Module 2: Configuring Domain Name Service for Active Directory® Domain Services

Module Overview
• Overview of Active Directory Domain Services and DNS Integration
• Configuring AD DS Integrated Zones
• Configuring Read-Only DNS Zones

Lesson 1: Overview of Active Directory Domain Services and DNS Integration
• AD DS and DNS Namespace Integration
• What Are Service Resource Locator Records?
• Demonstration: SRV Locator Records Registered by AD DS Domain Controllers
• How Service Resource Locator Records Are Used
• Integrating Service Resource Locator Records and AD DS Sites
AD DS and DNS Namespace Integration

AD DS domain names must use DNS names

You can integrate an AD DS domain name with the external name space by using:
• The same name space (external: WoodgroveBank.com; AD DS: WoodgroveBank.com)
• A sub domain of the external name space (external: WoodgroveBank.com; AD DS: Corp.WoodgroveBank.com)
• A different name space, where the external and local domain names differ (external: WoodgroveBank.com; AD DS: Woodgrovecorp.com)
What Are Service Locator Records?

SRV resource records allow DNS clients to locate TCP/IP-based services. SRV resource records are used when:
• A domain controller needs to replicate changes
• A client computer logs on to AD DS
• A user attempts to change his or her password
• An Exchange 2003 server performs a directory lookup
• An administrator modifies AD DS

SRV record syntax:
protocol.service.name TTL class type priority weight port target

Example of an SRV record:
_ldap._tcp.contoso.msft 600 IN SRV 0 100 389 den-dc1.contoso.msft
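As an added example (not part of the original module), the following Python parses records written like the example above and orders the targets by priority and weight the way RFC 2782 tells clients to; the owner names follow the _service._protocol.domain form of the example record, and the den-dc2 and mia-dc1 records are constructed sample data.

```python
import random
from dataclasses import dataclass

@dataclass(frozen=True)
class SrvRecord:
    name: str       # owner name, _service._protocol.domain as in the example record
    ttl: int
    priority: int   # lower value is tried first
    weight: int     # relative share among targets of the same priority
    port: int
    target: str     # host that offers the service

def parse_srv(line: str) -> SrvRecord:
    """Parse one zone-file style SRV record such as the slide's _ldap._tcp example."""
    parts = line.split()
    if len(parts) != 8 or parts[2:4] != ["IN", "SRV"]:
        raise ValueError(f"not an SRV record: {line!r}")
    name, ttl, _cls, _type, prio, weight, port, target = parts
    return SrvRecord(name, int(ttl), int(prio), int(weight), int(port), target.rstrip("."))

def order_targets(records, rng=random):
    """Order targets as RFC 2782 directs: lowest priority first; within a priority a
    weighted random draw (weight 200 is tried first about twice as often as 100,
    weight 0 only when no other target of that priority is left)."""
    ordered = []
    for prio in sorted({r.priority for r in records}):
        pool = sorted((r for r in records if r.priority == prio), key=lambda r: r.weight != 0)
        while pool:
            pick = rng.randint(0, sum(r.weight for r in pool))
            running = 0
            for r in pool:
                running += r.weight
                if running >= pick:
                    ordered.append(r)
                    pool.remove(r)
                    break
    return ordered

def first_choice_share(records, trials=1000, seed=1):
    """Fraction of runs in which each target is tried first (a constructed check)."""
    rng = random.Random(seed)
    firsts = [order_targets(records, rng)[0].target for _ in range(trials)]
    return {t: firsts.count(t) / trials for t in set(firsts)}

# Constructed sample zone data modelled on the slide's example record
SAMPLE = [parse_srv(line) for line in (
    "_ldap._tcp.contoso.msft 600 IN SRV 0 100 389 den-dc1.contoso.msft",
    "_ldap._tcp.contoso.msft 600 IN SRV 0 200 389 den-dc2.contoso.msft",
    "_ldap._tcp.contoso.msft 600 IN SRV 10 100 389 mia-dc1.contoso.msft",
)]
```

The priority 10 record is only reached when both priority 0 domain controllers are unavailable, which is how a remote site is kept as a last resort.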
Demonstration: SRV Resource Records Registered by AD DS Domain Controllers

In this demonstration, you will see how to view and manage the SRV resource records registered by domain controllers
How Service Resource Locator Records Are Used

1. Locator initiates a call to the Net Logon service
2. Locator collects information about the client
3. Net Logon uses the information and queries DNS for SRV resource records
4. Net Logon tests connectivity to target servers
5. Domain controllers respond, indicating that they are operational
6. Net Logon returns the information to clients

Integrating Service Locator Records and AD DS Sites

[Diagram: a client in the NYC site, its Local DNS Server, MIA-DC1 in the Miami site and NYC-DC1 in the NYC site]
1. Client queries DNS for a DC
2. DNS responds with multiple records
3. Client contacts MIA-DC1 by using LDAP
4. MIA-DC1 returns site information (NYC)
5. Client queries DNS for a DC in the NYC site
6. DNS responds with a DC in the NYC site
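The six-step exchange above as an added Python simulation (not from the original module): the _msdcs and _sites SRV names are the ones domain controllers register, while the zone contents, the subnet-to-site table, the client addresses and the simplified LDAP ping are constructed assumptions.

```python
import ipaddress

DOMAIN = "contoso.msft"

# Constructed zone data: SRV owner name -> [(priority, weight, port, target)].
# The _msdcs and _sites names are the ones domain controllers register.
ZONE = {
    f"_ldap._tcp.dc._msdcs.{DOMAIN}": [
        (0, 100, 389, f"mia-dc1.{DOMAIN}"), (0, 100, 389, f"nyc-dc1.{DOMAIN}")],
    f"_ldap._tcp.Miami._sites.dc._msdcs.{DOMAIN}": [(0, 100, 389, f"mia-dc1.{DOMAIN}")],
    f"_ldap._tcp.NYC._sites.dc._msdcs.{DOMAIN}": [(0, 100, 389, f"nyc-dc1.{DOMAIN}")],
}
# Constructed subnet-to-site table: what a DC consults to tell a client its site
SUBNETS = {"10.1.0.0/16": "NYC", "10.2.0.0/16": "Miami"}

def srv_query(name):
    """Targets for one SRV name in priority order (ties kept as listed)."""
    return [target for *_, target in sorted(ZONE.get(name, []))]

def ldap_ping(dc, client_ip):
    """Simplified stand-in for the LDAP ping: the contacted DC maps the client's
    address to a site (dc is kept only to show which DC answered)."""
    ip = ipaddress.ip_address(client_ip)
    return next((site for net, site in SUBNETS.items() if ip in ipaddress.ip_network(net)), None)

def locate_dc(client_ip, domain=DOMAIN):
    """Return (chosen DC, trace of the six steps from the slide)."""
    trace = []
    any_dc = srv_query(f"_ldap._tcp.dc._msdcs.{domain}")      # steps 1-2: any DC
    trace.append(("query", f"_ldap._tcp.dc._msdcs.{domain}", any_dc))
    if not any_dc:
        return None, trace
    site = ldap_ping(any_dc[0], client_ip)                   # steps 3-4: DC returns site
    trace.append(("ldap_ping", any_dc[0], site))
    if site:                                                 # steps 5-6: DC in that site
        site_name = f"_ldap._tcp.{site}._sites.dc._msdcs.{domain}"
        in_site = srv_query(site_name)
        trace.append(("query", site_name, in_site))
        if in_site:
            return in_site[0], trace
    return any_dc[0], trace                                  # no site info: keep first DC
```

A client whose address is in no defined subnet gets no site and stays with the first domain-wide DC, which is why missing subnet objects send branch clients to remote domain controllers.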
Lesson 2: Configuring AD DS Integrated Zones
• What Are AD DS Integrated Zones?
• What Are Application Partitions in AD DS?
• Options for Configuring Application Partitions for DNS
• How Dynamic Updates Work
• How Secure Dynamic DNS Updates Work
• Demonstration: Configuring AD DS Integrated Zones
• How Background Zone Loading Works

What Are AD DS Integrated Zones?

AD DS integrated zones store DNS zone data in the AD DS database

Benefits of using AD DS integrated zones:
• Replicates DNS zone information using AD DS replication
• Supports multiple master DNS servers
• Enhances security
• Supports record aging/expiration and scavenging

What Are Application Partitions in AD DS?

The AD DS database is divided into directory partitions, with each directory partition replicated to specific domain controllers

• Windows 2000 Server: a DNS zone can be stored in the domain partition or in an application partition (a DNS partition, not the Schema, Configuration or Domain partitions)
• Administrators can define the replication scope of custom application partitions
• Windows Server 2003 and later: if a DC is also a DNS server, it has the DomainDNSZones and ForestDNSZones default application partitions, which store DNS-specific data

[Diagram: domain controllers each holding the Domain, Config and Schema partitions; the application partitions App1 and App2 are replicated only to a subset of them]

Options for Configuring Application Partitions for DNS

DNS information can be stored in a variety of application partitions

Partition         Replication scope
Domain            To all domain controllers in the AD DS domain
DomainDNSZones    To all domain controllers that are DNS servers in the AD DS domain
ForestDNSZones    To all domain controllers that are DNS servers in the AD DS forest
CustomApp         To all domain controllers in the replication scope for the application partition

[Diagram also shows the Config and Schema partitions, with no DNS replication scope listed]
How Dynamic Updates Work

[Diagram: Windows Server 2008, Windows Vista and Windows XP clients exchanging messages 1 to 5 with a DNS server that holds the zone's resource records]
1. Client sends SOA query
2. DNS server sends zone name and server IP address
3. Client verifies existing registration
4. DNS server responds by stating that registration does not exist
5. Client sends dynamic update to DNS server
How Secure Dynamic DNS Updates Work

A secure dynamic update is accepted only if the client has the proper credentials to make the update

[Diagram: a Windows Vista DNS client, the Local DNS Server and a Domain Controller with an Active Directory Integrated DNS Zone]
1. Find authoritative server (via the local DNS server); result returned
2. Attempt nonsecure update; refused
3. Secure update with negotiation; accepted by the domain controller holding the Active Directory integrated DNS zone
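The update flow from the two slides above, as an added Python model that is not part of the original module: the server accepts or refuses an update according to the zone's dynamic-update setting and the record's owner (the account that created it), and the client retries a refused nonsecure update as a secure one. The zone name, hosts, account names and the exact form of the ownership rule are constructed assumptions.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional

# The three values of a zone's dynamic-update setting
NONE, NONSECURE_AND_SECURE, SECURE = "None", "NonsecureAndSecure", "Secure"

@dataclass
class Record:
    address: str
    owner: Optional[str]    # account that created it; None = created without credentials

@dataclass
class Zone:
    name: str
    dynamic_update: str
    records: Dict[str, Record] = field(default_factory=dict)

    def update(self, host, address, principal=None):
        """Server side. principal is None for a nonsecure (unsigned) update and the
        authenticated account for a secure one. Returns the DNS response code."""
        if self.dynamic_update == NONE:
            return "REFUSED"
        if principal is None and self.dynamic_update != NONSECURE_AND_SECURE:
            return "REFUSED"                      # secure-only zone: unsigned update refused
        existing = self.records.get(host)
        # Ownership check (assumed model of the per-record ACL): a record created by an
        # account may only be changed by that account; an ownerless one by anybody
        if existing and existing.owner is not None and existing.owner != principal:
            return "REFUSED"
        self.records[host] = Record(address, principal)
        return "NOERROR"

def register(zone, host, address, principal=None):
    """Client side, following the slides: check the existing registration, try a
    nonsecure update first, and negotiate a secure one if that is refused."""
    existing = zone.records.get(host)                         # step 3: verify registration
    if existing and existing.address == address:
        return ["registration current, no update sent"]
    trace = []                                                # server reported none/different
    rc = zone.update(host, address)                           # nonsecure attempt
    trace.append(f"nonsecure update: {rc}")
    if rc == "REFUSED" and principal:
        rc = zone.update(host, address, principal)            # secure update with negotiation
        trace.append(f"secure update as {principal}: {rc}")
    return trace
```

With the NonsecureAndSecure setting a record registered without credentials has no owner, so any later unauthenticated update can replace it; with Secure only the owning account can change it.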
Demonstration: Configuring AD DS Integrated Zones

In this demonstration, you will see how to configure:
• A DNS zone as AD DS integrated
• Dynamic updates on DNS zones
• Dynamic update settings on a network connection
• Secure dynamic updates

How Background Zone Loading Works

When a domain controller with Active Directory-integrated DNS zones starts, it:
• Enumerates all zones to be loaded
• Loads root hints from files or AD DS servers
• Loads all zones that are stored in files rather than in AD DS
• Begins responding to queries and RPCs
• Starts one or more threads to load the zones that are stored in AD DS
Lesson 3: Configuring Read-Only DNS Zones
• What Are Read-Only DNS Zones?
• How Read-Only DNS Works
• Discussion: Comparing DNS Options for Branch Offices

What Are Read-Only DNS Zones?

• A feature supported on Read-Only Domain Controllers
• All application partitions containing DNS information are replicated to the RODC

Benefits:
• DNS information required for AD DS name resolution is available for clients in the same site as the RODC
• Changes are not allowed on the read-only DNS zone, which increases security
How Read-Only DNS Works

Read-only DNS is installed on an RODC when AD DS is installed and the DNS option is selected

• Read-only DNS zone data can be viewed, but cannot be updated
• Clients that send dynamic DNS updates to the RODC are referred to a DNS server with a writeable copy of the zones
• Records cannot be manually added to the read-only zone

[Diagram: the referral of a dynamic update from the RODC to a writeable DNS server, steps 1 to 3]
Discussion: Comparing DNS Options for Branch Offices
• What options other than read-only DNS are available for implementing DNS in the branch office?
• What are the advantages and disadvantages of each option?
Lab: Configuring AD DS and DNS Integration
• Exercise 1: Configuring Active Directory Integrated Zones
• Exercise 2: Configuring Read-Only DNS Zones

Logon information
Virtual machine: NYC-DC1, MIA-RODC
User name: Administrator
Password: Pa$$w0rd

Estimated time: 45 minutes

Lab Review
• What would be the advantage to storing the Active
Directory-integrated DNS zones in a custom application
partition instead of the default partitions?
• What steps could you take to recover the SRV resource
records if they were deleted or corrupted?
• Who can create Active Directory integrated zones?
Module Review and Takeaways
• Review questions

• Module key points
