Use DNS Policy for Geo-Location Based Traffic Management with Primary-Secondary Deployments

Applies To: Windows Server (Semi-Annual Channel), Windows Server 2016

You can use this topic to learn how to create DNS policy for geo-location based traffic management when your DNS deployment includes both primary and secondary DNS servers.

The previous scenario, Use DNS Policy for Geo-Location Based Traffic Management with Primary Servers, provided instructions for configuring DNS policy for geo-location based traffic management on a primary DNS server. In the Internet infrastructure, however, DNS servers are widely deployed in a primary-secondary model, where the writable copy of a zone is stored on select, secured primary servers, and read-only copies of the zone are kept on multiple secondary servers.

The secondary servers use the zone transfer protocols Authoritative Transfer (AXFR) and Incremental Zone Transfer (IXFR) to request and receive zone updates that include new changes to the zones on the primary DNS servers.

Note

For more information about AXFR, see the Internet Engineering Task Force (IETF) Request for Comments 5936. For more information about IXFR, see the IETF Request for Comments 1995.

Primary-Secondary Geo-Location Based Traffic Management Example

The following is an example of how you can use DNS policy in a primary-secondary deployment to redirect traffic on the basis of the physical location of the client that performs a DNS query.

This example uses two fictional companies: Contoso Cloud Services, which provides web and domain hosting solutions, and Woodgrove Food Services, which provides food delivery services in multiple cities across the globe and has a Web site named woodgrove.com.

To ensure that woodgrove.com customers get a responsive experience from the website, Woodgrove wants European clients directed to the European datacenter and American clients directed to the U.S. datacenter. Customers located elsewhere in the world can be directed to either of the datacenters.

Contoso Cloud Services has two datacenters, one in the U.S. and another in Europe, on which Contoso hosts its food ordering portal for woodgrove.com.

The Contoso DNS deployment includes two secondary servers: SecondaryServer1, with the IP address 10.0.0.2, and SecondaryServer2, with the IP address 10.0.0.3. These secondary servers act as name servers in two different regions, with SecondaryServer1 located in Europe and SecondaryServer2 located in the U.S.

There is a primary writable zone copy on PrimaryServer (IP address 10.0.0.1), where the zone changes are made. With regular zone transfers to the secondary servers, the secondary servers are always up to date with any new changes to the zone on PrimaryServer.

The following illustration depicts this scenario.

[Illustration: Primary-Secondary Geo-Location Based Traffic Management Example]

How the DNS Primary-Secondary System Works

When you deploy geo-location based traffic management in a primary-secondary DNS deployment, it is important to understand how normal primary-secondary zone transfers occur before learning about zone scope level transfers. The following sections provide information on zone and zone scope level transfers.

Zone transfers in a DNS primary-secondary deployment

You can create a DNS primary-secondary deployment and synchronize zones with the following steps.

  1. When you install DNS, the primary zone is created on the primary DNS server.
  2. On the secondary server, create the zones and specify the primary servers.
  3. On the primary servers, you can add the secondary servers as trusted secondaries on the primary zone.
  4. The secondary zones make a full zone transfer request (AXFR) and receive the copy of the zone.
  5. When needed, the primary servers send notifications to the secondary servers about zone updates.
  6. Secondary servers make an incremental zone transfer request (IXFR). Because of this, the secondary servers remain synchronized with the primary server.

Zone scope level transfers in a DNS primary-secondary deployment

The traffic management scenario requires additional steps to partition the zones into different zone scopes. Because of this, additional steps are required to transfer the data inside the zone scopes to the secondary servers, and to transfer policies and DNS Client Subnets to the secondary servers.

After you configure your DNS infrastructure with primary and secondary servers, zone scope level transfers are performed automatically by DNS, using the following processes.

To ensure the zone scope level transfer, DNS servers use the Extension Mechanisms for DNS (EDNS0) OPT RR. All zone transfer (AXFR or IXFR) requests from zones with scopes originate with an EDNS0 OPT RR whose option ID is set to "65433" by default. For more information about EDNS0, see the IETF Request for Comments 6891.

The value of the OPT RR is the zone scope name for which the request is being sent. When a primary DNS server receives this packet from a trusted secondary server, it interprets the request as coming for that zone scope.

If the primary server has that zone scope, it responds with the transfer (XFR) data from that scope. The response contains an OPT RR with the same option ID "65433" and a value set to the same zone scope. The secondary servers receive this response, retrieve the scope information from the response, and update that particular scope of the zone.

After this process, the primary server maintains a list of trusted secondaries that have sent such a zone scope request, so that it can notify them.

For any further update in a zone scope, an IXFR notification is sent to the secondary servers with the same OPT RR. The zone scope that receives the notification makes an IXFR request containing that OPT RR, and the same process described above follows.

How to configure DNS Policy for Primary-Secondary Geo-Location Based Traffic Management

Before you begin, ensure that you have completed all of the steps in the topic Use DNS Policy for Geo-Location Based Traffic Management with Primary Servers, and that your primary DNS server is configured with zones, zone scopes, DNS Client Subnets, and DNS policy.

Note

The instructions in this topic to copy DNS Client Subnets, zone scopes, and DNS policies from DNS primary servers to DNS secondary servers are for your initial DNS setup and validation. In the future you might want to change the DNS Client Subnets, zone scopes, and policy settings on the primary server. In this circumstance, you can create automation scripts to keep the secondary servers synchronized with the primary server.
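As an added example of such an automation script (not part of the original article), the following Windows PowerShell script makes SecondaryServer1 and SecondaryServer2 match PrimaryServer for the woodgrove.com zone by adding any DNS Client Subnet, zone scope, or query resolution policy that exists on the primary but not yet on a secondary. The server names, zone name and cmdlets are those used in this topic; matching objects by their Name and ZoneScope properties is an assumption of this example.

```powershell
# Added example: one-way synchronization of DNS Client Subnets, zone scopes and
# query resolution policies from PrimaryServer to the two secondaries.
# Server and zone names are those used in this topic; adjust for your deployment.
$Primary     = 'PrimaryServer'
$Secondaries = @('SecondaryServer1', 'SecondaryServer2')
$ZoneName    = 'woodgrove.com'

foreach ($Secondary in $Secondaries) {
    # DNS Client Subnets: add only those the secondary does not already have
    # (matched by Name), so the script can be re-run without raising errors.
    $present = @(Get-DnsServerClientSubnet -ComputerName $Secondary).Name
    Get-DnsServerClientSubnet -ComputerName $Primary |
        Where-Object { $_.Name -notin $present } |
        Add-DnsServerClientSubnet -ComputerName $Secondary

    # Zone scopes: the default scope exists on every zone and cannot be
    # created, so it is filtered out here instead of silenced with
    # -ErrorAction Ignore.
    $present = @(Get-DnsServerZoneScope -ZoneName $ZoneName -ComputerName $Secondary).ZoneScope
    Get-DnsServerZoneScope -ZoneName $ZoneName -ComputerName $Primary |
        Where-Object { $_.ZoneScope -notin $present } |
        Add-DnsServerZoneScope -ZoneName $ZoneName -ComputerName $Secondary

    # Query resolution policies: copy those missing on the secondary (by Name).
    $present = @(Get-DnsServerQueryResolutionPolicy -ZoneName $ZoneName -ComputerName $Secondary).Name
    Get-DnsServerQueryResolutionPolicy -ZoneName $ZoneName -ComputerName $Primary |
        Where-Object { $_.Name -notin $present } |
        Add-DnsServerQueryResolutionPolicy -ZoneName $ZoneName -ComputerName $Secondary

    Write-Output "$Secondary checked against $Primary for zone $ZoneName"
}
```

Objects that exist on both servers but were later modified on the primary are not updated by this script; use the corresponding Set- cmdlets for those changes.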

To configure DNS policy for primary-secondary geo-location based query responses, you must perform the following steps.

The following sections provide detailed configuration instructions.

Important

The following sections include example Windows PowerShell commands that contain example values for many parameters. Ensure that you replace the example values in these commands with values that are appropriate for your deployment before you run them.

Membership in DnsAdmins, or equivalent, is required to perform the following procedures.

Create the Secondary Zones

You can create the secondary copy of the zone you want to replicate on SecondaryServer1 and SecondaryServer2 (assuming the cmdlets are being executed remotely from a single management client).

For example, you can create the secondary copy of www.woodgrove.com on SecondaryServer1 and SecondaryServer2.

You can use the following Windows PowerShell commands to create the secondary zones.

Add-DnsServerSecondaryZone -Name "woodgrove.com" -ZoneFile "woodgrove.com.dns" -MasterServers 10.0.0.1 -ComputerName SecondaryServer1

Add-DnsServerSecondaryZone -Name "woodgrove.com" -ZoneFile "woodgrove.com.dns" -MasterServers 10.0.0.1 -ComputerName SecondaryServer2

For more information, see Add-DnsServerSecondaryZone.

Configure the Zone Transfer Settings on the Primary Zone

You must configure the primary zone settings so that:

  1. Zone transfers from the primary server to the specified secondary servers are allowed.
  2. Zone update notifications are sent by the primary server to the secondary servers.

You can use the following Windows PowerShell command to configure the zone transfer settings on the primary zone.

Note

In the following example command, the parameter -Notify specifies that the primary server will send notifications about updates to the selected list of secondaries.

Set-DnsServerPrimaryZone -Name "woodgrove.com" -Notify Notify -SecondaryServers "10.0.0.2,10.0.0.3" -SecureSecondaries TransferToSecureServers -ComputerName PrimaryServer

For more information, see Set-DnsServerPrimaryZone.

Copy the DNS Client Subnets

You must copy the DNS Client Subnets from the primary server to the secondary servers.

You can use the following Windows PowerShell commands to copy the subnets to the secondary servers.

Get-DnsServerClientSubnet -ComputerName PrimaryServer | Add-DnsServerClientSubnet -ComputerName SecondaryServer1

Get-DnsServerClientSubnet -ComputerName PrimaryServer | Add-DnsServerClientSubnet -ComputerName SecondaryServer2

For more information, see Add-DnsServerClientSubnet.

Create the Zone Scopes on the Secondary Server

You must create the zone scopes on the secondary servers. In DNS, the zone scopes also start requesting XFRs from the primary server. With any change to the zone scopes on the primary server, a notification that contains the zone scope information is sent to the secondary servers. The secondary servers can then update their zone scopes with the incremental change.

You can use the following Windows PowerShell commands to create the zone scopes on the secondary servers.

Get-DnsServerZoneScope -ZoneName "woodgrove.com" -ComputerName PrimaryServer | Add-DnsServerZoneScope -ZoneName "woodgrove.com" -ComputerName SecondaryServer1 -ErrorAction Ignore

Get-DnsServerZoneScope -ZoneName "woodgrove.com" -ComputerName PrimaryServer | Add-DnsServerZoneScope -ZoneName "woodgrove.com" -ComputerName SecondaryServer2 -ErrorAction Ignore

Note

In these example commands, the -ErrorAction Ignore parameter is included because a default zone scope exists on every zone. The default zone scope cannot be created or deleted, so pipelining results in an attempt to create that scope, which fails. Alternatively, you can create only the non-default zone scopes on the two secondary zones.

For more information, see Add-DnsServerZoneScope.

Configure DNS policy

After you have created the subnets and the partitions (zone scopes), and you have added records, you must create policies that connect the subnets and partitions, so that when a query comes from a source in one of the DNS client subnets, the query response is returned from the correct scope of the zone. No policies are required for mapping the default zone scope.

You can use the following Windows PowerShell commands to create a DNS policy that links the DNS Client Subnets and the zone scopes.

$policy = Get-DnsServerQueryResolutionPolicy -ZoneName "woodgrove.com" -ComputerName PrimaryServer

$policy | Add-DnsServerQueryResolutionPolicy -ZoneName "woodgrove.com" -ComputerName SecondaryServer1

$policy | Add-DnsServerQueryResolutionPolicy -ZoneName "woodgrove.com" -ComputerName SecondaryServer2

For more information, see Add-DnsServerQueryResolutionPolicy.

Now the secondary DNS servers are configured with the required DNS policies to redirect traffic based on geo-location.
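To confirm the setup end to end, the following added script (not part of the original article) compares the A records held in every zone scope of woodgrove.com on PrimaryServer with those on each secondary, which is the data the scoped AXFR/IXFR transfers described earlier should have delivered. Server and zone names are those used in this topic; the use of the -ZoneScope parameter of Get-DnsServerResourceRecord and the record-to-string comparison are assumptions of this example.

```powershell
# Added example: verify that each zone scope on the secondaries carries the
# same A records as the matching scope on the primary. Server and zone names
# are those used in this topic; adjust for your deployment.
$Primary     = 'PrimaryServer'
$Secondaries = @('SecondaryServer1', 'SecondaryServer2')
$ZoneName    = 'woodgrove.com'

function Get-ScopeARecordSet {
    param([string]$Server, [string]$Scope)
    # Reduce each A record to "host A address" so two servers can be compared.
    Get-DnsServerResourceRecord -ZoneName $ZoneName -ZoneScope $Scope -RRType A -ComputerName $Server |
        ForEach-Object { '{0} A {1}' -f $_.HostName, $_.RecordData.IPv4Address } |
        Sort-Object -Unique
}

# The primary's scope list (including the default scope) is the reference.
$scopes   = @(Get-DnsServerZoneScope -ZoneName $ZoneName -ComputerName $Primary).ZoneScope
$problems = 0
foreach ($Secondary in $Secondaries) {
    foreach ($scope in $scopes) {
        $expected = @(Get-ScopeARecordSet -Server $Primary   -Scope $scope)
        $actual   = @(Get-ScopeARecordSet -Server $Secondary -Scope $scope)
        # A scope that is missing on the secondary simply yields an empty set,
        # so every primary record is then reported as missing.
        $missing  = @($expected | Where-Object { $_ -notin $actual })
        $extra    = @($actual   | Where-Object { $_ -notin $expected })
        if ($missing.Count -eq 0 -and $extra.Count -eq 0) {
            Write-Output "$Secondary scope '$scope': $($expected.Count) A record(s) match $Primary"
        } else {
            $problems++
            Write-Warning "$Secondary scope '$scope' is out of sync with $Primary"
            $missing | ForEach-Object { Write-Warning "  missing on ${Secondary}: $_" }
            $extra   | ForEach-Object { Write-Warning "  extra on ${Secondary}: $_" }
        }
    }
}
if ($problems -gt 0) { Write-Warning "$problems scope(s) need attention" }
```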

When the DNS server receives name resolution queries, it evaluates the fields in the DNS request against the configured DNS policies. If the source IP address in the name resolution request matches any of the policies, the associated zone scope is used to respond to the query, and the user is directed to the resource that is geographically closest to them.

You can create thousands of DNS policies according to your traffic management requirements, and all new policies are applied dynamically to incoming queries, without restarting the DNS server.