Académique Documents
Professionnel Documents
Culture Documents
Invaluable reference material that was a fantastic resource for my MCITP exam preparations! Terry Silva (MCTS) Melbourne, Australia. Just wanted to drop you a note of appreciation for the study guide you put together. I'm taking my last test soon and your study guide was helpful Joe Stocker in Austin. Kurt, your study guides are fantastic! Tina Thorson at www.pcrepairnorthshore.com in New York. "Would like to use this opportunity to thank you for the time and effort you put in this book, I will be taking my exam in a few month for the second time since I failed the first attempt, and I hope with the help of this book I'll pass" Mubiana Mubiana in Namibia. The study guides look great! Nik in Sydney, Australia. Thanks for publishing the study guides. With your help, I should be able to pass 70-640! Mike Brown. Great book, concise, accurate, well written, hard to believe it was self-published. James in Lebanon, PA. Now that you're done will you finally help Ariana with her homework? Beatriz in Argentina.
Acknowledgements
First, I need to thank my wonderful wife Beatriz and our two spectacular kids, Ariana and Federico. I also want to thank the two great editors who Ive been working with for the past 10 years on various projects: John Cobb and Steve Wacker. Thanks also to all of the readers who took the time to send their feedback and suggestions that helped to make this version of the book so much better. I also want to thank my chums in #banter, weve been through a lot together over the last 15 years! Last, but hardly least, my best friend of 25 years Jim Martin, who reviewed various drafts and made many useful suggestions, has my eternal gratitude.
The Precision Guide to Windows Server 2008 Active Directory Configuration: MCTS Exam 70-640 Study Guide Copyright 2011 by Kurt Dillard kurt@kurtdillard.com www.kurtdillard.com
While every precaution has been taken in the preparation of this book the author makes no warranties or guarantees regarding its accuracy or completeness. This book is published as is, the author does not make any warranty of fitness for a particular purpose. The book is offered with the understanding that the author is not engaged in offering professional services of any kind; if professional assistance is required the services of a competent professional person should be engaged. The publisher assumes no responsibility for errors or omissions or for damages arising from the use of information contained within the book.
Contents
Praise for the Precision Guide Series About the Book About the Author Acknowledgements Chapter 1: Configuring DNS for Active Directory Configuring DNS Zones Start of Authority (SOA) Managing Other Resource Records Understanding DNS Zones Expert Discussion: Why Background Zone Loading is Important Zone Aging and Scavenging Understanding Forward Lookups and Reverse Lookups Exercise 1: Prepare Your Practice Lab Configuring Zone Transfers and Replication Configuring Zone Transfers Configuring DNS Notify Using Secure Zone Transfers Exercise 2: Build Your AD DS Domain Defining Replication Scope for AD DS-Integrated Zones Expert Discussion: What is the GlobalNames Zone? Configuring Additional DNS Server Options Updating Root Hints Configuring Server Forwarding Configuring Round Robin DNS Disabling Recursion Securing the Cache from Names Pollution Implementing Zone Delegation Summary Chapter Review Questions Answers References Chapter 2: Configuring the Active Directory Infrastructure Managing Forests and Domains Implementing Domain Controllers Working with Previous Versions of AD DS Ensuring Group Policy Modeling Works Correctly Migrating from Windows NT 4.0 Domains Decommissioning Domain Controllers Configuring Trusts Other Management Tasks Configuring Sites and Replication Adding Sites Creating Active Directory Subnets Managing Site Links
Understanding Bridgehead Servers Exercise 1: Adding the Distributed File System Role Service Configuring Distributed File System Configuring the Global Catalog Adding and Removing the Global Catalog Managing Items in the Global Catalog Enabling Universal Group Membership Caching Managing Operations Masters Seizing and Transferring Operations Masters Introducing the Database Mounting Tool Configuring the Time Service Summary Chapter Review Questions Answers References Chapter 3: Configuring Additional Active Directory Server Roles Configuring Active Directory Lightweight Directory Services AD LDS Management Tools Creating Instances and Application Partitions Configuring AD LDS Data Configuring AD LDS Authentication Exercise 1: Preparing Your Lab for Additional Server Roles Configuring Active Directory Rights Management Services Understanding How AD RMS Works Installing AD RMS Managing AD RMS Provisioning RMS Clients Configuring Read-Only Domain Controllers Deploying Read-Only Domain Controllers Configuring RODC Password Replication Policy Administrator Role Separation Other RODC Considerations Configuring Active Directory Federation Services Installing AD FS Configuring the AD FS Proxy and AD FS Agents Configuring the Federation Service Summary Chapter Review Questions Answers References Chapter 4: Creating and Maintaining Active Directory Objects Creating and Maintaining Accounts Creating User Accounts Creating Group Accounts
