Module 5: Integrating Domain Name System and Active Directory

Transcription

1 Module 5: Integrating Domain Name System and Active Directory Contents Overview 1 Lesson: Configuring Active Directory Integrated Zones 2 Lesson: Configuring DNS Dynamic Updates 14 Lesson: Understanding How Active Directory Uses DNS 26 Lab: Integrating DNS and Active Directory 35

2 Information in this document, including URL and other Internet Web site references, is subject to change without notice. Unless otherwise noted, the example companies, organizations, products, domain names, addresses, logos, people, places, and events depicted herein are fictitious, and no association with any real company, organization, product, domain name, address, logo, person, place or event is intended or should be inferred. Complying with all applicable copyright laws is the responsibility of the user. Without limiting the rights under copyright, no part of this document may be reproduced, stored in or introduced into a retrieval system, or transmitted in any form or by any means (electronic, mechanical, photocopying, recording, or otherwise), or for any purpose, without the express written permission of Microsoft Corporation. The names of manufacturers, products, or URLs are provided for informational purposes only and Microsoft makes no representations and warranties, either expressed, implied, or statutory, regarding these manufacturers or the use of the products with any Microsoft technologies. The inclusion of a manufacturer or product does not imply endorsement of Microsoft of the manufacturer or product. Links are provided to third party sites. Such sites are not under the control of Microsoft and Microsoft is not responsible for the contents of any linked site or any link contained in a linked site, or any changes or updates to such sites. Microsoft is not responsible for webcasting or any other form of transmission received from any linked site. Microsoft is providing these links to you only as a convenience, and the inclusion of any link does not imply endorsement of Microsoft of the site or the products contained therein. Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this document. Except as expressly provided in any written license agreement from Microsoft, the furnishing of this document does not give you any license to these patents, trademarks, copyrights, or other intellectual property Microsoft Corporation. All rights reserved. Microsoft, Active Directory, PowerPoint, Windows, Windows Media, Windows NT, and Windows Server are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries. All other trademarks are property of their respective owners.

3 Module 5: Integrating Domain Name System and Active Directory iii Instructor Notes Presentation: 120 minutes Lab: 20 minutes This module provides students with the ability to manage integration between Active Directory directory service and Domain Name System (DNS). After completing this module, students will be able to:! Describe how Active Directory integrated zones function.! Configure DNS to support dynamic updates.! Explain how Active Directory uses DNS. Required materials To teach this module, you need the following materials:! Microsoft Office PowerPoint file 2277c_05.ppt! The multimedia presentation Overview of DNS Dynamic Updates Important It is recommended that you use PowerPoint 2002 or later to display the slides for this course. If you use PowerPoint Viewer or an earlier version of PowerPoint, some features of the slides may not be displayed correctly. Preparation Tasks To prepare for this module:! Read all of the materials for this module.! Complete the practices and lab.! Review the multimedia presentation Overview of DNS Dynamic Updates.! Review prerequisite courses and modules.

4 iv Module 5: Integrating Domain Name System and Active Directory How to Teach This Module Practices and Labs Practices Labs This section contains information that will help you to teach this module. Explain to the students how the practices and labs are designed for this course. A module includes two or more lessons. Most lessons include a practice. After completing all of the lessons for a module, students finish the module with a lab. This course does not include instructor demonstrations, but you should demonstrate many of the administrative tasks as you teach them. After you have covered the contents of the lesson, explain that a practice will give students a chance for hands-on learning of all the tasks discussed in the lesson. At the end of each module, the lab enables the students to practice the tasks that are discussed and applied in the module. Using scenarios that are relevant to the job role, the lab gives students a set of instructions in a two-column format. The left column provides the task (for example, Create a group ). In the right column are specific instructions that the students will need to perform the task (for example, From Active Directory Users and Computers, double-click the domain node ). An answer key for each lab exercise is located on the Student Materials CD, in case the students need step-by-step instructions to complete the lab. They can also refer to the practices and How To pages in the module.

5 Module 5: Integrating Domain Name System and Active Directory v Lesson: Configuring Active Directory Integrated Zones Active Directory Integrated Zones This section describes the instructional methods for teaching this lesson.! Briefly describe the benefits of Active Directory integrated zones.! Describe Active Directory features in relation to data storage.! Describe Active Directory replication.! Explain the requirements for Active Directory integrated zones. Why Use Active Directory Integrated Zones? Replicating Active Directory Integrated Zones DNS and Active Directory Partitions Configuring DNS to Use Active Directory Partitions Practice: Creating Active Directory Integrated Zones! Review standard zone transfer topology.! Explain Active Directory replication topology.! Compare standard zone replication to Active Directory replication.! Describe intrasite replication.! Describe intersite replication.! Explain that application partitions can be used to store data for network applications.! Describe the default Active Directory partitions.! Describe the new application partitions for DNS in Microsoft Windows Server 2003.! Explain that applications partitions are available only in Windows Server 2003.! Demonstrate how to create new application partitions.! Describe the replication scope available to DNS in Windows Server 2003 for Active Directory integrated zones.! Explain which systems receive a copy of the zones.! Direct the students to complete the following practice tasks: Create an Active Directory integrated zone. Change the replication scope of an Active Directory integrated zone. Create an application directory partition.! Reconvene class after all students have completed the practice and discuss the results of the practice.

6 vi Module 5: Integrating Domain Name System and Active Directory Lesson: Configuring DNS Dynamic Updates Multimedia: Overview of DNS Dynamic Updates This section describes the instructional methods for teaching this multimedia presentation.! The multimedia files are installed on the instructor computer. To open a multimedia presentation, click the animation icon on the slide for that multimedia presentation.! Explain that this multimedia presentation provides a visual and high-level overview of DNS dynamic updates, the difference between manual and dynamic updates, and how Dynamic Host Configuration Protocol (DHCP) interoperates with DNS. Details are provided in the topic and How To pages.! Estimated time required for the multimedia presentation is five minutes. What Are Dynamic Updates? How DNS Clients Register Resource Records How DHCP Servers Register Resource Records How Active Directory Integrated DNS Zones Use Secure Dynamic Updates Practice: Configuring DNS Dynamic Updates! Define dynamic update and manual update.! Explain the purpose of dynamic updates.! Discuss circumstances in which it may be necessary to manually configure dynamic updates.! Discuss types of DNS clients that can dynamically register and update resource records.! Describe the process of dynamically updating DNS clients. Refer to the illustrations in the slide.! Define downlevel client.! Explain the purpose of using a DHCP server to perform DNS dynamic updates.! Discuss types of DHCP clients that can dynamically register and update resource records.! Describe the process of dynamically updating downlevel clients. Refer to the illustrations in the slide.! Describe the process of dynamically updating Microsoft Windows XP clients.! Define secure dynamic update.! Explain the purpose of secure dynamic updates.! Explain the difference between nonsecure and secure-only dynamic updates.! Describe the sequence of events in the secure dynamic update process. This topic has a detailed animated slide, so be sure to review the slide prior to class.! Direct the students to complete the following practice tasks: Verify secure dynamic updates. Verify dynamic update settings in DNS.! Reconvene class after all students have completed the practice and discuss the results of the practice.

