02 Configuring Domain Name Service for Active Directory Domain Services

Transcript of 02 Configuring Domain Name Service for Active Directory Domain Services

Page 1

Module 2: Configuring Domain Name Service for Active Directory® Domain Services

Page 2

Module Overview

• Overview of Active Directory Domain Services and DNS Integration

• Configuring Active Directory Integrated Zones

• Configuring Read-Only DNS

Page 3

Lesson 1: Overview of Active Directory Domain Services and DNS Integration

• Active Directory Domain Services and DNS Namespace Integration

• What Are Service Resource Locator Records?

• Demonstration: SRV Locator Records Registered by AD DS Domain Controllers

• How Service Resource Locator Records Are Used

• Integration of Service Resource Locator Records and Active Directory Sites

Page 4

Active Directory Domain Services and DNS Namespace Integration

Active Directory domain names must use DNS names.

You can integrate an Active Directory domain name with the external namespace by using:

• The same namespace (in the slide diagram, WoodgroveBank.com is used both internally and externally)

• A subdomain of the external namespace (Corp.WoodgroveBank.com under WoodgroveBank.com)

• A different namespace, where the internal domain name and the external name are different (Woodgrovecorp.com internally, WoodgroveBank.com externally)

Page 5

What Are Service Locator Records?

SRV resource records allow DNS clients to locate TCP/IP-based services. SRV resource records are used when:

• A domain controller needs to replicate changes

• A client computer logs on to Active Directory

• A user attempts to change his or her password

• An Exchange 2003 server performs a directory lookup

• An administrator modifies Active Directory

SRV record syntax:

_service._protocol.name TTL class type priority weight port target

Example of an SRV record:

_ldap._tcp.contoso.msft 600 IN SRV 0 100 389 den-dc1.contoso.msft

Page 6

How Service Resource Locator Records Are Used

1. Locator initiates a call to the Net Logon service

2. Locator collects information about the client

3. Net Logon uses the information and queries DNS for SRV resource records

4. Net Logon tests connectivity to the target servers

5. Domain controllers respond, indicating that they are operational

6. Net Logon returns the information to the client
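The following is an added example, not part of the course module: it queries the same SRV records that Net Logon looks up to find a domain controller and lists them the way a DNS client prefers them (lowest priority first, then highest weight). The domain name contoso.msft and the site name NYC are assumed values taken from the slides; the function name is the author's own.

```powershell
# Added example (not from the course module): list the SRV records Net Logon uses
# to locate domain controllers. Domain and site names are assumptions.
function Get-DcLocatorRecords {
    param(
        [Parameter(Mandatory)] [string]$DnsDomain,   # e.g. contoso.msft
        [string]$Site                                # AD DS site name, if the client knows it
    )
    # Site-specific record when a site is known (step 5 on the sites slide),
    # otherwise the domain-wide _ldap._tcp record shown on the SRV slide
    $recordName = if ($Site) { "_ldap._tcp.$Site._sites.$DnsDomain" } else { "_ldap._tcp.$DnsDomain" }

    $records = Resolve-DnsName -Name $recordName -Type SRV -ErrorAction SilentlyContinue |
        Where-Object { $_.Type -eq 'SRV' }

    if (-not $records) {
        # No SRV records means clients cannot locate a DC through DNS for this name.
        # On a domain controller, 'nltest /dsregdns' or restarting the Netlogon
        # service re-registers the records.
        Write-Warning "No SRV records found for $recordName"
        return
    }

    # Clients use the lowest priority first; among equal priorities, higher weight
    # receives proportionally more of the requests
    $records |
        Sort-Object -Property Priority, @{ Expression = 'Weight'; Descending = $true } |
        Select-Object Priority, Weight, Port, NameTarget
}

# Usage with the assumed names: the domain-wide record, then the NYC site record
Get-DcLocatorRecords -DnsDomain 'contoso.msft'
Get-DcLocatorRecords -DnsDomain 'contoso.msft' -Site 'NYC'
```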

Page 7

Integration of Service Locator Records and Active Directory Sites

Diagram: a client in the Miami site, the local DNS server, MIA-DC1 in the Miami site and NYC-DC1 in the NYC site

1. Client queries DNS for a DC

2. DNS responds with multiple records

3. Client contacts MIA-DC1 by using LDAP

4. MIA-DC1 returns site info: NYC

5. Client queries DNS for a DC in the NYC site

6. DNS responds with a DC in the NYC site

Page 8

Lesson 2: Configuring Active Directory Integrated Zones

• What Are Active Directory Integrated Zones?

• What Are Application Partitions in AD DS?

• Options for Configuring Application Partitions for DNS

• How Dynamic Updates Work

• How Secure Dynamic DNS Updates Work

• Demonstration: Configuring AD DS Integrated Zones

• How Background Zone Loading Works

Page 9

What Are Active Directory Integrated Zones?

Active Directory integrated zones store DNS zone data in the Active Directory database

Benefits of using Active Directory integrated zones:

• Replicates DNS zone information using Active Directory replication

• Supports multiple master DNS servers

• Enhances security

• Supports record aging and scavenging

Page 10

What Are Application Partitions in AD DS?

• A DNS zone can be stored in the domain partition or in an application partition

• Administrators can define the replication scope of custom application partitions

• DomainDnsZones and ForestDnsZones are default application partitions that store DNS-specific data

Diagram: three domain controllers each hold the Domain, Config and Schema partitions; the application partitions App1 and App2 are held only by the domain controllers in their replication scope (one holds App1 and App2, one holds neither, one holds App1 only)

The Active Directory database is divided into directory partitions, with each directory partition replicated to specific domain controllers

Page 11

Options for Configuring Application Partitions for DNS

DNS information can be stored in a variety of application partitions. The replication scope chosen for a zone determines which domain controllers receive its data:

• To all domain controllers that are DNS servers in the Active Directory domain (DomainDnsZones partition)

• To all domain controllers that are DNS servers in the Active Directory forest (ForestDnsZones partition)

• To all domain controllers in the replication scope for the application partition (custom application partition)

• To all domain controllers in the Active Directory domain (domain partition)

Diagram: partitions on a domain controller: Domain, Config, Schema, DomainDnsZones, ForestDnsZones, CustomApp

Page 12

How Dynamic Updates Work

Diagram: a DNS client (Windows Server 2008, Windows Vista or Windows XP) registering its resource records with a DNS server

1. Client sends SOA (Start of Authority) query

2. DNS server sends zone name and server IP address

3. Client verifies existing registration

4. DNS server responds by stating that registration does not exist

5. Client sends dynamic update to DNS server

Page 13

How Secure Dynamic DNS Updates Work

Diagram: a Windows 7 DNS client, a local DNS server, and a domain controller with an Active Directory integrated DNS zone

1. Find authoritative server

2. Result

3. Attempt nonsecure update

4. Refused

5. Secure update negotiation

6. Accepted

A secure dynamic update is accepted only if the client has the proper credentials to make the update

Page 14

Demonstration: Configuring AD DS Integrated Zones

In this demonstration, you will see how to configure:

• A DNS zone as AD DS integrated

• Dynamic updates on DNS zones

• Dynamic update settings on a network connection

• Secure dynamic updates
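The following is an added example, not part of the course module or its demonstration: it shows the zone configuration the previous slides describe (AD DS integrated storage, a replication scope that maps to an application partition, and secure-only dynamic updates) together with an audit of zones that still accept nonsecure updates. It assumes the DnsServer PowerShell module (Windows Server 2012 or later, not the Windows Server 2008 tools shown in the module); the zone and partition names are assumptions.

```powershell
# Added example (not from the course module). Assumes the DnsServer module;
# zone and partition names are made up for illustration.
Import-Module DnsServer

# Replication scope selects the application partition that stores the zone:
#   Domain -> DomainDnsZones (DNS servers in the domain)
#   Forest -> ForestDnsZones (DNS servers in the forest)
#   Custom -> a partition you create, replicated only to DCs enlisted in it
Add-DnsServerPrimaryZone -Name 'corp.woodgrovebank.com' `
    -ReplicationScope Forest -DynamicUpdate Secure

# Custom application partition for a zone that should only reach selected DCs
Add-DnsServerDirectoryPartition -Name 'BranchDnsZones.woodgrovebank.com'
Add-DnsServerPrimaryZone -Name 'branch.woodgrovebank.com' `
    -ReplicationScope Custom `
    -DirectoryPartitionName 'BranchDnsZones.woodgrovebank.com' `
    -DynamicUpdate Secure

# Weak setting: NonsecureAndSecure accepts updates from any host without
# credentials, so an unauthenticated host can register or change records.
# Set-DnsServerPrimaryZone -Name 'corp.woodgrovebank.com' -DynamicUpdate NonsecureAndSecure
# Corrected setting: only authenticated clients may update (the "Refused" then
# "Accepted" exchange on the secure dynamic update slide).
Set-DnsServerPrimaryZone -Name 'corp.woodgrovebank.com' -DynamicUpdate Secure

# Audit: AD DS integrated forward zones that still allow nonsecure updates
function Get-ZonesAllowingNonsecureUpdates {
    Get-DnsServerZone |
        Where-Object {
            $_.IsDsIntegrated -and
            -not $_.IsReverseLookupZone -and
            $_.DynamicUpdate -ne 'Secure'
        } |
        Select-Object ZoneName, DynamicUpdate, ReplicationScope, DirectoryPartitionName
}

Get-ZonesAllowingNonsecureUpdates
```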

Page 15

How Background Zone Loading Works

When a domain controller with Active Directory integrated DNS zones starts, it:

• Enumerates all zones to be loaded

• Loads root hints from files or AD DS servers

• Loads all zones that are stored in files rather than in AD DS

• Begins responding to queries and RPCs (remote procedure calls)

• Starts one or more threads to load the zones that are stored in AD DS

Page 16

Lesson 3: Configuring Read-Only DNS

• What Is Read-Only DNS?

• How Read-Only DNS Works

• Discussion: Comparing DNS Options for Branch Offices

Page 17

What Is Read-Only DNS?

• A feature supported on Read-Only Domain Controllers

• All application partitions containing DNS information are replicated to the RODC

Benefits:

• DNS information required for Active Directory name resolution is available for clients in the same site as the RODC

• Changes are not allowed on the read-only DNS zone, which increases security

Page 18

How Read-Only DNS Works

Read-only DNS is installed on an RODC when AD DS is installed and the DNS option is selected

• Read-only DNS zone data can be viewed, but cannot be updated

• Clients that send dynamic DNS updates to the RODC are referred to a DNS server with a writable copy of the zone

• Records cannot be manually added to the read-only zone

Page 19

Discussion: Comparing DNS Options for Branch Offices

• What options other than read-only DNS are available for implementing DNS in the branch office?

• What are the advantages and disadvantages of each option?

Page 20

Lab: Configuring AD DS and DNS Integration

• Exercise 1: Configuring Active Directory Integrated Zones

• Exercise 2: Configuring Read-Only DNS Zones

Logon information:

• Virtual machines: NYC-DC1, MIA-RODC

• User name: Administrator

• Password: Pa$$w0rd

Estimated time: 45 minutes

Page 21

Lab Review

• What would be the advantage to storing the Active Directory integrated DNS zones in a custom application partition instead of the default partitions?

• What steps could you take to recover the SRV resource records if they were deleted or corrupted?

• Who can create Active Directory integrated zones?

Page 22

Module Review and Takeaways

• Review questions

• Module key points

Page 23

Beta Feedback Tool

• The beta feedback tool helps: collect student roster information, module feedback, and course evaluations; identify and sort the changes that students request, thereby facilitating a quick team triage; and save data to a database in SQL Server that you can later query.

• Walkthrough of the tool

Page 24

Beta Feedback

• Overall flow of module: Which topics did you think flowed smoothly from topic to topic? Was something taught out of order?

• Pacing: Were you able to keep up? Are there any places where the pace felt too slow? Were you able to process what the instructor said before moving on to the next topic? Did you have ample time to reflect on what you learned? Did you have time to formulate and ask questions?

• Learner activities: Which demos helped you learn the most? Why do you think that is? Did the lab help you synthesize the content in the module? Did it help you to understand how you can use this knowledge in your work environment? Were there any discussion questions or reflection questions that really made you think? Were there questions you thought weren’t helpful?