Module 2: Configuring Domain Name Service for Active Directory® Domain Services

Post on 17-Nov-2015

257 views

Category:

Documents


0 download

DESCRIPTION

Active Folder

TRANSCRIPT

  • Module 2: Configuring Domain Name Service for Active Directory Domain Services

    This module helps students configure Domain Name Service for Active Directory Domain Services.

    After completing this module, students will be able to:
    - Describe Active Directory Domain Services and Domain Name System (DNS) integration
    - Configure Active Directory integrated zones
    - Configure read-only DNS

    Required materials: To teach this module, you need the Microsoft Office PowerPoint file 6425A_02.ppt.

    Important: It is recommended that you use PowerPoint 2002 or a later version to display the slides for this course. If you use PowerPoint Viewer or an earlier PowerPoint version, all the features of the slides might not be displayed correctly.

    Preparation tasks: To prepare for this module:
    - Read all of the materials for this module.
    - Complete the practices.

    This section contains information that will help you teach this module.

    For some topics in this module, references to additional information appear in notes at the end of the topics. Read the additional information so that you can prepare to teach the module. During class, ensure that students are aware of the additional information.

    Make sure that students are aware that there is additional information and there are additional resources for the module on the Course Companion CD.

    Presentation: 50 minutes
    Lab: 45 minutes

  • Module Overview
    - Overview of Active Directory Domain Services and DNS Integration
    - Configuring AD DS Integrated Zones
    - Configuring Read-Only DNS Zones

  • Lesson 1: Overview of Active Directory Domain Services and DNS Integration
    - AD DS and DNS Namespace Integration
    - What Are Service Resource Locator Records?
    - Demonstration: SRV Locator Records Registered by AD DS Domain Controllers
    - How Service Resource Locator Records Are Used
    - Integrating Service Resource Locator Records and AD DS Sites

  • AD DS and DNS Namespace Integration

    AD DS domain names must use DNS names.

    You can integrate an AD DS domain name with the external name space by using:
    - The same name space
    - A subdomain of the external name space
    - A different name space, where the domain name and the local name are different

    Use the build slide to compare options for integrating the internal Domain Name System (DNS) name space with external name spaces. Emphasize the importance of maintaining separate DNS servers for internal and external name resolution. The internal DNS zones must never be exposed to the Internet, as the internal zones will contain all of the domain controller records. Mention that Active Directory requires DNS, but that it does not require any particular type of DNS server. The internal and external DNS servers can be different types.

    Reference: How DNS Support for Active Directory Works, http://go.microsoft.com/fwlink/?LinkId=99432

  • What Are Service Locator Records?

    SRV resource records allow DNS clients to locate TCP/IP-based services. SRV resource records are used when:
    - A domain controller needs to replicate changes
    - A client computer logs on to AD DS
    - A user attempts to change his or her password
    - An Exchange 2003 server performs a directory lookup
    - An administrator modifies AD DS

    SRV record syntax: _service._protocol.name TTL class type priority weight port target
    Example of an SRV record: _ldap._tcp.contoso.msft 600 IN SRV 0 100 389 den-dc1.contoso.msft

    Stress the importance of SRV resource records in a Windows Server 2008 environment. Since the release of Windows 2000, all client computers have used DNS as the primary process for locating domain controllers. Without SRV resource records in DNS, logon from clients will be extremely slow or will fail. Describe the components of an SRV resource record, then use the example on the slide to describe how the record provides all of the information that a client computer needs to locate a domain controller.

    References:
    - DNS Administrator Help: Adding resource records
    - DNS Administrator Help: Service Location (SRV) Resource Record Dialog Box

  • Demonstration: SRV Resource Records Registered by AD DS Domain Controllers

    In this demonstration, you will see how to view and manage the SRV resource records registered by domain controllers.

    Demonstration steps: To complete this demonstration, you must have the 6425A-NYC-DC1 virtual machine running.
    1. Open the DNS management console and show the SRV resource records listed in MSDCS and in the WoodgroveBank.com domain. Go into detail describing one of the records, and then show the subfolders that contain records.
    2. Delete one of the SRV resource records in DNS.
    3. Stop and restart the NetLogon service, and confirm that the record is restored in DNS. Mention the importance of using a DNS server that supports dynamic updates, so that the NetLogon service can register the records.
    4. Open %systemroot%\system32\config\netlogon.dns, and discuss how the records could be added to a DNS server that does not support dynamic updates.

    Reference: How DNS Support for Active Directory Works, http://go.microsoft.com/fwlink/?LinkId=99432

  • How Service Resource Locator Records Are Used

    1. Locator initiates a call to the Net Logon service.
    2. Locator collects information about the client.
    3. Net Logon uses the information and queries DNS for SRV resource records.
    4. Net Logon tests connectivity to target servers.
    5. Domain controllers respond, indicating that they are operational.
    6. Net Logon returns the information to clients.

    Describe the process that clients use to locate domain controllers. Mention that all computers, including workstations such as Windows XP and Windows Vista, and servers such as Windows Server 2003 and Windows Server 2008, use the same process.

    Reference: How Domain Controllers Are Located in Windows XP, http://go.microsoft.com/fwlink/?LinkId=99425

  • Integrating Service Locator Records and AD DS Sites

    (Diagram: a client computer in the Miami Site with a Local DNS Server and MIA-DC1; NYC-DC1 in the NYC Site.)
    1. Client queries DNS for a DC.
    2. DNS responds with multiple records.
    3. Client contacts MIA-DC1 by using LDAP.
    4. MIA-DC1 returns site info: NYC.
    5. Client queries DNS for a DC in the NYC site.
    6. DNS responds with a DC in the NYC site.

    Use the build slide to describe how a client computer locates a domain controller in the same site as the client computer. Mention that the site configuration for client computers is dynamic, and is based on the computer's IP address and the site configuration in Active Directory. The client computer is not aware of its site location until it starts and receives the site information from DNS and Active Directory. On the other hand, domain controllers are configured with a static site configuration. On the build slide, steps 1 and 2 show the client computer starting up and requesting a domain controller from the DNS server. Steps 3 and 4 show the client connecting to a domain controller in a different site; remember that the client is not yet site-aware. The domain controller checks the client configuration, and then redirects the client to communicate with a domain controller in its local site. This is shown in steps 5 and 6.

    Reference: Finding a Domain Controller in the Closest Site, http://go.microsoft.com/fwlink/?LinkId=99427

  • Lesson 2: Configuring AD DS Integrated Zones
    - What Are AD DS Integrated Zones?
    - What Are Application Partitions in AD DS?
    - Options for Configuring Application Partitions for DNS
    - How Dynamic Updates Work
    - How Secure Dynamic DNS Updates Work
    - Demonstration: Configuring AD DS Integrated Zones
    - How Background Zone Loading Works

  • What Are AD DS Integrated Zones?

    AD DS integrated zones store DNS zone data in the AD DS database. Benefits of using AD DS integrated zones:
    - Replicates DNS zone information using AD DS replication
    - Supports multiple master DNS servers
    - Enhances security
    - Supports record aging and scavenging

    Ask students how Domain Name System (DNS) zones are stored and replicated outside of Active Directory Domain Services (AD DS). If students are not familiar with how DNS zones are stored in text files, briefly describe the files and how standard DNS replication works. Next, explain how AD DS can also store DNS zone information, and describe the benefits of using this option. Ask the students if they can think of any disadvantages to storing DNS information in AD DS. One possible answer might be that if dynamic updates are enabled for all computers in an enterprise, the Active Directory database can be very large.

    References:
    - DNS Help: Understanding Active Directory Domain Services integration
    - How DNS Support for Active Directory Works, http://go.microsoft.com/fwlink/?LinkId=99432

  • What Are Application Partitions in AD DS?

    - A DNS zone can be stored in the domain partition or in an application partition
    - Administrators can define the replication scope of custom application partitions
    - DomainDnsZones and ForestDnsZones are default application partitions that store DNS-specific data

    The AD DS database is divided into directory partitions, with each directory partition replicated to specific domain controllers.
    (Diagram: three domain controllers; each holds the Domain, Config and Schema partitions, while the application partitions App1 and App2 are replicated only to some of them.)

    If students are not familiar with the concept of the AD DS partitions, briefly describe the three partitions (also called naming contexts). Next, describe how those partitions can store DNS information. Highlight that, by default, DNS information is stored in different partitions than the other AD DS information. Mention that the default application partitions for storing DNS information in AD DS are automatically created when DNS is installed and configured during AD DS installation. To create the partitions after AD DS is installed, you can use the DNS management tool or the DNSCMD command-line tool.

    References:
    - DNS Help: Understanding DNS zone replication in Active Directory Domain Services
    - DNS Help: Create the default DNS application directory partitions

  • Options for Configuring Application Partitions for DNS

    DNS information can be stored in a variety of application partitions, each with its own replication scope:
    - To all domain controllers in the AD DS domain
    - To all domain controllers that are DNS servers in the AD DS domain
    - To all domain controllers that are DNS servers in the AD DS forest
    - To all domain controllers in the replication scope for the application partition

    List the different partitions that are available for storing DNS information in AD DS. Mention that the primary reason for choosing each of the different zones is that each partition has a different replication scope. Consider using a diagram to describe the replication scopes for each partition. Include domain controllers that are not DNS servers and domain controllers that are in a different domain, and then show the effects of storing the Active Directory DNS information in each zone. Provide scenarios for when organizations might choose each option to store the DNS information in each partition. Summarize how to create a custom application partition for storing DNS information.

    References:
    - How DNS Support for Active Directory Works, http://go.microsoft.com/fwlink/?LinkId=99432
    - DNS Help: Create a DNS application directory partition
    - DNS Help: To enlist a DNS server in a DNS application directory partition

  • How Dynamic Updates Work

    (Diagram: Windows Server 2008, Windows Vista and Windows XP clients on one side; the DNS server and its resource records on the other.)
    1. Client sends SOA query.
    2. DNS server sends zone name and server IP address.
    3. Client verifies existing registration.
    4. DNS server responds by stating that registration does not exist.
    5. Client sends dynamic update to DNS server.

    Describe how dynamic updates work. Mention that SOA stands for Start of Authority (SOA) resource record. Ask students what would happen if dynamic updates were not enabled. The biggest problem would be that domain controllers would not be able to register their records in DNS, so the domain controller records would have to be manually added. Mention that client computer resource records can be updated dynamically in DNS by Dynamic Host Configuration Protocol (DHCP) servers. (Refer to Course 6421 for more information.)

    References:
    - DNS Help: Understanding dynamic update
    - How DNS Support For Active Directory Works, http://go.microsoft.com/fwlink/?LinkId=99432 (review the Dynamic Update section)

  • How Secure Dynamic DNS Updates Work

    (Diagram: a Windows Vista DNS client, a Local DNS Server, and a Domain Controller with an Active Directory-integrated DNS zone.)
    1. Find authoritative server -> Result
    2. Attempt nonsecure update -> Refused
    3. Secure update negotiation -> Accepted
    A secure dynamic update is accepted only if the client has the proper credentials to make the update.

    Describe the rationale for enabling secure updates, then use the build slide to describe the process that the client and DNS server use to perform a secure dynamic update. Mention that by default, Windows Server 2008 DNS servers are configured to support secure-only updates for Active Directory-integrated zones.

    References:
    - DNS Help: Understanding dynamic update
    - How DNS Support For Active Directory Works, http://go.microsoft.com/fwlink/?LinkId=99432 (review the Secure Dynamic Update section)

  • Demonstration: Configuring AD DS Integrated Zones

    In this demonstration, you will see how to configure:
    - A DNS zone as AD DS integrated
    - Dynamic updates on DNS zones
    - Dynamic update settings on a network connection
    - Secure dynamic updates

    Demonstration steps: To complete this demonstration, you must have the 6425A-NYC-DC1 virtual machine running. Demonstrate how to configure:
    - A DNS zone as AD DS-integrated.
    - Dynamic updates on DNS zones.
    - Dynamic update settings on a network connection.
    - Secure dynamic updates.

    References:
    - DNS Help: Create the default DNS application directory partitions
    - DNS Help: Understanding dynamic update

  • How Background Zone Loading Works

    When a domain controller with Active Directory-integrated DNS zones starts, it:
    1. Enumerates all zones to be loaded
    2. Loads root hints from files or AD DS servers
    3. Loads all zones that are stored in files rather than in AD DS
    4. Begins responding to queries and RPCs
    5. Starts one or more threads to load the zones that are stored in AD DS

    Refer back to the earlier question about one of the disadvantages of using dynamic updates: one of the ways in which Windows Server 2008 addresses the issue of very large Active Directory databases containing DNS records is by using background zone loading. If a DNS client requests data for a host in a zone that has already been loaded, the DNS server responds with the data (or, if appropriate, a negative response) as expected. If the request is for a node that has not yet been loaded into memory, the DNS server reads the node's data from AD DS, and then updates the node's record list accordingly. Let the students know that RPC stands for Remote Procedure Call.

    Reference: DNS Server Role, http://go.microsoft.com/fwlink/?LinkId=99431

  • Lesson 3: Configuring Read-Only DNS Zones
    - What Are Read-Only DNS Zones?
    - How Read-Only DNS Works
    - Discussion: Comparing DNS Options for Branch Offices

  • What Are Read-Only DNS Zones?

    - A feature supported on Read-Only Domain Controllers (RODCs)
    - All application partitions containing DNS information are replicated to the RODC
    Benefits:
    - DNS information required for AD DS name resolution is available for clients in the same site as the RODC
    - Changes are not allowed on the read-only DNS zone, which increases security

    Compare the read-only DNS zones with secondary name servers in standard DNS. In both cases, the zone information is read only. However, with read-only DNS on an RODC, the information is still stored in AD DS.

    Reference: DNS Server Role, http://go.microsoft.com/fwlink/?LinkId=99431

  • How Read-Only DNS Works

    - Read-only DNS is installed on an RODC when AD DS is installed and the DNS option is selected.
    - Read-only DNS zone data can be viewed, but cannot be updated.
    - Dynamic DNS update clients using the RODC are referred to a DNS server with a writeable copy of the zones.
    - Records cannot be manually added to the read-only zone.

    Mention that the only way to add a record to a DNS zone is to update a writeable copy of the zone, and then wait for replication to update the zone's read-only copy.

  • Discussion: Comparing DNS Options for Branch Offices
    - What options other than read-only DNS are available for implementing DNS in the branch office?
    - What are the advantages and disadvantages of each option?

    Other options include:
    - Caching-only DNS servers
    - Stub zones
    - Zone delegation
    - Standard secondary zones

    Compare the security, network traffic, and client response that each of these solutions provides.

    Reference: How DNS Support for Active Directory Works, http://go.microsoft.com/fwlink/?LinkId=99432 (review the sections on caching-only DNS, stub zones, and forwarding)

  • Lab: Configuring AD DS and DNS Integration
    - Exercise 1: Configuring Active Directory Integrated Zones
    - Exercise 2: Configuring Read-Only DNS Zones

    Logon information
    Estimated time: 45 minutes
    Virtual machines: NYC-DC1, MIA-RODC
    User name: Administrator
    Password: Pa$$w0rd

    In this lab, students will configure AD DS and DNS integration.
    Lab objectives:
    - Review SRV resource records
    - Configure AD DS and DNS integration
    - Configure read-only DNS zones

    Scenario: Woodgrove Bank is an enterprise that has offices located in several cities throughout the world. The organization also includes a business unit named Fabrikam, Inc., which includes a domain in the Woodgrove Bank forest. As part of the Windows Server 2008 deployment, the organization has decided to reconfigure the DNS design to optimize name resolution in each office, and to provide a more reliable DNS infrastructure. The enterprise administrator has created a design document for the DNS configuration. The design includes configuring AD DS integrated zones, configuring DNS dynamic updates, and configuring read-only DNS zones.

    Exercise 1: Configuring Active Directory Integrated Zones
    The student will configure the DNS zones for the Woodgrove Bank environment to meet the design requirements. The students will modify DNS zones to store them in AD DS (including a zone in the domain application partition and one in the forest application partition), and will configure dynamic updates. Students will also verify the SRV resource records that are registered by each domain controller.

    Exercise 2: Configuring Read-Only DNS Zones
    The student will configure a read-only DNS zone on an RODC, and will test dynamic updates and administrative updates.

    Inputs: Design documentation describing the required DNS deployment.

    Outputs: Successful installation and configuration of the DNS environment.

  • Lab Review
    - What would be the advantage of storing the Active Directory-integrated DNS zones in a custom application partition instead of the default partitions?
    - What steps could you take to recover the SRV resource records if they were deleted or corrupted?
    - Who can create Active Directory integrated zones?

    Lab Review Questions and Answers
    Question: What would be the advantage of storing the Active Directory integrated DNS zones in a custom application partition instead of the default partitions?
    Answer: The selected domain controllers running DNS could receive copies of the DNS zone. This might be useful in ensuring that internal and public records are replicated only to the correct DNS domain controllers.

    Question: What steps could you take to recover the SRV resource records if they were deleted or corrupted?
    Answer: Restarting the Netlogon service.

    Question: Who can create Active Directory integrated zones?
    Answer: Users with Administrative rights.

  • Module Review and Takeaways
    - Review questions
    - Module key points

    Review questions
    Question: What is the relationship between Active Directory domain names and DNS zone names?
    Answer: Each Active Directory domain must have an identically named DNS zone.

    Question: How does a client computer determine what site it is in?
    Answer: The client queries a domain controller by passing its IP address to the domain controller. The domain controller looks up the client's IP address in its subnet-to-site map, and then returns site information to the client. The client then stores that information in its registry.

    Question: List at least three benefits of Active Directory-integrated zones.
    Answer:
    - Faster and more efficient directory replication than standard DNS replication
    - Multimaster updates
    - Enhanced security with secure dynamic updates
    - Support for record aging and scavenging

    Question: In the following example of two SRV resource records, which record will be used by a client querying for a Session Initiation Protocol (SIP) service?
    _sip._tcp.example.com. 86400 IN SRV 10 60 5060 Lcs1.contoso.com.
    _sip._tcp.example.com. 86400 IN SRV 50 20 5060 Lcs2.contoso.com.

    Answer: The SRV resource record for Lcs1 will always be chosen if it is available, because it has a lower priority field. The weight field is used only if the priority fields are equal.
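    As an added example (not part of the course material), the following Python parses SRV records in the syntax shown on the "What Are Service Locator Records?" slide, applies the priority-then-weight selection rule described in the answer above, and compares a set of expected domain controller records against what is present in a zone, as the netlogon.dns demonstration does by hand. The two SIP records are the ones from the question; the contoso.msft records and the zone contents are constructed sample data.

```python
"""Added example: parse SRV resource records in zone-file syntax
(_service._protocol.name TTL IN SRV priority weight port target), pick a
target the way a DNS client does (RFC 2782), and report records that a
domain controller should have registered but that are missing from DNS.
The contoso.msft records below are constructed sample data."""
import random
from dataclasses import dataclass


@dataclass(frozen=True)
class SrvRecord:
    owner: str      # e.g. _ldap._tcp.contoso.msft
    ttl: int
    priority: int   # lower is preferred
    weight: int     # relative share among records of equal priority
    port: int
    target: str     # host offering the service


def parse_srv(line: str) -> SrvRecord:
    """Parse one 'owner TTL IN SRV priority weight port target' line.
    Owner and target are normalised: trailing dot removed, lower-cased."""
    fields = line.split()
    if len(fields) != 8 or fields[2].upper() != "IN" or fields[3].upper() != "SRV":
        raise ValueError(f"not an SRV record: {line!r}")
    owner, ttl, _cls, _type, prio, weight, port, target = fields
    return SrvRecord(owner.rstrip(".").lower(), int(ttl), int(prio),
                     int(weight), int(port), target.rstrip(".").lower())


def parse_zone_text(text: str) -> list:
    """Parse every non-blank, non-comment line of a netlogon.dns-style text."""
    records = []
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()   # ';' starts a zone-file comment
        if line:
            records.append(parse_srv(line))
    return records


def select_target(records, rng=random):
    """RFC 2782 client selection: only records with the lowest priority are
    candidates; among them, pick at random in proportion to weight."""
    if not records:
        return None
    best = min(r.priority for r in records)
    candidates = [r for r in records if r.priority == best]
    weights = [r.weight for r in candidates]
    if sum(weights) == 0:           # all weights zero: plain random choice
        return rng.choice(candidates)
    return rng.choices(candidates, weights=weights, k=1)[0]


def missing_records(expected, present):
    """Records a DC wrote to netlogon.dns that are absent from the live zone.
    Comparing the file against the zone is how you verify a DC's registrations."""
    return sorted(set(expected) - set(present),
                  key=lambda r: (r.owner, r.target))


# The two records from the review question.
SIP_RECORDS = parse_zone_text("""
_sip._tcp.example.com. 86400 IN SRV 10 60 5060 Lcs1.contoso.com.
_sip._tcp.example.com. 86400 IN SRV 50 20 5060 Lcs2.contoso.com.
""")

# Constructed sample: what a DC's netlogon.dns might contain for contoso.msft.
NETLOGON_DNS = """
; constructed sample, not a real netlogon.dns
_ldap._tcp.contoso.msft. 600 IN SRV 0 100 389 den-dc1.contoso.msft.
_kerberos._tcp.contoso.msft. 600 IN SRV 0 100 88 den-dc1.contoso.msft.
_ldap._tcp.dc._msdcs.contoso.msft. 600 IN SRV 0 100 389 den-dc1.contoso.msft.
"""

# Constructed sample: what is currently present in the DNS zone
# (the _kerberos record has been deleted, as in the demonstration).
LIVE_ZONE = """
_ldap._tcp.contoso.msft. 600 IN SRV 0 100 389 den-dc1.contoso.msft.
_ldap._tcp.dc._msdcs.contoso.msft. 600 IN SRV 0 100 389 den-dc1.contoso.msft.
"""


def demo():
    """Return the SIP target a client would pick and the owners of DC
    records that are missing from the live zone."""
    chosen = select_target(SIP_RECORDS)
    missing = missing_records(parse_zone_text(NETLOGON_DNS), parse_zone_text(LIVE_ZONE))
    return chosen.target, [r.owner for r in missing]


if __name__ == "__main__":
    target, missing = demo()
    print("SIP client will use:", target)
    print("DC records missing from DNS:", missing)
```

    Restarting NetLogon (as in the demonstration) should make the missing list empty again; if it does not, the zone is not accepting the DC's dynamic updates.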

    Question: What permissions are required to create DNS application directory partitions?
    Answer: Enterprise Admins permissions

    Question: What utilities are available to create application partitions?
    Answer: Dnscmd, NTDSutil, ADSI Edit, LDAP commands

    Question: What is the default state of dynamic updates for an Active Directory integrated zone?
    Answer: Secure Only

    Question: What is the default state of dynamic updates for a standard primary zone?
    Answer: None

    Question: What groups have permission to perform secure dynamic updates?
    Answer: Authenticated Users

    Module key points
    - Because of the dependency Windows Server 2008 and Active Directory clients have on DNS, the first step in troubleshooting Active Directory issues is often to troubleshoot DNS.
    - Service locator records are critical to AD DS functioning properly. Service locator records need to be highly available.
    - Windows Server 2008 can operate with any compatible DNS server, but Active Directory-integrated zones provide additional features and security.
    - Active Directory-integrated zones can be replicated domain-wide or forest-wide, or to specific domain controllers via custom application partitions.
    - Internal DNS records should be kept separate from public DNS records.
    - Dynamic updates lighten the administrative overhead of maintaining the DNS zone database.
    - Dynamic updates can be limited to Authenticated Users.
    - Background zone loading will reduce the time for DNS servers to become available after a restart.
    - You can use read-only DNS in conjunction with read-only domain controllers, to provide security while still providing required client functionality.

    This module helps students configure Domain Name Service for Active Directory Domain Services.

    After completing this module, students will be able to:Describe Active Directory Domain Services and Domain Name System (DNS) DNS IntegrationConfigure Active Directory Integrated Zones Configure Read-Only DNS

    Required materialsTo teach this module, you need the Microsoft Office PowerPoint file 6425A_02.ppt.

    Important It is recommended that you use PowerPoint 2002 or a later version to display the slides for this course. If you use PowerPoint Viewer or an earlier PowerPoint version, all the features of the slides might not be displayed correctly.

    Preparation tasksTo prepare for this module: Read all of the materials for this module. Complete the practices.

    This section contains information that will help you teach this module.

    For some topics in this module, references to additional information appear in notes at the end of the topics. Read the additional information so that you can prepare to teach the module. During class, ensure that students are aware of the additional information.

    Make sure that students are aware that there are additional information and resources for the module on the Course Companion CD.

    Presentation: 50 minutesLab: 45 minutes

    Use the build slide to compare options for integrating the internal Domain Name System (DNS) name space with external name spaces.Emphasize the importance of maintaining separate DNS servers for internal and external name resolution. The internal DNS zones must never be exposed to the Internet, as the internal zones will contain all of the domain controller records.Mention that Active Directory requires DNS, but that it does not require any particular type of DNS server. The internal and DNS servers can be different types.

    ReferenceHow DNS Support for Active Directory Workshttp://go.microsoft.com/fwlink/?LinkId=99432Stress the importance of SRV resource records in a Windows Server2008 environment. Since the release of Windows2000, all client computers have used DNS as the primary process for locating domain controllers. Without SRV resource records in DNS, logon from clients will be extremely slow or will fail.Describe the components of an SRV resource record, then use the example on the slide to describe how the record provides all of the information that a client computer needs to locate a domain controller.

    ReferencesDNS Administrator Help: Adding resource recordsDNS Administrator Help: Service Location (SRV) Resource Record Dialog Box Demonstration stepsTo complete this demonstration, you must have the 6425A-NYC-DC1 virtual machine running.Open the DNS management console and show the SRV resource records listed in MSDCS and in the WoodgroveBank.com domain. Go into detail describing one of the records, and then show the subfolders that contain records:Delete one of the SRV resource records in DNS.Stop and restart the NetLogon service, and confirm that the record is restored in DNS. Mention the importance of using a DNS server that supports DNS updates, so that the NetLogon service can register the records.Open %systemroot%\system32\config\netlogon.dns, and discuss how the records could be added to a DNS server that does not support dynamic updates.

    ReferencesHow DNS Support for Active Directory Workshttp://go.microsoft.com/fwlink/?LinkId=99432Describe the process that clients use to locate domain controllers. Mention that all computers, including workstations such as Windows XP and Windows Vista, and servers such as Windows Server2003 and Windows Server 2008, use the same process.

    ReferenceHow Domain Controllers Are Located in Windows XPhttp://go.microsoft.com/fwlink/?LinkId=99425Use the build slide to describe how a client computer locates a domain controller in the same site as the client computer.Mention that the site configuration for client computers is dynamic, and is based on the computers IP address and the site configuration in Active Directory. The client computer is not aware of its site location until it starts and receives the site information from DNS and Active Directory. On the other hand, domain controllers are configured with a static site configuration.On the build slide, steps 1 and 2 show the client computer starting up and requesting a domain controller from the DNS server. Steps 3 and 4 show the client connecting to a domain controller in a different site remember the client is not yet site-aware. The domain controller checks the client configuration, and then and redirects the client to communicate with a domain controller in its local site. This is shown in steps 5 and 6

    ReferenceFinding a Domain Controller in the Closest Site http://go.microsoft.com/fwlink/?LinkId=99427

    Ask students how Domain Name System (DNS) zones are stored and replicated outside of Active Directory Domain Services (AD DS). If students are not familiar with how DNS zones are stored in text files, briefly describe the files and how standard DNS replication works. Next explain how AD DS can also store DNS zone information, and describe the benefits of using this option.Ask the students if they can think of any disadvantages to storing DNS information in AD DS. One possible answer might be that if dynamic updates are enabled for all computers in an enterprise, the Active Directory database can be very large.

    ReferencesDNS Help: Understanding Active Directory Domain Services integrationHow DNS Support for Active Directory Workshttp://go.microsoft.com/fwlink/?LinkId=99432If students are not familiar with the concept of the AD DS partitions, briefly describe the three partitions (also called naming contexts).Next describe how those partitions can store DNS information. Highlight that, by default, DNS information is stored in different partitions than the other AD DS information.Mention that the default application partitions for storing DNS information in AD DS are automatically created when DNS is installed and configured during AD DS installation. To create the partitions after AD DS is installed, you can use the DNS management tool or the DNSCMD command-line tool.

    ReferencesDNS Help: Understanding DNS zone replication in Active Directory Domain ServicesDNS Help: Create the default DNS application directory partitions List the different partitions that are available for storing DNS information in AD DS. Mention that the primary reason for choosing each of the different zones is because each partition has a different replication scope.Consider using a diagram to describe the replication scopes for each partition. Include domain controllers that are not DNS servers and domain controllers that are in a different domain, and then show the effects of storing the Active Directory DNS information in each zone.Provide scenarios for when organizations might choose each option to store the DNS information in each partition. Summarize how to create a custom application partition for storing DNS information.

    ReferencesHow DNS Support for Active Directory Workshttp://go.microsoft.com/fwlink/?LinkId=99432DNS Help: Create a DNS application directory partitionDNS Help: To enlist a DNS server in a DNS application directory partition

    Describe how dynamic updates work. Mention that SOA stands for Start of Authority (SOA) resource record.Ask students what would happen if dynamic updates were not enabled. The biggest problem would be that domain controllers would not be able to register their records in DNS, so the domain controller records would have to be manually added.Mention that client computer resource records can be updated dynamically in DNS by Dynamic Host Configuration Protocol (DHCP) servers. (Refer to Course 6421 for more information)

    ReferencesDNS Help: Understanding dynamic update How DNS Support For Active Directory Works http://go.microsoft.com/fwlink/?LinkId=99432 review the Dynamic Update section Describe the rationale for enabling secure updates, then use the build slide to describe the process that the client and DNS server use to perform a secure dynamic update.Mention that by default, Windows Server 2008 DNS servers are configured to support secure-only updates for Active Directory-integrated zones.

    ReferencesDNS Help: Understanding dynamic update How DNS Support For Active Directory Works http://go.microsoft.com/fwlink/?LinkId=99432 review the Secure Dynamic Update section Demonstration stepsTo complete this demonstration, you must have the 6425A-NYC-DC1 virtual machine running.Demonstrate how to configure: A DNS zone as AD DS-integrated. Dynamic updates on DNS zones. Dynamic update settings on a network connection. Secure dynamic updates.

    ReferencesDNS Help: Create the default DNS application directory partitionsDNS Help: Understanding dynamic update Refer back to the earlier question about one of the disadvantages of using dynamic updates one of the ways in which Windows Server 2008 addresses the issue of very large Active Directory databases containing DNS records is by using background zone loading. If a DNS client requests data for a host in a zone that has been already loaded, the DNS server responds with the data (or, if appropriate, a negative response) as expected. If the request is for a node that has not yet been loaded into memory, the DNS server reads the node's data from AD DS, and then updates the node's record list accordingly. Let the students know that RPC stands for Remote Procedure Call (RPC).

    Reference
    DNS Server Role: http://go.microsoft.com/fwlink/?LinkId=99431

    Compare the read-only DNS zones with secondary name servers in standard DNS. In both cases, the zone information is read only. However, with read-only DNS on an RODC, the information is still stored in AD DS.

    Reference
    DNS Server Role: http://go.microsoft.com/fwlink/?LinkId=99431

    Mention that the only way to add a record to a DNS zone on an RODC is to update a writeable copy of the zone, and then wait for replication to update the zone's read-only copy. Other options include:
    - Caching-only DNS servers
    - Stub zones
    - Zone delegation
    - Standard secondary zones

    Compare the security, network traffic, and client response that each of these solutions provides.

    Reference
    How DNS Support for Active Directory Works: http://go.microsoft.com/fwlink/?LinkId=99432 (review the sections on caching-only DNS, stub zones, and forwarding)

    In this lab, students will configure AD DS and DNS integration.
    Lab objectives:
    - Review SRV resource records
    - Configure AD DS and DNS integration
    - Configure read-only DNS zones

    Scenario: Woodgrove Bank is an enterprise that has offices located in several cities throughout the world. The organization also includes a business unit named Fabrikam, Inc., which includes a domain in the Woodgrove Bank forest. As part of the Windows Server 2008 deployment, the organization has decided to reconfigure the DNS design to optimize name resolution in each office, and to provide a more reliable DNS infrastructure. The enterprise administrator has created a design document for the DNS configuration. The design includes configuring AD DS integrated zones, configuring DNS dynamic updates, and configuring read-only DNS zones.

    Exercise 1: Configuring Active Directory Integrated Zones
    The students will configure the DNS zones for the Woodgrove Bank environment to meet the design requirements. They will modify DNS zones to store them in AD DS (including a zone in the domain application partition and one in the forest application partition), and will configure dynamic updates. Students will also verify the SRV resource records that are registered by each domain controller.

    Exercise 2: Configuring Read-Only DNS Zones
    The students will configure a read-only DNS zone on an RODC, and will test dynamic updates and administrative updates.

    Inputs: Design documentation describing the required DNS deployment.

    Outputs: Successful installation and configuration of the DNS environment.

    Lab Review Questions and Answers
    Question: What would be the advantage of storing the Active Directory integrated DNS zones in a custom application partition instead of the default partitions?
    Answer: Only the selected domain controllers running DNS would receive copies of the DNS zone. This might be useful in ensuring that internal and public records are replicated only to the correct DNS domain controllers.

    Question: What steps could you take to recover the SRV resource records if they were deleted or corrupted?
    Answer: Restart the Netlogon service.

    Question: Who can create Active Directory integrated zones?
    Answer: Users with administrative rights.

    Review questions
    Question: What is the relationship between Active Directory domain names and DNS zone names?
    Answer: Each Active Directory domain must have an identically named DNS zone.

    Question: How does a client computer determine what site it is in?
    Answer: The client queries a domain controller by passing its IP address to the domain controller. The domain controller looks up the client's IP address in its subnet-to-site map, and then returns site information to the client. The client then stores that information in its registry.
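    The subnet-to-site lookup in the answer above, modelled as an added example (not part of the course materials). The subnet map, site names and addresses are constructed for the example; when subnet objects overlap, the most specific prefix wins, and an address that matches no subnet receives no site name.

```python
import ipaddress

# Constructed subnet-to-site map, standing in for the subnet objects an
# administrator defines under Active Directory Sites and Services. The
# site names and prefixes are made up for this example.
SUBNET_TO_SITE = {
    "10.0.0.0/8": "Default-First-Site-Name",
    "10.20.0.0/16": "NYC",
    "10.20.5.0/24": "NYC-Datacenter",
    "2001:db8:1::/48": "London",
}


def build_site_map(mapping):
    """Turn CIDR -> site pairs into a list sorted longest prefix first,
    so the most specific subnet object wins when several overlap."""
    entries = [(ipaddress.ip_network(cidr, strict=True), site)
               for cidr, site in mapping.items()]
    return sorted(entries, key=lambda e: e[0].prefixlen, reverse=True)


def lookup_site(client_ip, site_map):
    """Return the site name covering client_ip, or None when no subnet
    object covers it (such a client is reported without a site name)."""
    ip = ipaddress.ip_address(client_ip)
    for network, site in site_map:
        if ip.version == network.version and ip in network:
            return site
    return None


if __name__ == "__main__":
    site_map = build_site_map(SUBNET_TO_SITE)
    for addr in ("10.20.5.7", "10.20.9.1", "10.99.1.1",
                 "192.168.1.1", "2001:db8:1::5"):
        print(addr, "->", lookup_site(addr, site_map))
```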

    Question: List at least three benefits of Active Directory-integrated zones.
    Answer:
    - Faster and more efficient directory replication than standard DNS replication
    - Multimaster updates
    - Enhanced security with secure dynamic updates
    - Support for record aging and scavenging

    Question: In the following example of two SRV resource records, which record will be used by a client querying for a Session Initiation Protocol (SIP) service?
    _sip._tcp.example.com. 86400 IN SRV 10 60 5060 Lcs1.contoso.com.
    _sip._tcp.example.com. 86400 IN SRV 50 20 5060 Lcs2.contoso.com.

    Answer: The SRV resource record for Lcs1 will always be chosen if it is available, because it has a lower priority field. The weight field is used only if the priority fields are equal.
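    The priority-then-weight selection described in the answer above, as an added example that is not part of the course materials. It parses the two records from the question (constructed sample input in zone-file syntax) and orders the targets the way an RFC 2782 client would: lower priority first, and, among equal priorities, at random in proportion to weight.

```python
import random

# Constructed sample input: the two SRV records from the review question,
# in zone-file syntax (owner, TTL, class, type, priority, weight, port, target).
SAMPLE_RECORDS = [
    "_sip._tcp.example.com. 86400 IN SRV 10 60 5060 Lcs1.contoso.com.",
    "_sip._tcp.example.com. 86400 IN SRV 50 20 5060 Lcs2.contoso.com.",
]


def parse_srv(line):
    """Parse one SRV record in zone-file syntax into a dict of typed fields."""
    fields = line.split()
    if len(fields) != 8 or fields[3].upper() != "SRV":
        raise ValueError(f"not a well-formed SRV record: {line!r}")
    owner, ttl, _rclass, _rtype, prio, weight, port, target = fields
    return {"owner": owner, "ttl": int(ttl), "priority": int(prio),
            "weight": int(weight), "port": int(port), "target": target}


def order_srv_targets(records, rng=random):
    """Return (target, port) tuples in the order a client should try them.

    Lower priority values are always tried first; within one priority,
    targets are drawn at random with probability proportional to weight.
    Simplification of RFC 2782: a weight-0 target is drawn only after every
    weighted target in its priority group has been drawn.
    """
    parsed = [parse_srv(r) for r in records]
    ordered = []
    for prio in sorted({r["priority"] for r in parsed}):
        group = [r for r in parsed if r["priority"] == prio]
        while group:
            total = sum(r["weight"] for r in group)
            if total == 0:
                pick = rng.choice(group)
            else:
                point = rng.randint(0, total - 1)  # point on the weight line
                running = 0
                for r in group:
                    running += r["weight"]
                    if point < running:
                        pick = r
                        break
            ordered.append((pick["target"], pick["port"]))
            group.remove(pick)
    return ordered


if __name__ == "__main__":
    for target, port in order_srv_targets(SAMPLE_RECORDS):
        print(f"{target}:{port}")
```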

    Question: What permissions are required to create DNS application directory partitions?
    Answer: Enterprise Admins permissions

    Question: What utilities are available to create application partitions?
    Answer: Dnscmd, NTDSutil, ADSI Edit, LDAP commands

    Question: What is the default state of dynamic updates for an Active Directory integrated zone?
    Answer: Secure Only

    Question: What is the default state of dynamic updates for a standard primary zone?
    Answer: None

    Question: What groups have permission to perform secure dynamic updates?
    Answer: Authenticated Users

    Module key points
    - Because of the dependency Windows Server 2008 and Active Directory clients have on DNS, the first step in troubleshooting Active Directory issues is often to troubleshoot DNS.
    - Service locator records are critical to AD DS functioning properly.
    - Service locator records need to be highly available.
    - Windows Server 2008 can operate with any compatible DNS server, but Active Directory-integrated zones provide additional features and security.
    - Active Directory-integrated zones can be replicated domain-wide or forest-wide, or to specific domain controllers via custom application partitions.
    - Internal DNS records should be kept separate from public DNS records.
    - Dynamic updates lighten the administrative overhead of maintaining the DNS zone database.
    - Dynamic updates can be limited to Authenticated Users.
    - Background zone loading will reduce the time for DNS servers to become available after a restart.
    - You can use read-only DNS in conjunction with read-only domain controllers, to provide security while still providing required client functionality.