Slide 1: Module 2: Configuring Domain Name Service for Active Directory® Domain Services
Slide 3: Lesson 1: Overview of Active Directory Domain Services and DNS Integration
• Active Directory Domain Services and DNS Namespace Integration
• What Are Service Resource Locator Records?
• Demonstration: SRV Locator Records Registered by AD DS Domain Controllers
• How Service Resource Locator Records Are Used
• Integration of Service Resource Locator Records and Active Directory Sites
Slide 4: Active Directory Domain Services and DNS Namespace Integration
Active Directory domain names must use DNS names.
You can integrate an Active Directory domain name with the external namespace by using:
• The same namespace (external name WoodgroveBank.com, Active Directory domain WoodgroveBank.com)
• A subdomain of the external namespace (external name WoodgroveBank.com, Active Directory domain Corp.WoodgroveBank.com)
• A different namespace, where the internal Active Directory domain name and the external name are different (external name WoodgroveBank.com, Active Directory domain Woodgrovecorp.com)
Slide 5: What Are Service Locator Records?
SRV resource records allow DNS clients to locate TCP/IP-based services. SRV resource records are used when:
• A domain controller needs to replicate changes
• A client computer logs on to Active Directory
• A user attempts to change his or her password
• An Exchange 2003 server performs a directory lookup
• An administrator modifies Active Directory
SRV record syntax:
_service._protocol.name TTL class type priority weight port target
Example of an SRV record:
_ldap._tcp.contoso.msft 600 IN SRV 0 100 389 den-dc1.contoso.msft
Slide 6: Demonstration: SRV Resource Records Registered by AD DS Domain Controllers
In this demonstration, you will see how to view and manage the SRV resource records registered by domain controllers.
Slide 7: How Service Resource Locator Records Are Used
1. The Locator initiates a call to the Net Logon service.
2. Net Logon uses the information and queries DNS for SRV resource records.
Slide 8: Integration of Service Locator Records and Active Directory Sites
(Diagram: domain controllers MIA-DC1 and NYC-DC1; NYC Site)
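The following is an added example, not code from the original module: it shows what the Locator/Net Logon steps on slides 7 and 8 amount to in DNS terms. Net Logon first asks for the site-specific record (_ldap._tcp.<site>._sites.dc._msdcs.<domain>) and falls back to the domain-wide record, then orders the answers by priority and weight. The domain name contoso.msft, the site name NYC and the constructed sample records are assumptions; Select-SrvTargets implements the RFC 2782 ordering used for SRV records and is not Microsoft's own code.

```powershell
# Added example (not part of the original module). Placeholders:
$Domain = 'contoso.msft'   # assumed AD DS domain name
$Site   = 'NYC'            # assumed site name (from the slide 8 diagram)

# Order SRV records the way a locator client does (RFC 2782): lowest priority
# value first; within one priority, a weighted random order, heavier first.
function Select-SrvTargets {
    param([Parameter(Mandatory)][object[]]$Records)
    foreach ($group in ($Records | Group-Object Priority | Sort-Object { [int]$_.Name })) {
        $remaining = [System.Collections.Generic.List[object]]::new()
        $group.Group | ForEach-Object { $remaining.Add($_) }
        while ($remaining.Count -gt 0) {
            $total = [int]($remaining | Measure-Object Weight -Sum).Sum
            if ($total -eq 0) {
                $pick = $remaining[0]                 # only weight-0 records left
            } else {
                $r = Get-Random -Minimum 0 -Maximum $total   # 0 .. total-1
                $acc = 0
                foreach ($rec in $remaining) {
                    $acc += [int]$rec.Weight
                    if ($r -lt $acc) { $pick = $rec; break }
                }
            }
            $pick                                     # emit in selection order
            [void]$remaining.Remove($pick)
        }
    }
}

# Constructed sample answer set (offline demonstration of the ordering).
$sample = @(
    [pscustomobject]@{ NameTarget = 'nyc-dc1.contoso.msft'; Port = 389; Priority = 0;  Weight = 100 },
    [pscustomobject]@{ NameTarget = 'nyc-dc2.contoso.msft'; Port = 389; Priority = 0;  Weight = 50  },
    [pscustomobject]@{ NameTarget = 'mia-dc1.contoso.msft'; Port = 389; Priority = 10; Weight = 100 }
)
# mia-dc1 (priority 10) is always last; nyc-dc1 comes first about two thirds of the time.
Select-SrvTargets -Records $sample | Format-Table NameTarget, Priority, Weight, Port -AutoSize

# Live lookup: site-specific record first, then the domain-wide fallback.
function Find-DomainController {
    param([string]$Domain, [string]$Site)
    $names = @(
        "_ldap._tcp.$Site._sites.dc._msdcs.$Domain",
        "_ldap._tcp.dc._msdcs.$Domain"
    )
    foreach ($n in $names) {
        $srv = Resolve-DnsName -Name $n -Type SRV -ErrorAction SilentlyContinue |
               Where-Object { $_.Type -eq 'SRV' }   # drop the additional A records
        if ($srv) {
            $query = $n
            return Select-SrvTargets -Records $srv |
                   Select-Object @{ n = 'Query'; e = { $query } }, NameTarget, Port, Priority, Weight
        }
    }
}
Find-DomainController -Domain $Domain -Site $Site | Format-Table -AutoSize
```

Run the live lookup from a domain member; if it returns nothing for a domain that should have domain controllers, the SRV records are missing or corrupt, and running `nltest /dsregdns` (or restarting the Netlogon service) on a domain controller re-registers them.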
Slide 9: Lesson 2: Configuring Active Directory Integrated Zones
• What Are Active Directory Integrated Zones?
• What Are Application Partitions in AD DS?
• Options for Configuring Application Partitions for DNS
• How Dynamic Updates Work
• How Secure Dynamic DNS Updates Work
• Demonstration: Configuring AD DS Integrated Zones
• How Background Zone Loading Works
Slide 10: What Are Active Directory Integrated Zones?
Active Directory integrated zones store DNS zone data in the Active Directory database.
Benefits of using Active Directory integrated zones:
• Replicates DNS zone information using Active Directory replication
• Supports multiple master DNS servers (multimaster replication)
• Enhances security
• Supports record aging and scavenging
Slide 11: What Are Application Partitions in AD DS?
The Active Directory database is divided into directory partitions, with each directory partition replicated to specific domain controllers.
• A DNS zone can be stored in the domain partition or in an application partition
• Administrators can define the replication scope of custom application partitions
• DomainDnsZones and ForestDnsZones are default application partitions that store DNS-specific data
(Diagram: each domain controller holds the Domain, Config and Schema partitions; application partitions such as App1 and App2 are replicated only to selected domain controllers)
Slide 12: Options for Configuring Application Partitions for DNS
DNS information can be stored in a variety of application partitions.
(Table of replication options; only one row survived extraction:) To all domain controllers that are DNS servers in the Active
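An added example, not part of the original module, of configuring the storage and replication scope the two slides above describe. The replication options on slide 12 correspond to the ReplicationScope values Forest (ForestDnsZones, all DNS servers in the forest), Domain (DomainDnsZones, all DNS servers in the domain), Legacy (the domain partition, replicated to every domain controller in the domain) and Custom (an application partition you create and enlist specific domain controllers in). The zone name, partition name and server names are assumptions.

```powershell
# Added example (not part of the original module). Run on a domain controller
# that holds the DNS Server role. Placeholders:
$Zone      = 'corp.woodgrovebank.com'   # assumed zone name
$Partition = 'BranchDnsZones'           # assumed custom application partition name
$OtherDc   = 'mia-dc1'                  # assumed second DNS server / DC

# 1. Which DNS application partitions does this server know about?
#    The default ones are DomainDnsZones and ForestDnsZones.
Get-DnsServerDirectoryPartition | Format-Table -AutoSize

# 2. Convert a file-backed primary zone to AD DS integrated and replicate it to
#    every DNS server in the forest (ForestDnsZones). Require secure updates:
#    once the zone is in AD DS, "Secure only" becomes available.
ConvertTo-DnsServerPrimaryZone -Name $Zone -ReplicationScope Forest -Force
Set-DnsServerPrimaryZone -Name $Zone -DynamicUpdate Secure

# 3. Narrow the scope: create a custom application partition, move the zone
#    into it, and enlist a second DC so that only enlisted DCs replicate it.
Add-DnsServerDirectoryPartition -Name $Partition
Set-DnsServerPrimaryZone -Name $Zone -ReplicationScope Custom -DirectoryPartitionName $Partition
Register-DnsServerDirectoryPartition -Name $Partition -ComputerName $OtherDc

# 4. Verify where each zone lives and how it replicates.
Get-DnsServerZone |
    Where-Object { -not $_.IsAutoCreated } |
    Format-Table ZoneName, IsDsIntegrated, ReplicationScope, DirectoryPartitionName, DynamicUpdate -AutoSize
```

A zone can only be placed in a custom partition after it is AD DS integrated, and a domain controller that is not enlisted in that partition will not hold the zone at all, so enlist every DNS server that must answer for it before moving the zone.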
Slide 13: How Dynamic Updates Work
1. The client sends an SOA query.
2. The DNS server sends the zone name and the server IP address.
3. The client verifies its existing registration.
4. The DNS server responds by stating that the registration does not exist.
5. The client sends a dynamic update to the DNS server.
(Diagram: Windows Vista and Windows XP clients registering resource records with a Windows Server 2008 DNS server)
Slide 14: How Secure Dynamic DNS Updates Work
1. The client asks its local DNS server to find the authoritative server, and receives the result.
2. The local DNS server locates the authoritative server (the domain controller holding the Active Directory integrated zone) and returns the result.
3. The client attempts a nonsecure update; the server refuses it.
4. The client and server negotiate a secure update; the server accepts it.
A secure dynamic update is accepted only if the client has the proper credentials to make the update.
(Diagram: Windows Vista DNS client, local DNS server, and domain controller with Active Directory integrated DNS zone)
Slide 15: Demonstration: Configuring AD DS Integrated Zones
In this demonstration, you will see how to configure:
• A DNS zone as AD DS integrated
• Dynamic updates on DNS zones
• Dynamic update settings on a network connection
• Secure dynamic updates
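An added example, not part of the original module, covering the four demonstration steps above from the command line: the zone-side dynamic update setting, the client-side registration setting, triggering a registration, and checking who ends up owning the record. The practical point behind slide 14 is that a zone set to "Nonsecure and secure" accepts the first, nonsecure attempt from any host on the network, so any host can overwrite another host's record; "Secure only" forces the negotiated (authenticated) update. The zone name, interface alias and hostnames are assumptions; Get-NonsecureUpdateZones is a helper written for this example.

```powershell
# Added example (not part of the original module). Placeholders:
$Zone      = 'contoso.msft'   # assumed AD DS integrated zone
$Interface = 'Ethernet'       # assumed network connection alias on the client

# --- Server side (run on the DNS server / domain controller) ---
# Weak setting: NonsecureAndSecure accepts unauthenticated updates from any host.
# Hardened setting: Secure requires the GSS-TSIG negotiation shown on slide 14.
Set-DnsServerPrimaryZone -Name $Zone -DynamicUpdate Secure

# Audit helper: which primary zones on this server still accept nonsecure updates?
function Get-NonsecureUpdateZones {
    Get-DnsServerZone |
        Where-Object {
            $_.ZoneType -eq 'Primary' -and
            -not $_.IsAutoCreated -and
            $_.DynamicUpdate -eq 'NonsecureAndSecure'
        } |
        Select-Object ZoneName, IsDsIntegrated, DynamicUpdate
}
Get-NonsecureUpdateZones

# --- Client side (run on a domain member) ---
# Dynamic update settings on the network connection: register this
# connection's address under the computer's primary DNS suffix.
Set-DnsClient -InterfaceAlias $Interface -RegisterThisConnectionsAddress $true
# Trigger the registration now (same effect as ipconfig /registerdns).
Register-DnsClient

# --- Verify the result (run where the DnsServer and ActiveDirectory modules are installed) ---
$Host_ = $env:COMPUTERNAME
Get-DnsServerResourceRecord -ZoneName $Zone -Name $Host_ -RRType A

# A secure update creates the dnsNode object with the registering computer
# account as owner, so later updates from other hosts are refused.
Import-Module ActiveDirectory
$zoneDn = ($Zone -split '\.' | ForEach-Object { "DC=$_" }) -join ','
$nodeDn = "DC=$Host_,DC=$Zone,CN=MicrosoftDNS,DC=DomainDnsZones,$zoneDn"
(Get-Acl -Path "AD:\$nodeDn").Owner
```

The DN used for the dnsNode object assumes the zone is stored in DomainDnsZones; for a zone in ForestDnsZones or a custom partition, substitute that partition's naming context.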
Slide 16: How Background Zone Loading Works
When a domain controller with Active Directory integrated DNS zones starts, it:
• Enumerates all zones to be loaded
• Loads root hints from files or AD DS servers
• Loads all zones that are stored in files rather than in AD DS
• Begins responding to queries and RPCs
• Starts one or more threads to load the zones that are stored in AD DS
Slide 17: Lesson 3: Configuring Read-Only DNS
• What Is Read-Only DNS?
• How Read-Only DNS Works
• Discussion: Comparing DNS Options for Branch Offices
Slide 18: What Is Read-Only DNS?
• A feature supported on Read-Only Domain Controllers (RODCs)
• All application partitions containing DNS information are replicated to the RODC
Benefits:
• DNS information required for Active Directory name resolution is available to clients in the same site as the RODC
• Changes are not allowed on the read-only DNS zone, which increases security
Slide 19: How Read-Only DNS Works
Read-only DNS is installed on an RODC when AD DS is installed and the DNS option is selected.
• Read-only DNS zone data can be viewed, but cannot be updated
• Clients that send dynamic DNS updates to the RODC are referred to a DNS server with a writable copy of the zone
• Records cannot be manually added to the read-only zone
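An added example, not part of the original module, of checking the three behaviours listed on slide 19 from an RODC: which zones are read-only, that a manual write is rejected, and where an update client is referred. The client's first step in a dynamic update (slide 13) is an SOA query, so the SOA answer the RODC returns is what points the client at a writable server. The zone, record and server names are assumptions.

```powershell
# Added example (not part of the original module). Run on the RODC. Placeholders:
$Zone       = 'contoso.msft'   # assumed AD DS integrated zone
$WritableDc = 'nyc-dc1'        # assumed full (writable) DC in the hub site
$Rodc       = $env:COMPUTERNAME

# 1. Zones this server holds read-only.
Get-DnsServerZone |
    Where-Object { $_.IsReadOnly } |
    Format-Table ZoneName, ZoneType, IsDsIntegrated, IsReadOnly, DynamicUpdate -AutoSize

# 2. A manual record addition on the read-only zone is refused.
try {
    Add-DnsServerResourceRecordA -ZoneName $Zone -Name 'branch-app' -IPv4Address '10.1.2.3' -ErrorAction Stop
    'Unexpected: write succeeded, this zone is not read-only'
} catch {
    "Write refused on read-only zone: $($_.Exception.Message)"
}

# 3. Where would a dynamic update client be sent? Ask the RODC for the zone's
#    SOA record, as the client does in step 1 of the dynamic update flow, and
#    compare the primary server it names with the writable DC.
$soa = Resolve-DnsName -Name $Zone -Type SOA -Server $Rodc | Where-Object { $_.Type -eq 'SOA' }
"SOA primary server reported by $Rodc : $($soa.PrimaryServer)"

# 4. After a branch client registers, the record exists on the writable copy
#    and arrives on the RODC through replication, not through a local write.
Get-DnsServerResourceRecord -ComputerName $WritableDc -ZoneName $Zone -Name 'branch-app' -RRType A -ErrorAction SilentlyContinue
```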
Slide 20: Discussion: Comparing DNS Options for Branch Offices
Slide 21: Lab: Configuring AD DS and DNS Integration
• Exercise 1: Configuring Active Directory Integrated Zones
• Exercise 2: Configuring Read-Only DNS Zones
Logon information
Estimated time: 45 minutes
Slide 22: Lab Review
• What would be the advantage of storing the Active Directory integrated DNS zones in a custom application partition instead of the default partitions?
• What steps could you take to recover the SRV resource records if they were deleted or corrupted?
• Who can create Active Directory integrated zones?
Slide 23: Module Review and Takeaways
• Review questions
• Module key points
Slide 24: Beta Feedback Tool
• The beta feedback tool helps:
  Collect student roster information, module feedback, and course evaluations
  Identify and sort the changes that students request, thereby facilitating a quick team triage
  Save data to a database in SQL Server that you can later query
• Walkthrough of the tool
Slide 25: Beta Feedback
• Overall flow of the module:
  Which topics did you think flowed smoothly from topic to
  Were you able to process what the instructor said before moving on to the next topic?
  Did you have ample time to reflect on what you learned? Did you have time to formulate and ask questions?
  knowledge in your work environment?
  Were there any discussion questions or reflection questions that really made you think? Were there questions you thought weren't helpful?