7 Module 5: Integrating Domain Name System and Active Directory vii Lesson: Understanding How Active Directory Uses DNS What Are Service Locator Records? This section describes the instructional methods for teaching this lesson.! Explain situations in which computers reference service locator (SRV) records.! Describe the SRV record format.! Give an example of an SRV record. How SRV Records Are Registered How Domain Controllers Are Located Locating Domain Controllers in the Closest Site Practice: Understanding How Active Directory Uses DNS! Explain that the Net Logon service is responsible for registering SRV records for domain controllers.! Discuss the Netlogon.dns file.! Discuss the records that are registered by domain controllers.! Provide examples of SRV records that are registered by domain controllers.! Briefly describe the purpose of the locator.! Explain that the locator is used to locate domain controllers by using DNS and network basic input/output system (NetBIOS).! Explain that the locator is responsible for gathering client information and passing it to the Net Logon service.! Describe the process for locating a domain controller.! Explain situations in which clients might contact a domain controller that is not in an optimal site.! Describe the process for determining whether a domain controller is in an optimal site.! Direct the students to complete the following practice tasks: Examine the Netlogon.dns file. Verify SRV records.! Reconvene class after all students have completed the practice and discuss the results of the practice. Lab: Integrating DNS and Active Directory Remind the students that they can review the module for assistance in completing the lab. Tell students that a detailed answer key for each lab is provided in the Labdocs folder on the Student Materials CD.

8

9 Module 5: Integrating Domain Name System and Active Directory 1 Overview *****************************ILLEGAL FOR NON-TRAINER USE****************************** Introduction Objectives The Active Directory directory service stores information about network resources such as users, computers, and shared resources. It provides networks with security and authentication services as well as a searchable directory that is used to locate resources on the network. Active Directory requires a Domain Name System (DNS) infrastructure to allow users and computers to locate the physical components of Active Directory, such as domain controllers. Because Active Directory relies on DNS and will not function properly without it, you must give special attention to your DNS infrastructure to ensure the proper operation of Active Directory. Additionally, several enhancements have been made to DNS, allowing it to take advantage of your Active Directory environment to streamline replication and increase security. After completing this module, you will be able to:! Describe how Active Directory integrated zones function.! Configure DNS to support dynamic updates.! Explain how Active Directory uses DNS.

10 2 Module 5: Integrating Domain Name System and Active Directory Lesson: Configuring Active Directory Integrated Zones *****************************ILLEGAL FOR NON-TRAINER USE****************************** Introduction Lesson objectives Active Directory can be used to store DNS zones. This allows the DNS service to take advantage of the Active Directory environment for security and replication services. Active Directory integrated zones can take advantage of the advanced replication topology provided by Active Directory. The Active Directory replication topology is fault-tolerant and resilient. After completing this lesson, you will be able to:! Define Active Directory integrated zones.! List valid reasons for using Active Directory integrated zones.! Describe the process of Active Directory integrated zone replication.! Explain the concept of Active Directory partitions.! Explain how DNS uses Active Directory partitions.! Configure Active Directory integrated zones.

11 Module 5: Integrating Domain Name System and Active Directory 3 Active Directory Integrated Zones *****************************ILLEGAL FOR NON-TRAINER USE****************************** Introduction Requirements for Active Directory integrated zones Active Directory integrated zones store DNS data in the Active Directory database rather than in a standard zone file. Storing zones in this manner allows an administrator to take advantage of the Active Directory topology to manage zone replication. Active Directory integrated DNS zones must be hosted on domain controllers running Microsoft Windows 2000 Server or Microsoft Windows Server Domain controllers may also host other types of zones, such as standard primary and standard secondary zones. Domain controllers can host a copy of an Active Directory integrated zone even if they do not have the DNS service installed; however, they cannot provide DNS name resolution services. Member servers cannot host Active Directory integrated zones because they host no copy of Active Directory. However, member servers that have the DNS service installed may replicate a secondary zone by using a domain controller as their replication master. This replication uses standard zone transfers. Note For more information on the features and benefits of Active Directory, see Introduction to Active Directory in Windows Server 2003 Help and Support..

12 4 Module 5: Integrating Domain Name System and Active Directory Why Use Active Directory Integrated Zones? *****************************ILLEGAL FOR NON-TRAINER USE****************************** Introduction Standard zone topology Active Directory integrated zone topology Active Directory integrated zones enhance DNS replication by relying on the Active Directory replication topology, which provides a resilient and efficient DNS environment. Standard zone replication uses a single master topology. One DNS server hosts a primary zone, and other DNS servers can be configured to host a secondary zone. The primary zone is the only writable version of the zone information. Secondary zones contain a read-only copy of the zone. Servers hosting a secondary zone replicate zone information from the master server. The master server can be a server that hosts the primary zone or a secondary zone. Administrators manually define master servers. In a standard zone replication topology, if the server acting as a master server fails, servers that are configured to replicate zone information from that server will no longer receive zone updates. An administrator must manually repair the error or redefine the zone transfer topology to ensure that name resolution continues without interruption. Additionally, if the DNS server that hosts the primary zone fails, no modifications can be made to the zone. When you use integrated zones in Active Directory, the zone transfer process is replaced by Active Directory replication. The DNS replication topology does not need to be manually defined, because Active Directory generates the replication topology automatically. If a single server fails, Active Directory will replicate with a more suitable partner. As more domain controllers are added to the network that host the Active Directory integrated zone, the domain controllers are automatically made a part of the replication topology. Additionally, because Active Directory is a multimaster environment, updates to the zone can occur on any server that hosts the Active Directory integrated zone. A single server failure will not prevent updates as long as more than one domain controller hosts a copy of the zone. Active Directory integrated zones provide better security than standard zones. Active Directory replication is encrypted, and security is added to the Active Directory integrated zones to control who modifies zone data.

