Designing Name Resolution Services

As discussed earlier in this chapter, TCP/IP supports hostnames, or alphanumeric aliases corresponding to particular IP addresses. These provide a user-friendly alternative to IP addresses and can be used in most places an IP address would be accepted.

When a client attempts to access a machine via its hostname, a process called hostname resolution occurs. Name resolution is typically accomplished by two services:

  • DNS (Domain Name System) for IP hostnames (fully qualified domain names, or FQDNs)

  • WINS (Windows Internet Name Service) for NetBIOS hostnames, used to support versions of Windows prior to Windows 2000

The following sections describe the process of designing a DNS implementation for a network, including WINS support if needed.

Basic DNS Design

DNS is a standard for hostname resolution that was first implemented on Unix (as BIND) and is defined by RFCs 1034 and 1035. DNS is the standard for name resolution on the Internet and is also used locally in many networks. Windows 2000 machines can act as DNS clients or servers.

DNS servers use zones, or databases of names and their corresponding addresses. Windows 2000’s DNS server supports three basic types of zones:

Traditional DNS zone (primary)

Traditional zones store the zone database in a text file on the computer running DNS Server. A given zone has exactly one primary copy, held by one server, and that copy is the only one that accepts changes to the zone; all other servers hold read-only secondaries of it.

Traditional DNS zone (secondary)

Secondary zones store a read-only copy of a primary zone’s database. They provide redundancy and can fill DNS requests, but do not allow updates to the database.

Active Directory integrated zone

New to Windows 2000, Active Directory integrated zones store their data in the Active Directory. The data is replicated along with other Active Directory information to every domain controller running DNS Server. Each of those controllers holds a writable copy of the zone (multi-master replication), so any of them can accept updates to the DNS database.

In addition to these types, reverse lookup zones (named under in-addr.arpa and holding PTR records) function similarly, but translate IP addresses to hostnames instead of names to IP addresses. Any of the above zone types can also be created as a reverse lookup zone.

Choosing zone types

Which types of DNS zone you use depends on the needs of the network. The following are the basic criteria for choosing the DNS zone types to use in your network design:

  • Choose Active Directory integrated zones if the network is based chiefly on Windows 2000, and Active Directory is supported on the network.

  • Choose traditional zones if integrating with existing non-Windows 2000 DNS services (for example, Unix or Windows NT 4.0 DNS servers).

  • If Active Directory support is planned but not yet implemented, you can use an Active Directory integrated zone as a delegated domain. This provides the advantages of Active Directory for the Windows 2000 portion of the network and allows integration with existing DNS services.
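The three zone types, plus the delegated-domain arrangement from the last bullet, as an added PowerShell example (this is not code from the original text). It assumes the DnsServer module of Windows Server 2012 or later; the zone names, server names and addresses are hypothetical. Windows 2000 itself predates PowerShell, where the same work is done in the DNS console or with dnscmd.

```powershell
# Added example: creating each zone type described above.
# Assumes the DnsServer PowerShell module; names and addresses are hypothetical.

$parent    = 'example.com'               # namespace already served by existing (non-Windows 2000) DNS
$child     = 'corp'                      # subdomain delegated to the Windows 2000 / Active Directory portion
$childFqdn = "$child.$parent"
$dcName    = 'dc1.corp.example.com'      # domain controller that runs DNS Server
$dcIp      = [ipaddress]'10.0.1.10'

# 1. Active Directory integrated zone, created on the domain controller.
#    The zone lives in the directory and replicates with it; 'Secure' dynamic
#    updates are only available for this zone type.
Add-DnsServerPrimaryZone -Name $childFqdn -ReplicationScope Domain -DynamicUpdate Secure

# 2. Traditional (file-backed) primary zone, e.g. for a namespace shared with
#    Unix or NT 4.0 servers. Exactly one primary copy exists and only it accepts writes.
Add-DnsServerPrimaryZone -Name 'lab.example.com' -ZoneFile 'lab.example.com.dns'

# 3. Traditional secondary zone: a read-only copy pulled from the primary by zone transfer.
#    Run this on the second server (for instance at a remote site); -MasterServers is the primary.
Add-DnsServerSecondaryZone -Name 'lab.example.com' -ZoneFile 'lab.example.com.dns' -MasterServers $dcIp

# 4. Reverse lookup zone for 10.0.1.0/24; any of the types above can be created this way.
Add-DnsServerPrimaryZone -NetworkId '10.0.1.0/24' -ReplicationScope Domain

# Delegation from the parent. If the parent zone is also on a Windows DNS server:
Add-DnsServerZoneDelegation -Name $parent -ChildZoneName $child -NameServer $dcName -IPAddress $dcIp
# On a BIND parent the equivalent is an NS record plus glue in the example.com zone file:
#   corp       IN NS  dc1.corp.example.com.
#   dc1.corp   IN A   10.0.1.10

# Show what exists and where each zone is stored.
Get-DnsServerZone | Where-Object { -not $_.IsAutoCreated } |
    Select-Object ZoneName, ZoneType, IsDsIntegrated, IsReverseLookupZone, DynamicUpdate |
    Format-Table -AutoSize
```

The commands for the secondary zone and for the parent's delegation run on different servers from the rest; they are shown together only so the whole design is visible in one place.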

Planning DNS Security

Standard DNS has no built-in authentication or confidentiality of its own, but you can secure it using Active Directory and normal network security. The following sections describe key security concerns for DNS servers.

Securing DNS replication

In the process of DNS replication (zone transfer between primary and secondary servers, or Active Directory replication for integrated zones), portions or all of the DNS database are sent over the network. The following measures help keep the DNS data secure during this process:

  • Use Active Directory integrated zones if possible. These replicate using Active Directory, which encrypts its replication traffic. In addition, Active Directory authenticates all such zones to prevent unauthorized servers.

  • If DNS replication is performed over a VPN (virtual private network), use the strongest security levels available.

  • Consider using IPSec to encrypt replication traffic between DNS servers.

Securing DNS updates

Windows 2000’s DNS server allows dynamic updates (RFC 2136). For example, Windows 2000 clients can dynamically update their own DNS records when they are assigned IP addresses, and the DHCP server can send updates to the DNS server on behalf of clients as addresses are assigned.

Dynamic updates can be made secure when Windows 2000 is used for the DNS server, but only for Active Directory integrated zones: with the zone set to allow only secure updates, each update is authenticated with the client’s Kerberos credentials (GSS-TSIG) and checked against the access control list on the record, so a host can change only records it owns. Traditional zones offer no authentication; they either accept updates from any host on the network or accept none, so for a traditional zone leave dynamic updates off unless the network is fully trusted.
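The two checks a practitioner wants from this section and the one before it, restricting zone transfers to known secondaries and finding zones that accept unauthenticated dynamic updates, as an added PowerShell example (not code from the original text). It assumes the DnsServer module of Windows Server 2012 or later; the zone name and secondary addresses are hypothetical.

```powershell
# Added example: hardening zone transfers and dynamic updates.
# Assumes the DnsServer module; zone name and addresses are hypothetical.

$zone        = 'lab.example.com'                         # traditional (file-backed) primary
$secondaries = [ipaddress[]]('10.0.2.10', '10.0.3.10')    # the only servers allowed to pull it

# Zone transfers carry the whole zone database. Allow them only to the listed
# secondaries and send NOTIFY only to those servers, so an arbitrary host on
# the network cannot dump the zone with an AXFR request.
Set-DnsServerPrimaryZone -Name $zone `
    -SecureSecondaries TransferToSecureServers -SecondaryServers $secondaries `
    -Notify NotifyServers -NotifyServers $secondaries

# 'Secure' dynamic update (GSS-TSIG, Kerberos-authenticated) exists only for Active
# Directory integrated zones. A file-backed zone can only be 'None' or
# 'NonsecureAndSecure', and the latter lets any host overwrite any record.
function Get-WeakDynamicUpdateZone {
    Get-DnsServerZone | Where-Object {
        $_.ZoneType -eq 'Primary' -and -not $_.IsAutoCreated -and $_.DynamicUpdate -ne 'Secure'
    }
}

foreach ($z in Get-WeakDynamicUpdateZone) {
    if ($z.IsDsIntegrated) {
        # Integrated zone left open: tighten it to authenticated updates only.
        Set-DnsServerPrimaryZone -Name $z.ZoneName -DynamicUpdate Secure
        "$($z.ZoneName): dynamic updates set to Secure"
    }
    elseif ($z.DynamicUpdate -eq 'NonsecureAndSecure') {
        # File-backed zone accepting unauthenticated updates. Either convert it
        # (ConvertTo-DnsServerPrimaryZone -Name $z.ZoneName -ReplicationScope Domain)
        # and then set it to Secure, or switch dynamic updates off as done here.
        Set-DnsServerPrimaryZone -Name $z.ZoneName -DynamicUpdate None
        "$($z.ZoneName): file-backed, unauthenticated updates disabled"
    }
}

# Review the result for every primary zone.
Get-DnsServerZone | Where-Object { $_.ZoneType -eq 'Primary' } |
    Select-Object ZoneName, IsDsIntegrated, DynamicUpdate, SecureSecondaries, SecondaryServers |
    Format-Table -AutoSize
```

On Windows 2000 the same settings are reached through the zone's properties in the DNS console, or with dnscmd (`/ZoneResetSecondaries` with a `/SecureList` of addresses for transfers, and `/Config <zone> /AllowUpdate 2` for secure-only updates). A secure-only zone also requires that the updating host be a domain member, since the update is authenticated with Kerberos.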

Optimizing DNS

DNS is a vital network service, and a failed or unavailable DNS server can prevent a client from accessing other network services. The following sections introduce methods of improving the performance and availability of DNS services.

Measuring and improving performance

DNS server performance is measured based on the time it takes to receive a result for a DNS query and the amount of network bandwidth used. In order to improve performance beyond that of a single DNS server, you may consider one of the following strategies:

  • Caching-only DNS servers can be used to keep a local cache of DNS requests and their results. These are particularly useful at the remote end of a WAN link, because the cache can be used to answer many requests without requiring WAN traffic.

  • Consider using delegated DNS zones and separate servers to handle portions of the DNS namespace.

  • Windows 2000’s DNS Server supports round robin, a form of load balancing in which the server rotates the order of multiple address records for the same name, so that successive clients are directed to different redundant servers. This is useful in situations with extremely high traffic to a single hostname.

Designing for availability

A single DNS server may not always be available, due to potential hardware and network problems. The first step in improving availability is to install multiple DNS servers. You can use multiple servers in a single subnet or use separate servers for each subnet or location.

For Active Directory integrated zones, you can set up more than one replicated copy of the zone. For traditional zones, configure a primary zone and one or more secondary zones. Distant locations are typically served with secondary zones.

Basic WINS Design

WINS is similar to DNS, but translates NetBIOS (Network Basic Input/Output System) names to IP addresses. NetBIOS names are not required by Windows 2000 computers, but are relied upon by previous versions of Windows.

NetBIOS includes a broadcast-based method of name resolution. Using this system, for example, a small network of Windows 98 computers can resolve each other’s names without the need for a WINS server. However, because routers do not forward NetBIOS broadcasts, WINS servers are needed for networks that span more than one subnet.

All Windows-based computers can act as WINS clients, and Windows NT Server and Windows 2000 Server include WINS server software. Clients can be supplied with the address of the WINS server with manual configuration, or the address can be issued via DHCP.

WINS and other services

The WINS server integrates with other Windows 2000 services. The following are the most important services you may wish to configure to work with WINS:

  • DHCP can supply WINS settings to clients in the same way it supplies DNS settings. The DHCP server hands each client the WINS server addresses (option 044) and NetBIOS node type (option 046) along with its lease, and the client then registers its own NetBIOS names with the WINS server when it starts up.

  • DNS can be integrated with WINS through WINS lookup: a DNS zone can be configured to forward queries for names it does not hold to a WINS server (and, for reverse lookup zones, to use WINS-R). Because WINS learns NetBIOS names and addresses automatically from client registrations, this eliminates the need to manually add them to a DNS zone.

Number of WINS servers

In a small network with a single subnet and relatively few nodes, NetBIOS broadcasts prove sufficient and a WINS server is not needed. In a network with a great number of nodes or a need to reduce broadcast traffic, a WINS server can improve client response times.

Multiple WINS servers can replicate their database, and thus you can use two or more WINS servers when a single server is inadequate for a network. WINS servers can also be placed at remote subnets, so that name resolution traffic does not have to travel across WAN links.

Windows 2000 clients can be configured with as many as 12 WINS server addresses; previous versions of Windows support two addresses. If you are using one WINS server per subnet, a WINS server in a remote subnet can be used as a secondary address, to provide redundancy in cases where the primary server does not respond.

Optimizing WINS

The WINS service is largely automatic and requires less configuration than DNS. Nevertheless, there are factors you can include when you plan your network design to ensure high availability and performance for WINS servers. The following sections discuss these measures.

Improving availability

When WINS servers are in use, clients may be hampered by a temporarily unavailable server. You can ensure WINS availability in several ways:

  • Always specify at least two WINS server addresses for clients and ensure that replication is configured correctly between multiple servers.

  • WINS replication keeps each partner’s database complete, so it both supports redundant servers and ensures that no registrations are lost: a client that fails over to its secondary server can still resolve names that were registered with the primary.

  • Using the clustering features of Windows 2000 is another way to ensure availability, but it protects only a single server against hardware failure; it does nothing for a site cut off by a failed WAN link. Even if clustering is used, separate WINS servers should be placed in remote locations.
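An added PowerShell example (not code from the original text) for the client side of the availability advice above and of the earlier note on secondary WINS addresses: it audits which hosts have fewer than two WINS servers configured, repairs statically configured hosts, and pushes both addresses to DHCP clients. It assumes PowerShell 3 or later (CIM cmdlets) on the hosts and the DhcpServer module on the DHCP server; the computer names and addresses are hypothetical.

```powershell
# Added example: checking and fixing WINS client redundancy.
# Assumes CIM cmdlets and the DhcpServer module; names and addresses are hypothetical.

$primaryWins   = '10.0.1.10'   # WINS server on the local subnet
$secondaryWins = '10.0.2.10'   # WINS server in a remote subnet, replication partner of the first

# Report each IP-enabled adapter's WINS settings. TcpipNetbiosOptions 2 means
# NetBIOS over TCP/IP is disabled, in which case WINS is never consulted.
function Get-WinsClientStatus {
    param([string[]]$ComputerName = $env:COMPUTERNAME)
    foreach ($c in $ComputerName) {
        Get-CimInstance -ComputerName $c -ClassName Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE' |
            ForEach-Object {
                [pscustomobject]@{
                    Computer  = $c
                    Index     = $_.Index
                    Adapter   = $_.Description
                    Primary   = $_.WINSPrimaryServer
                    Secondary = $_.WINSSecondaryServer
                    NetbtOff  = ($_.TcpipNetbiosOptions -eq 2)
                    Redundant = (-not [string]::IsNullOrEmpty($_.WINSPrimaryServer)) -and
                                (-not [string]::IsNullOrEmpty($_.WINSSecondaryServer))
                }
            }
    }
}

# Statically configured servers: give every adapter that uses NetBIOS both addresses.
foreach ($a in Get-WinsClientStatus -ComputerName 'srv1', 'srv2') {
    if (-not $a.Redundant -and -not $a.NetbtOff) {
        $nic = Get-CimInstance -ComputerName $a.Computer -ClassName Win32_NetworkAdapterConfiguration -Filter "Index = $($a.Index)"
        Invoke-CimMethod -InputObject $nic -MethodName SetWINSServer `
            -Arguments @{ WINSPrimaryServer = $primaryWins; WINSSecondaryServer = $secondaryWins } | Out-Null
        "$($a.Computer)/$($a.Adapter): WINS servers set to $primaryWins, $secondaryWins"
    }
}

# DHCP clients: publish both addresses (option 044) in every scope, local server first,
# so a client keeps resolving names when its primary server is unreachable.
Get-DhcpServerv4Scope | ForEach-Object {
    Set-DhcpServerv4OptionValue -ScopeId $_.ScopeId -OptionId 44 -Value $primaryWins, $secondaryWins
}
```

The order of the two addresses matters: clients try the first server and fall back to the second only when it does not respond, so each subnet's scope should list its nearest WINS server first. On Windows 2000 the same client settings are on the WINS tab of the TCP/IP properties, and replication between the two servers is set up in the WINS console or with netsh wins.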

Improving performance

The following are methods of reducing the WINS server’s response time and ensuring high performance:

  • Use a fast machine as the WINS server; monitor its performance to determine if CPU speed, memory, or network bandwidth are becoming a bottleneck.

  • Schedule push/pull partner replication so that major updates occur during non-peak hours, but replicate often enough that partners do not hold stale mappings when IP addresses change.
