Title: Module 2: Configuring Domain Name Service for Active Directory
Module 2: Configuring Domain Name Service for Active Directory Domain Services
Module Overview
- Overview of Active Directory Domain Services and DNS Integration
- Configuring Active Directory Integrated Zones
- Configuring Read-Only DNS
Lesson 1: Overview of Active Directory Domain Services and DNS Integration
- Active Directory Domain Services and DNS Namespace Integration
- What Are Service Resource Locator Records?
- Demonstration: SRV Locator Records Registered by AD DS Domain Controllers
- How Service Resource Locator Records Are Used
- Integration of Service Resource Locator Records and Active Directory Sites
Active Directory Domain Services and DNS Namespace Integration
Active Directory domain names must use DNS names.
You can integrate an Active Directory domain name with the external name space by using:
- The same name space
- A subdomain of the external name space
- A different name space, where the internal (local) domain name and the external name are different
What Are Service Locator Records?
- SRV resource records allow DNS clients to locate TCP/IP-based services. SRV resource records are used when:
  - A domain controller needs to replicate changes
  - A client computer logs on to Active Directory
  - A user attempts to change his or her password
  - An Exchange 2003 server performs a directory lookup
  - An administrator modifies Active Directory
SRV record syntax:
_service._protocol.name TTL class type priority weight port target
Example of an SRV record:
_ldap._tcp.contoso.msft 600 IN SRV 0 100 389 den-dc1.contoso.msft
Demonstration: SRV Resource Records Registered by AD DS Domain Controllers
- In this demonstration, you will see how to view and manage the SRV resource records registered by domain controllers
How Service Resource Locator Records Are Used
1. Locator initiates a call to the Net Logon service
2. Locator collects information about the client
3. Net Logon uses the information and queries DNS for SRV resource records
4. Net Logon tests connectivity to target servers
5. Domain controllers respond, indicating that they are operational
6. Net Logon returns the information to clients
Integration of Service Locator Records and Active Directory Sites
1. Client queries the local DNS server for a DC
2. DNS server responds with multiple records
3. Client contacts MIA-DC1 by using LDAP
4. MIA-DC1 returns site info: NYC
5. Client queries DNS for a DC in the NYC site
6. DNS server responds with a DC in the NYC site
Figure: Local DNS Server; MIA-DC1 in the Miami Site; NYC-DC1 in the NYC Site.
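An added example, not part of the course material, that queries the SRV records from the locator steps above: first the domain-wide name, then the site-specific name used in steps 5 and 6 of the site diagram, ordered the way the locator weighs priority and weight. The domain contoso.msft and site NYC are taken from the slides; the DNS server name is a placeholder you supply.

```powershell
# Added example (not from the course): list the SRV records a client would use to
# find a domain controller, domain-wide or for one site, in locator order.
function Get-DcLocatorRecords {
    param(
        [Parameter(Mandatory)][string]$Domain,   # e.g. contoso.msft (from the slides)
        [string]$Site,                           # e.g. NYC (from the site diagram)
        [string]$DnsServer                       # placeholder; omit to use the client's resolver
    )
    # Every DC in the domain registers under the generic _msdcs name.
    $name = "_ldap._tcp.dc._msdcs.$Domain"
    if ($Site) {
        # Only DCs that cover the site register under the _sites name,
        # which is what the client asks for after MIA-DC1 returns "site: NYC".
        $name = "_ldap._tcp.$Site._sites.dc._msdcs.$Domain"
    }
    $params = @{ Name = $name; Type = 'SRV'; DnsOnly = $true; ErrorAction = 'Stop' }
    if ($DnsServer) { $params['Server'] = $DnsServer }

    Resolve-DnsName @params |
        Where-Object { $_.Type -eq 'SRV' } |
        # Lowest priority is tried first; among equal priorities a higher
        # weight makes that target more likely to be chosen.
        Sort-Object Priority, @{ Expression = 'Weight'; Descending = $true } |
        Select-Object Name, Priority, Weight, Port, NameTarget
}

# Steps 1-2 of the diagram: all DCs for the domain (multiple records).
Get-DcLocatorRecords -Domain 'contoso.msft'

# Steps 5-6: only the DCs that serve the NYC site.
Get-DcLocatorRecords -Domain 'contoso.msft' -Site 'NYC'

# Cross-check against what the Net Logon locator itself selects for that site.
nltest /dsgetdc:contoso.msft /site:NYC
```

If the site-specific query returns nothing, the client falls back to the domain-wide records, which is the point at which a remote DC may be chosen.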
Lesson 2: Configuring Active Directory Integrated Zones
- What Are Active Directory Integrated Zones?
- What Are Application Partitions in AD DS?
- Options for Configuring Application Partitions for DNS
- How Dynamic Updates Work
- How Secure Dynamic DNS Updates Work
- Demonstration: Configuring AD DS Integrated Zones
- How Background Zone Loading Works
What Are Active Directory Integrated Zones?
Active Directory integrated zones store DNS zone data in the Active Directory database.
- Benefits of using Active Directory integrated zones:
  - Replicates DNS zone information using Active Directory replication
  - Supports multiple master DNS servers
  - Supports record aging and scavenging
What Are Application Partitions in AD DS?
The Active Directory database is divided into directory partitions, with each directory partition replicated to specific domain controllers.
- A DNS zone can be stored in the domain partition or in an application partition
- Administrators can define the replication scope of custom application partitions
- DomainDnsZones and ForestDnsZones are default application partitions that store DNS-specific data
Figure: three domain controllers; each holds the Domain, Config and Schema partitions, the App1 application partition is replicated to two of them and App2 to only one.
Options for Configuring Application Partitions for DNS
DNS information can be stored in a variety of application partitions. Replication scope options:
- To all domain controllers in the Active Directory domain
- To all domain controllers that are DNS servers in the Active Directory domain
- To all domain controllers that are DNS servers in the Active Directory forest
- To all domain controllers in the replication scope for the application partition
How Dynamic Updates Work
1. Client sends SOA query
2. DNS server sends zone name and server IP address
3. Client verifies existing registration
4. DNS server responds by stating that registration does not exist
5. Client sends dynamic update to DNS server
Figure: Windows Server 2008, Windows Vista and Windows XP clients exchanging steps 1-5 with a DNS Server that holds the zone's Resource Records.
How Secure Dynamic DNS Updates Work
A secure dynamic update is accepted only if the client has the proper credentials to make the update.
Figure: Windows Vista DNS client, Local DNS Server, and Domain Controller with Active Directory Integrated DNS Zone.
- Client asks the local DNS server to find the authoritative server: Result
- Client attempts a nonsecure update against the domain controller: Refused
- Client performs secure update negotiation with the domain controller: Accepted
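An added example, not from the course, that audits the dynamic update setting and replication scope of every primary zone on a DNS server (the options from the application partition and dynamic update slides), flags zones that would still accept the nonsecure update the diagram shows being refused, and then applies the corrected setting. The zone name contoso.msft is from the slides; the cmdlets belong to the Windows DnsServer PowerShell module, which assumes Windows Server 2012 or later rather than the 2008 release this module covers.

```powershell
# Added example (not from the course): report which zones accept unauthenticated
# dynamic updates and where each zone's data is replicated.
function Get-DnsZoneUpdateRisk {
    param([string]$ComputerName = $env:COMPUTERNAME)   # DNS server to audit

    Get-DnsServerZone -ComputerName $ComputerName |
        Where-Object { $_.ZoneType -eq 'Primary' -and -not $_.IsAutoCreated } |
        ForEach-Object {
            # Secure updates are only possible for AD-integrated zones, because the
            # ACL on the record object in AD DS is what enforces them.
            $finding = switch ($_.DynamicUpdate) {
                'Secure'             { 'OK: only authenticated clients can write' }
                'NonsecureAndSecure' { 'RISK: any host can create or overwrite records' }
                'None'               { 'INFO: dynamic updates disabled; clients cannot register' }
            }
            [pscustomobject]@{
                Zone             = $_.ZoneName
                DsIntegrated     = $_.IsDsIntegrated
                ReplicationScope = $_.ReplicationScope      # Domain, Forest, Legacy or Custom
                Partition        = $_.DirectoryPartitionName # e.g. DomainDnsZones.contoso.msft
                DynamicUpdate    = $_.DynamicUpdate
                Finding          = $finding
            }
        }
}

Get-DnsZoneUpdateRisk | Format-Table -AutoSize

# Weak setting: the "nonsecure update" arrow in the diagram would be accepted.
#   Set-DnsServerPrimaryZone -Name 'contoso.msft' -DynamicUpdate NonsecureAndSecure

# Corrected setting: store the zone in the DomainDnsZones partition (replicated to
# all DNS-server DCs in the domain) and accept only negotiated secure updates.
Set-DnsServerPrimaryZone -Name 'contoso.msft' -ReplicationScope Domain
Set-DnsServerPrimaryZone -Name 'contoso.msft' -DynamicUpdate Secure
```

Run the audit again afterwards; the zone should report DynamicUpdate = Secure with DsIntegrated = True, and a file-backed zone must be converted to AD-integrated before the Secure setting is available.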
Demonstration: Configuring AD DS Integrated Zones
- In this demonstration, you will see how to configure:
  - A DNS zone as AD DS integrated
  - Dynamic updates on DNS zones
  - Dynamic update settings on a network connection
  - Secure dynamic updates
How Background Zone Loading Works
- When a domain controller with Active Directory integrated DNS zones starts, it:
  - Enumerates all zones to be loaded
  - Loads root hints from files or AD DS servers
  - Loads all zones that are stored in files rather than in AD DS
  - Begins responding to queries and RPCs
  - Starts one or more threads to load the zones that are stored in AD DS
Lesson 3: Configuring Read-Only DNS
- What Is Read-Only DNS?
- How Read-Only DNS Works
- Discussion: Comparing DNS Options for Branch Offices
What Is Read-Only DNS?
- A feature supported on Read-Only Domain Controllers
- All application partitions containing DNS information are replicated to the RODC
  - DNS information required for Active Directory name resolution is available for clients in the same site as the RODC
  - Changes are not allowed on the read-only DNS zone, which increases security
How Read-Only DNS Works
Read-only DNS is installed on an RODC when AD DS is installed and the DNS option is selected.
- Read-only DNS zone data can be viewed, but cannot be updated
- Clients that send dynamic DNS updates to the RODC are referred to a DNS server with a writeable copy of the zones
- Records cannot be manually added to the read-only zone
Discussion: Comparing DNS Options for Branch Offices
- What options other than read-only DNS are available for implementing DNS in the branch office?
- What are the advantages and disadvantages of each option?
Lab: Configuring AD DS and DNS Integration
- Exercise 1: Configuring Active Directory Integrated Zones
- Exercise 2: Configuring Read-Only DNS Zones
Logon information:
- Virtual machines: NYC-DC1, MIA-RODC
- User name: Administrator
- Password: Paw0rd
- Estimated time: 45 minutes
Lab Review
- What would be the advantage to storing the Active Directory integrated DNS zones in a custom application partition instead of the default partitions?
- What steps could you take to recover the SRV resource records if they were deleted or corrupted?
- Who can create Active Directory integrated zones?
Module Review and Takeaways
- Review questions
- Module key points
Beta Feedback Tool
- Beta feedback tool helps:
  - Collect student roster information, module feedback, and course evaluations.
  - Identify and sort the changes that students request, thereby facilitating a quick team triage.
  - Save data to a database in SQL Server that you can later query.
- Walkthrough of the tool
Beta Feedback
- Overall flow of module
  - Which topics did you think flowed smoothly from topic to topic?
  - Was something taught out of order?
- Pacing
  - Were you able to keep up? Are there any places where the pace felt too slow?
  - Were you able to process what the instructor said before moving on to the next topic?
  - Did you have ample time to reflect on what you learned? Did you have time to formulate and ask questions?
- Learner activities
  - Which demos helped you learn the most? Why do you think that is?
  - Did the lab help you synthesize the content in the module? Did it help you to understand how you can use this knowledge in your work environment?
  - Were there any discussion questions or reflection questions that really made you think? Were there questions you thought weren't helpful?