02 Configuring Domain Name Service for Active Directory Domain Services
-
Upload
nguyen-minh-quyen -
Category
Documents
-
view
42 -
download
7
Transcript of 02 Configuring Domain Name Service for Active Directory Domain Services
Module 2: Configuring Domain Name Service
for Active Directory® Domain Services
22
Module Overview
• Overview of Active Directory Domain Services and DNS Integration
• Configuring Active Directory Integrated Zones
• Configuring Read-Only DNS
33
Lesson 1: Overview of Active Directory Domain Services and DNS Integration
• Active Directory Domain Services and DNS Namespace Integration
• What Are Service Resource Locator Records?
• Demonstration: SRV Locator Records Registered by AD DS Domain Controllers
• How Service Resource Locator Records Are Used
• Integration of Service Resource Locator Records and Active Directory Sites
Active Directory Domain Services and DNS Namespace Integration
WoodgroveBank.com
WoodgroveBank.com
Active Directory domain names must use DNS names
Corp.WoodgroveBank.com
Woodgrovecorp.com
You can integrate an Active Directory domain name with the external name space by using:
• The same name space
• A sub domain of the external name space
• A different name space where the domain and local are different names
55
What Are Service Locator Records?
SRV resource records allow DNS clients to locate TCP/IP-based Services. SRV resource records are used when:
• A domain controller needs to replicate changes
• A client computer logs on to Active Directory
• A user attempts to change his or her password
• An Exchange 2003 server performs a directory lookup
• An administrator modifies Active Directory
_ldap._tcp.contoso.msft 600 IN SRV 0 100 389 den-dc1.contoso.msft_ldap._tcp.contoso.msft 600 IN SRV 0 100 389 den-dc1.contoso.msft
protocol.service.name TTL class type priority weight port targetprotocol.service.name TTL class type priority weight port target
SRV record syntax:
Example of an SRV record
66
How Service Resource Locator Records Are Used?
Locator initiates a call to Net Logon service11
Net Logon uses the information and queries DNS for SRV resource records33
Net Logon tests connectivity to target servers44
Locator collects information about the client22
Domain controllers respond, indicating that they are operational55
Net Logon returns the information to clients66
77
Integration of Service Locator Records and Active Directory Sites
1. Queries DNS for DC
4. MIA-DC1 returns site info NYC
2. Responds with multiple records
5. Queries DNS for DC in NYC site
6. Responds with DC in NYC site
Miami SiteMiami Site
3. Contacts MIA-DC1 by using LDAP
Local DNS Server
MIA-DC1NYC-DC1
NYC SiteNYC Site
88
Lesson 2: Configuring Active Directory Integrated Zones
• What Are Active Directory Integrated Zones?
• What Are Application Partitions in AD DS?
• Options for Configuring Application Partitions for DNS
• How Dynamic Updates Work?
• How Secure Dynamic DNS Updates Work?
• Demonstration: Configuring AD DS Integrated Zones
• How Background Zone Loading Works?
99
What Are Active Directory Integrated Zones?
Active Directory integrated zones store DNS zone data in the Active Directory database
Benefits of using Active Directory integrated zones:
• Replicates DNS zone information using Active Directory replication
• Supports multiple master DNS servers
• Enhances security
• Supports record aging and scavenging
1010
What Are Application Partitions in AD DS?
