[TNT1-114] Windows Server 2003 DNS Integration with Active Directory: presenter transcript


1 [TNT1-114]
KEY MESSAGE: This is session TNT1-114.
SLIDE BUILDS: None
SLIDE SCRIPT:
SLIDE TRANSITION: The title for this session is…

2 Windows Server 2003 DNS Integration with Active Directory
KEY MESSAGE: The title of this session is Windows Server 2003 DNS Integration with Active Directory.
SLIDE BUILDS: None
SLIDE SCRIPT: Hello and welcome to this Microsoft TechNet session on Windows Server 2003 DNS Integration with Active Directory. My name is [insert name].
SLIDE TRANSITION: Here is what will be covered today.
Microsoft Corporation

3 What we will cover
Installing and managing DNS
Active Directory integration
DNS features and configuration
DNS in federated forests
KEY MESSAGE: This is what will be covered today.
SLIDE BUILDS: 4
SLIDE SCRIPT: The topics for this session are: [BUILD 1] Installing and managing DNS, [BUILD 2] Active Directory integration, [BUILD 3] DNS features and configuration, [BUILD 4] and DNS in federated forests.
SLIDE TRANSITION: Here is what you should have knowledge and experience with to get the most out of this session.

4 Prerequisites (Level 200)
Windows Server 2003
Active Directory structure
DNS concepts
KEY MESSAGE: To get the most out of this session, you should have the knowledge and experience listed on the slide.
SLIDE BUILDS: 3
SLIDE SCRIPT: To get the most out of this session you should have the following knowledge and experience: [BUILD 1] Windows Server 2003 administration, [BUILD 2] Active Directory structure, [BUILD 3] and DNS concepts.
SLIDE TRANSITION: This is the session agenda.

5 Agenda
Installing and managing DNS
Active Directory integration
DNS features and configuration
DNS in federated forests
KEY MESSAGE: This is the agenda for this session.
SLIDE BUILDS: None
SLIDE SCRIPT: This is the agenda for this session. The first agenda item is Installing and managing DNS.
SLIDE TRANSITION: Let's get started.

6 Installing and managing DNS: DNS basics
Domain Name System
Name resolution protocol for TCP/IP networks
Distributed, hierarchically ordered database
KEY MESSAGE: What is DNS?
SLIDE BUILDS: 5
SLIDE SCRIPT:
[BUILD 1] Before focusing this presentation on the features and benefits of Windows Server 2003 DNS services, the basics should be covered. What is DNS? DNS is the hierarchical, distributed database that maps domain names to various types of data, such as IP addresses. DNS lets computers and services be located by user-friendly names, and it also allows the discovery of other information stored in the database.
[BUILD 2] DNS servers work in a request/response framework. The DNS client requests information from the DNS server, and the DNS server responds either with an authoritative answer or by reporting that the name does not exist (an NXDOMAIN response).
[BUILD 3] In a forward lookup zone, the client asks for the IP address belonging to a particular host name or FQDN. The DNS server answers with the matching IP address and the client proceeds to contact that server.
[BUILD 4] Occasionally, a system needs to verify the name of the computer that uses a certain IP address. Reverse lookup zones perform this service by translating IP addresses into FQDNs.
SLIDE TRANSITION: How is the DNS namespace organized?
ADDITIONAL INFORMATION FOR PRESENTER: Slide diagram over TCP/IP: forward lookup zone ("Who is NY-CERT-01?" answered with NY-CERT-01 = its IP address) and reverse lookup zone ("Who is this IP address?" answered with NY-WXP-01).

7 Installing and managing DNS: Namespace structure
Internet root (.)
Top-level domains
Contoso.local
KEY MESSAGE: The hierarchical structure of the DNS namespace.
SLIDE BUILDS: 5
SLIDE SCRIPT:
[BUILD 1] The DNS domain namespace is based on a hierarchical tree of named domains. The root of the Internet domain tree is an unnamed level, sometimes written as a trailing period at the end of a domain name. All domain names on the Internet trace back to this root.
[BUILD 2] Top-level domains sit directly below the Internet root. Top-level domain names typically consist of two or three letters that indicate a country, a region, or the type of organization using the domain. For example, .com represents a commercial business, .org a not-for-profit organization, and .gov a US Government organization.
[BUILD 3] Second-level domain names of variable length are registered directly to individuals or organizations for use on the Internet. These names are always based on an appropriate top-level domain, depending on the type of organization. At this level, the Contoso corporation registers its company on the Internet as contoso.com.
[BUILD 4] Below the second-level domain, the organization can create an unlimited number of subdomains to partition the domain space. The actual resources can be placed either in the second-level domain or in the subdomains.
[BUILD 5] Alternatively, the domain root can be kept off the Internet altogether. Domains are only considered to be on the Internet if they are registered and can be resolved from the top level. A domain can be isolated by using a top-level label that is not part of the Internet, such as local or corp. (Caveat: .local has since been reserved for Multicast DNS by RFC 6762, so current guidance is to use a subdomain of a name the organization has registered rather than a made-up top-level label.)
SLIDE TRANSITION: How does the DNS server respond to a query?
ADDITIONAL INFORMATION FOR PRESENTER: Slide tree: root (.) → top-level domains com, org, gov (plus the private label local) → second-level domains Contoso.com, WideWorldImporters.com, IRS.gov, Contoso.local → subdomains us.Contoso.com, research.Contoso.com, us.Contoso.local, research.Contoso.local.

8 Installing and managing DNS: Following an internal DNS request
Zone contoso.com on NY-DNS-01.contoso.com: NY-DNS A, NY-WEB A, NY-WXP A, www CNAME NY-WEB-01.contoso.com
KEY MESSAGE: Describe a basic internal DNS query.
SLIDE BUILDS: 6
SLIDE SCRIPT:
[BUILD 1] So by what process does the DNS server respond to a query? First, each client needs to be configured with at least one DNS server. The DNS server can be assigned either statically by the administrator or dynamically through a DHCP server.
[BUILD 2] When the client needs to communicate with another computer by URL or FQDN, the DNS client sends a query to its configured primary DNS server. In this case, the user needs to access www.contoso.com.
[BUILD 3] The DNS server receives the query and checks its zone data for a record named www in the zone contoso.com. Within this zone, the server finds a CNAME (alias) record for www pointing to the host name NY-WEB-01.
[BUILD 4] The DNS server then searches the zone for a record named NY-WEB-01 and finds an A (host) record holding its IP address.
[BUILD 5] Now that the DNS server has resolved the name for the client, it sends a response back to the client with the IP address for the requested name. The response carries both the CNAME record and the A record it points to, so the client also learns the canonical name.
[BUILD 6] Once the client knows the IP address, it can communicate directly with the server behind www.contoso.com.
SLIDE TRANSITION: This process demonstrates DNS internally, but how does DNS resolve queries on the Internet?
ADDITIONAL INFORMATION FOR PRESENTER: Slide diagram: NY-WXP-01.contoso.com sends the request to NY-DNS-01.contoso.com over TCP/IP, receives the response, and then connects to NY-WEB-01.contoso.com.

9 Installing and managing DNS: Following an external DNS request
Request: www.contoso.com; Response: the address for contoso.com's web server
KEY MESSAGE: Demonstrate an external DNS query.
SLIDE BUILDS: 6
SLIDE SCRIPT:
[BUILD 1] The previous example showed a DNS server that was authoritative for the zone being queried. When the DNS server is not authoritative for that zone, it must seek the information elsewhere.
[BUILD 2] Here a client in the WideWorldImporters.com domain queries its DNS server for the IP address of www.contoso.com.
[BUILD 3] The DNS server searches its zones and cache for contoso.com but finds no match. With recursion enabled on the server, it queries the root servers on the Internet. Recursion should stay enabled only on servers that resolve for internal clients; an authoritative server exposed to the Internet should have recursion disabled so it cannot be abused as an open resolver.
[BUILD 4] The root server is not authoritative for contoso.com and does not know the address of www.contoso.com. It replies with a referral: the name servers for the .com top-level domain, which in turn refer the resolver to the name servers authoritative for contoso.com. (The slide shows these two referrals as one step.)
[BUILD 5] The WideWorldImporters.com DNS server can now query the server authoritative for contoso.com directly. The Contoso DNS server resolves the CNAME www to the New York web server and responds to the WideWorldImporters.com DNS server with its IP address.
[BUILD 6] The WideWorldImporters.com DNS server then answers the original query with that IP address. It also caches the result for the time to live (TTL) of the records, so that when it receives the same request again it can answer immediately.
SLIDE TRANSITION: Within Active Directory, DNS provides resolution not only for hosts but also for Active Directory services.
ADDITIONAL INFORMATION FOR PRESENTER: Slide diagram: the WideWorldImporters.com DNS server sends a request to a.root-server.net and receives the referral, sends a request to NY-DNS-01.contoso.com and receives the answer, and the client then contacts NY-WEB-01.contoso.com over TCP/IP.
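The two walkthroughs above can be run end to end in a simulation. The block below is an added example and is not code from the TechNet session: a toy authoritative server that answers from its zone and follows CNAME chains (slide 8), and a toy resolver that starts from a root hint, follows referrals and caches answers for their TTL (slide 9). The zone contents, server names and addresses (192.0.2.x, the RFC 5737 documentation range) are constructed, and message formats are simplified. Unlike the slide, the root here delegates com. and com. delegates contoso.com., which is how the Internet actually works. It also handles the failure mode a real server must: a CNAME loop is rejected instead of looping forever.

```python
"""Simulated DNS resolution for the two walkthroughs above (added example, not
code from the TechNet session): a toy authoritative server that follows CNAME
chains inside its zone (slide 8) and a toy resolver that starts at a root hint,
follows referrals and caches answers for their TTL (slide 9). Zone data, names
and addresses (192.0.2.x, RFC 5737 documentation range) are constructed."""
import time
from collections import namedtuple

RR = namedtuple("RR", "name rtype rdata ttl")            # owner, type, data, seconds
Response = namedtuple("Response", "kind answer authority additional")
MAX_CNAME_CHAIN = 8  # a looping or very long CNAME chain must not hang the server


class AuthoritativeServer:
    def __init__(self, zone, records):
        self.zone, self.records = zone, list(records)

    def _rrset(self, name, rtype):
        return [r for r in self.records if r.name == name and r.rtype == rtype]

    def query(self, qname, qtype):
        """Answer, refer (NS records below the apex), or report NXDOMAIN/REFUSED."""
        if self.zone != "." and qname != self.zone and not qname.endswith("." + self.zone):
            return Response("REFUSED", [], [], [])
        cand = qname
        while cand != self.zone:                      # look for a delegation point
            ns = self._rrset(cand, "NS")
            if ns:
                glue = [g for n in ns for g in self._rrset(n.rdata, "A")]
                return Response("REFERRAL", [], ns, glue)
            cand = cand.split(".", 1)[1] or "."       # strip the leftmost label
        answer, seen = [], set()
        for _ in range(MAX_CNAME_CHAIN):              # chase CNAMEs inside the zone
            if qname in seen:
                raise ValueError("CNAME loop at %s" % qname)
            seen.add(qname)
            exact = self._rrset(qname, qtype)
            if exact:
                return Response("ANSWER", answer + exact, [], [])
            cname = self._rrset(qname, "CNAME")
            if not cname:
                return Response("ANSWER" if answer else "NXDOMAIN", answer, [], [])
            answer.append(cname[0])
            qname = cname[0].rdata
        raise ValueError("CNAME chain longer than %d" % MAX_CNAME_CHAIN)


class Resolver:
    """Iterative resolver with a TTL cache (the slide's 'recursion enabled' server)."""

    def __init__(self, servers, root_hint, clock=time.monotonic):
        self.servers, self.root_hint, self.clock = servers, root_hint, clock
        self.cache = {}                               # (name, type) -> (expiry, records)

    def resolve(self, qname, qtype, _depth=0):
        """Return (records, from_cache); raise LookupError if the name cannot be resolved."""
        key = (qname.lower(), qtype)
        if key in self.cache and self.cache[key][0] > self.clock():
            return self.cache[key][1], True
        if _depth > 4:
            raise LookupError("too many indirections for %s" % qname)
        ip = self.root_hint
        for _ in range(16):                           # bound the referral chain
            resp = self.servers[ip].query(key[0], qtype)
            if resp.kind == "REFERRAL":
                ns = resp.authority[0].rdata
                glue = [g for g in resp.additional if g.name == ns]
                ip = glue[0].rdata if glue else self.resolve(ns, "A", _depth + 1)[0][-1].rdata
                continue
            if resp.kind != "ANSWER":
                raise LookupError("%s: %s" % (key[0], resp.kind))
            records = list(resp.answer)
            if records[-1].rtype == "CNAME" and qtype != "CNAME":   # alias left the zone
                records += self.resolve(records[-1].rdata, qtype, _depth + 1)[0]
            self.cache[key] = (self.clock() + min(r.ttl for r in records), records)
            return records, False
        raise LookupError("referral chain too long for %s" % key[0])


# Constructed zones. The slide merges root and .com into one server; here root
# delegates com. and com. delegates contoso.com., as on the real Internet.
ROOT = AuthoritativeServer(".", [
    RR("com.", "NS", "a.gtld.example.", 172800),
    RR("a.gtld.example.", "A", "192.0.2.2", 172800)])
COM = AuthoritativeServer("com.", [
    RR("contoso.com.", "NS", "ny-dns-01.contoso.com.", 172800),
    RR("ny-dns-01.contoso.com.", "A", "192.0.2.10", 172800)])
CONTOSO = AuthoritativeServer("contoso.com.", [
    RR("ny-dns-01.contoso.com.", "A", "192.0.2.10", 3600),
    RR("ny-web-01.contoso.com.", "A", "192.0.2.80", 3600),
    RR("www.contoso.com.", "CNAME", "ny-web-01.contoso.com.", 300),
    RR("loop-a.contoso.com.", "CNAME", "loop-b.contoso.com.", 300),  # deliberate loop
    RR("loop-b.contoso.com.", "CNAME", "loop-a.contoso.com.", 300)])
SERVERS = {"192.0.2.1": ROOT, "192.0.2.2": COM, "192.0.2.10": CONTOSO}


def make_resolver(clock=time.monotonic):
    """Resolver for the WideWorldImporters side, with 192.0.2.1 as its only root hint."""
    return Resolver(SERVERS, "192.0.2.1", clock)
```

Calling `make_resolver().resolve("www.contoso.com.", "A")` returns the CNAME and the A record (192.0.2.80) with `from_cache` False; the second call within 300 seconds (the CNAME's TTL, the shortest in the answer) is served from the cache. The clock is injectable so cache expiry can be exercised without waiting.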

10 Installing and managing DNS: Registering the service locator records
NETLOGON.dns lists the SRV records
SRV records registered at startup
KEY MESSAGE: Using DNS as a locator
SLIDE BUILDS: 6
SLIDE SCRIPT:
[BUILD 1] The main reason Active Directory deployments require a DNS infrastructure is as a locator mechanism for domain-wide and forest-wide services. Service locator (SRV) resource records allow several servers that provide the same TCP/IP-based service to be found with a single DNS query. Each domain controller keeps a file called NetLogon.dns (in %SystemRoot%\System32\config) listing every record it registers. The list can be extensive and includes both domain-wide records and site-specific records under _sites.
[BUILD 2] Each time the domain controller boots (and periodically afterwards), the Netlogon service sends these records as dynamic updates to the DNS server configured on the domain controller. When the server is shut down properly, the records are removed from DNS. However, if the server fails unexpectedly, the stale records remain and clients may keep trying to reach a domain controller that no longer exists. This is one reason to enable aging and scavenging on the zone and to delete a failed domain controller's records as part of its metadata cleanup.
[BUILD 3] NetLogon.dns registers four major types of service records. LDAP records designate servers hosting the Lightweight Directory Access Protocol service, the primary access protocol for Active Directory, used to query and update information in the directory.
[BUILD 4] Kerberos SRV records resolve to servers that provide authentication within Active Directory (the KDC).
[BUILD 5] The Kerberos password (kpasswd) records locate the service Kerberos users contact to change the password of a given identity.
[BUILD 6] The final records locate Global Catalog servers. These servers host a partial replica of every domain in the forest that applications and clients can query to find any object in the forest.
SLIDE TRANSITION: Each service record contains a series of configurable settings.
ADDITIONAL INFORMATION FOR PRESENTER: Slide diagram: LDAP, Kerberos, Kerberos password and Global Catalog records registered by LON-DC-01.WideWorldImporters.com with LON-DNS-01.WideWorldImporters.com.

11 Installing and managing DNS: Locating Active Directory resources
Service locator record: RFC 2782
SRV record properties
KEY MESSAGE: Contents of the DNS service locator records.
SLIDE BUILDS: 8 (continued on the next slide)
SLIDE SCRIPT:
[BUILD 1] The service locator record is defined by the Internet Engineering Task Force (IETF) in RFC 2782.
[BUILD 2] RFC 2782 specifies the properties available in each of these records.
[BUILD 3] The owner name of an SRV record encodes the service and the protocol in the form _Service._Proto.Name. The service label is the symbolic name of the TCP/IP service offered (for example _ldap), and the protocol label is the transport the service uses; _tcp and _udp are the common values. Active Directory also inserts site information into the owner name, for example _ldap._tcp.<site>._sites.dc._msdcs.<domain>.
[BUILD 4] The Time-to-Live (TTL) is used by other DNS servers and by DNS clients to determine how long, in seconds, they may cache the record.
[BUILD 5] The priority is a number from 0 to 65535 indicating the preference given to the host named in the record relative to the other hosts offering the same service in other SRV records. When more than one SRV record exists for a service, the hosts with the lowest priority value are tried first. If such a host fails or is unreachable, the hosts with the next higher priority value (that is, the next less-preferred hosts) are used.
[BUILD 6] The weight is a 16-bit value (0 to 65535, like priority) used as a load-balancing mechanism among records that share the same priority. A client chooses among equal-priority targets at random with a probability proportional to weight, so hosts with higher weights are selected more often; a weight of 0 gives a host only a very small chance of being selected while weighted hosts exist. Do not read weight as a strict ordering: it only biases the selection.
Slide table (columns: Service, Protocol, Site, TTL, Priority, Weight, Port, Host); only the values that survived extraction are shown:
  _ldap._tcp      SRV            NY-DC-01.contoso.com.
  _kerberos._tcp  SRV  TTL 600   NY-DC-01.contoso.com.
  _gc._tcp        SRV            NY-DC-01.contoso.com.
  _kpasswd._tcp   SRV  TTL 600   NY-DC-01.contoso.com.

12 Installing and managing DNS: Locating Active Directory resources (continued)
Service locator record: RFC 2782
SRV record properties
SLIDE SCRIPT (continued):
[BUILD 7] The port is the TCP/IP port on the host where the service is offered. It is often, but is not required to be, a well-known port number; depending on the protocol label it denotes a UDP or a TCP port.
[BUILD 8] The final field is the target: the fully qualified domain name of the server providing the service. RFC 2782 requires the target to be a host name with address records, not an alias (CNAME).
SLIDE TRANSITION: When a client needs to find a network service, it sends a DNS query for these records.
ADDITIONAL INFORMATION FOR PRESENTER: Same table as the previous slide (Service, Protocol, Site, TTL, Priority, Weight, Port, Host) for _ldap._tcp, _kerberos._tcp (TTL 600), _gc._tcp and _kpasswd._tcp, all pointing at NY-DC-01.contoso.com.
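The three slides on locator records (NETLOGON.dns on slide 10, the RFC 2782 fields on slides 11 and 12, and the site-aware lookup on slide 13) come together in the following added example, which is not code from the TechNet session. It parses SRV records written in the zone-file syntax that netlogon.dns uses, orders the targets exactly as RFC 2782 tells a client to (ascending priority, then weighted random selection with the weight-0 rule), and tries the site-specific query name before the domain-wide one, as the domain controller locator does. The record lines, the site name "tilbury", the priorities and weights and the deliberately deprioritized OLD-DC-01 are constructed; the random source is injectable so the ordering can be tested deterministically.

```python
"""SRV records as an Active Directory client consumes them (added example, not code
from the TechNet session). Parses records in the zone-file syntax used by
%SystemRoot%\\System32\\config\\netlogon.dns (slide 10), orders targets the way
RFC 2782 tells a client to, by priority and then weighted random (slides 11 and
12), and issues the site-specific query first, as the domain controller locator
does (slide 13). The record lines, the site name "tilbury" and the priorities and
weights are constructed; a real netlogon.dns holds many more records."""
import random
from collections import namedtuple

SRV = namedtuple("SRV", "owner ttl priority weight port target")


def parse_srv_line(line):
    """Parse '<owner> <ttl> IN SRV <priority> <weight> <port> <target>'."""
    parts = line.split()
    if len(parts) != 8 or parts[2:4] != ["IN", "SRV"]:
        raise ValueError("not an SRV record line: %r" % line)
    owner, ttl, _, _, prio, weight, port, target = parts
    prio, weight, port = int(prio), int(weight), int(port)
    if not all(0 <= v <= 65535 for v in (prio, weight, port)):   # 16-bit fields
        raise ValueError("priority/weight/port out of range: %r" % line)
    if not target.endswith("."):
        raise ValueError("target must be an absolute host name: %r" % line)
    return SRV(owner.lower(), int(ttl), prio, weight, port, target.lower())


def locator_query_names(service, proto, site, domain):
    """Names in the order the DC locator tries them: site-specific first, then domain-wide."""
    names = ["%s.%s.%s._sites.%s" % (service, proto, site, domain)] if site else []
    names.append("%s.%s.%s" % (service, proto, domain))
    return [n.lower() for n in names]


def rfc2782_order(records, rng=random.random):
    """Order SRV targets for connection attempts (RFC 2782 usage rules).

    Lower priority first. Within one priority, repeatedly: put weight-0 records
    first, draw a number in [0, sum(weights)], and take the first record whose
    running sum reaches it. Probability is therefore proportional to weight, and
    weight-0 records are picked only on a draw of exactly 0. `rng` returns a float
    in [0, 1) and is injectable so the ordering can be tested deterministically.
    """
    ordered = []
    for prio in sorted({r.priority for r in records}):
        pool = sorted((r for r in records if r.priority == prio), key=lambda r: r.weight != 0)
        while pool:
            total = sum(r.weight for r in pool)
            draw = int(rng() * (total + 1))        # uniform over 0..total inclusive
            running = 0
            for r in pool:
                running += r.weight
                if running >= draw:
                    ordered.append(r)
                    pool.remove(r)
                    break
    return ordered


def locate(records, service, proto, site, domain, rng=random.random):
    """First query name that has records wins; its targets come back in RFC 2782 order."""
    by_owner = {}
    for r in records:
        by_owner.setdefault(r.owner, []).append(r)
    for name in locator_query_names(service, proto, site, domain):
        if name in by_owner:
            return rfc2782_order(by_owner[name], rng)
    return []


# Constructed netlogon.dns-style lines. Tilbury has no domain controller, so only
# LON-DC-01 (automatic site coverage from the lowest-cost neighbouring site) appears
# under tilbury._sites; the domain-wide names list both domain controllers.
# OLD-DC-01 is deliberately deprioritized (priority 10, weight 0) and is used last.
NETLOGON_LINES = """
_ldap._tcp.contoso.com. 600 IN SRV 0 100 389 ny-dc-01.contoso.com.
_ldap._tcp.contoso.com. 600 IN SRV 0 100 389 lon-dc-01.contoso.com.
_ldap._tcp.contoso.com. 600 IN SRV 10 0 389 old-dc-01.contoso.com.
_kerberos._tcp.contoso.com. 600 IN SRV 0 100 88 ny-dc-01.contoso.com.
_kpasswd._tcp.contoso.com. 600 IN SRV 0 100 464 ny-dc-01.contoso.com.
_gc._tcp.contoso.com. 600 IN SRV 0 100 3268 ny-dc-01.contoso.com.
_gc._tcp.contoso.com. 600 IN SRV 0 100 3268 lon-dc-01.contoso.com.
_gc._tcp.tilbury._sites.contoso.com. 600 IN SRV 0 100 3268 lon-dc-01.contoso.com.
""".strip().splitlines()
RECORDS = [parse_srv_line(line) for line in NETLOGON_LINES]
```

`locate(RECORDS, "_gc", "_tcp", "tilbury", "contoso.com.")` returns only LON-DC-01, because the site-specific name exists; a client in a site with no site-specific records falls through to the domain-wide name and gets both Global Catalogs in weighted-random order, with OLD-DC-01 always last because of its higher priority value.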

13 Installing and managing DNS: Locating Active Directory resources
NY-DC-01 and LON-DC-01 are Global Catalogs
Which is the nearest network printer?
KEY MESSAGE: Using DNS as a locator
SLIDE BUILDS: 4
SLIDE SCRIPT:
[BUILD 1] Here is an example of a network with three sites: Tilbury, London and New York. The Tilbury site contains a DNS server, a print device and the client. The client wants to search Active Directory for the closest network printer, which is the one in the Tilbury site. The only domain controllers are in the London and New York sites.
[BUILD 2] Before searching Active Directory, the client must locate a Global Catalog server. It sends a DNS query for the Global Catalog SRV records to its local DNS server, which answers from the applicable zone.
[BUILD 3] The site awareness does not come from DNS sorting the answer by link cost; DNS knows nothing about site links. It comes from the domain controller locator and from how the records are registered. The client first queries the site-specific name (_gc._tcp.Tilbury._sites.<forest root>) and only if that returns nothing falls back to the site-independent name. Because Tilbury has no domain controller, the domain controller in the site with the lowest-cost site link to Tilbury (London at cost 25, rather than New York at cost 50) registers the site-specific records for Tilbury on its behalf; this is called automatic site coverage.
[BUILD 4] In this way the client contacts the London domain controller first to search Active Directory, and finds the print device locally in the Tilbury site.
SLIDE TRANSITION: You have seen how the DNS server responds to several request types.
ADDITIONAL INFORMATION FOR PRESENTER: Slide diagram: Tilbury site (TIL-DNS-01, the client and the printer), London site (LON-DC-01) and New York site (NY-DC-01), joined by site links with costs 50, 25 and 25 so that the lowest-cost path from Tilbury leads to London. Request: Global Catalog; Response: both GCs; the client then searches for the printer in the GC.

14 Installing and managing DNS: Configure Your Server Wizard
Simple management interface
Manage server roles
Integrated with Microsoft Help
KEY MESSAGE: Installing network services in Windows Server 2003
SLIDE BUILDS: 3
SLIDE SCRIPT:
[BUILD 1] Microsoft has made a concerted effort to simplify the installation and configuration of server roles in a Microsoft network. New to Windows Server 2003, the Configure Your Server Wizard and the related Manage Your Server tool consolidate configuration tools and features in one place, enabling administrators to set up and manage profiles called server roles for one or more servers.
[BUILD 2] Server roles can be installed, and the changes are then reflected in Manage Your Server so that administrators can change profiles as a server's role changes. Server roles cover all aspects of server management, from print and file services to streaming media and remote access. The wizard allows administrators to install, configure and administer up to 11 server roles, and both tools list the current status of the assigned roles.
[BUILD 3] To make these tools even more useful, each section of both has been fully documented and linked to comprehensive help files with additional information on each server role. The help files also contain configuration checklists, best practices and troubleshooting documents.
SLIDE TRANSITION:
ADDITIONAL INFORMATION FOR PRESENTER:

15 Installing and managing DNS: DNS installation wizard
Simplifies server role configuration
Installs only the required components
Ensures a secure configuration
KEY MESSAGE: The benefits of server role wizards.
SLIDE BUILDS: 4
SLIDE SCRIPT:
[BUILD 1] When you choose a server role in the Configure Your Server Wizard, it launches an individual, custom installation wizard for that task. These wizards simplify installation by walking you through each required step for the specific task.
[BUILD 2] The key benefit of using the wizards to install server roles is that a wizard installs and configures only the items the particular service requires. The administrator can focus on the task at hand rather than having to learn every aspect of the server role first.
[BUILD 3] The net result is an installation that stays secure: by using the wizards you reduce the attack surface of the server compared with installing the service through Add/Remove Windows Components. The wizard limits what is installed; the zone-level settings covered later in this session (who may request zone transfers, which dynamic updates are accepted) still have to be set deliberately for each zone.
[BUILD 4] At the end of the wizard, a summary of the actions to be taken is shown in the final window. At this point the wizard can still be cancelled without any change being made to the server. Clicking Finish starts the installation and configuration of the server role according to the choices made in the wizard.
SLIDE TRANSITION: Once the role is successfully installed, your attention can shift to managing the server role.
ADDITIONAL INFORMATION FOR PRESENTER:

16 Installing and managing DNS: DNS management console
Microsoft Management Console snap-in
Organizes the DNS hierarchy
Manages multiple DNS servers
KEY MESSAGE: Using the DNS management console
SLIDE BUILDS: 3
SLIDE SCRIPT:
[BUILD 1] After the DNS server role is installed on Windows Server 2003, the DNS management console becomes available in the Administrative Tools folder of the Start menu. It can also be installed on an administrative workstation from the Windows Server 2003 Administration Tools Pack (adminpak.msi) on the operating system installation media. The console is a Microsoft Management Console snap-in and requires administrative rights on the DNS server (for example membership in DnsAdmins) to configure most settings. Security best practice is to log on as a normal user and open the console with Run as (the Secondary Logon service) under an administrative account.
[BUILD 2] By examining the owner name of each record in each zone, the DNS management console automatically builds the DNS hierarchy into an easy-to-navigate tree. Each container in the console tree has a context menu from which you can add records, add zones, view properties and open advanced options. Within the folder structure under each Active Directory integrated zone are the service record containers, organized by record type and replication scope.
[BUILD 3] One of the main benefits of using the Microsoft Management Console for managing Windows Server 2003 server roles is the ability to manage multiple servers in your organization from one interface. To multiply your administrative effectiveness, you can add every DNS server you manage to the single console and make configuration changes in real time across the enterprise.
SLIDE TRANSITION: Windows Server 2003 DNS supports a wide variety of DNS record types.
ADDITIONAL INFORMATION FOR PRESENTER:

17 Installing and managing DNS: DNS resource records
Start of Authority (SOA)
Name Server (NS)
Host (A)
Alias (CNAME)
Mail Exchanger (MX)
Pointer (PTR)
Service Location (SRV)
KEY MESSAGE: Explain common DNS record types.
SLIDE BUILDS: 7
SLIDE SCRIPT:
[BUILD 1] Within each file-based or Active Directory integrated DNS zone, a minimum of two resource records must exist. The Start of Authority resource record indicates the name of origin for the zone and contains the name of the server that is the primary source of information about the zone. It also holds other properties of the zone: the serial number, which is the zone's version, and the refresh, retry, expire and minimum TTL timers that govern zone renewal and expiration. These properties determine how often secondary servers check for changes and transfer the zone. The SOA record is always first in any standard zone and names the DNS server that either originally created the zone or is now its primary server.
[BUILD 2] All DNS zones also require at least one Name Server record. DNS uses the NS record to assign authority for a DNS zone to specified servers. It does this in two ways: by establishing the list of authoritative servers for the domain, so that they can be made known to others requesting information about the domain or zone, and by indicating the authoritative DNS servers for any subdomain that is delegated away from the zone.
[BUILD 3] Host, or A, resource records associate the DNS names of computers (hosts) with their IP addresses. They can be added to a zone statically through the DNS management console, or dynamically: the client registers its own address, or the DHCP server that assigned the address registers it on the client's behalf. A host record is not required for every computer, but it is needed by computers that share resources on the network.
Any computer that shares resources and needs to be identified by its DNS name needs a host resource record so that DNS can resolve its name to its IP address. Host records also serve as glue records for a zone by providing the addresses of hosts referred to elsewhere in the zone, such as the servers named in SOA and NS records.

18 Installing and managing DNS: DNS resource records (continued)
Start of Authority (SOA)
Name Server (NS)
Host (A)
Alias (CNAME)
Mail Exchanger (MX)
Pointer (PTR)
Service Location (SRV)

19 Installing and managing DNS: Other resource record types
Mailbox information (MINFO)
Next domain (NXT)
Public key (KEY)
Host information (HINFO)
Well-known services (WKS)
KEY MESSAGE: Refer to the less common resource record types
SLIDE BUILDS: 1
SLIDE SCRIPT: [BUILD 1] In all, the Windows Server 2003 DNS server supports 25 different record types, each defined by an IETF RFC. See the DNS Help document titled Resource Records Reference for a full description of each record type with syntax and examples. (NXT, KEY and SIG are the original DNSSEC record types from RFC 2535; Windows Server 2003 DNS can store and serve them, for example as a secondary for a signed zone, but it neither signs zones nor validates signatures.)
SLIDE TRANSITION: Now for a look at some of these concepts in the first demonstration.
ADDITIONAL INFORMATION FOR PRESENTER: Also on the slide: Integrated Services Digital Network (ISDN), AFS database (AFSDB), Responsible person (RP), Signature (SIG), Mailbox rename (MR), Mailbox (MB), ATM address (ATMA), Route through (RT), Mail group (MG), IPv6 host (AAAA), X.25 (X25), Text (TXT), Option (OPT).

20 Demo. Installing and managing DNS: Install the DNS server role; Manage DNS resource records
KEY MESSAGE: Introduction to Demonstration 1.
SLIDE BUILDS: None
SLIDE SCRIPT: This demonstration shows the installation of the DNS server role using the Configure Your Server Wizard, followed by an overview of the DNS management console.
SLIDE TRANSITION:

21 Agenda
Installing and managing DNS
Active Directory integration
DNS features and configuration
DNS in federated forests
KEY MESSAGE: This is the agenda for this session.
SLIDE BUILDS: None
SLIDE SCRIPT: The next item on the agenda is Active Directory integration.
SLIDE TRANSITION: How do standard zones operate?

22 Active Directory integration: Primary and secondary zones
London site, Seattle site
Primary DNS server
Secondary DNS servers
KEY MESSAGE: Describe standard zone replication.
SLIDE BUILDS: 5
SLIDE SCRIPT:
[BUILD 1] In a standard (file-based) DNS zone, a DNS server is either the primary or a secondary server for the zone. Only one server can be the primary; it is the server named in the zone's Start of Authority record, and all other name servers for the zone must be secondaries.
[BUILD 2] When a host resource record is added, statically or dynamically, it can only be added on the primary DNS server. The primary writes the new record into its zone file and increments the serial number in the SOA record.
[BUILD 3] With notification enabled on the Zone Transfers tab of the zone's properties on the primary, the primary sends a NOTIFY message to each listed secondary to say that the zone has changed. The same tab also restricts which servers may request a zone transfer at all; keep it limited to the zone's name servers or to a named list, because an unrestricted transfer hands the whole zone, including every domain controller's SRV records, to anyone who asks.
[BUILD 4] Each secondary then requests the primary's SOA record and compares its serial number with the serial of its own copy of the zone.
[BUILD 5] If the primary's serial is newer (compared with RFC 1982 serial arithmetic, because the 32-bit serial wraps), the secondary initiates a zone transfer to pull the zone from the primary. Transfer traffic can be minimized with incremental zone transfers (IXFR, RFC 1995), in which only the changes since the secondary's serial are sent; if the primary no longer has those changes, the secondary performs a full transfer (AXFR). A separate setting matters for old BIND servers: Windows sends transfers in the fast format with many records per message, and if the transfer scope includes BIND versions before 4.9.4 the BIND secondaries option on the server must be enabled, which disables the fast format and sends one record per message.
SLIDE TRANSITION: How does Active Directory integration improve this process?
ADDITIONAL INFORMATION FOR PRESENTER: Slide diagram: four sites (London, Seattle, New York, Tilbury), one primary DNS server and secondary DNS servers in the other three sites.
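The serial comparison in builds 4 and 5 is where standard-zone replication usually goes wrong in practice, so here it is worked through as an added example, not code from the TechNet session. After a NOTIFY, a secondary fetches the primary's SOA and pulls the zone only if the primary's serial is newer; "newer" is defined by RFC 1982 serial number arithmetic (32 bits, wrapping), which is what DNS servers implement, and a plain integer comparison breaks both at the wrap and whenever a serial was set far too high by mistake. The serials, the secondary list and the primary's incremental-transfer journal are constructed. The last function shows how to recover a zone whose serial was set too high: it computes the sequence of serials to publish so that every secondary still sees each step as an increase.

```python
"""Zone transfer decisions driven by the SOA serial (added example, not code from the
TechNet session). After a NOTIFY, a secondary fetches the primary's SOA and pulls
the zone only if the primary's serial is newer. "Newer" follows RFC 1982 serial
number arithmetic (32 bits, wrapping), which is what DNS servers implement; a plain
'>' breaks at the wrap and whenever a serial was set far too high by mistake. The
serials, the secondary list and the primary's IXFR journal below are constructed."""
MOD = 1 << 32
HALF = 1 << 31


def serial_gt(a, b):
    """True when serial a is later than b under RFC 1982; equal or undefined (distance 2^31) -> False."""
    a, b = a % MOD, b % MOD
    return a != b and ((a < b and b - a > HALF) or (a > b and a - b < HALF))


def serial_add(serial, n):
    """Advance a serial; RFC 1982 defines addition only for increments below 2^31."""
    if not 0 <= n < HALF:
        raise ValueError("increment must be in [0, 2^31)")
    return (serial + n) % MOD


def transfer_decision(secondary_serial, primary_serial, journal_serials):
    """'NONE' (secondary is current or ahead), 'IXFR' (RFC 1995 deltas exist from the
    secondary's serial) or 'AXFR' (full transfer because the journal no longer covers it)."""
    if not serial_gt(primary_serial, secondary_serial):
        return "NONE"
    return "IXFR" if secondary_serial in journal_serials else "AXFR"


def notify_round(primary_serial, journal_serials, secondaries):
    """Simulate one NOTIFY: map each secondary's name to what it will do."""
    return {name: transfer_decision(serial, primary_serial, journal_serials)
            for name, serial in secondaries.items()}


def serial_path(current, desired):
    """Serials to publish, in order, to move a zone from `current` to `desired`.

    Recovery for a serial that was set too high and then lowered: secondaries
    treat the lower value as older and stop transferring. Every step here is a
    valid RFC 1982 increase (at most 2^31 - 1), so all secondaries follow along.
    """
    path, cur = [], current % MOD
    while (desired - cur) % MOD >= HALF:        # desired not reachable with one increase
        cur = serial_add(cur, HALF - 1)
        path.append(cur)
    path.append(desired % MOD)
    return path


# Constructed state. Serials follow the YYYYMMDDnn convention; ny-dns-02 was hand-edited
# with a wrong year and now sits one hundred million ahead of the primary.
PRIMARY_SERIAL = 2003121505
JOURNAL = {2003121503, 2003121504}         # deltas the primary still keeps for IXFR
SECONDARIES = {
    "lon-dns-01": 2003121505,              # current
    "sea-dns-01": 2003121504,              # one change behind, delta available
    "til-dns-01": 2003121401,              # far behind, needs a full transfer
    "ny-dns-02": 2103121505,               # ahead of the primary: will never update
}
```

`notify_round(PRIMARY_SERIAL, JOURNAL, SECONDARIES)` yields NONE for lon-dns-01, IXFR for sea-dns-01, AXFR for til-dns-01 and NONE for ny-dns-02; the last one is the trap, since the secondary silently keeps serving stale data. `serial_path(2103121505, 2003121506)` returns two serials to publish in turn on the primary (an intermediate value and then the intended one), after which ny-dns-02 catches up.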

23 Active Directory integration: Active Directory integrated zones
London site, Seattle site
Primary DNS servers
KEY MESSAGE: Describe Active Directory integrated zone replication
SLIDE BUILDS: 3
SLIDE SCRIPT:
[BUILD 1] When you integrate DNS zones into Active Directory, this process becomes both more efficient and more secure. The biggest difference you notice right away is that there are no secondary DNS servers in the picture: every domain controller that runs DNS and hosts the zone is a primary, because the zone is stored in Active Directory and replicates through Active Directory's multi-master replication. (Standard secondaries can still be configured to pull the zone from any of these primaries, for example on DNS servers that are not domain controllers.)
[BUILD 2] As a result, when a client registers its host record, the local DNS server can accept the update and add the record to the zone directly. This keeps DNS registration traffic within the site rather than sending it across wide area network links to a single primary.
[BUILD 3] Since the zone data replicates within Active Directory, zone changes propagate according to the Active Directory replication schedule and site link cost topology.
SLIDE TRANSITION: How does DNS manage the zone replication information?
ADDITIONAL INFORMATION FOR PRESENTER: Slide diagram: four sites (London, Seattle, New York, Tilbury), each with a primary DNS server.

24 Integración de Active Directory Estructura de la zona integrada de AD
NY-DNS-01 Zonas de búsqueda directa KEY MESSAGE: Explain the folder structure of an Active Directory Integrated Zone SLIDE BUILDS: 5 SLIDE SCRIPT: [BUILD 1] The DNS Server Service integrates into the design and implementation of Active Directory. The Active Directory provides an enterprise-level directory for organizing and managing resources in a network and DNS provides the method to locate these resources. By integrating zones into Active Directory, you can take advantage of DNS features such as secure dynamic updates and record Caducidad y borrado to improve DNS security. [BUILD 2] The standard DNS server manages folders similar to this structure, with forward and Zonas de búsqueda inversa on the server. Zone files reside either under the Zona de búsqueda directas or the Zonas de búsqueda inversa folders. This would be the complete folder structure for a standard zone managing contoso.com. [BUILD 3] With the zone integrated into Active Directory, the folder structure becomes more complicated to define site, protocol, and replication information. When each domain controller in the forest boots, it registers a set of forest-wide records that end in _msdcs.<DNS-forest-name>. These forest-wide records are of interest to clients and domain controllers from all parts of the forest. For example, the Catálogo global server locator records, and the records used by the replication system to locate replication partners, are included in the forest-wide domain controller records. For any two domain controllers to replicate with each other, including two domain controllers from the same domain, they must be able to look up forest-wide locator records. For a newly created domain controller to participate in replication, it must be able to register its forest-wide records in the DNS _msdcs sub-domain, and other domain controllers must be able to look up these records. For this reason, it is vital that forest-wide locator records be available to every DNS server in every site. 
Slide diagram (zone tree under Forward Lookup Zones on NY-DNS-01). Standard zone: contoso.com. Active Directory-integrated zone: contoso.com with the subfolders _msdcs, _sites, _tcp, _udp, DomainDnsZones and ForestDnsZones. Below it, the Reverse Lookup Zones folder.

25 Active Directory Integration: Structure of the AD-integrated zone
NY-DNS-01 Forward lookup zones [BUILD 4] Remember that each domain controller registers the records in its NETLOGON.DNS file each time the server boots. These are the service locator (SRV) records that match the roles installed on the server, and they carry site and protocol information. The records are sorted into the _sites, _tcp, and _udp folders to provide a logical resolution path that the DNS server uses when responding to queries. [BUILD 5] Windows Server 2003 introduces the application directory partition. An application directory partition stores application-specific data that can be dynamic and subject to TTL restrictions. The replication scope of an application directory partition can be configured to include any set of domain controllers in the forest. Windows Server 2003 DNS uses this technology through two default directory partitions, DomainDnsZones and ForestDnsZones. Records in these partitions replicate to all DNS servers in the domain and to all DNS servers in the forest, respectively. Windows Server 2003 also allows you to create additional partitions in Active Directory for finer replication control. When setting the replication scope of an Active Directory-integrated zone, the options are: all domain controllers in the domain (the Windows 2000-compatible choice, which stores the zone in the domain partition), all DNS servers in the domain, all DNS servers in the forest, or all DNS servers enlisted in a specific application directory partition. This folder structure represents each of these options. SLIDE TRANSITION: Now take a look at the partitions of Active Directory. ADDITIONAL INFORMATION FOR PRESENTER: the slide repeats the zone tree of the previous build (contoso.com with _msdcs, _sites, _tcp, _udp, DomainDnsZones, ForestDnsZones, and the Reverse Lookup Zones folder).
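The record set described in builds 3 and 4, as an added example that is not part of the TechNet deck: it enumerates the DC locator records a domain controller registers from NETLOGON.DNS and classifies each one by the zone (and default application partition) that has to hold it, which is the check to run when a new domain controller cannot find its replication partners. The owner names follow the Windows DC locator conventions; the domain controller, site name and GUIDs are constructed sample data.

```python
# Added example, not code from the TechNet deck: the DC locator records a
# domain controller registers from NETLOGON.DNS at boot, and the zone (and
# default AD application partition) each one lands in. Domain-wide records
# sit under <domain>, forest-wide ones under _msdcs.<forest>, which is the
# set the notes say every DNS server in every site must be able to resolve.
# Owner names follow the Windows DC locator conventions; the DC, site and
# GUIDs used below are constructed sample data.

LDAP, GC, KRB, KPASSWD = 389, 3268, 88, 464

def locator_records(dc_fqdn, domain, forest, site, domain_guid, dsa_guid,
                    *, pdc=False, gc=False):
    """Return (owner, rtype, port, target) tuples; owners are lower-cased."""
    recs = []
    def srv(owner, port):
        recs.append((owner.lower(), "SRV", port, dc_fqdn))
    # generic records for the domain (registered by every DC)
    for svc, port in (("_ldap._tcp", LDAP), ("_kerberos._tcp", KRB),
                      ("_kerberos._udp", KRB), ("_kpasswd._tcp", KPASSWD),
                      ("_kpasswd._udp", KPASSWD)):
        srv(f"{svc}.{domain}", port)
    # site-specific (_sites) and role-specific (dc._msdcs) records
    for svc, port in (("_ldap._tcp", LDAP), ("_kerberos._tcp", KRB)):
        srv(f"{svc}.{site}._sites.{domain}", port)
        srv(f"{svc}.dc._msdcs.{domain}", port)
        srv(f"{svc}.{site}._sites.dc._msdcs.{domain}", port)
    # forest-wide: domain GUID locator and the DSA GUID alias used by replication
    srv(f"_ldap._tcp.{domain_guid}.domains._msdcs.{forest}", LDAP)
    recs.append((f"{dsa_guid}._msdcs.{forest}".lower(), "CNAME", 0, dc_fqdn))
    if pdc:   # PDC emulator role
        srv(f"_ldap._tcp.pdc._msdcs.{domain}", LDAP)
    if gc:    # global catalog: forest-wide gc records
        srv(f"_ldap._tcp.gc._msdcs.{forest}", LDAP)
        srv(f"_ldap._tcp.{site}._sites.gc._msdcs.{forest}", LDAP)
        srv(f"_gc._tcp.{forest}", GC)
        srv(f"_gc._tcp.{site}._sites.{forest}", GC)
    return recs

def zone_for(owner, domain, forest):
    """Zone that must hold the record, with the default partition that stores
    the zone when its replication scope is forest-wide or domain-wide."""
    if owner.endswith(f"_msdcs.{forest}".lower()):
        return f"_msdcs.{forest} (ForestDnsZones)"
    if owner.endswith(domain.lower()):
        return f"{domain} (DomainDnsZones of {domain})"
    return f"{forest} (DomainDnsZones of the forest root)"

def missing_records(expected, present_owners):
    """Locator records that a DNS server's copy of the zone lacks."""
    return sorted(o for o, *_ in expected if o not in present_owners)

if __name__ == "__main__":
    recs = locator_records("dc1.research.contoso.com", "research.contoso.com",
                           "contoso.com", "Default-First-Site-Name",
                           "0f1e2d3c-0000-4000-8000-000000000001",
                           "a1b2c3d4-0000-4000-8000-000000000002",
                           pdc=True, gc=True)
    for owner, rtype, port, target in recs:
        zone = zone_for(owner, "research.contoso.com", "contoso.com")
        print(f"{owner:72} {rtype:5} {port:5} {target}  -> {zone}")
```

Note that a global catalog in a child domain registers _gc._tcp.contoso.com in the forest root domain's zone, not in its own: that record and the _msdcs.contoso.com records are the ones that fail when the root zone is not reachable from the child domain's DNS servers.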

26 Active Directory Integration: Directory partitions
DC=WideWorldImporters,DC=com KEY MESSAGE: Show the Active Directory partitions. SLIDE BUILDS: 3 SLIDE SCRIPT: [BUILD 1] The Active Directory Replication Monitor tool (replmon.exe, part of the Support Tools on the Windows Server 2003 installation CD) gives a graphical view of the partitions of Active Directory and their replication scope. In Windows 2000, Active Directory consisted of the domain partition of the root domain, the Configuration and Schema partitions, and the partitions of the sub-domains built under the root. [BUILD 2] In Windows Server 2003, the additional application directory partitions provide a storage container for DNS data that is not replicated to global catalog servers, giving administrators control over forest-wide or domain-wide DNS replication. [BUILD 3] Additional DNS directory partitions can be created with the DNSCMD command-line utility from the Windows Server 2003 Support Tools. Data in such a partition replicates only to the domain controllers enlisted in it. DNSCMD can create, enlist, enumerate, unenlist, and delete directory partitions in Active Directory. SLIDE TRANSITION: Now to review the types of DNS zones available on Windows Server 2003. ADDITIONAL INFORMATION FOR PRESENTER: partitions shown on the slide:
CN=Configuration,DC=WideWorldImporters,DC=com
CN=Schema,CN=Configuration,DC=WideWorldImporters,DC=com
DC=DomainDnsZones,DC=WideWorldImporters,DC=com
DC=ForestDnsZones,DC=WideWorldImporters,DC=com
DC=Intranet,DC=WideWorldImporters,DC=com

27 Active Directory Integration: Forward lookup zones
Stores all resource records for the zone. Translates FQDNs into IP addresses. Required by AD to locate services. KEY MESSAGE: The purpose of the forward lookup zone. SLIDE BUILDS: 1 SLIDE SCRIPT: [BUILD 1] The Active Directory Installation Wizard automatically creates a DNS forward lookup zone if no zone for the specified domain name is already available on the network. The forward lookup zone stores all resource records for the zone. Active Directory requires the forward lookup zone to find objects and services within the domain and forest. This zone resolves domain names into the IP addresses used by the TCP/IP protocol. SLIDE TRANSITION: The reverse lookup zone provides the complementary function. ADDITIONAL INFORMATION FOR PRESENTER:

28 Active Directory Integration: Reverse lookup zones
Stores all PTR records for the zone. Resolves IP addresses to FQDNs. Application security. KEY MESSAGE: The purpose of the reverse lookup zone. SLIDE BUILDS: 1 SLIDE SCRIPT: [BUILD 1] The reverse lookup zone is the means by which DNS clients resolve domain names from IP addresses. The Active Directory Installation Wizard does not automatically add a reverse lookup zone and PTR resource records, because Active Directory does not require them. You might want to add a reverse lookup zone to your server if no other server controls the reverse lookup zone for the hosts listed in your forward lookup zone. Reverse lookup zones and PTR resource records are not necessary for Active Directory to work, but you need them if you want clients to be able to resolve FQDNs from IP addresses. Also, some applications use PTR resource records to verify the identity of clients; on its own, a PTR record only proves what the owner of the reverse zone chose to publish, so such a check should confirm that the name resolves back to the original address. SLIDE TRANSITION: Windows Server 2003 DNS also provides stub zones. ADDITIONAL INFORMATION FOR PRESENTER:
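The "application security" use of PTR records, as an added example that is not part of the TechNet deck: a forward-confirmed reverse DNS check, which is the form the identity check has to take because whoever controls the reverse zone for an address block can publish any name in it. The lookup tables stand in for real PTR and A queries and are constructed data.

```python
# Added example, not code from the TechNet deck. Some applications trust a
# client because its address reverse-resolves to a friendly name. A PTR record
# alone proves nothing (the reverse zone's owner chooses the name), so the
# check is forward-confirmed: resolve the PTR name back to addresses and
# require the original address to be among them. The tables below stand in
# for DNS queries and are constructed sample data; 203.0.113.9 models an
# address whose reverse zone is under an attacker's control.

PTR = {"10.0.1.25": "client01.contoso.com",
       "203.0.113.9": "client01.contoso.com"}   # attacker-published PTR
A = {"client01.contoso.com": {"10.0.1.25"}}

def reverse_name(ip):
    """in-addr.arpa owner name that a PTR query for an IPv4 address asks for."""
    return ".".join(reversed(ip.split("."))) + ".in-addr.arpa"

def fcrdns(ip, ptr=PTR, a=A):
    """Forward-confirmed reverse DNS: the client's name if the PTR target
    resolves back to `ip`, otherwise None (treat as unverified)."""
    name = ptr.get(ip)
    if name is None:
        return None
    return name if ip in a.get(name, set()) else None

if __name__ == "__main__":
    for ip in ("10.0.1.25", "203.0.113.9", "10.0.1.99"):
        print(reverse_name(ip), "->", fcrdns(ip))
```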

29 Active Directory Integration: Stub zones
Slide diagram: stub zone research.contoso.com, hosted on DNS01.contoso.com, parent zone contoso.com. Contents: SOA research.contoso.com; NS DNS01.research.contoso.com with its glue A record; NS DNS02.research.contoso.com. KEY MESSAGE: The purpose of stub zones. SLIDE BUILDS: 1 SLIDE SCRIPT: [BUILD 1] A stub zone is a copy of a zone that contains only the resource records needed to identify the authoritative DNS servers for that zone. A stub zone keeps a DNS server hosting a parent zone aware of the authoritative DNS servers for its child zone, and so maintains the efficiency of DNS name resolution. The stub zone consists of the Start of Authority (SOA), Name Server (NS) and glue host (A) records of the delegated zone. The stub zone also stores the IP address of one or more master servers that can be used to update its resource records. The master servers for a stub zone are one or more DNS servers authoritative for the child zone, usually the DNS server hosting the primary zone for the delegated domain name. When a DNS client performs a recursive query on a DNS server hosting a stub zone, the DNS server uses the resource records in the stub zone to resolve the query. It sends an iterative query to the authoritative DNS servers listed in the NS resource records of the stub zone, just as if it were using NS resource records from its cache. If the DNS server cannot reach the authoritative DNS servers listed in its stub zone, it attempts standard recursion using its root hints.
The DNS server stores the resource records it receives from the authoritative DNS servers listed in a stub zone in its cache, not in the stub zone itself; only the SOA, NS, and glue A resource records returned in response to the query are stored in the stub zone. The resource records stored in the cache expire according to the Time-to-Live (TTL) value of each record. The SOA, NS, and glue A resource records, which are not written to the cache, expire according to the expire interval in the stub zone's SOA record, which is created when the stub zone is created and updated during transfers to the stub zone from the original primary zone. SLIDE TRANSITION: Zone delegation is another way to offload DNS workload to another server. ADDITIONAL INFORMATION FOR PRESENTER: slide diagram, zone transfer from the child zone research.contoso.com (full zone: SOA research.contoso.com; NS DNS01.research.contoso.com with its glue A record; MX mail.research.contoso.com; SRV _ldap._tcp.research.contoso.com; SRV _kerberos._tcp.research.contoso.com; NS DNS02.research.contoso.com) to the stub zone on DNS01.contoso.com.
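The subset a stub zone keeps, as an added example that is not part of the TechNet deck: given a master server's full copy of research.contoso.com (constructed here to match the slide, with sample addresses), derive the SOA, NS and glue A records a stub-zone refresh would retain, and read the expire interval that governs how long the stub keeps answering without a successful refresh.

```python
# Added example, not code from the TechNet deck. A stub zone holds only the
# SOA, NS and glue A records of the child zone; this derives that subset from
# a master's full copy, as a stub-zone refresh would keep it. The zone mirrors
# the slide (research.contoso.com); the addresses are constructed sample data.

def build_stub(zone_name, full_zone):
    """Return the records a stub zone for `zone_name` keeps.

    full_zone: list of (owner, rtype, rdata) from the master. Glue A records
    are kept only for NS targets inside the zone (dns01.research.contoso.com);
    an NS host outside the zone (dns01.contoso.com) is resolved by normal
    recursion and gets no glue here.
    """
    zone_name = zone_name.lower().rstrip(".")
    def norm(name):
        return name.lower().rstrip(".")
    def in_zone(name):
        return norm(name) == zone_name or norm(name).endswith("." + zone_name)
    apex = [(o, t, r) for o, t, r in full_zone
            if norm(o) == zone_name and t in ("SOA", "NS")]
    ns_targets = {norm(r) for _, t, r in apex if t == "NS"}
    glue = [(o, t, r) for o, t, r in full_zone
            if t == "A" and norm(o) in ns_targets and in_zone(o)]
    return apex + glue

def stub_expire_seconds(stub_records):
    """Expire interval from the stub's SOA (mname rname serial refresh retry
    expire minimum): after this long without a refresh from a master the
    stub stops being used to answer queries."""
    soa = next(r for _, t, r in stub_records if t == "SOA")
    return int(soa.split()[5])

# Constructed sample: the master's full copy of research.contoso.com.
RESEARCH_ZONE = [
    ("research.contoso.com", "SOA",
     "dns01.research.contoso.com. hostmaster.research.contoso.com. "
     "2004031501 900 600 86400 3600"),
    ("research.contoso.com", "NS", "dns01.research.contoso.com"),
    ("research.contoso.com", "NS", "dns02.research.contoso.com"),
    ("research.contoso.com", "NS", "dns01.contoso.com"),
    ("dns01.research.contoso.com", "A", "10.1.0.11"),
    ("dns02.research.contoso.com", "A", "10.1.0.12"),
    ("research.contoso.com", "MX", "10 mail.research.contoso.com"),
    ("mail.research.contoso.com", "A", "10.1.0.25"),
    ("_ldap._tcp.research.contoso.com", "SRV", "0 100 389 dc1.research.contoso.com"),
    ("_kerberos._tcp.research.contoso.com", "SRV", "0 100 88 dc1.research.contoso.com"),
]

if __name__ == "__main__":
    stub = build_stub("research.contoso.com", RESEARCH_ZONE)
    for rec in stub:
        print(rec)
    print("expire after", stub_expire_seconds(stub), "seconds")
```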

30 Active Directory Integration: Delegation of authority
Divide the namespace into additional zones. Delegate DNS administration. Split DNS zones to distribute traffic. Extend the namespace. KEY MESSAGE: SLIDE BUILDS: SLIDE SCRIPT: [BUILD 1] DNS provides the option of dividing the namespace into one or more zones, which can then be stored, distributed, and replicated to other DNS servers. When deciding whether to divide your DNS namespace into additional zones, consider the following reasons: a need to delegate management of part of your DNS namespace to another location or department within your organization; a need to divide one large zone into smaller zones to distribute traffic among multiple servers, improve DNS name resolution performance, or create a more fault-tolerant DNS environment; a need to extend the namespace by adding many subdomains at once, such as to accommodate the opening of a new branch or site. [BUILD 2] For example, the contoso.com administrators have decided that the research subdomain should be separated from the rest of the forest for its DNS resolution structure. The research division has grown to the point that it can now be somewhat autonomous. To achieve this, the enterprise administrators in contoso.com delegate the entire research.contoso.com DNS zone to the DNS server located in the research domain. [BUILD 3] The zone delegation adds two records to the parent zone, contoso.com: the name server (NS) record directs resolution for the research.contoso.com domain to dns1.research.contoso.com, and the host (glue A) record that follows it resolves that DNS server name to the proper IP address. SLIDE TRANSITION: Now for the second demonstration. ADDITIONAL INFORMATION FOR PRESENTER: slide diagram, delegation and glue records added to contoso.com: research.contoso.com NS dns1.research.contoso.com; dns1.research.contoso.com A (address). Lookup path: contoso.com NS lookup for dns1.research.contoso.com, which holds the SOA for the delegated zone. Other subdomains in the diagram: europa, asia, eua.

31 demo Active Directory Integration: Create a delegated subdomain
Secure a DNS zone KEY MESSAGE: Introduction to Demonstration 2. SLIDE BUILDS: None SLIDE SCRIPT: In this demonstration, you will create a delegated subdomain and secure the delegated DNS zone in Active Directory. SLIDE TRANSITION:

32 Agenda Install and manage DNS Active Directory integration
DNS features and configuration DNS in federated forests KEY MESSAGE: This is the agenda for this session. SLIDE BUILDS: None SLIDE SCRIPT: The next item on the agenda is DNS features and configuration. SLIDE TRANSITION: Dynamic update is the first item to be covered.

33 DNS features and configuration: Dynamic updates
Dynamically update resource records. Defined by RFC 2136. KEY MESSAGE: Describe the dynamic update process. SLIDE BUILDS: SLIDE SCRIPT: [BUILD 1] Dynamic update enables DNS client computers to register and dynamically update their resource records with a DNS server whenever changes occur. This reduces the need for manual administration of zone records, especially for clients that frequently move or change location and use DHCP to obtain an IP address. [BUILD 2] The DNS Client and Server services support dynamic updates as described in Request for Comments (RFC) 2136, "Dynamic Updates in the Domain Name System." The DNS Server service allows dynamic update to be enabled or disabled on a per-zone basis at each server configured to load either a standard primary or a directory-integrated zone. DNS update security is available only for zones that are integrated into Active Directory. Once you directory-integrate a zone, access control list (ACL) editing is available in the DNS console, so you can add or remove users or groups from the ACL of a zone or of an individual resource record. Once a zone becomes Active Directory-integrated, DNS servers running Windows Server 2003 default to allowing only secure dynamic updates. With standard (file-based) zone storage, the DNS Server service defaults to not allowing dynamic updates on its zones. For zones that are either directory-integrated or file-based, you can change the zone to allow "nonsecure and secure" dynamic updates, which accepts every update; note that this setting gives no protection at all, since an unauthenticated update can overwrite any record. [BUILD 3] By default, computers that are statically configured for TCP/IP attempt to dynamically register host (A) and pointer (PTR) resource records for the IP addresses configured on their network connections, based on the computer's fully qualified domain name. DNS clients attempt an unsecured dynamic update first. If the unsecured update is refused, they try a secure update.
Also, clients use a default update policy that permits them to attempt to overwrite a previously registered resource record, unless they are specifically blocked by update security. Slide diagram (DHCP-driven registration): the client sends an IP lease request to the DHCP server and receives the IP lease response. Windows 2000, XP and 2003 clients then send the dynamic DNS update for their own host (A) record (client01.contoso.com = the leased address) to the DNS server, while the DHCP server sends the dynamic update for the pointer (PTR) record. For pre-Windows 2000 clients, the DHCP server sends the dynamic updates for both the host (A) and the pointer (PTR) record.
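The three per-zone update settings and the ownership rule behind secure updates, as an added example that is not part of the TechNet deck. It models an Active Directory-integrated zone in which a secure update records the principal that created a record and refuses overwrites by anyone else, the "nonsecure and secure" setting in which anyone can overwrite anything, and the Windows client's default of trying an unsecured update before a secure one. The principals, names and addresses are constructed sample data.

```python
# Added example, not code from the TechNet deck. A minimal model of the
# dynamic update settings (None / Nonsecure and secure / Secure only), of
# the record ownership that secure updates enforce in an AD-integrated zone,
# and of the Windows client's "unsecured first, then secure" behaviour.
# Principals, names and addresses are constructed sample data.

class UpdateRefused(Exception):
    pass

class Zone:
    NONE, NONSECURE_AND_SECURE, SECURE_ONLY = "none", "nonsecure", "secure"

    def __init__(self, name, mode):
        self.name, self.mode = name, mode
        self.records = {}   # owner name -> (rdata, owning principal or None)

    def update(self, owner, rdata, principal=None):
        """principal is None for an unsecured (unauthenticated) update."""
        if self.mode == self.NONE:
            raise UpdateRefused("dynamic update disabled on this zone")
        if principal is None:
            if self.mode == self.SECURE_ONLY:
                raise UpdateRefused("zone accepts secure updates only")
            # nonsecure update accepted: anyone may overwrite anything
            self.records[owner] = (rdata, None)
            return
        # secure update: the ACL of an existing record lets only its owner
        # (the account that registered it) change it
        current = self.records.get(owner)
        if current and current[1] not in (None, principal):
            raise UpdateRefused(f"{principal} is not the owner of {owner}")
        self.records[owner] = (rdata, principal)

    def lookup(self, owner):
        return self.records.get(owner, (None, None))[0]

def client_register(zone, owner, rdata, principal):
    """Windows DNS client default: unsecured attempt first, then secure.
    Returns which kind of update the zone accepted."""
    try:
        zone.update(owner, rdata)
        return "nonsecure"
    except UpdateRefused:
        zone.update(owner, rdata, principal)
        return "secure"

def hijack_demo(mode):
    """client01 registers its name; a second machine then tries to take the
    name over. Returns the address the zone finally answers with."""
    z = Zone("contoso.com", mode)
    client_register(z, "client01.contoso.com", "10.0.0.10", "CONTOSO\\CLIENT01$")
    try:
        client_register(z, "client01.contoso.com", "10.0.0.66", "CONTOSO\\ROGUE$")
    except UpdateRefused:
        pass
    return z.lookup("client01.contoso.com")

if __name__ == "__main__":
    for mode in (Zone.NONSECURE_AND_SECURE, Zone.SECURE_ONLY):
        print(mode, "->", hijack_demo(mode))
```

With "nonsecure and secure" the rogue machine's unsecured update wins and client01 now resolves to the attacker's address; with "secure only" the second registration is refused because the record is owned by CLIENT01$.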


35 DNS features and configuration: Zone transfers
Applies only to standard DNS zones. Availability and fault tolerance. Full initial transfer (AXFR). Incremental zone transfer (IXFR). KEY MESSAGE: Explain the zone transfer process. SLIDE BUILDS: 7 SLIDE SCRIPT: [BUILD 1] Zone transfers are the method by which zone information propagates for standard zones. As you have seen, Active Directory-integrated zones replicate within Active Directory. Standard zones, on the other hand, are file based and need an established method for updating zone information. [BUILD 2] Because of the important role that zones play in DNS, they should be available from more than one DNS server on the network to provide availability and fault tolerance when resolving name queries. Otherwise, if a single server is used and that server is not responding, queries for names in the zone fail. For additional servers to host a zone, zone transfers are required to replicate and synchronize all copies of the zone at each server configured to host it. [BUILD 3] When a new DNS server is added to the network and configured as a secondary server for an existing zone, it performs a full initial transfer of the zone to obtain a complete copy of its resource records. In most earlier DNS server implementations, the same full transfer is also used whenever the zone needs updating after changes are made to it. The DNS service on Windows Server 2003 supports incremental zone transfer, a revised zone transfer process for intermediate changes. [BUILD 4] When incremental transfers are supported both by the DNS server acting as the source for a zone and by the servers that copy the zone from it, zone changes and updates propagate more efficiently. In earlier DNS implementations, any request for an update of zone data required a full transfer of the entire zone database using an AXFR query.
With incremental transfer, an alternate query type (IXFR) can be used instead. This allows the secondary server to pull only the zone changes it needs to synchronize its copy of the zone with its source, which is either the primary copy or a secondary copy of the zone maintained by another DNS server. Slide diagram (exchange between the secondary and primary DNS server): the transfer process starts when the secondary's refresh interval expires or when the primary notifies it that new DNS information is available; the secondary sends an SOA request for the zone; the primary answers the SOA request with the state of the zone (its serial number); if the primary's copy is newer, the secondary sends an IXFR or AXFR request for the zone; the primary answers the IXFR or AXFR request with the zone transfer.
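The secondary's side of the exchange on the slide, as an added example that is not part of the TechNet deck: compare the SOA serials using RFC 1982 serial arithmetic (so a serial that has wrapped around is still recognised as newer), decide between IXFR and AXFR depending on whether the primary still holds a journal back to the secondary's serial, apply an IXFR delta, and, on the primary's side, the transfer restriction a practitioner should always set, since an unrestricted AXFR hands anyone who asks the entire zone. The journal, records and addresses are constructed sample data.

```python
# Added example, not code from the TechNet deck. Models the secondary's
# decisions in a zone transfer (serial comparison per RFC 1982, IXFR vs AXFR,
# applying an IXFR delta) and the primary's transfer ACL. The serials, journal
# and records below are constructed sample data.

def serial_gt(a, b):
    """True if 32-bit zone serial a is newer than b (RFC 1982 arithmetic)."""
    return a != b and ((a - b) & 0xFFFFFFFF) < 0x80000000

def plan_transfer(local_serial, master_serial, ixfr_supported, journal_from):
    """Return 'none', 'IXFR' or 'AXFR' after the SOA query.

    journal_from: oldest serial from which the master can still serve deltas;
    if our serial is older than that, only a full transfer can resynchronize.
    """
    if not serial_gt(master_serial, local_serial):
        return "none"                      # SOA response says we are current
    if ixfr_supported and not serial_gt(journal_from, local_serial):
        return "IXFR"
    return "AXFR"                          # fall back to a full transfer

def apply_ixfr(zone, deltas):
    """zone: dict owner -> set of rdata strings.
    deltas: list of (new_serial, removed, added), each a list of (owner, rdata),
    in the order the IXFR response carries them. Returns the updated zone."""
    for _serial, removed, added in deltas:
        for owner, rdata in removed:
            zone[owner].discard(rdata)
            if not zone[owner]:
                del zone[owner]
        for owner, rdata in added:
            zone.setdefault(owner, set()).add(rdata)
    return zone

def allow_transfer(requester_ip, allowed_ips):
    """Primary side: only the listed secondaries may pull the zone, which is
    the 'Allow zone transfers only to the following servers' setting."""
    return requester_ip in allowed_ips

if __name__ == "__main__":
    zone = {"client01.contoso.com": {"10.0.0.10"}}
    print(plan_transfer(100, 103, ixfr_supported=True, journal_from=98))
    print(apply_ixfr(zone, [(101, [("client01.contoso.com", "10.0.0.10")],
                                   [("client01.contoso.com", "10.0.0.11")]),
                            (103, [], [("client02.contoso.com", "10.0.0.12")])]))
    print(allow_transfer("203.0.113.9", {"10.0.0.2"}))
```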


38 DNS features and configuration: Aging and scavenging
Removes stale resource records. Dynamically updated records are not always removed. Problems caused by stale records: larger zone size, inaccurate DNS answers, degraded performance, name conflicts. KEY MESSAGE: Describe the aging and scavenging mechanisms. SLIDE BUILDS: 9 SLIDE SCRIPT: [BUILD 1] DNS servers running Windows Server 2003 support aging and scavenging. These features provide a mechanism for cleaning up and removing stale resource records that accumulate in zone data over time. [BUILD 2] With dynamic update, resource records are added to zones automatically when computers start on the network. However, in some cases they are not automatically removed when computers leave the network. For example, if a computer registers its own host record at startup and is later improperly disconnected from the network, its host record might not be deleted. If your network has mobile users and computers, this happens frequently. [BUILD 3] If left unmanaged, stale resource records in zone data can cause problems. If a large number of stale records remain in server zones, they eventually take up server disk space and cause unnecessarily long zone transfers. [BUILD 4] DNS servers loading zones with stale resource records might use outdated information to answer client queries, causing clients to experience name resolution problems on the network. [BUILD 5] The accumulation of stale records on the DNS server can degrade its performance and responsiveness. [BUILD 6] In some cases, a stale record in a zone can prevent a DNS domain name from being used by another computer or host device. To solve these problems, the DNS Server service provides several features.
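The mechanism behind those features, as an added example that is not part of the TechNet deck. Windows DNS aging stamps dynamically registered records with a timestamp and works with two per-zone intervals, the no-refresh interval (a re-registration with unchanged data during it does not rewrite the timestamp, which keeps routine refreshes from generating Active Directory replication) and the refresh interval; a record becomes eligible for scavenging once its timestamp is older than the sum of the two, and records with no timestamp (static records, or records created before aging was enabled) are never scavenged. Both intervals default to 7 days on Windows Server 2003. The zone and timestamps below are constructed sample data, expressed in hours.

```python
# Added example, not code from the TechNet deck. Models Windows DNS aging:
# a timestamp on dynamic records, a no-refresh interval during which
# unchanged re-registrations do not touch the timestamp, a refresh interval,
# and a scavenging pass that removes records older than the sum of the two.
# Records with timestamp 0 are static and never scavenged. The zone below is
# constructed sample data with timestamps in hours.

NO_REFRESH_HOURS = 7 * 24     # Windows Server 2003 default: 7 days
REFRESH_HOURS = 7 * 24        # Windows Server 2003 default: 7 days

def refresh(record, now_hours, no_refresh=NO_REFRESH_HOURS):
    """A client re-registers the same data. Returns True if the timestamp was
    updated, False if suppressed by the no-refresh interval. Static records
    (timestamp 0) are left alone in this model."""
    ts = record.get("timestamp", 0)
    if ts == 0 or now_hours - ts < no_refresh:
        return False
    record["timestamp"] = now_hours
    return True

def is_stale(record, now_hours, no_refresh=NO_REFRESH_HOURS,
             refresh_iv=REFRESH_HOURS):
    """Eligible for scavenging: timestamped and older than both intervals."""
    ts = record.get("timestamp", 0)
    return ts != 0 and now_hours - ts > no_refresh + refresh_iv

def scavenge(zone, now_hours, **intervals):
    """Delete stale records in place; return (kept, removed) owner lists."""
    removed = [n for n, r in zone.items() if is_stale(r, now_hours, **intervals)]
    for n in removed:
        del zone[n]
    return sorted(zone), sorted(removed)

if __name__ == "__main__":
    zone = {
        "client01.contoso.com": {"rdata": "10.0.0.10", "timestamp": 0},    # static
        "laptop07.contoso.com": {"rdata": "10.0.0.77", "timestamp": 100},  # left the network
        "srv02.contoso.com": {"rdata": "10.0.0.2", "timestamp": 50},
    }
    print("refresh at h74 ->", refresh(zone["srv02.contoso.com"], 74))    # suppressed
    print("refresh at h218 ->", refresh(zone["srv02.contoso.com"], 218))  # timestamp updated
    print("scavenge at h437 ->", scavenge(zone, 437))
```

One practical caveat: scavenging deletes records that were registered dynamically but belong to hosts that simply stopped refreshing (a server whose DNS client service was disabled, for example), so the hosts that must never disappear should carry static records.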


40 DNS features and configuration: Advanced options
Disable recursion. BIND secondaries. Fail on load if bad zone data. Enable round robin. Enable netmask ordering. Secure cache against pollution. KEY MESSAGE: Advanced DNS server options. SLIDE BUILDS: 6 SLIDE SCRIPT: [BUILD 1] Recursion is the process in which a requester asks a DNS server to assume the full workload and responsibility for providing a complete answer to its query. The DNS server then uses separate iterative queries to other DNS servers on behalf of the requester to complete the answer. When you disable recursion on a server, the server accepts only iterative queries and answers only with information for which it is authoritative. Disabling recursion also disables the use of forwarders. [BUILD 2] When transferring a zone between two Windows DNS servers, the DNS Server service always uses a fast transfer method that uses compression and packs multiple resource records into each message sent to complete the transfer. For DNS servers running Windows Server 2003 this is also the default when initiating transfers with other DNS server implementations. If necessary, DNS servers running Windows Server 2003 can be configured to transfer a zone using the slower, uncompressed format, so that transfers succeed with servers that do not support the fast method, such as older BIND servers. When you select the BIND secondaries check box in the advanced server properties, no fast transfers are made to any server. [BUILD 3] By default, the DNS Server service logs data errors, ignores the erroneous data in the zone file, and continues to load the zone. The fail-on-load-if-bad-zone-data option prevents the zone from being loaded at all when an error is found.
[BUILD 4] Round robin determines whether the DNS server rotates and reorders the list of resource records when several records of the same type exist for a query. This provides DNS-based load balancing, for web servers for example.
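Three of the options on the slide as the server-side logic each one enables, added here as an example that is not part of the TechNet deck: round robin rotation of a multi-address answer, netmask ordering (addresses in the client's own subnet first; the /24 used here is the class C mask Windows applies by default), and "secure cache against pollution", which drops records from a response whose names lie outside the zone the answering server is responsible for (its bailiwick), so that a referral for research.contoso.com cannot plant a bogus www.contoso.com in the cache. The addresses and names are constructed sample data.

```python
# Added example, not code from the TechNet deck. Server-side logic for three
# advanced options: round robin, netmask ordering and secure cache against
# pollution (a bailiwick check on records before they enter the cache).
# Addresses and names are constructed sample data.
import ipaddress

def order_answers(client_ip, addrs, rotation=0, *, round_robin=True,
                  netmask_ordering=True, local_prefix=24):
    """Order the addresses returned for a name with several A records.
    rotation: number of answers already given for the name (the server's
    round-robin position). local_prefix=24 mirrors the class C mask Windows
    uses by default for netmask ordering."""
    addrs = list(addrs)
    if round_robin and addrs:
        k = rotation % len(addrs)
        addrs = addrs[k:] + addrs[:k]               # rotate the list
    if netmask_ordering:
        client_net = ipaddress.ip_network(f"{client_ip}/{local_prefix}",
                                          strict=False)
        local = [a for a in addrs if ipaddress.ip_address(a) in client_net]
        addrs = local + [a for a in addrs if a not in local]
    return addrs

def in_bailiwick(name, zone):
    """True if `name` is at or below `zone` ('' is the root)."""
    name, zone = name.lower().rstrip("."), zone.lower().rstrip(".")
    return zone == "" or name == zone or name.endswith("." + zone)

def accept_into_cache(answering_zone, records, secure_cache=True):
    """Secure cache against pollution: keep only records whose owner names
    the answering server may speak for. records: (owner, rtype, rdata)."""
    if not secure_cache:
        return list(records)
    return [(o, t, r) for o, t, r in records if in_bailiwick(o, answering_zone)]

if __name__ == "__main__":
    web = ["10.0.0.10", "192.168.1.10", "10.0.0.11"]
    for i in range(3):
        print(order_answers("192.168.1.50", web, rotation=i))
    # a referral from the research.contoso.com server that tries to slip in
    # an A record for a name it is not authoritative for
    response = [("www.research.contoso.com", "A", "10.1.0.80"),
                ("www.contoso.com", "A", "203.0.113.66")]
    print(accept_into_cache("research.contoso.com", response))
```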


42 DNS features and configuration: Name resolution using root hints
Diagram labels: DNS server; requesting client; Zone "."; Zone com; Zone contoso.com; Request; Response; Delegation; Response: com is delegated to the com server; Response: contoso.com is delegated to the contoso.com server.
KEY MESSAGE: Name Resolution Process using Root Hints. SLIDE BUILDS: 6 SLIDE SCRIPT: [Build 1] Recursive name resolution is the process by which a DNS server uses the hierarchy of zones and delegations to respond to queries for which it is not authoritative. First, the client sends a recursive query to its DNS server to request the IP address that corresponds to the name. A recursive query indicates that the client wants a definitive answer to its query. The response to the recursive query must be a valid address or a message indicating that the address cannot be found. [Build 2] In some configurations, DNS servers include root hints, a list of names and IP addresses that enable them to query the DNS root servers. Root hints enable any DNS server to locate the DNS root servers. After the DNS server locates a DNS root server, it can resolve any query for that namespace. [Build 3] Because the DNS server is not authoritative for the name and does not have the answer in its cache, it uses root hints to find the IP address of a DNS root server. The DNS server uses an iterative query to ask the DNS root server to resolve the name. An iterative query indicates that the server will accept a referral to another server in place of a definitive answer to the query. Because the name ends with the label com, the DNS root server returns a referral to the com server that hosts the com zone. [Build 4] The DNS server uses an iterative query to ask the com server to resolve the name. Because the name ends with contoso.com, the com server returns a referral to the server that hosts the contoso.com zone. [Build 5] The DNS server uses an iterative query to ask the Contoso server to resolve the name. Since this server is authoritative for the contoso.com zone, it responds with the IP address that matches the www record.

44 DNS features and configuration: Name resolution using forwarding
Diagram labels: internal DNS server; DMZ DNS server; Zone "."; Zone com; Zone contoso.com; requesting client; Request.
KEY MESSAGE: Name Resolution Process using Forwarding. SLIDE BUILDS: SLIDE SCRIPT: [Build 1] In the previous example, the Forwarders tab of the local DNS server's properties contained only one entry, All Other DNS Domains, with no IP address defined to forward queries to. This configuration tells the server to use root hints to start the recursive resolution process. [Build 2] To protect the internal DNS server from being accessed from the Internet, the All Other DNS Domains entry can be configured with the IP address of a DNS server located in the network's DMZ. [Build 3] The internal DNS server sends the recursive query for the name to the DMZ DNS server, called a forwarder. Since the forwarder is not authoritative for the name and does not have the answer in its cache, it uses root hints to find the IP address of the DNS root server. Once the name is resolved, the forwarder replies to the internal DNS server, which in turn replies to the client. [Build 4] Alternatively, certain situations may allow you to create a forwarder for a specific domain name. This is referred to as conditional forwarding. On the Forwarders tab of the DNS server's properties, you can add a specific domain name and link it to the IP address of the DNS server that is authoritative for that DNS zone. [Build 5] The local DNS server can then query the authoritative server directly, which improves DNS responsiveness. This configuration is suggested during mergers and partnerships, or when multiple forests are used within a single organization. SLIDE TRANSITION: Debug logging is new in Windows Server 2003. ADDITIONAL INFORMATION FOR PRESENTER:
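The root-hints resolution on slide 42 and the two forwarding designs on this slide, configured with dnscmd as an added example (not part of the TechNet deck). The server name DNS-INT, the addresses 10.0.5.10 and 10.1.2.5 and the partner zone fabrikam.com are constructed.

```batch
@echo off
rem Added example (not from the deck): forwarding configuration via dnscmd.
rem Constructed values:
rem   DNS-INT    internal DNS server behind the firewall
rem   10.0.5.10  DMZ DNS server used as the forwarder
rem   10.1.2.5   partner server authoritative for fabrikam.com

rem --- Starting point: no forwarder, root hints do all the work -----------
rem An empty forwarder list with /NoSlave is the "All Other DNS Domains"
rem entry without an address: the server walks root -> com -> contoso.com
rem itself, which means it must talk to Internet hosts directly.
dnscmd DNS-INT /ResetForwarders /NoSlave

rem --- Hardened: All Other DNS Domains -> DMZ forwarder -------------------
rem Every query DNS-INT cannot answer goes to the DMZ server. /Slave turns
rem off the fallback to root hints, so the internal server never needs a
rem path to the Internet; the DMZ forwarder does the root-hints walk.
dnscmd DNS-INT /ResetForwarders 10.0.5.10 /Slave

rem --- Conditional forwarder for a partner or merged forest ---------------
rem Queries for fabrikam.com bypass the DMZ forwarder and go straight to the
rem partner's authoritative server; everything else still uses 10.0.5.10.
dnscmd DNS-INT /ZoneAdd fabrikam.com /Forwarder 10.1.2.5

rem --- Verify (read-only): server info lists forwarders and slave state ----
dnscmd DNS-INT /Info
dnscmd DNS-INT /ZoneInfo fabrikam.com
```

The first command shows the weak starting state only for contrast; in practice run the hardened form and the conditional forwarder, then confirm with the two read-only commands.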

45 DNS features and configuration: Debug logging
Advanced logging – logging beyond the event log
Packet direction
Packet contents
Transport protocol
Packet type
Filtering based on IP address
Extremely resource intensive
KEY MESSAGE: Review the Advanced Debug Logging Features. SLIDE BUILDS: 3 SLIDE SCRIPT: [BUILD 1] By default, all debug logging options are disabled. When selectively enabled, the DNS server can perform additional trace-level logging of selected types of events or messages for general troubleshooting and debugging of the server. The logging options give you granular control over the type of communication to capture. [BUILD 2] These options include the direction of packets, the contents of packets, the transport protocol, and the type of packet (either request or response). You may also apply filtering based on IP address. [BUILD 3] Debug logging can be resource intensive, affecting overall server performance and consuming disk space. Therefore, it should only be used temporarily, when more detailed information about server performance is needed. SLIDE TRANSITION: There are several tools you can use to manage DNS. ADDITIONAL INFORMATION FOR PRESENTER:

46 DNS features and configuration: DNS tools
DNS management console
Command-line utilities: Nslookup, DNScmd, Ipconfig
Event monitoring utilities
Performance monitoring utilities
Windows Management Instrumentation
Platform Software Development Kit
KEY MESSAGE: Introduce tools for managing DNS. SLIDE BUILDS: 5 SLIDE SCRIPT: [Build 1] There are a number of utilities for administering, monitoring and troubleshooting DNS servers and clients. The primary tool used to manage DNS servers is the DNS Management Console, which can be found in the Administrative Tools folder. The DNS console can be used to manage both local and remote DNS servers in your organization. Using this console, you can perform maintenance on the server, monitor the contents of the server cache, tune advanced server options, and configure aging and scavenging of stale resource records stored on the server. [Build 2] The command-line utilities can be used to manage and troubleshoot DNS servers and clients. Nslookup performs query testing of the DNS domain namespace. The Dnscmd utility provides the functionality of the DNS Management Console from the command line. This utility is useful in scripting batch files to automate routine DNS management tasks, or to perform simple unattended setup and configuration of new DNS servers on your network. Ipconfig is used to view and modify the IP configuration details used by the computer. Additional command-line options are included with this utility to help in troubleshooting and supporting DNS clients. [Build 3] Windows Server 2003 includes two options for monitoring DNS servers. DNS server event messages are separated and kept in their own system event log, the DNS Server log, which can be viewed using the DNS console or Event Viewer. To receive additional information about the DNS server, the debug logging feature can be enabled.
[Build 4] Performance monitoring for DNS servers can be done using additional service-specific counters that measure DNS server performance. These counters can be accessed through System Monitor, which is provided in the Performance console.

48 demo DNS features and configuration: Properties of a DNS zone
DNS aging and scavenging
Properties of a DNS server
Advanced debug logging
Registry structure for an Active Directory zone
KEY MESSAGE: Introduction to Demonstration 3. SLIDE BUILDS: None SLIDE SCRIPT: In this demonstration, you will review the zone and server configuration options available in Windows Server 2003 DNS. SLIDE TRANSITION:

49 Agenda: Install and manage DNS
Active Directory integration
DNS features and configuration
DNS in federated forests
KEY MESSAGE: This is the agenda for this session. SLIDE BUILDS: None SLIDE SCRIPT: The last item on the agenda covers using DNS in federated forests. SLIDE TRANSITION:

50 DNS in federated forests: Best practices for deploying DNS
Use alias records sparingly
Standardize your DNS practices
Replicate zones within Active Directory
Consider secondary zones
Review the RFC documents
Enter the contact information for the zone administrator = admin.contoso.com
KEY MESSAGE: Discuss DNS best practices. SLIDE BUILDS: 8 SLIDE SCRIPT: [BUILD 1] Now to review some of the best practices for deploying DNS in your enterprise. Each of these items will help improve DNS efficiency while helping to reduce administrative problems. First, be conservative in adding alias records to zones. Avoid using CNAME resource records where they are not needed to alias a host name used in a host resource record. Also, ensure that any alias names you use are not used in other resource records. DNS allows the owner name of a CNAME resource record to be used as the owner name of other types of resource records, such as NS, MX, and TXT resource records. [BUILD 2] When designing your DNS network, use standard guidelines and, wherever possible, follow preferred practices for managing your DNS infrastructure. DNS was designed to provide a level of fault tolerance for resolving names. If possible, you should have at least two name servers hosting each zone. [BUILD 3] If you are using Active Directory, use directory-integrated storage for your DNS zones for increased security, fault tolerance, and simplified deployment and management. By integrating zones, you can simplify network planning. For example, domain controllers for each of your Active Directory domains correspond in a direct one-to-one mapping to DNS servers. This can simplify planning and troubleshooting of DNS and Active Directory replication problems because the same server computers are used in both topologies. If you are using directory-integrated storage for your zones, you may select from the different replication scopes that replicate your DNS zone data throughout the directory.
If your DNS infrastructure must support Windows 2000 DNS servers, you will use the directory-integrated storage method that replicates DNS zone data to all domain controllers in a domain. If your DNS infrastructure is composed of DNS servers running Windows Server 2003 only, you may also select from replication scopes that replicate your DNS zone data to all DNS servers in the Active Directory forest, all DNS servers in a specified Active Directory domain, or all domain controllers specified in a custom replication scope.

53 DNS in federated forests: Securing the DNS infrastructure
Use forwarders for the Internet zone
Filter DNS traffic at the firewall
Limit DNS traffic by IP address
Recursion where applicable
Protect the cache against name pollution
Configure internal DNS with internal root hints
KEY MESSAGE: How to secure the DNS Infrastructure. SLIDE BUILDS: 6 SLIDE SCRIPT: [BUILD 1] The rest of this presentation focuses on how to secure your DNS infrastructure. Try to design each of these suggestions into your DNS resolution design and deviate from these guidelines only with good reason. You can find this checklist in the Windows Server 2003 Help file. First, to prevent anyone outside your company from obtaining internal network information, use separate DNS servers for internal and Internet name resolution. Your internal DNS namespace should be hosted on DNS servers behind your network's firewall. Your external, Internet-facing DNS presence should be managed by a DNS server in a perimeter network, also called a DMZ (demilitarized zone) or screened subnet. To provide Internet name resolution for internal hosts, you can have your internal DNS servers use a forwarder to send external queries to your external DNS server. [BUILD 2] To prevent anyone outside your company from obtaining information about your internal DNS namespace, configure your external router and firewall to allow DNS traffic only between your internal and external DNS servers. For the DNS servers in your network that are exposed to the Internet, restrict DNS zone transfers either to the DNS servers identified in the zone by Name Server (NS) resource records or to specific DNS servers in your network. If you are using Microsoft Internet Security and Acceleration (ISA) Server, you may use block filters to define the traffic allowed through the ISA Server.
[BUILD 3] If the server running the DNS Server service is a multi-homed computer, restrict the DNS Server service to listen only on the interface IP address used by its DNS clients and internal servers. For example, a server acting as a proxy server may have two network interface cards, one for the intranet and one for the Internet. If that server is also running the DNS Server service, you can configure the service to listen for DNS traffic only on the IP address used by the intranet network interface card.
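The perimeter checklist items above (zone transfer restriction and listen-address restriction), applied with dnscmd as an added example that is not part of the TechNet deck. The server names DNS-DMZ and DNS-EDGE, the addresses 10.0.1.5 and 10.0.5.11, and the zone contoso.com are constructed.

```batch
@echo off
rem Added example (not from the deck): perimeter hardening via dnscmd.
rem Constructed values:
rem   DNS-DMZ    Internet-exposed server hosting the public contoso.com zone
rem   10.0.5.11  the only secondary server allowed to pull that zone
rem   DNS-EDGE   multi-homed proxy that also runs the DNS Server service
rem   10.0.1.5   DNS-EDGE's intranet-side NIC address

rem --- Restrict zone transfers on the Internet-exposed server -------------
rem Weak setting to avoid: anyone can pull the whole zone (full host list).
rem     dnscmd DNS-DMZ /ZoneResetSecondaries contoso.com /NonSecure
rem Option 1: only servers named in the zone's NS records may transfer it,
rem and only they are notified of changes.
dnscmd DNS-DMZ /ZoneResetSecondaries contoso.com /SecureNs /Notify
rem Option 2 (tighter): an explicit secondary list, notified explicitly.
dnscmd DNS-DMZ /ZoneResetSecondaries contoso.com /SecureList 10.0.5.11 /NotifyList 10.0.5.11

rem --- Limit DNS traffic by IP address on a multi-homed server ------------
rem Listen only on the intranet NIC; the Internet-side address no longer
rem answers DNS at all, so the firewall rule is backed by the service itself.
dnscmd DNS-EDGE /ResetListenAddresses 10.0.1.5

rem --- Verify (read-only) -------------------------------------------------
dnscmd DNS-DMZ /ZoneInfo contoso.com /SecureSecondaries
dnscmd DNS-DMZ /ZoneInfo contoso.com /SecondaryServers
dnscmd DNS-EDGE /Info
```

Option 1 and Option 2 are alternatives; run whichever matches the checklist choice (NS-listed servers or an explicit list), not both.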

55 DNS in federated forests: Securing the DNS infrastructure
Use Active Directory-integrated zones
Protect the DNS service using ACLs
Edit file permissions for standard zones: <systemroot>\System32\DNS
Protect the DNS registry keys: HKLM\System\CurrentControlSet\Services\DNS
KEY MESSAGE: Securing the DNS Infrastructure. SLIDE BUILDS: 4 SLIDE SCRIPT: [BUILD 1] If the server running the DNS Server service is a domain controller, use Active Directory access control lists (ACLs) to secure access to the DNS Server service. [BUILD 2] Use Active Directory-integrated DNS zones. DNS zones stored in Active Directory can take advantage of Active Directory security features, such as secure dynamic update and the ability to apply Active Directory security settings to DNS servers, zones, and resource records. [BUILD 3] If a DNS zone is not stored in Active Directory, secure the DNS zone file by modifying permissions on the zone file or on the folder where the zone files are stored. The zone file or folder permissions should be configured to allow Full Control only to the System group. By default, zone files are stored in the systemroot\System32\Dns folder. [BUILD 4] Secure the DNS registry keys. The DNS registry keys can be found at the following registry location: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\DNS\ SLIDE TRANSITION: Now for the final demonstration for this session. ADDITIONAL INFORMATION FOR PRESENTER:
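The storage and permission steps on this slide, together with the replication-scope choice from the best-practices slide, as an added example that is not part of the TechNet deck. The domain controller name DC01 and the zone contoso.com are constructed; the /DP scope shortcuts are used as documented for dnscmd.

```batch
@echo off
rem Added example (not from the deck): AD-integrated storage, secure dynamic
rem update, zone-file permissions and a registry audit. DC01 and contoso.com
rem are constructed names.

rem --- Move the zone into Active Directory --------------------------------
rem Convert the standard primary zone to AD-integrated. /DP selects the
rem replication scope:
rem   /DP /legacy  all domain controllers in the domain (needed while
rem                Windows 2000 DNS servers remain)
rem   /DP /domain  all DNS servers in the domain (Windows Server 2003 only)
rem   /DP /forest  all DNS servers in the forest (Windows Server 2003 only)
dnscmd DC01 /ZoneResetType contoso.com /DsPrimary /DP /domain

rem Secure dynamic updates only. Weak alternative: 1 accepts unauthenticated
rem updates, so any host could overwrite another host's record.
dnscmd DC01 /Config contoso.com /AllowUpdate 2

rem --- Zones that must stay as files (standard zones) ---------------------
rem Audit the current ACL on the zone folder (read-only).
cacls "%SystemRoot%\System32\dns" /T
rem Replace the ACL so that only SYSTEM has Full Control, as the checklist
rem states. cacls without /E rewrites the whole ACL, which is intended here;
rem the DNS Server service runs as LocalSystem and administrators manage the
rem zones through the DNS console, not by editing the files directly.
echo Y| cacls "%SystemRoot%\System32\dns" /T /G SYSTEM:F

rem --- Registry -----------------------------------------------------------
rem Audit the service's configuration keys (read-only); restrict the key's
rem permissions afterwards in Registry Editor as the checklist advises.
reg query HKLM\System\CurrentControlSet\Services\DNS /s

rem --- Verify the zone is now AD-integrated with secure updates ------------
dnscmd DC01 /ZoneInfo contoso.com
```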

56 demo DNS in federated forests: Establishing a DNS path
Establish trusts between forests
Centrally manage DNS across forests
Prioritize local subnets
KEY MESSAGE: Introduction to Demonstration 4. SLIDE BUILDS: None SLIDE SCRIPT: In this final demonstration, you will manage the creation of a federated forest by establishing a DNS pathway and creating the forest-wide trust. This demonstration will also show how to centrally manage DNS across the enterprise. SLIDE TRANSITION:

57 Session summary
Install server roles using the wizards
Use the DNS management console
Integrate DNS zones into Active Directory
Configure forwarding
Dynamic updates
Aging and scavenging
Best practices – DNS management
Best practices – DNS security
KEY MESSAGE: It's important to take this information away from this session. SLIDE BUILDS: 0 SLIDE SCRIPT: [BUILD 1] In this session, you have learned how to manage the installation of server roles using the Configure Your Server Wizard and the installation wizards. [BUILD 2] Manage the DNS implementation using the DNS Management Console. [BUILD 3] The importance of integrating DNS zones into Active Directory and the benefits of doing so. [BUILD 4] You have learned when and why to use DNS forwarders. [BUILD 5] The administrative benefits of using dynamic updates, along with the security settings available for dynamic updates. [BUILD 6] The reasons to use aging and scavenging to clean up records not properly removed by dynamic updates. [BUILD 7] Finally, this presentation finished with a list of best practices for DNS management [BUILD 8] and DNS security. SLIDE TRANSITION: For more information… ADDITIONAL INFORMATION FOR PRESENTER:

58 For more information…
Main TechNet Web site at
Additional resources to support this session page can be found at
KEY MESSAGE: For more information on this session see these web sites. SLIDE BUILDS: 0 SLIDE SCRIPT: For more information on this session, see the main TechNet Web site at the address shown. Additional resources to support this session page can be found at the second address shown. SLIDE TRANSITION: For additional information on the technologies used, see these links.

59 MS Press: Inside information for IT professionals
KEY MESSAGE: MS Press books. SLIDE BUILDS: 1 SLIDE SCRIPT: You can find some informative books on the Microsoft Press site, such as:
Microsoft Windows Server 2003 Administrator's Pocket Consultant, William Stanek – ISBN Number
Introducing Microsoft Windows Server 2003, Jerry Honeycutt – ISBN Number
Microsoft Windows Server 2003 Deployment Kit, Microsoft Corporation – ISBN Number
Microsoft Windows Server 2003 Administrator's Companion, Sharon Crawford, Charlie Russel, Jason Gerend – ISBN Number
Microsoft Encyclopedia of Security, Mitch Tulloch – ISBN Number
SLIDE TRANSITION: Here are some titles available from third-party booksellers. To find the latest titles, visit

60 Third-party publications: Complementary titles for IT professionals
KEY MESSAGE: Books from 3rd party vendors. SLIDE BUILDS: 1 SLIDE SCRIPT: Check your favorite bookseller for these titles:
Microsoft Windows Server 2003 Delta Guide, Don Jones, Mark Rouse – ISBN Number
Windows Server 2003: Best Practices for Enterprise Deployments, Danielle Ruest, Nelson Ruest – ISBN Number X
DNS on Windows Server 2003, Robbie Allen, Matt Larson, Cricket Liu – ISBN Number
Windows Server 2003 in a Nutshell, Mitch Tulloch – ISBN Number
Windows Server 2003: The Complete Reference, Kathy Ivens, Rich Benack, Christian Branson – ISBN Number
SLIDE TRANSITION: Here is some more information on Microsoft Learning. These books can be found and purchased at all reputable bookstores and online retailers.

61 Assess your readiness: Microsoft Skills Assessment
What is Microsoft Skills Assessment?
A self-study learning tool for assessing readiness with respect to product and technology solutions, rather than job roles (certification)
Windows Server 2003, Exchange Server 2003, Windows Storage Server 2003, Visual Studio .NET, Office 2003
Free, online, unproctored and available to anyone
Answers the question: "Am I ready?"
Identifies skills gaps and provides learning plans with Microsoft Official Curriculum courses
Post your highest score to see how you compare with others
Visit
KEY MESSAGE: Skills assessment. SLIDE BUILDS: SLIDE SCRIPT: Microsoft Skills Assessment is a free online learning tool. It's an easy way for IT professionals to check their skills. You can quickly check your skills for implementing or managing Microsoft product or business solutions. Just take a short, 30-question assessment and see how well you know your stuff. The Skills Assessment includes a Personalized Learning Plan, which includes links to Microsoft Official Curriculum, specific TechNet articles, Press books, and other Microsoft learning content. There's also a way to measure how well you did compared with others who took the same assessment. Microsoft Skills Assessment is an expanding learning platform. Available now are assessments for Windows Server 2003, including security and patch management, Exchange Server 2003, Windows Storage Server, Office 2003, and Visual Studio .NET. SLIDE TRANSITION: If you want to take your skills assessment to the next level, there are a number of certification programs available.

62 Become a Microsoft Certified Systems Administrator (MCSA)
What is the MCSA certification?
For IT professionals who administer and maintain networks and systems based on Microsoft Windows Server
How do I become an MCSA on Microsoft Windows Server 2003?
Pass 3 core exams
Pass one elective exam or 2 CompTIA certifications
Where can I get more information?
KEY MESSAGE: MCSA Certification
SLIDE BUILDS:
SLIDE SCRIPT: The Microsoft Certified Systems Administrator (MCSA) certification is designed for professionals who implement, manage, and troubleshoot existing network and system environments based on Microsoft Windows® Server. Implementation responsibilities include installing and configuring parts of the systems. Management responsibilities include administering and supporting the systems. For more information about the MCSA certification, please visit:
SLIDE TRANSITION: The MCSE Certification is also available.

63 Become a Microsoft Certified Systems Engineer (MCSE)
What is the MCSE certification?
Premier certification for IT professionals who analyze requirements and design, plan, and implement the infrastructure for business solutions based on Microsoft Windows Server System
How do I become an MCSE on Microsoft Windows 2003?
Pass 6 core exams
Pass 1 elective exam from a broad list
Where can I get more information?
KEY MESSAGE: MCSE Certification
SLIDE BUILDS:
SLIDE SCRIPT: The Microsoft Certified Systems Engineer (MCSE) credential is the premier certification for professionals who analyze the business requirements and design, plan, and implement the infrastructure for business solutions based on the Microsoft Windows Server System integrated server software. Implementation responsibilities include installing, configuring, and troubleshooting network systems. For more information about the MCSE certification, please visit:
SLIDE TRANSITION: Here are some other certifications available.

64 What is TechNet? Puts the right answers within your reach
TechNet is the comprehensive collection of resources that helps IT implementers successfully plan, deploy, and manage Microsoft products.
TechNet Subscription
Monthly updates delivered on DVD or CD
The definitive resource to help you evaluate, deploy, and maintain Microsoft products
TechNet Web Site
Accessed at
Online resources and community
Subscriber-only online services
TechNet Flash
Twice-monthly electronic newsletter
Security updates, new resources, and special offers
TechNet Events and Webcasts
Briefings on the latest Microsoft products and technologies
Practical information
TechNet Communities
User groups
Managed newsgroups
KEY MESSAGE: TechNet information
SLIDE BUILDS:
SLIDE SCRIPT: While the monthly subscription software is the most obvious component of TechNet, there's also much more. The TechNet web site gives subscribers access to valuable information as well as threaded discussion pages and online seminars. Many subscribers use the web as frequently as they use the software. In the subscribers-only section, subscribers can access the Online Concierge Chat Support service: a Microsoft support specialist can help them locate technical information quickly and easily. TechNet Plus subscribers also get access to our Managed Newsgroup Support Service. You can post questions in over 90 IT-related public newsgroups and Microsoft will ensure that you get a response within 72 hours. TechNet Flash is a bi-weekly newsletter subscribers can register for; it gives them up-to-date information on the latest postings to the web site. TechNet Events: TechNet subscribers have access to free events that explain how to use Microsoft products and technologies at a technical level.
SLIDE TRANSITION: Here is where you can get TechNet.

65 Where can I get TechNet?
Visit TechNet online at
Register for TechNet Flash at /technet/abouttn/subscriptions/flash_register.mspx
Join the TechNet online forum at
Become a TechNet subscriber at
Attend more TechNet events or watch online
KEY MESSAGE: Where to get TechNet.
SLIDE BUILDS:
SLIDE SCRIPT: There is one place you should go to start: There is one communication you should subscribe to: TechNet Flash. Twice monthly for the IT Pro community; it focuses on news, information, resources, and events. Post questions on the discussion forum. Subscribe online. Look for TechNet-branded events - feature
SLIDE TRANSITION: [Last slide, close however you want]

66
KEY MESSAGE: Tag line.
SLIDE BUILDS:
SLIDE SCRIPT: Your potential. Our passion.
SLIDE TRANSITION:

67 Session credits
Author: Kevin E. Carbray, 3 Leaf
Producer/Editor: Alan Le Marquand
Technical specialists: Aaron Clutter, Bob Carver
KEY MESSAGE: Credits
SLIDE BUILDS:
SLIDE SCRIPT:
SLIDE TRANSITION:

