Use DNS Policy for Split-Brain DNS in Active Directory

Applies To: Windows Server (Semi-Annual Channel), Windows Server 2016

You can use this topic to leverage the traffic management capabilities of DNS policies for split-brain deployments with Active Directory integrated DNS zones in Windows Server 2016.

In Windows Server 2016, DNS policy support is extended to Active Directory integrated DNS zones. Active Directory integration provides multi-master high availability capabilities to the DNS server.

Previously, this scenario required that DNS administrators maintain two different DNS servers, each providing services to one set of users, internal or external. If only a few records inside the zone were split-brained, or both instances of the zone (internal and external) were delegated to the same parent domain, this became a management conundrum.

Note

  • DNS deployments are split-brain when there are two versions of a single zone: one version for internal users on the organization intranet, and one version for external users, who are typically users on the Internet.
  • The topic Use DNS Policy for Split-Brain DNS Deployment explains how you can use DNS policies and zone scopes to deploy a split-brain DNS system on a single Windows Server 2016 DNS server.

Example Split-Brain DNS in Active Directory

This example uses one fictional company, Contoso, which maintains a career Web site at www.career.contoso.com.

The site has two versions, one for the internal users where internal job postings are available. This internal site is available at the local IP address 10.0.0.39.

The second version is the public version of the same site, which is available at the public IP address 65.55.39.10.

In the absence of DNS policy, the administrator is required to host these two zones on separate Windows Server DNS servers and manage them separately.

Using DNS policies, these zones can now be hosted on the same DNS server.

If the DNS server for contoso.com is Active Directory integrated, and is listening on two network interfaces, the Contoso DNS Administrator can follow the steps in this topic to achieve a split-brain deployment.

The DNS Administrator configures the DNS server interfaces with the following IP addresses.

  • The Internet facing network adapter is configured with a public IP address of 208.84.0.53 for external queries.
  • The Intranet facing network adapter is configured with a private IP address of 10.0.0.56 for internal queries.

The following illustration depicts this scenario.

[Figure: Split-Brain AD integrated DNS deployment]

How DNS Policy for Split-Brain DNS in Active Directory Works

When the DNS server is configured with the required DNS policies, each name resolution request is evaluated against the policies on the DNS server.

The server interface is used in this example as the criterion to differentiate between the internal and external clients.

If the server interface upon which the query is received matches any of the policies, the associated zone scope is used to respond to the query.

So, in our example, the DNS queries for www.career.contoso.com that are received on the private IP (10.0.0.56) receive a DNS response that contains the internal IP address, and the DNS queries that are received on the public network interface receive a DNS response that contains the public IP address from the external zone scope. Queries that match no policy are answered from the default zone scope, which is the same as normal query resolution.

Dynamic DNS (DDNS) updates and scavenging are supported only on the default zone scope. Because the internal clients are serviced by the default zone scope, Contoso DNS Administrators can continue using the existing mechanisms (dynamic DNS or static) to update the records in contoso.com. For non-default zone scopes (such as the external scope in this example), DDNS and scavenging support is not available.

High Availability of Policies

DNS policies are not Active Directory integrated. Because of this, DNS policies are not replicated to the other DNS servers that are hosting the same Active Directory integrated zone.

DNS policies are stored on the local DNS server. You can easily export DNS policies from one server to another by using the following example Windows PowerShell commands.

$policies = Get-DnsServerQueryResolutionPolicy -ZoneName "contoso.com" -ComputerName Server01

$policies |  Add-DnsServerQueryResolutionPolicy -ZoneName "contoso.com" -ComputerName Server02

For more information, see the following Windows PowerShell reference topics.

How to Configure DNS Policy for Split-Brain DNS in Active Directory

To configure a DNS split-brain deployment by using DNS policy, you must use the following sections, which provide detailed configuration instructions.

Add the Active Directory Integrated Zone

You can use the following example command to add the Active Directory integrated contoso.com zone to the DNS server.

Add-DnsServerPrimaryZone -Name "contoso.com" -ReplicationScope "Domain" -PassThru

For more information, see Add-DnsServerPrimaryZone.

Create the Scopes of the Zone

You can use this section to partition the zone contoso.com to create an external zone scope.

A zone scope is a unique instance of the zone. A DNS zone can have multiple zone scopes, with each zone scope containing its own set of DNS records. The same record can be present in multiple scopes, with different IP addresses or the same IP addresses.

Because you are adding this new zone scope in an Active Directory integrated zone, the zone scope and the records inside it will replicate via Active Directory to other replica servers in the domain.

By default, a zone scope exists in every DNS zone. This zone scope has the same name as the zone, and legacy DNS operations work on this scope. This default zone scope will host the internal version of www.career.contoso.com.

You can use the following example command to create the zone scope on the DNS server.

Add-DnsServerZoneScope -ZoneName "contoso.com" -Name "external"

For more information, see Add-DnsServerZoneScope.

Add Records to the Zone Scopes

The next step is to add the records representing the web server host into the two zone scopes: external and default (for internal clients).

In the default internal zone scope, the record www.career.contoso.com is added with IP address 10.0.0.39, which is a private IP address; in the external zone scope, the same record (www.career.contoso.com) is added with the public IP address 65.55.39.10.

The records (both in the default internal zone scope and the external zone scope) will automatically replicate across the domain with their respective zone scopes.

You can use the following example commands to add records to the zone scopes on the DNS server.
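Because policies stay local to each server while the zone itself replicates, the policy set tends to drift between replica servers. The following script is an added example (not from this article) that extends the two export commands above into a consistency check: it compares the zone-level policies on every domain controller against a reference server, reports policies that exist only on a replica, and copies the missing ones. It assumes the DnsServer and ActiveDirectory modules are available, that every domain controller runs the DNS Server role, and that "Server01" is the server whose policies are treated as authoritative.

```powershell
# Added example: keep zone-level DNS policies consistent across all DNS servers that host
# the AD-integrated zone. Policies do not replicate, so this has to be done out of band.
# Assumes: DnsServer + ActiveDirectory modules; every DC runs DNS; Server01 is the reference.

$ZoneName  = "contoso.com"
$Reference = "Server01"

# Policies on the reference server (assumed source of truth for this zone)
$refPolicies = Get-DnsServerQueryResolutionPolicy -ZoneName $ZoneName -ComputerName $Reference

# Every other domain controller, by host name
$targets = Get-ADDomainController -Filter * |
    Select-Object -ExpandProperty HostName |
    Where-Object { $_ -ne $Reference -and $_ -notlike "$Reference.*" }

foreach ($server in $targets) {
    # Skip servers that do not host the zone at all
    $zone = Get-DnsServerZone -Name $ZoneName -ComputerName $server -ErrorAction SilentlyContinue
    if (-not $zone) { Write-Warning "$server does not host $ZoneName; skipping"; continue }

    $existing = Get-DnsServerQueryResolutionPolicy -ZoneName $ZoneName -ComputerName $server
    $missing  = $refPolicies | Where-Object { $_.Name -notin $existing.Name }
    $extra    = $existing    | Where-Object { $_.Name -notin $refPolicies.Name }

    # Report drift first: a policy that exists only on one replica changes how that
    # server answers and is worth reviewing before anything is copied
    foreach ($p in $extra) {
        Write-Warning "$server has policy '$($p.Name)' that is not present on $Reference"
    }

    # Copy only what the target lacks, using the same pipeline form as the article
    if ($missing) {
        $missing | Add-DnsServerQueryResolutionPolicy -ZoneName $ZoneName -ComputerName $server
        Write-Host "Copied $(@($missing).Count) policy/policies to $server"
    }
}
```

Run it from an account with DNS administration rights on every target; the report-only part (the two Write-Warning loops) is safe to run on its own if you want to audit drift without changing anything.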

Add-DnsServerResourceRecord -ZoneName "contoso.com" -A -Name "www.career" -IPv4Address "65.55.39.10" -ZoneScope "external"

Add-DnsServerResourceRecord -ZoneName "contoso.com" -A -Name "www.career" -IPv4Address "10.0.0.39"

Note

The -ZoneScope parameter is not included when the record is added to the default zone scope. This action is the same as adding records to a normal zone.

For more information, see Add-DnsServerResourceRecord.

Create the DNS Policies

After you have identified the server interfaces for the external network and internal network and you have created the zone scopes, you must create DNS policies that connect the internal and external zone scopes.

Note

This example uses the server interface (the -ServerInterface parameter in the example command below) as the criterion to differentiate between the internal and external clients. Another method to differentiate between external and internal clients is to use client subnets as the criterion. If you can identify the subnets to which the internal clients belong, you can configure DNS policy to differentiate based on client subnet. For information on how to configure traffic management using client subnet criteria, see Use DNS Policy for Geo-Location Based Traffic Management with Primary Servers.

After you configure policies, when a DNS query is received on the public interface, the answer is returned from the external scope of the zone.

Note

No policies are required for mapping the default internal zone scope.

Add-DnsServerQueryResolutionPolicy -Name "SplitBrainZonePolicy" -Action ALLOW -ServerInterface "eq,208.84.0.53" -ZoneScope "external,1" -ZoneName contoso.com

Note

208.84.0.53 is the IP address on the public network interface.

For more information, see Add-DnsServerQueryResolutionPolicy.

Now the DNS server is configured with the required DNS policies for a split-brain name server with an Active Directory integrated DNS zone.

You can create thousands of DNS policies according to your traffic management requirements, and all new policies are applied dynamically to incoming queries, without restarting the DNS server.
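The steps above, collected into one script as an added example (not code from this article): it creates the zone, the external scope, the two records and the policy, and then verifies the result by querying each listening address directly and checking that the answer comes from the intended scope. It assumes the DnsServer module, that the script runs on the DNS server itself, and that the server listens on 10.0.0.56 (internal) and 208.84.0.53 (public) as in the example; the Test-SplitBrainAnswer function is a helper written for this example.

```powershell
# Added example: the split-brain configuration from this topic, end to end, plus a check
# that each interface answers from the expected zone scope.
# Assumes: DnsServer module; run on the DNS server; interfaces 10.0.0.56 and 208.84.0.53.

$ZoneName   = "contoso.com"
$Record     = "www.career"
$InternalIP = "10.0.0.39"      # internal web server, served from the default scope
$PublicIP   = "65.55.39.10"    # public web server, served from the external scope
$PublicIf   = "208.84.0.53"    # Internet-facing server interface
$PrivateIf  = "10.0.0.56"      # intranet-facing server interface

# 1. AD-integrated zone (skipped if it already exists)
if (-not (Get-DnsServerZone -Name $ZoneName -ErrorAction SilentlyContinue)) {
    Add-DnsServerPrimaryZone -Name $ZoneName -ReplicationScope "Domain" -PassThru
}

# 2. External zone scope; the default scope (same name as the zone) already exists
if (-not (Get-DnsServerZoneScope -ZoneName $ZoneName -Name "external" -ErrorAction SilentlyContinue)) {
    Add-DnsServerZoneScope -ZoneName $ZoneName -Name "external"
}

# 3. Same record name, different address in each scope
Add-DnsServerResourceRecord -ZoneName $ZoneName -A -Name $Record -IPv4Address $PublicIP -ZoneScope "external"
Add-DnsServerResourceRecord -ZoneName $ZoneName -A -Name $Record -IPv4Address $InternalIP

# 4. Policy: queries that arrive on the public interface are answered from the external scope.
#    No policy is needed for the default scope.
Add-DnsServerQueryResolutionPolicy -Name "SplitBrainZonePolicy" -Action ALLOW `
    -ServerInterface "eq,$PublicIf" -ZoneScope "external,1" -ZoneName $ZoneName

# 5. Verify by asking each listening address directly. A public-interface answer that
#    contains the private address means the policy is not matching and the internal
#    address is being disclosed externally.
function Test-SplitBrainAnswer {
    param([string]$Server, [string]$Expected)
    $fqdn   = "$Record.$ZoneName"
    $answer = Resolve-DnsName -Name $fqdn -Type A -Server $Server -DnsOnly -ErrorAction Stop |
              Where-Object { $_.Type -eq "A" } |
              Select-Object -ExpandProperty IPAddress
    if ($answer -contains $Expected) {
        Write-Host "OK   $Server answers $fqdn -> $($answer -join ',')"
    } else {
        Write-Warning "FAIL $Server answers $fqdn -> $($answer -join ','), expected $Expected"
    }
}

Test-SplitBrainAnswer -Server $PrivateIf -Expected $InternalIP   # default scope
Test-SplitBrainAnswer -Server $PublicIf  -Expected $PublicIP     # external scope
```

The verification in step 5 is worth keeping as a scheduled check: because the policy lives only on this server, a replica that hosts the same zone without the policy will answer public queries from the default scope, and querying each server's public address is the quickest way to notice that.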