13 Module 5: Integrating Domain Name System and Active Directory 5 Replicating Active Directory Integrated Zones *****************************ILLEGAL FOR NON-TRAINER USE****************************** Introduction Active Directory replication topology Replication for Active Directory integrated zones is accomplished through the Active Directory replication process. With Active Directory replication, an administrator can control replication by implementing Active Directory sites. Active Directory replication occurs at the attribute level, which helps to reduce overall replication traffic on the network. The replication process for Active Directory varies depending on whether the replication needs to occur within a site (intrasite replication) or between sites (intersite replication). When you use Active Directory integrated zones, the zone data is replicated along with other Active Directory changes, as they occur. This replication process is encrypted. Active Directory replication is fault-tolerant and resilient. Domain controllers host Active Directory and participate in Active Directory replication. Internal processes on domain controllers determine how Active Directory replication occurs. This includes choosing replication partners based on the organization of the (site) topology. This process is dynamic, which means that as new domain controllers are added to or removed from the network, the replication topology automatically self-adjusts to ensure that replication of Active Directory data continues.

14 6 Module 5: Integrating Domain Name System and Active Directory The following list describes Active Directory replication:! All information replicated between domain controllers is secure and encrypted.! Active Directory replication uses multimaster replication. This is a replication model in which any domain controller accepts and replicates directory changes to any other domain controller. This model differs from other replication models, in which one computer stores the single modifiable copy of the directory and other computers store backup copies.! Active Directory replication can take advantage of network topology. An administrator can create sites in Active Directory. A site is defined as one or more well-connected Internet Protocol (IP) subnets. These sites allow Active Directory to make efficient replication decisions. Replication within a site happens frequently, but it may consume more bandwidth than replication between sites.! Replication between sites can be scheduled and is compressed, which allows an administrator to control traffic over potentially saturated wide area network (WAN) links.

15 Module 5: Integrating Domain Name System and Active Directory 7 DNS and Active Directory Partitions *****************************ILLEGAL FOR NON-TRAINER USE****************************** Introduction Default Active Directory partitions The Active Directory database is divided into several directory partitions. Each directory partition is replicated to specific domain controllers. Additional application directory partitions can be created to store information for network applications and services such as DNS. By default, Active Directory contains three directory partitions: the schema, the configuration, and the domain partition. The default directory partitions are described in the following list. Note Application partitions are a feature of Windows Server Domain controllers running Window 2000 Server cannot participate in the replication of application partitions.! The schema partition contains information on what types of objects can be created in Active Directory. It is replicated to all domain controllers that are in the Active Directory forest. DNS zones cannot be stored as part of the schema partition.! The configuration partition contains Active Directory configurations information such as sites and site links. The partition is replicated to all domain controllers in the Active Directory forest. DNS zones cannot be stored as part of the configuration partition.! The domain partition contains domain objects such as users and computers. There is one domain partition per domain. It is replicated to all domain controllers in a given domain. DNS zones can be stored as part of the domain partition.

16 8 Module 5: Integrating Domain Name System and Active Directory Default DNS application partitions Creating new application partitions When implementing a new Active Directory forest on Windows Server 2003, you have the option to install DNS as part of the Active Directory installation. During this process, two default application partitions are created: the domaindnszones application partition and the forestdnszones application partition. Windows Server 2003 domain controllers within a domain that has the DNS service installed automatically receive a copy of the domaindnszones application partition. All Windows Server 2003 domain controllers within the forest, if they have the DNS service installed, receive a copy of the forestdnszones application partition. If DNS has already been implemented in your environment and you use the existing DNS servers for Active Directory, the default application partitions will not be created during Active Directory installation. You can create these partitions on a computer running Windows Server 2003 by using the DNS console. Additional application partitions can be created and used to store information. When you create an application partition, you must define which domain controllers in the forest will participate in its replication. You can create application partitions and enlist servers to replicate application partitions by using the Dnscmd.exe Windows support tool or by using the Ntdsutil.exe Active Directory command-line management tool.

17 Module 5: Integrating Domain Name System and Active Directory 9 Configuring DNS to Use Active Directory Partitions *****************************ILLEGAL FOR NON-TRAINER USE****************************** Introduction Defining the replication scope When choosing to use Active Directory integrated zones, you can control which domain controllers receive a zone by using Active Directory partitions. You can define which domain controllers within your Active Directory forest receive a copy of a given application partition. This helps reduce replication traffic by allowing Active Directory to replicate the zone data only to domain controllers that require the information. You can define the replication scope when you create an Active Directory integrated zone, or you can change the scope later. The replication scope options available are as follows:! To all DNS servers in the Active Directory forest. When you select this option, the zone is stored in the forestdnszones application partition. All domain controllers in the forest, if they have DNS installed, receive a copy of the zone. This configuration is recommended for zones that need to be accessed throughout the Active Directory forest by all clients. For example, the _msdcs zone includes information about global catalog servers and domain controllers that may be required by hosts anywhere in the forest. This zone should be stored in the forestdnszones partition if your forest includes multiple domains and locations.! To all DNS servers in the Active Directory domain. When you select this option, the zone is stored in the domaindnszones application partition. Only domain controllers in the same domain, with the DNS service installed, receive a copy of the zone.

18 10 Module 5: Integrating Domain Name System and Active Directory! To all domain controllers in the Active Directory domain. When you select this option, the zone is stored as part of the domain partition. All domain controllers in the domain receive a copy of the zone, even if they do not have the DNS service installed. This may cause unwanted replication traffic. Domain controllers running Windows 2000 Server and Windows Server 2003 can participate in the replication of zones stored as part of the domain partition.! To all domain controllers specified in the replication scope of the following application directory partition. When you select this option, domain controllers that are enlisted to receive a copy of the application partition will receive a copy of the zone. You must create the application partition in advance.

