Module 2: Configuring Domain Name Service for Active Directory® Domain Services
Module Overview
• Overview of Active Directory Domain Services and DNS Integration
• Configuring AD DS Integrated Zones
• Configuring Read-Only DNS Zones
Lesson 1: Overview of Active Directory Domain Services and DNS Integration
• AD DS and DNS Namespace Integration
• What Are Service Resource Locator Records?
• Demonstration: SRV Locator Records Registered by AD DS Domain Controllers
• How Service Resource Locator Records Are Used
• Integrating Service Resource Locator Records and AD DS Sites
AD DS and DNS Namespace Integration
AD DS domain names must use DNS names. You can integrate an AD DS domain name with the external name space by using:
• The same name space (external WoodgroveBank.com, internal WoodgroveBank.com)
• A subdomain of the external name space (external WoodgroveBank.com, internal Corp.WoodgroveBank.com)
• A different name space, where the external and internal domains have different names (external WoodgroveBank.com, internal Woodgrovecorp.com)
What Are Service Locator Records?
SRV resource records allow DNS clients to locate TCP/IP-based services. SRV resource records are used when:
• A domain controller needs to replicate changes
• A client computer logs on to AD DS
• A user attempts to change his or her password
• An Exchange 2003 server performs a directory lookup
• An administrator modifies AD DS
SRV record syntax:
protocol.service.name TTL class type priority weight port target
Example of an SRV record:
_ldap._tcp.contoso.msft 600 IN SRV 0 100 389 den-dc1.contoso.msft
Demonstration: SRV Resource Records Registered by AD DS Domain Controllers
In this demonstration, you will see how to view and manage the SRV resource records registered by domain controllers.
How Service Resource Locator Records Are Used
1. Locator initiates a call to the Net Logon service
2. Locator collects information about the client
3. Net Logon uses the information and queries DNS for SRV resource records
4. Net Logon tests connectivity to target servers
5. Domain controllers respond, indicating that they are operational
6. Net Logon returns the information to clients
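The SRV syntax and the locator steps above, worked through as an added PowerShell example (not part of the course material): it parses records written in the same format as the slide's example and picks a target by priority and then weight, which is how a DNS locator chooses among several domain controllers. The three record lines are constructed sample data and the function names are assumptions.

```powershell
# Added example: parse SRV records in the slide's format and select a target the way a
# DNS locator does: lowest priority first, then a weighted random choice within that
# priority. The records below are constructed sample data (not from a real zone).
$records = @(
    '_ldap._tcp.contoso.msft 600 IN SRV 0 100 389 den-dc1.contoso.msft',
    '_ldap._tcp.contoso.msft 600 IN SRV 0 300 389 den-dc2.contoso.msft',
    '_ldap._tcp.contoso.msft 600 IN SRV 10 100 389 nyc-dc1.contoso.msft'
)

function ConvertFrom-SrvRecord {
    param([Parameter(Mandatory)][string]$Line)
    # Fields: owner TTL class type priority weight port target
    $f = $Line -split '\s+'
    if ($f.Count -ne 8 -or $f[3] -ne 'SRV') { throw "Not an SRV record: $Line" }
    $labels = $f[0] -split '\.'
    [pscustomobject]@{
        Service  = $labels[0]      # first label of the example record, e.g. _ldap
        Protocol = $labels[1]      # second label, e.g. _tcp
        Domain   = ($labels[2..($labels.Count - 1)] -join '.')
        Ttl      = [int]$f[1]
        Priority = [int]$f[4]
        Weight   = [int]$f[5]
        Port     = [int]$f[6]
        Target   = $f[7]
    }
}

function Select-SrvTarget {
    param([Parameter(Mandatory)][object[]]$Srv)
    # Only the lowest-priority group is eligible; higher priorities are fallbacks
    # that the locator tries when nothing in the lowest group answers.
    $best  = ($Srv | Measure-Object -Property Priority -Minimum).Minimum
    $group = @($Srv | Where-Object Priority -eq $best)
    $total = ($group | Measure-Object -Property Weight -Sum).Sum
    if ($total -le 0) { return $group[0] }      # all weights zero: no preference
    # Weighted choice: weight 300 is picked about three times as often as weight 100.
    $roll = Get-Random -Minimum 0 -Maximum $total
    foreach ($r in $group) {
        $roll -= $r.Weight
        if ($roll -lt 0) { return $r }
    }
}

$parsed = $records | ForEach-Object { ConvertFrom-SrvRecord $_ }
$chosen = Select-SrvTarget $parsed
'Locator would contact {0}:{1} (priority {2}, weight {3})' -f $chosen.Target, $chosen.Port, $chosen.Priority, $chosen.Weight
```

On a domain-joined client the live records can be fetched with `Resolve-DnsName -Name _ldap._tcp.contoso.msft -Type SRV` and fed to the same selection function.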
Integrating Service Locator Records and AD DS Sites
[Diagram: a local DNS server, with NYC-DC1 in the NYC site and MIA-DC1 in the Miami site]
Lesson 2: Configuring AD DS Integrated Zones
• What Are AD DS Integrated Zones?
• What Are Application Partitions in AD DS?
• Options for Configuring Application Partitions for DNS
• How Dynamic Updates Work
• How Secure Dynamic DNS Updates Work
• Demonstration: Configuring AD DS Integrated Zones
• How Background Zone Loading Works
What Are AD DS Integrated Zones?
AD DS integrated zones store DNS zone data in the AD DS database
Benefits of using AD DS integrated zones:
• Replicates DNS zone information using AD DS replication
• Supports multiple master DNS servers
• Enhances security
• Supports record aging and scavenging
What Are Application Partitions in AD DS?
The AD DS database is divided into directory partitions, with each directory partition replicated to specific domain controllers
• A DNS zone can be stored in the domain partition or in an application partition
• Administrators can define the replication scope of custom application partitions
• DomainDnsZones and ForestDnsZones are default application partitions that store DNS-specific data
[Diagram: three domain controllers, each holding the Domain, Config and Schema partitions; the App1 application partition replicates to two of them and App2 to one]
Options for Configuring Application Partitions for DNS
DNS information can be stored in a variety of application partitions:
• Domain partition: replicated to all domain controllers in the AD DS domain
• DomainDnsZones: replicated to all domain controllers that are DNS servers in the AD DS domain
• ForestDnsZones: replicated to all domain controllers that are DNS servers in the AD DS forest
• Custom application partition: replicated to all domain controllers in the replication scope for the application partition
(The Config and Schema partitions are shown in the diagram for context; they do not hold DNS zone data.)
How Dynamic Updates Work
[Diagram: Windows Server 2008, Windows Vista and Windows XP clients exchanging the numbered messages below with a DNS server that holds the resource records]
1. Client sends SOA query
2. DNS server sends zone name and server IP address
3. Client verifies existing registration
4. DNS server responds by stating that registration does not exist
5. Client sends dynamic update to DNS server
How Secure Dynamic DNS Updates Work
A secure dynamic update is accepted only if the client has the proper credentials to make the update
[Diagram: Windows Vista DNS client, local DNS server, and domain controller with Active Directory-integrated DNS zone]
Demonstration: Configuring AD DS Integrated Zones
In this demonstration, you will see how to configure:
• A DNS zone as AD DS integrated
• Dynamic updates on DNS zones
• Dynamic update settings on a network connection
• Secure dynamic updates
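The four demonstration settings, applied from PowerShell as an added example (this is not the course's own demonstration, which uses the Windows Server 2008 DNS console). It assumes the DnsServer and DnsClient modules of Windows Server 2012 or later, a zone named contoso.msft as in the SRV example, and an assumed custom partition name.

```powershell
# Added example: the demonstration's settings with the DnsServer module. Run the
# server-side commands on a domain controller that is also a DNS server. Zone,
# partition and interface names are assumed values.
$zone = 'contoso.msft'

# 1. Make an existing file-backed primary zone AD DS integrated. ReplicationScope
#    picks the application partition: Domain = DomainDnsZones, Forest = ForestDnsZones.
ConvertTo-DnsServerPrimaryZone -Name $zone -ReplicationScope Domain -Force

# 2. Dynamic updates: 'Secure' accepts only authenticated clients. The alternative
#    'NonsecureAndSecure' lets any host on the network overwrite existing records.
Set-DnsServerPrimaryZone -Name $zone -DynamicUpdate Secure

# 3. Optional: a custom application partition limits replication of the zone to the
#    DNS servers enlisted in that partition.
$partition = 'BranchDnsZones.contoso.msft'   # assumed name
Add-DnsServerDirectoryPartition -Name $partition
Set-DnsServerPrimaryZone -Name $zone -ReplicationScope Custom -DirectoryPartitionName $partition

# 4. Dynamic update settings on a network connection (run on the client):
#    register this connection's address in DNS, then trigger the registration.
Set-DnsClient -InterfaceAlias 'Ethernet' -RegisterThisConnectionsAddress $true
Register-DnsClient

# Verify the zone settings, then the domain controllers' _ldap._tcp SRV registrations.
Get-DnsServerZone -Name $zone |
    Select-Object ZoneName, IsDsIntegrated, ReplicationScope, DirectoryPartitionName, DynamicUpdate
Get-DnsServerResourceRecord -ZoneName $zone -RRType Srv |
    Where-Object HostName -like '_ldap._tcp*' |
    Select-Object HostName, @{n='Target'; e={$_.RecordData.DomainName}}, @{n='Port'; e={$_.RecordData.Port}}
```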
How Background Zone Loading Works
When a domain controller with Active Directory-integrated DNS zones starts, it:
• Enumerates all zones to be loaded
• Loads root hints from files or AD DS servers
• Loads all zones that are stored in files rather than in AD DS
• Begins responding to queries and RPCs
• Starts one or more threads to load the zones that are stored in AD DS
Lesson 3: Configuring Read-Only DNS Zones
• What Are Read-Only DNS Zones?
• How Read-Only DNS Works
• Discussion: Comparing DNS Options for Branch Offices
What Are Read-Only DNS Zones?
• A feature supported on Read-Only Domain Controllers
• All application partitions containing DNS information are replicated to the RODC
Benefits:
• DNS information required for AD DS name resolution is available for clients in the same site as the RODC
• Changes are not allowed on the read-only DNS zone, which increases security
How Read-Only DNS Works
Read-only DNS is installed on an RODC when AD DS is installed and the DNS option is selected
• Read-only DNS zone data can be viewed, but cannot be updated
• Clients that send dynamic DNS updates to the RODC are referred to a DNS server with a writeable copy of the zones
• Records cannot be manually added to the read-only zone
Discussion: Comparing DNS Options for Branch Offices
• What options other than read-only DNS are available for implementing DNS in the branch office?
• What are the advantages and disadvantages of each option?
Lab: Configuring AD DS and DNS Integration
• Exercise 1: Configuring Active Directory Integrated Zones
• Exercise 2: Configuring Read-Only DNS Zones
Logon information
Virtual machines: NYC-DC1, MIA-RODC
User name: Administrator
Password: Pa$$w0rd
Estimated time: 45 minutes
Lab Review
• What would be the advantage to storing the Active Directory-integrated DNS zones in a custom application partition instead of the default partitions?
• What steps could you take to recover the SRV resource records if they were deleted or corrupted?
• Who can create Active Directory integrated zones?
Module Review and Takeaways
• Review questions
• Module key points