Creating Computer Accounts Maintaining Accounts Creating Organizational Units and Delegating Administration Creating and Maintaining Group Policy Objects How Group Policy Objects Work Creating and Applying Group Policy Objects Introducing Group Policy Preferences Configuring Group Policy Settings A Brief History of Security Guidance for Windows Using Group Policy to Deploy Software Configuring Account Policies Configuring Audit Policies Summary Chapter Review Questions Answers References Chapter 5: Maintaining the Active Directory Environment Configuring Backup and Recovery Real World Example of Why You Want to Verify Your Backups Work! Using Windows Server Backup Restoring Active Directory Data Using the Database Mounting Tool Performing Offline Maintenance Conducting Offline Defragmentation Configuring Active Directory Database Storage Allocation Understanding Restartable Active Directory Monitoring Active Directory Using Task Manager Using Event Viewer Monitoring Active Directory Replication Using the Reliability and Performance Monitor Using Windows System Resource Manager Using Network Monitor Troubleshooting Group Policy Using RSoP Summary Chapter Review Questions Answers References Chapter 6: Configuring Active Directory Certificate Services Installing Active Directory Certificate Services Comparing Stand-alone and Enterprise Certificate Authorities Understanding Certificate Authority Hierarchies Creating a Certificate Practice Statement Configuring CA Server Settings
Archiving Certificate Authority Keys Backing Up and Restoring the Certificate Authority Database Delegating Certificate Authority Administration Managing Certificate Templates Configuring Certificate Template Security Managing Multiple Certificate Template Versions Managing Certificate Enrollment Processing Certificate Requests Configuring Autoenrollment Configuring Web Enrollment Configuring Smart Card Enrollment Configuring Enrollment Agents Configuring the Network Device Enrollment Service Managing Certificate Revocation Managing Certificate Revocation Lists Configuring a CRL Distribution Point Configuring Online Responders Summary Chapter Review Questions Answers References
The Precision Guide to Windows Server 2008 Active Directory Configuration (MCTS Exam 70-640)
Figure 1.2. DNS Manager To manage the SOA record for a zone, navigate to the desired zone within DNS Manager and then rightclick the SOA record and select Properties. The following screenshot shows the properties of the SOA RR from my test domain. In most cases, the default values for refresh, expiration, and time to live (TTL) are sufficient. You may wish to increase these values to reduce the amount of DNS traffic on your network. However, increasing the values will cause DNS clients to take longer to learn about configuration changes, and its likely they will have problems finding other hosts on your network.
The Precision Guide to Windows Server 2008 Active Directory Configuration (MCTS Exam 70-640)
Pointer (PTR) resource records. This type of record is used for the reverse lookup process, which is discussed in more detail later in this chapter. Resource records can be added and updated to the database manually or automatically. The manual process, also referred to as Non-Dynamic DNS (NDDNS), is useful when adding records that are unlikely to change for a long time, such as public facing web and mail servers. To manually add a static record using DNS Manager 1. Right-click the desired zone and select Other New Records. 2. Select the type of record to create from the Select a resource record type drop-down list. 3. Click Create Record. 4. Enter the information for the new record in the New Resource Record dialog box, and click OK to add the record to the database. The type of information required for the new record will vary depending upon its type. To manually add a record using a command prompt, open a command prompt with administrative privileges, type the following command, and press Enter. Dnscmd <ServerName> /RecordAdd <ZoneName> <NodeName> [/Aging] [OpenAcl] [TTL] <RRType> <RRData> As you can see, the command has many options. The following table briefly explains each option. You can view more detailed information about all of these options by entering the following command: Dnscmd /RecordAdd /help Table 1.1. Dnscmd Options when Adding Records Parameter <ServerName> /RecordAdd <ZoneName> <NodeName> [/Aging] [OpenAcl] [TTL] <RRType> <RRData> Description This is a required parameter. Specify either the host name or IP address of the DNS server where the record is to be created. This is a required parameter that specifies what action is to be taken, in this case to add a new record. This is a required parameter. The fully qualified domain name (FQDN) of the zone. This is a required parameter. The FQDN of the node. This optional parameter specifies that the record may be aged and scavenged. This optional parameter specifies that the record may be modified by any user; without this parameter only administrators are able to do so. This optional parameter specifies the time to live (TTL) for the record. This is a required parameter. It specifies what kind of record to add; for example, A, AAAA, MX, NS, CNAME, SRV, or PTR. These are required parameters that vary depending upon the type of record being added. Each of these parameters must be separated by a space.