19 Module 5: Integrating Domain Name System and Active Directory 11 Practice: Configuring Active Directory Integrated Zones *****************************ILLEGAL FOR NON-TRAINER USE****************************** Objective Instruction Practice In this practice, you will:! Create an Active Directory integrated zone.! Change the replication scope of an Active Directory integrated zone.! Create an application directory partition. Ensure that the DEN-DC1 and DEN-SRV1 virtual machines are started.! Prepare for this practice 1. Log on to DEN-DC1 and DEN-SRV1 as Contoso\Administrator, with a password of Pa$$w0rd. 2. On DEN-SRV1, click Start and then click Run. 3. In the Open box, type \\DEN-DC1\Mod05\InstallDC.bat and then click OK. Click Run at the Open File Security Warning. Active Directory will be installed on DEN-SRV1. DEN-SRV1 will become a domain controller in a new child domain named Training.contoso.msft. After the process is complete, the server should restart. This process should take about 10 minutes.! Create an Active Directory integrated zone 1. On DEN-DC1, click Start, point to Administrative Tools, and then click DNS. 2. In the DNS console tree, expand DEN-DC1 and then expand Forward Lookup Zones. 3. Right-click Forward Lookup Zones, click New Zone, and then click Next. 4. Ensure that Primary Zone and Store this zone in Active Directory are selected and then click Next.

20 12 Module 5: Integrating Domain Name System and Active Directory 5. Ensure that To all domain controllers in the Active Directory domain contoso.msft is selected and then click Next. 6. In the Zone name field, type test.msft and then click Next. 7. Click Next and then click Finish.! Change the replication scope of an Active Directory integrated zone 1. On DEN-SRV1, log off and then log on as Contoso\Administrator, with a password of Pa$$w0rd. 2. Click Start, point to Administrative Tools, and then click DNS. 3. In the DNS console tree, expand DEN-SRV1 and then expand Forward Lookup Zones. Do you see the zone test.msft? Why or why not? No, it has not been replicated. 4. Right-click DEN-SRV1 and then click Create Default Application Directory Partitions. 5. Click Yes. If a warning message appears, click Yes. 6. Click Forward Lookup Zones. Do you see the zone test.msft? Why or why not? No, it is configured to replicate only to the domain controllers in the Contoso.msft domain. 7. On DEN-DC1, from the DNS console tree, right-click Test.msft and then click Properties. 8. On the General tab, beside Replication, click Change to change the replication scope. 9. Click To all DNS servers in the Active Directory forest Contoso.msft and then click OK. Click OK again. 10. On DEN-DC1, click Start, point to Administrative Tools, and then click Active Directory Sites and Services. 11. In the console tree, expand Sites, expand Default-First-Site-Name, expand Servers, expand DEN-SRV1, and then click NTDS Settings. 12. In the details pane, right-click the connection object for DEN-DC1 and then click Replicate Now. Click OK. Note If the connection object is not present, right-click NTDS Settings, point to All Tasks, and then click Check Replication Topology. Refresh the view. You may have to wait a few minutes for the connection object to appear. 13. From the DNS console tree, right-click Forward Lookup Zones and then click Refresh. Do you see the zone test.msft? Why or why not? Yes, the zone has been replicate to DEN-SRV1 as part of the ForestDNSZones partition.

21 Module 5: Integrating Domain Name System and Active Directory 13! Create an application directory partition 1. On DEN-DC1, click Start, point to All Programs, point to Windows Support Tools, and then click Command Prompt. 2. At the command prompt, type dnscmd.exe /enumdirectorypartitions and then press ENTER. For which directory partition is DEN-DC1 enlisted? DomainDNSZones.contoso.msft, ForestDNSZones.contoso.msft 3. At the command prompt, type dnscmd.exe /createdirectorypartition testdnszones.contoso.msft and then press ENTER. 4. At the command prompt, type dnscmd.exe /enumdirectorypartitions. For which directory partition is DEN-DC1 enlisted? DomainDNSZones.contoso.msft, ForestDNSZones.contoso.msft, testdnszones.contoso.msft Note After creating the application directory partition, you can configure DNS zones so that the data is stored in the partition, or you can store other application data in the partition. In the lab for this module, you will configure a DNS zone so that the data is stored in an application directory partition.! Prepare for the next practice 1. Ensure that the DEN-DC1 and DEN-SRV1 virtual machines are started. 2. Start the DEN-CL1 virtual machine.

22 14 Module 5: Integrating Domain Name System and Active Directory Lesson: Configuring DNS Dynamic Updates *****************************ILLEGAL FOR NON-TRAINER USE****************************** Introduction Lesson objectives Because DNS is the primary name resolution mechanism for Active Directory networks, it is important to make sure that all DNS data is up to date so that users can reliably access resources. Maintaining DNS records manually is labor intensive and difficult to manage consistently. Securing zone data against unauthorized modification is also important to administrators who maintain network reliability. DNS dynamic updates can support these objectives. After completing this lesson, you will be able to:! Understand the purpose of dynamic updates.! Explain how DNS dynamic updates function.! Explain how DNS clients register and update their resource records by using dynamic update.! Explain how DHCP Servers register and update resource records by using dynamic update.! Describe how Active Directory integrated DNS zones use secure dynamic updates.! Configure Active Directory integrated DNS zones to use secure dynamic updates.

23 Module 5: Integrating Domain Name System and Active Directory 15 Multimedia: Overview of DNS Dynamic Updates *****************************ILLEGAL FOR NON-TRAINER USE****************************** File location Key points To start the Overview of DNS Dynamic Updates presentation, open the Web page on the Student Materials CD, click Multimedia, and then click the title of the presentation. While you watch the multimedia presentation, the following key points will be introduced:! For users to successfully access DNS resources, it is vital that DNS resource records reflect the current Transmission Control Protocol/Internet Protocol (TCP/IP) configuration of both server computers and client computers.! DNS resource records can be updated either by the DNS clients themselves or by DHCP on behalf of the clients.! Various types of DNS resource records, such as host (A) records and pointer (PTR) records, provide DNS clients with various types of information.! You can use a manual update process to add and update DNS resource records, or you can enable client computers to dynamically update and maintain their own resource records in DNS.! Secure dynamic update is a secure way to update DNS resource records.

