6425A_02 Configuring DNS for Active Directory Domain Services

8/14/2019 6425A_02 Configuring DNS for Active Directory Domain Services

1/24

Module 2: Configuring

Domain Name Servicefor Active DirectoryDomain Services


2/24

Module Overview

Overview of Active Directory Domain Services andDNS Integration

Configuring AD DS Integrated Zones

Configuring Read-Only DNS Zones


3/24

Lesson 1: Overview of Active Directory DomainServices and DNS Integration

AD DS and DNS Namespace Integration

What Are Service Resource Locator Records?

Demonstration: SRV Locator Records Registered by AD DS

Domain Controllers

How Service Resource Locator Records Are Used

Integrating Service Resource Locator Records andAD DS Sites


4/24

AD DS and DNS Namespace Integration

WoodgroveBank.com

WoodgroveBank.com

AD DS domain names must use DNS names

Corp.WoodgroveBank.com

Woodgrovecorp.com

You can integrate an ADDS domain name withthe externalnamespace by using:

The same name space

A sub domain of the externalname space

A different name space where the domainand local are different names


5/24

What Are Service Locator Records?

SRV resource records allow DNS clients to locate TCP/IP-based Services. SRV resource records are used when:

A domain controller needs to replicate changes

A client computer logs on to AD DS

A user attempts to change his or her password

An Exchange 2003 server performs a directory lookup

An administrator modifies AD DS

_ldap._tcp.contoso.msft 600 IN SRV 0 100 389 den-

dc1.contoso.msft

_ldap._tcp.contoso.msft 600 IN SRV 0 100 389 den-

dc1.contoso.msft

protocol.service.name TTL class type priority weightport target

protocol.service.name TTL class type priority weightport target

SRV record syntax:

Example of an SRV record


6/24

Demonstration: SRV Resource RecordsRegistered by AD DS Domain Controllers

In this demonstration, you will see how to view and managethe SRV resource records registered by domain controllers


7/24

How Service Resource Locator Records Are Used

Locator initiates a call to Net Logon service1

Net Logon uses the information and queries DNS

for SRV resource records

3

Net Logon tests connectivity to target servers4

Locator collects information about the client2

Domain controllers respond, indicating that theyare operational5

Net Logon returns the information to clients6


8/24

Integrating Service Locator Records andAD DS Sites

1.QueriesDN

SforDC

4.MIA-DC1returnssiteinfoNYC

2.Responds

withmultiple

records

5.QueriesDN

SforDCinNY

Csite

6.Respondswith

DCinNYCsi

te

Miami SiteMiami Site

3.ContactsMIA-DC1byusingLDAP

Local DNS

Server

MIA-DC1NYC-DC1

NYC SiteNYC Site


9/24

Lesson 2: Configuring AD DS Integrated Zones

What Are AD DS Integrated Zones?

What Are Application Partitions in AD DS?

Options for Configuring Application Partitionsfor DNS

How Dynamic Updates Work

How Secure Dynamic DNS Updates Work

Demonstration: Configuring AD DS Integrated Zones

How Background Zone Loading Works


10/24

What Are AD DS Integrated Zones?

AD DS integrated zones store DNS zone data in the

AD DS database

Benefits of using AD DS integrated zones: Replicates DNS zone information using AD DS replication

Supports multiple master DNS servers

Enhances security

Supports record aging/expiration and scavenging


11/24

What Are Application Partitions in AD DS?