Enterprise networks can be large, with hundreds of thousands of hosts, and managing static records for so many hosts isnt feasible. To address this challenge, Windows Server 2008 also supports dynamically updated records. Records can be dynamically updated by the DHCP Client Service on the client computer when it registers itself with the DNS server upon boot-up, Alternatively, DHCP servers (if they support the feature) can be configured to register clients when they assign an address. There are two methods available for dynamic updates: Dynamic DNS (DDNS) and Secure Dynamic DNS (SDDNS). DDNS is the least secure choice, because updates can be accepted from untrusted hosts. However, DDNS is supported by a wider range of operating systems. SDDNS is only available for AD DS-integrated zones, and its the preferred
configuration whenever possible. The default setting for new zones is NDDNS, that is, to disable dynamic updates unless the new zone is integrated with AD DS, in which case SDDNS is the default setting. To enable or disable dynamic updates in DNS Manager, right-click the desired zone and select Properties, then make the appropriate selection in the Dynamic Updates drop-down list and press OK. To configure dynamic updates from a command prompt, type the following command and press Enter: Dnscmd <ServerName> /Config {<ZoneName or ..AllZones>} AllowUpdate 2 The following table briefly explains what each of the command line options mean. Table 1.2. Dnscmd Parameters when Configuring a Zone Parameter <ServerName> /Config <ZoneName or ..AllZones> AllowUpdate 2 Description This is a required parameter. Specify either the host name or IP address of the DNS server where the zone is stored. This is a required parameter that specifies what action is to be taken, in this case to modify the specified zone. This is a required parameter. The fully qualified domain name (FQDN) of the zone. To configure all zones stored on the server type ..AllZones. This is a required parameter, it enables dynamic updates. This optional parameter specifies secure updates only. If it is omitted, the zone will only allow standard dynamic updates.
Tip: The graphical tool for DNS administration in Windows Server 2008 is the DNS Manager MMC, referred to in the rest of this chapter as DNS Manager. There is also a command prompt tool available which is useful for managing Server Core installations and scripting of administrative tasks called dnscmd. Although many administrators will be most comfortable using DNS Manager, you may also want to familiarize yourself with the command prompt tool.
Primary
A primary zone is the writable master copy of a zone. A DNS server that hosts the primary zone is the authoritative source for information about that zone.
Secondary
A secondary zone is a read-only copy of a zone. A server that hosts a secondary zone must download the zone data and ongoing updates to the data from another server hosting the same zone. A secondary copy cannot be stored in AD DS because it is merely a copy of a primary zone stored on another server.
Stub
A stub zone is a copy of the primary zone that only contains resource records for the authoritative DNS servers for that zone. A server that hosts a stub zone must download the zone data and ongoing updates to the data from another server hosting the same zone. When properly implemented, stub zones can improve name resolution efficiency by allowing DNS servers to complete recursive queries without having to query the Internet or internal root servers. Stub zones also tend to be less processor-intensive than conditional forwarding.
The Precision Guide to Windows Server 2008 Active Directory Configuration (MCTS Exam 70-640)
Figure 1.4. Selecting the Active Directory replication scope in the New Zone Wizard To create a new zone from a command prompt, type the following command and press Enter: dnscmd <ServerName> /ZoneAdd <ZoneName> {/Primary|/DsPrimary|/Secondary|/Stub|/DsStub} [/file <FileName>] [/load] [/a <AdminEmail>] [/DP <FQDN>] Again, there are many options available. The following table briefly explains each option. Table 1.3. Dnscmd Parameters when Creating a Zone Parameter Description
Parameter <ServerName>
Description This is a required parameter. Specify either the host name or IP address of the DNS server where the zone is stored. This is a required parameter that specifies what action is to be taken, in this case to add a new zone. This is a required parameter. The fully qualified domain name (FQDN) of the zone. This is a required parameter for defining the zone type; /DsPrimary and /DsStub indicate AD DSintegrated zones. This parameter is required only when creating a primary zone that is not integrated with AD DS. This optional parameter loads an existing file otherwise the default zone records are automatically generated. Use this optional parameter to specify an email address for the zones administrator. Use this optional parameter to specify the FQDN for an application directory where the zone is to be added.
/ZoneAdd
Typically, only dynamically updated records are configured to be scavenged, because static records are usually for servers that are going to be sharing resources for a relatively long time. By default, static records are given a time stamp of zero, which exempts them from aging and scavenging. You can change this by modifying the records individually to permit them to use a current time stamp instead. The zone aging and scavenging concepts use the following terms, with which you should familiarize yourself: No-refresh interval. The period of time between the last refresh and the moment when the timestamp can be refreshed again. Refresh interval. The period of time from when a record is refreshed to when it can be scavenged. This interval must be greater than the maximum refresh period. Scavenging period. The period of time between scavenging operations. Record refresh. Refresh occurs when a dynamic update is processed and the only change made to the record is to update its time stamp. This happens when a computer restarts, every 24 hours when the computer attempts to update its record, and when other network services attempt a refresh.