24 16 Module 5: Integrating Domain Name System and Active Directory What Are Dynamic Updates? *****************************ILLEGAL FOR NON-TRAINER USE****************************** Introduction Purpose of dynamic updates DNS resource records can be created, registered, and updated in the DNS database in two ways: through dynamic updates and through manual updates. A dynamic update is the process of a DNS client dynamically creating, registering, or updating its records in zones that are maintained by DNS servers that can accept and process messages for dynamic updates. A manual update is the process of an administrator manually creating, registering, or updating the resource record. The process of manually updating client resource records requires too much effort in large organizations that have continuous changes to DNS resource records. These organizations benefit significantly from the dynamic method of updating DNS resource records. Dynamic registration and update enables DNS client computers to interact automatically with the DNS server to register and update their own resource records. In a DNS implementation that uses a DNS server running Microsoft Windows NT Server 4.0 and Berkeley Internet Name Domain (BIND) versions older than version 8.2.1, the administrator edits the appropriate zone file manually if the authoritative information of a resource record must be changed.

25 Module 5: Integrating Domain Name System and Active Directory 17 Why use dynamic updates? Circumstances for manually configuring dynamic updates If a DNS resource record is created manually in DNS, the DNS administrator must manually update the DNS resource record to reflect the changes to the resource when the IP address of the resource changes. Because of the volume of resource records in DNS, manually updating the records quickly becomes overwhelming for a DNS administrator. The dynamic update alternative solves this problem by automating the process. To enable DNS updates to happen automatically, without DNS administrator interaction, the administrator must configure the DNS zone to allow dynamic updates. In addition, administrators must either configure the DNS clients to update DNS records in DNS, or configure the Dynamic Host Configuration Protocol (DHCP) server supporting the DNS clients to update the DNS records on behalf of the DNS clients. The DNS administrator may benefit from manually registering or updating the resource record if:! The resource records are in a small environment where few changes are made to resource records.! You require control over all entries in DNS, such as DNS servers that provide name resolution for Internet resources (for example, Web servers or servers).

26 18 Module 5: Integrating Domain Name System and Active Directory How DNS Clients Register Resource Records *****************************ILLEGAL FOR NON-TRAINER USE****************************** DNS clients that can dynamically register and update resource records DNS clients running Windows Server 2003, Windows 2000, and Windows XP are configured by default to dynamically register and update their host names and IP addresses in DNS. Regardless of whether a DNS client is assigned an IP address by using DHCP or assigned an IP address statically, a DNS client can dynamically register and update its host name and IP address in DNS. Important The component that registers the DNS resource record for a DNS client is the DHCP Client service. Even on clients that are configured with data for a static IP address, the DHCP Client service must be running to enable the statically configured client to register its resource records in DNS. Process for dynamically updating DNS clients The following process outlines the steps for dynamically updating DNS clients: 1. The DNS client sends a start of authority (SOA) query to the DNS server that is authoritative for the resource record with which the DNS client wants to register. Note A DNS server hosting an Active Directory integrated zone lists itself as the primary server in the SOA record. When clients attempt dynamic updates with a server that is hosting an Active Directory integrated zone, the clients will determine that the server is the primary server, which has a writable copy of the zone data. 2. The DNS server returns the zone name and IP address of the DNS server that is authoritative for the zone. 3. The DNS client verifies with the authoritative DNS server of the zone that no registration exists in the zone.

27 Module 5: Integrating Domain Name System and Active Directory The DNS server responds to the DNS client. 5. If no registration exists in the DNS zone, the DNS client sends a dynamic update package to register the resource record. If the DNS client fails to update its resource record in the DNS database as described in the previous process, the client continues to attempt updating its resource record in DNS as follows: 1. The DNS client attempts to register the record with other primary servers in the zone. Multiple primary servers are an option only when using Active Directory integrated zones. 2. If all the attempts fail, the client tries to register the record again after 5 minutes and then again after 10 minutes. 3. Failures result in a repeated pattern of attempts 50 minutes after the last retry. Note The process for dynamic updates on remote access clients is much the same as on clients that have static IP configurations. When the remote access client connects to the network, the client is responsible for dynamically updating both A and PTR resource records in DNS. If the client s connection fails unexpectedly, the remote access server attempts deregistration of the corresponding PTR record in DNS. The host record remains in the database until the client reconnects or until the record is scavenged from the database.

28 20 Module 5: Integrating Domain Name System and Active Directory How DHCP Servers Register Resource Records *****************************ILLEGAL FOR NON-TRAINER USE****************************** Definition Purpose of DNS dynamic updating by using a DHCP server DHCP clients that can dynamically register and update resource records Process for dynamic updating for downlevel clients A downlevel client is a DHCP client running Windows NT 4.0 or an earlier version. Downlevel clients cannot register or update their resource records in DNS on their own. Because downlevel clients cannot register or update their own resource records, Microsoft designed its implementation of the DHCP server with the ability to register DNS client resource records in DNS on behalf of the DHCP clients. On a DHCP server running Windows Server 2003 or Windows 2000, you can configure the DHCP server to dynamically update the resource records in DNS on behalf of DHCP clients on the network. DHCP servers can update DNS client resource records for the following client types:! Any downlevel DHCP clients that do not request dynamic updates! Any DHCP clients, including those that are running Windows XP and Windows 2000, regardless of whether they request a dynamic update In the preceding illustration, the DHCP server running Windows Server 2003 performs dynamic updates for a downlevel client by using the following process: 1. The DHCP client requests an IP lease. 2. The DHCP server grants an IP lease. 3. The DHCP server automatically generates the client s fully qualified domain name (FQDN) by appending the domain name that is defined for the DHCP scope to the client name. The client name is obtained from the DHCPREQUEST message that the client sends. 4. Using dynamic update the DHCP server updates the following names for the client: a. DNS forward (A) name b. DNS reverse (PTR) name

29 Module 5: Integrating Domain Name System and Active Directory 21 The ability to register both A and PTR record types allows a DHCP server running Windows Server 2003 to act as a proxy for downlevel clients for the purpose of DNS registration. Process for performing dynamic updates for a Windows XP client A DHCP server running Windows Server 2003, with the default configuration, performs DNS dynamic updates for a Windows XP client by using the following process: 1. The DHCP client makes an IP lease request that includes the client FQDN in option 81 of the DHCP request. 2. The DHCP server grants an IP lease. 3. The client connects to the DNS server to update the A record for itself. If the client is configured to update the A record, the DNS server does not update the same record. 4. The DHCP server updates the DNS reverse (PTR) name for the client by using the dynamic update protocol.

