02-Configuring Domain Name Service for Active Directory Domain Services



(1)

Module 2: Configuring Domain Name Service for Active Directory®

(2)

Module Overview

• Overview of Active Directory Domain Services and DNS Integration

• Configuring Active Directory Integrated Zones

(3)

Lesson 1: Overview of Active Directory Domain Services and DNS Integration

• Active Directory Domain Services and DNS Namespace Integration

• What Are Service Resource Locator Records?

• Demonstration: SRV Locator Records Registered by AD DS Domain Controllers

• How Service Resource Locator Records Are Used

(4)

Active Directory Domain Services and DNS Namespace Integration

Active Directory domain names must use DNS names.

You can integrate an Active Directory domain name with the external namespace by using:

• The same namespace (diagram example: WoodgroveBank.com used both internally and externally)

• A subdomain of the external namespace (diagram example: Corp.WoodgroveBank.com under WoodgroveBank.com)

• A different namespace, where the internal (local) domain name and the external name differ (diagram example: Woodgrovecorp.com internally, WoodgroveBank.com externally)

(5)

What Are Service Locator Records?

SRV resource records allow DNS clients to locate TCP/IP-based services. SRV resource records are used when:

• A domain controller needs to replicate changes

• A client computer logs on to Active Directory

• A user attempts to change his or her password

• An Exchange 2003 server performs a directory lookup

• An administrator modifies Active Directory

SRV record syntax (the service label precedes the protocol label, as in the example below; a complete record carries all four data fields: priority, weight, port and target):

_service._protocol.name TTL class type priority weight port target

Example:

_ldap._tcp.contoso.msft 600 IN SRV 100 389 den-dc1.contoso.msft

(6)

Demonstration: SRV Resource Records Registered by AD DS Domain Controllers

(7)

How Service Resource Locator Records Are Used

1. Locator initiates a call to the Net Logon service

2. Locator collects information about the client

3. Net Logon uses the information and queries DNS for SRV resource records

4. Net Logon tests connectivity to the target servers

5. Domain controllers respond, indicating that they are operational

6. Net Logon returns the information to the client

(8)

Integration of Service Locator Records and Active Directory Sites

1. The client queries DNS for a DC

2. DNS responds with multiple records

3. The client contacts MIA-DC1 by using LDAP

4. MIA-DC1 returns site info: NYC

5. The client queries DNS for a DC in the NYC site

6. DNS responds with a DC in the NYC site

Diagram: MIA-DC1 is located in the Miami site; in step 4 the client learns that it belongs to the NYC site.
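The SRV syntax and the two locator slides above, as an added example written for this edit (not code from the course): it parses SRV records in the zone-file layout the syntax slide describes, builds the site-specific owner name under the `_sites` sub-tree that the locator queries in step 5, and chooses a target the way RFC 2782 prescribes (lowest priority first, then weighted random among ties). The zone lines, host names and site names are constructed sample data, and a record that lacks one of the four data fields is rejected by the parser.

```python
import random
import re

# Constructed zone-file lines (not from the course): domain-wide _ldap._tcp records plus per-site records.
SAMPLE_ZONE = """
_ldap._tcp.contoso.msft              600 IN SRV 0 100 389 den-dc1.contoso.msft.
_ldap._tcp.contoso.msft              600 IN SRV 0 100 389 nyc-dc1.contoso.msft.
_ldap._tcp.contoso.msft              600 IN SRV 10 50 389 mia-dc1.contoso.msft.
_ldap._tcp.NYC._sites.contoso.msft   600 IN SRV 0 100 389 nyc-dc1.contoso.msft.
_ldap._tcp.Miami._sites.contoso.msft 600 IN SRV 0 100 389 mia-dc1.contoso.msft.
"""
# Layout: _service._proto.name TTL IN SRV priority weight port target
SRV_LINE = re.compile(
    r"^(?P<owner>_(?P<service>[a-z0-9-]+)\._(?P<proto>tcp|udp)\.(?P<name>\S+))\s+"
    r"(?P<ttl>\d+)\s+IN\s+SRV\s+(?P<priority>\d+)\s+(?P<weight>\d+)\s+"
    r"(?P<port>\d+)\s+(?P<target>\S+)$", re.IGNORECASE)

def parse_srv(zone_text):
    """Group SRV records by owner name; a line missing any data field is rejected."""
    records = {}
    for line in zone_text.strip().splitlines():
        m = SRV_LINE.match(line.strip())
        if not m:
            raise ValueError(f"malformed SRV record: {line!r}")
        rec = {k: int(v) if k in ("ttl", "priority", "weight", "port") else v
               for k, v in m.groupdict().items()}
        records.setdefault(rec["owner"].lower(), []).append(rec)
    return records

def site_srv_name(service, proto, site, domain):
    """Owner name queried in step 5 of the slide: the site-specific record under _sites."""
    return f"_{service}._{proto}.{site}._sites.{domain}".lower()

def select_target(candidates, rng=random):
    """RFC 2782: lowest priority wins; equal priorities are picked at random by weight."""
    lowest = min(r["priority"] for r in candidates)
    tier = [r for r in candidates if r["priority"] == lowest]
    total = sum(r["weight"] for r in tier)
    pick = rng.uniform(0, total) if total else 0  # all-zero weights: take the first
    for rec in tier:
        pick -= rec["weight"]
        if pick <= 0:
            return rec

def locate_dc(records, domain, site=None, rng=random):
    """Locator order from the slide: the client's own site first, then the whole domain."""
    names = [site_srv_name("ldap", "tcp", site, domain)] if site else []
    names.append(f"_ldap._tcp.{domain}".lower())
    for name in names:
        if name in records:
            return select_target(records[name], rng)
    # No SRV records at all: the client cannot find a domain controller (returns None)
```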

(9)

Lesson 2: Configuring Active Directory Integrated Zones

• What Are Active Directory Integrated Zones?

• What Are Application Partitions in AD DS?

• Options for Configuring Application Partitions for DNS

• How Dynamic Updates Work

• How Secure Dynamic DNS Updates Work

• Demonstration: Configuring AD DS Integrated Zones

(10)

What Are Active Directory Integrated Zones?

Active Directory integrated zones store DNS zone data in the Active Directory database.

Benefits of using Active Directory integrated zones:

• Replicates DNS zone information using Active Directory replication

• Supports multiple master DNS servers

• Enhances security

(11)

What Are Application Partitions in AD DS?

• A DNS zone can be stored in the domain partition or in an application partition

• Administrators can define the replication scope of custom application partitions

• DomainDNSZones and ForestDNSZones are default application partitions that store DNS-specific data

Diagram: three domain controllers, each holding the Domain, Config and Schema partitions; the App1 and App2 application partitions are present only on the domain controllers within their replication scope (App1 and App2 on the first, none on the second, App1 on the third).

(12)

Options for Configuring Application Partitions for DNS

DNS information can be stored in a variety of application partitions. The replication scope selected for a zone determines which domain controllers receive it:

• To all domain controllers that are DNS servers in the Active Directory domain (the DomainDNSZones application partition)

• To all domain controllers that are DNS servers in the Active Directory forest (the ForestDNSZones application partition)

• To all domain controllers in the replication scope for the application partition (a custom application partition)

• To all domain controllers in the Active Directory domain (the domain partition)

Diagram: the Domain, Config and Schema partitions alongside the DomainDNSZones, ForestDNSZones and CustomApp partitions.

(13)

How Dynamic Updates Work

1. Client sends SOA query

2. DNS server sends zone name and server IP address

3. Client verifies existing registration

4. DNS server responds by stating that the registration does not exist

5. Client sends dynamic update to DNS server

Diagram: a DNS server (Windows Server 2008) holding the resource records, and clients running Windows Vista or Windows XP.

(14)

How Secure Dynamic DNS Updates Work

1. Find authoritative server

2. Attempt nonsecure update: Refused

3. Secure update negotiation: Accepted

A secure dynamic update is accepted only if the client has the proper credentials to make the update.
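The exchange in the two slides above, modelled as an added example (not course material) with a fake server and client: the client finds the primary server from the SOA record, checks its existing registration, attempts an unsigned update, and falls back to a signed one when the zone refuses nonsecure updates. The GSS-TSIG negotiation is reduced to a `principal` field standing for the authenticated identity, and the ownership check on existing records (the behaviour behind the slide's "proper credentials") is an assumption of this model; the policy names "none", "nonsecure_and_secure" and "secure" are this example's own.

```python
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class Zone:
    name: str
    soa_primary: str            # MNAME from the SOA record: the server updates are sent to
    dynamic_update: str         # "none", "nonsecure_and_secure" or "secure" (names used here)
    records: dict = field(default_factory=dict)  # host -> (ip, owning principal or None)

@dataclass
class Update:
    host: str
    ip: str
    principal: Optional[str] = None   # None: unsigned attempt; str: identity proven via GSS-TSIG

class DnsServer:
    """Authoritative server side: answers the client's queries and applies the update policy."""
    def __init__(self, zone):
        self.zone = zone
    def query_soa(self):
        return self.zone.soa_primary
    def query_a(self, host):
        rec = self.zone.records.get(host)
        return rec[0] if rec else None
    def update(self, upd):
        z = self.zone
        if z.dynamic_update == "none":
            return "REFUSED"
        if upd.principal is None and z.dynamic_update == "secure":
            return "REFUSED"                       # step 2 on the slide: nonsecure attempt refused
        existing = z.records.get(upd.host)
        if existing and existing[1] not in (None, upd.principal):
            return "REFUSED"                       # record is owned by a different principal
        z.records[upd.host] = (upd.ip, upd.principal)
        return "NOERROR"

def register(host, ip, principal, server):
    """Client side, in the order of the two slides; returns the exchange as (step, result) pairs."""
    log = [("SOA query", server.query_soa())]
    if server.query_a(host) == ip:
        log.append(("verify registration", "already current"))
        return log
    rc = server.update(Update(host, ip))
    log.append(("nonsecure update", rc))
    if rc == "REFUSED" and principal is not None:
        rc = server.update(Update(host, ip, principal))
        log.append(("secure update negotiation", rc))
    return log
```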

(15)

Demonstration: Configuring AD DS Integrated Zones

In this demonstration, you will see how to configure:

• A DNS zone as AD DS integrated

• Dynamic updates on DNS zones

• Dynamic update settings on a network connection

(16)

How Background Zone Loading Works

When a domain controller with Active Directory integrated DNS zones starts, it:

Enumerates all zones to be loaded

Loads root hints from files or AD DS servers

Loads all zones that are stored in files rather than in AD DS

Begins responding to queries and RPCs

(17)

Lesson 3: Configuring Read-Only DNS

• What Is Read-Only DNS?

• How Read-Only DNS Works

(18)

What Is Read-Only DNS?

A feature supported on Read-Only Domain Controllers

All application partitions containing DNS information are replicated to the RODC

Benefits:

DNS information required for Active Directory name resolution is available for clients in the same site as the RODC

(19)

How Read-Only DNS Works

Read-only DNS is installed on an RODC when AD DS is installed and the DNS option is selected.

1. Read-only DNS zone data can be viewed, but cannot be updated

2. Dynamic DNS update clients using the RODC are referred to a DNS server with a writeable copy of the zones

3. Records cannot be manually added to the read-only zone

(20)

Discussion: Comparing DNS Options for Branch Offices

• What options other than read-only DNS are available for implementing DNS in the branch office?

(21)

Lab: Configuring AD DS and DNS Integration

• Exercise 1: Configuring Active Directory Integrated Zones

• Exercise 2: Configuring Read-Only DNS Zones

Logon information

• Virtual machine: NYC-DC1, MIA-RODC

• User name: Administrator

• Password: Pa$$w0rd

(22)

Lab Review

• What would be the advantage to storing the Active Directory integrated DNS zones in a custom application partition instead of the default partitions?

• What steps could you take to recover the SRV resource records if they were deleted or corrupted?

(23)

Module Review and Takeaways

• Review questions

(24)

Beta Feedback Tool

• Beta feedback tool helps:

 Collect student roster information, module feedback, and course evaluations

 Identify and sort the changes that students request, thereby facilitating a quick team triage

 Save data to a database in SQL Server that you can later query

(25)

Beta Feedback

Overall flow of module:

 Which topics did you think flowed smoothly from topic to topic?

 Was something taught out of order?

Pacing:

 Were you able to keep up? Are there any places where the pace felt too slow?

 Were you able to process what the instructor said before moving on to next topic?

 Did you have ample time to reflect on what you learned? Did you have time to formulate and ask questions?

Learner activities:

 Which demos helped you learn the most? Why do you think that is?

 Did the lab help you synthesize the content in the module? Did it help you to understand how you can use this knowledge in your work environment?

 Were there any discussion questions or reflection questions that really made you think? Were there questions you

Date posted: 20/04/2021, 03:49