The Precision Guide to Windows Server 2008 Active Directory Configuration (MCTS Exam 70-640)
Record update. Update occurs when a dynamic update is processed and other characteristics are modified in addition to its time stamp. Scavenging servers. Its possible to restrict scavenging to a specific list of DNS servers, identified by their IP address. To configure aging and scavenging for a zone in DNS Manager 1. Right-click the zone and select Properties. 2. Click Aging on the General tab of the dialog box. 3. Select the Scavenge stale resource records check box. 4. Modify the other properties as appropriate. To configure aging and scavenging for a zone from a command prompt, type the following command and press Enter: dnscmd <ServerName> /Config <ZoneName> {/Aging <Value>|/RefreshInterval <Value>|/NoRefreshInterval <Value>} The following table briefly explains each option. Table 1.4. Dnscmd Parameters for Scavenging at the Zone Level Parameter <ServerName> /Config <ZoneName> /Aging <Value> /RefreshInterval <Value> /NoRefreshInterval <Value> Description This is a required parameter. Specify either the host name or IP address of the DNS server where the zone is stored. This is a required parameter that specifies what action is to be taken, in this case to modify the specified zone. This is a required parameter. The fully qualified domain name (FQDN) of the zone. This is a required parameter. Set the value to 1 to enable aging, or 0 to disable it. This is a required parameter. It specifies the refresh interval in hours, 168 by default. This is a required parameter. It specifies the no-refresh interval in seconds, 3600 by default
To configure aging and scavenging for a DNS server, in DNS Manager right-click the server and click Set Aging/Scavenging for all zones; then select the Scavenge stale resource records check box and modify the other properties as appropriate. To configure aging and scavenging for a DNS server from a command prompt, type the following command and press Enter: dnscmd <ServerName> /Config {/ScavengingInterval <Value>|/DefaultAgingState <Value>|/DefaultNoRefreshInterval <Value>|/DefaultRefreshInterval <Value>} The following table briefly explains each option. Table 1.5. Dnscmd Parameters for Scavenging at the Server Level Parameter <ServerName> /Config /ScavengingInterval <Value> Description This is a required parameter. Specify either the host name or IP address of the DNS server where the zone is stored. This is a required parameter that specifies what action is to be taken, in this case to modify the specified zone. This required parameter specifies the scavenging frequency for all zones enabled for scavenging.
Description This required parameter sets the default aging configuration for all zones. 1 enables aging and 0 disables it. This is a required parameter. It specifies the default refresh interval in hours. This is a required parameter. It specifies the default no-refresh interval in seconds.
The Precision Guide to Windows Server 2008 Active Directory Configuration (MCTS Exam 70-640)
Figure 1.5. Recursive forward lookup DNS also supports reverse lookups in which the client knows the IP address but wants to learn the primary hostname assigned to it. Why would anyone want to do that? There are many situations where it could be useful; for example, when parsing a websites log files, knowing the domains your visitors are coming from helps to better understand their usage patterns. An organization that hosts a publicly available Internet Relay Chat (IRC) service might want to track both hostnames and IP addresses in realtime to facilitate any complaints of harassment or other unauthorized behavior. Reverse lookups were not part of the original specification for DNS, and the way domain names are organized and indexed is very different from how IP addresses are assigned. In addition, domain names are interpreted from right to left, and IP addresses are read in the opposite direction. This is the reason why the IP address octets are reversed when building the reverse lookup domain tree. A special domain is reserved to facilitate reverse lookups, the in-addr.arpa domain. A new reverse lookup zone consists of the reverse address of a subnet prepended to adr.arpa. That is, the subnet 192.168.2/24 would correspond to a zone named 2.168.192.in-addr.arpa. The DNS service can create a pointer (PTR) RR for each host record added to the original zone. The reverse lookup process is similar to forward lookups. The client queries the DNS server for a PTR RR that maps to the IP address. The DNS server then reverses the address and appends the in-addr.arpa domain to it. It then performs the lookup process normally, first looking locally and then performing a recursive query if necessary. The following figure illustrates a simple reverse lookup in which the server named www.kurtdillard.com wants to know the hostname for the client that has initiated communications.