30 22 Module 5: Integrating Domain Name System and Active Directory How Active Directory Integrated DNS Zones Use Secure Dynamic Updates *****************************ILLEGAL FOR NON-TRAINER USE****************************** Definition Purpose of secure dynamic updates A secure dynamic update is when a client submits a dynamic update request to a DNS server and the server attempts the update only if the client can prove its identity and has the proper credentials to make the update. Secure dynamic updates are available only in Active Directory integrated zones. DNS on Windows Server 2003 supports secure dynamic updates. Secure dynamic updates provide several benefits, such as the following:! Protecting zones and resource records from unauthorized modification! Enabling you to specify which users and groups can modify zones and resource records By allowing dynamic updates on a DNS zone, you free yourself from the need to manually create and maintain all of the resource records. However, you cannot control which DNS clients can dynamically update their records. For example, if an external consultant brings a laptop that is not a part of the domain into your organization, and if the laptop dynamically updates in DNS, you could have a security threat. If this laptop s computer name is the same as the name of one of your servers, it could register that name in DNS, causing other clients to connect to the unauthorized system instead of the legitimate server. However, if a DNS server hosts the DNS zone in an Active Directory integrated zone, you can configure the DNS zone to allow only secure updates. This means that if the laptop that is not a member of the domain attempts to dynamically update in the DNS zone, it will be denied. By using domain security, you can control dynamic updates by allowing only domain members to dynamically update their records.

31 Module 5: Integrating Domain Name System and Active Directory 23 Note Because the DNS zone is Active Directory integrated, you can configure the access control list (ACL) on resource records to further secure DNS. For more information, see the Windows Server 2003 Help documentation about securing DNS by using ACLs. Nonsecure versus secure-only dynamic updates Process If a zone is Active Directory integrated, it can be configured as secure-only. A zone configured as secure-only authenticates the computer that is attempting to make the update and allows the update only if the permissions on the record allow it. Zones hosted in Active Directory, in addition to those that are not, can be configured to allow nonsecure updates, which allow DNS registrations and modifications without authenticating the client computer. The following procedure provides the sequence of events in the secure dynamic update process: 1. The client queries the local name server to discover which server is authoritative for the name that the client is attempting to update. The local name server responds with the reference to the authoritative server. 2. The client queries the authoritative server to verify that the DNS server is authoritative for the zone that the client is attempting to update. The server confirms the query. 3. The client attempts a nonsecure update, which the server refuses. (Had the server been configured for nonsecure dynamic updates for the appropriate zone, rather than for secure dynamic updates, the server would have attempted to make the update.) 4. The client attempts a secure update. If the update has the proper credentials, the authoritative DNS server accepts the update and responds to the DNS client. Note If a DHCP server performs the first secure dynamic update on a DNS resource record, that DHCP server becomes the owner of the record, and only that DHCP server can update the record. This can cause problems in various circumstances. For example, a DHCP server (DHCP1) could create a record for the name Nt4host1.contoso.msft and then stop responding. When a backup DHCP server (DHCP2) tries to update the name, the update fails because DHCP2 does not own the name. Therefore, if secure dynamic updates are enabled, all DHCP servers should be placed in a special security group called DNSUpdateProxy. Objects created by members of the DNSUpdateProxy group have no security; therefore, any authenticated user can take ownership of the objects. For more information about DNSUpdateProxy, or about secure dynamic updates, see the Windows Server 2003 Help documentation.

32 24 Module 5: Integrating Domain Name System and Active Directory Practice: Configuring DNS Dynamic Updates *****************************ILLEGAL FOR NON-TRAINER USE****************************** Objective Instructions Practice In this practice, you will:! Verify secure dynamic updates.! Verify dynamic update settings in DHCP. Ensure that the DEN-DC1, DEN-SRV1, and DEN-CL1 virtual machines are started.! Prepare for this practice If necessary, log on to the DEN-DC1, DEN-SRV1, and DEN-CL1 virtual machines as Contoso\Administrator, with a password of Pa$$w0rd.! Verify secure dynamic updates 1. On DEN-CL1, click Start and then click Control Panel. 2. Double-click Network Connections and then double-click Local Area Connection. 3. Click Properties, click Internet Protocol (TCP/IP), and then click Properties. 4. Click Advanced. 5. On the DNS tab, in the DNS suffix for this connection field, enter test.msft. 6. Ensure that Register this connection s address in DNS is selected. 7. Click Use this connection s DNS suffix in DNS registration and then click OK. 8. Click OK three times. 9. Click Start, point to All Programs, point to Accessories, and then click Command Prompt. 10. At the command prompt, type ipconfig /registerdns and then press ENTER.

33 Module 5: Integrating Domain Name System and Active Directory On DEN-DC1, from the DNS console tree, right-click test.msft and then click Refresh. Does an entry for DEN-CL1.test.msft appear? Yes, the client registered the name using the connection suffix. 12. In the details pane, right-click the record for DEN-CL1, and then click Delete. Click Yes. 13. Right-click test.msft zone and then click Properties. 14. In the Dynamic Updates field, click None and then click OK. 15. On DEN-CL1, at the command prompt, type ipconfig /registerdns and then press ENTER. 16. On DEN-DC1, from the DNS console tree, right-click test.msft and then click Refresh. Does an entry for DEN-CL1.test.msft appear? No, because dynamic updates has been disabled.! Verify dynamic updates settings in DHCP 1. On DEN-SRV1, click Start, point to Administrative Tools, and then click Services. 2. In the details pane, right-click DHCP Server and then click Properties. 3. In the Startup Type field, click Automatic and then click Apply. 4. Click Start and then click OK. 5. Click Start, point to Administrative Tools, and then click DHCP. 6. Click den-srv1.training.contoso.msft. 7. Right-click den-srv1.training.contoso.msft and then click Properties. 8. Click the DNS tab. What are the default settings for dynamic updates? Dynamic updates are enabled, and the server will register A and PTR records only if requested by the DHCP client. A and PTR records will be deleted when the lease is deleted. How should you configure dynamic updates if you have downlevel clients such as Windows NT 4.0? Configure the DHCP server to always dynamically update the DNS records. 9. Close all open windows on DEN-SRV1 and DEN-DC1.! Prepare for the next practice 1. Ensure that the DEN-DC1 and DEN-SRV1 virtual machines are started. 2. Shut down the DEN-CL1 virtual machine and do not save changes.

