Chapter 7 Dynamic DNS and Active Directory

This chapter includes:

• Dynamic DNS (DDNS). A brief overview of the dynamic update feature of DNS, from the perspective of Windows and DNS administrators. This section describes the security problem and the zone cleanup problem, and also discusses the "garbage" cleanup (scavenging) problem in Windows 2000.
• Directory integration of DNS zones. Introduces storing DNS zone data in Active Directory: what it is, why it is used and which services use it, the decisions you face when using this optional feature, and, in detail, the dynamic update security it provides.
• Active Directory's dependence on SRV records. An overview of how SRV records are used in a Windows 2000 domain environment. Every DNS that supports Windows 2000 must support SRV records, because Active Directory requires them.
• Combining Active Directory with DNS (or not). Collects some of the factors and the decisions that must be made when this technology is used.

The Active Directory of Windows 2000 implements an LDAP (Lightweight Directory Access Protocol) directory service. A little history helps to understand what this means. The original X.500 directory service protocol was never fully realized, for several reasons, and so left the historical stage. In particular, it was such a complex specification that a subset of it emerged: the LDAP protocol. Although the features of LDAP are still developing, Windows 2000 now builds on one established fact: existing LDAP implementations depend on a global locator service, and DNS is one such service. The original X.500 concept was only the directory structure and the ability to locate things within that structure. LDAP implementations concentrate more on using the directory structure than on locating it.
The design of Active Directory makes use of the location capability of DNS and is realized through the directory itself. As a result, the highest-level object in Active Directory looks, by name, like a DNS domain. This is precisely because the domain objects used there represent the domain boundaries of Windows 2000. For the initial version of Windows 2000 these were intended to be named with the same structure as DNS domains and subdomains. There is a great deal of meaning in this. This chapter analyzes some of this design, and the capabilities, interactions and defects of the DNS that supports it.

7.1 Dynamic DNS

DDNS (Dynamic DNS) is detailed in RFC 2136, which defines the update operation (a new DNS opcode) and the message format with which a DNS client can request changes. As we have seen, zone content must originate on the primary server for the zone, so dynamic DNS specifies that when a secondary server receives an update request it should forward it to the primary. If this sounds easy to understand, wait a while; there is much more to it. The update itself is easy; it is the second part that is difficult to implement with the Windows 2000 DNS server. A client performs a dynamic update by first locating the authoritative server for the zone it belongs to (a query for NS records) and then announcing its presence by requesting registration of its address record and, optionally, a pointer record. Windows 2000 actually queries for the SOA record rather than the NS records, and then registers directly with that server. After the client has finished, its name can be resolved and its IP address can optionally be reverse-resolved, exactly as if the resource records had been typed in by hand. If it were this simple, any DNS administrator would be as excited as a child who has just got a new bicycle. But as we know, nothing new comes without a price.
Or, as the saying goes, we have been here before.

7.1.1 What Is Dynamic DNS

RFC 2136 describes the dynamic update capability of DNS and introduces the DNS update message format. With this message format a client can delete a resource record, add a resource record, or test for the presence or absence of existing data. The RFC details how records are handled, for example when a zone contains several records with the same name (such as multiple A records). An update operation may be aimed at a single resource record, at a resource record set (RRset), or at several resource records. Through dynamic update you can add resource records, and you can delete resource records and whole resource record sets. Tests that a certain condition holds are possible (for example, that no record exists for fs2.nq.example.net). Some of these tests are prerequisites that must be satisfied before the update request may proceed; others are simple maintenance operations. Maintenance uses an update message that carries only tests and no update operations, which provides a way to query the DNS database to determine whether particular resource records or record sets exist. The DNS server informs the client of the outcome of the maintenance test or of the update operation. If the update contains operations and the necessary prerequisites are satisfied, the update is carried out by the DNS server. In that case the update is performed as a whole, in an all-or-nothing manner; that is, the update operation is atomic. The update message is not limited to a simple request to add or delete a single resource record: an update request can delete an entire resource record set. Update operations must be specified explicitly, because the use of wildcards is limited. RFC 2136 calls for a site-specific or standard policy governing the update process, but it does not define a set of mechanisms for it. RFC 2137 was the first definition of secure DNS dynamic update. The security of dynamic update continues to develop, and many of the standards-track RFC methods require support for public key mechanisms.
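As an added illustration, not code from the book, the following Python builds and parses RFC 2136 UPDATE messages of the kinds just described: a prerequisite that no A record exists for fs2.nq.example.net followed by an ADD, a whole-RRset delete, and an assertion-only message (prerequisites with no update section) of the sort a Windows 2000 client sends first, as the next section explains. The zone nq.example.net, the TTL and the address 192.0.2.10 are constructed sample values; the code uses no DNS library and sends nothing on the network.

```python
import struct

# RFC 2136 opcode and the pseudo-classes it uses in the prerequisite/update sections
OPCODE_UPDATE = 5
TYPE_A, TYPE_SOA = 1, 6
CLASS_IN, CLASS_NONE, CLASS_ANY = 1, 254, 255


def encode_name(name):
    """Encode a dotted name in uncompressed wire format (length byte + label, 0 terminator)."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def rr(name, rtype, rclass, ttl, rdata):
    """One resource record: NAME, TYPE, CLASS, TTL, RDLENGTH, RDATA."""
    return encode_name(name) + struct.pack("!HHIH", rtype, rclass, ttl, len(rdata)) + rdata


# Prerequisites (RFC 2136 section 2.4): TTL is always 0
def prereq_rrset_absent(name, rtype):
    """'RRset does not exist': CLASS=NONE, empty RDATA."""
    return rr(name, rtype, CLASS_NONE, 0, b"")


def prereq_rrset_is(name, rtype, rdata):
    """'RRset exists with exactly this value': zone class, RDATA supplied (value-dependent)."""
    return rr(name, rtype, CLASS_IN, 0, rdata)


# Update operations (RFC 2136 section 2.5)
def update_add_a(name, ttl, ipv4):
    return rr(name, TYPE_A, CLASS_IN, ttl, bytes(int(o) for o in ipv4.split(".")))


def update_delete_rrset(name, rtype):
    """Delete a whole RRset: CLASS=ANY, TTL=0, empty RDATA."""
    return rr(name, rtype, CLASS_ANY, 0, b"")


def build_update(msg_id, zone, prereqs=(), updates=()):
    """Header (opcode 5) + zone section (one SOA entry) + prerequisite + update sections."""
    flags = OPCODE_UPDATE << 11
    header = struct.pack("!HHHHHH", msg_id, flags, 1, len(prereqs), len(updates), 0)
    zone_section = encode_name(zone) + struct.pack("!HH", TYPE_SOA, CLASS_IN)
    return header + zone_section + b"".join(prereqs) + b"".join(updates)


def decode_name(buf, pos):
    labels = []
    while buf[pos] != 0:
        n = buf[pos]
        labels.append(buf[pos + 1:pos + 1 + n].decode("ascii"))
        pos += 1 + n
    return ".".join(labels) + ".", pos + 1


def parse_update(buf):
    """Parse a message built above (no name compression is used, so none is handled)."""
    msg_id, flags, zocount, prcount, upcount, _adcount = struct.unpack("!HHHHHH", buf[:12])
    if zocount != 1:
        raise ValueError("an UPDATE must carry exactly one zone")
    zone, pos = decode_name(buf, 12)
    pos += 4  # skip ZTYPE and ZCLASS
    sections = {"prerequisite": [], "update": []}
    for sec, count in (("prerequisite", prcount), ("update", upcount)):
        for _ in range(count):
            name, pos = decode_name(buf, pos)
            rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", buf[pos:pos + 10])
            pos += 10
            sections[sec].append((name, rtype, rclass, ttl, buf[pos:pos + rdlen]))
            pos += rdlen
    return {"id": msg_id, "opcode": (flags >> 11) & 0xF, "zone": zone, **sections}


def registration_messages(host, zone, ipv4, ttl=1200):
    """The two messages a cautious client sends: an assertion-only probe that its A record
    is already correct (no update section), and, if that fails, a conditional ADD that
    requires the name to be unused so it cannot silently overwrite another host."""
    rdata = bytes(int(o) for o in ipv4.split("."))
    probe = build_update(1, zone, prereqs=[prereq_rrset_is(host, TYPE_A, rdata)])
    add = build_update(2, zone, prereqs=[prereq_rrset_absent(host, TYPE_A)],
                       updates=[update_add_a(host, ttl, ipv4)])
    return probe, add
```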
In the initial version of Windows 2000 a security method based on Kerberos is implemented (see the section on the secure dynamic DNS procedure later in this chapter).

7.1.2 The Windows 2000 Client

As a user of dynamic DNS, the Windows 2000 client goes directly to the primary DNS server for its updates. It can do this because any change to zone data must be performed on the SOA server. In the first release of Windows 2000 the default client configuration for dynamic DNS update is to try to refresh its DNS entries every 24 hours. Later chapters make clearer that unnecessary updates bring unnecessary overhead throughout the system, so Windows 2000 clients do no more than they are told. When they register, they first send an update that contains only assertions; that is, it tests whether what DNS already knows is correct from the client's point of view. If so, no update is needed. If the client does need to update, and the zone is Active Directory integrated, it will try any other primary servers after the registration fails. If the client still fails, the update process is retried after 5 minutes, then after a further 10 minutes. If it is still unsuccessful, it waits 50 minutes before trying again. Once a Windows 2000 machine has been configured for dynamic DNS update, it will tirelessly make itself known.

Part II Using the Windows 2000 DNS Server

Chapter 15 discusses the ability of the Windows 2000 DHCP (Dynamic Host Configuration Protocol) server to register on behalf of clients. It can be configured in several ways, but the default is that the Windows 2000 client handles its A record and the DHCP server handles the PTR record. The Windows NT DHCP server does not have this ability. DHCP can be configured to register both record types, and it can also perform this registration for clients that are not Windows 2000. All of this has to be reconciled with the security measures and the registration cleanup discussed in later chapters.

7.1.3 Questions

Since dynamic DNS can free DNS administrators from the heavy labor of maintaining zone files, and has been an RFC since April 1997, why is it so rarely used? Or, what do you need to know before using dynamic DNS?

1. Security. The answer to the first question, in a word: security. If anyone can register, the difference between spoofing and outright hijacking almost disappears; think of someone registering www.example.net or, worse, the name server ns.example.net. If there is no control over which machine is allowed to update which record, DNS becomes like an extreme sport: only for the brave. Microsoft has implemented protection of the dynamic update process through the integration of zones with Active Directory. That integration is the next major topic of this chapter.

2. Service advertisement. In your zones you will notice new SRV service records beginning to appear. Active Directory relies on SRV records to locate the services it needs. It is expected that in future, for example, _http._tcp and _ftp._tcp will be advertised with SRV records. This may be a problem for your environment.
So make sure, before the big Windows 2000 ship sails, that your DNS is fully ready to carry its full load of SRV records.

3. Zone cleanup. Another aspect of secure updates is update conflicts and zone cleanup. If a delete operation that ought to be allowed is rejected, the record becomes orphaned. For example: if a client registers a record and then disappears, and after a while the security mechanism refuses to let anyone else remove it, who cleans up these records? Or suppose the DNS server refuses an update for a name that is already in use in the zone, or for its IP address; then consider a DHCP client trying to register its existing name, or other machines that resolve to that IP address. These are just two examples of the problems caused by stale records. Without security on the update process these problems would disappear: when the client tried to update it would succeed, and the client could perform queries and updates to eliminate potential conflicts and old records, ensuring the update is carried out correctly. A notable choice offered by DNS, then, is to gain security at the cost of cleanup. The problem is that stale records become an obstacle to the availability of whole machines. In the default operation of Windows 2000 only DNS administrators are allowed to delete such a record. So if the client that registered a record abandons it, the record stays in the DNS database until some other operation removes it. One motivation for registration through the DHCP protocol is precisely this: the cleanup of old records can be moved to the more stable DHCP server. Do not forget that clients can change, and often do.
7.1.4 Service Impacts

The use of dynamic DNS also brings new influences on zone behavior, and with them new ways of getting work done. For example, the registration of DNS records by DHCP provides a standards-based replacement for the earlier WINS integration. Likewise, when dynamic DNS is combined with the SRV record type it provides a service advertisement capability that, on Windows systems, was previously available only through NetBIOS names. A dynamic zone is a zone that is (at least potentially) constantly changing. This not only puts demands on the zone transfer mechanism but also brings some new problems. How does a zone transfer deliver a consistent copy of the zone? How does a DNS administrator edit a zone file and reload it when there is no reliable version serial number? You may say: "Why would you want to edit by hand? Dynamic DNS has freed us from all that." Yes. But what about the static part of the zone? Windows 2000 tries to consider these issues in advance. The DNS server locks the zone during a transfer to prevent changes; however, the first line of defense for transfers is the use of incremental transfers (IXFR). Second, full transfers are designed to be as quick as possible in proportion to the size of the zone (because of the lock). The DNS server's change log has a certain "depth", so an IXFR request whose incremental changes exceed the changes recorded in the log results in a full AXFR transfer. Active Directory integrated zones avoid this potential problem between primary servers, but not when transferring to secondary servers. For a new DNS administrator the first thing to do is to learn the new tools provided by Windows 2000, and in particular to become familiar with dnscmd.exe (see Chapters 12 and 13). The DNS object in System Monitor contains many new counters worth looking at (see Chapter 11); these counters let you keep track of the dynamic update feature. In the DNS management interface, when you are willing to spend some overhead, the logging feature can be turned on for a while to work through questions of detail.

7.2 DNS Record Cleanup (Aging and Scavenging)

Windows 2000 provides a feature to deal with the tendency of dynamic zones to get worse and worse. Without Active Directory integration, Windows 2000 has no ability to secure dynamic DNS updates. Active Directory integration brings secure updates, but it also makes cleanup necessary; later sections of this chapter discuss this. This section looks at the cleanup feature used to control the consequences. The Windows 2000 cleanup strategy is not so easy to understand; in fact it is perhaps the feature most in need of being understood before it is used. Before enabling scavenging, it is wise to gain a certain understanding of its behavior and of its effect in your particular server configuration.

7.2.1 The Cleanup Function

The cleanup function removes old records according to the configured intervals, whether the records are dynamic or static. If a record is considered old by the rules, it is deleted regardless of whether it is still needed. So before it deletes, make sure you have done what you need to do: deleting a required record obviously brings trouble. Once a record has been deleted, dynamic update lets any machine register a record in its place. The cleanup function deletes non-current records, "current" being determined by the time since they were last refreshed. In a dynamic DNS update request, if the resource record data being updated is identical to what is stored, the record is refreshed. This means that resource records of static type will be removed by the cleanup function because they are never refreshed. As mentioned earlier, Windows 2000 systems with dynamic DNS update enabled are configured to update their resource records every 24 hours. When scavenging is not enabled, records added to a standard zone carry no timestamp. As a result, these records cannot be scavenged even after the zone has been moved into Active Directory storage and scavenging enabled. The dnscmd.exe tool provides a way to add timestamps to these records.

7.2.2 When and How Cleanup Runs

Cleanup uses several time interval parameters. At the server level there are two, each with a default of seven days. Note that seven days is also the default lease period of the DHCP protocol, which is no coincidence. At the zone level there are the same two intervals, and the server-level values are the defaults applied to each zone. The server-level settings are reached from the server's context menu or from the "Action" menu. For a zone, the "Aging" button on the "General" tab of the zone's properties is used. Chapter 11 discusses where these menus and options are found. Figure 7-1 shows the zone-level "Aging/Scavenging" properties dialog box. The server-level dialog is named the server "Aging/Scavenging" properties and is the same as the zone dialog except that it has no zone scavenging date/time.

Figure 7-1 Scavenging settings in the zone Properties dialog

The time intervals are as follows:

• No-refresh interval. This sets the period during which a refresh request for a resource record is rejected. The record may still be updated, but an update that changes nothing, that is, a refresh, is not allowed. This restriction has the same effect as a rate limiter: it avoids useless repetition of zone data (and its replication) and makes it possible to reduce overhead without relying on the behavior of clients.
Reducing this value increases churn in the zone and the overhead of repeated directory replication.
• Refresh interval. The length of time, beginning when the no-refresh interval ends, during which a record may be refreshed but may not be scavenged. A record whose timestamp shows it to be "older" than the no-refresh interval may be refreshed at any time. If its timestamp shows it to be older than the two intervals combined, it may also be scavenged. When a record is refreshed or changed, it gets a new timestamp. In a zone with scavenging enabled, this applies not only to records created by dynamic update but also to records created manually. Although the Microsoft documentation speaks of a timestamp of zero being used, the effect is as if no timestamp were used at all: the scavenging algorithm does not touch records with a zero timestamp. Nevertheless, the record's properties still have a "Delete this record when it becomes stale" check box that enables scavenging for it.

Scavenging is allowed to begin only after a grace period, which is a supplement to the two intervals. Before scavenging begins, the zone must have continuously supported dynamic updates for a period equal to the refresh interval. This ensures that clients have had sufficient opportunity to refresh their records before any record is scavenged. Scavenging can be started from the "Advanced" tab of the server properties (see Figure 11-4), or from the server's context menu. If it is enabled at the server level, scavenging starts at some point after the grace period. Scavenging takes place on primary zones that have both scavenging and dynamic update enabled. In such zones, records with a non-zero timestamp showing them to be "old", that is, not refreshed recently (within the two intervals), may be scavenged.

7.3 Active Directory Integrated DNS Zones

Listening to the cheers of the marketing department could lead a person to believe that Active Directory is the cure for all ills. That may sound exaggerated, but it has brought one thing in a very timely manner: the Windows 2000 strategy for secure dynamic updates. The secure DNS dynamic update specification (RFC 2137) was introduced together with the dynamic update specification, but research continues, and new efforts are clarifying how public key cryptography is to be used for DNS. In any case, Microsoft has chosen a technology to secure dynamic DNS that fits the design work done for Active Directory. See Appendix B, "RFCs Related to DNS", which also lists some of the drafts.
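Before moving on to directory integration, the aging rules of Section 7.2.2 as an added example, not code from the book: a small model of the no-refresh interval, the refresh interval, the zero-timestamp (static) exception, and the requirement that a zone has supported dynamic updates for a full refresh interval before anything is scavenged. Record names, addresses and dates are constructed sample values, and the treatment of an identical update to a static record (left untouched) is an assumption of the model.

```python
from datetime import datetime, timedelta

DEFAULT_INTERVAL = timedelta(days=7)  # server-level default for both intervals

NO_REFRESH = "inside no-refresh interval: refresh rejected"
REFRESHABLE = "past no-refresh interval: may be refreshed, not scavenged"
STALE = "past no-refresh + refresh: eligible for scavenging"
STATIC = "zero timestamp: never scavenged"


class Record:
    """A resource record with its aging timestamp; None stands for the 'zero' timestamp."""
    def __init__(self, name, rdata, timestamp=None):
        self.name, self.rdata, self.timestamp = name, rdata, timestamp


def classify(rec, now, no_refresh=DEFAULT_INTERVAL, refresh=DEFAULT_INTERVAL):
    """Which phase of its aging a record is in at time `now`."""
    if rec.timestamp is None:
        return STATIC
    age = now - rec.timestamp
    if age < no_refresh:
        return NO_REFRESH
    if age < no_refresh + refresh:
        return REFRESHABLE
    return STALE


def dynamic_update(rec, rdata, now, no_refresh=DEFAULT_INTERVAL, refresh=DEFAULT_INTERVAL):
    """Apply a client's update. Identical data is a refresh, which is rejected inside the
    no-refresh interval; changed data is always written and re-stamped. A static record
    with identical data is left as it is (assumption). Returns True if anything changed."""
    if rdata == rec.rdata:
        if classify(rec, now, no_refresh, refresh) in (NO_REFRESH, STATIC):
            return False
    else:
        rec.rdata = rdata
    rec.timestamp = now
    return True


def scavenge(zone, now, updates_enabled_since, no_refresh=DEFAULT_INTERVAL, refresh=DEFAULT_INTERVAL):
    """Remove stale records, but only once the zone has supported dynamic updates for a
    full refresh interval, so every client has had a chance to refresh. Returns removed names."""
    if now - updates_enabled_since < refresh:
        return []
    stale = [r for r in zone if classify(r, now, no_refresh, refresh) == STALE]
    zone[:] = [r for r in zone if r not in stale]
    return [r.name for r in stale]
```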
Those drafts detail the steps of an early GSS-API (RFC 2078) based approach. As will be shown, Active Directory integration of zone data not only offers security, along with the cleanup problems discussed in the previous section, but also, in the bargain, a deeper set of trade-offs.

7.3.1 Integration

From the point of view of the work involved, integrating zone data into Active Directory is very simple: the zone data is simply transferred into the directory.

Figure 7-2 Zone data listed in Active Directory

Everything in the zone becomes an object, and these objects must be organized so that the directory can be used. After the zone is integrated, it is visible to administrators, in read-only mode (apart from the writable security descriptor), in the "Active Directory Users and Computers" console (the "Advanced" view must be enabled). The resource records are listed under the "Microsoft DNS" node of the console (shown in Figure 7-2). To achieve integration, only a switch in the server's properties needs to be clicked; this switch is shown in Figure 11-4, and Chapter 11 briefly discusses the change from file storage to Active Directory storage. Use the "Change" button on the "General" tab of the zone's Properties to change the storage mode of a primary zone (see Figure 11-7). The first primary zone changed to Active Directory storage triggers a change in the server properties. Nobody other than administrators can change the storage mode.

7.3.2 Enabled Features

Once zone data is stored as directory objects there are some immediate consequences. Some arise directly from the persistent storage characteristics of Active Directory, such as security attributes; others result from the data now existing in a form that the supporting services of Active Directory can use, such as replication. This discussion briefly reviews these two "supporting" features, and leads into a relatively long and complex explanation of the security of zone data, including dynamic update security and its default settings.

7.3.3 Replication

Active Directory uses a multi-master design for most of its responsibilities: any DC in the same domain is completely equal to any other.
Because each DC may be some distance from the others, latency is inherent in propagating a change to the zone data to the corresponding objects in the directory. Within a site, the default installation limits the delay to 15 minutes; between sites, the delay is usually a function of the site links. This latency means that two updates on different DCs may conflict, because updates are not serialized in a distributed environment: each DC believes its own data to be current, and the replication technology supports this multi-master design. Replication uses a "last writer wins" algorithm combined with a merge strategy for conflict resolution. In essence it is a tightly connected system: the DCs in the system are not always equal, but in many cases they appear to be exact clones of one another, which brings that tight connection. However, because of the independent changes and the replication algorithm, the content of Active Directory converges only eventually, and any particular change may be rolled back, so it is also a loosely coupled system. Anything stored in Active Directory is automatically replicated by this technology to all DCs in the domain. Thus, just as with standard zone transfers, there is a period in an Active Directory integrated zone during which two different DNS servers authoritative for the same zone may give different answers to a query.

7.3.4 Multiple Master Servers

Because all zone data is simply content of Active Directory (replicated to every DC), it is natural for the DNS server on any DC to change it. The result is that when zone data is integrated into Active Directory, DNS also runs in multi-master mode. One zone may exist on several equal primary DNS servers, one on each DC (because only a DC holds Active Directory). Standard secondary servers are still possible, but there are now multiple primaries. Of course, among these primary servers, by some rule, one is designated as "the" primary server. For example, how does anyone know which is the primary server? Or, when scavenging, if all the DNS servers deleted old records it would be silly and wasteful (unless they share the task), so which server deletes first and propagates the deletion to the others? Some issues like these are less mature than the available information; others, such as who initiates scavenging, are managed through settings in the registry. It can be said that using Active Directory storage for DNS produces multiple masters. The main result is to eliminate the vulnerability of the standard DNS architecture, in which the primary server is a single point of failure. If secondary servers are configured with multiple master servers, the DNS services on all the DCs in the domain continue to supply zone data to them. A more far-reaching benefit is that dynamic updates to a DNS server in the domain no longer need to be forwarded to a single, sometimes distant, primary.

7.3.5 Security Issues

Before getting into this topic: unless a DNS zone is Active Directory integrated, Windows 2000 provides no security for dynamic updates. Generally speaking, the security of dynamic DNS updates is a fairly complicated matter in any environment, and the same is true of implementing and using the secure dynamic update capability of Windows 2000. The goal is to control who, or which machine, is allowed to register with DNS and to modify or delete existing registrations.

7.3.6 The Secure Dynamic DNS Procedure

The Windows 2000 client uses a protocol to establish a security context with the DNS server, and the DNS server uses this security context when it attempts to write to the DNS database. The client establishes the context using TKEY. The TKEY exchange attempts to use Kerberos as the security provider. If that succeeds, TSIG is then used to send signed update requests to the DNS server, and the signed responses back to the client.
The DNS server performs the update over LDAP on the basis of the established security context. Windows 2000 clients can be configured to always try unsecured updates, to always try secured updates, or to try an unsecured update first and then a secured update if necessary. The last is the default configuration, and in it a dynamic update logically follows these steps:

1) The client attempts an unsecured update.
2) If that is unsuccessful, the client negotiates a security method.
3) Having agreed on Kerberos, the client establishes its credentials with the DNS server.
4) The client requests the update using these credentials.
5) The DNS server impersonates the client, using these credentials to establish an LDAP session.
6) The DNS server uses the LDAP method to attempt the requested update of the DNS data.

TSIG and TKEY are found in RFCs, but also refer to "draft-skwan-gss-tsig-0.txt"; RFC 2078 shows how they are related, and RFC 2535 shows how they differ. Appendix B provides references for the RFCs. The details are more complicated, including the update request and the return of the authorization result. The interesting point is that Kerberos is used as the security provider, and the DNS server updates Active Directory using the usual LDAP method. The DNS server acts as an LDAP client to perform the update, which lets the existing Active Directory security mechanisms apply with the security appropriate to the client. Because Windows clients expect to use this secure dynamic update method, they can only negotiate secure dynamic DNS updates with the Windows 2000 DNS Server. If you use other DNS services to support Windows 2000, it is very likely that you will not get DNS servers that support this secure update method. The initial release of Windows 2000 does not provide client configuration for methods compatible with RFC 2137 and RFC 2535. Dynamic DNS without the Windows 2000 DNS server means, for the time being, that the updates themselves cannot be secured, although techniques such as IPSEC communications can be used to secure them.

7.3.7 Security Settings at the Access Control Layer

For DNS administration, the real issue in using secure updates with Windows 2000 DNS is the success or failure of the LDAP operation on a DNS record. It is important to understand how Windows security permissions and ownership work in the standard way, because they govern the success or failure of updates. With an understanding of the default settings of zones and zone data, and of how those defaults can be adjusted, dynamic update can be made to work outside the default configuration. This section tries to keep the matter as simple as possible, and assumes some background: a general understanding of Windows security concepts, including a rough understanding of access control lists and ownership. The default, out-of-the-box configuration lets any member of the Authenticated Users group create records, such as A or PTR records, in any zone. Once a record exists, it can be read by any member of the "Everyone" group, but it can be changed only by its creator, by administrators of various kinds, or by the system itself. In many cases this "creator only" restriction on changing and deleting, which the directory provides, is desirable behavior, but it also brings problems and generates stale records.
Figure 7-3 shows the default security settings of an integrated zone. Note that Figure 7-3 shows a zone, not a resource record. The "Everyone" group is highlighted, indicating that it has been granted special permissions, and the "Authenticated Users" group directly above it is shown as allowed to create all child objects (that is, resource records). The permissions assigned to the "Everyone" group apply to the zone itself and include the right to list it. Figure 7-4 shows the same zone, using the DNS server management console instead of the Active Directory Users and Computers console of Figure 7-3. In Figure 7-4 the editor has been opened on the security settings assigned to the "Everyone" group to show the details. These details are available from either management interface. Before going deeper, notice the group named "DNS Admins" in Figure 7-3, which is preconfigured in Active Directory. By making an ordinary user a member of this group, an administrator grants that user the permissions of a DNS administrator, as you might guess. A member of "DNS Admins" has enough rights to configure DNS on every DNS server running on a domain controller, but has no administrative rights over other features unless those are granted separately through other groups. So the statement in the previous paragraph amounts to this: any client that can negotiate with DNS as an authenticated user (a member of Authenticated Users) can create records. When an unsecured update is negotiated, the DNS server supplies the context for the update itself. Figure 7-5 shows the security settings of an A record created with the defaults. The "Everyone" group is granted "Read" permission. Looking a little deeper, as in Figure 7-4, you find the same "Read" permission granted, but in this case for a resource record.
As seen above, authenticated users can create objects in the zone. The kind of object they can create is restricted, but how the creation is performed is not.

If a user employs a direct LDAP method as an authenticated user, there seems to be no need to involve the DNS server at all; in other words, any legitimate user in the domain can create records, and can even create them directly in the directory.

Figure 7-3 Advanced ACL security settings in the Active Directory

Figure 7-4 Security settings for Everyone in the zone

To change the permissions for creating records, the inherited permissions of the directory container and of the zone can be changed. In practice the situation is quite complicated: the schema class (prototype) of the object type being created also carries permissions, and those permissions are applied when a new record is created. Whether for a zone or for a resource record, in the out-of-the-box settings the schema classes dnsZone and dnsNode supply the permissions applied to newly created zones and resource records. Figure 7-6 shows the default security descriptor of the dnsNode class used for resource records. The dnsZone class is similar, and it too grants Authenticated Users the right to create child objects. Looking further at Figure 7-4 (a resource record), we find that the Read permission of Everyone is exactly the same as in Figure 7-3. This is to be expected, because the content in Figure 7-4 comes from Figure 7-3; yet it is not inherited from the zone ACL, and most changes to the zone ACL will not affect the Read permission of new resource records in the zone.

Figure 7-5 Security settings of an A record

So what has happened so far? A protocol defines the security context the DNS server uses when performing a dynamic update. Any authenticated user can create a new record. Members of the Everyone group can read a record and list a zone. Once a record is created, it can be changed only by an administrator, by SYSTEM, or by the account that created it. Changing permissions on the containing zone or on the dnsNode schema object may change the default permissions of newly created resource records. Finally, consider how the security ACL of a new record produced by dynamic DNS is determined. Any new Active Directory object created without an explicitly supplied ACL receives an ACL made up of the permissions inherited from its container and the permissions in the default security descriptor of its schema class (prototype), unless at least one specified inheritable permission applies to it. When such a specified permission is present on the container, the prototype's permissions are not used. Therefore, when a new record is created and nothing suppresses the prototype permissions, it receives the dnsNode permissions plus any inheritable permissions available on the zone in which it is created. Now consider how specified permissions replace the prototype permissions: if the container carries any inheritable permission specified for the object type being created, the default security descriptor of that prototype is not applied to the new object, and the new object receives only the inheritable permissions obtained from the container.
Therefore, if the zone has inheritable permissions that apply to resource records (objects of the dnsNode class), new resource records in the zone receive only the permissions inherited from the zone. The Active Directory Programmer's Guide in the current MSDN from Microsoft documents the method for overriding the default security of an Active Directory object. However, because the initial release of Windows 2000 lacks the key prerequisite in the administrator interfaces, the default security from dnsNode and dnsZone is not suppressed: no specified permissions are supplied for zone or resource record objects. If there is any prototype security you want to avoid, in whole or in part, you have to take care of it yourself. Here is one preventive action: after a zone is created, change its permissions so that the default security descriptor of the dnsNode prototype is not added to new resource records. This may or may not be what you want. Without the prototype's default security, you must make sure that the zone carries inheritable permissions supplying the desired portion of the (now disabled) prototype defaults. As can be seen, the permissions on the zone control the security of the new objects it contains (resource records), and this must be done carefully. There are two aspects to consider: the inheritable permissions of the zone and the default permissions from the prototype (dnsNode). Not mentioned so far is that changing the security of the dnsNode prototype affects the behaviour of every domain in the Active Directory (for example, if the Read permission of Everyone is considered too broad). Beyond making the change, you must also understand why Everyone is given this permission and why it is still difficult to override it to some extent. If the directory-wide effect is acceptable, changing the dnsNode permissions is the simplest way to make such a change. However, nothing at the schema level should be changed lightly.

Figure 7-6 The default security of new resource records

After a zone is created, adding permissions that allow any child object to be created changes the permissions of resource records subsequently created in the zone, because the dnsZone and dnsNode classes grant the Everyone group and the Authenticated Users group, respectively, the right to read zone data and the right to create records. As noted before, nothing is actually added to the permissions. A change to the prototype security therefore implies that the out-of-the-box settings are not suited to your environment, which in turn means changing the schema permissions as well as the permissions for the expected portion of the prototype or zone. Some experimentation makes this easier to understand.
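The following is an added example, not code from the book or from Windows: a small Python model of the rule just described, which lets you run the experiment the text suggests. It assumes the rule exactly as stated above (inheritable ACEs on the zone that apply to dnsNode suppress the prototype defaults entirely), uses the group, class and permission names from the page, and constructs its own zone and record objects; the account names HOST1$, alice and bob and the simplified default ACLs are assumptions.

```python
"""Model of the rule the chapter describes for the DACL of a new dnsNode object.

Added example; it is not Windows code. The rule as stated in the text: a new
object takes the inheritable ACEs of its container that apply to its class; only
when the container supplies none does the schema class (prototype) default
security descriptor apply. The zone and record objects below are constructed."""
from dataclasses import dataclass, field
from typing import FrozenSet, Iterable, List, Optional, Set


@dataclass(frozen=True)
class Ace:
    trustee: str                      # group or account the ACE applies to
    rights: FrozenSet[str]            # e.g. {"Read"}, {"Create Child"}, {"Full Control"}
    inherit_to: Optional[str] = None  # object class this ACE is inheritable to, or None


def ace(trustee: str, *rights: str, inherit_to: Optional[str] = None) -> Ace:
    return Ace(trustee, frozenset(rights), inherit_to)


@dataclass
class SecurityDescriptor:
    owner: str
    dacl: List[Ace] = field(default_factory=list)


# Simplified out-of-the-box prototype defaults as the text describes them:
# Everyone reads, Authenticated Users create records, administrators and
# SYSTEM may change anything (assumed shape, not the real descriptors).
SCHEMA_DEFAULTS = {
    "dnsZone": [ace("Everyone", "Read", "List Contents"),
                ace("Authenticated Users", "Create Child"),
                ace("Administrators", "Full Control"),
                ace("SYSTEM", "Full Control")],
    "dnsNode": [ace("Everyone", "Read"),
                ace("Administrators", "Full Control"),
                ace("SYSTEM", "Full Control")],
}


def build_new_object_sd(creator: str, obj_class: str,
                        container: SecurityDescriptor) -> SecurityDescriptor:
    """Compose the DACL of a new object created without an explicit ACL."""
    inherited = [Ace(a.trustee, a.rights)
                 for a in container.dacl if a.inherit_to == obj_class]
    # Any inheritable ACE for this class on the container suppresses the
    # prototype defaults entirely; nothing is merged.
    dacl = inherited if inherited else list(SCHEMA_DEFAULTS[obj_class])
    return SecurityDescriptor(owner=creator, dacl=dacl)


def rights_of(sd: SecurityDescriptor, principal: str, groups: Iterable[str]) -> Set[str]:
    identities = {principal, *groups}
    rights: Set[str] = set()
    for a in sd.dacl:
        if a.trustee in identities:
            rights |= a.rights
    if sd.owner == principal:            # the creating account may always change its record
        rights.add("Full Control")
    return rights


def can_read(sd: SecurityDescriptor, principal: str, groups: Iterable[str]) -> bool:
    return bool({"Read", "Full Control"} & rights_of(sd, principal, groups))


def can_modify(sd: SecurityDescriptor, principal: str, groups: Iterable[str]) -> bool:
    return "Full Control" in rights_of(sd, principal, groups)


def new_record_in_zone(zone_extra_aces: Iterable[Ace] = ()) -> SecurityDescriptor:
    """A record registered by the constructed machine account HOST1$ in a zone
    that carries the dnsZone defaults plus the given extra (inheritable) ACEs."""
    zone = SecurityDescriptor(owner="Administrators",
                              dacl=list(SCHEMA_DEFAULTS["dnsZone"]) + list(zone_extra_aces))
    return build_new_object_sd("HOST1$", "dnsNode", zone)


if __name__ == "__main__":
    rec = new_record_in_zone()
    print("default record, Everyone reads:", can_read(rec, "anyone", {"Everyone"}))
    # One inheritable ACE for dnsNode switches the prototype defaults off, so
    # administrators lose Full Control on new records unless the zone also
    # carries an inheritable ACE granting it.
    narrowed = new_record_in_zone([ace("Domain Users", "Read", inherit_to="dnsNode")])
    print("narrowed, admins can modify:", can_modify(narrowed, "alice", {"Administrators"}))
    fixed = new_record_in_zone([ace("Domain Users", "Read", inherit_to="dnsNode"),
                                ace("Administrators", "Full Control", inherit_to="dnsNode")])
    print("fixed, admins can modify:", can_modify(fixed, "alice", {"Administrators"}))
```

The `narrowed` case is the caveat the text raises: adding a single inheritable ACE to the zone to remove Everyone's Read also drops every other prototype default from new records, so the zone must carry the rest of the desired permissions as inheritable ACEs too.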
If Microsoft, or a third party by extension, could apply specified permissions for qualified resource records to the zone, none of this would be an issue. From the beta versions of Windows 2000 to the final release, the method of applying the default security descriptor of the schema class has been in use. In the gold code, however, something seems to have changed without being documented; for example, some of the previously optional object classes no longer apply. Because security is a big issue and the complexity is not small, Microsoft is likely to provide corrections and clarifications as Windows 2000 network environments are deployed, and better information from Microsoft on how to change the security of zone data is needed. At the moment of going to print, the prototype defaults need sorting out: change the prototype defaults to the least permissive set, and add anything beyond that minimum to the zone. Inheritable permissions are the means of doing so. Schema classes are changed with the Active Directory Schema management console (SCHMMGMT.MSC); zone changes can be made through the Active Directory Users and Computers console (DSA.MSC) or the DNS server management console (DNSMGMT.MSC).

Now look at another aspect of DNS data security: auditing. Figure 7-7 shows the default audit settings for records created in a zone.

Figure 7-7 Audit ACL of a record

The check boxes in the audit ACL of a record indicate which actions trigger an audit entry. They are displayed greyed out because these settings are inherited from a higher level. When auditing is enabled, these settings cause every access to the record other than a read to be written to an audit record. Returning to Figure 7-4, you may notice that the Read permission of Everyone is displayed. This is because the permissions originating from dnsZone are applied directly to resource records. It indicates that if you want to change permissions granted in this way, it is best to change the controlling settings before any objects are created. Once the objects exist, changing these permissions requires visiting each resource record object separately.

7.3.8 DHCP and the DnsUpdateProxy Group

To reduce complexity, Microsoft mapped out a path that uses a pre-configured DHCP service. Instead of clients owning their resource records and behaving independently, DHCP performs the registration. Thus DHCP is the owner and can modify and remove the resource records. This is fine, but some small problems remain. With the default DHCP behaviour, a Windows 2000 client ends up owning its A record and DHCP owns the PTR record for the client's IP address. This is quite reasonable, because the client has the name and DHCP has the IP address.
If the client changes its name or rejoins the domain, it abandons its A record in the zone. For non-Windows 2000 clients, DHCP may register both the name and the IP address and so own both records, which raises a problem when multiple DHCP servers are configured to share a subnet: only one server can change the A record, and any of them may own it (note that each server usually has a unique IP pool, so the PTR record does not have this problem). To address these issues, Windows 2000 pre-defines a special group, the DnsUpdateProxy group. When a machine that is a member of this group creates a new DNS record, the record has slightly different semantics from the records discussed so far: the creator does not automatically become the owner. Instead, the account that first successfully updates or refreshes a record created by a DnsUpdateProxy member becomes its owner. Although this attempts to solve some problems, it creates another. The important point is that it is a machine, such as one running the DHCP service, that becomes a member of the group, so all records the machine registers dynamically acquire the new semantics. Whether the machine registers a record through DHCP or as a client for itself, the new semantics apply. This is no small matter when the machine is, for example, a domain controller, which performs many dynamic updates (see the next section). The DnsUpdateProxy group is meant to have DHCP servers as members, allowing them to register records on behalf of clients and allowing the clients to acquire ownership of those records when they attempt to update them. Any record dynamically registered by the machine running DHCP, including its own records and, if it is a domain controller, the records created by Netlogon, is stripped of ownership while the machine is a DnsUpdateProxy member. The solution, of course, is not to use such a machine as a domain controller, and to enter the DnsUpdateProxy members' own DNS entries manually.

7.3.9 DNS Security Summary

This chapter has covered some basic knowledge. Active Directory integration allows access to DNS data to be controlled and updated in a secure manner; without this integration, Windows 2000 provides no DNS security at all. Update protection is achieved with Microsoft's version of the method specified in RFC 2078, and today this method is unique to Microsoft. Windows 2000 clients would need to be extended to use third-party DNS servers, which implement security based on RFCs 2137 and 2535. The secure dynamic update process supports Kerberos as the security provider in Windows 2000. When the DNS server updates DNS data on behalf of a client, it uses the LDAP method, and DNS data stored in the Active Directory is subject to the usual ACL permission checks. The defaults give the Authenticated Users group the ability to create resource records and the Everyone group the ability to read the zone and its resource records. These privileges derive from the dnsZone and dnsNode schema objects, and in the initial release of Windows 2000 they can only be changed there, or on the resource records after they are created. Resource records are owned by the account that created them, unless that account is a member of the DnsUpdateProxy group; in that case the account that first successfully updates or refreshes the new record becomes its owner. For secure dynamic updates, Microsoft's initial framework is configured for Active Directory-integrated zones. It has good sides and bad sides. Before criticising harshly, consider first that this is pioneering work in the new territory of dynamic DNS. No other commercial operating system has travelled this far down the road of security and dynamic DNS, and that should be acknowledged. Most of the implementation has had to balance the product schedule, the necessary functionality, and complex RFC standards, some of which are now standardised and some not yet. The latest RFCs on DNS data security and update depend on a public-key mechanism being established, but Windows 2000 is already shipping. How dynamic DNS is used in Windows 2000 must be considered carefully.
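As an added illustration of the ownership rules summarised above (this is a model written for this page, not Windows code or anything from the book), the following Python models a zone with secure dynamic update: the creator owns a record, a record created by a DnsUpdateProxy member has no owner until the first non-member update claims it, and only the owner or an administrator may change an owned record. It covers both the intended DHCP case and the domain controller case from section 7.3.8. Account names (DHCP1$, CLIENT1$, DC1$, HOST7$), the zone corp.example and all addresses are constructed, and the administrative group set is an assumption.

```python
"""Model of the record ownership semantics the chapter describes for an
Active Directory-integrated zone with secure dynamic update.

Added example, not Windows code. Rules as stated in the text: a record's
creator owns it and only the owner (or an administrator) may change it; a
record created by a DnsUpdateProxy member has no owner, and the first account
that successfully updates or refreshes it becomes the owner. Names, accounts
and addresses are constructed."""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Set, Tuple

ADMIN_GROUPS = {"Administrators", "DnsAdmins", "SYSTEM"}   # assumed set of privileged groups


@dataclass
class Record:
    rtype: str
    data: str
    owner: Optional[str]   # None: created by a DnsUpdateProxy member and not yet claimed


class ZoneModel:
    def __init__(self, proxy_members: Iterable[str]):
        self.proxy_members: Set[str] = set(proxy_members)
        self.records: Dict[Tuple[str, str], Record] = {}

    def update(self, account: str, groups: Iterable[str],
               name: str, rtype: str, data: str) -> str:
        """Apply one dynamic update; returns 'created', 'updated', 'claimed' or 'refused'."""
        key = (name.lower(), rtype.upper())
        is_proxy = account in self.proxy_members
        rec = self.records.get(key)
        if rec is None:
            self.records[key] = Record(rtype.upper(), data, None if is_proxy else account)
            return "created"
        if rec.owner is None:
            rec.data = data
            if is_proxy:                 # proxy members never take ownership
                return "updated"
            rec.owner = account          # first non-proxy updater becomes the owner
            return "claimed"
        if rec.owner == account or ADMIN_GROUPS & set(groups):
            rec.data = data
            return "updated"
        return "refused"

    def unowned(self) -> List[str]:
        """Records still carrying proxy semantics; these are what an audit should review."""
        return sorted(f"{n} {t}" for (n, t), r in self.records.items() if r.owner is None)


def dhcp_scenario() -> Tuple[ZoneModel, str]:
    """Intended use: DHCP registers for a client, the client later claims the record."""
    z = ZoneModel(proxy_members={"DHCP1$"})
    z.update("DHCP1$", (), "client1.corp.example", "A", "10.0.0.21")           # created, no owner
    z.update("CLIENT1$", ("Authenticated Users",), "client1.corp.example", "A", "10.0.0.21")  # claimed
    other = z.update("CLIENT2$", ("Authenticated Users",), "client1.corp.example", "A", "10.0.0.99")
    return z, other                                                              # other == "refused"


def dc_in_proxy_group_scenario() -> Tuple[ZoneModel, str, str]:
    """The failure mode the text warns about: a DC in DnsUpdateProxy loses its own SRV records."""
    z = ZoneModel(proxy_members={"DC1$"})
    z.update("DC1$", (), "_ldap._tcp.corp.example", "SRV", "0 100 389 dc1.corp.example")
    first = z.update("HOST7$", ("Authenticated Users",), "_ldap._tcp.corp.example", "SRV",
                     "0 100 389 host7.corp.example")                            # any member claims it
    retry = z.update("DC1$", (), "_ldap._tcp.corp.example", "SRV", "0 100 389 dc1.corp.example")
    return z, first, retry                                                       # retry == "refused"


def risky_proxy_members(proxy_members: Iterable[str], domain_controllers: Iterable[str]) -> List[str]:
    """Configuration check: DnsUpdateProxy members that are also domain controllers."""
    return sorted(set(proxy_members) & set(domain_controllers))
```

`unowned()` and `risky_proxy_members()` are the two checks worth running against a real zone: records that never acquired an owner, and the group membership that causes Netlogon's registrations to be created that way.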
7.4 Active Directory Dependence on SRV Records

The Active Directory depends on the ability of clients and servers in the domain to locate key services, and DNS is the means by which most of this work is done. For example, when a domain member machine starts, it must communicate with a domain controller of its domain, and when the first domain controller it finds does not hold a global catalog, it must communicate with another domain controller. Or, to take another example, when a client requests a resource in a different domain of the Active Directory forest, a domain controller decides whether to accept or reject the client's request. When the resource is already located in the domain, for example when a client opens a shared folder in its own domain, DNS is not required. This location service is needed often, however, and in the Windows 2000 architecture DNS is used to perform it. To make these processes as efficient as possible, Windows 2000 maintains a fairly complex set of SRV and CNAME records. The Netlogon process on the domain controller is responsible for it: it establishes the records with dynamic updates and removes them when they are no longer valid.

7.4.1 Domain Locator Service

A Windows 2000 client can use three kinds of information about a domain when trying to find a domain controller: the domain name (in the initial version, the DNS domain name); a globally unique identifier (GUID), unique within the domain; and a site identifier. When trying to locate a DC (because most key services are on DCs), the client passes this information to the domain locator service. The Active Directory can be partitioned into sites, which represent the network topology. A single domain can exist in multiple sites, and a site may contain multiple domains, that is, machines from several domains may be in one site. When a service is sought, the site is used to speed up network communication between "local" machines.
The Windows 2000 domain locator can use all three kinds of information a client provides to obtain an IP address with as few queries as possible. If the client knows which site it is in and requests a particular service, such as LDAP in a specified domain, the first step may be to query the _ldap._tcp SRV record for the requested domain and site. If the locator already knows a DC in the domain, it can also send an LDAP query to that DC to verify the information before returning it to the client. The locator service relies on the knowledge of the domain held in the DNS database. As mentioned above, the Netlogon service on the DC establishes and maintains these registrations with dynamic updates. When dynamic update is disabled this becomes impossible, and keeping the lookup process working falls to some unlucky person. When the DC and site topology is static and known, however, this is not as fearsome a task as it looks.

7.4.2 Structure of the SRV Records

Netlogon registers records at many different levels. Figure 7-8 shows an expanded portion of this structure for a single small Active Directory domain with only one DC; in other words, the simplest case for explaining the matter. First, remember that in a large environment there will be multiple records with different IP addresses, or several registrations with the same IP address. When a client queries a particular name, all matching records are used to determine the returned IP address. In such an environment you will also see more entries for each domain, and a larger set of entries under the Active Directory root (forest root) domain. What Figure 7-8 shows gives the impression of a subdomain structure in the DNS server management console. In fact this structure is logically a hierarchy of SRV record names rather than subdomains created in the zone (see Figure 7-1).

Figure 7-8 A simple SRV record set maintained by Netlogon

Alongside one another are the records for the LDAP, GC, Kerberos and Kpasswd services. _ldap is used for the LDAP service, which in Windows 2000 is always on a DC. _gc is used for the global catalog service, which is also on a DC, but not on all of them. In Windows 2000 the Kerberos server and the Kerberos password change server are always on domain controllers. All records use the TCP protocol; the Kerberos-related services can also use UDP. This can be seen in the _tcp and _udp labels in the protocol part of the SRV record. Entries with a site qualifier in the name are partitioned according to their location in the Active Directory topology, because a DC designated for a particular site is not necessarily physically in that site; it is merely defined as a member of the site in the Active Directory site topology. When a site has no local provider for a particular service, Netlogon registers the domain controller it considers most suitable, and members of that site should try its services first. Netlogon bases this decision on the site topology, not on DNS, and this book does not cover it. It is important to remember that when Netlogon can use dynamic DNS updates to adjust the SRV records, the Active Directory functions more optimally. The structure is detailed further by a set of records under _msdcs that describe the available services. One service in particular must be singled out: the DC designated as the PDC of the domain, which serves down-level clients such as NT 4 as the PDC emulator. There is one such entry for each domain.
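The following is an added example, written for this page rather than taken from the book or from Microsoft: a Python parser for a Netlogon.dns-style record list that checks the SRV and CNAME owner names against the set Netlogon is known to register for a DC (the _ldap, _gc, _kerberos and _kpasswd services under _tcp and _udp, the _sites, dc, gc and pdc branches under _msdcs, the domain GUID under domains._msdcs, and the DSA GUID CNAME under _msdcs), and verifies the well-known service ports and the shape of the GUID labels. It goes slightly beyond the single-DC structure of Figure 7-8 by parameterising site, forest root and the GC/PDC roles. The sample file, the domain corp.example, the host dc1, the GUIDs and the addresses are constructed; the expected-name list is a general assumption about what Netlogon registers, which you should compare against your own Netlogon.dns.

```python
"""Parser and consistency check for a Netlogon.dns-style record list.

Added example, not from the book or from Microsoft. It parses master-file
style lines (owner TTL IN type rdata) and compares SRV/CNAME owner names with
the set Netlogon registers for a domain controller. Sample data is constructed."""
import re
from collections import defaultdict
from typing import Dict, List, Tuple

GUID_RE = re.compile(r"^[0-9a-f]{8}-(?:[0-9a-f]{4}-){3}[0-9a-f]{12}$", re.I)

# Constructed sample in Netlogon.dns style; _kerberos._udp is deliberately missing.
SAMPLE_NETLOGON_DNS = """\
corp.example. 600 IN A 10.0.0.10
_ldap._tcp.corp.example. 600 IN SRV 0 100 389 dc1.corp.example.
_ldap._tcp.Default-First-Site-Name._sites.corp.example. 600 IN SRV 0 100 389 dc1.corp.example.
_ldap._tcp.dc._msdcs.corp.example. 600 IN SRV 0 100 389 dc1.corp.example.
_ldap._tcp.Default-First-Site-Name._sites.dc._msdcs.corp.example. 600 IN SRV 0 100 389 dc1.corp.example.
_ldap._tcp.pdc._msdcs.corp.example. 600 IN SRV 0 100 389 dc1.corp.example.
_ldap._tcp.aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee.domains._msdcs.corp.example. 600 IN SRV 0 100 389 dc1.corp.example.
_ldap._tcp.gc._msdcs.corp.example. 600 IN SRV 0 100 3268 dc1.corp.example.
_ldap._tcp.Default-First-Site-Name._sites.gc._msdcs.corp.example. 600 IN SRV 0 100 3268 dc1.corp.example.
_gc._tcp.corp.example. 600 IN SRV 0 100 3268 dc1.corp.example.
_gc._tcp.Default-First-Site-Name._sites.corp.example. 600 IN SRV 0 100 3268 dc1.corp.example.
_kerberos._tcp.corp.example. 600 IN SRV 0 100 88 dc1.corp.example.
_kerberos._tcp.Default-First-Site-Name._sites.corp.example. 600 IN SRV 0 100 88 dc1.corp.example.
_kerberos._tcp.dc._msdcs.corp.example. 600 IN SRV 0 100 88 dc1.corp.example.
_kerberos._tcp.Default-First-Site-Name._sites.dc._msdcs.corp.example. 600 IN SRV 0 100 88 dc1.corp.example.
_kpasswd._tcp.corp.example. 600 IN SRV 0 100 464 dc1.corp.example.
_kpasswd._udp.corp.example. 600 IN SRV 0 100 464 dc1.corp.example.
11111111-2222-3333-4444-555555555555._msdcs.corp.example. 600 IN CNAME dc1.corp.example.
"""


def parse_zone_lines(text: str) -> Dict[str, List[Tuple]]:
    """owner -> list of ("SRV", prio, weight, port, target) | ("CNAME", target) | (type, *rdata)."""
    records: Dict[str, List[Tuple]] = defaultdict(list)
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()          # drop comments and blank lines
        if not line:
            continue
        f = line.split()
        if len(f) < 5 or f[2].upper() != "IN":
            raise ValueError(f"unparseable line: {raw!r}")
        owner, rtype, rdata = f[0].rstrip(".").lower(), f[3].upper(), f[4:]
        if rtype == "SRV":
            prio, weight, port, target = rdata
            records[owner].append(("SRV", int(prio), int(weight), int(port), target.rstrip(".").lower()))
        elif rtype == "CNAME":
            records[owner].append(("CNAME", rdata[0].rstrip(".").lower()))
        else:
            records[owner].append((rtype, *rdata))
    return records


def expected_names(domain, forest, site, domain_guid, dsa_guid, is_gc=True, is_pdc=True):
    """Owner names Netlogon registers for a DC (assumed general list); returns (srv_names, cname_names)."""
    d, f, s = domain.lower(), forest.lower(), site.lower()
    srv = {f"_ldap._tcp.{d}", f"_ldap._tcp.{s}._sites.{d}",
           f"_ldap._tcp.dc._msdcs.{d}", f"_ldap._tcp.{s}._sites.dc._msdcs.{d}",
           f"_ldap._tcp.{domain_guid.lower()}.domains._msdcs.{f}",
           f"_kerberos._tcp.{d}", f"_kerberos._udp.{d}", f"_kerberos._tcp.{s}._sites.{d}",
           f"_kerberos._tcp.dc._msdcs.{d}", f"_kerberos._tcp.{s}._sites.dc._msdcs.{d}",
           f"_kpasswd._tcp.{d}", f"_kpasswd._udp.{d}"}
    if is_pdc:
        srv.add(f"_ldap._tcp.pdc._msdcs.{d}")
    if is_gc:
        srv |= {f"_gc._tcp.{f}", f"_gc._tcp.{s}._sites.{f}",
                f"_ldap._tcp.gc._msdcs.{f}", f"_ldap._tcp.{s}._sites.gc._msdcs.{f}"}
    return srv, {f"{dsa_guid.lower()}._msdcs.{f}"}


def expected_port(owner: str):
    labels = owner.split(".")
    if labels[0] == "_gc" or "gc" in labels[2:]:     # global catalog LDAP listens on 3268
        return 3268
    return {"_ldap": 389, "_kerberos": 88, "_kpasswd": 464}.get(labels[0])


def audit_netlogon(text, domain, forest, site, domain_guid, dsa_guid, **flags) -> List[str]:
    """Findings for a record list: missing names, unexpected ports, malformed GUID labels."""
    records = parse_zone_lines(text)
    srv_expected, cname_expected = expected_names(domain, forest, site, domain_guid, dsa_guid, **flags)
    findings = [f"missing SRV {n}" for n in sorted(srv_expected)
                if not any(r[0] == "SRV" for r in records.get(n, []))]
    findings += [f"missing CNAME {n}" for n in sorted(cname_expected)
                 if not any(r[0] == "CNAME" for r in records.get(n, []))]
    for owner, recs in sorted(records.items()):
        want = expected_port(owner)
        for r in recs:
            if r[0] == "SRV" and want is not None and r[3] != want:
                findings.append(f"unexpected port {r[3]} for {owner}")
        for label in owner.split("."):
            if label.count("-") == 4 and not GUID_RE.match(label):
                findings.append(f"malformed GUID label {label} in {owner}")
    return findings
```

Run `audit_netlogon(SAMPLE_NETLOGON_DNS, "corp.example", "corp.example", "Default-First-Site-Name", "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee", "11111111-2222-3333-4444-555555555555")` and the only finding is the missing `_kerberos._udp` record; this is the kind of gap that is hard to spot by eye in a manually maintained zone, which is the point of section 7.4.3.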
In addition, for the case where only the root domain of the Active Directory is known, entries for locating services within the Active Directory are detailed under the top-level DNS domain of the Active Directory. If you need to maintain this structure manually, you are advised to gather all the current information available. Your entire operation will benefit from an accurate reflection of the structure of the Active Directory.

7.4.3 SRV Entries without Dynamic DNS

If dynamic DNS update is forbidden, zone data must be managed manually. This includes not only the expected record types (A, PTR, CNAME, NS and the like) but also the SRV and CNAME records supplied by Netlogon. As already described, the SRV records are the core of the domain locator service in the Active Directory architecture. When DCPROMO is run to create a domain controller, it creates a minimal list, Netlogon.dns (Listing 7-1), stored under %windir%. Even so, this flat list alone does not convey the full impact of maintaining SRV records manually.

Listing 7-1 A Netlogon.dns file

For example, if you study this file, you will notice that it establishes a logical structure that needs to be created correctly. This is secondary, because these records are given in full and can be pasted directly into the zone file. What has not been mentioned is the effect of allowing the Netlogon service to maintain the SRV structure in DNS. This structure helps clients, and thereby services as well, locate key services quickly and efficiently in a design centred on location. The SRV structure favours direct queries over a series of queries. It is also used to provide pointers to the "best" or "nearest" provider of different services, based on knowledge of the domain, in particular of the site in which the client is located. When dynamic updates are not allowed, this structure must be adjusted manually as the environment changes; otherwise it will not give optimal performance. This applies especially to the domain GUIDs (128-bit values that appear as unreadable labels) used to optimise and direct locator queries. If conditions allow, it is recommended to maintain these structures in delegated zones on Windows 2000 DNS servers that allow dynamic updates, preferably with secure updates. When the entire DNS domain cannot be delegated, because hosts and clients are listed in it while these SRV-related structures are not, consider delegating _msdcs, _sites, _tcp and _udp, provided the existing DNS is configured to accept underscores.

7.5 Combining the Active Directory with DNS (or Not)

Several topics involving choices have been described in detail so far. If this seems too much information and too little in the way of simple answers, read the following. Out of the box, a Windows 2000 domain environment is aimed at Microsoft DNS dominating all domain environments, where "all domain environments" means: Active Directory-integrated zones with dynamic DNS enabled, clients served by DHCP, secure dynamic updates in use, and protection provided by the Active Directory. Whenever any one of these departs from the design point, there is a new problem to solve. To illustrate this better, this section collects some observations, some recent and some discussed earlier, in order of relevance.

7.5.1 Active Directory and DNS Topology

In the first release of Windows 2000, all public documentation is written from one viewpoint, namely that there is a one-to-one correspondence between the Active Directory domain structure and the DNS domain structure.
In fact, Microsoft and some of its partners are committed to making this strict identity between the two namespaces, which is more convenient for new network environments than it is suited to all network environments. It is possible to obtain DNS consistency between clients and servers while the Active Directory domain names differ from the DNS names; many ordinary operations are possible, but not entirely without problems. Between the Beta 2 release and the final retail code a considerable change was made to support this independence of the domain namespaces, much like the independence of NetBIOS names, but more. Another point here is that RFC 2672, "Non-Terminal DNS Name Redirection" (defining the DNAME record), reached the standards track before the final code was fixed. This record allows one branch of the DNS namespace to be redirected so that it is still reachable under a different DNS domain name; it creates an alias for a domain branch just as CNAME does for an ordinary hostname (for example, mapping xyz.com to an existing DNS branch such as as.corp.com by a DNAME at xyz.com). We look forward to seeing a large change in documentation in the coming year. At present, the straight but narrow road of namespace identity has been tested against a large number of network environments and has the guidance of the documentation, and most likely poses no problems. It is very likely that vendor documentation will be adjusted to meet the reality of existing TCP/IP infrastructures spread across a wide range of Windows 2000 Active Directory deployments. For now, if you want to go this way or need to leave this path, keep in touch with Microsoft Consulting Services and make some careful preparations.

7.5.2 DNS Server and DC Placement Matching the Topology

Apart from network transmission and machine load, the Active Directory integration of DNS seems to take on some difficult work.
These tasks involve deciding where in the enterprise a DC needs to be placed, and that decision is equally important for the placement of the DNS service. Even when it has been decided that a site needs a DC, whether one caching server mode or another is appropriate for the site remains a reasonable question. If the placement of a DC depends on the need for the Windows 2000 domain environment to remain available during a network outage, it is also necessary to decide where copies of the zone are located. Consider where a client or DHCP server sends its update requests: when DNS is not integrated, these requests are sent to a primary server for the zone, wherever it is. With the zone on the local DC, this is just the load of one more replica, but because the DC already carries a large workload (handling LDAP, Kerberos and replication) and DNS dynamic updates add to it, local secondary servers and caching servers relied on by the clients are worth considering. As these local secondary servers receive transfers from their local DC, the primary DNS zone on the DC automatically becomes a bridgehead server between the sites. These DCs handle the additional DNS load caused by registrations, refreshes, change replication and transfers to the secondary servers. The local secondary servers handle the DNS load from client queries and cache the answers obtained through forwarders.

7.5.3 Pre-defined Groups in the Domain Environment

When a Windows 2000 network service runs in a domain, the server is a participant in the Active Directory, which means some pre-defined groups are available. In the initial release of Windows 2000 a small set of groups relates to network services; see Table 7-1. These groups can be used to help delegate administrative responsibility or, in the case of DnsUpdateProxy, to deal with the problem that arises when DHCP is used for dynamic DNS updates.
Table 7-1 Pre-defined network service groups

Group name            Description
DnsUpdateProxy        Members of this group do not automatically become the owners of the records they create through dynamic DNS
DnsAdmins             Domain local group; its members can manage the DNS servers in the domain
DHCP Administrators   Domain local group; its members can manage the DHCP servers in the domain. Note that Enterprise Admins membership is required to authorize a DHCP server
DHCP Users            Domain local group; its members can view the settings of the DHCP servers in the domain
WINS Users            Domain local group; its members can view the settings of the WINS servers in the domain

7.5.4 Availability of DNS Zone Data

When zone data is held in the Active Directory, the information is available to LDAP queries. The only security mechanism is that of the Active Directory, which controls update and read access. Since the nature of zone data requires that it be available, resource records allow unconditional reads. There is currently no way to prevent anyone who can obtain a security context permitting an LDAP session from enumerating the entire zone data set. Whether a null security context can be used depends on the restrictions applied to the Everyone group and to null or anonymous LDAP connections; this last point was the subject of some changes in the initial release. At present the best way to address the problem is a firewall, but even so the zone data remains exposed in that any legitimate user of the Active Directory can list it. It is a bit of an aside here, but any authenticated user also has the ability to create and own resource records.

7.5.5 Directory Service Referrals and DNS Load

This chapter began with the topic of how DNS is designed around the Active Directory topology. Not yet mentioned is the traditional LDAP process of navigating a directory service structure through referrals. If a client at the fourth level attempts to access the