1 00:00:07,000 --> 00:00:13,150 Let's have a brief overview of considerations for implementing complex AD DS environments. 2 00:00:13,280 --> 00:00:19,520 In this lesson we'll talk about DNS considerations, which include the following points. 3 00:00:19,660 --> 00:00:24,240 Decide on a centralized or decentralized model. 4 00:00:24,250 --> 00:00:32,770 You should also consider verifying DNS client configuration and verifying and monitoring DNS name resolution. 5 00:00:33,100 --> 00:00:41,200 After that, you have to optimize DNS name resolution between multiple namespaces by using DNS 6 00:00:41,200 --> 00:00:45,880 features such as conditional forwarding and stub zones. 7 00:00:45,880 --> 00:00:52,160 You should also consider DNS name devolution and DNS suffix search order. 8 00:00:52,180 --> 00:01:00,400 Another consideration is deploying a GlobalNames zone and using Active Directory-integrated DNS zones. 9 00:01:00,430 --> 00:01:08,020 We'll also talk about considerations when you extend your AD DS domain into Azure, and finally we'll 10 00:01:08,020 --> 00:01:16,690 talk about UPN considerations, which include UPN suffixes, the global catalog, and federated 11 00:01:17,050 --> 00:01:19,150 authentication scenarios. 12 00:01:19,150 --> 00:01:19,800 Let's start. 13 00:01:20,140 --> 00:01:27,550 In a single-forest, single-domain AD DS environment, when you install AD DS and DNS with default 14 00:01:27,550 --> 00:01:31,390 settings, the configuration works appropriately 15 00:01:31,420 --> 00:01:40,240 in most scenarios. However, as your organization grows and your AD DS environment becomes more complex, you 16 00:01:40,240 --> 00:01:48,460 might have to make several choices to facilitate efficient name resolution and user sign-ins within 17 00:01:48,460 --> 00:01:50,490 the AD DS environment. 18 00:01:50,800 --> 00:01:57,020 So let's talk about DNS considerations in a multi-domain or multi-forest environment. 
19 00:01:57,130 --> 00:02:05,710 Client computers might have to locate a variety of cross-forest services, including Key Management Service 20 00:02:06,010 --> 00:02:16,990 servers for Windows activation, Terminal Services license servers, license servers for specific applications, 21 00:02:17,320 --> 00:02:20,650 and domain controllers in any domain that 22 00:02:20,980 --> 00:02:25,840 it trusts when accessing resources in another domain. 23 00:02:25,930 --> 00:02:34,390 When organizations deploy multiple trees in an AD DS forest, or when they deploy multiple forests, 24 00:02:34,690 --> 00:02:43,200 name resolution is more complicated because you must manage multiple domain namespaces. In these scenarios, 25 00:02:43,210 --> 00:02:45,270 consider the following points. 26 00:02:45,280 --> 00:02:53,170 First, consider deciding on a centralized or decentralized model. In a centralized model, 27 00:02:53,170 --> 00:03:01,150 you configure all DNS zones for forest-wide replication, making them locally available on every 28 00:03:01,150 --> 00:03:03,410 domain controller in the forest. 29 00:03:03,460 --> 00:03:11,680 Although this is easy to accomplish and ensures cross-domain name resolution, you must consider the 30 00:03:11,770 --> 00:03:20,350 impact this might have on domain controller replication throughout your AD DS environment. In a decentralized 31 00:03:20,350 --> 00:03:21,150 model, 32 00:03:21,250 --> 00:03:28,810 zones are configured for domain-wide replication, making them available on every domain controller in 33 00:03:28,810 --> 00:03:32,830 the domain. To implement cross-domain name resolution, 34 00:03:32,830 --> 00:03:40,360 you create delegations in the parent domain and forwarders in the child domains. A decentralized 35 00:03:40,360 --> 00:03:43,390 model is more difficult to maintain, 36 00:03:43,750 --> 00:03:52,660 but it allows you more control over replication and more flexibility in administering child domains. 
37 00:03:52,660 --> 00:03:57,880 Another point to consider is verifying DNS client configuration. 38 00:03:57,910 --> 00:04:05,950 You have to configure all computers in the AD DS domain with the addresses of at least two functional 39 00:04:06,040 --> 00:04:09,320 DNS servers. All of your computers also 40 00:04:09,340 --> 00:04:14,370 must have good network connectivity with the DNS servers. 41 00:04:14,380 --> 00:04:19,900 The next point to consider is verifying and monitoring DNS name resolution. 42 00:04:19,930 --> 00:04:26,950 You have to verify that all of your computers, including domain controllers, are able 43 00:04:26,950 --> 00:04:33,280 to perform successful DNS lookups for all domain controllers in the forest. 44 00:04:33,280 --> 00:04:41,770 Domain controllers must be able to connect to other domain controllers to successfully replicate changes 45 00:04:42,070 --> 00:04:49,930 to AD DS. Client computers must be able to locate domain controllers by using service resource 46 00:04:49,930 --> 00:04:58,750 records, or SRV records, and client computers must be able to resolve the domain controller names to IP 47 00:04:58,750 --> 00:04:59,710 addresses. 48 00:04:59,710 --> 00:05:08,010 Now some words about optimizing DNS name resolution between multiple namespaces. First, use DNS features 49 00:05:08,030 --> 00:05:16,390 such as conditional forwarding and stub zones to optimize the process of resolving computer names across 50 00:05:16,400 --> 00:05:17,410 namespaces. 51 00:05:17,630 --> 00:05:26,090 By using a conditional forwarder or a stub zone, you effectively create a shortcut that removes the need 52 00:05:26,090 --> 00:05:31,410 for recursive queries to the domain root or forest root. 
53 00:05:31,670 --> 00:05:40,130 Although a conditional forwarder or stub zone is not required for name resolution to work correctly, it 54 00:05:40,130 --> 00:05:47,990 might greatly reduce latency when cross-domain or cross-forest name resolution occurs frequently. 55 00:05:48,320 --> 00:05:51,930 When you configure a trust between two forests, 56 00:05:52,010 --> 00:06:00,080 you typically use a conditional forwarder in each forest to facilitate name resolution on both sides 57 00:06:00,080 --> 00:06:01,310 of the trust. 58 00:06:01,310 --> 00:06:11,150 Another consideration is DNS name devolution and DNS suffix search order. DNS name devolution is a feature 59 00:06:11,450 --> 00:06:19,310 of the Windows DNS client that allows a client in a child namespace to resolve the IP address of 60 00:06:19,310 --> 00:06:25,810 a host in a parent namespace without specifying a fully qualified domain name. 61 00:06:25,850 --> 00:06:34,220 The devolution process automatically attempts to resolve a single-label name by appending the primary 62 00:06:34,220 --> 00:06:35,470 DNS suffix. 63 00:06:35,540 --> 00:06:45,530 If a result is not found, devolution recursively appends the parent DNS suffix until the name resolves 64 00:06:45,560 --> 00:06:48,230 or the devolution level is met. 65 00:06:48,320 --> 00:06:55,520 The devolution level is determined automatically by comparing the forest root domain to the primary 66 00:06:55,760 --> 00:07:01,580 DNS suffix, but it also can be manually configured when more 67 00:07:01,580 --> 00:07:09,620 control is necessary. In complex AD DS environments, where you might have a deep domain tree with 68 00:07:09,620 --> 00:07:18,540 many levels in the namespace, relying on DNS name devolution for name resolution might not be efficient. 
69 00:07:18,650 --> 00:07:27,620 In this case, you can configure the DNS suffix search order to manually specify the DNS suffixes to 70 00:07:27,710 --> 00:07:36,200 append and the order in which to append them. When the DNS suffix search order is specified manually 71 00:07:36,470 --> 00:07:44,690 or through Group Policy, the DNS name devolution process is automatically disabled. The next consideration, 72 00:07:45,050 --> 00:07:53,820 when you deploy multiple trees in an AD DS forest or when you deploy multiple forests, is deploying 73 00:07:53,840 --> 00:07:56,040 a GlobalNames 74 00:07:56,050 --> 00:08:04,630 zone. A GlobalNames zone allows you to configure single-label name resolution for DNS names in your forest. 75 00:08:04,640 --> 00:08:11,750 This allows name resolution by using a shorter name that is easier to remember than a fully qualified 76 00:08:11,750 --> 00:08:12,830 domain name. 77 00:08:12,830 --> 00:08:20,780 Previously, Windows Internet Name Service, or WINS, was configured in a domain to support single-label 78 00:08:20,780 --> 00:08:22,130 name resolution. 79 00:08:22,190 --> 00:08:30,830 You can use a GlobalNames zone to replace WINS in your environment, especially if you deploy Internet 80 00:08:30,860 --> 00:08:37,070 Protocol version 6, because WINS does not support IPv6 addresses. 81 00:08:37,160 --> 00:08:45,830 In addition, you can use a GlobalNames zone when relying on DNS suffix search lists is not efficient 82 00:08:46,070 --> 00:08:50,540 because of the number of domains that must be searched. 83 00:08:50,540 --> 00:08:58,190 Another consideration is using Active Directory-integrated DNS zones. When you configure a DNS zone as 84 00:08:58,430 --> 00:09:06,620 Active Directory-integrated, DNS information is stored in AD DS and replicates through the normal 85 00:09:06,680 --> 00:09:09,080 AD DS replication process. 86 00:09:09,110 --> 00:09:14,870 This optimizes the process of replicating changes throughout the forest. 
87 00:09:14,870 --> 00:09:23,180 You can also configure the scope of replication for DNS zones. By default, domain-specific DNS records 88 00:09:23,500 --> 00:09:29,840 replicate to other domain controllers that are also DNS servers in the domain. 89 00:09:29,990 --> 00:09:40,730 DNS records that enable cross-domain lookups are stored in the _msdcs.<forest root 90 00:09:41,090 --> 00:09:50,240 domain name> zone, and they replicate to domain controllers that are also DNS servers in the entire 91 00:09:50,240 --> 00:09:51,350 forest. 92 00:09:51,350 --> 00:09:54,520 You should not change this default configuration. 93 00:09:54,530 --> 00:10:02,270 Now some words about extending your AD DS domain into Azure. When doing so, you must take a few extra 94 00:10:02,270 --> 00:10:03,320 steps. 95 00:10:03,320 --> 00:10:11,830 Azure's built-in DNS does not support AD DS domains. To support cloud-based domain components, you 96 00:10:11,830 --> 00:10:13,030 must do the following. 97 00:10:13,390 --> 00:10:22,600 You must configure an Azure virtual network and an AD DS site for your Azure subnet, and register 98 00:10:22,600 --> 00:10:27,280 your on-premises DNS server with the Azure virtual network. 99 00:10:27,280 --> 00:10:35,350 You must do this to allow an Azure virtual machine to communicate with your on-premises AD DS. 100 00:10:35,560 --> 00:10:42,370 After you successfully promote an Azure virtual machine to an AD DS domain controller and DNS 101 00:10:42,370 --> 00:10:43,300 server, 102 00:10:43,300 --> 00:10:51,730 register that virtual machine's IP address as the DNS server for your Azure virtual network. 103 00:10:51,730 --> 00:11:00,020 This allows local AD DS communication and name resolution for all the virtual machines in your Azure 104 00:11:00,130 --> 00:11:01,150 subnet. 
105 00:11:01,180 --> 00:11:09,360 And lastly, some words about UPN considerations. In a multi-domain or multi-forest environment, sign-in 106 00:11:09,360 --> 00:11:17,650 becomes more complicated because users must be aware of the domain that contains their user account. 107 00:11:18,010 --> 00:11:26,740 Users are able to sign in by using the NetBIOS name of the domain and their SAM account name, or 108 00:11:26,740 --> 00:11:33,400 the friendlier UPN attribute, which is formatted like an email address. 109 00:11:33,430 --> 00:11:43,480 By default, a UPN is the user name followed by an at sign (@) and your DNS domain name. A UPN is generally easier 110 00:11:43,480 --> 00:11:47,080 to remember, and in many organizations 111 00:11:47,080 --> 00:11:51,150 it might match the user's primary email address. 112 00:11:51,160 --> 00:11:58,570 If you decide to use the UPN attribute for sign-in names, you must consider several things. You must 113 00:11:58,570 --> 00:12:01,000 consider UPN suffixes. 114 00:12:01,000 --> 00:12:10,840 By default, the UPN suffix matches the DNS FQDN of the domain where the user account exists. In 115 00:12:10,840 --> 00:12:18,760 complex AD DS environments where multiple domains are in a domain tree, the UPN suffix might become 116 00:12:19,070 --> 00:12:22,120 quite long and difficult to remember. 117 00:12:22,180 --> 00:12:29,130 For example, in an AD DS environment that is organized by region and department, 118 00:12:29,200 --> 00:12:39,100 a simple default UPN might look like user@sales.northamerica.contoso.com. 119 00:12:39,150 --> 00:12:46,450 In this situation, you might decide to utilize a common UPN suffix for all users in the domain. 120 00:12:46,540 --> 00:12:54,460 The UPN suffix does not have to be a valid DNS domain, but in many cases organizations choose 121 00:12:54,730 --> 00:13:01,330 to use their email domain name to simplify the sign-in process for users. 
122 00:13:01,330 --> 00:13:09,160 The Active Directory Domains and Trusts console allows you to specify alternative UPN suffixes 123 00:13:09,160 --> 00:13:16,900 for a domain. You specify the UPN suffix for a user account during account creation, and you can 124 00:13:16,900 --> 00:13:20,400 modify it at any time afterward. 125 00:13:20,410 --> 00:13:29,530 Another thing to consider about UPNs is the global catalog. To allow signing in with a UPN, availability 126 00:13:29,530 --> 00:13:33,490 of a global catalog server is necessary. 127 00:13:33,490 --> 00:13:40,840 If an alternate UPN suffix is used and the computer account is not in the same domain as the user 128 00:13:40,840 --> 00:13:41,640 account, 129 00:13:41,770 --> 00:13:50,230 a global catalog server is required to resolve the UPN that is specified during sign-in. The last 130 00:13:50,230 --> 00:13:56,150 consideration about UPNs is federated authentication scenarios. 131 00:13:56,170 --> 00:14:04,390 If your organization uses AD FS to perform federated authentication with a cloud-based service such 132 00:14:04,390 --> 00:14:14,170 as Office 365, the UPN suffix must be a valid external DNS domain that your organization owns. 133 00:14:14,170 --> 00:14:22,150 This is necessary because a federation trust cannot be created with a DNS domain that only exists within 134 00:14:22,150 --> 00:14:25,120 your internal AD DS infrastructure.
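The checks and changes the lecture walks through (DNS client configuration, DC locator records, conditional forwarders and stub zones, the replication scope of AD-integrated zones, suffix search lists and a GlobalNames zone, and alternate UPN suffixes) in one PowerShell walk-through. This is an added example and is not part of the lecture or its course materials. The partner forest fabrikam.com, its DNS server addresses 10.20.0.10 and 10.20.0.11, the suffixes corp.contoso.com and sales.corp.contoso.com, the public domain contoso.com, the host web01 and the user jsmith are all assumptions chosen for illustration; the script expects a domain-joined Windows Server with the DnsServer, DnsClient and ActiveDirectory modules (RSAT) installed.

```powershell
# Added example, not the lecture's own material. All names and addresses below are assumptions.
# Steps 1, 2 and 4 are read-only checks; steps 3, 5 and 6 change configuration.

# --- 1. Verify DNS client configuration: at least two DNS servers, each reachable on port 53 ---
$dnsServers = (Get-DnsClientServerAddress -AddressFamily IPv4 |
    Where-Object { $_.ServerAddresses.Count -gt 0 }).ServerAddresses | Select-Object -Unique
if ($dnsServers.Count -lt 2) {
    Write-Warning "Fewer than two DNS servers configured: $($dnsServers -join ', ')"
}
foreach ($srv in $dnsServers) {
    if (-not (Test-NetConnection -ComputerName $srv -Port 53 -InformationLevel Quiet)) {
        Write-Warning "DNS server $srv is not reachable on TCP 53"
    }
}

# --- 2. Verify DC locator records: SRV lookup, then an A record for every advertised DC ---
$forestRoot = (Get-ADForest).RootDomain                 # assumed to return corp.contoso.com
$dcSrv = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$forestRoot" -Type SRV -ErrorAction Stop
foreach ($rec in ($dcSrv | Where-Object { $_.Type -eq 'SRV' })) {
    $a = Resolve-DnsName -Name $rec.NameTarget -Type A -ErrorAction SilentlyContinue
    if (-not $a) { Write-Warning "DC $($rec.NameTarget) is in SRV records but has no A record" }
}

# --- 3. Shortcut cross-forest resolution for a trusted forest (assumed: fabrikam.com) ---
# A conditional forwarder sends queries for the partner namespace straight to its DNS servers,
# so no recursion through the root is needed. Replicate it forest-wide so every DC/DNS server has it.
Add-DnsServerConditionalForwarderZone -Name 'fabrikam.com' `
    -MasterServers 10.20.0.10, 10.20.0.11 -ReplicationScope Forest
# Stub zone alternative: keeps a copy of the partner's NS/SOA records instead of forwarding.
# Add-DnsServerStubZone -Name 'fabrikam.com' -MasterServers 10.20.0.10, 10.20.0.11 -ReplicationScope Forest

# --- 4. Review replication scope of AD-integrated zones; _msdcs.<forest root> must stay forest-wide ---
Get-DnsServerZone | Where-Object { $_.IsDsIntegrated } |
    Select-Object ZoneName, ReplicationScope, DirectoryPartitionName | Format-Table -AutoSize
$msdcs = Get-DnsServerZone -Name "_msdcs.$forestRoot"
if ($msdcs.ReplicationScope -ne 'Forest') {
    Write-Warning "_msdcs.$forestRoot is replicated with scope '$($msdcs.ReplicationScope)', not forest-wide"
}

# --- 5. Explicit suffix search list (this disables name devolution) and a GlobalNames zone ---
Set-DnsClientGlobalSetting -SuffixSearchList @('corp.contoso.com', 'sales.corp.contoso.com')
# GlobalNames: a forest-wide AD-integrated zone holding CNAMEs for single-label names (WINS replacement).
Add-DnsServerPrimaryZone -Name 'GlobalNames' -ReplicationScope Forest
Set-DnsServerGlobalNameZone -Enable $true
Add-DnsServerResourceRecordCName -ZoneName 'GlobalNames' -Name 'intranet' `
    -HostNameAlias 'web01.sales.corp.contoso.com'
Resolve-DnsName -Name 'intranet' -Type CNAME   # single-label lookup now answered from GlobalNames

# --- 6. Alternate UPN suffix: short, and an externally registered domain if AD FS/Office 365 is in scope ---
Set-ADForest -Identity $forestRoot -UPNSuffixes @{ Add = 'contoso.com' }
Set-ADUser -Identity 'jsmith' -UserPrincipalName 'jsmith@contoso.com'
Get-ADUser -Identity 'jsmith' -Properties UserPrincipalName | Select-Object SamAccountName, UserPrincipalName
```

Run the read-only checks (steps 1, 2 and 4) on every DC and on a sample of clients before touching configuration; the _msdcs warning in step 4 is the one you never want to see, because the lecture's advice is to leave that zone's forest-wide scope alone. Step 5's suffix list is a per-machine setting here; in production it is normally delivered through Group Policy (Computer Configuration, Administrative Templates, Network, DNS Client, "DNS suffix search list"), which has the same devolution-disabling effect.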