
Module 3: Designing a Highly Available Network Services Infrastructure

Contents
Overview  1
Lesson: Designing a Highly Available Active Directory Solution  2
Lesson: Designing a Highly Available DNS Solution  10
Lesson: Designing a Highly Available WINS Solution  23
Lesson: Designing a Highly Available DHCP Solution  28
Lab: Designing a Highly Available Network Services Infrastructure  35


Information in this document, including URL and other Internet Web site references, is subject to change without notice. Unless otherwise noted, the example companies, organizations, products, domain names, e-mail addresses, logos, people, places, and events depicted herein are fictitious, and no association with any real company, organization, product, domain name, e-mail address, logo, person, place or event is intended or should be inferred. Complying with all applicable copyright laws is the responsibility of the user. Without limiting the rights under copyright, no part of this document may be reproduced, stored in or introduced into a retrieval system, or transmitted in any form or by any means (electronic, mechanical, photocopying, recording, or otherwise), or for any purpose, without the express written permission of Microsoft Corporation.
Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this document. Except as expressly provided in any written license agreement from Microsoft, the furnishing of this document does not give you any license to these patents, trademarks, copyrights, or other intellectual property.
© 2001 Microsoft Corporation. All rights reserved.
Microsoft, MS-DOS, Windows, Windows NT, Active Directory, BackOffice, FrontPage, Outlook, PowerPoint, Visio, Visual Studio, Win32, and Windows Media are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries.
The names of actual companies and products mentioned herein may be the trademarks of their respective owners.


Module 3: Designing a Highly Available Network Services Infrastructure

Instructor Notes
Presentation: 180 minutes
Practices: 30 minutes
Lab: 60 minutes


This module provides students with the knowledge and skills that are needed to
design a highly available network services infrastructure. As a Web
infrastructure designer, students will be required to design a highly available
Active Directory™ directory service solution that meets their business needs
while providing flexibility and easy management of the implemented design.
The network services infrastructure design will also include basic services for
Internet Protocol (IP) networks, such as DNS and Microsoft® Windows®
Internet Name Service (WINS), to provide name resolution services, and DHCP
servers to provide address allocations. Students must ensure that these services
are correctly positioned to avoid impacting network availability.
After completing this module, students will be able to:
Design a highly available directory services solution by using
Active Directory.
Design a highly available DNS solution.
Design a highly available WINS solution.
Design a highly available DHCP solution.
Select the appropriate Microsoft technologies for designing a highly
available network services infrastructure.

Required materials

To teach this module, you need the following materials:
Microsoft PowerPoint® file 2088A_03.ppt
Delivery Guide
Trainer Materials compact disc

Preparation tasks

To prepare for this module:
Read all of the materials for this module.

Complete the practices and the lab.



How to Teach This Module
This section contains information that will help you to teach this module.
Ensure that students understand that each lesson in this module is a critical task
in the design process and that, at the end of the module, they will complete a lab
that helps to tie all of the lessons (tasks) together. This knowledge will help
students to stay focused during instruction.
The instructional strategy for this module is to provide the students with the
knowledge and skills needed to design a highly available network services
infrastructure by using Microsoft technologies.

Lesson: Designing a Highly Available Active Directory Solution
This section describes the instructional methods for teaching each topic in this
lesson.
The overview page for this lesson introduces the need for a highly available
Active Directory solution in a Web infrastructure. The instructional strategy for
this lesson divides the design of an Active Directory solution into two parts:
addressing the needs of the User Services tier and addressing those of the
Business Logic and Data Services tiers.
The topic pages for this lesson and the appropriate instructional strategies are
listed as follows:
Process for planning an Active Directory structure
The purpose of this page is to refresh students about the process of planning an
Active Directory structure. Much of the information presented here is
prerequisite knowledge for the students. However, tell students that they need
to provide a separate forest for the User Services tier when designing an Active
Directory solution for a Web infrastructure.

Availability of domain controllers
This page emphasizes the importance of the availability of domain controllers
to make an Active Directory solution highly available. Students can ensure that
an Active Directory solution is highly available by creating a design that has
sufficient domain controllers to provide redundancy. Emphasize the best
practices for improving the availability of domain controllers in a Web
infrastructure.

Guidelines for designing a highly available Active Directory solution
The guidelines page provides students with the action steps that they must
address before they can design a highly available Active Directory solution for
a Web infrastructure. Review these action steps with the students and ensure
that they understand how these steps map to the task. Emphasize the importance
of addressing all of these requirements.

Practice: Design a Highly Available Active Directory Solution
You will divide the class into design teams. Give the students five minutes to read carefully through the scenario and the design considerations before they answer the questions. Tell the class that each team must be prepared to justify their answers.



Lesson: Designing a Highly Available DNS Solution
This section describes the instructional methods for teaching each topic in this
lesson.
The overview page for this lesson introduces the need for a highly available
DNS solution in a Web infrastructure. The instructional strategy for this lesson
divides the design of a DNS solution into two parts: addressing the needs of the
User Services tier and addressing those of the Business Logic and Data Services
tiers.
The topic pages for this lesson and the appropriate instructional strategies are
listed as follows:
A highly available DNS solution
The purpose of this page is to introduce the characteristics of a highly available
DNS solution and the criteria that affect its design. You must emphasize the
importance of using at least two DNS servers to service client requests. Explain
to the students why it is recommended to use two Active Directory integrated
DNS servers inside the firewall and to use a minimum of two external
secondary DNS servers hosted by an Internet service provider.

DNS services in the User Services tier
This page explains the different DNS zone types and the criteria for choosing a
zone when designing DNS services for the User Services tier. Explain the best
practices to provide highly available DNS services for the User Services tier.

DNS services in the Business Logic and Data Services tiers
This page tells students the reason for using Active Directory integrated DNS
zones for the Business Logic and Data Services tiers. Explain the best practices
to provide highly available DNS services for the Business Logic and Data
Services tiers.

Active Directory in a DNS solution
The purpose of this page is to explain the characteristics of Active Directory
integrated DNS zones and how they compare with traditional DNS zones.
Explain to students the best practices for using Active Directory in a highly
available Web solution.

Guidelines for designing a highly available DNS solution
The guidelines page provides students with the action steps that they must address before they can design a highly available DNS solution. You should review these action steps with the students and ensure that they understand how these steps map to the task. Emphasize the importance of addressing all of these requirements.

Practice: Design a Highly Available DNS Solution
You will divide the class into design teams. Give the students five minutes to
read carefully through the scenario and the design considerations before they
answer the questions. Tell the class that each team must be prepared to justify
their answers.



Lesson: Designing a Highly Available WINS Solution
This section describes the instructional methods for teaching each topic in this
lesson.
The overview page for this lesson introduces the need for a highly available
WINS solution in a Web infrastructure. The instructional strategy for this lesson
is to explain to students that they need to design a highly available WINS
solution if their Web infrastructure includes server clusters because the network
names associated with virtual servers are registered with WINS.
The topic page for this lesson and the appropriate instructional strategy are
listed as follows:
Guidelines for designing a highly available WINS solution
The guidelines page provides students with the action steps that they must address before they can design a highly available WINS solution for a Web infrastructure. Review the action steps with the students and ensure that they understand how these steps map to the task. Emphasize the importance of addressing all of these requirements.

Review: Designing a Highly Available WINS Solution
Give the students five minutes to read carefully through the questions before
they answer them. Tell students that they must be prepared to justify their
answers.

Lesson: Designing a Highly Available DHCP Solution
This section describes the instructional methods for teaching each topic in this
lesson.
The overview page for this lesson introduces the need for a highly available
DHCP solution in a Web infrastructure. The instructional strategy for this
lesson is to explain to students that they can use DHCP to automate IP address
management and reduce manual administrative tasks.
The topic page for this lesson and the appropriate instructional strategy are
listed as follows:
A highly available DHCP server architecture
This page introduces the characteristics of a highly available DHCP server architecture. Emphasize the importance of using multihomed DHCP servers to ensure the availability of DHCP services, and explain why the DHCP servers must run Microsoft Windows 2000 as members of an Active Directory domain (a Windows 2000 DHCP server must be authorized in Active Directory before it will lease addresses). Explain to students how to provide highly available DHCP services by using multihomed domain controllers with an interface on each separate network segment.

DHCP lease duration
The purpose of this page is to explain that students must specify a lease
duration that is short enough that the rate of failed host replacement does not
exhaust the address pool specified for the subnet. Also, stress the importance of
specifying lease duration that is long enough that temporary failures of the
DHCP servers will not affect the management of existing clients, but short
enough to ensure that changes to scope options are rolled out in a timely
manner.


Guidelines for designing a highly available DHCP solution
The guidelines page provides students with the action steps that they must
address before they can design a highly available DHCP solution for a Web
infrastructure. Review these steps with the students and ensure that they
understand how these steps map to the task. Emphasize the importance of
addressing all of these requirements.

Review: Designing a Highly Available DHCP Solution
Give the students five minutes to read carefully through the questions before
they answer them. Tell students that they must be prepared to justify their
answers.

Lab: Designing a Highly Available Network Services Infrastructure
In this lab, students will design a highly available network services infrastructure to meet the needs of the Government Portal scenario. Their
design will include components that meet directory services requirements, name
resolution requirements, and IP address configuration requirements of the given
scenario. The students will then make appropriate high availability
recommendations for the design where required. As with the practices, you will
divide the class into design teams. Give the students 30 minutes to read
carefully through the scenario and the design considerations before they answer
the questions.
If white board space is available, require that each team put their design on the
board. If Microsoft Visio® is available and the students are comfortable using it,
you could have them forward their design to you for display on the screen. Each
team must be prepared to justify their answers.
Depending on team experience, the Web infrastructure designs can be relatively
simple or quite complex. You may also discover that some features of their
Web infrastructure design may be incomplete or wrong because they do not
have the prerequisite knowledge. You must only focus on the part of the design
that addresses the lesson component being taught.
You can allow other teams to critique each design, but it is important that you
explain to the students that there are no wrong or right answers. What they must
take from this exercise is the opportunity to practice their design ideas and get
peer review in a lab environment. Depending on business requirements, their
actual designs may vary.




Overview
Slide: Designing a Highly Available Network Services Infrastructure. The module works through four design tasks in order:
• Designing a Highly Available Active Directory Solution
• Designing a Highly Available DNS Solution
• Designing a Highly Available WINS Solution
• Designing a Highly Available DHCP Solution
Introduction

This module introduces the Microsoft technologies that you can use to design a
highly available network services infrastructure for your Web solution. To
design a highly available network services infrastructure, you must design a
highly available Active Directory™ directory service solution that meets your
business needs and provides flexibility and easy management of the
implemented design.
Your design must also include the basic services of an Internet Protocol (IP) network: DNS and Microsoft® Windows® Internet Name Service (WINS) to provide name resolution, and DHCP servers to provide address allocation. You must ensure that these services are positioned correctly so that their failure does not impact network availability.


Objectives

After completing this module, you will be able to:
Design a highly available directory services solution by using Active
Directory.
Design a highly available DNS solution.
Design a highly available WINS solution.
Design a highly available DHCP solution.
Select the appropriate Microsoft technologies for designing a highly
available network services infrastructure.



Lesson: Designing a Highly Available Active Directory Solution
Slide: Designing a Highly Available Active Directory Solution
• Process for Planning an Active Directory Structure
• Availability of Domain Controllers
• Guidelines for Designing a Highly Available Active Directory Solution
Introduction

The need for enhanced security and better manageability of your Web infrastructure can make the availability of Active Directory essential in your Web infrastructure. You can also use Active Directory to store user information if your Web infrastructure has a separate domain in the Business Logic and Data Services tiers for your Web applications.
To design a highly available Active Directory solution for a Web infrastructure, you must be familiar with the process for planning an Active Directory structure. In addition, you need to know both the best practices for improving the availability of domain controllers in a Web infrastructure and the guidelines for designing a highly available Active Directory solution.

Lesson objectives

After completing this lesson, you will be able to:
Describe the process for planning an Active Directory structure.
Describe the considerations for improving domain controller availability.
Design a highly available Active Directory solution for a Web
infrastructure.



Process for Planning an Active Directory Structure
Active Directory planning process:
• Creating a forest plan
• Creating a domain plan for each forest
• Creating an organizational unit plan for each domain
• Creating a site topology plan for each forest
• Defining cross-forest trusts between the User Services forest and the forest(s) in the other tiers
[Figure: a front-end forest in the User Services tier and a back-end forest in the Business Logic and Data Services tiers, linked by cross-forest trusts]
Introduction

To plan an Active Directory structure for your Web infrastructure, you must
create a planning document for each component of the structure and record
decisions and justifications throughout the design process. These planning
documents then serve as a starting point for your implementation of Active
Directory.
It is recommended that you provide a separate forest for the User Services tier,
where you may be required to hold client account identification information and
use trusts from the forest(s) in the other tiers.




Process for planning an Active Directory structure
The following table outlines the steps in each phase of the Active Directory planning process.

Planning phase: Creating a forest plan
  1. Determine the number of forests.
  2. Create a change control policy for each forest.

Planning phase: Creating a domain plan for each forest
  1. Determine the number of domains.
  2. Choose a forest root domain.
  3. Assign a DNS name to each domain.
  4. Plan DNS server deployment.
  5. Optimize authentication with shortcut trusts.

Planning phase: Creating an organizational unit plan for each domain
  1. Determine the organizational units to delegate administration in the domain.
  2. Determine the organizational units to hide objects in the domain.
  3. Determine the organizational units for applying Group Policy in the domain.

Planning phase: Creating a site topology plan for each forest
  1. Define sites and site links.
  2. Size and place servers into sites.

Planning phase: Defining cross-forest trusts between the User Services forest and the forest(s) in the other tiers
  1. Determine the number of required trusts.
  2. Define the direction for each required trust.




Availability of Domain Controllers
• Create at least two domain controllers per domain
• Configure domain controllers to be DNS servers with Active Directory integrated zones and secure dynamic updates
• Store the forest root domain zone as a secondary zone on domain controllers for child domains
Introduction

If you use directory services for server authentication and application access
control, they are critical to your Web infrastructure and therefore must be
highly available. You can ensure that directory services are highly available by
creating a design that has sufficient domain controllers to provide redundancy.
Replication matters in any highly available solution because Active Directory's multimaster replication is what keeps the redundant domain controllers consistent with each other. Replication is only as reliable as the communication between domain controllers, and that communication depends on DNS: a domain controller locates its replication partners and the other domain controllers through DNS records. Running DNS locally on the domain controllers removes an external dependency from that path.

Best practices

You can use the following best practices for improving the availability of the domain controllers in your Web infrastructure:
• Create at least two domain controllers per domain for redundancy. The presence of multiple domain controllers improves the availability of the domain's directory services because if one domain controller fails, the other domain controller will service the requests.
• Configure each domain controller to be a DNS server with an Active Directory integrated zone and secure dynamic updates. Running the DNS service locally on each domain controller improves the availability of Active Directory in your Web infrastructure, because domain controllers no longer depend on reaching an external DNS server for name resolution. Secure dynamic update means that only authenticated domain members can add or change records in the zone.
• Store the forest root domain zone as a secondary zone on domain controllers for child domains. Child domains need DNS entries in the forest root DNS zone (the forest-wide _msdcs records live there in Windows 2000); a local copy of this data keeps those lookups working when the root domain controllers are unreachable and so makes Active Directory more highly available.



Guidelines for Designing a Highly Available Active Directory Solution
• Configure all of the internal computers as members of a domain to utilize mutual Kerberos authentication
• Use a Group Policy with No Override to enforce security policies such as IPSec continually
• Create a forest with a single domain for the servers in the User Services tier
• Create a separate forest with up to three domains to support the back-end infrastructure
• Create trusts between the User Services tier domain and the appropriate domains in the back-end forest
• Make the domain controllers in the Web infrastructure highly available
Introduction

If you plan to use Active Directory for enhanced security and better
manageability of your Web infrastructure, you must design an appropriate
Active Directory solution for the internal network.

Design guidelines

When designing a highly available Active Directory solution for a Web
infrastructure, apply the following guidelines:
• Configure all of the internal computers as members of a domain to utilize mutual Kerberos authentication. Although all of these computers are behind the Internet firewall, you must configure them as securely as possible to reduce the risk of a security breach.
For example, it is recommended that all computers communicate over the network by using only Internet Protocol security (IPSec). Because IPSec authenticates and integrity-checks every packet, it greatly reduces the threat of an attacker who has gained a foothold on the internal network altering packets in transit or impersonating a server. Scale your solution appropriately to include the processor and network overhead inherent in IPSec.
• Use a Group Policy with No Override to enforce security policies such as IPSec continually, so that a policy linked lower in the hierarchy cannot weaken them. If different security applies to different types of servers, such as cluster servers, create organizational units for each security type and assign a specific Group Policy to each organizational unit. In addition, use the Group Policy computer loopback feature to prevent any Group Policy objects (GPOs) that are assigned to the interactively logged on user from affecting the servers.
• Create a forest with a single domain for the servers in the User Services tier. Create separate organizational units in this domain to hold user accounts and computer accounts for the User Services tier. The servers in the User Services tier are the front line of defense against any attacks that come through the firewall. Therefore, to reduce your system's exposure to risks, store a minimal amount of data in this forest and do not include any corporate information.



Create a separate forest to support the back-end infrastructure that
comprises the Business Logic and Data Services tiers. A back-end
infrastructure forest is recommended because it minimizes the amount of
Active Directory data exposed on the front-end. In addition, a separate
forest, along with a firewall, provides an additional layer of security.
You may need to create up to three domains in the back-end infrastructure
forest:
• Create a primary domain that contains the computers for the back-end
(with the exception of server cluster nodes) and the necessary user and
group accounts to manage the application.
• Create a second domain if your application uses Active Directory to
store client information, such as a user account for each client. Having a
separate domain from the primary administrative domain provides
isolation between application data and infrastructure data. In addition,
having a separate domain may reduce the network traffic that Active
Directory replication causes.

• Create a third domain if server clusters are implemented. Configure each
node in each cluster as both a domain controller and a DNS server. By
using DNS servers, you eliminate the dependency on an external domain
controller and DNS server for authentication, thereby increasing the
domain controller availability. In addition, by making each node of the
server cluster a domain controller of a dedicated domain, called a
domainlet, you reduce replication traffic. The domainlet will not contain
any additional user or group objects, with the exception of the cluster
service account(s).
To reduce replication traffic and processor load on the cluster(s) further,
do not make any of the nodes global catalog servers. A global catalog
server is required to enumerate universal group membership for
authentication. Because contacting an external global catalog server
would be a potential point of failure, configure the domain controllers to
ignore global catalog logon failures.
Create trusts between the domain in the User Services tier and the
appropriate domains in the back-end forest depending on the authentication
needs of the application. To allow administrators that were created in the
primary domain in the back-end forest to log on to Web servers in the User
Services tier domain, create a trust between the User Services tier domain
and the back-end primary domain.
If the Web servers need to authenticate users stored in the application
domain in the back-end forest, create a trust between the User Services tier
domain and the application domain in the back-end forest.
Make the domain controllers in the Web infrastructure highly available:
• Place at least two domain controllers in each domain.
• Configure each domain controller to be a DNS server with an Active Directory integrated zone that accepts only secure dynamic updates.
• Configure the DNS servers in child domains to host a secondary copy of the forest root DNS zone.
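The Group Policy and IPSec guideline above, worked through in PowerShell as an added example; it is not part of the course materials. It uses the GroupPolicy and NetSecurity modules of a current Windows Server (the Windows 2000 console of the course calls Enforced "No Override", and the course's IP Security Policies are replaced here by a connection security rule in the same GPO). The domain name, OU path and GPO name are assumptions.

```powershell
# Added example (not from the course). Assumed names: domain, OU and GPO.
Import-Module GroupPolicy
Import-Module NetSecurity

$domain  = 'backend.example.com'                                 # assumed back-end domain
$ouPath  = 'OU=Web Infrastructure,DC=backend,DC=example,DC=com'  # assumed server OU
$gpoName = 'Server Security Baseline'                            # assumed GPO name

# 1. Create the GPO if needed and link it to the server OU as Enforced.
#    An enforced link wins over any conflicting GPO linked further down,
#    which is what the course means by "No Override".
$gpo = Get-GPO -Name $gpoName -ErrorAction SilentlyContinue
if (-not $gpo) { $gpo = New-GPO -Name $gpoName -Domain $domain }
$link = (Get-GPInheritance -Target $ouPath).GpoLinks | Where-Object DisplayName -eq $gpoName
if (-not $link) {
    New-GPLink -Name $gpoName -Target $ouPath -LinkEnabled Yes -Enforced Yes | Out-Null
} else {
    Set-GPLink -Name $gpoName -Target $ouPath -Enforced Yes | Out-Null
}

# 2. Loopback processing in Replace mode (UserPolicyMode = 2; 1 would be Merge).
#    User-side settings for whoever logs on interactively now come from this
#    GPO instead of the GPOs linked to that user's own OU.
Set-GPRegistryValue -Name $gpoName -Key 'HKLM\Software\Policies\Microsoft\Windows\System' `
    -ValueName 'UserPolicyMode' -Type DWord -Value 2 | Out-Null

# 3. IPsec: require authenticated, integrity-protected traffic in both
#    directions on the domain profile. Phase 1 authentication defaults to
#    Kerberos computer credentials, so only domain members can connect.
$store = "$domain\$gpoName"   # NetSecurity policy store "domain\GPO name"
$ruleName = 'Require IPsec - domain members'
if (-not (Get-NetIPsecRule -DisplayName $ruleName -PolicyStore $store -ErrorAction SilentlyContinue)) {
    New-NetIPsecRule -DisplayName $ruleName -PolicyStore $store -Profile Domain -Protocol Any `
        -InboundSecurity Require -OutboundSecurity Require | Out-Null
}

# 4. Verify the link, the loopback setting and the IPsec rule.
(Get-GPInheritance -Target $ouPath).GpoLinks |
    Where-Object DisplayName -eq $gpoName |
    Select-Object DisplayName, Enabled, Enforced
Get-GPRegistryValue -Name $gpoName -Key 'HKLM\Software\Policies\Microsoft\Windows\System' `
    -ValueName 'UserPolicyMode' | Select-Object ValueName, Value
Get-NetIPsecRule -PolicyStore $store |
    Select-Object DisplayName, Profile, InboundSecurity, OutboundSecurity, Enabled
```

Run it from a management host with the RSAT GroupPolicy module, as a user who can create and link GPOs in the target domain. A "Require" rule in both directions means a non-member host cannot talk to the servers at all, so the domain controllers and DNS servers the members need for Kerberos and name resolution must be exempted or must themselves be domain members under the same policy; test on one OU before linking it at the domain root.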
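A check for the domain controller guidelines just listed (and for the best practices given earlier in this lesson), as an added PowerShell script that is not part of the course materials. It assumes the ActiveDirectory and DnsServer modules from RSAT, a reachable forest, and that every domain controller runs the DNS Server role; it only reports deviations and changes nothing.

```powershell
# Added example (not from the course): audit a forest against the domain
# controller availability guidelines. Assumes RSAT modules and a live forest.
Import-Module ActiveDirectory
Import-Module DnsServer

$forest   = Get-ADForest
$rootZone = $forest.RootDomain     # forest root DNS name, e.g. backend.example.com (assumed)
$findings = New-Object System.Collections.Generic.List[string]

foreach ($domainName in $forest.Domains) {
    $dcs = @(Get-ADDomainController -Filter * -Server $domainName)

    # Guideline: at least two domain controllers per domain.
    if ($dcs.Count -lt 2) {
        $findings.Add("$domainName has only $($dcs.Count) domain controller(s)")
    }

    foreach ($dc in $dcs) {
        # Guideline: every DC runs DNS and hosts its own domain zone as an
        # AD-integrated zone that accepts only secure dynamic updates.
        $zones = $null
        try   { $zones = Get-DnsServerZone -ComputerName $dc.HostName -ErrorAction Stop }
        catch { $findings.Add("$($dc.HostName): DNS Server role not reachable"); continue }

        $own = $zones | Where-Object { $_.ZoneName -eq $domainName }
        if (-not $own) {
            $findings.Add("$($dc.HostName): does not host zone $domainName")
        } elseif (-not $own.IsDsIntegrated -or $own.DynamicUpdate -ne 'Secure') {
            $findings.Add("$($dc.HostName): zone $domainName is not AD-integrated with secure " +
                          "updates (IsDsIntegrated=$($own.IsDsIntegrated), DynamicUpdate=$($own.DynamicUpdate))")
        }

        # Guideline: DCs in child domains keep a local copy of the forest root
        # zone so forest-wide lookups survive a root DC or link outage.
        if ($domainName -ne $rootZone) {
            $rootCopy = $zones | Where-Object { $_.ZoneName -eq $rootZone }
            if (-not $rootCopy) {
                $findings.Add("$($dc.HostName): no local copy of forest root zone $rootZone")
            }
        }
    }
}

# Trusts: print direction and SID filtering state so they can be compared
# with the design (the User Services domain trusts the back-end domains,
# not the other way round).
foreach ($domainName in $forest.Domains) {
    Get-ADTrust -Filter * -Server $domainName | ForEach-Object {
        '{0} -> {1}: Direction={2}, SIDFilteringQuarantined={3}' -f `
            $domainName, $_.Name, $_.Direction, $_.SIDFilteringQuarantined
    }
}

if ($findings.Count -eq 0) { 'No deviations from the domain controller guidelines found.' }
else { $findings | ForEach-Object { "FINDING: $_" } }
```

Run it once per forest (the front-end forest and the back-end forest are separate forests in this design, so run it against each). The trust report is deliberately informational: a trust that exists in the wrong direction, or one with SID filtering turned off toward the less trusted User Services forest, is a design error rather than something a script should silently correct.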




Practice: Design a Highly Available Active Directory Solution
In this practice, you will design a highly available Active Directory solution based on a given business scenario.
Scenario

You are a consultant retained to design a Web infrastructure for a commercial
Web site. Your initial research determines that the Microsoft Windows 2000
operating system is used exclusively throughout the organization. You have
also determined that Active Directory is used on both the internal network and
the Web site for security and user control.

Questions

1. Name the four phases of the Active Directory planning process and
sequence them in the correct order.
Creating a forest plan.
Creating a domain plan for each forest.
Creating an organizational unit plan for each domain.
Creating a site topology plan for each forest.

2. What guidelines will you follow to design a highly available Active Directory solution for the proposed Web infrastructure?
Configure all internal computers as members of a domain to use mutual
Kerberos authentication.
Use a Group Policy with No Override to continually enforce security
policies.
Create a forest with a single domain for the User Services tier.
Create a separate forest to support the back-end infrastructure
comprising the Business Logic and Data Services tiers.
Create trusts between the domain in the User Services tier and the
appropriate domains in the back-end forest.
Configure the domain controllers in the Web infrastructure for high
availability.


3. What are the considerations for making domain controllers highly available
in a Web infrastructure?
Create at least two domain controllers per domain for redundancy.
Configure each domain controller to be a DNS server with an Active
Directory integrated zone and secure dynamic updates.
Store the forest root domain zone as a secondary zone on domain
controllers for child domains.



Lesson: Designing a Highly Available DNS Solution
Slide: Designing a Highly Available DNS Solution
• A Highly Available DNS Solution
• DNS Services in the User Services Tier
• DNS Services in the Business Logic and Data Services Tiers
• Active Directory in a DNS Solution
• Guidelines for Designing a Highly Available DNS Solution
Introduction

When you design a highly available DNS solution, you must decide on the
number of DNS servers required, their locations in your Web infrastructure, and
the appropriate architecture, which must provide DNS services for both a
private internal and public external network.
An Internet name authority can assign you a DNS domain name and make sure
that a parent DNS zone includes a delegation to the DNS server that is
authoritative for that DNS domain.
As part of your Web solution, it is recommended that you use an internal
namespace that only users in your organization can access. The internal
namespace prevents unauthorized users from accessing the names and IP
addresses of the computers in your private network. In addition, if you want
your Web site available to your external clients, you must create an external
public namespace that anyone on the Internet can resolve.
For external clients on the public network who connect to your Web site, configure DNS resolution to resolve a fully qualified domain name (FQDN) into an IP address. For your private internal network, use DNS to resolve the FQDNs of the services and computers in your solution. If you plan to have both an internal and an external namespace, you must configure your DNS servers so that internal clients can resolve names in both namespaces.
Note: You achieve the highest security by keeping the external DNS namespace and the internal DNS namespace different. Different namespaces also reduce configuration problems and administrative overhead, because you never have to maintain two differently populated copies of the same zone (one for the inside, one for the outside).
When you use DNS with Active Directory, keep the two namespaces in separate Active Directory integrated DNS zones. Because the Active Directory integrated DNS server that holds the external zone is positioned inside the firewall that protects your infrastructure, the same DNS servers can host both the internal and the external namespace; only the external zone is published to the Internet, by zone transfer to the secondary servers outside the firewall.



Lesson objectives

After completing this lesson, you will be able to:
Identify the features of a highly available DNS services solution.
Plan the positioning of the DNS servers in the User Services tier.
Plan the positioning of the DNS servers in the Business Logic and Data Services tiers.
Plan the positioning of Active Directory in your DNS solution.
Design a highly available DNS solution for the internal and external networks.


A Highly Available DNS Solution

[Slide diagram: in the User Services tier, domain controllers with Active Directory integrated DNS sit behind a firewall and replicate through Active Directory integrated zone transfers; zone transfers then flow from the DNS servers in the User Services tier, through the firewall, to secondary DNS servers hosted at ISP A and ISP B.]
Introduction

To make the DNS service highly available for your external clients, you must
have at least two DNS servers available to service client requests.

Reduce server failure

To reduce server failures that are caused by power failures, position DNS servers that are connected directly to the Internet in different geographical locations. An ISP provides this service and can also provide the high availability needed to meet your business requirements.
It is recommended that you use two Active Directory integrated DNS servers
inside the firewall to provide highly reliable internal primary DNS services.
Configure the Active Directory integrated DNS servers to perform zone
transfers to the external servers. Zone replication data will travel along a zone
transfer path from an Active Directory integrated DNS server positioned inside
your solution.
You must also use a minimum of two external DNS servers hosted by your ISP.
To retain administrative control of the records being stored on these DNS
servers, you must configure them as secondary servers. These secondary DNS
servers will service all of the DNS requests from your Internet-based clients,
which will conserve wide area network (WAN) bandwidth.


Name resolution

While designing a network, particularly one to be accessed from the Internet,
you must identify reliable solutions for name resolution to locate computers and
resources on your network. The following table includes some of the criteria
that affect your DNS design.
Design criteria and considerations

Number of locations: The number of locations determines the minimum number of DNS servers, because each location typically will have at least one DNS server.

Required redundancy level for your design: If your solution is geographically dispersed, you may need to position DNS servers with the same geographical dispersion as your resource servers.

Internal and external name resolution: It is recommended that you isolate Internet-based address resolution from internal private name resolution for security purposes. Isolating the address resolution requires multiple DNS servers that are positioned to provide services while maintaining required security levels.

Existence of any prior DNS servers, such as UNIX or DNS servers running Microsoft Windows NT® version 4.0: Existing DNS servers may limit the use of DNS features, such as incremental zone transfers and the use of dynamic updates.

Deploying DNS

If you do not already have DNS servers running on your public network, it is recommended that you deploy the DNS service that is provided with Microsoft Windows 2000 Server.
If you have existing DNS servers, then the servers that are authoritative for the
locator records must meet certain requirements to support Active Directory. The
DNS servers that are authoritative for the locator records must support the
service resource record type. Also, it is recommended that the DNS servers that
are authoritative for the locator records and are the primary master servers for
those zones should support the DNS dynamic update protocol as defined in
Request for Comments (RFC) 2136.

Integrating DNS service

You can integrate the DNS service in Windows 2000 with other products that
are based on the Internet Engineering Task Force (IETF) standards. DNS
provides compatibility with DNS servers on other operating systems by
complying with Berkeley Internet Name Domain (BIND) version 8.2.2 and
later. Crucial BIND compatibility includes:
Incremental zone updates that are supported by BIND version 8.2.1 and later.
A dynamically updated DNS zone database that is supported by BIND version 8.1.2 and later.
Support for the service (SRV) resource record that is supported by BIND version 4.9.6 and later.



DNS Services in the User Services Tier

[Slide: DNS zone types (Active Directory integrated, primary, secondary, delegated domain) and best practices (minimize the updates to the externally available zone; avoid the use of round robin DNS entries unless the individual resources are cluster servers with reliable IP addresses; avoid the use of reverse lookup zones; have at least two servers hosting the zone to provide for redundancy; use Active Directory integrated zones to minimize administration; host primary zones and Active Directory integrated zones locally).]
Introduction

In the User Services tier, DNS is required to allow name resolution services for
Internet-based clients. To reduce the potential for network security breaches, it
is recommended that you use separate namespaces for your Web infrastructure
and your private network.
The DNS zone type influences the placement and number of DNS servers in a
name resolution design. Each zone type solves a specific name resolution
requirement within a design. For example, if your design uses an Active
Directory integrated zone (primary zone) in your site, and it replicates zone
information to a secondary zone on a DNS server at a remote location, this
configuration will improve name resolution redundancy if a portion of the Internet routing fails.


Zone types


When placing DNS servers within a design, you need to consider the DNS zone
type. The following table lists the DNS zone types and when you must select
them.
DNS zone types

Use this zone when you need to create a DNS server that:

Active Directory integrated
  Is any server in a design based on Active Directory.

Primary
  Is the first DNS server in a design based on traditional DNS.
  Has a read/write copy of the zone information.
  Can administer zone information separately.

Secondary
  Improves the availability of primary zones by providing a complete copy of the primary zone.
  Has a read-only copy of the zone information.
  Improves performance at local and remote locations by providing a local copy of a primary zone.
  Is placed in screened subnets and accessed by Internet-based users.

Delegated domain
  Contains a subset of the domain namespace in an Active Directory integrated zone or a primary zone.
  Improves performance by reducing the number of searchable records to a subset of the namespace.



Best practices

You can use the following best practices to provide highly available DNS
services for the User Services tier:
Minimize the updates to the externally available zone by ensuring that IP
addresses for resources are reliable and not subject to change. For example,
the virtual IP addresses that Network Load Balancing uses are reliable
because there are multiple servers in a fault tolerant cluster.
Avoid the use of round robin DNS entries unless the individual resources
are cluster servers with reliable IP addresses.
Avoid the use of reverse lookup zones to minimize the amount of information that is vulnerable to attacks against the site.
Make sure that you have at least two servers hosting the external zone to
provide redundancy.
If you are using Active Directory, use directory-integrated storage for your
zones to minimize administration.
If you are not using Active Directory, you must use standard primary zones
to create and manage zones in your external DNS namespace. In this case, a
single-master update model applies, where one DNS server is designated as
the primary server for a zone. Only the primary server can process an update
to the zone information.
It is recommended that you host primary zones and Active Directory
integrated zones locally and use secondary zones for DNS servers that are
located off-site to maintain local administration control.
Locate local DNS servers so that access is still possible when local network
path failures occur.
Locate servers off-site where resolution requests for client names will not
impact bandwidth to the site.
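As an added example, not part of the course or of the Windows 2000 DNS service, the following Python script reviews a public zone against the best practices listed above. It parses a small constructed zone in BIND text format (the format Windows 2000 DNS is compatible with, as noted earlier) and reports fewer than two name servers, name servers not spread across distinct /24 networks (an assumed stand-in for distinct ISPs or locations), an NS record pointing into RFC 1918 address space (the internal primary showing up in the public delegation instead of staying behind the firewall), and round robin A records for names that are not declared cluster virtual IPs. The zone name example.com, its hosts and its addresses are all constructed.

```python
import ipaddress
from collections import defaultdict
# Constructed sample for the fictitious example.com (documentation address ranges): ns1 at "ISP A", ns2 at "ISP B".
SAMPLE_ZONE = """\
$ORIGIN example.com.
@    IN SOA ns1 hostmaster 2001010101 3600 900 604800 3600
@    IN NS  ns1
@    IN NS  ns2
ns1  IN A   192.0.2.10
ns2  IN A   198.51.100.10
ftp  IN A   203.0.113.61
ftp  IN A   203.0.113.62
"""
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def parse_zone(text):
    """Return (owner, rtype, rdata) tuples; assumes each record line has an owner and class IN."""
    origin, records = ".", []
    for line in text.splitlines():
        tokens = line.split(";", 1)[0].split()            # strip comments
        if not tokens or tokens[0].startswith("$"):       # only $ORIGIN is honoured
            origin = tokens[1] if tokens and tokens[0] == "$ORIGIN" else origin
            continue
        owner = origin if tokens[0] == "@" else tokens[0]
        owner = owner if owner.endswith(".") else f"{owner}.{origin}"
        records.append((owner, tokens[2].upper(), tokens[3:]))
    return records

def review_zone(text, cluster_vips=frozenset()):
    """Return best-practice findings for the public zone; an empty list means it passes."""
    records = parse_zone(text)
    apex = next(owner for owner, rtype, _ in records if rtype == "SOA")
    a_by_owner = defaultdict(list)
    for owner, _, rdata in (r for r in records if r[1] == "A"):
        a_by_owner[owner].append(rdata[0])
    ns_hosts = [rd[0] if rd[0].endswith(".") else f"{rd[0]}.{apex}"
                for owner, rtype, rd in records if rtype == "NS" and owner == apex]
    ns_ips = [ip for host in ns_hosts for ip in a_by_owner.get(host, [])]
    findings = []
    if len(ns_hosts) < 2:
        findings.append("fewer than two servers host the zone: no redundancy")
    nets = {ipaddress.ip_network(f"{ip}/24", strict=False) for ip in ns_ips}  # assumption: one /24 per ISP or site
    if len(ns_hosts) >= 2 and len(nets) < 2:
        findings.append("name servers are not spread across distinct networks")
    if any(ipaddress.ip_address(ip) in net for ip in ns_ips for net in RFC1918):
        findings.append("an NS record exposes a private address: keep the internal primary hidden")
    for owner, ips in a_by_owner.items():
        if len(ips) > 1 and owner not in cluster_vips:    # round robin without a cluster VIP
            findings.append(f"round robin A records for {owner} ({len(ips)} addresses)")
    return findings
```

Names passed in cluster_vips must be fully qualified with a trailing dot, matching the owner names the parser produces.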
Note When controlling access to your Web infrastructure by IP address, be
aware that many Web users will pass through a proxy server or a firewall. The
incoming connection to your Web server will appear to have originated from
the proxy server or firewall and not the client’s computer. If you are performing
restrictions based on the client domain name, Microsoft Internet Information
Services (IIS) must be able to perform a reverse DNS lookup.



DNS Services in the Business Logic and Data Services Tiers

[Slide: DNS zone types (use Active Directory integrated zones in the Business Logic and Data Services tiers) and best practices (avoid using the same zone that was used for the User Services tier; create Active Directory integrated zones on a local Active Directory domain controller that is not a part of the corporate Active Directory structure; have at least two servers hosting the zone to provide for redundancy; locate local DNS servers and domain controllers so that access is still possible when local network path failures occur).]
Introduction

DNS is required to allow name resolution services for the Business Logic and
Data Services tiers when the FQDNs are used to reference computers and
services in the tiers. The namespace used by the FQDNs can be part of the
external namespace that you use for your Web infrastructure, but it is usually
separate from both the external namespace and your private DNS namespace to
reduce the potential for private network security breaches.

Zone types

It is recommended that you use Active Directory integrated DNS zones for the
Business Logic and Data Services tiers. By utilizing multiple domain
controllers in your Web solution, you make your DNS services highly
available.


Best practices

You can use the following best practices to provide highly available DNS
services for the Business Logic and Data Services tiers:
Avoid using the same zone that you used for the User Services tier unless
your applications require it.
Create Active Directory integrated zones on a local Active Directory
domain controller that is not part of your corporate Active Directory
structure, that is, the domain controllers are in separate forests. There can be
trusts to the corporate forest if your design requires it.
Make sure that you have at least two servers hosting the zone to provide
redundancy.
Locate local DNS servers (and domain controllers) so that access is still
possible when local network path failures occur.

