
02-Configuring Domain Name Service for Active Directory Domain Services


<span class='text_page_counter'>(1)</span><div class='page_container' data-page=1>

Module 2: Configuring Domain Name Service for Active Directory Domain Services


</div>
<span class='text_page_counter'>(2)</span><div class='page_container' data-page=2>

Module Overview

• Overview of Active Directory Domain Services and DNS Integration
• Configuring Active Directory Integrated Zones
• Configuring Read-Only DNS



</div>
<span class='text_page_counter'>(3)</span><div class='page_container' data-page=3>

Lesson 1: Overview of Active Directory Domain Services and DNS Integration

• Active Directory Domain Services and DNS Namespace Integration
• What Are Service Locator (SRV) Resource Records?
• Demonstration: SRV Resource Records Registered by AD DS Domain Controllers
• How Service Locator (SRV) Resource Records Are Used



</div>
<span class='text_page_counter'>(4)</span><div class='page_container' data-page=4>

Active Directory Domain Services and DNS Namespace Integration

<b>Active Directory domain names must use DNS names.</b>

You can integrate an Active Directory domain name with the external (Internet-facing) namespace by using:

• <b>The same namespace</b>, for example external <b>WoodgroveBank.com</b> and internal <b>WoodgroveBank.com</b>. The zone then has to be maintained twice, once on the internal DNS servers and once on the public ones (split-brain DNS), and internal records must never be copied into the public zone.
• <b>A subdomain of the external namespace</b>, for example <b>Corp.WoodgroveBank.com</b> under <b>WoodgroveBank.com</b>. The public zone either delegates the subdomain to the internal servers or simply does not publish it; no records need to be duplicated.
• <b>A different namespace</b>, for example internal <b>Woodgrovecorp.com</b> alongside external <b>WoodgroveBank.com</b>, where the AD DS domain name and the public name are unrelated. The internal name should still be a DNS name the organization has registered, so that nobody else can claim it on the Internet.


</div>
<span class='text_page_counter'>(5)</span><div class='page_container' data-page=5>

What Are Service Locator (SRV) Resource Records?

<b>SRV resource records allow DNS clients to locate TCP/IP-based services. In an AD DS environment, SRV resource records are used when:</b>

• <b>A domain controller needs to replicate changes</b>
• <b>A client computer logs on to Active Directory</b>
• <b>A user attempts to change his or her password</b>
• <b>An Exchange 2003 server performs a directory lookup</b>
• <b>An administrator modifies Active Directory</b>

SRV record syntax:

<b>_service._protocol.name TTL class type priority weight port target</b>

Example of an SRV record registered by a domain controller:

<b>_ldap._tcp.contoso.msft 600 IN SRV 0 100 389 den-dc1.contoso.msft</b>

Here <b>_ldap</b> is the service, <b>_tcp</b> the protocol, <b>contoso.msft</b> the name, <b>600</b> the TTL in seconds, <b>IN</b> the class, <b>SRV</b> the record type, <b>0</b> the priority (lower values are tried first), <b>100</b> the weight (the relative share of clients among records of equal priority), <b>389</b> the LDAP port and <b>den-dc1.contoso.msft</b> the target host.


</div>
<span class='text_page_counter'>(6)</span><div class='page_container' data-page=6>

Demonstration: SRV Resource Records Registered by AD DS Domain Controllers



</div>
<span class='text_page_counter'>(7)</span><div class='page_container' data-page=7>

How Service Locator (SRV) Resource Records Are Used

<b>1. The DC Locator initiates a call to the Net Logon service</b>
<b>2. The Locator collects information about the client (domain name, site and the capabilities the domain controller must have)</b>
<b>3. Net Logon uses that information to query DNS for the matching SRV resource records</b>
<b>4. Net Logon tests connectivity to the target servers returned by DNS (an LDAP ping)</b>
<b>5. Domain controllers respond, indicating that they are operational</b>
<b>6. Net Logon returns the information about the selected domain controller to the client</b>



</div>
<span class='text_page_counter'>(8)</span><div class='page_container' data-page=8>

Integration of Service Locator Records and Active Directory Sites

(Figure: a client in the NYC site and the domain controller MIA-DC1 in the Miami site.)

1. The client queries DNS for a domain controller
2. DNS responds with multiple records (domain controllers from any site)
3. The client contacts MIA-DC1 by using LDAP
4. MIA-DC1 determines from the client's IP subnet that the client belongs to the NYC site and returns that site information
5. The client queries DNS for a domain controller in the NYC site
6. DNS responds with a domain controller in the NYC site
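The following PowerShell is an added example and is not part of the original course deck. It shows the DNS side of the sequence on the last two slides: the site-specific and generic locator records that Net Logon asks for (domain controllers register these under the `_msdcs` subdomain in addition to the `_ldap._tcp.<domain>` record shown earlier), an ordering of the answers by priority and weight as RFC 2782 prescribes, and the commands used to check and re-register the records if they are missing (the second lab review question). The domain `corp.woodgrovebank.com`, the site `NYC` and the three domain controller names are assumptions; the sample SRV answers are constructed inline so the selection logic can be run without a live domain.

```powershell
# Added example, not from the course deck. Domain, site and host names are assumptions.
$Domain = 'corp.woodgrovebank.com'   # assumed AD DS domain name
$Site   = 'NYC'                      # assumed AD DS site name

# Net Logon asks for the site-specific locator record first, then the generic
# one. Both live under the _msdcs subdomain that every domain controller registers.
$LocatorNames = @(
    "_ldap._tcp.$Site._sites.dc._msdcs.$Domain",
    "_ldap._tcp.dc._msdcs.$Domain"
)

function Get-DcLocatorRecords {
    param([string[]]$Name)
    foreach ($n in $Name) {
        # Resolve-DnsName -Type SRV returns Priority, Weight, Port and NameTarget per answer
        Resolve-DnsName -Name $n -Type SRV -ErrorAction SilentlyContinue |
            Where-Object { $_.Type -eq 'SRV' } |
            Select-Object @{ n = 'Query'; e = { $n } }, Priority, Weight, Port, NameTarget
    }
}

function Select-SrvTargets {
    # Orders SRV answers as RFC 2782 describes: lowest priority first; within one
    # priority a weighted random order, so a weight of 200 takes the first slot
    # about twice as often as a weight of 100.
    param([object[]]$Records)
    $ordered = @()
    $groups = $Records | Group-Object Priority | Sort-Object { [int]$_.Name }
    foreach ($group in $groups) {
        $pool = [System.Collections.Generic.List[object]]::new()
        foreach ($rec in $group.Group) { $pool.Add($rec) }
        while ($pool.Count -gt 0) {
            $total = ($pool | Measure-Object -Property Weight -Sum).Sum
            $idx = 0
            if ($total -le 0) {
                $idx = Get-Random -Maximum $pool.Count    # all weights 0: uniform pick
            } else {
                $r = Get-Random -Minimum 1 -Maximum ($total + 1)
                $acc = 0
                for ($i = 0; $i -lt $pool.Count; $i++) {
                    $acc += $pool[$i].Weight
                    if ($acc -ge $r) { $idx = $i; break }
                }
            }
            $ordered += $pool[$idx]
            $pool.RemoveAt($idx)
        }
    }
    return $ordered
}

# Constructed sample answers (not real DNS data): two DCs share priority 0 with
# different weights; a third at priority 10 is used only if the first two fail.
$Sample = @(
    [pscustomobject]@{ Priority = 0;  Weight = 100; Port = 389; NameTarget = "nyc-dc1.$Domain" },
    [pscustomobject]@{ Priority = 0;  Weight = 200; Port = 389; NameTarget = "nyc-dc2.$Domain" },
    [pscustomobject]@{ Priority = 10; Weight = 100; Port = 389; NameTarget = "mia-dc1.$Domain" }
)
Select-SrvTargets -Records $Sample | Format-Table Priority, Weight, Port, NameTarget -AutoSize

# On a domain-joined host, use live answers instead of $Sample:
#   $live = Get-DcLocatorRecords -Name $LocatorNames
#   Select-SrvTargets -Records $live
# and compare with the DC that Net Logon itself selected:
#   nltest /dsgetdc:$Domain /force
# If a DC's records are missing or stale, re-register them from that DC with
#   nltest /dsregdns          (restarting the Netlogon service has the same effect)
# and confirm registration with
#   dcdiag /test:DNS /DnsRecordRegistration
```

The weighted selection matters operationally: giving a small branch DC a low weight (or a higher priority number) keeps most site-less lookups off it, while leaving it as a fallback. The `nltest` and `dcdiag` lines are the standard recovery path for deleted SRV records because the records are regenerated from the DC's own configuration, not restored from backup.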


</div>
<span class='text_page_counter'>(9)</span><div class='page_container' data-page=9>

Lesson 2: Configuring Active Directory Integrated Zones

• What Are Active Directory Integrated Zones?
• What Are Application Partitions in AD DS?
• Options for Configuring Application Partitions for DNS
• How Dynamic Updates Work
• How Secure Dynamic DNS Updates Work
• Demonstration: Configuring AD DS Integrated Zones



</div>
<span class='text_page_counter'>(10)</span><div class='page_container' data-page=10>

What Are Active Directory Integrated Zones?

<b>Active Directory integrated zones store DNS zone data in the Active Directory database rather than in zone files.</b>

<b>Benefits of using Active Directory integrated zones:</b>

• <b>Replicates DNS zone information using Active Directory replication</b> (no separate zone transfer configuration is needed)
• <b>Supports multiple master DNS servers</b> (every domain controller that runs DNS and holds the zone can accept updates)
• <b>Enhances security</b> (zone data is protected by AD DS replication security and per-record access control lists, and secure dynamic updates are available only for these zones)


</div>
<span class='text_page_counter'>(11)</span><div class='page_container' data-page=11>

What Are Application Partitions in AD DS?

<b>• A DNS zone can be stored in the domain partition or in an application partition</b>
<b>• Administrators can define the replication scope of custom application partitions</b>
<b>• DomainDnsZones and ForestDnsZones are default application partitions that store DNS-specific data</b>

(Figure: three domain controllers each hold the Domain, Config and Schema partitions; the App1 application partition replicates to two of them and App2 to only one, showing that an application partition has its own replication scope.)


</div>
<span class='text_page_counter'>(12)</span><div class='page_container' data-page=12>

Options for Configuring Application Partitions for DNS

<b>DNS information can be stored in a variety of application partitions.</b> The choice determines the replication scope of the zone data:

• <b>Domain partition</b> (Windows 2000 compatible): replicates to all domain controllers in the Active Directory domain, including domain controllers that do not run DNS
• <b>DomainDnsZones</b> application partition: replicates to all domain controllers that are DNS servers in the Active Directory domain
• <b>ForestDnsZones</b> application partition: replicates to all domain controllers that are DNS servers in the Active Directory forest
• <b>Custom application partition</b>: replicates to all domain controllers in the replication scope for the application partition, that is, only the domain controllers enlisted in that partition

(Figure: partitions held by a domain controller: Domain, Config, Schema, DomainDnsZones, ForestDnsZones and a custom application partition.)
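As an added example (not from the course deck), the PowerShell below inventories where each AD DS integrated zone is stored, flags zones still in the domain partition, creates a custom application partition, enlists a DNS server in it and moves a zone into it. It uses the DnsServer module that ships with the DNS Server role on Windows Server 2012 and later; the older `dnscmd` equivalents are noted in comments. The server name `NYC-DC1` is taken from the lab slide; the zone name `corp.woodgrovebank.com` and the partition name `BranchDnsZones` are assumptions.

```powershell
# Added example, not from the course deck. Zone and partition names are assumptions.
$DnsServer = 'NYC-DC1'                 # DC running the DNS Server role (lab name)
$Zone      = 'corp.woodgrovebank.com'  # assumed AD DS integrated zone
$Partition = 'BranchDnsZones'          # assumed custom application partition name

# 1. Where is every AD DS integrated zone stored today?
#    ReplicationScope values: Legacy = domain partition (all DCs in the domain),
#    Domain = DomainDnsZones, Forest = ForestDnsZones, Custom = named partition.
Get-DnsServerZone -ComputerName $DnsServer |
    Where-Object { $_.IsDsIntegrated } |
    Select-Object ZoneName, ReplicationScope, DirectoryPartitionName, DynamicUpdate |
    Format-Table -AutoSize

# 2. Flag zones still in the domain partition: that scope pushes zone data to
#    every DC in the domain, including DCs that are not DNS servers.
Get-DnsServerZone -ComputerName $DnsServer |
    Where-Object { $_.IsDsIntegrated -and $_.ReplicationScope -eq 'Legacy' } |
    ForEach-Object { Write-Warning "Zone $($_.ZoneName) is stored in the domain partition" }

# 3. Create a custom application partition and enlist this DNS server in it.
#    Only enlisted DCs receive the partition, so its replication scope is exactly
#    the set of servers you register. Repeat the Register step against each
#    other DC (with its own -ComputerName) that should hold a copy.
#    dnscmd equivalents: /CreateDirectoryPartition and /EnlistDirectoryPartition
Add-DnsServerDirectoryPartition      -ComputerName $DnsServer -Name $Partition
Register-DnsServerDirectoryPartition -ComputerName $DnsServer -Name $Partition

# 4. Move the zone into the custom partition. Run this against one DNS server
#    only and let AD DS replication carry the change to the other enlisted DCs.
#    dnscmd equivalent: /ZoneChangeDirectoryPartition
Set-DnsServerPrimaryZone -ComputerName $DnsServer -Name $Zone `
    -ReplicationScope Custom -DirectoryPartitionName $Partition

# 5. Verify on this server; then repeat the same Get-DnsServerZone call against
#    each enlisted DC to confirm the zone arrived and against a non-enlisted DC
#    to confirm it did not.
Get-DnsServerZone -ComputerName $DnsServer -Name $Zone |
    Select-Object ZoneName, ReplicationScope, DirectoryPartitionName
```

Custom partitions answer the first lab review question: a zone needed only by a subset of DNS servers (for example, branch offices) can be replicated to exactly those servers instead of to every DNS server in the domain or forest, which both reduces replication traffic and limits where the zone's records, and the ACLs on them, can be read or changed.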


</div>
<span class='text_page_counter'>(13)</span><div class='page_container' data-page=13>

How Dynamic Updates Work

(Figure: a Windows Server 2008 DNS server holding the resource records, with Windows Vista and Windows XP clients registering.)

<b>1. Client sends SOA query</b> (to find the zone, and the server that is authoritative, for its own name)
<b>2. DNS server sends zone name and server IP address</b>
<b>3. Client verifies existing registration</b> (queries for its own name to see whether a record is already present)
<b>4. DNS server responds by stating that registration does not exist</b>
<b>5. Client sends dynamic update to DNS server</b>




</div>
<span class='text_page_counter'>(14)</span><div class='page_container' data-page=14>

How Secure Dynamic DNS Updates Work

1. Find authoritative server (SOA query) → Result
2. Attempt nonsecure update → Refused
3. Secure update negotiation (TKEY with GSS-TSIG, using the client's Kerberos credentials) → Accepted

<i><b>A secure dynamic update is accepted only if the client has the proper credentials to make the update.</b></i> Windows clients send the unauthenticated update first and fall back to the secure negotiation only when the server refuses it; a zone configured to accept "Nonsecure and secure" updates therefore accepts the first attempt from any host, and the secure path is never exercised.


</div>
<span class='text_page_counter'>(15)</span><div class='page_container' data-page=15>

Demonstration: Configuring AD DS Integrated Zones

In this demonstration, you will see how to configure:

• A DNS zone as AD DS integrated
• Dynamic updates on DNS zones
• Dynamic update settings on a network connection
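The following PowerShell is an added example (not the course's own demonstration) covering the three demonstration items and the weak-versus-hardened dynamic update settings from the previous slides: it audits the dynamic update mode of every primary zone, converts a file-backed zone to AD DS integrated, sets the zone to accept only secure updates, inspects who holds write access to a record object, and reads and sets the per-connection registration setting on a client. It uses the DnsServer, DnsClient and ActiveDirectory modules. The server name `NYC-DC1` is from the lab slide; the zone `corp.woodgrovebank.com`, the record name `nyc-ws01`, the assumption that the zone is stored in DomainDnsZones, and the interface alias `Ethernet` are illustrative.

```powershell
# Added example, not from the course deck. Zone, record and interface names are assumptions.
$DnsServer = 'NYC-DC1'
$Zone      = 'corp.woodgrovebank.com'

# DynamicUpdate is one of: None, NonsecureAndSecure, Secure.
# NonsecureAndSecure accepts the client's first, unauthenticated attempt from any
# host that can reach port 53, so the GSS-TSIG negotiation never happens and any
# host can overwrite any record. Auto-created zones (TrustAnchors, 0.in-addr.arpa
# and friends) are skipped.
Get-DnsServerZone -ComputerName $DnsServer |
    Where-Object { $_.ZoneType -eq 'Primary' -and -not $_.IsAutoCreated } |
    Select-Object ZoneName, IsDsIntegrated, DynamicUpdate |
    Format-Table -AutoSize

# Demonstration item 1: make a file-backed primary zone AD DS integrated.
# Secure dynamic update is only offered for AD DS integrated zones, because the
# server authorizes updates with the ACL on each record object in AD DS.
ConvertTo-DnsServerPrimaryZone -ComputerName $DnsServer -Name $Zone -ReplicationScope Domain -Force

# Demonstration item 2: dynamic updates on the zone.
# Weak setting (what a freshly converted or misconfigured zone often has):
#   Set-DnsServerPrimaryZone -ComputerName $DnsServer -Name $Zone -DynamicUpdate NonsecureAndSecure
# Hardened setting:
Set-DnsServerPrimaryZone -ComputerName $DnsServer -Name $Zone -DynamicUpdate Secure

# Report anything that is still not Secure after the change.
Get-DnsServerZone -ComputerName $DnsServer |
    Where-Object { $_.ZoneType -eq 'Primary' -and -not $_.IsAutoCreated -and $_.DynamicUpdate -ne 'Secure' } |
    ForEach-Object { Write-Warning "$($_.ZoneName): DynamicUpdate is $($_.DynamicUpdate)" }

# Who may change a record? With secure updates the account that registered the
# record (normally the computer account) is granted write access to its own
# dnsNode object, which is what stops one host from overwriting another's name.
# Assumes the zone lives in DomainDnsZones; requires the ActiveDirectory module.
$ZoneDn = "DC=$Zone,CN=MicrosoftDNS,DC=DomainDnsZones," + (Get-ADDomain).DistinguishedName
(Get-Acl -Path "AD:\DC=nyc-ws01,$ZoneDn").Access |
    Where-Object { $_.ActiveDirectoryRights -match 'Write|GenericAll' } |
    Select-Object IdentityReference, ActiveDirectoryRights

# Demonstration item 3: "Register this connection's addresses in DNS" on a client.
Get-DnsClient | Select-Object InterfaceAlias, RegisterThisConnectionsAddress, UseSuffixWhenRegistering
Set-DnsClient -InterfaceAlias 'Ethernet' -RegisterThisConnectionsAddress $true
ipconfig /registerdns   # force an immediate re-registration

# To stop clients from sending the unauthenticated attempt at all, set the
# DNS Client group policy "Update Security Level" to "Only secure", which writes
# HKLM\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient\UpdateSecurityLevel = 256.
```

Run the audit against every DNS server, not just one: the `DynamicUpdate` setting is a property of the zone object and replicates with it, but file-backed zones and standalone servers are configured individually and are the usual place where the nonsecure setting survives.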



</div>
<span class='text_page_counter'>(16)</span><div class='page_container' data-page=16>

How Background Zone Loading Works

<b>When a domain controller with Active Directory integrated DNS zones starts, it:</b>

• <b>Enumerates all zones to be loaded</b>
• <b>Loads root hints from files or AD DS servers</b>
• <b>Loads all zones that are stored in files rather than in AD DS</b>
• <b>Begins responding to queries and RPCs</b>
• <b>Loads the AD DS integrated zones on background threads</b>; a query for a name in a zone that has not finished loading is answered by reading that record directly from AD DS


</div>
<span class='text_page_counter'>(17)</span><div class='page_container' data-page=17>

Lesson 3: Configuring Read-Only DNS

• What Is Read-Only DNS?
• How Read-Only DNS Works



</div>
<span class='text_page_counter'>(18)</span><div class='page_container' data-page=18>

What Is Read-Only DNS?

• <b>A feature supported on read-only domain controllers (RODCs)</b>
• <b>All application partitions containing DNS information are replicated to the RODC</b>

<b>Benefits:</b>

• <b>DNS information required for Active Directory name resolution is available for clients in the same site as the RODC</b>


</div>
<span class='text_page_counter'>(19)</span><div class='page_container' data-page=19>

How Read-Only DNS Works

<b>Read-only DNS is installed on an RODC when AD DS is installed and the DNS option is selected.</b>

• <b>1. Read-only DNS zone data can be viewed, but cannot be updated</b>
• <b>2. Clients that attempt a dynamic DNS update against the RODC are referred to a DNS server that holds a writable copy of the zone</b>; once that server accepts the update, the RODC requests the changed record from a writable domain controller so that its own copy is brought up to date
• <b>3. Records cannot be manually added to the read-only zone</b>
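As an added example (not from the course deck), the PowerShell below verifies the three behaviours on the slide against the lab machines: zones on the RODC report as read-only, a manual record add is rejected on the RODC but succeeds on the writable DC, the SOA the RODC hands out names a writable DNS server (the referral that dynamic update clients follow), and the RODC picks up the new record afterwards. Server names `MIA-RODC` and `NYC-DC1` come from the lab slide; the zone `corp.woodgrovebank.com`, the host `mia-ws01` and its address are assumptions, as is the `IsReadOnly` zone property used in the first step.

```powershell
# Added example, not from the course deck. Zone and host names are assumptions.
$Rodc       = 'MIA-RODC'
$WritableDc = 'NYC-DC1'
$Zone       = 'corp.woodgrovebank.com'

# 1. Zones on the RODC are AD DS integrated replicas that cannot be edited there.
Get-DnsServerZone -ComputerName $Rodc |
    Where-Object { $_.IsDsIntegrated } |
    Select-Object ZoneName, ZoneType, IsReadOnly, ReplicationScope |
    Format-Table -AutoSize

# 2. A manual add on the RODC is refused; the same add on a writable DC works.
try {
    Add-DnsServerResourceRecordA -ComputerName $Rodc -ZoneName $Zone `
        -Name 'mia-ws01' -IPv4Address '10.20.0.50' -ErrorAction Stop
} catch {
    Write-Warning "RODC refused the write as expected: $($_.Exception.Message)"
}
Add-DnsServerResourceRecordA -ComputerName $WritableDc -ZoneName $Zone `
    -Name 'mia-ws01' -IPv4Address '10.20.0.50'

# 3. Dynamic update clients discover where to send their update from the zone's
#    SOA record. The RODC answers with a writable DNS server as the primary
#    server; that is the referral described on the slide.
Resolve-DnsName -Server $Rodc -Name $Zone -Type SOA |
    Where-Object { $_.Type -eq 'SOA' } |
    Select-Object Name, PrimaryServer

# 4. After the writable DC accepts the update, confirm the RODC has pulled the
#    record. The RODC requests the single changed object from a writable DC
#    instead of waiting for the next scheduled replication cycle.
Resolve-DnsName -Server $Rodc -Name "mia-ws01.$Zone" -Type A -ErrorAction SilentlyContinue |
    Select-Object Name, IPAddress
```

If step 4 returns nothing, check that the RODC has a replication connection to a writable DC running Windows Server 2008 or later and that the branch firewall allows the AD DS replication traffic; a branch that only permits DNS to the RODC will resolve names but never see new registrations until the next scheduled replication.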



</div>
<span class='text_page_counter'>(20)</span><div class='page_container' data-page=20>

Discussion: Comparing DNS Options for Branch Offices

What options other than read-only DNS are available for implementing DNS in the branch office?



</div>
<span class='text_page_counter'>(21)</span><div class='page_container' data-page=21>

Lab: Configuring AD DS and DNS Integration

• Exercise 1: Configuring Active Directory Integrated Zones
• Exercise 2: Configuring Read-Only DNS Zones

Logon information

Virtual machine: <b>NYC-DC1, MIA-RODC</b>
User name: <b>Administrator</b>
Password: <b>Pa$$w0rd</b>



</div>
<span class='text_page_counter'>(22)</span><div class='page_container' data-page=22>

Lab Review

• What would be the advantage of storing the Active Directory integrated DNS zones in a custom application partition instead of the default partitions?
• What steps could you take to recover the SRV resource records if they were deleted or corrupted?



</div>
<span class='text_page_counter'>(23)</span><div class='page_container' data-page=23>

Module Review and Takeaways



Review questions



</div>
<span class='text_page_counter'>(24)</span><div class='page_container' data-page=24>

Beta Feedback Tool

Beta feedback tool helps:

• Collect student roster information, module feedback, and course evaluations.
• Identify and sort the changes that students request, thereby facilitating a quick team triage.
• Save data to a database in SQL Server that you can later query.


</div>
<span class='text_page_counter'>(25)</span><div class='page_container' data-page=25>

Beta Feedback

<b>Overall flow of module:</b>

• Which topics did you think flowed smoothly from topic to topic?
• Was something taught out of order?

<b>Pacing:</b>

• Were you able to keep up? Are there any places where the pace felt too slow?
• Were you able to process what the instructor said before moving on to the next topic?
• Did you have ample time to reflect on what you learned? Did you have time to formulate and ask questions?

<b>Learner activities:</b>

• Which demos helped you learn the most? Why do you think that is?
• Did the lab help you synthesize the content in the module? Did it help you to understand how you can use this knowledge in your work environment?
• Were there any discussion questions or reflection questions that really made you think? Were there questions you


</div>