The Precision Guide to Windows Server 2008 Active Directory Configuration (MCTS Exam 70-640)
download and build my servers because the virtual labs arent as flexible and the virtual hard drive images currently available were built with pre-release versions of the operating system. After you download the ISO image you can burn it to a DVD, but it not necessary to do so because Virtual PC is able to mount ISO images as if they were actual DVDs or CDs. If you are unfamiliar with Virtual PC, it includes extensive documentation in its help file. To create a new virtual machine with Windows Server 2008 installed 1. Start Virtual PC and click New 2. The New Virtual Machine Wizard starts. Click Next. 3. On the Options page, ensure that Create a new virtual machine is selected and then click Next. 4. Type a name for your new virtual machine. Click Browse if you want to specify a location other than the default for storing the configuration file for the virtual machine. 5. Click Next, then click Next again on the Operating System page. 6. Select Adjusting the RAM and type 512 in the text box, then click Next. 7. Select A new virtual hard disk and click Next. 8. Specify a path and file name for the virtual hard disk and click Next. 9. Click Finish. 10. Ensure that the new virtual machine is selected and click Start to launch it. 11. Click the CD menu and select Capture ISO Image 12. Navigate to where you saved the ISO image and select it, then click Open. If the virtual machine boot process is already too far along to launch the installation from the ISO image, you can reboot it from the Action menu by selecting Reset. 13. You should be able to install Windows Server 2008 the same way you would if you were installing it on a physical computer. Use the default options throughout the installation, but be sure to select a sensible hostname when given the opportunity. To make it easier to tear down and restart your practice lab, I suggest that you make a copy of the virtual hard disk file after the operating system installation is complete. Some of the other exercises require two servers, so you ought to make yet another copy.
To configure zone transfers using DNS Manager 1. Right-click the desired zone, and then select Properties. 2. Click the Zone Transfers tab. 3. Enable or disable the Allow zone transfers check box. 4. If you have enabled transfers, select the appropriate radio button: To any server, Only to the servers listed on the Name Servers tab, or Only to the following servers, as shown in the following figure. 5. If you select the last button, click Edit and enter the IP addresses for each desired DNS server, as shown in figure 1.8.
Figure 1.7. Specifying what servers are allowed to request zone transfers.
The Precision Guide to Windows Server 2008 Active Directory Configuration (MCTS Exam 70-640)
Figure 1.8. Defining the list of IP addresses for servers allowed to request zone transfers. To configure zone transfers from a command prompt, type the following command and press Enter: dnscmd <ServerName> /ZoneResetSecondaries <ZoneName> {/NoXfr | /NonSecure | /SecureNs | /SecureList [<SecondaryIPAddress...>]} The following table briefly explains each of the command line options. Table 1.6. Dnscmd Parameters for Zone Transfers Parameter <ServerName> /ZoneResetSecondaries Description This is a required parameter. Specify either the host name or IP address of the DNS server where the zone is stored. This is a required parameter that specifies what action is to be taken, in this case to configure zone transfers for the specified zone. This is a required parameter. The fully qualified domain name (FQDN) of the zone. This option disables transfers. This option permits transfers to any DNS server. This option permits transfers to servers listed in the zone using name server resource records. This option permits transfers to the list of servers specified by SecondaryIPAddress
Parameter <SecondaryIPAddress>
Description Required if /SecureList is used, a list of one or more IP address for DNS servers to be allowed to obtain transfers.
Note: DNS Notify is not necessary for AD DS-integrated zones because the DNS servers automatically poll the directory for changes on a regular basis.
The Precision Guide to Windows Server 2008 Active Directory Configuration (MCTS Exam 70-640)
To add the Active Directory Domain Services role 1. Navigate to Roles in the navigation pane and then select Add Roles in the Roles Summary pane. 2. Click Next. 3. Select Active Directory Domain Services on the Select Server Roles page, and click Add Required Features when prompted. 4. Click Next. 5. Complete the Add Roles wizard using the default settings. 6. On the Installation Results page, click Close this wizard and launch the Active Directory Domain Services Installation Wizard. 7. Use the default settings throughout the installation, including installing the DNS Server role. You will need to specify values for some options such as the AD DS restore mode password and an FQDN for your domain; I suggest you pick something that is completely unresolvable from the Internet, such as domain.test or testing.domain. 8. You will also need to specify that this is the first domain controller in a new domain, and the first domain in a new forest. 9. After the wizard has gathered all of the necessary information from you, the installation will proceed automatically; how long it takes will depend upon the hardware capacity of your test system.
Figure 1.9. Selecting a custom directory partition for replication scope To enlist a DNS server in an application directory partition, enter the following at a command prompt: Dnscmd <ServerName> /EnlistDirectoryPartition <FQDN> To remove a DNS server in an application directory partition, enter the following at a command prompt: Dnscmd <ServerName> /UnenlistDirectoryPartition <FQDN> In each case, you specify the name of the DNS application directory partition by entering its FQDN.
