Use DNS Policy for Geo-Location Based Traffic Management with Primary-Secondary Deployments

Applies to: Windows Server (Semi-Annual Channel), Windows Server 2016

You can use this topic to learn how to create DNS policy for geo-location based traffic management when your DNS deployment includes both primary and secondary DNS servers.

The previous scenario, Use DNS Policy for Geo-Location Based Traffic Management with Primary Servers, provided instructions for configuring DNS policy for geo-location based traffic management on a primary DNS server. In the Internet infrastructure, however, DNS servers are widely deployed in a primary-secondary model, where the writable copy of a zone is stored on a small number of well-protected primary servers, and read-only copies of the zone are kept on multiple secondary servers.

The secondary servers use the zone transfer protocols Authoritative Transfer (AXFR) and Incremental Zone Transfer (IXFR) to request and receive zone updates that include new changes to the zones on the primary DNS servers.

Note

For more information about AXFR, see the Internet Engineering Task Force (IETF) Request for Comments 5936. For more information about IXFR, see IETF Request for Comments 1995.

Primary-Secondary Geo-Location Based Traffic Management Example

Following is an example of how you can use DNS policy in a primary-secondary deployment to redirect traffic on the basis of the physical location of the client that performs a DNS query.

This example uses two fictional companies: Contoso Cloud Services, which provides web and domain hosting solutions; and Woodgrove Food Services, which provides food delivery services in multiple cities across the globe and has a Web site named woodgrove.com.

To ensure that woodgrove.com customers get a responsive experience from the website, Woodgrove wants European clients directed to the European datacenter and American clients directed to the U.S. datacenter. Customers located elsewhere in the world can be directed to either of the datacenters.

Contoso Cloud Services has two datacenters, one in the U.S. and another in Europe, on which Contoso hosts the food ordering portal for woodgrove.com.

The Contoso DNS deployment includes two secondary servers: SecondaryServer1, with the IP address 10.0.0.2, and SecondaryServer2, with the IP address 10.0.0.3. These secondary servers act as name servers in the two different regions, with SecondaryServer1 located in Europe and SecondaryServer2 located in the U.S.

There is a primary writable zone copy on PrimaryServer (IP address 10.0.0.1), where the zone changes are made. With regular zone transfers to the secondary servers, the secondary servers are always up to date with any new changes to the zone on PrimaryServer.

The following illustration depicts this scenario.

Illustration: Primary-Secondary Geo-Location Based Traffic Management Example

How the DNS Primary-Secondary System Works

When you deploy geo-location based traffic management in a primary-secondary DNS deployment, it is important to understand how normal primary-secondary zone transfers occur before learning about zone scope level transfers. The following sections provide information on zone and zone scope level transfers.

Zone transfers in a DNS primary-secondary deployment

You can create a DNS primary-secondary deployment and synchronize zones with the following steps.

  1. On the primary DNS server, create the primary zone.
  2. On each secondary server, create the secondary zone and specify the primary (master) servers it transfers from.
  3. On the primary server, add the secondary servers as trusted secondaries on the primary zone, so that zone transfers are allowed only to those IP addresses.
  4. The secondary zones make a full zone transfer request (AXFR) and receive a copy of the zone.
  5. When the zone changes, the primary server sends a notification (DNS NOTIFY) to the secondary servers.
  6. The secondary servers make an incremental zone transfer request (IXFR). Because of this, the secondary servers remain synchronized with the primary server.

Zone scope level transfers in a DNS primary-secondary deployment

The traffic management scenario requires additional steps to partition the zones into different zone scopes. Because of this, additional steps are required to transfer the data inside the zone scopes to the secondary servers, and to transfer policies and DNS Client Subnets to the secondary servers.

After you configure your DNS infrastructure with primary and secondary servers, zone scope level transfers are performed automatically by DNS, using the following processes.

To carry out zone scope level transfers, DNS servers use the Extension Mechanisms for DNS (EDNS0) OPT RR. All zone transfer (AXFR or IXFR) requests from zones that have scopes carry an EDNS0 OPT RR with an option whose code is set to 65433 by default. For more information about EDNS0, see IETF Request for Comments 6891. The code 65433 lies in the range 65001-65534 that RFC 6891 reserves for local or experimental use, so it is meaningful only between DNS servers that implement zone scopes; a secondary that does not send the option receives a transfer of the default scope only.

The value of the option is the name of the zone scope for which the request is being sent. When a primary DNS server receives this packet from a trusted secondary server, it interprets the request as being for that zone scope.

If the primary server has that zone scope, it responds with the transfer (XFR) data from that scope. The response contains an OPT RR with the same option code 65433 and value set to the same zone scope. The secondary servers receive this response, retrieve the scope information from it, and update that particular scope of the zone.

After this process, the primary server maintains a list of trusted secondaries that have sent such a zone scope request, and uses it to send notifications.

For any further update in a zone scope, a notification carrying the same OPT RR is sent to those secondary servers. The secondary server then makes an IXFR request for that zone scope containing the same OPT RR, and the process described above follows.
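The exchange described above, as an added example that is not part of the original article: PowerShell functions that build the AXFR request a secondary sends for one zone scope (a DNS query with an EDNS0 OPT RR carrying option code 65433) and that extract the scope name from any packet carrying that option, whether request or response. Two things are assumptions rather than statements from the article: the scope name is carried as plain ASCII in the option data (the article only says the option value is the scope name), and the scope name EuropeZoneScope is a placeholder.

```powershell
# Added example, not code from the original article. Builds the EDNS0 OPT RR that a
# Windows DNS secondary adds to a zone-scope AXFR request and reads it back from a
# packet. Assumptions: option code 65433 (the article's default) and the scope name
# carried as plain ASCII in the option data. 'EuropeZoneScope' is an assumed name.

$ScopeOptionCode = 65433   # 0xFF99, inside the 65001-65534 local-use range of RFC 6891

function Get-Uint16Bytes([uint16]$Value) {
    # Two bytes in network (big-endian) order
    return [byte[]]@([byte]([int]$Value -shr 8), [byte]([int]$Value -band 0xFF))
}

function ConvertTo-DnsName([string]$Name) {
    # Uncompressed wire-format name: length-prefixed labels terminated by a zero byte
    $bytes = New-Object System.Collections.Generic.List[byte]
    foreach ($label in $Name.TrimEnd('.').Split('.')) {
        $enc = [System.Text.Encoding]::ASCII.GetBytes($label)
        $bytes.Add([byte]$enc.Length)
        $bytes.AddRange([byte[]]$enc)
    }
    $bytes.Add([byte]0)
    return $bytes.ToArray()
}

function New-ZoneScopeOptRR([string]$ZoneScope, [uint16]$UdpPayloadSize = 4096) {
    # OPT pseudo-RR (RFC 6891): NAME = root (0x00), TYPE = 41, CLASS = UDP payload size,
    # TTL = extended RCODE / version / flags (all zero), RDATA = one option:
    # OPTION-CODE (2) + OPTION-LENGTH (2) + OPTION-DATA (the scope name).
    $data  = [System.Text.Encoding]::ASCII.GetBytes($ZoneScope)
    $rdata = (Get-Uint16Bytes $ScopeOptionCode) + (Get-Uint16Bytes $data.Length) + $data
    return [byte[]](@(0) + (Get-Uint16Bytes 41) + (Get-Uint16Bytes $UdpPayloadSize) +
                    @(0, 0, 0, 0) + (Get-Uint16Bytes $rdata.Length) + $rdata)
}

function New-ZoneScopeAxfrQuery([string]$ZoneName, [string]$ZoneScope, [uint16]$Id = 0x1234) {
    # Header: ID, FLAGS = 0 (standard query), QDCOUNT = 1, ANCOUNT = 0, NSCOUNT = 0,
    # ARCOUNT = 1 for the OPT RR. Question: <zone> AXFR (252) IN (1).
    $header   = (Get-Uint16Bytes $Id) + (Get-Uint16Bytes 0) + (Get-Uint16Bytes 1) +
                (Get-Uint16Bytes 0) + (Get-Uint16Bytes 0) + (Get-Uint16Bytes 1)
    $question = (ConvertTo-DnsName $ZoneName) + (Get-Uint16Bytes 252) + (Get-Uint16Bytes 1)
    return [byte[]]($header + $question + (New-ZoneScopeOptRR $ZoneScope))
}

function Skip-DnsName([byte[]]$Packet, [int]$Offset) {
    # Returns the offset just past a possibly compressed name (RFC 1035 section 4.1.4)
    while ($true) {
        $len = [int]$Packet[$Offset]
        if ($len -eq 0) { return $Offset + 1 }
        if (($len -band 0xC0) -eq 0xC0) { return $Offset + 2 }   # a pointer ends the name
        $Offset += 1 + $len
    }
}

function Get-Uint16At([byte[]]$Packet, [int]$Offset) {
    return ([int]$Packet[$Offset] -shl 8) -bor [int]$Packet[$Offset + 1]
}

function Get-ZoneScopeFromPacket([byte[]]$Packet) {
    # Walks every RR after the question section, finds the OPT RR (type 41) and returns
    # the value of option 65433, or $null when the packet carries no scope option.
    $qdcount = Get-Uint16At $Packet 4
    $rrcount = (Get-Uint16At $Packet 6) + (Get-Uint16At $Packet 8) + (Get-Uint16At $Packet 10)
    $off = 12
    for ($i = 0; $i -lt $qdcount; $i++) { $off = (Skip-DnsName $Packet $off) + 4 }
    for ($i = 0; $i -lt $rrcount; $i++) {
        $off     = Skip-DnsName $Packet $off
        $type    = Get-Uint16At $Packet $off
        $rdlen   = Get-Uint16At $Packet ($off + 8)
        $rdstart = $off + 10
        if ($type -eq 41) {
            $o = $rdstart
            while ($o -lt $rdstart + $rdlen) {
                $code = Get-Uint16At $Packet $o
                $len  = Get-Uint16At $Packet ($o + 2)
                if ($code -eq $ScopeOptionCode) {
                    return [System.Text.Encoding]::ASCII.GetString($Packet, $o + 4, $len)
                }
                $o += 4 + $len
            }
        }
        $off = $rdstart + $rdlen
    }
    return $null
}

# Usage: the request SecondaryServer1 would send for its European scope, then the
# parser applied to it (a response from the primary carries the identical option).
$query = New-ZoneScopeAxfrQuery -ZoneName 'woodgrove.com' -ZoneScope 'EuropeZoneScope'
"{0} bytes, scope option = {1}" -f $query.Length, (Get-ZoneScopeFromPacket $query)
```

Get-ZoneScopeFromPacket is also usable on a captured transfer request or response (for example the bytes of a packet taken off the wire between a secondary and the primary): a packet in which it returns $null is a plain zone transfer that the primary answers from the default scope, which is the first thing to check when a secondary's scope stays empty.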

How to configure DNS Policy for Primary-Secondary Geo-Location Based Traffic Management

Before you begin, ensure that you have completed all of the steps in the topic Use DNS Policy for Geo-Location Based Traffic Management with Primary Servers, and that your primary DNS server is configured with zones, zone scopes, DNS Client Subnets, and DNS policy.

Note

The instructions in this topic for copying DNS Client Subnets, zone scopes, and DNS policies from the primary DNS server to the secondary DNS servers are for your initial DNS setup and validation. The zone data inside the scopes is transferred by AXFR and IXFR as described above, but the subnets, scopes, and policies themselves are not: if you later change them on the primary server, you must apply the same change on every secondary server. In that case, you can create automation scripts to keep the secondary servers synchronized with the primary server.

To configure DNS policy for primary-secondary geo-location based query responses, you must perform the following steps.

  1. Create the secondary zones.
  2. Configure the zone transfer settings on the primary zone.
  3. Copy the DNS Client Subnets to the secondary servers.
  4. Create the zone scopes on the secondary servers.
  5. Configure DNS policy on the secondary servers.

The following sections provide detailed configuration instructions.

Important

The following sections include example Windows PowerShell commands that contain example values for many parameters. Ensure that you replace the example values in these commands with values that are appropriate for your deployment before you run the commands.

Membership in DnsAdmins, or equivalent, is required to perform the following procedures.

Create the Secondary Zones

You can create the secondary copy of the zone that you want to replicate on SecondaryServer1 and SecondaryServer2 (assuming the cmdlets are run remotely from a single management client).

For example, you can create the secondary copy of woodgrove.com on SecondaryServer1 and SecondaryServer2.

You can use the following Windows PowerShell commands to create the secondary zones.

Add-DnsServerSecondaryZone -Name "woodgrove.com" -ZoneFile "woodgrove.com.dns" -MasterServers 10.0.0.1 -ComputerName SecondaryServer1

Add-DnsServerSecondaryZone -Name "woodgrove.com" -ZoneFile "woodgrove.com.dns" -MasterServers 10.0.0.1 -ComputerName SecondaryServer2

For more information, see Add-DnsServerSecondaryZone.

Configure the Zone Transfer Settings on the Primary Zone

You must configure the primary zone settings so that:

  1. Zone transfers from the primary server are allowed only to the specified secondary servers.
  2. Zone update notifications are sent by the primary server to the secondary servers.

You can use the following Windows PowerShell command to configure the zone transfer settings on the primary zone.

Note

In the following example command, -Notify Notify specifies that the primary server sends notifications about zone updates to the secondary servers, and -SecureSecondaries TransferToSecureServers restricts zone transfers to the IP addresses listed in -SecondaryServers. That list is the only control over who can obtain a full copy of the zone, and it trusts the source IP address of the requesting server, so keep it limited to the secondary servers you operate.

Set-DnsServerPrimaryZone -Name "woodgrove.com" -Notify Notify -SecondaryServers "10.0.0.2","10.0.0.3" -SecureSecondaries TransferToSecureServers -ComputerName PrimaryServer

For more information, see Set-DnsServerPrimaryZone.

Copy the DNS Client Subnets

You must copy the DNS Client Subnets from the primary server to the secondary servers; they are not included in zone transfers.

You can use the following Windows PowerShell commands to copy the subnets to the secondary servers.

Get-DnsServerClientSubnet -ComputerName PrimaryServer | Add-DnsServerClientSubnet -ComputerName SecondaryServer1

Get-DnsServerClientSubnet -ComputerName PrimaryServer | Add-DnsServerClientSubnet -ComputerName SecondaryServer2

For more information, see Add-DnsServerClientSubnet.

Create the Zone Scopes on the Secondary Servers

You must create the zone scopes on the secondary servers. Once a zone scope exists on a secondary server, that server starts requesting XFRs for the scope from the primary server. With any change to a zone scope on the primary server, a notification that contains the zone scope information is sent to the secondary servers, which can then update their zone scopes with the incremental change.

You can use the following Windows PowerShell commands to create the zone scopes on the secondary servers.

Get-DnsServerZoneScope -ZoneName "woodgrove.com" -ComputerName PrimaryServer | Add-DnsServerZoneScope -ZoneName "woodgrove.com" -ComputerName SecondaryServer1 -ErrorAction Ignore

Get-DnsServerZoneScope -ZoneName "woodgrove.com" -ComputerName PrimaryServer | Add-DnsServerZoneScope -ZoneName "woodgrove.com" -ComputerName SecondaryServer2 -ErrorAction Ignore

Note

In these example commands, the -ErrorAction Ignore parameter is included because a default zone scope exists on every zone. The default zone scope cannot be created or deleted, so the pipeline's attempt to create it on the secondary server fails, and -ErrorAction Ignore hides that expected error. Because it also hides any other error, check afterwards that the expected scopes exist on each secondary server (for example with Get-DnsServerZoneScope). Alternatively, create only the non-default zone scopes on the two secondary zones by name with Add-DnsServerZoneScope -Name.

For more information, see Add-DnsServerZoneScope.

Configure DNS policy

After you have created the subnets and the partitions (zone scopes), and the records in those scopes have been transferred from the primary server, you must create policies that connect the subnets and partitions, so that when a query comes from a source in one of the DNS client subnets, the query response is returned from the correct scope of the zone. No policies are required for mapping the default zone scope.

You can use the following Windows PowerShell commands to copy the DNS policies that link the DNS Client Subnets and the zone scopes from the primary server to the secondary servers.

$policy = Get-DnsServerQueryResolutionPolicy -ZoneName "woodgrove.com" -ComputerName PrimaryServer

$policy | Add-DnsServerQueryResolutionPolicy -ZoneName "woodgrove.com" -ComputerName SecondaryServer1

$policy | Add-DnsServerQueryResolutionPolicy -ZoneName "woodgrove.com" -ComputerName SecondaryServer2

For more information, see Add-DnsServerQueryResolutionPolicy.
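As an added example that is not part of the original article, the following script turns the copy steps above (client subnets, zone scopes, policies) into a repeatable synchronization that can be re-run whenever the primary server's configuration changes, followed by a check of what still differs on each secondary. It uses the Get- and Add- cmdlets shown in this topic together with their Set-DnsServerClientSubnet, Remove-DnsServerQueryResolutionPolicy and Get-DnsServerResourceRecord -ZoneScope counterparts from the DnsServer module; the server and zone names are the ones from this example, and remoting from the management client to all three servers is assumed.

```powershell
# Added example, not code from the original article. Re-applies the primary server's
# DNS Client Subnets, zone scopes and query resolution policies to one secondary, and
# reports what still differs. Assumes the DnsServer module's Get-/Add-/Set-/Remove-
# cmdlets for these objects and working remoting to both servers.

function Sync-DnsPolicyToSecondary {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$ZoneName,
        [Parameter(Mandatory)][string]$Primary,
        [Parameter(Mandatory)][string]$Secondary
    )

    # 1. Client subnets: add missing ones; replace the prefix lists of existing ones.
    $haveSubnets = @(Get-DnsServerClientSubnet -ComputerName $Secondary -ErrorAction SilentlyContinue)
    foreach ($s in Get-DnsServerClientSubnet -ComputerName $Primary) {
        $prefixes = @{}
        if ($s.IPV4Subnet) { $prefixes['IPv4Subnet'] = $s.IPV4Subnet }
        if ($s.IPV6Subnet) { $prefixes['IPv6Subnet'] = $s.IPV6Subnet }
        if ($haveSubnets.Name -notcontains $s.Name) {
            if ($PSCmdlet.ShouldProcess($Secondary, "add client subnet $($s.Name)")) {
                Add-DnsServerClientSubnet -Name $s.Name @prefixes -ComputerName $Secondary
            }
        } elseif ($PSCmdlet.ShouldProcess($Secondary, "replace client subnet $($s.Name)")) {
            Set-DnsServerClientSubnet -Name $s.Name -Action REPLACE @prefixes -ComputerName $Secondary
        }
    }

    # 2. Zone scopes: the default scope carries the zone's own name and always exists,
    #    so it is skipped instead of being hidden behind -ErrorAction Ignore.
    $haveScopes = @(Get-DnsServerZoneScope -ZoneName $ZoneName -ComputerName $Secondary).ZoneScope
    Get-DnsServerZoneScope -ZoneName $ZoneName -ComputerName $Primary |
        Where-Object { $_.ZoneScope -ne $ZoneName -and $haveScopes -notcontains $_.ZoneScope } |
        ForEach-Object {
            if ($PSCmdlet.ShouldProcess($Secondary, "add zone scope $($_.ZoneScope)")) {
                Add-DnsServerZoneScope -ZoneName $ZoneName -Name $_.ZoneScope -ComputerName $Secondary
            }
        }

    # 3. Policies: remove what the secondary has, then re-create the primary's policies
    #    in processing order, so changed criteria and stale policies are both handled.
    $want = @(Get-DnsServerQueryResolutionPolicy -ZoneName $ZoneName -ComputerName $Primary)
    $have = @(Get-DnsServerQueryResolutionPolicy -ZoneName $ZoneName -ComputerName $Secondary -ErrorAction SilentlyContinue)
    foreach ($p in $have) {
        if ($PSCmdlet.ShouldProcess($Secondary, "remove policy $($p.Name)")) {
            Remove-DnsServerQueryResolutionPolicy -Name $p.Name -ZoneName $ZoneName -ComputerName $Secondary -Force
        }
    }
    foreach ($p in $want | Sort-Object ProcessingOrder) {
        if ($PSCmdlet.ShouldProcess($Secondary, "add policy $($p.Name)")) {
            $p | Add-DnsServerQueryResolutionPolicy -ZoneName $ZoneName -ComputerName $Secondary
        }
    }
}

function Test-DnsPolicySync {
    param([string]$ZoneName, [string]$Primary, [string]$Secondary)
    # One object per non-default scope (record counts on both sides) and per policy
    # (present on the secondary or not). Nothing with InSync = $false means in sync.
    $scopes = Get-DnsServerZoneScope -ZoneName $ZoneName -ComputerName $Primary |
        Where-Object { $_.ZoneScope -ne $ZoneName }
    foreach ($sc in $scopes) {
        $onPrimary   = @(Get-DnsServerResourceRecord -ZoneName $ZoneName -ZoneScope $sc.ZoneScope -ComputerName $Primary).Count
        $onSecondary = @(Get-DnsServerResourceRecord -ZoneName $ZoneName -ZoneScope $sc.ZoneScope -ComputerName $Secondary -ErrorAction SilentlyContinue).Count
        [pscustomobject]@{ Item = "scope $($sc.ZoneScope)"; Primary = $onPrimary; Secondary = $onSecondary; InSync = ($onPrimary -eq $onSecondary) }
    }
    $secNames = @(Get-DnsServerQueryResolutionPolicy -ZoneName $ZoneName -ComputerName $Secondary -ErrorAction SilentlyContinue).Name
    foreach ($p in Get-DnsServerQueryResolutionPolicy -ZoneName $ZoneName -ComputerName $Primary) {
        $present = $secNames -contains $p.Name
        [pscustomobject]@{ Item = "policy $($p.Name)"; Primary = 1; Secondary = [int]$present; InSync = $present }
    }
}

# Usage from the management client: preview with -WhatIf first, then apply to each
# secondary in turn and list anything that still differs.
foreach ($sec in 'SecondaryServer1', 'SecondaryServer2') {
    Sync-DnsPolicyToSecondary -ZoneName 'woodgrove.com' -Primary 'PrimaryServer' -Secondary $sec
    Test-DnsPolicySync -ZoneName 'woodgrove.com' -Primary 'PrimaryServer' -Secondary $sec |
        Where-Object { -not $_.InSync }
}
```

Two operational caveats: the policy step removes and re-adds all policies, so for a moment the secondary answers from the default scope; run the script against one secondary at a time so the other region keeps its geo-location answers. The record counts that Test-DnsPolicySync compares agree only after the scope's first AXFR has completed, so a scope that was just created can report 0 on the secondary until the transfer has run.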

Now the secondary DNS servers are configured with the required DNS policies to redirect traffic based on geo-location.

When a DNS server receives a name resolution query, it evaluates the fields in the DNS request against the configured DNS policies. If the source IP address in the name resolution request matches one of the policies, the associated zone scope is used to respond to the query, and the user is directed to the resource that is geographically closest to them.

You can create thousands of DNS policies according to your traffic management requirements, and all new policies are applied dynamically, without restarting the DNS server, to incoming queries.