
Course 6425A, Module 2: Configuring Domain Name Service for Active Directory® Domain Services (presentation transcript with instructor notes)


Slide 1: Course 6425A, Module 2: Configuring Domain Name Service for Active Directory® Domain Services
Presentation: 50 minutes
Lab: 45 minutes

Instructor notes:
This module helps students configure Domain Name Service for Active Directory Domain Services. After completing this module, students will be able to:
- Describe Active Directory Domain Services and Domain Name System (DNS) integration
- Configure Active Directory integrated zones
- Configure read-only DNS

Required materials
To teach this module, you need the Microsoft® Office PowerPoint® file 6425A_02.ppt.

Important: It is recommended that you use PowerPoint 2002 or a later version to display the slides for this course. If you use PowerPoint Viewer or an earlier PowerPoint version, all the features of the slides might not be displayed correctly.

Preparation tasks
To prepare for this module:
- Read all of the materials for this module.
- Complete the practices.

This section contains information that will help you teach this module. For some topics in this module, references to additional information appear in notes at the end of the topics. Read the additional information so that you can prepare to teach the module. During class, ensure that students are aware of the additional information.

Slide 2: Module Overview
- Overview of Active Directory Domain Services and DNS Integration
- Configuring Active Directory Integrated Zones
- Configuring Read-Only DNS

Slide 3: Lesson 1: Overview of Active Directory Domain Services and DNS Integration
- Active Directory Domain Services and DNS Namespace Integration
- What Are Service Resource Locator Records?
- Demonstration: SRV Locator Records Registered by AD DS Domain Controllers
- How Service Resource Locator Records Are Used
- Integration of Service Resource Locator Records and Active Directory Sites

Slide 4: Active Directory Domain Services and DNS Namespace Integration
Slide text:
- Active Directory domain names must use DNS names
- You can integrate an Active Directory domain name with the external name space by using:
  - The same name space
  - A subdomain of the external name space
  - A different name space, where the external domain name and the internal (local) name differ

Instructor notes:
Use the build slide to compare options for integrating the internal Domain Name System (DNS) name space with external name spaces. Emphasize the importance of maintaining separate DNS servers for internal and external name resolution. The internal DNS zones must never be exposed to the Internet, because the internal zones contain all of the domain controller records. Mention that Active Directory requires DNS, but that it does not require any particular type of DNS server; the internal and external DNS servers can be different products.

References:
- How DNS Support for Active Directory Works

Diagram labels: WoodgroveBank.com (external), WoodgroveBank.com (same name space), Corp.WoodgroveBank.com (subdomain), Woodgrovecorp.com (different name space)

Slide 5: What Are Service Locator Records?
Slide text:
- SRV resource records allow DNS clients to locate TCP/IP-based services.
- SRV resource records are used when:
  - A domain controller needs to replicate changes
  - A client computer logs on to Active Directory
  - A user attempts to change his or her password
  - An Exchange 2003 server performs a directory lookup
  - An administrator modifies Active Directory
- SRV record syntax: protocol.service.name TTL class type priority weight port target
- Example of an SRV record: _ldap._tcp.contoso.msft IN SRV den-dc1.contoso.msft

Instructor notes:
Stress the importance of SRV resource records in a Windows Server 2008 environment. Since the release of Windows 2000, all client computers have used DNS as the primary process for locating domain controllers. Without SRV resource records in DNS, logon from clients will be extremely slow or will fail. Describe the components of an SRV resource record, then use the example on the slide to describe how the record provides all of the information that a client computer needs to locate a domain controller.

References:
- DNS Administrator Help: Adding resource records
- DNS Administrator Help: Service Location (SRV) Resource Record Dialog Box

Slide 6: Demonstration: SRV Resource Records Registered by AD DS Domain Controllers
Slide text:
In this demonstration, you will see how to view and manage the SRV resource records registered by domain controllers.

Demonstration steps (instructor notes):
To complete this demonstration, you must have the 6425A-NYC-DC1 virtual machine running.
1. Open the DNS management console and show the SRV resource records listed in _msdcs and in the WoodgroveBank.com domain. Go into detail describing one of the records, and then show the subfolders that contain records.
2. Delete one of the SRV resource records in DNS.
3. Stop and restart the Net Logon service and confirm that the record is restored in DNS. Mention the importance of using a DNS server that supports dynamic updates so that the Net Logon service can register the records.
4. Open %systemroot%\system32\config\netlogon.dns and discuss how the records it contains could be added to a DNS server that does not support dynamic updates.

References:
- How to Verify the Creation of SRV Records for a Domain Controller
- How DNS Support for Active Directory Works

Slide 7: How Service Resource Locator Records Are Used
Slide text (build sequence):
1. Locator initiates a call to the Net Logon service
2. Locator collects information about the client
3. Net Logon uses the information and queries DNS for SRV resource records
4. Net Logon tests connectivity to target servers
5. Domain controllers respond, indicating that they are operational
6. Net Logon returns the information to clients

Instructor notes:
Describe the process that clients use to locate domain controllers. Mention that all computers, both workstations (such as Windows XP and Windows Vista) and servers (such as Windows Server 2003 and Windows Server 2008), use the same process.

References:
- How Domain Controllers Are Located in Windows XP

Slide 8: Integration of Service Locator Records and Active Directory Sites
Slide text (build sequence; the diagram shows a client, a local DNS server, MIA-DC1 in the Miami site and NYC-DC1 in the NYC site):
1. Client queries DNS for a DC
2. DNS server responds with multiple records
3. Client contacts MIA-DC1 by using LDAP
4. MIA-DC1 returns the client's site information: NYC
5. Client queries DNS for a DC in the NYC site
6. DNS server responds with a DC in the NYC site (NYC-DC1)

Instructor notes:
Use the build slide to describe how a client computer locates a domain controller (DC) in the same site as the client computer. Mention that the site configuration for client computers is dynamic and based on the computer's IP address and the site configuration in Active Directory. The client computer is not aware of its site location until it starts and receives the site information from DNS and Active Directory. Domain controllers, on the other hand, are configured with a static site configuration. On the build slide, steps 1 and 2 show the client computer starting up and requesting a DC from the DNS server. Steps 3 and 4 show the client connecting to a DC in a different site (remember that the client is not yet site aware). The DC checks the client configuration and redirects the client to communicate with a DC in its local site; this is shown in steps 5 and 6.

References:
- Finding a Domain Controller in the Closest Site

Slide 9: Lesson 2: Configuring Active Directory Integrated Zones
- What Are Active Directory Integrated Zones?
- What Are Application Partitions in AD DS?
- Options for Configuring Application Partitions for DNS
- How Dynamic Updates Work
- How Secure Dynamic DNS Updates Work
- Demonstration: Configuring AD DS Integrated Zones
- How Background Zone Loading Works

Slide 10: What Are Active Directory Integrated Zones?
Slide text:
- Active Directory integrated zones store DNS zone data in the Active Directory database
- Benefits of using Active Directory integrated zones:
  - Replicates DNS zone information using Active Directory replication
  - Supports multiple master DNS servers
  - Enhances security
  - Supports record aging and scavenging

Instructor notes:
Ask students how Domain Name System (DNS) zones are stored and replicated outside of Active Directory. If students are not familiar with how DNS zones are stored in text files, briefly describe the files and how standard DNS replication works. Then explain how Active Directory also can store DNS zone information, and describe the benefits of using this option. Ask the students if they can think of any disadvantages to storing DNS information in Active Directory. One possible answer is that if dynamic updates are enabled for all computers in an enterprise, the Active Directory database can become very large.

References:
- DNS Help: Understanding Active Directory Domain Services integration
- How DNS Support for Active Directory Works

Slide 11: What Are Application Partitions in AD DS?
Slide text:
- The Active Directory database is divided into directory partitions, with each directory partition replicated to specific domain controllers
- A DNS zone can be stored in the domain partition or in an application partition
- Administrators can define the replication scope of custom application partitions
- DomainDNSZones and ForestDNSZones are default application partitions that store DNS-specific data

Instructor notes:
If students are not familiar with the concept of Active Directory partitions, briefly describe the three partitions (also called naming contexts). Then describe how those partitions can store DNS information. Highlight that, by default, DNS information is stored in different partitions than the other Active Directory information. Mention that the default application partitions for storing DNS information in Active Directory are created automatically when DNS is installed and configured during AD DS installation. To create the partitions after AD DS is installed, you can use the DNS management tool or the DNSCMD command-line tool.

References:
- DNS Help: Understanding DNS zone replication in Active Directory Domain Services
- DNS Help: Create the default DNS application directory partitions

Diagram labels: Domain, Config and Schema partitions on each domain controller; application partitions App1 and App2 replicated to only some of the domain controllers

Slide 12: Options for Configuring Application Partitions for DNS
Slide text:
DNS information can be stored in a variety of application partitions, each with its own replication scope:

Partition                     Replication scope
Domain                        All domain controllers in the Active Directory domain
DomainDNSZones                All domain controllers that are DNS servers in the Active Directory domain
ForestDNSZones                All domain controllers that are DNS servers in the Active Directory forest
Custom application partition  All domain controllers in the replication scope defined for the application partition

(The diagram also shows the Config and Schema partitions.)

Instructor notes:
List the different partitions that are available for storing DNS information in Active Directory. Mention that the primary reason for choosing among the different partitions is that each partition has a different replication scope. Consider using a diagram to describe the replication scopes for each partition. Include domain controllers that are not DNS servers and domain controllers that are in a different domain, and then show the effects of storing the Active Directory DNS information in each partition. Provide scenarios for when organizations might choose each option. Summarize how to create a custom application partition for storing DNS information.

References:
- How DNS Support for Active Directory Works
- DNS Help: Create a DNS application directory partition
- DNS Help: To enlist a DNS server in a DNS application directory partition

Slide 13: How Dynamic Updates Work
Slide text (build sequence between a client running Windows Server 2008, Windows Vista or Windows XP and a DNS server holding the resource records):
1. Client sends an SOA query
2. DNS server sends the zone name and the server IP address
3. Client verifies whether its registration already exists
4. DNS server responds that the registration does not exist
5. Client sends a dynamic update to the DNS server

Instructor notes:
Describe how dynamic updates work. Mention that SOA stands for Start of Authority (the SOA resource record). Ask students what would happen if dynamic updates were not enabled. The biggest problem would be that domain controllers would not be able to register their records in DNS, so the domain controller records would have to be added manually. Mention that client computer resource records can also be updated dynamically in DNS by Dynamic Host Configuration Protocol (DHCP) servers (refer to Course 6421 for more information).

References:
- DNS Help: Understanding dynamic update
- How DNS Works (review the Dynamic Update section)

Slide 14: How Secure Dynamic DNS Updates Work
Slide text:
A secure dynamic update is accepted only if the client has the proper credentials to make the update.

Diagram (Windows Vista DNS client, local DNS server, and a domain controller with an Active Directory integrated DNS zone):
1. Client asks the local DNS server to find the authoritative server; the result is returned
2. Client attempts a nonsecure update against the domain controller; the update is refused
3. Client performs a secure update negotiation with the domain controller; the update is accepted

Instructor notes:
Describe the rationale for enabling secure updates, then use the build slide to describe the process that the client and DNS server use to perform a secure dynamic update. Mention that by default, Windows Server 2008 DNS servers are configured to support secure-only updates for Active Directory integrated zones.

References:
- DNS Help: Understanding dynamic update
- How DNS Works (review the Secure Dynamic Update section)
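The exchange on this slide, as an added example that is not part of the course material: a simplified Python model of the three dynamic-update settings a Windows DNS zone can have and of the client's nonsecure-then-secure attempt sequence. The record-ownership rule mirrors secure dynamic update in AD-integrated zones (the authenticated principal that registers a record is the one allowed to change it); zone and host names, and the principal names, are constructed.

```python
"""Model of the three dynamic-update settings of a Windows DNS zone ("None",
"Nonsecure and secure", "Secure only") and of the slide's client behaviour:
try a nonsecure update first, then negotiate a secure one if refused.
Added, simplified example, not Microsoft code. Ownership mirrors secure dynamic
update in AD-integrated zones, where the principal that registers a record is
granted write access to it; zone, host and principal names are constructed."""
from dataclasses import dataclass, field
from enum import Enum
from typing import Optional

class UpdatePolicy(Enum):
    NONE = "None"                                  # default for a standard primary zone
    NONSECURE_AND_SECURE = "Nonsecure and secure"
    SECURE_ONLY = "Secure only"                    # default for an AD-integrated zone

@dataclass
class Record:
    name: str
    rtype: str
    data: str
    owner: Optional[str]   # authenticated principal that wrote it; None if anonymous

@dataclass
class Zone:
    name: str
    policy: UpdatePolicy
    records: dict = field(default_factory=dict)

    def dynamic_update(self, name, rtype, data, principal=None):
        """One UPDATE request. principal=None is a nonsecure (anonymous) update;
        a string is the identity proven by the secure-update negotiation."""
        if self.policy is UpdatePolicy.NONE:
            return "REFUSED"
        if principal is None and self.policy is UpdatePolicy.SECURE_ONLY:
            return "REFUSED"
        key = (name.lower(), rtype.upper())
        existing = self.records.get(key)
        # A record written by an authenticated principal may be changed only by it.
        if existing and existing.owner is not None and existing.owner != principal:
            return "REFUSED"
        self.records[key] = Record(key[0], key[1], data, principal)
        return "ACCEPTED"

    def lookup(self, name, rtype):
        rec = self.records.get((name.lower(), rtype.upper()))
        return rec.data if rec else None

def windows_client_register(zone, name, rtype, data, principal):
    """Client sequence from the slide: nonsecure attempt, then secure negotiation
    when the server refuses. Returns the (attempt, outcome) steps taken."""
    steps = []
    outcome = zone.dynamic_update(name, rtype, data)
    steps.append(("nonsecure", outcome))
    if outcome == "REFUSED" and zone.policy is not UpdatePolicy.NONE:
        outcome = zone.dynamic_update(name, rtype, data, principal=principal)
        steps.append(("secure", outcome))
    return steps

def demo():
    """The weak setting beside the hardened one, on a constructed zone."""
    weak = Zone("corp.example.com", UpdatePolicy.NONSECURE_AND_SECURE)
    windows_client_register(weak, "fileserver", "A", "10.0.0.20", "FILESERVER$")
    # The nonsecure attempt succeeded, so the record has no owner and any
    # anonymous client on the network can overwrite it.
    weak_overwrite = weak.dynamic_update("fileserver", "A", "10.0.0.99")

    hardened = Zone("corp.example.com", UpdatePolicy.SECURE_ONLY)
    steps = windows_client_register(hardened, "fileserver", "A", "10.0.0.20", "FILESERVER$")
    anon = hardened.dynamic_update("fileserver", "A", "10.0.0.99")
    other = hardened.dynamic_update("fileserver", "A", "10.0.0.99", principal="WORKSTATION2$")
    owner = hardened.dynamic_update("fileserver", "A", "10.0.0.21", principal="FILESERVER$")
    return {"weak_overwrite": weak_overwrite, "hardened_steps": steps,
            "hardened_anon": anon, "hardened_other": other, "hardened_owner": owner,
            "hardened_data": hardened.lookup("fileserver", "A")}
```

Running demo() shows the "Nonsecure and secure" zone accepting an anonymous overwrite of an existing host record, while the "Secure only" zone refuses both the anonymous attempt and a different authenticated principal and accepts only the record's registrant.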

Slide 15: Demonstration: Configuring AD DS Integrated Zones
Slide text:
In this demonstration, you will see how to configure:
- A DNS zone as AD DS integrated
- Dynamic updates on DNS zones
- Dynamic update settings on a network connection
- Secure dynamic updates

Instructor notes:
To complete this demonstration, you must have the 6425A-NYC-DC1 virtual machine running. Demonstrate how to configure:
1. A DNS zone as AD DS integrated.
2. Dynamic updates on DNS zones.
3. Dynamic update settings on a network connection.
4. Secure dynamic updates.

References:
- DNS Help: Create the default DNS application directory partitions
- DNS Help: Understanding dynamic update

Slide 16: How Background Zone Loading Works
Slide text:
When a domain controller with Active Directory integrated DNS zones starts, it:
1. Enumerates all zones to be loaded
2. Loads root hints from files or AD DS servers
3. Loads all zones that are stored in files rather than in AD DS
4. Begins responding to queries and RPCs
5. Starts one or more threads to load the zones that are stored in AD DS

Instructor notes:
Refer back to the earlier question about one of the disadvantages of using dynamic updates: one of the ways in which Windows Server 2008 addresses the issue of very large Active Directory databases containing DNS records is background zone loading. If a DNS client requests data for a host in a zone that has already been loaded, the DNS server responds with the data (or, if appropriate, a negative response) as expected. If the request is for a node that has not yet been loaded into memory, the DNS server reads the node's data from AD DS and updates the node's record list accordingly. Let the students know that RPC stands for Remote Procedure Call.

References:
- DNS Server Role

Slide 17: Lesson 3: Configuring Read-Only DNS
- What Is Read-Only DNS?
- How Read-Only DNS Works
- Discussion: Comparing DNS Options for Branch Offices

Slide 18: What Is Read-Only DNS?
Slide text:
- A feature supported on Read-Only Domain Controllers (RODCs)
- All application partitions containing DNS information are replicated to the RODC
- Benefits:
  - DNS information required for Active Directory name resolution is available for clients in the same site as the RODC
  - Changes are not allowed on the read-only DNS zone, which increases security

Instructor notes:
Compare read-only DNS zones with secondary name servers in standard DNS. In both cases, the zone information is read only. However, with read-only DNS on an RODC, the information is still stored in Active Directory.

References:
- DNS Server Role

Slide 19: How Read-Only DNS Works
Slide text:
- Read-only DNS is installed on an RODC when AD DS is installed and the DNS option is selected
- Read-only DNS zone data can be viewed, but cannot be updated
- Clients that send dynamic DNS updates to the RODC are referred to a DNS server with a writeable copy of the zones
- Records cannot be manually added to the read-only zone

Instructor notes:
Mention that the only way to add a record to a read-only DNS zone is to update a writeable copy of the zone and then wait for replication to update the zone's read-only copy.

References: None

Slide 20: Discussion: Comparing DNS Options for Branch Offices
Slide text:
- What options other than read-only DNS are available for implementing DNS in the branch office?
- What are the advantages and disadvantages of each option?

Instructor notes:
Other options include:
- Caching-only DNS servers
- Stub zones
- Zone delegation
- Standard secondary zones
Compare the security, network traffic, and client response time that each of these solutions provides.

References:
- How DNS Works (review the sections on caching-only DNS, stub zones, and forwarding)

Slide 21: Lab: Configuring AD DS and DNS Integration
Slide text:
- Exercise 1: Configuring Active Directory Integrated Zones
- Exercise 2: Configuring Read-Only DNS Zones

Instructor notes:
In this lab, students will configure AD DS and DNS integration. Objectives covered in the lab:
- Review SRV resource records
- Configure AD DS and DNS integration
- Configure read-only DNS zones

Scenario: Woodgrove Bank is an enterprise that has offices located in several cities throughout the world. The organization also includes a business unit named Fabrikam, Inc., which has its own domain in the Woodgrove Bank forest. As part of the Windows Server 2008 deployment, the organization has decided to reconfigure the DNS design to optimize name resolution in each office and to provide a more reliable DNS infrastructure. The enterprise administrator has created a design document for the DNS configuration. The design includes configuring AD DS integrated zones, configuring DNS dynamic updates, and configuring read-only DNS zones.

Exercise 1: Configuring Active Directory Integrated Zones
The students will configure the DNS zones for the Woodgrove Bank environment to meet the design requirements. They will modify DNS zones to store them in AD DS (including a zone in the domain application partition and one in the forest application partition), and will configure dynamic updates. Students also will verify the SRV resource records that are registered by each domain controller.

Exercise 2: Configuring Read-Only DNS Zones
The students will configure a read-only DNS zone on an RODC, and will test dynamic updates and administrative updates.

Inputs: Design documentation describing the required DNS deployment.
Outputs: Successful installation and configuration of the DNS environment.

Logon information
Virtual machines: NYC-DC1, MIA-RODC
User name: Administrator
Password: Pa$$w0rd
Estimated time: 45 minutes

Slide 22: Lab Review
Slide text:
- What would be the advantage of storing the Active Directory integrated DNS zones in a custom application partition instead of the default partitions?
- What steps could you take to recover the SRV resource records if they were deleted or corrupted?
- Who can create Active Directory integrated zones?

Instructor notes:
Question: What would be the advantage of storing the Active Directory integrated DNS zones in a custom application partition instead of the default partitions?
Answer: Only the selected domain controllers running DNS would receive copies of the DNS zone. This might be useful in ensuring that internal and public records are replicated only to the correct DNS domain controllers.

Question: What steps could you take to recover the SRV resource records if they were deleted or corrupted?
Answer: Restart the Net Logon service.

Question: Who can create Active Directory integrated zones?
Answer: Administrative rights are required.

Slide 23: Module Review and Takeaways
Slide text:
- Review questions
- Module key points

Review questions (instructor notes):
Question: What is the relationship between Active Directory domain names and DNS zone names?
Answer: Each Active Directory domain must have an identically named DNS zone.

Question: How does a client computer determine what site it is in?
Answer: The client queries a domain controller by passing its IP address to the domain controller. The domain controller looks up the client's IP address in its subnet-to-site map and returns site information to the client. The client stores that information in its registry.

Question: List at least three benefits of Active Directory integrated zones.
Answer:
- Directory replication is faster and more efficient than standard DNS replication
- Multimaster updates
- Enhanced security with secure dynamic updates
- Support for record aging and scavenging

Question: In the following example of two SRV resource records, which record will be used by a client querying for a Session Initiation Protocol (SIP) service?
_sip._tcp.example.com IN SRV Lcs1.contoso.com.
_sip._tcp.example.com IN SRV Lcs2.contoso.com.
Answer: The SRV resource record for Lcs1 will always be chosen if it is available, because it has a lower priority field. The weight field is used only if the priority fields are equal.

Question: What permissions are required to create DNS application directory partitions?
Answer: Enterprise Admins permissions

Question: What utilities are available to create application partitions?
Answer: Dnscmd, NTDSutil, ADSI Edit, LDAP commands

Question: What is the default state of dynamic updates for an Active Directory integrated zone?
Answer: Secure Only

Question: What is the default state of dynamic updates for a standard primary zone?
Answer: None

Question: What groups have permission to perform secure dynamic updates?
Answer: Authenticated Users

Module key points:
The three most important concepts in this module are:
- Because of the dependency Windows Server 2008 and Active Directory clients have on DNS, the first step in troubleshooting Active Directory issues will often be to troubleshoot DNS.
- Windows Server 2008 can operate with any compatible DNS server, but Active Directory integrated zones provide additional features and security.
- Use read-only DNS in conjunction with read-only domain controllers to provide security while still providing required client functionality.
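The SIP review question above, the SRV record syntax on slide 5, the netlogon.dns file from the slide 6 demonstration and the Net Logon connectivity test on slide 7 come together in this added Python example (not course material): it parses SRV records written in the zone-file syntax that netlogon.dns uses, orders the candidates by the RFC 2782 priority-then-weight rule, and skips targets that do not answer. Every host name, TTL and numeric field in the sample is constructed.

```python
"""SRV record parsing and server selection with the RFC 2782 priority/weight rule.
Added example, not course material; sample lines are constructed in the zone-file
syntax that netlogon.dns uses, and every number and host name is made up."""
import random
import re
from dataclasses import dataclass

@dataclass(frozen=True)
class SrvRecord:
    owner: str      # _service._proto.name, lower-cased, trailing dot kept
    ttl: int
    priority: int   # lower value is preferred
    weight: int     # share of load among records with equal priority
    port: int
    target: str     # host offering the service, trailing dot removed

# Constructed sample zone data (not from the course or a real netlogon.dns).
SAMPLE_ZONE_LINES = """
_ldap._tcp.contoso.msft. 600 IN SRV 0 100 389 den-dc1.contoso.msft.
_ldap._tcp.contoso.msft. 600 IN SRV 0 100 389 den-dc2.contoso.msft.
_kerberos._tcp.contoso.msft. 600 IN SRV 0 100 88 den-dc1.contoso.msft.
_sip._tcp.example.com. 3600 IN SRV 10 100 5061 lcs1.contoso.com.
_sip._tcp.example.com. 3600 IN SRV 20 100 5061 lcs2.contoso.com.
contoso.msft. 600 IN A 10.0.0.1
""".strip().splitlines()

SRV_LINE = re.compile(
    r"^(?P<owner>\S+)\s+(?P<ttl>\d+)\s+IN\s+SRV\s+(?P<prio>\d+)\s+"
    r"(?P<weight>\d+)\s+(?P<port>\d+)\s+(?P<target>\S+)\s*$", re.IGNORECASE)

def parse_srv_records(lines):
    """Keep SRV lines; other record types (A, CNAME, ...) and blanks are skipped."""
    records = []
    for line in lines:
        m = SRV_LINE.match(line.strip())
        if m:
            records.append(SrvRecord(m["owner"].lower(), int(m["ttl"]), int(m["prio"]),
                                     int(m["weight"]), int(m["port"]),
                                     m["target"].lower().rstrip(".")))
    return records

def lookup(records, service, proto, name):
    """The client's DNS query for _service._proto.name."""
    owner = f"_{service}._{proto}.{name}.".lower()
    return [r for r in records if r.owner == owner]

def order_targets(records, seed=None):
    """Order as RFC 2782 prescribes: ascending priority, and within one priority
    repeated weighted random draws, with weight-0 records placed first so they
    are rarely chosen while heavier records remain."""
    rng = random.Random(seed)
    ordered = []
    for prio in sorted({r.priority for r in records}):
        group = sorted((r for r in records if r.priority == prio),
                       key=lambda r: r.weight != 0)
        while group:
            pick = rng.randint(0, sum(r.weight for r in group))
            running = 0
            for r in group:
                running += r.weight
                if running >= pick:      # first running sum >= the random draw
                    ordered.append(r)
                    group.remove(r)
                    break
    return ordered

def select_server(records, reachable, seed=None):
    """Net Logon tests connectivity: return the first ordered target that answers."""
    for r in order_targets(records, seed):
        if r.target in reachable:
            return r
    return None

def first_choice_counts(records, trials):
    """How often each target is tried first across seeds 0..trials-1 (weight at work)."""
    counts = {}
    for seed in range(trials):
        first = order_targets(records, seed)[0].target
        counts[first] = counts.get(first, 0) + 1
    return counts
```

With the sample data, lookup(recs, "sip", "tcp", "example.com") always orders lcs1 before lcs2 because of its lower priority, whatever the seed; only when lcs1 is absent from the reachable set does select_server fall through to lcs2.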

Slide 24: Beta Feedback Tool
Slide text:
The beta feedback tool helps:
- Collect student roster information, module feedback, and course evaluations.
- Identify and sort the changes that students request, thereby facilitating a quick team triage.
- Save data to a database in SQL Server that you can later query.
Walkthrough of the tool

Slide 25: Beta Feedback
Overall flow of module:
- Which topics did you think flowed smoothly from topic to topic?
- Was something taught out of order?
Pacing:
- Were you able to keep up?
- Are there any places where the pace felt too slow?
- Were you able to process what the instructor said before moving on to the next topic?
- Did you have ample time to reflect on what you learned?
- Did you have time to formulate and ask questions?
Learner activities:
- Which demos helped you learn the most? Why do you think that is?
- Did the lab help you synthesize the content in the module? Did it help you to understand how you can use this knowledge in your work environment?
- Were there any discussion questions or reflection questions that really made you think?
- Were there questions you thought weren't helpful?