34 26 Module 5: Integrating Domain Name System and Active Directory Lesson: Understanding How Active Directory Uses DNS *****************************ILLEGAL FOR NON-TRAINER USE****************************** Introduction Lesson objectives Computers rely on DNS to locate the physical components of Active Directory. These components include domain controllers and related services that are required for authentication and replication. Computers can locate the physical components of Active Directory by querying DNS for service locator (SRV) records. After completing this lesson, you will be able to:! Explain what SRV records are.! Understand how SRV records are registered.! Explain what the domain controller locator service is.! Explain how domain controllers are located in the closest site.! Examine the DNS records required for Active Directory.

35 Module 5: Integrating Domain Name System and Active Directory 27 What Are Service Locator Records? *****************************ILLEGAL FOR NON-TRAINER USE****************************** Introduction When are SRV records used? SRV record format SRV records enable DNS clients to locate servers that provide a TCP/IP-based service. SRV records are used in an Active Directory network to locate domain controllers that provide specific services. SRV records may also be used to locate other network services such as third-party directory servers. Member computers in an Active Directory domain use SRV records to locate domain controllers on the network. SRV records might be used in the following situations:! A Windows XP or Windows 2000 client attempts to log on to an Active Directory domain.! A domain controller needs to contact another domain controller for replication.! A client searches Active Directory for resources, such as printers.! A user attempts to change his or her password.! A Microsoft Exchange Server 2003 performs a directory lookup.! An administrator uses an Active Directory administration tool to modify Active Directory information. SRV records use a standard format that is defined in RFC 2782: A DNS RR for specifying the location of services (DNS SRV). An SRV record contains information about the offered service, such as the port number that the service is available on and the host server that offers the service. An SRV record includes the following components:! Service: The type of service that is offered. Active Directory registers several different services, including _kerberos, _kpassword, _gc, and _ldap.! Protocol: The protocol that the service uses. This protocol can be TCP or User Datagram Protocol (UDP).! TTL: The default Time to Live for this record in seconds.

36 28 Module 5: Integrating Domain Name System and Active Directory! Class: Indication that the record is the standard Internet class.! Name: The domain to which this record refers.! Type: Indication that the record is an SRV record.! Priority: If multiple SRV records exist for the same service, clients will attempt to connect to the server that has the lowest priority.! Weight: If multiple records exist for the same service and they have the same priority, clients will attempt to connect more often to the server that has the higher weight. The weight can be used to provide load balancing.! Port: The port used by the service. Common ports for Active Directory include 389 for Lightweight Directory Access Protocol (LDAP), and 3268 for global catalog.! Target: The server that hosts the service. The syntax for an SRV record is as follows: service.protocol.name ttl class type preference weight port target The following is an example of an SRV record: _ldap._tcp.contoso.msft 600 IN SRV DEN-DC1.contoso.msft This record indicates that there is an LDAP server using TCP for the Contoso.msft domain. The TTL for the record is 600 seconds. The server that hosts this service is named DEN-DC1.contoso.msft. The SRV record points to a fully qualified host name rather than an IP address. This means that a host (A) record must also be registered for the domain controller.

37 Module 5: Integrating Domain Name System and Active Directory 29 How SRV Records Are Registered *****************************ILLEGAL FOR NON-TRAINER USE****************************** Introduction Registering records with DNS When an Active Directory domain controller starts, the Net Logon service uses dynamic updates to register SRV resource records in the DNS database. Multiple records are registered with DNS, indicating the various services that the domain controller offers. For the Net Logon service to register SRV records with DNS, dynamic updates must be enabled on the primary zone for the domain name. If dynamic updates are not enabled, you can manually create the records in DNS. The file named Netlogon.dns contains all of the records that a domain controller will register with DNS. The file is located in the %systemroot%\system32\config folder. This file contains only the default records created when the domain controller was initially configured. Note You can reregister a domain controller s SRV records with dynamic updates by restarting the Net Logon service. Records registered by Net Logon The SRV records that can be registered by the Net Logon service (if it is running on an Active Directory domain controller) include the following:! _ldap._tcp.dnsdomainname: Allows a client to locate a server that is running the LDAP service in the domain.! _ldap._tcp.sitename._sites.dnsdomainname: Allows a client to locate a server that is running the LDAP service in the domain in a specific site.! _ldap._tcp.dc._msdcs.dnsdomainname: Allows a client to locate a domain controller for a domain named.! _ldap._tcp.sitename._sites.dc._msdcs.dnsdomainname: Allows a client to locate a domain controller for a domain in a specific site.! _ldap._tcp.pdc._msdcs.dnsdomainname: Allows a client to locate the server that is acting as the primary domain controller (PDC).! _ldap._tcp.gc._msdcs.dnsforestname: Allows a client to locate a global catalog server for the forest.

38 30 Module 5: Integrating Domain Name System and Active Directory! _ldap._tcp.sitename._sites.gc._msdcs.dnsforestname: Allows a client to locate a global catalog server for the forest in a specific site.! _gc._tcp.dnsforestname: Allows a client to locate a global catalog server for the forest.! _gc._tcp.sitename._sites.dnsforestname: Allows a client to locate a global catalog server for the forest in a specific site.! _ldap._tcp.domainguid.domains._msdcs.dnsforestname: Allows a client to locate a domain controller in a domain on the basis of its globally unique identifier (GUID). A GUID is a 128-bit number that is automatically generated for referencing objects in Active Directory.! _kerberos._tcp.dnsdomainname: Allows a client to locate a server that is running the Kerberos key distribution center (KDC) service for the domain.! _kerberos._udp.dnsdomainname: Same as _kerberos._tcp.dnsdomainname, except that UDP is used.! _kerberos._tcp.sitename._sites.dnsdomainname: Allows a client to locate a server that is running the Kerberos KDC service for the domain.! _kerberos._tcp.dc._msdcs.dnsdomainname: Allows a client to locate a server that is running the Kerberos KDC service for the domain.! _kerberos.tcp.sitename._sites.dc._msdcs.dnsdomainname: Allows a client to locate a server that is running the Kerberos KDC service for the domain in a specific site.! _kpasswd._tcp.dnsdomainname: Allows a client to locate a Kerberos password change server for the domain.! _kpasswd._udp.dnsdomainname: Same as _kpasswd._tcp.dnsdomainname, except that UDP is used. Examples The following list provides some examples of SRV records:! A global catalog server for the forest named Contoso.msft would register the following SRV record: _ldap._tcp.gc._msdcs.contoso.msft! A domain controller for the Training.contoso.msft domain would register the following SRV record: _ldap._tcp.dc._msdcs.training.contoso.msft! A domain controller for the Contoso.msft domain in a site name Denver would register the following SRV record: _ldap._tcp.denver._sites.dc._msdcs.contoso.msft Note To control traffic to domain controllers in remote sites, you may want to prevent domain controllers from registering certain SRV records. Use Group Policy in Active Directory for this purpose. For more information on Group Policy, see Course 2279, Planning, Implementing, and Maintaining a Microsoft Windows Server 2003 Active Directory Infrastructure.

