TCP/IP
communication is based on IP addressing. Every packet transmitted over
the network must have IP addresses identifying its source and its
intended destination. Using numerical addresses, as TCP/IP does, is
great for computers, but not as good for humans. How would you like it
if whenever you wanted to access your favorite website, you had to
remember a Uniform Resource Locator (URL) such as http://192.168.43.181?
To make these
addresses easier for people to remember, TCP/IP networks use friendly
names to refer to specific computers. Therefore, when you type a URL
such as http://www.adatum.com
into your web browser, the computer first converts the name to its
equivalent IP address and then sends an HTTP request to the web server
using that address.
The names for specific
computers on a TCP/IP network, like their equivalent addresses, must be
unique, so this presents a problem. How do you assign unique names to
the millions of computers on the Internet without having to use long,
complex strings that are just as hard to remember as IP addresses? The
answer is the same as that for IP addresses: You divide the name into
administrative units and let individual network administrators assign
names to computers within each unit.
Note:
The distribution of administrative tasks is one of the key architectural principles of TCP/IP and the Internet
that you see again and again. Instead of creating a centralized point
of administration that is responsible for all IP addresses or all domain
names, the system is designed to distribute the administrative tasks
among networks all over the Internet.
On the Internet, the administrative unit is called a domain. An organization registers a domain name with ICANN or one of its many registrars, and then has the right to create host names within that domain. For example, in the www.adatum.com
name mentioned earlier, adatum.com is the name of the domain, and www
is the name that the domain administrator assigned to a host in that
domain, in this case a web server. Together, the host name and the
domain name are called a fully qualified domain name (FQDN).
1. Domain Namespace
Domain names are hierarchical
constructions consisting of two or more words, separated by periods,
reading from the bottom to the top of the hierarchy as you go from left
to right. The rightmost word, com in this example, is a top-level domain
name. The com domain is one of three generic top-level domains created
early in the history of the domain namespace. The others are net and
org. In addition to these names, there are two-letter, country-code
top-level domain names that represent most of the countries in the
world, such as fr for France and jp for Japan. Some additional generic
top-level domains, such as biz and info, were created later.
Note:
In addition to the generic
top-level domains mentioned, there are a number of sponsored top-level
domains, such as edu, gov, mil, and int, for which potential registrants
must prove eligibility before they can register a name.
The generic top-level domain
names are administered by ICANN, which is also responsible for
designating an appropriate trustee for each of the country-code
top-level domains. Network administrators can obtain a name in any of
the generic top-level domains
and many of the country-code top-level domains by contacting an
appropriate registrar and paying a fee. The registrant then receives all
rights to a second-level domain beneath that top-level domain,
including the right to create hosts and subdomains within that
second-level domain.
For example, the
organization that owns adatum.com registered that name and owns the
rights to the name as long as it continues to pay its fees. It can,
therefore, assign the host name www to its web server, creating the FQDN
www.adatum.com. If the organization wants to, it can also create additional hosts and additional domain name levels, such as sales.adatum.com.
2. Domain Name System
In the early days of the
Internet, when it was an experimental network consisting of only a few
dozen computers, every system had a hosts file, which contained a simple
list of all the computers on the Internet, with their host names and
equivalent IP addresses. Eventually, the hosts list became too large and
changed too often to be manageable, so a new way of mapping host names
to IP addresses was needed.
The main reason for the
hierarchical design of the domain namespace is to facilitate the
creation of that new solution, which is called the Domain Name System (DNS).
The fundamental design principle of the DNS is that instead of storing
and managing information about the entire domain namespace in one
location, the administrators of each domain are responsible for
maintaining information about their own computers.
A DNS server is a
specialized type of database application, designed to store name and
address information about computers in a domain. When you register a
second-level domain name for your organization, you must specify the
addresses of two DNS servers that will become the authoritative servers
for your domain. Then, for each computer on your network, you must
create a resource record on your DNS server, which specifies the computer’s host name and its equivalent IP address.
Note:
Administrators can
create DNS resource records manually, but computers also can create them
automatically. For example, if you use the DHCP Server role on your
Windows SBS 2011 server to assign IP addresses to your clients, the
system automatically creates a DNS resource record for each DHCP client.
3. DNS Name Resolution
DNS servers are also
responsible for converting host names into IP addresses at the request
of clients on the network. This process is known as name resolution. In
the name
resolution process, DNS servers all over the Internet communicate with
each other to locate the authoritative information for specific
computers. This process occurs as follows:
1. When you type the URL http://www.adatum.com into your web browser, the first thing your browser does is use your computer’s DNS client, called a resolver, to send a name resolution request to your DNS server. The name of the DNS server is specified in the computer’s TCP/IP configuration. This request contains the www.adatum.com FQDN, and is asking for its equivalent IP address in return. Unless your computer’s DNS server happens to be the authoritative source for the adatum.com domain, it must pass the request on to other servers to get the information it needs.
2. The DNS server starts at the top of the domain hierarchy and forwards your request to an authoritative server for the com domain. The com domain is hosted by one of the root name servers whose addresses are coded into every DNS server. Because the root name server is the authoritative source for the com domain, it contains resource records for all the second-level domains beneath com, including adatum.com. Registrars create these resource records using the information supplied by people registering second-level domains. The com server responds to the request by sending the resource record for the adatum.com domain back to your DNS server.
3. Your DNS server now knows where to go to get information about the adatum.com domain, so it forwards the original name resolution request to the adatum.com server it learned about from the com server. The adatum.com server replies by sending the resource record for the www host back to your DNS server. This resource record, which the administrator of the adatum.com domain created, contains the IP address of the www host in that domain.
4. Your DNS server now knows the IP address of the www.adatum.com computer, so it replies to your resolver’s original request by forwarding the www.adatum.com resource record to your computer.
5. Your computer now has the IP address for www.adatum.com, so the computer can send its original web page access request, using that address, to the web server on the Internet.
Despite its complexity, the DNS name resolution process completes very
quickly, and the number of steps involved varies with the name being
resolved and current conditions on the network. For example, resolving a
name beneath one of the country-code top-level domains requires an
additional step because the root domain servers do not host these
domains. On the other hand, the name resolution process might be
abbreviated due to the caching capabilities of DNS servers.
DNS servers are designed
to cache the resource records they receive from other DNS servers for a
specified length of time. For example, if you use your browser to access
the www.adatum.com
web server, and someone else on your network tries to connect to the
same website a few minutes later, your DNS server still has the www.adatum.com resource record in its cache, so it does not have to perform the entire name resolution process again.
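The resolution walk described in the numbered steps above and the caching behavior in this paragraph, as an added example that is not from the book: a small Python simulation that resolves www.adatum.com iteratively through constructed root, com, and adatum.com servers, and then answers a repeat lookup from a TTL cache without querying anyone. The server addresses, zone data, and TTL are constructed placeholders (documentation address ranges), and the hierarchy() helper also shows the right-to-left reading of a name described under Domain Namespace.

```python
"""Added example (not from the book): a simulated iterative DNS walk for
www.adatum.com through constructed root, com and adatum.com servers, with a
TTL cache. All server addresses and zone data are constructed for the demo."""
import time

TTL = 300.0                 # seconds a cached answer stays valid (constructed)
ROOT_HINT = "203.0.113.1"   # constructed stand-in for a root server address

# Constructed zone data, keyed by server address: an NS entry is a referral to
# the server for the child zone; an A entry is the final host address.
SERVERS = {
    "203.0.113.1": {"com.": ("NS", "192.0.2.10")},            # root server
    "192.0.2.10":  {"adatum.com.": ("NS", "192.0.2.20")},     # com server
    "192.0.2.20":  {"www.adatum.com.": ("A", "192.0.2.80")},  # adatum.com server
}


def hierarchy(fqdn):
    """Read an FQDN right to left, top of the hierarchy first:
    'www.adatum.com' -> ['com.', 'adatum.com.', 'www.adatum.com.']"""
    labels = fqdn.rstrip(".").split(".")
    return [".".join(labels[i:]) + "." for i in range(len(labels) - 1, -1, -1)]


def resolve(fqdn, cache, now=None):
    """Return (ip, servers_queried). A cached, unexpired A record answers
    without querying anyone; otherwise walk root -> com -> adatum.com."""
    now = time.time() if now is None else now
    name = fqdn.rstrip(".") + "."
    hit = cache.get(name)
    if hit and hit[1] > now:
        return hit[0], []            # answered from cache, no servers queried
    server, queried = ROOT_HINT, []
    for zone in hierarchy(name):
        queried.append(server)
        rtype, rdata = SERVERS[server].get(zone, (None, None))
        if rtype == "NS":
            server = rdata           # referral: ask the child zone's server next
        elif rtype == "A":
            cache[name] = (rdata, now + TTL)
            return rdata, queried
        else:
            raise LookupError(f"{server} has no record for {zone}")
    raise LookupError(f"walk ended without an A record for {name}")


if __name__ == "__main__":
    cache = {}
    print(resolve("www.adatum.com", cache))   # full walk, three servers queried
    print(resolve("www.adatum.com", cache))   # served from cache, none queried
```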
Note:
The DNS resource records
that specify IP address equivalents for host names are called Host (A)
records. However, by supporting other types of resource records, DNS
servers can perform other functions in addition to name resolution. For
example, Mail Exchanger (MX) records enable computers to locate the
address of the mail server for a specific domain.
4. Active Directory Domains
When you install Windows SBS
2011 on your server, the setup program asks you to supply a name for
your domain. It is not an Internet domain name the program is referring
to, however; it is an Active Directory Domain Services (AD DS) domain
name. As part of the installation process, the setup program installs
the AD DS role and creates a domain using the name you specify, plus the
top-level domain name local.
AD DS also uses domains to create
administrative divisions within a Windows network. In the case of a
Windows SBS 2011 installation, you need only one domain, but large
enterprise networks can have many domains, grouped into larger divisions
called trees and forests. AD DS also uses DNS for name resolution as
well as for other internal functions, but the AD DS domain on your
server is not accessible from the Internet because local is not an
official top-level domain. This protects your internal domain from
Internet intrusion.
Note:
It is theoretically
possible to use the same domain name for your organization’s Internet
presence and for its internal AD DS domain, but this can put your AD DS
domain at risk. It is also possible to use a second-level domain name,
such as adatum.com, on the Internet; and create a third-level domain,
such as int.adatum.com, for internal use. Using a local domain name
internally and a completely separate second-level domain name on the
Internet is the most secure arrangement, however, which is why Windows
SBS 2011 uses this method.