
Module 2: Configuring Domain Name Service for Active Directory Domain Services

Module Overview

Overview of Active Directory Domain Services and DNS Integration
Configuring Active Directory Integrated Zones
Configuring Read-Only DNS

Lesson 1: Overview of Active Directory Domain Services and DNS Integration

Active Directory Domain Services and DNS Namespace Integration
What Are Service Resource Locator Records?
Demonstration: SRV Locator Records Registered by AD DS Domain Controllers
How Service Resource Locator Records Are Used
Integration of Service Resource Locator Records and Active Directory Sites

Active Directory Domain Services and DNS Namespace Integration

Active Directory domain names must be DNS names. You can integrate an Active Directory domain name with the external namespace in one of three ways:

The same namespace: the internal domain and the public name are identical (WoodgroveBank.com). The one name is then served by two separate DNS infrastructures (split-brain DNS), and every public record that internal clients need must be duplicated on the internal servers.
A subdomain of the external namespace: the internal domain is a child of the public name (Corp.WoodgroveBank.com), so internal and public records never overlap.
A different namespace: the internal domain and the public name are unrelated (Woodgrovecorp.com). The internal name should still be one the organization has registered, otherwise it can later collide with a name someone else owns on the Internet.

What Are Service Locator Records?

SRV resource records allow DNS clients to locate servers that offer TCP/IP-based services. AD DS relies on SRV resource records when:
A domain controller needs to replicate changes
A client computer logs on to Active Directory
A user attempts to change his or her password
An Exchange 2003 server performs a directory lookup
An administrator modifies Active Directory

SRV record syntax (the service label comes before the protocol label, and both are prefixed with an underscore):

_service._protocol.name TTL class type priority weight port target

Example of an SRV record:

_ldap._tcp.contoso.msft 600 IN SRV 0 100 389 den-dc1.contoso.msft

Priority 0 and weight 100 tell the client how to choose among several records for the same name (lowest priority first; among equal priorities, at random in proportion to weight), 389 is the LDAP port, and den-dc1.contoso.msft is the host that offers the service. The target must be a host name that has its own A or AAAA record, not an alias (CNAME).

How Service Resource Locator Records Are Used

1. The DC Locator on the client initiates a call to the Net Logon service.
2. The Locator collects information about the client (such as its domain and its site).
3. Net Logon uses that information to query DNS for the matching SRV resource records.
4. Net Logon tests connectivity to the target servers (an LDAP ping to each candidate).
5. The domain controllers respond, indicating that they are operational.
6. Net Logon returns the information to the client, which caches the result for later lookups.

Integration of Service Locator Records and Active Directory Sites

[Figure: a client in the NYC site queries its local DNS server and is directed to NYC-DC1; a client in the Miami site is directed to MIA-DC1.]

Besides the domain-wide records, every domain controller registers site-specific SRV records (for example _ldap._tcp.<SiteName>._sites.dc._msdcs.<DomainName>). The Locator queries the records for the client's own site first, so clients are sent to a domain controller in their site and fall back to the domain-wide records only when no local domain controller answers.
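The lookup order described in the two preceding slides, as an added PowerShell example that is not part of the course material: it queries the site-specific SRV name before the domain-wide one and picks a target by priority and weight as RFC 2782 specifies. The domain corp.woodgrovebank.com, the site names, and the constructed records that stand in for DNS answers are assumptions; pass no -Resolver to run it against real DNS.

```powershell
# Added example, not part of the course material. Site-aware domain controller
# lookup over SRV records in the order the DC Locator uses: the client's own
# site first, then the domain-wide record, with the target chosen by SRV
# priority and weight (RFC 2782). Domain and site names are assumptions.

function Get-SrvCandidateName {
    param(
        [Parameter(Mandatory)] [string] $Domain,
        [string] $Site                       # omit to query only the domain-wide record
    )
    # Both names are registered by every writable DC in the _msdcs subtree.
    $names = @()
    if ($Site) { $names += "_ldap._tcp.$Site._sites.dc._msdcs.$Domain" }
    $names += "_ldap._tcp.dc._msdcs.$Domain"
    return $names
}

function Select-SrvTarget {
    # RFC 2782 selection: lowest Priority wins; among equal priorities pick
    # at random in proportion to Weight.
    param([Parameter(Mandatory)] [object[]] $Records)
    $lowest = ($Records | Measure-Object -Property Priority -Minimum).Minimum
    $tier   = @($Records | Where-Object { $_.Priority -eq $lowest })
    $total  = [int](($tier | Measure-Object -Property Weight -Sum).Sum)
    if ($total -eq 0) { return $tier[0] }            # all weights 0: any will do
    $pick = Get-Random -Minimum 0 -Maximum $total    # 0 .. total-1
    $running = 0
    foreach ($r in $tier) {
        $running += $r.Weight
        if ($pick -lt $running) { return $r }
    }
}

function Find-DomainController {
    param(
        [Parameter(Mandatory)] [string] $Domain,
        [string] $Site,
        # The resolver is pluggable so the function can be exercised offline; the
        # default performs a real SRV query and discards the glue A records.
        [scriptblock] $Resolver = {
            param($QueryName)
            Resolve-DnsName -Name $QueryName -Type SRV -ErrorAction Stop |
                Where-Object { $_.Type -eq 'SRV' }
        }
    )
    foreach ($name in Get-SrvCandidateName -Domain $Domain -Site $Site) {
        try { $recs = @(& $Resolver $name) } catch { $recs = @() }   # NXDOMAIN: try next candidate
        if ($recs.Count -gt 0) {
            $chosen = Select-SrvTarget -Records $recs
            return [pscustomobject]@{ Query = $name; Target = $chosen.NameTarget; Port = $chosen.Port }
        }
    }
    throw "No _ldap._tcp SRV records found for $Domain"
}

# Constructed records standing in for DNS answers (assumption): NYC and Miami
# each have one DC; an assumed site 'Denver' has none and must fall back.
$constructed = {
    param($QueryName)
    $d = 'corp.woodgrovebank.com'
    switch ($QueryName) {
        "_ldap._tcp.NYC._sites.dc._msdcs.$d"   { [pscustomobject]@{ NameTarget = "nyc-dc1.$d"; Priority = 0; Weight = 100; Port = 389 } }
        "_ldap._tcp.Miami._sites.dc._msdcs.$d" { [pscustomobject]@{ NameTarget = "mia-dc1.$d"; Priority = 0; Weight = 100; Port = 389 } }
        "_ldap._tcp.dc._msdcs.$d" {
            [pscustomobject]@{ NameTarget = "nyc-dc1.$d"; Priority = 0;  Weight = 100; Port = 389 }
            [pscustomobject]@{ NameTarget = "mia-dc1.$d"; Priority = 0;  Weight = 100; Port = 389 }
            # Priority 10: a client tries it only after every priority-0 target fails.
            [pscustomobject]@{ NameTarget = "dr-dc1.$d";  Priority = 10; Weight = 100; Port = 389 }
        }
        default { @() }
    }
}
Find-DomainController -Domain 'corp.woodgrovebank.com' -Site 'Miami'  -Resolver $constructed   # Target: mia-dc1
Find-DomainController -Domain 'corp.woodgrovebank.com' -Site 'Denver' -Resolver $constructed   # Target: nyc-dc1 or mia-dc1, never dr-dc1
```

Run against real DNS, the default resolver performs the same two queries that Net Logon issues. If a domain controller's SRV records are missing or corrupted (one of the lab review questions), running `nltest /dsregdns` on that domain controller, or restarting its Netlogon service, re-registers them.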

Lesson 2: Configuring Active Directory Integrated Zones

What Are Active Directory Integrated Zones?
What Are Application Partitions in AD DS?
Options for Configuring Application Partitions for DNS
How Dynamic Updates Work
How Secure Dynamic DNS Updates Work
Demonstration: Configuring AD DS Integrated Zones
How Background Zone Loading Works

What Are Active Directory Integrated Zones?

Active Directory integrated zones store DNS zone data in the Active Directory database instead of in a zone file on the DNS server.

Benefits of using Active Directory integrated zones:
Replicates DNS zone information using Active Directory replication, so the zone inherits the directory's replication topology and needs no separate zone-transfer configuration
Supports multiple master DNS servers: any domain controller that hosts the zone can accept updates
Enhances security: zone and record objects carry Active Directory ACLs, and secure dynamic updates (which require the client to authenticate) are available only on Active Directory integrated zones
Supports record aging and scavenging

What Are Application Partitions in AD DS?

The Active Directory database is divided into directory partitions, with each directory partition replicated to a specific set of domain controllers.
A DNS zone can be stored in the domain partition or in an application partition.
Administrators can define the replication scope of custom application partitions.
DomainDnsZones and ForestDnsZones are the default application partitions that store DNS-specific data; they are created when DNS is installed on a domain controller.

[Figure: several domain controllers, each holding the Domain, Config, and Schema partitions; the application partitions App1 and App2 are replicated only to a subset of them.]

Options for Configuring Application Partitions for DNS

DNS zone data can be stored in any of the following partitions; the choice determines which domain controllers receive a copy of the zone:

Domain partition: replicated to all domain controllers in the Active Directory domain, including those that do not run DNS (the Windows 2000-compatible option)
DomainDnsZones: replicated to all domain controllers that are DNS servers in the Active Directory domain
ForestDnsZones: replicated to all domain controllers that are DNS servers in the Active Directory forest
Custom application partition: replicated to all domain controllers in the replication scope defined for that application partition

How Dynamic Updates Work

1. The client sends an SOA (Start of Authority) query for the zone.
2. The DNS server responds with the zone name and the IP address of the primary (authoritative) server.
3. The client verifies its existing registration by querying for its own name.
4. The DNS server responds, stating that the registration does not exist.
5. The client sends a dynamic update to the DNS server.

[Figure: Windows Server 2008, Windows Vista, and Windows XP clients exchanging these messages with a DNS server that holds the resource records.]

How Secure Dynamic DNS Updates Work

A secure dynamic update is accepted only if the client has the proper credentials to make the update: the client authenticates to the DNS server with Kerberos (the GSS-TSIG negotiation), and the server then checks the Active Directory ACL on the zone or on the existing record. By default the account that first registers a record becomes its owner, so another computer cannot overwrite it.

[Figure: a Windows 7 DNS client, its local DNS server, and a domain controller with an Active Directory integrated DNS zone.]

Demonstration: Configuring AD DS Integrated Zones

In this demonstration, you will see how to configure:
A DNS zone as AD DS integrated
Dynamic updates on DNS zones
Dynamic update settings on a network connection
Secure dynamic updates
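The steps of the demonstration above, together with the application partition choice and the secure-update setting covered in the preceding slides, as an added PowerShell example that is not part of the course material. It assumes the DnsServer and DnsClient modules (Windows Server 2012 or later; the Windows Server 2008 hosts shown in the slides expose the same settings through dnscmd.exe and the DNS console). The zone name branch.corp.woodgrovebank.com, the partition name, and the interface alias are assumptions.

```powershell
# Added example, not part of the course material. Requires the DnsServer
# module on the server and the DnsClient module on the client. Zone,
# partition and interface names are assumptions.
Import-Module DnsServer

function New-SecureAdIntegratedZone {
    # Creates (or converts) a zone as AD DS integrated, stored in a custom
    # application partition, and restricts it to secure dynamic updates.
    param(
        [Parameter(Mandatory)] [string] $ZoneName,
        [Parameter(Mandatory)] [string] $PartitionName   # FQDN form assumed, e.g. BranchDnsZones.corp.woodgrovebank.com
    )
    # Create the application partition and enlist this DC in it if it is missing.
    if (-not (Get-DnsServerDirectoryPartition -Name $PartitionName -ErrorAction SilentlyContinue)) {
        Add-DnsServerDirectoryPartition -Name $PartitionName
    }

    $zone = Get-DnsServerZone -Name $ZoneName -ErrorAction SilentlyContinue
    if (-not $zone) {
        Add-DnsServerPrimaryZone -Name $ZoneName -ReplicationScope Custom `
            -DirectoryPartitionName $PartitionName -DynamicUpdate Secure
    } elseif (-not $zone.IsDsIntegrated) {
        # Existing file-backed zone: move it into AD DS first; secure-only
        # updates cannot be enabled on a file-backed zone.
        ConvertTo-DnsServerPrimaryZone -Name $ZoneName -ReplicationScope Custom `
            -DirectoryPartitionName $PartitionName -Force
    }
    # Equivalent on Windows Server 2008: dnscmd . /Config <zone> /AllowUpdate 2
    Set-DnsServerPrimaryZone -Name $ZoneName -DynamicUpdate Secure

    Get-DnsServerZone -Name $ZoneName |
        Select-Object ZoneName, IsDsIntegrated, ReplicationScope, DirectoryPartitionName, DynamicUpdate
}

function Get-DnsZoneUpdateRisk {
    # Audit check: every primary zone on a server, flagging those that accept
    # unauthenticated dynamic updates (anyone on the network can then create
    # or overwrite records) and file-backed zones, where secure-only is not
    # an option at all.
    param([string] $ComputerName = $env:COMPUTERNAME)
    Get-DnsServerZone -ComputerName $ComputerName |
        Where-Object { $_.ZoneType -eq 'Primary' -and -not $_.IsAutoCreated } |
        Select-Object ZoneName, IsDsIntegrated, DynamicUpdate, @{
            Name = 'Finding'
            Expression = {
                if ($_.DynamicUpdate -eq 'NonsecureAndSecure') { 'accepts unauthenticated updates' }
                elseif (-not $_.IsDsIntegrated)                { 'file-backed; secure updates unavailable' }
                else                                           { 'ok' }
            }
        }
}

function Enable-DnsClientRegistration {
    # Client side of the demonstration: register this connection's address
    # under the connection's DNS suffix, then trigger the update now rather
    # than waiting for the periodic refresh.
    param([string] $InterfaceAlias = 'Ethernet')
    Import-Module DnsClient
    Set-DnsClient -InterfaceAlias $InterfaceAlias -RegisterThisConnectionsAddress $true
    Register-DnsClient
}

# Usage (on a domain controller that runs DNS):
#   New-SecureAdIntegratedZone -ZoneName 'branch.corp.woodgrovebank.com' `
#       -PartitionName 'BranchDnsZones.corp.woodgrovebank.com'
#   Get-DnsZoneUpdateRisk | Where-Object Finding -ne 'ok'
# Usage (on a domain-joined client):
#   Enable-DnsClientRegistration -InterfaceAlias 'Ethernet'
```

Get-DnsZoneUpdateRisk is the check to run after the demonstration: a zone that still reports NonsecureAndSecure accepts record changes from any host that can reach the server, which defeats the ownership protection that secure dynamic updates provide.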

How Background Zone Loading Works

When a domain controller with Active Directory integrated DNS zones starts, it:
1. Enumerates all zones to be loaded
2. Loads root hints from files or from AD DS
3. Loads all zones that are stored in files rather than in AD DS
4. Begins responding to queries and RPC (remote procedure call) requests
5. Starts one or more threads to load the zones that are stored in AD DS

While an AD DS zone is still loading, a query for one of its records is answered by reading that record from AD DS directly, so a server with very large zones becomes usable within seconds of starting instead of after the whole zone has been read.

Lesson 3: Configuring Read-Only DNS

What Is Read-Only DNS?
How Read-Only DNS Works
Discussion: Comparing DNS Options for Branch Offices

What Is Read-Only DNS?

Read-only DNS is a feature supported on read-only domain controllers (RODCs). All application partitions that contain DNS information (such as DomainDnsZones and ForestDnsZones) are replicated to the RODC as read-only copies.

Benefits:
DNS information required for Active Directory name resolution is available to clients in the same site as the RODC, even while the WAN link to the hub site is down
Changes are not allowed on the read-only DNS zone, which increases security: a compromised branch server cannot be used to inject or alter DNS records for the rest of the domain

How Read-Only DNS Works

Read-only DNS is installed on an RODC when AD DS is installed and the DNS option is selected.
Read-only DNS zone data can be viewed, but cannot be updated.
Clients that send dynamic DNS updates to the RODC are referred to a DNS server that holds a writable copy of the zone: the referral names a writable domain controller, the client sends its update there, and the RODC then requests the updated record from that domain controller rather than waiting for the next scheduled replication.
Records cannot be manually added to the read-only zone.
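The behaviour described on this slide, as an added PowerShell example that is not part of the course material: it lists the zones an RODC holds read-only, checks that the RODC refers update traffic to a writable domain controller, and confirms that a manual record add against the RODC is refused. It assumes the DnsServer and DnsClient modules on the management host; the names MIA-RODC, corp.woodgrovebank.com and the probe record are assumptions.

```powershell
# Added example, not part of the course material. Run from a management host
# that has the DnsServer and DnsClient modules; server and zone names are
# assumptions taken from the lab (MIA-RODC, corp.woodgrovebank.com).
Import-Module DnsServer

function Get-ReadOnlyDnsZone {
    # Zones the RODC holds as read-only copies: it answers queries for them
    # but accepts neither dynamic updates nor manual record changes.
    param([Parameter(Mandatory)] [string] $Rodc)
    Get-DnsServerZone -ComputerName $Rodc |
        Where-Object { $_.IsDsIntegrated -and $_.IsReadOnly } |
        Select-Object ZoneName, DirectoryPartitionName, IsReadOnly
}

function Test-DnsUpdateReferral {
    # Mimics step 1 of a dynamic update: ask the RODC for the zone's SOA.
    # The primary server it names is where a client will send its update;
    # for a read-only zone that should be a writable DC, not the RODC itself.
    param(
        [Parameter(Mandatory)] [string] $Zone,
        [Parameter(Mandatory)] [string] $Rodc
    )
    $soa = Resolve-DnsName -Name $Zone -Type SOA -Server $Rodc -ErrorAction Stop |
           Where-Object { $_.Type -eq 'SOA' } | Select-Object -First 1
    [pscustomobject]@{
        Zone                 = $Zone
        AskedServer          = $Rodc
        UpdateTarget         = $soa.PrimaryServer
        ReferredToWritableDc = ($soa.PrimaryServer -notlike "$Rodc*")
    }
}

function Test-ReadOnlyZoneRejectsWrite {
    # Negative test: a manual record add against the RODC's copy must fail.
    # Returns $true when the write is refused, $false if it unexpectedly
    # succeeds (the probe record is then removed again).
    param(
        [Parameter(Mandatory)] [string] $Zone,
        [Parameter(Mandatory)] [string] $Rodc
    )
    try {
        Add-DnsServerResourceRecordA -ComputerName $Rodc -ZoneName $Zone `
            -Name 'ro-probe' -IPv4Address '192.0.2.10' -ErrorAction Stop
        Remove-DnsServerResourceRecord -ComputerName $Rodc -ZoneName $Zone `
            -Name 'ro-probe' -RRType A -Force
        return $false
    } catch {
        return $true
    }
}

# Usage:
#   Get-ReadOnlyDnsZone -Rodc 'MIA-RODC'
#   Test-DnsUpdateReferral -Zone 'corp.woodgrovebank.com' -Rodc 'MIA-RODC'
#   Test-ReadOnlyZoneRejectsWrite -Zone 'corp.woodgrovebank.com' -Rodc 'MIA-RODC'   # expected: True
```

If Test-DnsUpdateReferral reports ReferredToWritableDc as False, branch clients are being pointed at the RODC for their updates and their registrations will fail; check that the RODC can reach a writable domain controller hosting the zone.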

Discussion: Comparing DNS Options for Branch Offices

What options other than read-only DNS are available for implementing DNS in the branch office?
What are the advantages and disadvantages of each option?

Lab: Configuring AD DS and DNS Integration

Exercise 1: Configuring Active Directory Integrated Zones
Exercise 2: Configuring Read-Only DNS Zones

Logon information
Virtual machines: NYC-DC1, MIA-RODC
User name: Administrator
Password: Pa$$w0rd

Estimated time: 45 minutes

Lab Review

What would be the advantage of storing the Active Directory integrated DNS zones in a custom application partition instead of the default partitions?
What steps could you take to recover the SRV resource records if they were deleted or corrupted?
Who can create Active Directory integrated zones?

Module Review and Takeaways

Review questions
Module key points

Beta Feedback Tool

The beta feedback tool helps:
Collect student roster information, module feedback, and course evaluations.
Identify and sort the changes that students request, thereby facilitating a quick team triage.
Save data to a database in SQL Server that you can later query.

Walkthrough of the tool

Beta Feedback

Overall flow of module:
Which topics did you think flowed smoothly from topic to topic?
Was something taught out of order?

Pacing:
Were you able to keep up?
Are there any places where the pace felt too slow?
Were you able to process what the instructor said before moving on to the next topic?
Did you have ample time to reflect on what you learned?
Did you have time to formulate and ask questions?

Learner activities:
Which demos helped you learn the most? Why do you think that is?
Did the lab help you synthesize the content in the module? Did it help you to understand how you can use this knowledge in your work environment?
Were there any discussion questions or reflection questions that really made you think? Were there questions you thought weren't helpful?