39 Module 5: Integrating Domain Name System and Active Directory 31 How Domain Controllers Are Located *****************************ILLEGAL FOR NON-TRAINER USE****************************** Introduction How the locator works When an application requests access to Active Directory, an Active Directory domain controller is located by a mechanism called the domain controller locator. The locator is an algorithm that runs in the context of the Net Logon service. The locator can find domain controllers by using DNS names or NetBIOS names, or it can be used on a network where IP transport is unavailable. To locate domain controllers in an Active Directory domain, the locator uses DNS. The locator uses NetBIOS name resolution to locate domain controllers in a Windows NT 4.0 domain and to locate domain controllers that cannot be located by using DNS. The locator gathers information about the client system (such as domain, site location, and domain GUID) and passes that information to the Net Logon service. The following sequence describes how the locator finds a domain controller in an Active Directory domain by using DNS: 1. On the client, the locator is initiated as a remote procedure call (RPC) to the local Net Logon service. The locator application programming interface (API), DsGetDcName, is implemented by the Net Logon service. 2. The client collects the information that is needed to select a domain controller and passes the information to the Net Logon service by using the DsGetDcName API.

40 32 Module 5: Integrating Domain Name System and Active Directory 3. The Net Logon service on the client uses the collected information to locate a domain controller for the specified domain and site. Net Logon queries DNS by using the IP/DNS-compatible locator to read the SRV records and A records from DNS. It then appends an appropriate string to the front of the domain name that specifies the SRV record. A workstation that is logging on to an Active Directory domain queries DNS for SRV records in following general form: _service._protocol.dnsdomainname. Active Directory servers offer the LDAP service over the TCP protocol; therefore, clients find an LDAP server by querying DNS for a record of the following form: _ldap._tcp.dnsdomainname. 4. The Net Logon service sends a datagram to the computer that registered the name. For DNS domain names, the datagram is implemented as an LDAP UDP search. 5. Each available domain controller responds to the datagram to indicate that it is currently operational and returns the information to DsGetDcName. 6. The Net Logon service returns the information to the client from the first domain controller that responded. 7. The Net Logon service caches the domain controller information so that subsequent requests need not repeat the discovery process.

41 Module 5: Integrating Domain Name System and Active Directory 33 Locating Domain Controllers in the Closest Site *****************************ILLEGAL FOR NON-TRAINER USE****************************** Introduction Locating domain controllers in the closest site Active Directory sites provide a mechanism to control network traffic related to Active Directory. This traffic includes logon authentication traffic, Active Directory replication traffic, and site-aware application traffic such as the Distributed File System (DFS). Clients and services attempt to communicate with domain controllers within their site, if possible. Communicating with local domain controllers helps reduce Active Directory related traffic over potentially slow or saturated WAN links. The SRV records registered by a domain controller include records that contain the site information for each domain controller. The site is associated with one or more IP subnets in Active Directory. Site membership for clients is dynamic and is based on IP address. A client s site membership can change periodically. For example, a mobile user who connects a laptop computer in a conference room or in the field might have a changed IP address and become part of a different site. If a client is aware of which site it belongs to, it will attempt locate domain controllers in its site. If a client is unaware of its site membership when it starts, the client will attempt to locate any domain controller within its domain. After the client locates a domain controller, the client establishes communication with the domain controller by using LDAP. As part of that negotiation, the domain controller uses the client IP address to identify the site in which the client is located. If the client is communicating with a domain controller that is not in the closest site, the domain controller informs the client of the name of the site in which the client is located. If the client has already tried to find domain controllers in that site, the client uses the domain controller that is not optimal. Otherwise, the client does a site-specific DNS lookup with the new optimal site name.

42 34 Module 5: Integrating Domain Name System and Active Directory Practice: Understanding How Active Directory Uses DNS *****************************ILLEGAL FOR NON-TRAINER USE****************************** Objective Instructions Practice In this practice, you will verify SRV records. Ensure that the DEN-DC1 and DEN-SRV1 virtual machines are running.! Prepare for this practice If necessary, log on to DEN-DC1 and DEN-SRV1 as Contoso\Administrator, with a password of Pa$$w0rd.! Verify SRV records registered by DEN-DC1 1. On DEN-DC1, click Start and then click My Computer. 2. Browse to c:\windows\system32\config. 3. Double-click netlogon.dns. When prompted, select Select program from a list and then click OK. 4. Click Notepad and then click OK. View the SRV records that are registered by DEN-DC1. Close Notepad. 5. Click Start, point to Administrative Tools, and then click DNS. 6. From the DNS console tree, expand DEN-DC1, expand Forward Lookup Zones, and then expand Contoso.msft. 7. Right-click _tcp, click Delete, and then click Yes. 8. Click Start, point to All Programs, point to Accessories, and then click Command Prompt. 9. At the command prompt, type net stop netlogon & net start netlogon and then press ENTER. 10. In the DNS console tree, right-click Contoso.msft and then click Refresh. Verify that the _tcp subdomain has been re-created. 11. Close all open windows.

43 Module 5: Integrating Domain Name System and Active Directory 35 Lab: Integrating DNS and Active Directory *****************************ILLEGAL FOR NON-TRAINER USE****************************** Objectives Instructions After completing this lab, you will be able to configure Active Directory integrated DNS zone. Ensure that the following virtual machines are running:! DEN-DC1! DEN-SRV1 Estimated time to complete this lab: 20 minutes