• A DNS zone can be stored in the domain partition or in an application partition
• Administrators can define the replication scope of customapplication partitions
• DomainDNSzones and forestDNSzones are default application partitions that store DNS-specific data
Domain
Config
Schema
App1
App2
Domain
Config
Schema
Domain
Config
Schema
App1
The Active Directory database is divided into directory partitions, with each directory partition replicated to specific domain controllers
1111
Options for Configuring Application Partitions for DNS
To all domain controllers that are DNS servers in the Active Directory domain
To all domain controllers that are DNS servers in the Active Directory domain
To all domain controllers in the replication scope for the application partition
To all domain controllers in the replication scope for the application partition
To all domain controllers that are DNS servers in the Active Directory forest
To all domain controllers that are DNS servers in the Active Directory forest
To all domain controllers in the Active Directory domainTo all domain controllers in the Active Directory domain
Domain
Config
Schema
DomainDNSZone
ForestDNSZones
CustomApp
DNS information can be stored in a variety of application partitions DNS information can be stored in a variety of application partitions
1212
How Dynamic Updates Work
Client sends SOA (Start of
Authority) query
DNS server sends zone name and server IP address
Client verifies existing registration
DNS server responds by stating that registration does not exist
Client sends dynamic update to DNS server
Resource Records
DNS Server
Windows Server 2008
Windows Vista
Windows XP
11
33
44
22
55
11 22 33 44 55
1313
How Secure Dynamic DNS Updates Work
Find authoritative server
Result
Find authoritative serverResultAttempt nonsecure updateRefusedSecure update negotiationAccepted
A secure dynamic update is accepted only if the client has the proper credentials to make the update A secure dynamic update is accepted only if the client has the proper credentials to make the update
Windows 7 DNS Client
Domain Controller with Active Directory
Integrated DNS Zone
Local DNS
Server
1414
Demonstration: Configuring AD DS Integrated Zones
In this demonstration, you will see how to configure:
• A DNS zone as AD DS integrated
• Dynamic updates on DNS zones
• Dynamic update settings on a network connection
• Secure dynamic updates
1515
How Background Zone Loading Works
When a domain controller with Active Directory integrated DNS zones starts, it:
• Enumerates all zones to be loaded
• Loads root hints from files or AD DS servers
• Loads all zones that are stored in files rather than in AD DS
• Begins responding to queries and RPCs(Remote Procedure Call)
• Starts one or more threads to load the zones that are stored in AD DS
1616
Lesson 3: Configuring Read-Only DNS
• What Is Read-Only DNS?
• How Read-Only DNS Works
• Discussion: Comparing DNS Options for Branch Offices
1717
What Is Read-Only DNS?
• A feature supported on Read-Only Domain Controllers
• All application partitions containing DNS information are replicated to the RODC
Benefits:
• DNS information required for Active Directory name resolution is available for clients in the same site as the RODC
• Changes are not allowed on the read-only DNS zone, which increases security
1818
How Read-Only DNS Works
Read-only DNS is installed on an RODC when AD DS is installed and the DNS option is selected Read-only DNS is installed on an RODC when AD DS is installed and the DNS option is selected
• Read-only DNS zone data can be viewed, but cannot be updated
• Dynamic DNS updated clients using the RODC are referred to a DNS server with a writeable copy of the zones
• Records cannot be manually added to the read-only zone
112233
1919
Discussion: Comparing DNS Options for Branch Offices
• What options other than read-only DNS are available for implementing DNS in the branch office?
• What are the advantages and disadvantages of each option?
2020
Lab: Configuring AD DS and DNS Integration
• Exercise 1: Configuring Active Directory Integrated Zones
• Exercise 2: Configuring Read-Only DNS Zones
Logon information
Virtual machine NYC-DC1, MIA-RODC
User name Administrator
Password Pa$$w0rd
Estimated time: 45 minutes
2121
Lab Review
• What would be the advantage to storing the Active Directory integrated DNS zones in a custom application partition instead of the default partitions?
• What steps could you take to recover the SRV resource records if they were deleted or corrupted?
• Who can create Active Directory integrated zones?
2222
Module Review and Takeaways
• Review questions
• Module key points
2323
Beta Feedback Tool
• Beta feedback tool helps: Collect student roster information, module feedback, and
course evaluations. Identify and sort the changes that students request, thereby
facilitating a quick team triage. Save data to a database in SQL Server that you can later
query.
• Walkthrough of the tool
2424
Beta Feedback
• Overall flow of module: Which topics did you think flowed smoothly from topic to
topic? Was something taught out of order?
• Pacing: Were you able to keep up? Are there any places where the
pace felt too slow? Were you able to process what the instructor said before
moving on to next topic? Did you have ample time to reflect on what you learned? Did
you have time to formulate and ask questions?• Learner activities:
Which demos helped you learn the most? Why do you think that is?
Did the lab help you synthesize the content in the module? Did it help you to understand how you can use this knowledge in your work environment?
Were there any discussion questions or reflection questions that really made you think? Were there questions you thought weren’t helpful?