between domains (for the
                  schema, configuration, and global catalog data), not between domain
                  controllers in the same domain, so a link that carries only SMTP
                  forces a domain boundary.
|13|   5.   Retaining Windows NT domains
            a.    In-place upgrades of Windows NT to Windows 2000 can be
                  performed.
            b.    The more domains you have, the greater the maintenance and
                  administration costs.
|14|   6.   Implications of defining multiple domains
            a.    Each domain added has a Domain Admins predefined global group
                  requiring more administration to monitor its members.
            b.    As domains are added, the likelihood that security principals will
                  need to be moved between domains becomes greater.
            c.    Group policy and access control are applied at the domain level.
            d.    Each Windows 2000 domain requires at least two secured domain
                  controllers to support fault tolerance and multimaster requirements.
            e.    If users from one domain log on in another domain, the domain
                  controller from one domain must be able to contact a domain
                  controller in the second domain. The more domains you have, the
                  more trust links and backup trust links are required.




       Chapter 4, Lesson 2
       Defining a Forest Root Domain
|15|   1.     Understanding the Forest Root Domain
              A.     Creation
                     1.   The forest root domain is the first domain you create in an Active
                          Directory forest.
                     2.   You cannot create a new forest root domain once the forest exists.
                     3.   You cannot create a parent for the existing forest root domain.
                     4.   You cannot rename the forest root domain.
              B.     Administration
                     1.   The IT organization responsible for making domain hierarchy, naming,
                          and policy decisions must manage the forest root domain.
                     2.   The Enterprise Admins and Schema Admins predefined universal groups
                          reside only in this domain.
                     3.   The administrators in this domain are those who are key to the network
                          design.

       2.     Design Step: Defining a Forest Root Domain
|16|          A.     Assessing forest root domain needs
                     1.   Review the Business Structures Worksheet.
                          a.    Assess the current administrative structure.
                          b.    Locate the IT management organization.
                     2.   Review the Network Architecture Worksheet.
                          a.    Assess the current network architecture.
                          b.    Assess the domains that have been defined.
                     3.   Review the IT Management Organization Worksheet.
                          a.    Assess the current IT management organization structure.
                          b.    Analyze how the IT management organization handles decisions and
                                changes.
                          c.    Determine the location of the forest root.
|17|          B.     Choosing a forest root domain
                     1.   Overview
                          a.    Designate an existing domain as the forest root domain.
                          b.    Designate an additional, dedicated domain to serve as the forest root
                                domain.
|18|                 2.   Reasons to designate an existing domain as the forest root domain
                           a.    Your forest contains only one domain, and you intend it to stay
                                 that way.
                          b.    Your forest contains multiple domains, and you can designate the
                                domain that is the most critical to the operation of your organization
                                as the forest root domain.




            c.   If your forest contains multiple domains and you designate the
                 domain most critical to the operation of your organization as the
                 forest root domain, then you cannot do the following:
                 (1)    Regulate membership in the Enterprise Admins and Schema
                        Admins universal groups in the forest root domain
                 (2)    Create a small forest root domain for easier replication
                 (3)    Avoid obsolescence of the root domain name
|19|   3.   Reasons to designate a new dedicated domain to be the forest root
            domain
            a.   You cannot select the domain that is the most critical to the operation
                 of your organization.
                 (1)    The new domain will be dedicated to the operations associated
                        with the enterprise management.
                 (2)    The new domain should not contain any user accounts or many
                        computer accounts.
            b.   You can select the domain that is the most critical to the operation of
                 your organization, but you want to be able to do one or more of the
                 following:
                 (1)    Regulate membership in the Enterprise Admins and Schema
                        Admins universal groups in the forest root domain.
                 (2)    Create a small forest root domain for easier replication.
                 (3)    Avoid obsolescence of the root domain name.

|20|   4.   Advantages of using a dedicated domain
            a.   Domain administrators in the forest root domain can regulate
                 membership in the Enterprise Admins and Schema Admins
                 predefined universal groups.
                 (1)    Restrict the membership of its enterprise-wide administrator
                        groups to only those who need enterprise-wide authority.
                 (2)    Those who require administrator capabilities for some of their
                        duties are restricted to regulating membership in administrator
                        groups at the domain level.
            b.   A dedicated forest root domain is small and can easily replicate
                 across the enterprise to protect the root from catastrophic events.
            c.   The only purpose of the forest root domain is to serve as the root, so
                 there is little chance of it becoming obsolete.




       Chapter 4, Lesson 3
       Defining a Domain Hierarchy
|21|   1.     Understanding Domain Hierarchies
              A.     Introduction
                     1.    A domain hierarchy is a tree structure of parent and child domains.
                           a.     The arrangement of domains in a hierarchy does not need to be based
                                  on the organization’s administrative structure.
                           b.     The arrangement of domains in the hierarchy determines the trust
                                  relationships between domains.
                     2.    Parent-child trusts are implicit, two-way transitive trusts.
                           a.     They are created automatically.
                           b.     They are created when a domain is added to the hierarchy.
                     3.    Domains that function as peers can have parent and child relationships
                           without affecting administrative control.
                           a.     Administrators in a parent domain can have administrative rights in
                                  the child domain.
                           b.     The administrative rights of administrators in a parent domain for a
                                  child domain are not automatic and must be explicitly set up.
                           c.     The only group that has administrative rights across domains by
                                  default is the Enterprise Admins predefined universal group.
                     4.    Group policies set in a parent domain do not automatically propagate to
                           child domains in the forest; they must be explicitly linked.
|22|                 5.    Trust paths are established.
                           a.     Trust paths are a series of trust links from one domain to another,
                                  established for passing authentication requests.
                           b.     Interdomain authentication must follow the established trust path.
                           c.     Examples of trust paths
                                  (1)    If a user in Domain M requests access to a resource located in
                                         Domain P, the domain controller in Domain M must follow the
                                         trust path to communicate with the domain controller in
                                         Domain P.
                                  (2)    Windows 2000 attempts to locate the resource in Domain M. If
                                         the resource is not located, the domain controller in Domain M
                                         refers the client to the domain controller in Domain L.
                                  (3)    Windows 2000 attempts to locate the resource in Domain L. If
                                         the resource is not located, the domain controller in Domain L
                                         refers the client to the domain controller in Domain K.
                                  (4)    This process continues up the left side of the hierarchy from
                                         Domain K to the top at Domain J and down the right side of
                                         the hierarchy until Domain P is reached.
|23|          B.     Cross-link trusts
                     1.    A means for improving query response performance
                     2.    A two-way transitive trust that you explicitly create between two
                           Windows 2000 domains


                       a.  Created between two Windows 2000 domains that are in the same
                           forest but that are logically distant from each other
                       b.  Created to optimize the interdomain authentication process
                 3.    Known also as shortcut trusts
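The referral walk in the trust-path example above, and the effect of a cross-link (shortcut) trust on it, as an added Python example that is not part of the course outline. The tree is constructed to match the outline’s example (Domain J as forest root, Domain M on the left side, Domain P on the right); the intermediate placement of Domains N and O and the single-letter names are assumptions.

```python
"""Trust-path walk through a Windows 2000 domain tree, with optional
shortcut (cross-link) trusts.  Added example; the hierarchy is constructed."""
from collections import deque

# Constructed tree matching the outline's example: J is the forest root,
# M sits under L under K on the left, P sits under O under N on the right.
# Every parent-child link is an implicit two-way transitive trust.
PARENT = {
    "J": None,
    "K": "J", "N": "J",
    "L": "K", "O": "N",
    "M": "L", "P": "O",
}


def trust_links(shortcuts=()):
    """Adjacency of trust links: parent-child links plus any explicit
    shortcut trusts, each given as a (domain, domain) pair."""
    adj = {d: set() for d in PARENT}
    for child, parent in PARENT.items():
        if parent is not None:
            adj[child].add(parent)
            adj[parent].add(child)
    for a, b in shortcuts:
        adj[a].add(b)
        adj[b].add(a)
    return adj


def trust_path(src, dst, shortcuts=()):
    """Shortest chain of domains an authentication referral crosses from
    src to dst.  With no shortcuts this is the tree walk the outline
    describes: up to the common ancestor, then down the other side."""
    adj = trust_links(shortcuts)
    prev = {src: None}
    queue = deque([src])
    while queue:            # breadth-first search = fewest trust hops
        node = queue.popleft()
        if node == dst:
            break
        for nxt in sorted(adj[node]):
            if nxt not in prev:
                prev[nxt] = node
                queue.append(nxt)
    if dst not in prev:
        raise ValueError(f"no trust path from {src} to {dst}")
    path = []
    while dst is not None:
        path.append(dst)
        dst = prev[dst]
    return path[::-1]


def hops(path):
    """Number of trust links crossed; each one is a domain-controller
    referral and a dependency on that domain's DCs being reachable."""
    return len(path) - 1


def tree_depth():
    """Levels in the tree (root = 1); the outline recommends three or four."""
    def level(d):
        return 1 if PARENT[d] is None else 1 + level(PARENT[d])
    return max(level(d) for d in PARENT)


if __name__ == "__main__":
    direct = trust_path("M", "P")
    print("without shortcut:", " -> ".join(direct), hops(direct), "hops")
    short = trust_path("M", "P", shortcuts=[("M", "P")])
    print("with M<->P shortcut:", " -> ".join(short), hops(short), "hops")
    print("tree depth:", tree_depth())
```

Run as a script it prints the six-hop walk M-L-K-J-N-O-P and the one-hop path once a shortcut trust between M and P exists; passing a shortcut between L and O instead shows how one cross-link shortens the path for every domain beneath both of them, which is why the Information Flow Worksheet, not the org chart, should drive where cross-links go.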

       2.   Design Step: Defining a Domain Hierarchy
|24|        A.   Assessing domain hierarchy needs
                 1.   Review the Information Flow Worksheet to analyze which domains need
                      access to resources in other domains.
                 2.   Review the Architecture Worksheet to assess current network
                      architecture, including the domains defined and the location of the forest
                      root domain.
                 3.   Review the DNS Environment Worksheet to assess current domain
                      structure to determine existing DNS names that might require separate
                      tree structures.
                 4.   Assess changes currently planned to information flow or network
                      architecture to address growth, flexibility, and the ideal design
                      specifications of the organization.
|25|        B.   Determining a domain hierarchy
                 1.   Determine the number of domain trees.
                      a.     A tree
                             (1)     A grouping or hierarchical arrangement of one or more
                                     Windows 2000 domains with contiguous names
                             (2)     Created by adding one or more child domains to an existing
                                     parent domain
                      b.     A forest can have one or more trees.
                      c.     One tree per forest is ideal because it requires fewer administrative
                             activities.
                 2.   Understand the implications of using multiple trees.
                      a.     Each tree requires a separate DNS name, so your organization will be
                             responsible for maintaining more DNS names.
                      b.     Each tree requires a separate DNS name, so you must add these
                             names to the proxy client exclusion list or proxy autoconfiguration
                             (PAC) file.
                      c.     Non-Microsoft LDAP clients might not be able to perform a global
                             catalog search and instead might need to perform an LDAP search of
                             subtree scope that searches each tree separately.
|26|             3.   Determine which domains will serve as tree root domains.
                      a.     The tree root domain is the highest-level domain in the tree.
                      b.     The tree root domain should be the one that is most critical to the
                             operation of the tree.
                      c.     The tree root domain can also be the forest root domain.
                 4.   Arrange the subdomain hierarchy.
                      a.     Domains do not need to be arranged based on administrative
                             structure.



                            b.    Arrange domains in a manner that takes advantage of the implicit
                                  two-way transitive trust between parent and child domains.
                            c.    Keep your domain tree hierarchy shallow.
                                  (1)    One level per domain tree is ideal.
                                  (2)    For best performance, restrict the levels to three or four.
|27|                 5.     Plan cross-link trusts.
                            a.    Use the Information Flow Worksheet to determine which domains
                                  need to access resources in other domains.
                            b.    Determine whether the domains that need to access resources in other
                                  domains are near to each other in the hierarchy.
                            c.    Optimize the trust relationships by planning cross-link trusts where
                                  needed.




       Chapter 4, Lesson 4
       Naming Domains
|28|   1.   Understanding Domain Names
            A.   Introduction
                 1.    A domain name is a name given to a collection of networked computers
                       that share a common directory.
                 2.    Active Directory uses the Domain Name System (DNS) as its domain
                       naming and location service.
                       a.     Using DNS allows for interoperability with Internet technologies.
                       b.     When requesting logon to the network, Active Directory clients query
                              their DNS servers to locate domain controllers.
                 3.    Windows 2000 domain names are also DNS names.
                 4.    In DNS, names are arranged in a hierarchy and can be partitioned
                       according to the hierarchy.
                        a.     A child domain’s name is its own label prefixed to the name of its
                               parent domain, separated by a period.
                        b.     A domain’s name therefore identifies its position in the hierarchy.

|29|   2.   Design Step: Naming Domains
            A.   Assessing domain naming needs
                 1.   Review the domain hierarchy diagram to assess the position of domains
                      in the hierarchy to determine the appropriate DNS names.
                 2.   Review the DNS Environment Worksheet to determine existing DNS
                      names.
                 3.   Assess changes currently planned for domain names and hierarchies to
                      address growth, flexibility, and the ideal design specifications of the
                      organization.
|30|        B.   Choosing domain names
                 1.   Introduction
                      a.     Nearly impossible to change any domain names
                      b.     Impossible to change the forest root domain name
                      c.     Important to select the correct domain name
                 2.   Guidelines
                       a.     Use only Internet standard characters.
                              (1)    A–Z, a–z, 0–9, and the hyphen (-); this excludes the underscore
                                     (_), which NetBIOS names permit.
                              (2)    Windows 2000 DNS supports almost any Unicode character in
                                     a name, but not all versions of DNS support these characters.
                      b.     Differentiate between internal and external namespaces.
                             (1)    Use an external root domain for public resources.
                             (2)    Use a different internal root domain for private resources.
                              (3)    Keeping the two apart means records for internal hosts are
                                     never published in the external namespace, so outside users
                                     cannot discover internal resources through public DNS.
                      c.     Base the internal DNS name on the external DNS name.
                      d.     Never use the same domain name twice.

                            e.     Use only registered domain names.
                                    (1)    Register all second-level domain names with InterNIC or another
                                           authorized naming authority.
                                    (2)    Register second-level names used for internal namespaces as well
                                           as external ones, so that the name stays yours if it must later
                                           be reachable from outside the corporate firewall and so that no
                                           one else registers it and causes name conflicts.
|31|                        f.     Use short, distinct, and meaningful names that are easy to use and are
                                   representative of your organization’s identity.
                            g.     Use names that have been reviewed internally to ensure they are not
                                   derogatory or offensive in another language.
                            h.     Use names that will remain static, and choose names that are generic
                                   rather than specific.
                            i.     Use the International Organization for Standardization (ISO)
                                   standards for names that include countries and U.S. states.
                                    (1)    ISO 3166-1 defines two-letter country codes.
                                    (2)    ISO 3166-2 defines two-letter codes for U.S. states.
                                   (3)    Review ISO 3166 at
                                          http://www.din.de/gremien/nas/nabd/iso3166ma/.
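A checker for the mechanical parts of these guidelines (Internet standard characters, internal name based on but distinct from the external name, no reused names, no single-label names), as an added Python example that is not from the course. The names contoso.com and fabrikam.com and the helper names check_name and plan_names are constructed for the example; the judgement calls in guidelines f through i (meaning, offensiveness, stability, ISO codes) are not automated here.

```python
"""Checks a candidate Windows 2000 / DNS domain name against the naming
guidelines in this lesson.  Added example, not from the course; the
sample names are constructed."""
import re

# RFC 1035 "letters, digits, hyphen" label: 1-63 characters, no leading
# or trailing hyphen.  This rejects underscore and non-ASCII characters,
# which Windows 2000 DNS would accept but other DNS servers may not.
LABEL_RE = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?$")


def check_name(name, external_root=None, already_used=()):
    """Return the guideline violations found in `name` (empty list = OK).

    external_root  - the organization's registered public name; when given,
                     `name` is treated as the internal root and must be a
                     subdomain of it (guidelines b and c).
    already_used   - names already assigned in the forest (guideline d).
    """
    problems = []
    name = name.rstrip(".")
    labels = name.split(".")
    if len(name) > 253:
        problems.append("name exceeds 253 characters")
    if len(labels) < 2:
        problems.append("single-label name; use a registered second-level name")
    for label in labels:
        if not LABEL_RE.match(label):
            problems.append(
                f"label {label!r} is not limited to A-Z, a-z, 0-9 and hyphen "
                "(or begins/ends with a hyphen)")
    if external_root is not None:
        ext = external_root.rstrip(".").lower()
        if name.lower() == ext:
            problems.append("internal namespace is identical to the external one")
        elif not name.lower().endswith("." + ext):
            problems.append(f"internal name is not based on the external name {ext!r}")
    if name.lower() in {u.rstrip(".").lower() for u in already_used}:
        problems.append("domain name is already in use")
    return problems


def plan_names(candidates, external_root):
    """Validate candidates in order, treating each accepted name as already
    used by the ones that follow.  Returns {candidate: problems}."""
    accepted = []
    report = {}
    for cand in candidates:
        probs = check_name(cand, external_root, accepted)
        report[cand] = probs
        if not probs:
            accepted.append(cand)
    return report


if __name__ == "__main__":
    plan = plan_names(
        ["corp.contoso.com", "research_dev.contoso.com", "contoso.com",
         "CORP.contoso.com", "intranet", "-eu.corp.contoso.com"],
        "contoso.com")
    for cand, probs in plan.items():
        print(cand, "OK" if not probs else "; ".join(probs))
```

The comparison is case-insensitive because DNS is, so CORP.contoso.com is correctly flagged as a reuse of corp.contoso.com; the regex is the check that catches underscores carried over from NetBIOS names before they become a forest root you can never rename.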

       Chapter 4, Lesson 5
       Planning DNS Server Deployment
|32|   1.     Understanding DNS Servers
              A.     Overview of DNS servers
                     1.   DNS servers resolve names to IP addresses, and they resolve IP
                          addresses to names for host devices contained within a portion of the
                          namespace.
                     2.   A DNS server responds to client queries in one of three ways:
                          a.    Provides the name or IP address
                          b.    Refers the client to another DNS server
                          c.    Indicates that it cannot fulfill the request
                     3.   DNS servers are also known as DNS name servers.
                     4.   DNS servers use information stored about zones to handle name
                          resolution.
                     5.   Each DNS server can store information for no zones, one zone, or
                          multiple zones.
|33|          B.     Overview of zones
                     1.   A zone is a contiguous portion of the DNS namespace for which a DNS
                          server is authoritative and which is administered as a unit.
                     2.   The DNS namespace represents the logical structure of your network
                          resources, and DNS zones provide physical storage for these resources.
                     3.   Zones can encompass a single domain or a domain and subdomains.
                     4.   Each zone has a zone database.
                          a.    For a standard zone the zone database is a text file.
                          b.    The zone database contains the resource records for the zone.
                          c.    An Active Directory–integrated zone stores its records in Active
                                Directory instead of a text file and replicates with it.


|34|   C.   Overview of resource records
            1.   Resource records contain the information a DNS server uses to answer
                 client queries.
            2.   There are many types of resource records.
                 a.    Host (A)—Maps a host name to an IPv4 address in a forward
                       lookup zone.
                 b.    Alias (CNAME)—Creates an alias, or alternate name, for a host's
                       canonical name.
                       (1)     A Canonical Name (CNAME) record lets more than one name
                               resolve to the same host, and therefore to a single IP address.
                       (2)     For example, you can host a File Transfer Protocol (FTP)
                               server, such as ftp.microsoft.com, and a Web server, such as
                               www.microsoft.com, on the same computer.
                       (3)     An alias name may carry no other record types.
                 c.    Host Information (HINFO)—Identifies the CPU and operating
                       system used by the host. It can serve as a low-cost resource-
                       tracking tool, but anyone who can query the zone can read it, so
                       it also tells an attacker which platform each host runs.
                 d.    Mail Exchange (MX)—Identifies the mail server or servers that
                       accept mail for the domain, each with a preference value; the
                       lowest value is tried first.
                 e.    Name Server (NS)—Lists the name servers that are authoritative
                       for a particular domain.
                 f.    Pointer (PTR)—Maps an IP address back to a host name in a reverse
                       lookup zone (under in-addr.arpa).
                 g.    Service (SRV)—Identifies which servers host a specific service,
                       with a priority, weight, and port. For example, a client that needs
                       a server to validate logon requests queries the DNS server for the
                       SRV records that domain controllers register and receives the list
                       of domain controllers with their ports and associated IP addresses.
                 h.    Start of Authority (SOA)—Identifies the name server that is the
                       authoritative source of information for the zone and carries the
                       zone's serial number, which secondary servers use to detect
                       changes. The first record in the zone database file must be the
                       SOA record.
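As an added example (not code from the course or from any DNS server) of how the record types above fit together, the Python below parses a constructed zone for example.com, checks two zone-file rules (the SOA comes first; an alias name carries no other records), flags HINFO as a disclosure, follows a CNAME to its A record, and locates a domain controller the way a Windows 2000 client does: it reads the `_ldap._tcp.dc._msdcs.<domain>` SRV records and resolves the chosen target to its A record. The zone contents, host names and addresses are constructed (example.com and 192.0.2.0/24 are reserved documentation values); the SRV owner name is the one Windows 2000 domain controllers register for LDAP.

```python
"""Parse a small DNS zone file, sanity-check it, and locate a domain
controller through the SRV records that Windows 2000 DCs register.

Added example for this outline, not code from the course. The zone below is
constructed; example.com and 192.0.2.0/24 are reserved documentation values.
"""
import shlex
from collections import namedtuple

Record = namedtuple("Record", "owner ttl rclass rtype rdata")

# Constructed zone: owner, TTL, class, type, RDATA (standard master-file order).
ZONE_TEXT = """
$ORIGIN example.com.
@    3600 IN SOA   dc1.example.com. hostmaster.example.com. 2014030501 900 600 86400 3600
@    3600 IN NS    dc1.example.com.
@    3600 IN NS    dc2.example.com.
@    3600 IN MX    10 mail.example.com.
dc1  3600 IN A     192.0.2.10
dc2  3600 IN A     192.0.2.11
mail 3600 IN A     192.0.2.25
www  3600 IN CNAME dc1.example.com.     ; alias: www and dc1 are the same host
dc1  3600 IN HINFO "PENTIUM" "WINDOWS 2000"
_ldap._tcp.dc._msdcs 600 IN SRV 0  100 389 dc1.example.com.
_ldap._tcp.dc._msdcs 600 IN SRV 0  100 389 dc2.example.com.
_ldap._tcp.dc._msdcs 600 IN SRV 10 100 389 dc3.example.com.   ; backup, no A record yet
"""


def qualify(name, origin):
    """Turn a relative owner name into a fully qualified one."""
    if name == "@":
        return origin
    return name if name.endswith(".") else f"{name}.{origin}"


def parse_zone(text):
    """Parse the master-file format into Record tuples, honouring $ORIGIN."""
    origin = "."
    records = []
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()     # drop comments and blank lines
        if not line:
            continue
        fields = shlex.split(line)              # keeps quoted HINFO strings intact
        if fields[0] == "$ORIGIN":
            origin = fields[1]
            continue
        owner, ttl, rclass, rtype, *rdata = fields
        records.append(Record(qualify(owner, origin), int(ttl), rclass, rtype, tuple(rdata)))
    return records


def check_zone(records):
    """Return the problems a reviewer would flag before loading the zone."""
    problems = []
    if not records or records[0].rtype != "SOA":
        problems.append("first record must be the SOA")
    types_by_owner = {}
    for r in records:
        types_by_owner.setdefault(r.owner, set()).add(r.rtype)
    for owner, types in types_by_owner.items():
        if "CNAME" in types and len(types) > 1:
            problems.append(f"{owner}: CNAME may not coexist with other record types")
    for r in records:
        if r.rtype == "HINFO":
            problems.append(f"{r.owner}: HINFO discloses CPU/OS to anyone who queries")
    return problems


def lookup(records, name, rtype, max_aliases=8):
    """Resolve name to the rdata of the given type, following CNAME chains."""
    for _ in range(max_aliases):
        hits = [r.rdata for r in records if r.owner == name and r.rtype == rtype]
        if hits:
            return hits
        aliases = [r for r in records if r.owner == name and r.rtype == "CNAME"]
        if not aliases:
            return []
        name = aliases[0].rdata[0]
    return []                                   # alias loop or chain too long


def srv_targets(records, service, domain):
    """SRV rows (priority, weight, port, target) for service.domain, ordered by
    priority and then weight (highest first). Real clients choose randomly
    among equal weights (RFC 2782); this order is deterministic on purpose."""
    owner = f"{service}.{domain}"
    rows = [(int(r.rdata[0]), int(r.rdata[1]), int(r.rdata[2]), r.rdata[3])
            for r in records if r.owner == owner and r.rtype == "SRV"]
    return sorted(rows, key=lambda t: (t[0], -t[1]))


def locate_dc(records, domain):
    """Mimic a Windows 2000 client finding an LDAP server: walk the SRV list and
    return (target, port, address) for the first target that has an A record."""
    for _prio, _weight, port, target in srv_targets(records, "_ldap._tcp.dc._msdcs", domain):
        addrs = lookup(records, target, "A")
        if addrs:
            return target, port, addrs[0][0]
    return None


if __name__ == "__main__":
    zone = parse_zone(ZONE_TEXT)
    print(check_zone(zone))
    print(lookup(zone, "www.example.com.", "A"))
    print(locate_dc(zone, "example.com."))
```

The parser handles only the subset of the master-file syntax used above (one record per line, an explicit TTL and class, `$ORIGIN`); a production zone may use `$TTL`, multi-line parentheses and inherited fields, which this example does not implement.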
|35|   D.   Zone replication
            1.   The synchronization of DNS data among the DNS servers that host a
                 given zone
            2.   Benefits of replicating zones include:
                 a.    Fault tolerance—If a DNS server fails, clients can still direct queries
                       to other DNS servers.
                 b.    Query load distribution—Query loads can be balanced among DNS
                       servers.
                 c.    WAN traffic reduction—DNS servers can be added in remote
                       locations to eliminate the need for clients to send queries across slow
                       links.
|36|        3.   Two methods
                 a.    Standard zone replication (zone transfers between primary and
                       secondary DNS servers)
                 b.    Active Directory zone replication; its use is strongly
                       recommended where the DNS servers are Windows 2000 domain
                       controllers.
            4.   Standard zone replication

                            a.    Primary and secondary zones and primary and secondary DNS
                                  servers handle zone replication.
                                  (1)     A primary zone is the master copy of a zone stored in a
                                          standard text file on a primary DNS server.
                                  (2)     A primary DNS server is the authoritative server for a primary
                                          zone.
                                  (3)     You must administer and maintain a primary zone on the
                                          primary DNS server for the zone.
                                  (4)     A secondary zone is a read-only replica of an existing standard
                                          primary zone stored in a standard text file on a secondary DNS
                                          server.
                                  (5)     A secondary DNS server is a backup DNS server that receives
                                          the zone database files from the primary server in a zone
                                          transfer.
                            b.    Zone transfer is the process by which DNS servers interact to
                                  maintain and synchronize authoritative name data.
                            c.    A zone can have multiple secondary servers, and a secondary server
                                  can serve more than one zone.
                            d.    There are two types of zone transfer, plus a notification
                                  mechanism that triggers either of them.
                                  (1)     Full zone transfers
                                  (2)     Incremental zone transfers
                                  (3)     Transfers that use the DNS Notify process
|37|                        e.    Full zone transfers (AXFR query)—The primary DNS server
                                  transmits the entire zone database file for the primary zone to the
                                  secondary DNS server.
                            f.    Incremental zone transfers (IXFR query)—The servers track and
                                  transfer only incremental resource record changes between each
                                  version of the zone database file.
|38|                        g.    Transfers that use the DNS Notify process—The primary DNS server
                                  tells its secondaries that the zone has changed instead of waiting
                                  for them to poll at the SOA refresh interval.
                                  (1)     The zone on a primary DNS server is updated, which increments
                                          the serial number on the SOA resource record in the primary
                                          zone.
                                  (2)     The primary DNS server sends a notify message to the
                                          secondary DNS servers that an administrator has listed in its
                                          notify set.
                                  (3)     When a secondary DNS server in the notify set receives the
                                          notify message, it queries the primary's SOA record and, if
                                          the serial number is newer than its own, initiates an AXFR or
                                          IXFR zone transfer.
                                  (4)     Restrict zone transfers to the listed secondary servers; a
                                          zone that answers AXFR from any host hands its complete record
                                          list to anyone who asks for it.
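The following Python models the standard zone replication just described, as an added example that is not code from the course or from any DNS server: a primary keeps the master copy and a short change journal, bumps the SOA serial on every update, sends a notify message to its notify set, and answers transfer requests with IXFR when its journal covers the secondary's serial and with a full AXFR otherwise. The secondary re-reads the primary's serial instead of trusting the one in the notify message, and the primary refuses transfers to hosts outside its notify set. Serial comparison uses the wrap-around arithmetic of RFC 1982. Server names, zone data and the journal depth are constructed for the example; the class and method names are this example's own.

```python
"""Simulate standard zone replication: SOA serial, DNS Notify, IXFR with AXFR
fallback, and a transfer ACL.

Added example for this outline, not code from the course or from any DNS
server. Zone content, server names and JOURNAL_DEPTH are constructed.
"""

SERIAL_MAX = 2 ** 32
JOURNAL_DEPTH = 3        # how many incremental changes the primary keeps for IXFR


def serial_newer(a, b):
    """True if serial a is newer than serial b under RFC 1982 wrap-around rules."""
    return a != b and ((a - b) % SERIAL_MAX) < 2 ** 31


class Primary:
    """Primary DNS server: master copy, change journal, notify set, transfer ACL."""

    def __init__(self, serial, records, secondaries):
        self.serial = serial
        self.records = dict(records)          # (owner, type) -> rdata
        self.journal = {}                     # serial -> (added, deleted) reaching that serial
        self.secondaries = set(secondaries)   # notify set; also the only hosts allowed to transfer

    def update(self, added=None, deleted=None):
        """Apply a change, bump the SOA serial and emit one NOTIFY per secondary."""
        added, deleted = added or {}, deleted or ()
        for key in deleted:
            self.records.pop(key, None)
        self.records.update(added)
        self.serial = (self.serial + 1) % SERIAL_MAX
        self.journal[self.serial] = (dict(added), tuple(deleted))
        for old in sorted(self.journal)[:-JOURNAL_DEPTH]:    # bounded journal
            del self.journal[old]
        # The notify message carries only the zone name and the new serial.
        return [("NOTIFY", sec, self.serial) for sec in sorted(self.secondaries)]

    def transfer(self, requester, have_serial):
        """Answer a transfer request from a secondary that holds have_serial."""
        if requester not in self.secondaries:
            return "REFUSED", None            # AXFR/IXFR from unknown hosts leaks the whole zone
        if not serial_newer(self.serial, have_serial):
            return "UP_TO_DATE", None
        distance = (self.serial - have_serial) % SERIAL_MAX
        if distance <= len(self.journal):
            wanted = [(have_serial + i) % SERIAL_MAX for i in range(1, distance + 1)]
            if all(s in self.journal for s in wanted):
                return "IXFR", [self.journal[s] for s in wanted]
        return "AXFR", dict(self.records)     # journal cannot bridge the gap: send everything


class Secondary:
    """Secondary DNS server holding a read-only replica of the primary zone."""

    def __init__(self, name, primary):
        self.name, self.primary = name, primary
        self.serial, self.records = 0, {}

    def on_notify(self, claimed_serial):
        """Handle NOTIFY. The serial in the message is not trusted: the secondary
        re-reads the primary's SOA and only pulls if that serial really is newer,
        so a forged NOTIFY can at most trigger an SOA check."""
        del claimed_serial
        if not serial_newer(self.primary.serial, self.serial):
            return "IGNORED"
        kind, payload = self.primary.transfer(self.name, self.serial)
        if kind == "AXFR":
            self.records = payload
        elif kind == "IXFR":
            for added, deleted in payload:     # replay each change in serial order
                for key in deleted:
                    self.records.pop(key, None)
                self.records.update(added)
        else:
            return kind
        self.serial = self.primary.serial
        return kind


def replication_demo():
    """Walk through first contact (AXFR), one small change (IXFR), a burst of
    changes that exceeds the journal (AXFR again) and a stale NOTIFY (ignored)."""
    primary = Primary(2014030501, {("dc1.example.com.", "A"): "192.0.2.10"}, ["ns2.example.com."])
    ns2 = Secondary("ns2.example.com.", primary)
    log = [ns2.on_notify(primary.serial)]
    for _kind, _sec, serial in primary.update(added={("dc2.example.com.", "A"): "192.0.2.11"}):
        log.append(ns2.on_notify(serial))
    for i in range(5):                         # ns2 misses these five notifies
        primary.update(added={(f"host{i}.example.com.", "A"): f"192.0.2.{100 + i}"})
    log.append(ns2.on_notify(primary.serial))
    log.append(ns2.on_notify(primary.serial))
    return log, ns2, primary


if __name__ == "__main__":
    log, ns2, primary = replication_demo()
    print(log, ns2.serial == primary.serial)
    print(primary.transfer("attacker.example.net.", 0))
```

The journal depth is what decides between IXFR and AXFR: a secondary that misses more changes than the primary retains falls back to a full transfer, which is why a slow link with frequent updates still sees AXFR traffic.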
|39|                 5.     Active Directory zone replication
                            a.    Active Directory–integrated zones and domain controllers handle
                                  zone replication.
                            b.    Each domain controller (DC) functions as a primary DNS server.
                            c.    Domain controllers use Active Directory to store and replicate
                                  primary zone files.
|40|                        d.    It has the following advantages over standard zone replication:



                              (1)  Replication planning is simplified because DNS resource
                                   records are part of Active Directory and are replicated to each
                                   domain controller, so it is no longer necessary to maintain
                                   zone database files or use zone transfers.
                              (2)  Replication is multimaster; updates to zones are allowed at
                                   every DNS server/domain controller rather than only at the
                                   primary DNS server.
                              (3)  Replication is efficient. Because Active Directory zone
                                   replication is processed at the attribute level, it generates
                                   less replication traffic than standard zone replication.
                              (4)  Replication provides for delegation of administration.
                                   Because directory-integrated zone data is stored as Active
                                   Directory objects with their own access control lists,
                                   administration can be delegated to users or groups down to
                                   individual resource records.
|41|        E.   Existing authoritative DNS server requirements
                 1.    Must support service (SRV) resource records, as described in RFC 2052
                       (later superseded by RFC 2782)
                 2.    Must support dynamic update, as described in RFC 2136
                 3.    Recommend running the Windows 2000 DNS service
                       a.    Meets both requirements
                       b.    Provides Active Directory–integrated zones
                       c.    Provides secure dynamic update (available only for Active
                             Directory–integrated zones): only authenticated clients can
                             update the zone, and by default only the account that created a
                             record can change it afterward. With nonsecure dynamic update
                             any host on the network can overwrite any record, including a
                             domain controller's host record.
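To make the difference between nonsecure and secure dynamic update concrete, here is an added example (not code from Windows 2000 DNS) that models both modes of a zone accepting RFC 2136 updates. In secure mode an update without an authenticated principal is refused, and a record may only be changed by the account that created it, which is the default ownership rule of secure dynamic update in Active Directory-integrated zones. The scenario is constructed: the domain controller account DC1$ registers its address, then an unsigned update and a different workstation account each try to repoint the name at an attacker-controlled address. The class, method and host names are this example's own.

```python
"""Nonsecure versus secure dynamic update, as a small model of the zone
setting the Windows 2000 DNS service offers for Active Directory-integrated
zones.

Added example for this outline, not code from Windows 2000 DNS. The rule it
enforces (only authenticated clients may update, and the account that created
a record is the only one allowed to change it) is the default secure-update
behaviour; class, method and host names are constructed for the example.
"""


class DynamicUpdateZone:
    """A zone that accepts RFC 2136 dynamic updates in one of two modes."""

    def __init__(self, secure):
        self.secure = secure
        self.records = {}   # (name, type) -> rdata
        self.owners = {}    # (name, type) -> account that created the record

    def update(self, name, rtype, rdata, principal=None):
        """Apply one update. principal is the authenticated account behind the
        request (Windows signs such updates with GSS-TSIG); None stands for an
        unsigned update from an unknown host."""
        key = (name, rtype)
        if self.secure:
            if principal is None:
                return "REFUSED"      # unsigned updates are not accepted at all
            owner = self.owners.setdefault(key, principal)
            if owner != principal:
                return "REFUSED"      # the record's ACL grants write access only to its creator
        self.records[key] = rdata     # nonsecure mode: anyone can write anything
        return "NOERROR"


def hijack_attempt(secure):
    """DC1$ registers its address; then an unsigned update and a different
    authenticated workstation account try to repoint dc1 at 198.51.100.7
    (a constructed attacker address). Returns the three result codes and the
    address the zone ends up serving for dc1."""
    zone = DynamicUpdateZone(secure)
    results = [
        zone.update("dc1.example.com.", "A", "192.0.2.10", principal="EXAMPLE\\DC1$"),
        zone.update("dc1.example.com.", "A", "198.51.100.7"),                         # unsigned
        zone.update("dc1.example.com.", "A", "198.51.100.7", principal="EXAMPLE\\WS7$"),
    ]
    return results, zone.records[("dc1.example.com.", "A")]


if __name__ == "__main__":
    print("nonsecure:", hijack_attempt(secure=False))
    print("secure:   ", hijack_attempt(secure=True))
```

In the nonsecure zone all three updates succeed and logon traffic for dc1 would be sent to the attacker's address; in the secure zone the two spoofing attempts come back REFUSED and the domain controller's record is untouched.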

|42|   2.   Design Step: Planning DNS Server Deployment
            A.   Introduction
                 1.    Assess the organization’s current DNS server environment.
                 2.    Determine the placement of the DNS servers.
|43|        B.   Assessing the DNS server environment
                 1.    Review the IT Management Organization Worksheet.
                       a.    Assess the current IT management organization structure.
                       b.    Determine whether it’s necessary to delegate management of part of
                             the DNS namespace to another department or location within the
                             organization.
                 2.    Review the DNS Environment Worksheet to assess the current DNS
                       server environment.
                 3.    Assess changes currently planned for DNS server environments to
                       address growth, flexibility, and the ideal design specifications of the
                       organization.
|44|        C.   Determining Placement of DNS Servers
                 1.    Plan additional zones.
                        a.    Delegate management of part of the DNS namespace to another
                              department or location within the organization.
                       b.    Divide a large zone into smaller zones.
                             (1)    Distribute traffic loads among multiple servers.
                             (2)    Improve DNS name resolution performance.
                             (3)    Create a more fault-tolerant DNS environment.




                            c.   Extend the namespace by adding numerous subdomains at once, as in
                                 accommodating the opening of a new branch or site.
                     2.     Determine existing DNS services.
                            a.   Is your organization running a DNS service other than Windows
                                 2000 DNS?
                            b.   Is the DNS service supported?
                                 (1)    BIND version 8.1.2 or later is supported.
                                 (2)    Windows NT 4 DNS is supported.
                            c.   Can you upgrade DNS service to Windows 2000 DNS service?
                                 (1)    Upgrade BIND version 4.x to BIND version 8.1.2, and then
                                        upgrade to the Windows 2000 DNS service.
                                 (2)    Upgrade BIND version 8.1.2 to the Windows 2000 DNS
                                        service.
                                 (3)    Upgrade Windows NT 4 DNS to Windows 2000 DNS Service.
                            d.   Should you create a delegated subdomain?
                                 (1)    If you cannot upgrade your DNS servers to Windows 2000
                                        DNS, create a delegated subdomain.
                                 (2)    A delegated subdomain is a separate Windows 2000 DNS
                                        subdomain set up in the established DNS namespace.
                                 (3)    The DNS server in the Windows 2000 DNS subdomain is
                                        authoritative for that subdomain.
                                 (4)    You can add child domains to the subdomain as needed.
                     3.     Determine the zone replication method.
                            a.   If you are going to run the Windows 2000 DNS service, use
                                 Active Directory–integrated zones; all domain controllers
                                 running DNS will then function as primary DNS servers.
                            b.   If you are using BIND version 8.1.2 or later, you must use standard
                                 zone replication and specify primary and secondary DNS servers and
                                 zones.
                            c.   If you are using Windows NT 4, you must use standard zone
                                 replication and specify primary and secondary DNS servers and
                                 zones.

|45|   Chapter Summary
              A.     Determine the number of domains to define.
              B.     Explain the implications of defining multiple domains.
              C.     Select a forest root domain.
              D.     Define and optimize the domain hierarchy.
              E.     Name domains.
              F.     Plan DNS server deployment.





				
DOCUMENT INFO
Shared By:
Categories:
Tags:
Stats:
views:6
posted:3/5/2014
language:simple
pages:15