Win 2000 Server: A DNS zone can be stored in the domain partition or inanapplication partition(a DNS, but not Schema, config, Domain)

Administrators can define the replication scope of customapplication partitions

>Win Server 03: If DC is also a DNS: it will has DomainDNS zone:DomainDNSzones and forestDNSzones are default application partitionsthat store DNS-specific data

Domain

Config

Schema

App1

App2

Domain

Config

Schema

Domain

Config

Schema

App1

The AD DS database is divided into directory partitions,

with each directory partition replicated to specific domain controllers


12/24

Options for Configuring Application Partitionsfor DNS

To all domain controllers that are DNSservers in the AD DS domain

To all domain controllers that are DNSservers in the AD DS domain

To all domain controllers in the replicationscope for theapplication partition

To all domain controllers in the replicationscope for theapplication partition

To all domain controllers that are DNSservers in the AD DS forest

To all domain controllers that are DNSservers in the AD DS forest

To all domain controllers in theAD DS domain

To all domain controllers in theAD DS domain

Domain

Config

Schema

DomainDNSZone

ForestDNSZones

CustomApp

DNS information can be stored in a variety of applicationpartitionsDNS information can be stored in a variety of applicationpartitions


13/24

How Dynamic Updates Work

Client sends SOA query

DNS server sends zonename and server IP address

Client verifies existingregistration

DNS server responds bystating that registrationdoes not exist

Client sends dynamicupdate to DNS server

ResourceRecords

DNSServer

WindowsServer 2008

WindowsVista

WindowsXP

1

3

4

2

5

1 2 3 4 5


14/24

How Secure Dynamic DNS Updates Work

Findauthoritativeserver

Result

FindauthoritativeserverResult

AttemptnonsecureupdateRefusedSecu

reupdatenegotiationAccepted

A secure dynamic update is accepted only if the client has the

proper credentials to make the update

A secure dynamicupdate is accepted only if the client has the

proper credentials to make the update

WindowsVistaDNS Client

Domain Controller

with Active DirectoryIntegrated DNS Zone

LocalDNS

Server

D i C fi i AD DS


15/24

Demonstration: Configuring AD DSIntegrated Zones

In this demonstration, you will see how to configure:

A DNS zone as AD DS integrated

Dynamic updates on DNS zones

Dynamic update settings on a network connection

Secure dynamic updates


16/24

How Background Zone Loading Works

When a domain controller with Active Directory-integratedDNS zones starts, it:

Enumerates all zones to be loaded

Loads root hints from files or AD DS servers

Loads all zones that are stored in files rather than in AD DS

Begins responding to queries and RPCs

Starts one or more threads to load the zones that arestored in AD DS


17/24

Lesson 3: Configuring Read-Only DNS Zones

What Are Read-Only DNS Zones?

How Read-Only DNS Works

Discussion: Comparing DNS Options for Branch Offices


18/24

What Are Read-Only DNS Zones?

A feature supported on Read-Only Domain Controllers

All application partitions containing DNS information arereplicated to the RODC

Benefits: DNS information required for AD DS name

resolution is available for clients in the same site asthe RODC

Changes are not allowed on the read-only DNS zone,which increases security


19/24

How Read-Only DNS Works

Read-only DNS is installed on an RODC when AD DS isinstalled, and the DNS option is selectedRead-only DNS is installed on an RODC when AD DS isinstalled, and the DNS option is selected

Read-only DNS zone data can be viewed, but cannotbe updated

Dynamic DNS updated clients using the RODC are referredto a DNS server with a writeable copy of the zones

Records cannot be manually added to the read-only zone

123

Di i C i DNS O ti f


20/24

Discussion: Comparing DNS Options forBranch Offices

What options other than read-only DNS are available forimplementing DNS in the branch office?

What are the advantages and disadvantages ofeach option?


21/24

Lab: Configuring AD DS and DNS Integration

Exercise 1: Configuring Active Directory Integrated Zones

Exercise 2: Configuring Read-Only DNS Zones

Logon information

Virtual machine NYC-DC1, MIA-RODC

User name Administrator

Password Pa$$w0rd

Estimated time: 45 minutes


22/24

Lab Review

What would be the advantage to storing the ActiveDirectory-integrated DNS zones in a custom application

partition instead of the default partitions?

What steps could you take to recover the SRV resourcerecords if they were deleted or corrupted?

Who can create Active Directory integrated zones?


23/24

Module Review and Takeaways

Review questions

Module key points


24/24

Documents

6425A_02 Configuring DNS for Active Directory Domain Services