The Precision Guide to Windows Server 2008 Active Directory Configuration (MCTS Exam 70-640)
(Replace <ServerName> with the name of the authoritative DNS server.) 3. Replicate the new zone to all domain controllers in the forest. 4. Add the desired alias (CNAME) resource records to the new zone. 5. Publish the location of the new GlobalNames zone in other forests as appropriate by adding service location to the forest-wide DNS application partition, using the service name _globalnames._msdcs and specifying the FQDN of the DNS server that hosts the GlobalNames zone.
The Precision Guide to Windows Server 2008 Active Directory Configuration (MCTS Exam 70-640)
continue to respond with the address of a server even if it is no longer available. In addition, round robin DNS does not make provisions for the differing capacities of the servers; all of them will receive the same amount of traffic. This feature is turned on and off in DNS Manager from the Advanced tab in the Properties dialog box for the DNS server. In the list of server options, enable or disable the checkbox for Enable round robin.
Disabling Recursion
As described previously, the DNS Server service automatically performs recursive queries on behalf of its clients by querying other DNS servers for information about hosts when it is unable to resolve the name locally. Recursion should be disabled on externally facing DNS servers because attackers may be able to flood the DNS server with unresolvable queries, leading to a denial-of-service condition. This feature is controlled in DNS Manager from the Advanced tab in the Properties dialog box for the DNS server. In the list of server options, enable or disable the checkbox for Disable recursion (also disables forwarders).
Parameter [OpenAcl]
Description This optional parameter specifies that the record may be modified by any user; without this parameter only administrators are able to do so. This optional parameter specifies the time to live (TTL) for the record. This required parameter specifies that you are adding a new NS record to the zone. These required parameters specify the hostname or FQDN of the new authoritative server.
[TTL] NS <Hostname>|<FQDN>
Summary
This chapter showed you how to install and manage the DNS Server role in Windows Server 2008. It explained the common administrative tasks and introduced you to the key features that are new in this version of Windows Server, such as the GlobalNames zone and background zone loading. To effectively prepare for the examination, it is important that you understand the concepts discussed here. It is also important that you are familiar with each of the procedures described in the chapter. It would be ideal if you also spent some time exploring DNS Manager to familiarize yourself with the less commonly used configuration options. Although they are less likely to appear on the exam, doing so will increase your chances of success.
Chapter Review
This section presents a list of review questions designed to help reinforce the knowledge presented earlier in the chapter. To persuade you to explore the management tools more deeply, a few questions may require you to examine DNS Manager or dnscmd rather than rereading the chapter.
Questions
1. You want to add an AD DS-integrated secondary zone to your DNS server, but you see an error message stating Command failed: ERROR_INVALID_PARAMETER 87 after entering the following at a command prompt: dnscmd dc1 /zoneadd NewZone /secondary /dp /domain. What should you do to correct this problem? a. The command needs to include the /filename option with the path to the file, so it should read something like this: dnscmd dc1 /zoneadd NewZone /secondary /dp /domain /file c:\data\ZoneFile.dns b. The zone type needs to be corrected to /dssecondary, so it should read like this: dnscmd dc1 /zoneadd NewZone /dssecondary /dp /domain c. Secondary zones cannot be AD DS-integrated, therefore the zone type should be changed to /dsprimary or /dsstub, or you should remove the /dp /domain options and specify the master IP address for the zone. d. The DNS Server service doesnt support creating AD DS-integrated zones from the command prompt. Jump to answers. 2. You manage an enterprise network that consists primarily of Windows clients and servers, and other platforms are deployed in small numbers. Active Directory is deployed on domain controllers running Windows Server 2003 and AD DS on servers running Windows Server 2008; the domain controllers are the only servers hosting the DNS Server service. There are three domains in a single forest. You want to configure replication of the DNS in such a way that network utilization is kept relatively low
The Precision Guide to Windows Server 2008 Active Directory Configuration (MCTS Exam 70-640)
while ensuring that all of the domain controllers have up-to-date resource records in their DNS databases. Which approach to replication should you consider first? a. Configuring incremental zone transfers and enabling DNS Notify. b. AD DS replication with zones stored in the domain-wide DNS application directory partition. c. Configuring full zone transfers and enabling DNS Notify. d. AD DS replication with zones stored in the forest-wide DNS application directory partition. Jump to answers. 3. Match the list of use cases in the following table with the kind of resource record that will most likely contain the required data. Table 1.9. Use Cases and Resource Records Use case a. An SMTP server attempting to forward mail to your organization. b. A user browsing to a website hosted on several servers that use round robin DNS for load balancing. c. A web server log file analysis tool generating reports on web site usage. d. A client trying to connect to another host on a network that uses IPv6. e. A domain-joined laptop computer that has just been turned on by its user. Resource record 1. AAAA 2. MX 3. SRV 4. PTR 5. CNAME
Jump to answers. 4. Users have started reporting problems connecting to servers within your organizations network. You are able to connect to some servers, such as the domain controllers for the AD DS domain for your user account, but others do not respond. Which of the following is the best tool to quickly determine whether or not the problem is related to name resolution? a. Ping b. DNS Manager c. Arp d. Dnscmd e. nslookup Jump to answers. 5. You have deployed AD DS for a domain named kurtdillard.com, but have only installed the DNS Server service on a subset of the domain controllers. You want to create a DNS zone named finance for a set of servers that will only be replicated to a DNS server in your organization, and you are currently logged into the local console of the domain controller named NS1. Which is the correct command to create the desired DNS application directory partition? a. nslookup ns1 /CreateDirectoryPartition finance.kurtdillard.com b. dnscmd ns1 /EnlistDirectoryPartition finance.kurtdillard.com c. dnscmd /CreateDirectoryPartition finance.kurtdillard.com ns1 d. dnscmd ns1 /CreateDirectoryPartition finance.kurtdillard.com Jump to answers. 6. Examine the following figure. You want to add a Host Information (HINFO) resource record to the selected zone, but that kind of record doesnt appear on the menu. What steps should you take to add a record of this type?
Figure 1.11. DNS Zone context menu a. Click Other new recordsfrom the menu, then select the HINFO RR in the dialog box that appears and click Create Record b. Click Properties, then click the Advanced Tab and turn on the option to enable advanced resource record types. c. Click All Tasks, then select Add/Remove record types and enable the HINFO record type. d. Click View, then select Customize, and enable the checkbox to display advanced record types. Jump to answers. 7. When would background zone loading have a significant positive impact? a. For any domain controllers running DNS with AD DS-integrated zones, regardless of the database size. b. For domain controllers running DNS with AD DS-integrated zones that include tens of thousands of resource records. c. For DNS servers that host zones stored as files and include tens of thousands of resource records. d. Both B and C are correct. Jump to answers. 8. What type of query is a DNS server performing when it contacts one of the Internets root servers to learn the IP address of the authoritative name server of a DNS domain? a. Forwarding query b. Authoritative query c. Root lookup d. Recursive query e. External query Jump to answers. 9. Your organization uses WINS for name resolution between user computers so that staff members are able to use a collaboration tool that requires direct connections between those computers. You know that WINS is an old protocol and it is approaching its end of life. Would enabling a GlobalNames zone be a good way to completely replace WINS? a. Yes b. No Jump to answers.
The Precision Guide to Windows Server 2008 Active Directory Configuration (MCTS Exam 70-640)
10. You are about to enable record aging and scavenging for a new AD DS-integrated zone. You expect to add manual records for many servers that will not need to be updated very often. How can you ensure that these static records are not deleted when scavenging occurs? a. Be sure to mark each record as exempt when creating them with the New Resource Record wizard b. After creating a static record, manually edit the time stamp and set it to zero. c. Do nothing. By default, static records are given a time stamp of zero and any record with such a time stamp is exempt from aging and scavenging. d. Set the TTL for the record to zero. Jump to answers. 11. Which of the following is not a way for a Windows Server 2008 server running the DNS Server service to learn about updates to resource records? a. Initiating push-pull replication with a root server. b. Receiving a DNS Notify message. c. Initiating a zone transfer. d. AD DS-integrated replication. e. Accepting dynamic updates from a DHCP server or client. f. The DNS administrator editing a static resource record. Jump to answers. 12. You manage a new public-facing server that is designed to share information with a select group of your organizations business partners. Ideally, both organizations would deploy a robust federated identity solution to ensure that only authorized users connect to the server. However, its going to take a lot of time to negotiate arrangements with each partner. In the interim, you recommend leveraging _____________________ to provide some rudimentary security by limiting incoming traffic to certain domains. Jump to answers. 13. You want to customize what domain controllers will participate in replication of an AD DS-integrated zone. To do this you need to create a _____________________. Jump to answers. 14. Look at the following figure. Which tab would you click to enable or disable recursive queries?
Figure 1.12. DNS Server properties dialog box a. Forwarders b. Advanced c. Root Hints d. Debug Logging e. Event Logging f. Monitoring g. Security Jump to answers. 15. Whats the recommended method for maintaining resource records for client computers that are members of an AD DS domain? a. Manually create and maintain a static record for each computer. b. Use incremental zone transfers. c. Use an AD DS-integrated zone with dynamic updates enabled. d. Use an AD DS-integrated zone configured to only allow secure dynamic updates. Jump to answers.
Answers
1. C is the correct answer. Secondary zones cannot be AD DS-integrated under any circumstances. Questions that involve negative cases such as this appear regularly in Microsoft exams; that is, scenarios in which you are told to do something that cannot or should not be done. Return to question.
The Precision Guide to Windows Server 2008 Active Directory Configuration (MCTS Exam 70-640)
2. B is the correct answer. Although you do not have enough information to make a complete design for replication, you certainly have enough to know which method will most likely meet the stated requirements. Using the forest-wide application directory partition will generate more replication traffic than the domain-wide one. You cannot force the use of full zone transfers, because the DNS Server service automatically attempts to use incremental zone transfers for zones that are not AD DSintegrated. However, because all of the DNS servers are also domain controllers, AD DS-integration ensures that updates are quickly replicated and that replicated traffic is compressed. Return to question. 3. The use cases and record types should be matched as follows: a. 2, because MX records contain information about mail hosts for a DNS domain. b. 5, because multiple CNAME records can be used to map the same hostname to multiple IP addresses. c. 4, because PTR records are used for reverse lookups, and a web server log tool is likely to use reverse lookups to determine what domains host the various clients that have visited the site. d. 1, because AAAA records are used for IPv6 addresses. e. 3, because SRV records are used to identify domain controllers for an Active Directory domain, and computers that belong to such a domain attempt to authenticate themselves and download configuration information during the operating system boot process. Return to question. 4. D is the best answer. With the limited information available, nslookup is a good tool to begin troubleshooting. Nslookup is a command prompt diagnostic tool for DNS; you can use it to extract information about DNS zones and their contents from DNS servers that allow your host to connect. Although the exam probably will not include extensive questions about nslookup, it is likely that you will encounter some, and therefore you should familiarize yourself with its basic functionality. Ping is useful for determining whether there are network issues at the IP layer, but DNS name resolution occurs above that and therefore its not a good tool for this scenario. Arp is a tool for examining and configuring the address resolution protocol (ARP) cache; ARP is the protocol that is used to map IP addresses to physical network addresses that are assigned to network interface cards. DNS Manager and dnscmd are tools for configuring the DNS Server service; although they might be needed to correct problems, they may not be ideal for initial diagnostics. Return to question. 5. D is the correct answer. Nslookup is not used to configure the DNS Server service, /EnlistDirectoryPartition is the wrong option for making a new partition, and the name of the DNS server should be the first option in the command. This question may appear to be capricious, requiring you to memorize all of the arcane options of dnscmd, but similar questions do appear on the exams. Rather than trying to memorize every single option available, make sure you remember the basic syntax used on nearly every action, such as the DNS server name is always the first option; the second always specifies the action to take; and parameters to apply to the action come next. Also memorize the most common actions, such as creating zones and records, delegating zones, and configuring zone transfers. Finally, memorize the procedures that can only be performed from the command prompt, such as enabling the GlobalNames zone. Return to question. 6. A is the correct answer. Return to question. 7. B is correct. Although background zone loading will reduce the time needed to start the DNS Server service, the impact will probably only be noticeable for very large zones. Return to question. 8. D is correct. DNS servers contact the root servers that are listed in their root hints to learn the IP addresses for authoritative name servers for other domains. Typically, they do this while performing a recursive query on the part of a client computer. Return to question. 9. No is correct. Although the new GlobalNames zone feature is designed to help enterprises migrate away from WINS for name resolution, it is not sufficiently scalable for completely replacing WINS. There are other alternatives, though; perhaps the collaboration tool will work with DNS name resolution, or you could enable WINS integration for the zones that correspond to your AD DS
10.
11.
15.
domains. Return to question. C is correct. It is not possible to mark a record as exempt. Rather, there is a check box you can enable or disable entitled Delete this record when it becomes stale; however its not necessary to configure it because its automatically disabled when a static record is created. Its also not necessary to change the time stamp, because it is automatically set to zero for static records. The TTL has no impact on aging and scavenging. Return to question. A is correct. There are many ways in which a DNS server can learn about changes to resource records, but answer A is entirely fictional. Return to question. The correct term is reverse lookups. Return to question. The correct term is DNS application directory partition. Return to question. B is the correct answer. The first checkbox visible in the Server options text box is used to enable and disable recursive queries on the server. Return to question. D is the correct answer. Answer A is not scalable; answer B doesnt address the stated requirements; also, answer B is less desirable because malicious users could add records to the zone and potentially redirect clients to hostile servers under their control. Return to question.
References
How DNS Works, by Microsoft Corporation at: http://technet.microsoft.com/enus/library/dd197446(WS.10).aspx. RFC 1034, Domain NamesConcepts and Facilities, at http://www.ietf.org/rfc/rfc1034.txt. RFC 1035, Domain NamesImplementation and Specification, at http://www.ietf.org/rfc/rfc1035.txt.