I've been reading up on DNS, and I've been quite interested on custom application directory partitions. Active-Directory uses them, but, as a developer, how can I extract the most out of them? What possible applications and real-world scenarios could I address and solve using custom application directory partitions? What problems can be solved, or are better solved, using them? I ask this from an architecture's point of view.
我一直在读DNS,我对自定义应用程序目录分区很感兴趣。 Active-Directory使用它们,但作为开发人员,我如何从中获取最多的东西?我可以使用自定义应用程序目录分区解决和解决哪些可能的应用程序和现实场景?使用它们可以解决或更好地解决哪些问题?我从架构的角度来问这个问题。
Or maybe there aren't any, and they should be used for Active Directory only. I doubt it, but I would like some perspectives and ideas on the matter.
或者可能没有,它们只应用于Active Directory。我对此表示怀疑,但我想就此事提出一些看法和想法。
Thanks
2 个解决方案
#1
I’m an AD Consultant. I’ve done a bit of work with DNS application partitions in the past and am presently looking to utilise them in my current environment. I wanted to find out where others are using them and stumbled across your question. Maybe writing this will help consolidate my thinking too!
我是AD顾问。我以前在DNS应用程序分区方面做了一些工作,目前我正在寻找在当前环境中使用它们。我想知道其他人在哪里使用它们并偶然发现你的问题。也许写这个也有助于巩固我的想法!
Imagine you are part of a large corporate AD domain with internal DNS name resource.coporate.local. Your organisation is geographically spread out with offices all over the world and your security polices for patch management, antivirus, proxy usage are all the same across the world. Your user base travels around quite a bit and their laptops have static mappings or paths to resources (Internet proxy; Login scripts; AV update servers; Windows update servers etc) which would be too far too reach and thus slow to access when on the other side of the world. By utilising DNS application partitions and creating one application partition per site, country or continent (whatever detail you can afford to administer) you can in a way ‘con’ the workstation into thinking that it is accessing the same host as if it were at it’s home location (the server/resource name is statically specified after all). Whereas in fact it is accessing a resource at your site of visit known by the same ‘name’ (It’s just a Host to IP mapping after all). A good application partition design works hand in hand with DHCP scope option 15 or the GPO setting for DNS Suffix Search List.
想象一下,您是具有内部DNS名称resource.coporate.local的大型企业AD域的一部分。您的组织在地理位置分散在世界各地的办事处,您的安全策略用于补丁管理,防病毒,代理使用在全球范围内都是相同的。您的用户群经常出差很多,而且他们的笔记本电脑有静态映射或资源路径(Internet代理;登录脚本; AV更新服务器; Windows更新服务器等),这些内容太宽,因此在另一方面访问速度很慢世界的一面。通过利用DNS应用程序分区并为每个站点,国家或大陆创建一个应用程序分区(无论您能负担得起的任何细节),您都可以“让”工作站认为它正在访问同一个主机,就像它在它的位置一样home location(服务器/资源名称毕竟是静态指定的)。实际上,它正在访问您所访问的站点上的资源,该资源以相同的“名称”(毕竟它只是一个主机到IP映射)。良好的应用程序分区设计与DHCP范围选项15或DNS后缀搜索列表的GPO设置密切配合。
A practical example: I work in the London office of a large corporate. My laptop has a Group Policy applied to it which tells it to get all Windows Updates from a server with IP 10.10.10.1, A-hosted in DNS with name: ‘WSUS01’ (which exists in the london.resource.corporate.local DNS application partition).
