
Praise for the Precision Guide Series

Invaluable reference material that was a fantastic resource for my MCITP exam preparations! Terry Silva (MCTS), Melbourne, Australia.
Just wanted to drop you a note of appreciation for the study guide you put together. I'm taking my last test soon and your study guide was helpful. Joe Stocker in Austin.
Kurt, your study guides are fantastic! Tina Thorson at www.pcrepairnorthshore.com in New York.
"Would like to use this opportunity to thank you for the time and effort you put in this book, I will be taking my exam in a few months for the second time since I failed the first attempt, and I hope with the help of this book I'll pass." Mubiana Mubiana in Namibia.
The study guides look great! Nik in Sydney, Australia.
Thanks for publishing the study guides. With your help, I should be able to pass 70-640! Mike Brown.
Great book, concise, accurate, well written, hard to believe it was self-published. James in Lebanon, PA.
Now that you're done will you finally help Ariana with her homework? Beatriz in Argentina.

About the Book


In today's competitive IT job market, few things increase your value like professional distinctions, such as the Microsoft Certified IT Professional: Enterprise Administrator certification. This precision guide provides complete coverage for the exam; it's packed with information and challenging example test questions. Kurt Dillard has passed the exams for this certification, and he has held the MCITP certification since its inception in 2008. He has also helped author questions for other Microsoft certification exams in the past. This guide is peppered with real-life anecdotes that reinforce the learning and bring the text to life. Work at your own pace with this guide that covers all of the exam topics and is organized to follow the exam objectives published by Microsoft at http://www.microsoft.com/learning/en/us/certification/certdefault.aspx. This guide represents a tremendous value, as you will find that other published guides covering the same certification exam cost many times more.

About the Author


Although I grew up in Boston and Austin, I relocated to Corrientes, Argentina, a few years ago so that my family and I could be closer to my in-laws. I write books, articles, and other documents on the challenges of information security for a variety of organizations including Microsoft and the U.S. Federal Government. For some time now, I've been answering technical inquiries sent to the mailing lists of NIST's Federal Desktop Core Configuration (FDCC) and the United States Government Configuration Baselines (USGCB), developing and maintaining Security Content Automation Protocol (SCAP) content, and assisting with the creation of other resources available on the FDCC and USGCB websites at http://usgcb.nist.gov. I have collaborated with other engineers and IT pros on numerous security guides and tools published by Microsoft, including the Windows Server 2008 Security Guide, Windows 7 Security Guide, and the Security Compliance Manager. For more information about these Microsoft resources and tools see the following websites at http://go.microsoft.com/fwlink/?LinkId=113939 and http://social.technet.microsoft.com/wiki/contents/articles/774.aspx. I have also co-authored several books on computer software and operating systems and served as a technical editor for many other titles. Periodically, I present at conferences including RSA, TechEd, NIST's Security Content Automation Conference, and the Microsoft Federal Security Summit. As of this writing these are some of the industry certifications that I hold: CISSP, ISSAP, CISM, MCITP: EA and MCSE + Security.

Kurt near the Parana River in Corrientes, Argentina

Acknowledgements
First, I need to thank my wonderful wife Beatriz and our two spectacular kids, Ariana and Federico. I also want to thank the two great editors who I've been working with for the past 10 years on various projects: John Cobb and Steve Wacker. Thanks also to all of the readers who took the time to send their feedback and suggestions that helped to make this version of the book so much better. I also want to thank my chums in #banter; we've been through a lot together over the last 15 years! Last, but hardly least, my best friend of 25 years Jim Martin, who reviewed various drafts and made many useful suggestions, has my eternal gratitude.

The Precision Guide to Windows Server 2008 Active Directory Configuration: MCTS Exam 70-640 Study Guide
Copyright 2011 by Kurt Dillard
kurt@kurtdillard.com
www.kurtdillard.com
While every precaution has been taken in the preparation of this book, the author makes no warranties or guarantees regarding its accuracy or completeness. This book is published as is; the author does not make any warranty of fitness for a particular purpose. The book is offered with the understanding that the author is not engaged in offering professional services of any kind; if professional assistance is required, the services of a competent professional person should be engaged. The publisher assumes no responsibility for errors or omissions or for damages arising from the use of information contained within the book.

Contents
Praise for the Precision Guide Series
About the Book
About the Author
Acknowledgements
Chapter 1: Configuring DNS for Active Directory
  Configuring DNS Zones
  Start of Authority (SOA)
  Managing Other Resource Records
  Understanding DNS Zones
  Expert Discussion: Why Background Zone Loading is Important
  Zone Aging and Scavenging
  Understanding Forward Lookups and Reverse Lookups
  Exercise 1: Prepare Your Practice Lab
  Configuring Zone Transfers and Replication
  Configuring Zone Transfers
  Configuring DNS Notify
  Using Secure Zone Transfers
  Exercise 2: Build Your AD DS Domain
  Defining Replication Scope for AD DS-Integrated Zones
  Expert Discussion: What is the GlobalNames Zone?
  Configuring Additional DNS Server Options
  Updating Root Hints
  Configuring Server Forwarding
  Configuring Round Robin DNS
  Disabling Recursion
  Securing the Cache from Names Pollution
  Implementing Zone Delegation
  Summary
  Chapter Review Questions
  Answers
  References
Chapter 2: Configuring the Active Directory Infrastructure
  Managing Forests and Domains
  Implementing Domain Controllers
  Working with Previous Versions of AD DS
  Ensuring Group Policy Modeling Works Correctly
  Migrating from Windows NT 4.0 Domains
  Decommissioning Domain Controllers
  Configuring Trusts
  Other Management Tasks
  Configuring Sites and Replication
  Adding Sites
  Creating Active Directory Subnets
  Managing Site Links
  Understanding Bridgehead Servers
  Exercise 1: Adding the Distributed File System Role Service
  Configuring Distributed File System
  Configuring the Global Catalog
  Adding and Removing the Global Catalog
  Managing Items in the Global Catalog
  Enabling Universal Group Membership Caching
  Managing Operations Masters
  Seizing and Transferring Operations Masters
  Introducing the Database Mounting Tool
  Configuring the Time Service
  Summary
  Chapter Review Questions
  Answers
  References
Chapter 3: Configuring Additional Active Directory Server Roles
  Configuring Active Directory Lightweight Directory Services
  AD LDS Management Tools
  Creating Instances and Application Partitions
  Configuring AD LDS Data
  Configuring AD LDS Authentication
  Exercise 1: Preparing Your Lab for Additional Server Roles
  Configuring Active Directory Rights Management Services
  Understanding How AD RMS Works
  Installing AD RMS
  Managing AD RMS
  Provisioning RMS Clients
  Configuring Read-Only Domain Controllers
  Deploying Read-Only Domain Controllers
  Configuring RODC Password Replication Policy
  Administrator Role Separation
  Other RODC Considerations
  Configuring Active Directory Federation Services
  Installing AD FS
  Configuring the AD FS Proxy and AD FS Agents
  Configuring the Federation Service
  Summary
  Chapter Review Questions
  Answers
  References
Chapter 4: Creating and Maintaining Active Directory Objects
  Creating and Maintaining Accounts
  Creating User Accounts
  Creating Group Accounts
  Creating Computer Accounts
  Maintaining Accounts
  Creating Organizational Units and Delegating Administration
  Creating and Maintaining Group Policy Objects
  How Group Policy Objects Work
  Creating and Applying Group Policy Objects
  Introducing Group Policy Preferences
  Configuring Group Policy Settings
  A Brief History of Security Guidance for Windows
  Using Group Policy to Deploy Software
  Configuring Account Policies
  Configuring Audit Policies
  Summary
  Chapter Review Questions
  Answers
  References
Chapter 5: Maintaining the Active Directory Environment
  Configuring Backup and Recovery
  Real World Example of Why You Want to Verify Your Backups Work!
  Using Windows Server Backup
  Restoring Active Directory Data
  Using the Database Mounting Tool
  Performing Offline Maintenance
  Conducting Offline Defragmentation
  Configuring Active Directory Database Storage Allocation
  Understanding Restartable Active Directory
  Monitoring Active Directory
  Using Task Manager
  Using Event Viewer
  Monitoring Active Directory Replication
  Using the Reliability and Performance Monitor
  Using Windows System Resource Manager
  Using Network Monitor
  Troubleshooting Group Policy Using RSoP
  Summary
  Chapter Review Questions
  Answers
  References
Chapter 6: Configuring Active Directory Certificate Services
  Installing Active Directory Certificate Services
  Comparing Stand-alone and Enterprise Certificate Authorities
  Understanding Certificate Authority Hierarchies
  Creating a Certificate Practice Statement
  Configuring CA Server Settings
  Archiving Certificate Authority Keys
  Backing Up and Restoring the Certificate Authority Database
  Delegating Certificate Authority Administration
  Managing Certificate Templates
  Configuring Certificate Template Security
  Managing Multiple Certificate Template Versions
  Managing Certificate Enrollment
  Processing Certificate Requests
  Configuring Autoenrollment
  Configuring Web Enrollment
  Configuring Smart Card Enrollment
  Configuring Enrollment Agents
  Configuring the Network Device Enrollment Service
  Managing Certificate Revocation
  Managing Certificate Revocation Lists
  Configuring a CRL Distribution Point
  Configuring Online Responders
  Summary
  Chapter Review Questions
  Answers
  References

Chapter 1: Configuring DNS for Active Directory


The Domain Name System (DNS) is a highly scalable system for mapping hostnames to numerical Internet Protocol (IP) addresses. On Transmission Control Protocol / Internet Protocol (TCP/IP) networks such as the Internet, computers are assigned unique IP addresses. These numerical addresses are not very user friendly, so computers are also given a host name. The domain name system is a hierarchical naming system for organizing computers into domains and mapping IP addresses to host names. When a user enters a DNS name such as www.kurtdillard.com into an application, DNS services find the IP address assigned to that host name. DNS is a critical piece of any network that includes Active Directory Domain Services (AD DS). Member computers use DNS to find domain controllers and other servers for various activities such as authentication, accessing file shares, and browsing web servers. Understanding how to deploy and manage the DNS Server role in Windows Server 2008 will help you to more effectively leverage AD DS in your organization. This chapter explains managing DNS zones, replication, and other DNS settings; you will learn how to achieve the following tasks:

Configure zones
Configure DNS server settings
Configure zone transfers and replication

Configuring DNS Zones


DNS records are partitioned into zones, which contain resource records for the hosts that belong to the corresponding portion of the DNS namespace. The namespace for a zone can include one or multiple DNS domains. Zones are maintained by DNS servers, and a zone can be stored as a file or within AD DS. If stored within AD DS, the size of the zone affects how long it takes for DNS to initialize because the zone data must be retrieved from AD DS. We'll explore this topic more later in this section. You might want to delegate a portion of the DNS namespace for a couple of reasons. For example, you might want to assign management to a department within the organization, or improve performance by spreading the load of a large DNS database across separate DNS servers. Or, in a more extended example, you might want to store all of the records for your publicly accessible hosts in one zone; for example, the zone might include kurtdillard.com, which could include hosts named www.kurtdillard.com, ftp.kurtdillard.com, and mail.kurtdillard.com. Internal hosts could be organized by geographic location within subdomains, with each stored as a separate zone; for example, americas.kurtdillard.com and europe.kurtdillard.com. This example is represented in the following figure. In the rest of this section we will explore the various kinds of zones available in Windows Server 2008 and how to manage them.

The Precision Guide to Windows Server 2008 Active Directory Configuration (MCTS Exam 70-640)

Figure 1.1. DNS Zone Delegation example

Start of Authority (SOA)


The first record in any DNS zone is the Start of Authority (SOA) Resource Record (RR). The SOA RR specifies the authoritative DNS server for the zone; that is, the best source of data for the zone. Depending upon the installation options, the SOA RR may or may not be automatically added for a new zone. The following screenshot shows DNS Manager Microsoft Management Console (MMC) with various elements highlighted. This example shows the first domain controller in a new domain within a new forest, and the SOA record was automatically created during the installation of AD DS.

Chapter 6: Configuring Active Directory Certificate Services

Figure 1.2. DNS Manager

To manage the SOA record for a zone, navigate to the desired zone within DNS Manager and then right-click the SOA record and select Properties. The following screenshot shows the properties of the SOA RR from my test domain. In most cases, the default values for refresh, expiration, and time to live (TTL) are sufficient. You may wish to increase these values to reduce the amount of DNS traffic on your network. However, increasing the values will cause DNS clients to take longer to learn about configuration changes, and it's likely they will have problems finding other hosts on your network in the meantime.

Figure 1.3. Start of Authority Resource Record

Managing Other Resource Records


There are other types of resource records in addition to the SOA RR. Each type has a specific purpose that is related to helping clients locate remote hosts and services. The most common kinds are:

Host (A) resource records. This type of record maps a hostname to a 32-bit IPv4 address.
AAAA resource records. This type of record maps a hostname to a 128-bit IPv6 address.
Name Server (NS) records. This type of record maps a domain name to a list of DNS servers that are authoritative for the domain.
Service location (SRV) resource records. This type of record maps a DNS domain name to a list of computers that provide a service. For example, SRV RRs are required for computers to locate AD DS domain controllers.
Mail exchange (MX) resource records. This type of record maps a DNS domain name to the name of a mail exchange computer for the domain.
Alias (CNAME) resource records. Also called canonical name records, this type of record allows you to configure multiple DNS names to resolve to a single host.
Pointer (PTR) resource records. This type of record is used for the reverse lookup process, which is discussed in more detail later in this chapter.

Resource records can be added to and updated in the database manually or automatically. The manual process, also referred to as Non-Dynamic DNS (NDDNS), is useful when adding records that are unlikely to change for a long time, such as public-facing web and mail servers.

To manually add a static record using DNS Manager:
1. Right-click the desired zone and select Other New Records.
2. Select the type of record to create from the Select a resource record type drop-down list.
3. Click Create Record.
4. Enter the information for the new record in the New Resource Record dialog box, and click OK to add the record to the database. The type of information required for the new record will vary depending upon its type.

To manually add a record using a command prompt, open a command prompt with administrative privileges, type the following command, and press Enter:

dnscmd <ServerName> /RecordAdd <ZoneName> <NodeName> [/Aging] [/OpenAcl] [<TTL>] <RRType> <RRData>

As you can see, the command has many options. The following table briefly explains each option. You can view more detailed information about all of these options by entering the following command:

dnscmd /RecordAdd /help

Table 1.1. Dnscmd Options when Adding Records
Parameter       Description
<ServerName>    This is a required parameter. Specify either the host name or IP address of the DNS server where the record is to be created.
/RecordAdd      This is a required parameter that specifies what action is to be taken, in this case to add a new record.
<ZoneName>      This is a required parameter. The fully qualified domain name (FQDN) of the zone.
<NodeName>      This is a required parameter. The FQDN of the node.
[/Aging]        This optional parameter specifies that the record may be aged and scavenged.
[/OpenAcl]      This optional parameter specifies that the record may be modified by any user; without this parameter only administrators are able to do so.
[<TTL>]         This optional parameter specifies the time to live (TTL) for the record.
<RRType>        This is a required parameter. It specifies what kind of record to add; for example, A, AAAA, MX, NS, CNAME, SRV, or PTR.
<RRData>        These are required parameters that vary depending upon the type of record being added. Each of these parameters must be separated by a space.

Enterprise networks can be large, with hundreds of thousands of hosts, and managing static records for so many hosts isn't feasible. To address this challenge, Windows Server 2008 also supports dynamically updated records. Records can be dynamically updated by the DHCP Client Service on the client computer when it registers itself with the DNS server upon boot-up. Alternatively, DHCP servers (if they support the feature) can be configured to register clients when they assign an address. There are two methods available for dynamic updates: Dynamic DNS (DDNS) and Secure Dynamic DNS (SDDNS). DDNS is the less secure choice, because updates can be accepted from untrusted hosts. However, DDNS is supported by a wider range of operating systems. SDDNS is only available for AD DS-integrated zones, and it's the preferred configuration whenever possible. The default setting for new zones is NDDNS, that is, dynamic updates are disabled, unless the new zone is integrated with AD DS, in which case SDDNS is the default setting.

To enable or disable dynamic updates in DNS Manager, right-click the desired zone and select Properties, then make the appropriate selection in the Dynamic Updates drop-down list and click OK. To configure dynamic updates from a command prompt, type the following command and press Enter:

dnscmd <ServerName> /Config {<ZoneName> | ..AllZones} /AllowUpdate 2

The following table briefly explains what each of the command line options means.

Table 1.2. Dnscmd Parameters when Configuring a Zone
Parameter                   Description
<ServerName>                This is a required parameter. Specify either the host name or IP address of the DNS server where the zone is stored.
/Config                     This is a required parameter that specifies what action is to be taken, in this case to modify the specified zone.
<ZoneName> or ..AllZones    This is a required parameter. The fully qualified domain name (FQDN) of the zone. To configure all zones stored on the server, type ..AllZones.
/AllowUpdate                This is a required parameter; it enables dynamic updates.
2                           This optional parameter specifies secure updates only. If it is omitted, the zone will only allow standard dynamic updates.

Tip: The graphical tool for DNS administration in Windows Server 2008 is the DNS Manager MMC, referred to in the rest of this chapter as DNS Manager. There is also a command prompt tool available which is useful for managing Server Core installations and scripting of administrative tasks called dnscmd. Although many administrators will be most comfortable using DNS Manager, you may also want to familiarize yourself with the command prompt tool.

Understanding DNS Zones


The DNS Server role supports three different types of zones: primary, secondary, and stub. Only primary and stub zones can be configured as AD DS-integrated zones if the server is a domain controller in an AD DS domain. The difference between integrated and non-integrated zones is where zone information is stored. AD DS-integrated zones are stored within Active Directory itself. Zones that are not integrated are stored as text files; their default location is %windir%\System32\dns.
Caution: Although it may be tempting to edit these DNS text files in Notepad or some other text editor, Microsoft strongly recommends that you do not. Instead, you should always use the built-in tools such as DNS Manager to configure zones and resource records to ensure proper formatting and versioning.

Primary
A primary zone is the writable master copy of a zone. A DNS server that hosts the primary zone is the authoritative source for information about that zone.

Secondary
A secondary zone is a read-only copy of a zone. A server that hosts a secondary zone must download the zone data and ongoing updates to the data from another server hosting the same zone. A secondary copy cannot be stored in AD DS because it is merely a copy of a primary zone stored on another server.

Stub
A stub zone is a copy of the primary zone that only contains resource records for the authoritative DNS servers for that zone. A server that hosts a stub zone must download the zone data and ongoing updates to the data from another server hosting the same zone. When properly implemented, stub zones can improve name resolution efficiency by allowing DNS servers to complete recursive queries without having to query the Internet or internal root servers. Stub zones also tend to be less processor-intensive than conditional forwarding.


Expert Discussion: Why Background Zone Loading is Important


Background zone loading is a new feature in Windows Server 2008 that large organizations may find to be very useful. In previous versions of the DNS Server service, all of the DNS data stored in AD DS had to be downloaded before the server would start responding to DNS queries. Some large organizations had to endure waits of an hour or more when restarting their DNS servers. In Windows Server 2008, the DNS Server service can start responding to client requests much more quickly because it is able to do so while continuing to retrieve zone data from AD DS. When a client requests data for a zone that has already been loaded, the DNS server responds as it typically would. When a client requests data for a zone that hasn't been loaded yet, the information is retrieved from AD DS on demand and provided to the client.

Creating New Zones


To create a new zone in DNS Manager, right-click either the DNS Server, Forward Lookup Zones, or Reverse Lookup Zones. If the first option is used, the wizard will display an additional page asking whether to create a forward or reverse lookup zone. The wizard will prompt you to specify information such as zone type, zone name, and dynamic updates (described earlier in this chapter); however, the wizard will also ask you to specify the replication scope as shown in the following screenshot. Replication scope is discussed in more detail later in this chapter.

Figure 1.4. Selecting the Active Directory replication scope in the New Zone Wizard

To create a new zone from a command prompt, type the following command and press Enter:

dnscmd <ServerName> /ZoneAdd <ZoneName> {/Primary|/DsPrimary|/Secondary|/Stub|/DsStub} [/file <FileName>] [/load] [/a <AdminEmail>] [/DP <FQDN>]

Again, there are many options available. The following table briefly explains each option.

Table 1.3. Dnscmd Parameters when Creating a Zone
Parameter                                               Description
<ServerName>                                            This is a required parameter. Specify either the host name or IP address of the DNS server where the zone is stored.
/ZoneAdd                                                This is a required parameter that specifies what action is to be taken, in this case to add a new zone.
<ZoneName>                                              This is a required parameter. The fully qualified domain name (FQDN) of the zone.
{/Primary | /DsPrimary | /Secondary | /Stub | /DsStub}  This is a required parameter for defining the zone type; /DsPrimary and /DsStub indicate AD DS-integrated zones.
[/file <FileName>]                                      This parameter is required only when creating a primary zone that is not integrated with AD DS.
[/load]                                                 This optional parameter loads an existing file; otherwise the default zone records are automatically generated.
[/a <AdminEmail>]                                       Use this optional parameter to specify an email address for the zone's administrator.
[/DP <FQDN>]                                            Use this optional parameter to specify the FQDN of the application directory partition where the zone is to be added.

Zone Aging and Scavenging


Out-of-date resource records can accrete in a zone database much like barnacles on a freighter. If the number of stale records becomes substantial, performance could be affected in the following ways: unnecessary consumption of disk space, slower responses to queries, and outdated information being sent to clients. In some cases, a stale record may prevent its name from being reused by other hosts in the domain. By observing the time stamps on resource records, the DNS Server service can automatically remove records when they've aged beyond the time limit you have specified. To use these features, they must be enabled at both the DNS server and zone levels.
Caution: There is a reason why the aging and scavenging features are disabled by default: if implemented incorrectly, records may be deleted that are still needed. For this reason, only implement these features when you fully understand all of the options that are available.

Typically, only dynamically updated records are configured to be scavenged, because static records are usually for servers that are going to be sharing resources for a relatively long time. By default, static records are given a time stamp of zero, which exempts them from aging and scavenging. You can change this by modifying the records individually to permit them to use a current time stamp instead. The zone aging and scavenging concepts use the following terms, with which you should familiarize yourself:

No-refresh interval. The period of time between the last refresh and the moment when the time stamp can be refreshed again.
Refresh interval. The period of time from when a record is refreshed to when it can be scavenged. This interval must be greater than the maximum refresh period.
Scavenging period. The period of time between scavenging operations.
Record refresh. A refresh occurs when a dynamic update is processed and the only change made to the record is to update its time stamp. This happens when a computer restarts, every 24 hours when the computer attempts to update its record, and when other network services attempt a refresh.
Record update. An update occurs when a dynamic update is processed and other characteristics are modified in addition to its time stamp.
Scavenging servers. It's possible to restrict scavenging to a specific list of DNS servers, identified by their IP addresses.

To configure aging and scavenging for a zone in DNS Manager:
1. Right-click the zone and select Properties.
2. Click Aging on the General tab of the dialog box.
3. Select the Scavenge stale resource records check box.
4. Modify the other properties as appropriate.

To configure aging and scavenging for a zone from a command prompt, type the following command and press Enter:

dnscmd <ServerName> /Config <ZoneName> {/Aging <Value>|/RefreshInterval <Value>|/NoRefreshInterval <Value>}

The following table briefly explains each option.

Table 1.4. Dnscmd Parameters for Scavenging at the Zone Level
Parameter                    Description
<ServerName>                 This is a required parameter. Specify either the host name or IP address of the DNS server where the zone is stored.
/Config                      This is a required parameter that specifies what action is to be taken, in this case to modify the specified zone.
<ZoneName>                   This is a required parameter. The fully qualified domain name (FQDN) of the zone.
/Aging <Value>               This is a required parameter. Set the value to 1 to enable aging, or 0 to disable it.
/RefreshInterval <Value>     This is a required parameter. It specifies the refresh interval in hours, 168 by default.
/NoRefreshInterval <Value>   This is a required parameter. It specifies the no-refresh interval in seconds, 3600 by default.

To configure aging and scavenging for a DNS server, in DNS Manager right-click the server and click Set Aging/Scavenging for all zones; then select the Scavenge stale resource records check box and modify the other properties as appropriate. To configure aging and scavenging for a DNS server from a command prompt, type the following command and press Enter:

dnscmd <ServerName> /Config {/ScavengingInterval <Value>|/DefaultAgingState <Value>|/DefaultNoRefreshInterval <Value>|/DefaultRefreshInterval <Value>}

The following table briefly explains each option.

Table 1.5. Dnscmd Parameters for Scavenging at the Server Level
Parameter                           Description
<ServerName>                        This is a required parameter. Specify either the host name or IP address of the DNS server to configure.
/Config                             This is a required parameter that specifies what action is to be taken, in this case to modify the server-wide settings.
/ScavengingInterval <Value>         This required parameter specifies the scavenging frequency for all zones enabled for scavenging.
/DefaultAgingState <Value>          This required parameter sets the default aging configuration for all zones. 1 enables aging and 0 disables it.
/DefaultRefreshInterval <Value>     This is a required parameter. It specifies the default refresh interval in hours.
/DefaultNoRefreshInterval <Value>   This is a required parameter. It specifies the default no-refresh interval in seconds.
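The following model is an added example written for this edition of the chapter; it is not code from the book and it is not how the Windows DNS Server service is implemented. It ties the terms above together: a static record (time stamp zero) is never touched, a refresh that arrives inside the no-refresh interval is dropped, a data change is always applied, and a record becomes eligible for scavenging only after the no-refresh interval plus the refresh interval have elapsed since its last time stamp (Windows starts the refresh interval when the no-refresh interval ends). The class and method names, and the sample names and addresses, are assumptions made for the illustration.

```python
# Added example (not code from the book or from Windows Server): a model of
# how zone-level aging settings decide when a dynamic record is refreshed,
# when a refresh is suppressed, and when scavenging removes the record.
# Class and function names are assumptions made for this illustration.
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

HOUR = 3600  # all intervals below are kept in seconds


@dataclass
class ResourceRecord:
    name: str
    rtype: str
    data: str
    timestamp: int = 0  # seconds since epoch of the last refresh; 0 marks a static record


@dataclass
class Zone:
    """Zone-level settings corresponding to dnscmd /Aging, /NoRefreshInterval and /RefreshInterval."""
    aging: bool = False                    # /Aging 0 by default: scavenging is opt-in
    no_refresh_interval: int = 168 * HOUR  # 7 days
    refresh_interval: int = 168 * HOUR     # 7 days
    records: Dict[Tuple[str, str], ResourceRecord] = field(default_factory=dict)

    def add_static(self, name: str, rtype: str, data: str) -> None:
        """Statically added records get a zero time stamp, so they are never scavenged."""
        self.records[(name, rtype)] = ResourceRecord(name, rtype, data, timestamp=0)

    def dynamic_update(self, name: str, rtype: str, data: str, now: int) -> str:
        """Process a dynamic update from a client; returns what the server did with it."""
        key = (name, rtype)
        rec = self.records.get(key)
        if rec is None:
            self.records[key] = ResourceRecord(name, rtype, data, timestamp=now)
            return "added"
        if rec.timestamp == 0:
            return "static record left unchanged"
        if rec.data == data:
            # Only the time stamp would change: inside the no-refresh interval the
            # server drops the refresh so the record does not have to replicate again.
            if now < rec.timestamp + self.no_refresh_interval:
                return "refresh suppressed"
            rec.timestamp = now
            return "refreshed"
        # The data itself changed: an update is always applied and restamps the record.
        rec.data = data
        rec.timestamp = now
        return "updated"

    def scavenge_eligible_at(self, rec: ResourceRecord) -> int:
        """Earliest time the record can be scavenged: the refresh interval only
        starts once the no-refresh interval has ended, so both are added."""
        return rec.timestamp + self.no_refresh_interval + self.refresh_interval

    def is_stale(self, rec: ResourceRecord, now: int) -> bool:
        if not self.aging or rec.timestamp == 0:
            return False
        return now >= self.scavenge_eligible_at(rec)

    def scavenge(self, now: int) -> List[str]:
        """Remove stale records and return the names that were removed."""
        stale = [key for key, rec in self.records.items() if self.is_stale(rec, now)]
        for key in stale:
            del self.records[key]
        return [name for name, _ in stale]


@dataclass
class DnsServer:
    """Server-level setting corresponding to dnscmd /ScavengingInterval (0 disables it)."""
    scavenging_interval: int = 168 * HOUR
    last_run: int = 0
    zones: List[Zone] = field(default_factory=list)

    def tick(self, now: int) -> List[str]:
        """Run scavenging over every zone once the scavenging period has elapsed."""
        if self.scavenging_interval == 0 or now - self.last_run < self.scavenging_interval:
            return []
        self.last_run = now
        removed: List[str] = []
        for zone in self.zones:
            removed.extend(zone.scavenge(now))
        return removed


if __name__ == "__main__":
    zone = Zone(aging=True)
    t0 = 1_700_000_000  # constructed starting time
    zone.add_static("www", "A", "203.0.113.10")
    print(zone.dynamic_update("pc1", "A", "192.0.2.25", t0))
    print(zone.dynamic_update("pc1", "A", "192.0.2.25", t0 + 24 * HOUR))   # refresh suppressed
    print(zone.dynamic_update("pc1", "A", "192.0.2.25", t0 + 200 * HOUR))  # refreshed
    print(zone.scavenge(t0 + 536 * HOUR))  # ['pc1']; www survives because it is static
```

Running the script with the defaults shows the behaviour the caution above warns about: a host that stops refreshing (a laptop that is off for a fortnight) is removed at the 14-day mark, so a shorter refresh interval than the real refresh cadence of your clients removes records that are still in use.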

Understanding Forward Lookups and Reverse Lookups


A forward lookup occurs when a client looks for the IP address assigned to a particular hostname. The hostname can be resolved to an IP address in several different ways. If the hostname is less than 16 bytes long, the client will first attempt to resolve it using NetBIOS. If that fails, or if the hostname is longer, the client will check its own local cache of recent DNS queries, which includes the entries from the local hosts file (because it is pre-cached during boot-up). If the name is still unresolved, the client sends the query to its DNS server. The DNS server will answer the query directly if the information is in its database; if not, it checks its own cache of previous queries. If the hostname is still not resolved, the DNS server will start the recursion process, using the list of root hints to find the DNS servers that are authoritative for the domain where the host is located. By default, the list of root hints points to the publicly available root servers that host the top-level domains such as .com, .info, .org, and .us. So if the host name is www.kurtdillard.com, the DNS server will query one of the root servers to find the IP address of an authoritative DNS server for the kurtdillard.com domain. Next, it will query the kurtdillard.com DNS server to find the IP address for the host named www. It then returns the answer to the original client that requested it. The following figure illustrates the lookup process from the point where the client queries its primary DNS server.

The Precision Guide to Windows Server 2008 Active Directory Configuration (MCTS Exam 70-640)

Figure 1.5. Recursive forward lookup

DNS also supports reverse lookups, in which the client knows the IP address but wants to learn the primary hostname assigned to it. Why would anyone want to do that? There are many situations where it could be useful; for example, when parsing a website's log files, knowing the domains your visitors are coming from helps you better understand their usage patterns. An organization that hosts a publicly available Internet Relay Chat (IRC) service might want to track both hostnames and IP addresses in real time to facilitate handling any complaints of harassment or other unauthorized behavior. Reverse lookups were not part of the original specification for DNS, and the way domain names are organized and indexed is very different from how IP addresses are assigned. In addition, domain names are interpreted from right to left, while IP addresses are read in the opposite direction. This is the reason why the IP address octets are reversed when building the reverse lookup domain tree. A special domain, in-addr.arpa, is reserved to facilitate reverse lookups. A new reverse lookup zone consists of the reversed address of a subnet prepended to in-addr.arpa. That is, the subnet 192.168.2/24 would correspond to a zone named 2.168.192.in-addr.arpa. The DNS service can create a pointer (PTR) RR for each host record added to the original zone. The reverse lookup process is similar to a forward lookup. The client queries the DNS server for a PTR RR that maps to the IP address. The DNS server then reverses the address and appends the in-addr.arpa domain to it. It then performs the lookup process normally, first looking locally and then performing a recursive query if necessary. The following figure illustrates a simple reverse lookup in which the server named www.kurtdillard.com wants to know the hostname for the client that has initiated communications.
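To make the referral chain and the reverse-naming rule concrete, here is an added Python example. It is not code from the book (the book's procedures use DNS Manager and dnscmd); it models a recursive DNS server that walks from a root hint through referrals, caches the answer, and then performs a reverse lookup by building the in-addr.arpa name from the address. The server names (root-a, tld-com, tld-arpa, ns1-kurtdillard) and the 192.168.2.0/24 addresses are constructed sample data; the only name taken from the text is www.kurtdillard.com. The reverse_zone_name helper also accepts IPv6 prefixes (ip6.arpa), which goes beyond what the text covers.

```python
"""Added example (not from the book): a toy model of the recursive lookup
process driven from root hints through referrals, plus the in-addr.arpa /
ip6.arpa naming used by reverse lookups. Server names and addresses below
are constructed sample data."""
from ipaddress import ip_address, ip_network

# Constructed authoritative data. Each key is a server the resolver can ask;
# each value maps an owner name to a (type, rdata) pair. An NS entry names the
# next server to ask (glue addresses are omitted to keep the model small).
SERVERS = {
    "root-a": {"com.": ("NS", "tld-com"), "arpa.": ("NS", "tld-arpa")},
    "tld-com": {"kurtdillard.com.": ("NS", "ns1-kurtdillard")},
    "tld-arpa": {"2.168.192.in-addr.arpa.": ("NS", "ns1-kurtdillard")},
    "ns1-kurtdillard": {
        "www.kurtdillard.com.": ("A", "192.168.2.10"),
        "10.2.168.192.in-addr.arpa.": ("PTR", "www.kurtdillard.com."),
    },
}
ROOT_HINTS = ["root-a"]  # stands in for the contents of cache.dns


def fqdn(name):
    """Normalise a name to its absolute form with a trailing dot."""
    return name if name.endswith(".") else name + "."


class RecursiveResolver:
    """A DNS server answering on behalf of clients: cache first, then walk
    referrals from a root hint until an authoritative server answers."""

    def __init__(self, servers, root_hints):
        self.servers = servers
        self.root_hints = root_hints
        self.cache = {}
        self.queries = []  # (server asked, name) for every query sent out

    def resolve(self, name, qtype):
        qname = fqdn(name)
        if (qname, qtype) in self.cache:
            return self.cache[(qname, qtype)]
        server = self.root_hints[0]
        while True:
            self.queries.append((server, qname))
            zone = self.servers[server]
            if qname in zone and zone[qname][0] == qtype:
                rdata = zone[qname][1]
                self.cache[(qname, qtype)] = rdata
                return rdata
            server = self._closest_referral(zone, qname)
            if server is None:
                return None  # nobody in the chain is authoritative for it

    @staticmethod
    def _closest_referral(zone, qname):
        """Follow the NS entry whose owner is the longest suffix of qname."""
        best, best_len = None, -1
        for owner, (rtype, target) in zone.items():
            if rtype == "NS" and qname.endswith("." + owner) and len(owner) > best_len:
                best, best_len = target, len(owner)
        return best


def reverse_zone_name(cidr):
    """Zone name for a subnet: 192.168.2.0/24 -> 2.168.192.in-addr.arpa.
    IPv6 prefixes on nibble boundaries map to ip6.arpa (not covered by
    the book's text)."""
    net = ip_network(cidr)
    if net.version == 4:
        if net.prefixlen % 8:
            raise ValueError("IPv4 reverse zones need an octet-aligned prefix")
        labels = str(net.network_address).split(".")[: net.prefixlen // 8]
        suffix = "in-addr.arpa."
    else:
        if net.prefixlen % 4:
            raise ValueError("IPv6 reverse zones need a nibble-aligned prefix")
        labels = list(net.network_address.exploded.replace(":", ""))[: net.prefixlen // 4]
        suffix = "ip6.arpa."
    return ".".join(reversed(labels)) + "." + suffix


def ptr_name(ip):
    """Owner name of the PTR record for an address (octets reversed)."""
    return ip_address(ip).reverse_pointer + "."


def reverse_lookup(resolver, ip):
    """The server reverses the address, appends the arpa domain and then
    runs the ordinary lookup process for a PTR record."""
    return resolver.resolve(ptr_name(ip), "PTR")


if __name__ == "__main__":
    r = RecursiveResolver(SERVERS, ROOT_HINTS)
    print(r.resolve("www.kurtdillard.com", "A"), r.queries)
    print(reverse_zone_name("192.168.2.0/24"), reverse_lookup(r, "192.168.2.10"))
```

The queries list is the referral chain a packet capture would show for a cold cache (root, then the .com servers, then the zone's own name server); a second resolve of the same name is answered from the cache with no outbound query, which is the behaviour the text describes.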


Figure 1.6. Reverse lookup

Exercise 1: Prepare Your Practice Lab


To ensure that you understand how to perform the tasks related to managing Windows Server 2008, it's helpful to get hands-on experience with the software. The availability of free virtualization software and evaluation copies of Microsoft operating systems means that even students with very tight budgets can build themselves a flexible environment for becoming familiar with Windows Server 2008. There are numerous software-based virtualization products available; because it's free, easy to use, and reliable, I recommend that you download and install Microsoft Virtual PC. As with many of their products, if you simply append the product name to their public web address you'll get forwarded to the homepage for Virtual PC, where you can access the free download: www.microsoft.com/virtualpc. Install Virtual PC on your test computer; in most cases the default settings are sufficient. If you have multiple computers available, use the one with the most physical memory installed. A speedy hard drive and CPU also help, but RAM is the most important component for performance when using software virtualization.

You can download ISO images for both 32- and 64-bit versions of Windows Server 2008 from the Try It webpage: www.microsoft.com/windowsserver2008/en/us/try-it.aspx. Click the download link for trial software; I suggest that you do these exercises with the 64-bit build if your computer will support it. If this URL has changed, you should be able to find links to the evaluation software on the Windows Server 2008 webpage at www.microsoft.com/windowsserver2008. These files are very large; however, I am able to download them overnight and I live in Argentina, so surely you can find a way too! You could also try the virtual labs and the virtual hard drives. However, I prefer to download and build my servers because the virtual labs aren't as flexible and the virtual hard drive images currently available were built with pre-release versions of the operating system. After you download the ISO image you can burn it to a DVD, but it is not necessary to do so because Virtual PC is able to mount ISO images as if they were actual DVDs or CDs. If you are unfamiliar with Virtual PC, it includes extensive documentation in its help file.

To create a new virtual machine with Windows Server 2008 installed
1. Start Virtual PC and click New.
2. The New Virtual Machine Wizard starts. Click Next.
3. On the Options page, ensure that Create a new virtual machine is selected and then click Next.
4. Type a name for your new virtual machine. Click Browse if you want to specify a location other than the default for storing the configuration file for the virtual machine.
5. Click Next, then click Next again on the Operating System page.
6. Select Adjusting the RAM and type 512 in the text box, then click Next.
7. Select A new virtual hard disk and click Next.
8. Specify a path and file name for the virtual hard disk and click Next.
9. Click Finish.
10. Ensure that the new virtual machine is selected and click Start to launch it.
11. Click the CD menu and select Capture ISO Image.
12. Navigate to where you saved the ISO image and select it, then click Open. If the virtual machine boot process is already too far along to launch the installation from the ISO image, you can reboot it from the Action menu by selecting Reset.
13. You should be able to install Windows Server 2008 the same way you would if you were installing it on a physical computer. Use the default options throughout the installation, but be sure to select a sensible hostname when given the opportunity.

To make it easier to tear down and restart your practice lab, I suggest that you make a copy of the virtual hard disk file after the operating system installation is complete. Some of the other exercises require two servers, so you ought to make yet another copy.

Configuring Zone Transfers and Replication


Zone transfers were once the most common way to replicate DNS database updates between servers. In recent years, however, other replication mechanisms have become increasingly popular. There are two types of zone transfers: full and incremental. The DNS Server service in Windows Server 2008 supports zone transfers as well as AD DS replication. This section explores each of these features.

Configuring Zone Transfers


A full zone transfer is fairly simple. The client, also called the secondary or slave server, requests a copy of the zone from the server, also called the primary or master. The transfer starts with the SOA resource record. Because the serial number of the SOA RR is incremented each time there is a change to the zone, the client can compare the serial number of the current version of the SOA with its own copy; if they're identical, the client concludes that there haven't been any changes to the zone and the transfer is terminated. If the serial numbers differ, the client requests all of the remaining records for the zone. An incremental zone transfer differs in that the client sends its own copy of the SOA RR to the server; the server then compares the serial number with that of its own copy and sends only the changes that have occurred since that version of the SOA RR. Whenever it is feasible, AD DS-integrated zones rely on AD DS for replication between domain controllers. However, when file-based zone transfers are used, incremental zone transfers consume less network bandwidth than full transfers and are therefore the next best choice. For this reason, the DNS Server service in Windows Server 2008 requests incremental zone transfers when retrieving a zone from a primary server.


To configure zone transfers using DNS Manager
1. Right-click the desired zone, and then select Properties.
2. Click the Zone Transfers tab.
3. Enable or disable the Allow zone transfers check box.
4. If you have enabled transfers, select the appropriate radio button: To any server, Only to the servers listed on the Name Servers tab, or Only to the following servers, as shown in the following figure.
5. If you select the last button, click Edit and enter the IP addresses for each desired DNS server, as shown in figure 1.8.

Figure 1.7. Specifying what servers are allowed to request zone transfers.


Figure 1.8. Defining the list of IP addresses for servers allowed to request zone transfers.

To configure zone transfers from a command prompt, type the following command and press Enter:

dnscmd <ServerName> /ZoneResetSecondaries <ZoneName> {/NoXfr | /NonSecure | /SecureNs | /SecureList [<SecondaryIPAddress...>]}

The following table briefly explains each of the command line options.

Table 1.6. Dnscmd Parameters for Zone Transfers

<ServerName>: This is a required parameter. Specify either the host name or IP address of the DNS server where the zone is stored.
/ZoneResetSecondaries: This is a required parameter that specifies what action is to be taken, in this case to configure zone transfers for the specified zone.
<ZoneName>: This is a required parameter. The fully qualified domain name (FQDN) of the zone.
/NoXfr: This option disables transfers.
/NonSecure: This option permits transfers to any DNS server.
/SecureNs: This option permits transfers to servers listed in the zone using name server resource records.
/SecureList: This option permits transfers to the list of servers specified by <SecondaryIPAddress>.
<SecondaryIPAddress>: Required if /SecureList is used; a list of one or more IP addresses for DNS servers to be allowed to obtain transfers.

Configuring DNS Notify


When DNS Notify is enabled for a zone, the primary server will send messages to the secondary servers notifying them when changes have occurred. You enable DNS Notify from the Zone Transfers tab of the zone's properties dialog box by clicking the Notify button. You can indicate a specific list of servers or specify all servers on the Name Servers tab. When secondary servers receive the notification, they can initiate the normal zone transfer process. Configuring DNS Notify from the command prompt is a simple variation on configuring zone transfers. To do so, type the following command and press Enter:

dnscmd <ServerName> /ZoneResetSecondaries <ZoneName> {/NoNotify|/Notify|/NotifyList <IPaddress list>}

Table 1.7. Dnscmd Parameters for DNS Notify

<ServerName>: This is a required parameter. Specify either the host name or IP address of the DNS server where the zone is stored.
/ZoneResetSecondaries: This is a required parameter that specifies what action is to be taken, in this case to configure notification for the specified zone.
<ZoneName>: This is a required parameter. The fully qualified domain name (FQDN) of the zone.
/NoNotify: This option disables notification for the zone.
/Notify: This option enables notification for all servers on the Name Servers tab.
/NotifyList <IPaddress list>: This option enables notification for all servers provided in the subsequent list of IP addresses.

Note: DNS Notify is not necessary for AD DS-integrated zones because the DNS servers automatically poll the directory for changes on a regular basis.

Using Secure Zone Transfers


It is possible for malicious individuals to learn a great deal about your network from your DNS servers. If they are able to initiate full zone transfers for your internal and external zones, they can learn the host names and IP addresses of all of the computers listed in those zones. For this reason, it's a good idea to limit zone transfers to a list of authorized DNS servers when using file-based replication. You can accomplish this configuration within DNS Manager by selecting either Only to the servers listed on the Name Servers tab or Only to the following servers when configuring zone transfers, or by specifying either /SecureNs or /SecureList when using dnscmd from a command prompt.
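The full/incremental decision from the zone transfer section, the DNS Notify options, and the transfer restrictions discussed here fit together in one small model. The following is an added Python example, not code from the book or from the Windows DNS Server service. It simulates a primary zone that applies a /NoXfr, /NonSecure, /SecureNs or /SecureList policy to a secondary's request, chooses between a full (AXFR) and an incremental (IXFR) transfer from the SOA serial the secondary presents, and reports which servers a DNS Notify message would go to. The zone name kurtdillard.com comes from the text; the serial numbers, records and all IP addresses (the 192.168.2.x secondaries and the 203.0.113.9 outsider) are constructed.

```python
"""Added example (not from the book): how a primary server decides whether
to honour a zone transfer request, whether to send a full (AXFR) or an
incremental (IXFR) transfer, and whom to notify. Policy names mirror the
dnscmd /ZoneResetSecondaries options; all data is constructed."""
from dataclasses import dataclass, field
from enum import Enum


class TransferPolicy(Enum):
    NO_XFR = "/NoXfr"            # nobody may transfer the zone
    NON_SECURE = "/NonSecure"    # anyone may: the setting to avoid
    SECURE_NS = "/SecureNs"      # only servers named by the zone's NS records
    SECURE_LIST = "/SecureList"  # only an explicit list of addresses


class NotifyPolicy(Enum):
    NO_NOTIFY = "/NoNotify"
    NOTIFY = "/Notify"           # servers on the Name Servers tab
    NOTIFY_LIST = "/NotifyList"  # an explicit list of addresses


@dataclass
class PrimaryZone:
    name: str
    serial: int
    records: dict                                       # owner -> rdata
    ns_addresses: set = field(default_factory=set)      # addresses of the NS hosts
    policy: TransferPolicy = TransferPolicy.SECURE_NS
    secure_list: set = field(default_factory=set)
    notify: NotifyPolicy = NotifyPolicy.NOTIFY
    notify_list: set = field(default_factory=set)
    history: dict = field(default_factory=dict)         # serial -> changes behind it

    def transfer_allowed(self, client_ip):
        if self.policy is TransferPolicy.NO_XFR:
            return False
        if self.policy is TransferPolicy.NON_SECURE:
            return True
        if self.policy is TransferPolicy.SECURE_NS:
            return client_ip in self.ns_addresses
        return client_ip in self.secure_list

    def notify_targets(self):
        """Which secondaries receive a DNS Notify message after a change."""
        if self.notify is NotifyPolicy.NO_NOTIFY:
            return set()
        if self.notify is NotifyPolicy.NOTIFY:
            return set(self.ns_addresses)
        return set(self.notify_list)

    def update(self, owner, rdata):
        """Every change bumps the SOA serial and is remembered for IXFR."""
        self.serial += 1
        self.records[owner] = rdata
        self.history[self.serial] = [(owner, rdata)]
        return self.notify_targets()

    def handle_transfer(self, client_ip, client_serial, incremental=True):
        """What a secondary gets back when it presents its SOA serial."""
        if not self.transfer_allowed(client_ip):
            return {"status": "REFUSED"}
        if client_serial == self.serial:
            return {"status": "UP_TO_DATE"}  # serials match: nothing changed
        needed = range(client_serial + 1, self.serial + 1)
        if incremental and client_serial < self.serial and all(s in self.history for s in needed):
            changes = [c for s in needed for c in self.history[s]]
            return {"status": "IXFR", "serial": self.serial, "changes": changes}
        # No usable history, client ahead of us, or a full transfer was
        # requested: send the whole zone.
        return {"status": "AXFR", "serial": self.serial, "records": dict(self.records)}


if __name__ == "__main__":
    zone = PrimaryZone("kurtdillard.com.", 100, {"www": "192.168.2.10"},
                       ns_addresses={"192.168.2.2"})
    print(zone.handle_transfer("203.0.113.9", 100))   # outsider: REFUSED
    print(zone.update("mail", "192.168.2.20"))         # who gets notified
    print(zone.handle_transfer("192.168.2.2", 100))    # IXFR with one change
```

The default policy in the model is /SecureNs, matching the book's advice; switching a zone to /NonSecure makes the same outsider request succeed, which is the exposure the paragraph above warns about.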

Exercise 2: Build Your AD DS Domain


The next step in preparing your practice lab is to build an AD DS domain, which is quite easy to do in a test environment because you do not have to spend much time planning details such as your domain namespace, your zone configuration, and your replication configuration. However, these and other considerations are critical to a successful deployment in a production environment. To get started, you first have to install the Active Directory Domain Services role and then launch the installation wizard by executing dcpromo.


To add the Active Directory Domain Services role
1. Navigate to Roles in the navigation pane and then select Add Roles in the Roles Summary pane.
2. Click Next.
3. Select Active Directory Domain Services on the Select Server Roles page, and click Add Required Features when prompted.
4. Click Next.
5. Complete the Add Roles wizard using the default settings.
6. On the Installation Results page, click Close this wizard and launch the Active Directory Domain Services Installation Wizard.
7. Use the default settings throughout the installation, including installing the DNS Server role. You will need to specify values for some options such as the AD DS restore mode password and an FQDN for your domain; I suggest you pick something that is completely unresolvable from the Internet, such as domain.test or testing.domain.
8. You will also need to specify that this is the first domain controller in a new domain, and the first domain in a new forest.
9. After the wizard has gathered all of the necessary information from you, the installation will proceed automatically; how long it takes will depend upon the hardware capacity of your test system.

Defining Replication Scope for AD DS-Integrated Zones


When a DNS zone is integrated with AD DS, you need to specify where it will be stored and its replication scope. You can specify the replication scope when creating a new zone and you can change it at any time after creation. The following storage options are available for AD DS-integrated zones:

Forest-wide DNS application directory partition. This option corresponds to To all DNS servers in this forest in the Change Zone Replication Scope dialog box in DNS Manager. DNS zones stored in the forest-wide partition are replicated to all DNS servers running on domain controllers in the forest. This partition is automatically created when DNS is installed on the first domain controller in a new forest, and provides the broadest scope of replication but generates the most replication traffic.

Domain-wide DNS application directory partition. This option corresponds to To all DNS servers in this domain in the Change Zone Replication Scope dialog box in DNS Manager. DNS zones stored in this partition are replicated to all DNS servers running on domain controllers in the domain. This partition is automatically created when DNS is installed on the first domain controller in a new domain.

Domain partition. This option corresponds to To all domain controllers in this domain in the Change Zone Replication Scope dialog box in DNS Manager. DNS zones stored in this partition are replicated to all domain controllers in the domain, even those that are not running the DNS Server service. This is the only option for zones that are replicated to domain controllers running Windows 2000 Server.

Custom DNS application directory partition. This option corresponds to To all domain controllers in the scope of this directory partition in the Change Zone Replication Scope dialog box in DNS Manager. DNS zones stored in this partition are replicated to all DNS servers running on domain controllers that enlist in the partition. To use this type of partition, you must first create the application directory partition from a command prompt using dnscmd.

To create a DNS application directory partition, enter the following at a command prompt and press Enter:

Dnscmd <ServerName> /CreateDirectoryPartition <FQDN>

You specify the name of the new DNS application directory partition by entering an FQDN. After creating the partition, you are able to select it from the drop-down list, as shown in the following figure.


Figure 1.9. Selecting a custom directory partition for replication scope

To enlist a DNS server in an application directory partition, enter the following at a command prompt:

Dnscmd <ServerName> /EnlistDirectoryPartition <FQDN>

To remove a DNS server from an application directory partition, enter the following at a command prompt:

Dnscmd <ServerName> /UnenlistDirectoryPartition <FQDN>

In each case, you specify the name of the DNS application directory partition by entering its FQDN.

Expert Discussion: What is the GlobalNames Zone?


Windows Internet Name System (WINS) is a name resolution system that can be deployed independently of or integrated with the DNS Server service. WINS will become obsolete, though, because it relies on NetBIOS over TCP/IP, an older protocol that Microsoft (and many Windows sysadmins!) hope to avoid in the future. One of the things that people like about WINS is that it facilitates using single-label names for hosts. For example, on a WINS-enabled network you could connect to a shared folder by specifying \\servername\sharename, but on a network that only uses DNS for name resolution you would have to specify the entire hostname like this: \\servername.domainname.suffix\sharename. To help organizations migrate to all-DNS networks, Windows Server 2008 introduces support for a new type of DNS zone called the GlobalNames zone. It provides support for single-label name resolution for a limited number of hosts. The number should be kept relatively small because the records in this zone must be managed manually; it is not feasible to maintain records for every user PC in this type of zone. When the GlobalNames zone is properly implemented, a client attempting to resolve a single-label name will first append its primary DNS suffix to the name. If resolution fails, it will attempt resolution using its DNS suffix search list. If that also fails, the client attempts resolution using the single-label name; if the name appears in the GlobalNames zone, the DNS server will provide the answer to the client. If that also doesn't work, the query fails over to WINS. This feature has to be enabled and configured manually.

To enable and configure the GlobalNames zone
1. Create an AD DS-integrated forward lookup zone named GlobalNames.
2. Enable support for the GlobalNames zone by running the following command for every authoritative DNS server in the forest: dnscmd <ServerName> /config /enableglobalnamessupport 1 (Replace <ServerName> with the name of the authoritative DNS server.)
3. Replicate the new zone to all domain controllers in the forest.
4. Add the desired alias (CNAME) resource records to the new zone.
5. Publish the location of the new GlobalNames zone in other forests as appropriate by adding a service location (SRV) resource record to the forest-wide DNS application partition, using the service name _globalnames._msdcs and specifying the FQDN of the DNS server that hosts the GlobalNames zone.
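The resolution order described above is easy to get wrong when troubleshooting single-label names, so here is an added Python example (not code from the book) that models it: the client tries its primary DNS suffix, then each entry in its suffix search list, then asks the DNS server for the bare single-label name, which only the GlobalNames zone can answer and only when GlobalNames support is enabled on the server, and finally falls back to WINS. The zone names corp.example and lab.example, the hosts and the addresses are constructed sample data; GLOBALNAMES holds the alias (CNAME) records that step 4 of the procedure has you add.

```python
"""Added example (not from the book): the order in which a client resolves a
single-label name when a GlobalNames zone is deployed. Zones, hosts and
addresses are constructed sample data."""


class DnsServer:
    """Ordinary forward zones plus the GlobalNames zone, whose records are
    CNAMEs that point at FQDNs in the ordinary zones."""

    def __init__(self, zones, globalnames, enable_globalnames_support=True):
        self.zones = zones              # zone -> {host label: IPv4 address}
        self.globalnames = globalnames  # alias -> target FQDN (CNAME records)
        # Models dnscmd <ServerName> /config /enableglobalnamessupport 1
        self.enabled = enable_globalnames_support

    def query(self, name):
        """Look up an A record for a fully qualified name (label.zone)."""
        label, _, zone = name.partition(".")
        return self.zones.get(zone, {}).get(label)

    def query_single_label(self, label):
        """Only the GlobalNames zone can answer a bare single-label query;
        its CNAME is followed to the real host record."""
        if not self.enabled:
            return None
        target = self.globalnames.get(label)
        return self.query(target) if target else None


class Client:
    def __init__(self, server, primary_suffix, search_list, wins=None):
        self.server = server
        self.primary_suffix = primary_suffix
        self.search_list = search_list
        self.wins = wins or {}  # NetBIOS name -> address; the last resort

    def resolve(self, name):
        """Return (address, stage) so the caller can see which step answered."""
        if "." in name:
            return self.server.query(name), "fully qualified name"
        ip = self.server.query(f"{name}.{self.primary_suffix}")
        if ip:
            return ip, "primary DNS suffix"
        for suffix in self.search_list:
            ip = self.server.query(f"{name}.{suffix}")
            if ip:
                return ip, f"suffix search list ({suffix})"
        ip = self.server.query_single_label(name)
        if ip:
            return ip, "GlobalNames zone"
        ip = self.wins.get(name.upper())
        if ip:
            return ip, "WINS"
        return None, "unresolved"


# Constructed sample data.
ZONES = {
    "corp.example": {"fs01": "192.168.2.5", "dc1": "192.168.2.1"},
    "lab.example": {"intranet": "192.168.3.8"},
}
GLOBALNAMES = {"files": "fs01.corp.example"}  # CNAME: files -> fs01.corp.example
WINS = {"OLDBOX": "192.168.9.9"}                # a host only WINS still knows


def build_client(globalnames_enabled=True):
    server = DnsServer(ZONES, GLOBALNAMES, globalnames_enabled)
    return Client(server, "corp.example", ["corp.example", "lab.example"], WINS)


if __name__ == "__main__":
    client = build_client()
    for name in ("fs01", "intranet", "files", "oldbox", "nothing"):
        print(name, "->", client.resolve(name))
```

Running it with GlobalNames support disabled shows the practical consequence of skipping step 2: the alias files stops resolving and the query falls through to WINS, which does not know it either.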

Configuring Additional DNS Server Options


There are additional significant settings in the DNS Server service that you should understand. This section briefly discusses each.

Updating Root Hints


As discussed previously, DNS servers use the list of root hint servers to locate authoritative name servers for domains at a higher level or in other subtrees of the DNS namespace. When you add the DNS Server role, a file called cache.dns is written to %systemroot%\System32\dns. This file includes the NS and A resource records for the Internet's root servers. If you are using DNS in a network that is not connected to the Internet you may wish to replace this list of root hints with your own.

To modify the root hints list in DNS Manager
1. Right-click the server and select Properties.
2. Click the Root Hints tab.
3. Modify the list as appropriate, as shown in the following figure:
a. Click Add to create a new record.
b. Select a record and click Edit to modify an existing record.
c. Select a record and click Remove to delete an existing record.
d. Click Copy from Server and then specify the IP address to retrieve the list of root hints from another DNS server. This action will not overwrite any existing root hints.


Figure 1.10. Updating the Root Hints in Server Manager

Configuring Server Forwarding


A forwarder is a DNS server on your network that forwards queries for external DNS names to DNS servers outside of the network. You use forwarders to manage DNS traffic sent from your internal network to the Internet. Conditional forwarders forward queries for specific domain names to certain servers. For example, you may want to configure conditional forwarding to more quickly resolve hostnames for your organization's most important business partners.

To configure forwarders
1. Configure the network's firewalls to block outbound DNS traffic from all DNS servers except the forwarders.
2. Specify the IP addresses of the forwarders on the other DNS servers in your network. To define the list of forwarders in DNS Manager, click the Forwarders tab in the Properties dialog box for the DNS server, click Edit, and enter the list of IP addresses in the Edit Forwarders dialog box.
3. To define a conditional forwarder, select a DNS domain name before entering the IP address of the DNS server.

Configuring Round Robin DNS


Round robin DNS is a rudimentary form of load balancing in which multiple IP addresses are assigned to the same hostname. The DNS server responds to queries for that hostname by sending the entire list, and the order of the addresses is rotated each time the server responds. Clients use the first entry and discard the rest, which should result in queries being evenly distributed across all of the hosts assigned that hostname. This form of load balancing is much less robust than others because the DNS server will continue to respond with the address of a server even if it is no longer available. In addition, round robin DNS does not make provisions for the differing capacities of the servers; all of them will receive the same amount of traffic. This feature is turned on and off in DNS Manager from the Advanced tab in the Properties dialog box for the DNS server. In the list of server options, enable or disable the checkbox for Enable round robin.

Disabling Recursion
As described previously, the DNS Server service automatically performs recursive queries on behalf of its clients by querying other DNS servers for information about hosts when it is unable to resolve the name locally. Recursion should be disabled on externally facing DNS servers because attackers may be able to flood the DNS server with unresolvable queries, leading to a denial-of-service condition. This feature is controlled in DNS Manager from the Advanced tab in the Properties dialog box for the DNS server. In the list of server options, enable or disable the checkbox for Disable recursion (also disables forwarders).

Securing the Cache from Names Pollution


By default, the DNS Server service is configured to protect itself from cache pollution by rejecting resource records that it did not request. In some cases it's possible for a remote DNS server to provide information about records for which it is not authoritative. Although this may speed up a recursive query, it's possible for an attacker to include corrupt information in such a response that could cause clients to be redirected to servers under the attacker's control. With this protection enabled, the DNS Server service will ignore these types of records and instead perform the lookup itself by contacting each authoritative server as needed. This feature is controlled in DNS Manager from the Advanced tab in the Properties dialog box for the DNS server. In the list of server options, enable or disable the checkbox for Secure cache against pollution.

Implementing Zone Delegation


You can delegate management of portions of your DNS namespace by delegating management of the corresponding zone. Zone delegation can also be used to distribute workload across several servers by dividing one large zone into several smaller ones. To create a zone delegation using DNS Manager, right-click the desired sub-domain, and then click New Delegation. Use the New Delegation Wizard to complete the process. To create a zone delegation from a command prompt, type the following command and press Enter:

Dnscmd <ServerName> /RecordAdd <ZoneName> <NodeName> [/Aging] [OpenAcl] [TTL] NS {<Hostname>|<FQDN>}

The following table briefly explains each option.

Table 1.8. Dnscmd Parameters for Zone Delegation

<ServerName>: This is a required parameter. Specify either the host name or IP address of the DNS server where the record is to be created.
/RecordAdd: This is a required parameter that specifies what action is to be taken, in this case to add a new record.
<ZoneName>: This is a required parameter. It specifies the fully qualified domain name (FQDN) of the zone.
<NodeName>: This is a required parameter. It specifies the FQDN of the node.
[/Aging]: This optional parameter specifies that the record may be aged and scavenged.
[OpenAcl]: This optional parameter specifies that the record may be modified by any user; without this parameter only administrators are able to do so.
[TTL]: This optional parameter specifies the time to live (TTL) for the record.
NS: This required parameter specifies that you are adding a new NS record to the zone.
<Hostname>|<FQDN>: These required parameters specify the hostname or FQDN of the new authoritative server.

Summary
This chapter showed you how to install and manage the DNS Server role in Windows Server 2008. It explained the common administrative tasks and introduced you to the key features that are new in this version of Windows Server, such as the GlobalNames zone and background zone loading. To effectively prepare for the examination, it is important that you understand the concepts discussed here. It is also important that you are familiar with each of the procedures described in the chapter. It would be ideal if you also spent some time exploring DNS Manager to familiarize yourself with the less commonly used configuration options. Although they are less likely to appear on the exam, doing so will increase your chances of success.

Chapter Review
This section presents a list of review questions designed to help reinforce the knowledge presented earlier in the chapter. To persuade you to explore the management tools more deeply, a few questions may require you to examine DNS Manager or dnscmd rather than rereading the chapter.

Questions
1. You want to add an AD DS-integrated secondary zone to your DNS server, but you see an error message stating Command failed: ERROR_INVALID_PARAMETER 87 after entering the following at a command prompt: dnscmd dc1 /zoneadd NewZone /secondary /dp /domain. What should you do to correct this problem?
a. The command needs to include the /filename option with the path to the file, so it should read something like this: dnscmd dc1 /zoneadd NewZone /secondary /dp /domain /file c:\data\ZoneFile.dns
b. The zone type needs to be corrected to /dssecondary, so it should read like this: dnscmd dc1 /zoneadd NewZone /dssecondary /dp /domain
c. Secondary zones cannot be AD DS-integrated, therefore the zone type should be changed to /dsprimary or /dsstub, or you should remove the /dp /domain options and specify the master IP address for the zone.
d. The DNS Server service doesn't support creating AD DS-integrated zones from the command prompt.
Jump to answers.

2. You manage an enterprise network that consists primarily of Windows clients and servers, and other platforms are deployed in small numbers. Active Directory is deployed on domain controllers running Windows Server 2003 and AD DS on servers running Windows Server 2008; the domain controllers are the only servers hosting the DNS Server service. There are three domains in a single forest. You want to configure replication of the DNS in such a way that network utilization is kept relatively low while ensuring that all of the domain controllers have up-to-date resource records in their DNS databases. Which approach to replication should you consider first?
a. Configuring incremental zone transfers and enabling DNS Notify.
b. AD DS replication with zones stored in the domain-wide DNS application directory partition.
c. Configuring full zone transfers and enabling DNS Notify.
d. AD DS replication with zones stored in the forest-wide DNS application directory partition.
Jump to answers.

3. Match the list of use cases in the following table with the kind of resource record that will most likely contain the required data.

Table 1.9. Use Cases and Resource Records

Use case:
a. An SMTP server attempting to forward mail to your organization.
b. A user browsing to a website hosted on several servers that use round robin DNS for load balancing.
c. A web server log file analysis tool generating reports on web site usage.
d. A client trying to connect to another host on a network that uses IPv6.
e. A domain-joined laptop computer that has just been turned on by its user.

Resource record:
1. AAAA
2. MX
3. SRV
4. PTR
5. CNAME

Jump to answers.

4. Users have started reporting problems connecting to servers within your organization's network. You are able to connect to some servers, such as the domain controllers for the AD DS domain for your user account, but others do not respond. Which of the following is the best tool to quickly determine whether or not the problem is related to name resolution?
a. Ping
b. DNS Manager
c. Arp
d. Dnscmd
e. nslookup
Jump to answers.

5. You have deployed AD DS for a domain named kurtdillard.com, but have only installed the DNS Server service on a subset of the domain controllers. You want to create a DNS zone named finance for a set of servers that will only be replicated to a DNS server in your organization, and you are currently logged into the local console of the domain controller named NS1. Which is the correct command to create the desired DNS application directory partition?
a. nslookup ns1 /CreateDirectoryPartition finance.kurtdillard.com
b. dnscmd ns1 /EnlistDirectoryPartition finance.kurtdillard.com
c. dnscmd /CreateDirectoryPartition finance.kurtdillard.com ns1
d. dnscmd ns1 /CreateDirectoryPartition finance.kurtdillard.com
Jump to answers.

6. Examine the following figure. You want to add a Host Information (HINFO) resource record to the selected zone, but that kind of record doesn't appear on the menu. What steps should you take to add a record of this type?


Figure 1.11. DNS Zone context menu

a. Click Other new records... from the menu, then select the HINFO RR in the dialog box that appears and click Create Record.
b. Click Properties, then click the Advanced tab and turn on the option to enable advanced resource record types.
c. Click All Tasks, then select Add/Remove record types and enable the HINFO record type.
d. Click View, then select Customize, and enable the checkbox to display advanced record types.
Jump to answers.

7. When would background zone loading have a significant positive impact?
a. For any domain controllers running DNS with AD DS-integrated zones, regardless of the database size.
b. For domain controllers running DNS with AD DS-integrated zones that include tens of thousands of resource records.
c. For DNS servers that host zones stored as files and include tens of thousands of resource records.
d. Both B and C are correct.
Jump to answers.

8. What type of query is a DNS server performing when it contacts one of the Internet's root servers to learn the IP address of the authoritative name server of a DNS domain?
a. Forwarding query
b. Authoritative query
c. Root lookup
d. Recursive query
e. External query
Jump to answers.

9. Your organization uses WINS for name resolution between user computers so that staff members are able to use a collaboration tool that requires direct connections between those computers. You know that WINS is an old protocol and it is approaching its end of life. Would enabling a GlobalNames zone be a good way to completely replace WINS?
a. Yes
b. No
Jump to answers.

The Precision Guide to Windows Server 2008 Active Directory Configuration (MCTS Exam 70-640)

10. You are about to enable record aging and scavenging for a new AD DS-integrated zone. You expect to add manual records for many servers that will not need to be updated very often. How can you ensure that these static records are not deleted when scavenging occurs?
a. Be sure to mark each record as exempt when creating them with the New Resource Record wizard.
b. After creating a static record, manually edit the time stamp and set it to zero.
c. Do nothing. By default, static records are given a time stamp of zero and any record with such a time stamp is exempt from aging and scavenging.
d. Set the TTL for the record to zero.

11. Which of the following is not a way for a Windows Server 2008 server running the DNS Server service to learn about updates to resource records?
a. Initiating push-pull replication with a root server.
b. Receiving a DNS Notify message.
c. Initiating a zone transfer.
d. AD DS-integrated replication.
e. Accepting dynamic updates from a DHCP server or client.
f. The DNS administrator editing a static resource record.

12. You manage a new public-facing server that is designed to share information with a select group of your organization's business partners. Ideally, both organizations would deploy a robust federated identity solution to ensure that only authorized users connect to the server. However, it's going to take a lot of time to negotiate arrangements with each partner. In the interim, you recommend leveraging _____________________ to provide some rudimentary security by limiting incoming traffic to certain domains.

13. You want to customize which domain controllers will participate in replication of an AD DS-integrated zone. To do this you need to create a _____________________.

14. Look at the following figure. Which tab would you click to enable or disable recursive queries?


Figure 1.12. DNS Server properties dialog box
a. Forwarders
b. Advanced
c. Root Hints
d. Debug Logging
e. Event Logging
f. Monitoring
g. Security

15. What's the recommended method for maintaining resource records for client computers that are members of an AD DS domain?
a. Manually create and maintain a static record for each computer.
b. Use incremental zone transfers.
c. Use an AD DS-integrated zone with dynamic updates enabled.
d. Use an AD DS-integrated zone configured to only allow secure dynamic updates.

Answers
1. C is the correct answer. Secondary zones cannot be AD DS-integrated under any circumstances. Questions that involve negative cases such as this appear regularly in Microsoft exams; that is, scenarios in which you are told to do something that cannot or should not be done.


2. B is the correct answer. Although you do not have enough information to make a complete design for replication, you certainly have enough to know which method will most likely meet the stated requirements. Using the forest-wide application directory partition will generate more replication traffic than the domain-wide one. You cannot force the use of full zone transfers, because the DNS Server service automatically attempts to use incremental zone transfers for zones that are not AD DS-integrated. However, because all of the DNS servers are also domain controllers, AD DS integration ensures that updates are quickly replicated and that replication traffic is compressed.

3. The use cases and record types should be matched as follows:
a. 2, because MX records contain information about mail hosts for a DNS domain.
b. 5, because multiple CNAME records can be used to map the same hostname to multiple IP addresses.
c. 4, because PTR records are used for reverse lookups, and a web server log tool is likely to use reverse lookups to determine what domains host the various clients that have visited the site.
d. 1, because AAAA records are used for IPv6 addresses.
e. 3, because SRV records are used to identify domain controllers for an Active Directory domain, and computers that belong to such a domain attempt to authenticate themselves and download configuration information during the operating system boot process.

4. D is the best answer. With the limited information available, nslookup is a good tool to begin troubleshooting. Nslookup is a command prompt diagnostic tool for DNS; you can use it to extract information about DNS zones and their contents from DNS servers that allow your host to connect. Although the exam probably will not include extensive questions about nslookup, it is likely that you will encounter some, and therefore you should familiarize yourself with its basic functionality.
Ping is useful for determining whether there are network issues at the IP layer, but DNS name resolution occurs above that, and therefore it's not a good tool for this scenario. Arp is a tool for examining and configuring the Address Resolution Protocol (ARP) cache; ARP is the protocol that is used to map IP addresses to the physical network addresses that are assigned to network interface cards. DNS Manager and dnscmd are tools for configuring the DNS Server service; although they might be needed to correct problems, they are not ideal for initial diagnostics.

5. D is the correct answer. Nslookup is not used to configure the DNS Server service, /EnlistDirectoryPartition is the wrong option for making a new partition, and the name of the DNS server should be the first option in the command. This question may appear to be capricious, requiring you to memorize all of the arcane options of dnscmd, but similar questions do appear on the exams. Rather than trying to memorize every single option available, make sure you remember the basic syntax used on nearly every action: the DNS server name is always the first option; the second always specifies the action to take; and parameters to apply to the action come next. Also memorize the most common actions, such as creating zones and records, delegating zones, and configuring zone transfers. Finally, memorize the procedures that can only be performed from the command prompt, such as enabling the GlobalNames zone.

6. A is the correct answer.

7. B is correct. Although background zone loading will reduce the time needed to start the DNS Server service, the impact will probably only be noticeable for very large zones.

8. D is correct. DNS servers contact the root servers that are listed in their root hints to learn the IP addresses of authoritative name servers for other domains.
Typically, they do this while performing a recursive query on behalf of a client computer.

9. No is correct. