
Module 2: Configuring Domain Name Service for Active Directory Domain Services

Module Overview

Overview of Active Directory Domain Services and DNS Integration
Configuring AD DS Integrated Zones
Configuring Read-Only DNS Zones

Lesson 1: Overview of Active Directory Domain Services and DNS Integration

AD DS and DNS Namespace Integration
What Are Service Resource Locator Records?
Demonstration: SRV Locator Records Registered by AD DS Domain Controllers
How Service Resource Locator Records Are Used
Integrating Service Resource Locator Records and AD DS Sites

AD DS and DNS Namespace Integration

AD DS domain names must use DNS names. You can integrate an AD DS domain name with the external name space by using:
The same name space (external name space WoodgroveBank.com, AD DS domain WoodgroveBank.com)
A subdomain of the external name space (external name space WoodgroveBank.com, AD DS domain Corp.WoodgroveBank.com)
A different name space, where the domain and local names are different (external name space WoodgroveBank.com, AD DS domain Woodgrovecorp.com)

What Are Service Locator Records?

SRV resource records allow DNS clients to locate TCP/IP-based services. SRV resource records are used when:
A domain controller needs to replicate changes
A client computer logs on to AD DS
A user attempts to change his or her password
An Exchange 2003 server performs a directory lookup
An administrator modifies AD DS

SRV record syntax (the owner name is _service._protocol.name, as in the example):
_service._protocol.name TTL class type priority weight port target

Example of an SRV record:
_ldap._tcp.contoso.msft 600 IN SRV 0 100 389 den-dc1.contoso.msft

Demonstration: SRV Resource Records Registered by AD DS Domain Controllers

In this demonstration, you will see how to view and manage the SRV resource records registered by domain controllers

How Service Resource Locator Records Are Used

Locator initiates a call to the Net Logon service
Locator collects information about the client
Net Logon uses the information and queries DNS for SRV resource records
Net Logon tests connectivity to target servers
Domain controllers respond, indicating that they are operational
Net Logon returns the information to clients

Integrating Service Locator Records and AD DS Sites

Figure: a client, its Local DNS Server, NYC-DC1 (NYC Site) and MIA-DC1 (Miami Site)
1. Client queries DNS for DC records
2. DNS responds with multiple records
3. Client contacts MIA-DC1 by using LDAP
4. MIA-DC1 returns site info: NYC
5. Client queries DNS for DCs in NYC site
6. DNS responds with DC in NYC site
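The SRV record syntax from Lesson 1 and the site-aware lookup in the figure above, as an added Python example that is not part of the course material: it parses zone-file SRV lines of the form shown on the slide, orders the targets by priority and weight as RFC 2782 prescribes, and tries the site-specific name before the domain-wide names, which is the DNS side of steps 1/2 and 5/6. The sample zone lines, priorities and weights are constructed for this example; the _ldap._tcp.<site>._sites.dc._msdcs.<domain> and _ldap._tcp.dc._msdcs.<domain> names follow the AD DS naming convention and do not appear on the slides, which show only _ldap._tcp.<domain>.

```python
import random
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class SrvRecord:
    """One SRV resource record: owner name, TTL, priority, weight, port, target."""
    name: str
    ttl: int
    priority: int
    weight: int
    port: int
    target: str


def parse_srv(line: str) -> SrvRecord:
    """Parse one zone-file style SRV line in the slide's form:
    '_ldap._tcp.contoso.msft 600 IN SRV 0 100 389 den-dc1.contoso.msft'."""
    fields = line.split()
    if len(fields) != 8 or fields[2].upper() != "IN" or fields[3].upper() != "SRV":
        raise ValueError(f"not an SRV record: {line!r}")
    name, ttl, _cls, _type, prio, weight, port, target = fields
    if not name.startswith("_"):
        raise ValueError("SRV owner name must start with _service._protocol")
    return SrvRecord(name.rstrip(".").lower(), int(ttl), int(prio),
                     int(weight), int(port), target.rstrip(".").lower())


def build_zone(lines: List[str]) -> Dict[str, List[SrvRecord]]:
    """Group parsed records by owner name so they can be looked up by query name."""
    zone: Dict[str, List[SrvRecord]] = {}
    for line in lines:
        rec = parse_srv(line)
        zone.setdefault(rec.name, []).append(rec)
    return zone


def order_targets(records: List[SrvRecord],
                  rng: Optional[random.Random] = None) -> List[Tuple[str, int]]:
    """Order (target, port) pairs the way RFC 2782 tells a client to try them:
    lowest priority first; within one priority a weighted-random draw, with
    weight-0 entries placed first so they are only picked when nothing else is."""
    rng = rng or random.Random()
    ordered: List[Tuple[str, int]] = []
    for prio in sorted({r.priority for r in records}):
        bucket = sorted((r for r in records if r.priority == prio),
                        key=lambda r: r.weight != 0)
        while bucket:
            total = sum(r.weight for r in bucket)
            n = rng.randint(0, total)
            running = 0
            for rec in bucket:
                running += rec.weight
                if running >= n:
                    break
            ordered.append((rec.target, rec.port))
            bucket.remove(rec)
    return ordered


def locator_query_names(domain: str, site: Optional[str]) -> List[str]:
    """Owner names the DC locator asks for, most specific first (assumption:
    the _msdcs names follow the AD DS convention; the slide shows only the last)."""
    domain = domain.lower()
    names = []
    if site:
        names.append(f"_ldap._tcp.{site.lower()}._sites.dc._msdcs.{domain}")
    names.append(f"_ldap._tcp.dc._msdcs.{domain}")
    names.append(f"_ldap._tcp.{domain}")
    return names


def locate_dc(zone: Dict[str, List[SrvRecord]], domain: str, site: Optional[str],
              rng: Optional[random.Random] = None):
    """Return (query name used, ordered targets) for the first name that has
    SRV records: with a known site this is step 5/6, without one step 1/2."""
    for name in locator_query_names(domain, site):
        if name in zone:
            return name, order_targets(zone[name], rng)
    return None, []


# Constructed sample zone for contoso.msft; NYC-DC1 and MIA-DC1 are the hosts
# named on the slides, the priorities and weights are made up for the example.
SAMPLE_ZONE_LINES = [
    "_ldap._tcp.contoso.msft 600 IN SRV 0 100 389 nyc-dc1.contoso.msft",
    "_ldap._tcp.contoso.msft 600 IN SRV 0 100 389 mia-dc1.contoso.msft",
    "_ldap._tcp.dc._msdcs.contoso.msft 600 IN SRV 0 100 389 nyc-dc1.contoso.msft",
    "_ldap._tcp.dc._msdcs.contoso.msft 600 IN SRV 0 100 389 mia-dc1.contoso.msft",
    "_ldap._tcp.nyc._sites.dc._msdcs.contoso.msft 600 IN SRV 0 100 389 nyc-dc1.contoso.msft",
    "_ldap._tcp.miami._sites.dc._msdcs.contoso.msft 600 IN SRV 0 100 389 mia-dc1.contoso.msft",
]
SAMPLE_ZONE = build_zone(SAMPLE_ZONE_LINES)

if __name__ == "__main__":
    print(locate_dc(SAMPLE_ZONE, "contoso.msft", None))   # any DC in the domain
    print(locate_dc(SAMPLE_ZONE, "contoso.msft", "NYC"))  # only the NYC site DC
```

Run it with no site to see the domain-wide answer that step 2 returns, then with site NYC to see the narrowed answer of step 6; a zone that lacks site-specific records falls through to the domain-wide names, which is why a client in a site with no DC still logs on, just to a distant one.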

Lesson 2: Configuring AD DS Integrated Zones

What Are AD DS Integrated Zones?
What Are Application Partitions in AD DS?
Options for Configuring Application Partitions for DNS
How Dynamic Updates Work
How Secure Dynamic DNS Updates Work
Demonstration: Configuring AD DS Integrated Zones
How Background Zone Loading Works

What Are AD DS Integrated Zones?

AD DS integrated zones store DNS zone data in the AD DS database

Benefits of using AD DS integrated zones:
Replicates DNS zone information using AD DS replication
Supports multiple master DNS servers
Enhances security
Supports record aging and scavenging

What Are Application Partitions in AD DS?

The AD DS database is divided into directory partitions, with each directory partition replicated to specific domain controllers
A DNS zone can be stored in the domain partition or in an application partition
Administrators can define the replication scope of custom application partitions
DomainDNSZones and ForestDNSZones are default application partitions that store DNS-specific data

Figure: three domain controllers, each holding the Domain, Config and Schema partitions; application partition App1 is replicated to two of them and App2 to one

Options for Configuring Application Partitions for DNS

DNS information can be stored in a variety of application partitions (figure: Domain, Config, Schema, DomainDNSZones, ForestDNSZones and CustomApp partitions on a domain controller):
Domain partition: replicated to all domain controllers in the AD DS domain
DomainDNSZones: replicated to all domain controllers that are DNS servers in the AD DS domain
ForestDNSZones: replicated to all domain controllers that are DNS servers in the AD DS forest
CustomApp: replicated to all domain controllers in the replication scope for the application partition

How Dynamic Updates Work

Figure: Windows Server 2008, Windows Vista and Windows XP clients registering resource records with a DNS server
Client sends SOA query
DNS server sends zone name and server IP address
Client verifies existing registration
DNS server responds by stating that registration does not exist
Client sends dynamic update to DNS server

How Secure Dynamic DNS Updates Work

A secure dynamic update is accepted only if the client has the proper credentials to make the update

Figure: Windows Vista DNS Client, Local DNS Server, and Domain Controller with Active Directory Integrated DNS Zone
Find authoritative server -> Result
Find authoritative server -> Result
Attempt nonsecure update -> Refused
Secure update negotiation -> Accepted
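The two sequences above (plain dynamic update and secure dynamic update) and the referral behaviour of a read-only zone from Lesson 3, as an added Python model that is not part of the course material: a toy zone with the three dynamic-update settings, an owner recorded on every authenticated registration, and a client that runs the slide's steps (SOA query, verify existing registration, nonsecure attempt, secure fallback). Zone name, host names, addresses and the principal name are constructed; the GSS-TSIG negotiation itself is assumed to have already proven the client's identity and is represented only by the principal carried on the request.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class Record:
    name: str
    rtype: str
    value: str
    owner: Optional[str]   # principal that registered it; None = registered without authentication


@dataclass
class UpdateRequest:
    name: str
    rtype: str
    value: str
    principal: Optional[str] = None   # None = unsigned (nonsecure) update


class DnsZone:
    """Toy model of one zone on a DNS server. update_policy mirrors the three
    console choices ('none', 'nonsecure_and_secure', 'secure_only'). A read-only
    zone never applies updates; it refers the client to a writeable copy."""

    def __init__(self, name: str, update_policy: str = "secure_only",
                 server: str = "dns1.example.test", read_only: bool = False,
                 writable_server: Optional[str] = None):
        assert update_policy in ("none", "nonsecure_and_secure", "secure_only")
        self.name = name
        self.update_policy = update_policy
        self.server = server
        self.read_only = read_only
        self.writable_server = writable_server
        self.records: Dict[Tuple[str, str], Record] = {}

    def soa_query(self) -> str:
        """Slide steps 1/2: the SOA answer tells the client which server is authoritative."""
        return self.server

    def lookup(self, name: str, rtype: str) -> Optional[Record]:
        """Slide steps 3/4: the client checks whether its registration already exists."""
        return self.records.get((name.lower(), rtype.upper()))

    def dynamic_update(self, req: UpdateRequest) -> str:
        """Slide step 5: apply or reject the update according to the zone's policy."""
        if self.read_only:
            return f"REFER {self.writable_server}"
        if self.update_policy == "none":
            return "REFUSED"
        key = (req.name.lower(), req.rtype.upper())
        existing = self.records.get(key)
        if req.principal is None:
            # Unsigned update: only a zone that allows nonsecure updates takes it,
            # and the resulting record has no owner, so anyone can change it later.
            if self.update_policy == "secure_only":
                return "REFUSED"
            self.records[key] = Record(key[0], key[1], req.value, owner=None)
            return "ACCEPTED"
        # Authenticated update: a record owned by a different principal is refused,
        # which is what stops one host from overwriting another host's name.
        if existing is not None and existing.owner not in (None, req.principal):
            return "REFUSED"
        self.records[key] = Record(key[0], key[1], req.value, owner=req.principal)
        return "ACCEPTED"


def client_register(zone: DnsZone, name: str, address: str, principal: str) -> List[str]:
    """Client side of both figures: SOA query, verify the existing registration,
    attempt a nonsecure update, and on REFUSED fall back to a secure update."""
    steps = [f"SOA query -> authoritative server {zone.soa_query()}"]
    existing = zone.lookup(name, "A")
    if existing and existing.value == address and existing.owner == principal:
        steps.append("registration exists and is current; nothing to send")
        return steps
    steps.append("registration missing or stale")
    resp = zone.dynamic_update(UpdateRequest(name, "A", address))
    steps.append(f"nonsecure update -> {resp}")
    if resp == "REFUSED":
        resp = zone.dynamic_update(UpdateRequest(name, "A", address, principal=principal))
        steps.append(f"secure update negotiation -> {resp}")
    return steps


if __name__ == "__main__":
    zone = DnsZone("contoso.msft", "secure_only", server="nyc-dc1.contoso.msft")
    for line in client_register(zone, "nyc-cl1.contoso.msft", "10.10.0.20", "NYC-CL1$"):
        print(line)
```

Running it prints the Refused/Accepted pair from the secure-update figure. Switching the policy to nonsecure_and_secure makes the first, unsigned attempt succeed and leaves the record without an owner, which is the condition the "Enhances security" benefit of AD DS integrated zones with secure-only updates removes; a zone built with read_only=True answers every update with a referral to the writeable server.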

Demonstration: Configuring AD DS Integrated Zones

In this demonstration, you will see how to configure:
A DNS zone as AD DS integrated
Dynamic updates on DNS zones
Dynamic update settings on a network connection
Secure dynamic updates

How Background Zone Loading Works


When a domain controller with Active Directory-integrated
DNS zones starts, it:
Enumerates all zones to be loaded
Loads root hints from files or AD DS servers
Loads all zones that are stored in files rather than in AD DS
Begins responding to queries and RPCs
Starts one or more threads to load the zones that are
stored in AD DS

Lesson 3: Configuring Read-Only DNS Zones


What Are Read-Only DNS Zones?
How Read-Only DNS Works
Discussion: Comparing DNS Options for Branch Offices

What Are Read-Only DNS Zones?

A feature supported on Read-Only Domain Controllers
All application partitions containing DNS information are replicated to the RODC

Benefits:
DNS information required for AD DS name resolution is available for clients in the same site as the RODC
Changes are not allowed on the read-only DNS zone, which increases security

How Read-Only DNS Works

Read-only DNS is installed on an RODC when AD DS is installed and the DNS option is selected
Read-only DNS zone data can be viewed, but cannot be updated
Clients that send dynamic DNS updates to the RODC are referred to a DNS server with a writeable copy of the zones
Records cannot be manually added to the read-only zone

Discussion: Comparing DNS Options for Branch Offices

What options other than read-only DNS are available for implementing DNS in the branch office?
What are the advantages and disadvantages of each option?

Lab: Configuring AD DS and DNS Integration

Exercise 1: Configuring Active Directory Integrated Zones
Exercise 2: Configuring Read-Only DNS Zones

Logon information
Virtual machine: NYC-DC1, MIA-RODC
User name: Administrator
Password: Pa$$w0rd

Estimated time: 45 minutes

Lab Review

What would be the advantage to storing the Active Directory-integrated DNS zones in a custom application partition instead of the default partitions?
What steps could you take to recover the SRV resource records if they were deleted or corrupted?

Who can create Active Directory integrated zones?

Module Review and Takeaways


Review questions
Module key points