一个实际的例子:我在一家大公司的伦敦办公室工作。我的笔记本电脑应用了一个组策略,告诉它从IP 10.10.10.1的服务器获取所有Windows更新,在DNS中托管,名称为:'WSUS01'(存在于london.resource.corporate.local DNS中)应用程序分区)。
I then travel to Syndey. A day later the Windows Update GPO kicks in and I need to apply 10 updates each at 1MB each. Providing my machine has been told to look at the correct application partition via DHCP or DNS Suffix Search List, my machine will attempt to contact the host WSUS01 within my local DNS application partition, in this case hopefully configured to be sydney.resource.corporate.local. Thus making the download much quicker because I’m accessing a local resource. Also works well with proxies. Can you imagine travelling to Sydney and sitting in the office using an Internet proxy which is in the London office. All this to access a website based in Australia itself! Hopefully you get my point! ;)
然后我去了Syndey。一天后,Windows Update GPO开始运行,我需要分别应用10个更新,每个更新1MB。提供我的机器已被告知通过DHCP或DNS后缀搜索列表查看正确的应用程序分区,我的机器将尝试联系我本地DNS应用程序分区中的主机WSUS01,在这种情况下希望配置为sydney.resource.corporate。本地。因此,由于我正在访问本地资源,因此下载速度更快。也适用于代理。你能想象到伦敦办公室使用互联网代理去悉尼和坐在办公室。这一切都是为了访问一个位于澳大利亚的网站!希望你明白我的意思! ;)
Regards, Nadim Janjua
此致,Nadim Janjua
#2
That isn't my understanding of an application partition, from what I understand of custom application partitions, you would use them when there are excessive DNS inquries to a particular domain. If you have a forest root domain xyz.net, a global child domain zxy.net and another domain within the same forest named findme.net and lets say that findme.net is always resolving dns inquiries on the zxy.net dns servers. Well in order for that to happen, all of the traffic has to go through the forest root because of transitive trust, the dns servers send the information back through the forest root to the client in the findme.net domain. Now this causes excessive traffic that doesn't need to take place, so you would create a custom application directory partition and enlist the dns servers in the zyx.net domain and the dns servers in the findme.net domains. You would then change your replication scope for that partition to only the dns servers enlisted in your new partition, thus eliminating the need to traverse the forest root and causing unnecessary traffic.
这不是我对应用程序分区的理解,根据我对自定义应用程序分区的理解,当特定域存在过多的DNS问题时,您将使用它们。如果你有一个林根域xyz.net,一个全局子域zxy.net和同一个域中名为findme.net的另一个域,让我们说findme.net总是在zxy.net dns服务器上解析dns查询。好吧,为了实现这一点,由于传递信任,所有流量都必须通过林根,dns服务器通过林根将信息发送回findme.net域中的客户端。现在这会导致不需要发生的过多流量,因此您将创建一个自定义应用程序目录分区,并在zyx.net域和findme.net域中的dns服务器中登记dns服务器。然后,您可以将该分区的复制范围更改为仅在新分区中登记的dns服务器,从而无需遍历林根并导致不必要的流量。
From what I read in your message, I think that configuring the dhcp option 006 for dns would resolve your issue in being assigned an dns server locally for name resolution. This would allow dhcp to assign locally placed dns servers attached to configured subnets and if those DC's running the DNS Service ever fail, they will revert to other DNS Servers to prevent DNS Outage.
从我在您的消息中读到的内容,我认为为dns配置dhcp选项006将解决您在本地分配dns服务器以进行名称解析的问题。这将允许dhcp分配连接到已配置子网的本地放置的DNS服务器,如果那些运行DNS服务的DC发生故障,它们将恢复到其他DNS服务器以防止DNS中断。
#1
I’m an AD Consultant. I’ve done a bit of work with DNS application partitions in the past and am presently looking to utilise them in my current environment. I wanted to find out where others are using them and stumbled across your question. Maybe writing this will help consolidate my thinking too!
我是AD顾问。我以前在DNS应用程序分区方面做了一些工作,目前我正在寻找在当前环境中使用它们。我想知道其他人在哪里使用它们并偶然发现你的问题。也许写这个也有助于巩固我的想法!
Imagine you are part of a large corporate AD domain with internal DNS name resource.coporate.local. Your organisation is geographically spread out with offices all over the world and your security polices for patch management, antivirus, proxy usage are all the same across the world. Your user base travels around quite a bit and their laptops have static mappings or paths to resources (Internet proxy; Login scripts; AV update servers; Windows update servers etc) which would be too far too reach and thus slow to access when on the other side of the world. By utilising DNS application partitions and creating one application partition per site, country or continent (whatever detail you can afford to administer) you can in a way ‘con’ the workstation into thinking that it is accessing the same host as if it were at it’s home location (the server/resource name is statically specified after all). Whereas in fact it is accessing a resource at your site of visit known by the same ‘name’ (It’s just a Host to IP mapping after all). A good application partition design works hand in hand with DHCP scope option 15 or the GPO setting for DNS Suffix Search List.
想象一下,您是具有内部DNS名称resource.coporate.local的大型企业AD域的一部分。您的组织在地理位置分散在世界各地的办事处,您的安全策略用于补丁管理,防病毒,代理使用在全球范围内都是相同的。您的用户群经常出差很多,而且他们的笔记本电脑有静态映射或资源路径(Internet代理;登录脚本; AV更新服务器; Windows更新服务器等),这些内容太宽,因此在另一方面访问速度很慢世界的一面。通过利用DNS应用程序分区并为每个站点,国家或大陆创建一个应用程序分区(无论您能负担得起的任何细节),您都可以“让”工作站认为它正在访问同一个主机,就像它在它的位置一样home location(服务器/资源名称毕竟是静态指定的)。实际上,它正在访问您所访问的站点上的资源,该资源以相同的“名称”(毕竟它只是一个主机到IP映射)。良好的应用程序分区设计与DHCP范围选项15或DNS后缀搜索列表的GPO设置密切配合。
A practical example: I work in the London office of a large corporate. My laptop has a Group Policy applied to it which tells it to get all Windows Updates from a server with IP 10.10.10.1, A-hosted in DNS with name: ‘WSUS01’ (which exists in the london.resource.corporate.local DNS application partition).
一个实际的例子:我在一家大公司的伦敦办公室工作。我的笔记本电脑应用了一个组策略,告诉它从IP 10.10.10.1的服务器获取所有Windows更新,在DNS中托管,名称为:'WSUS01'(存在于london.resource.corporate.local DNS中)应用程序分区)。
I then travel to Syndey. A day later the Windows Update GPO kicks in and I need to apply 10 updates each at 1MB each. Providing my machine has been told to look at the correct application partition via DHCP or DNS Suffix Search List, my machine will attempt to contact the host WSUS01 within my local DNS application partition, in this case hopefully configured to be sydney.resource.corporate.local. Thus making the download much quicker because I’m accessing a local resource. Also works well with proxies. Can you imagine travelling to Sydney and sitting in the office using an Internet proxy which is in the London office. All this to access a website based in Australia itself! Hopefully you get my point! ;)
然后我去了Syndey。一天后,Windows Update GPO开始运行,我需要分别应用10个更新,每个更新1MB。提供我的机器已被告知通过DHCP或DNS后缀搜索列表查看正确的应用程序分区,我的机器将尝试联系我本地DNS应用程序分区中的主机WSUS01,在这种情况下希望配置为sydney.resource.corporate。本地。因此,由于我正在访问本地资源,因此下载速度更快。也适用于代理。你能想象到伦敦办公室使用互联网代理去悉尼和坐在办公室。这一切都是为了访问一个位于澳大利亚的网站!希望你明白我的意思! ;)
Regards, Nadim Janjua
此致,Nadim Janjua
#2
That isn't my understanding of an application partition, from what I understand of custom application partitions, you would use them when there are excessive DNS inquries to a particular domain. If you have a forest root domain xyz.net, a global child domain zxy.net and another domain within the same forest named findme.net and lets say that findme.net is always resolving dns inquiries on the zxy.net dns servers. Well in order for that to happen, all of the traffic has to go through the forest root because of transitive trust, the dns servers send the information back through the forest root to the client in the findme.net domain. Now this causes excessive traffic that doesn't need to take place, so you would create a custom application directory partition and enlist the dns servers in the zyx.net domain and the dns servers in the findme.net domains. You would then change your replication scope for that partition to only the dns servers enlisted in your new partition, thus eliminating the need to traverse the forest root and causing unnecessary traffic.
这不是我对应用程序分区的理解,根据我对自定义应用程序分区的理解,当特定域存在过多的DNS问题时,您将使用它们。如果你有一个林根域xyz.net,一个全局子域zxy.net和同一个域中名为findme.net的另一个域,让我们说findme.net总是在zxy.net dns服务器上解析dns查询。好吧,为了实现这一点,由于传递信任,所有流量都必须通过林根,dns服务器通过林根将信息发送回findme.net域中的客户端。现在这会导致不需要发生的过多流量,因此您将创建一个自定义应用程序目录分区,并在zyx.net域和findme.net域中的dns服务器中登记dns服务器。然后,您可以将该分区的复制范围更改为仅在新分区中登记的dns服务器,从而无需遍历林根并导致不必要的流量。
From what I read in your message, I think that configuring the dhcp option 006 for dns would resolve your issue in being assigned an dns server locally for name resolution. This would allow dhcp to assign locally placed dns servers attached to configured subnets and if those DC's running the DNS Service ever fail, they will revert to other DNS Servers to prevent DNS Outage.
从我在您的消息中读到的内容,我认为为dns配置dhcp选项006将解决您在本地分配dns服务器以进行名称解析的问题。这将允许dhcp分配连接到已配置子网的本地放置的DNS服务器,如果那些运行DNS服务的DC发生故障,它们将恢复到其他DNS服务器以防止DNS中断。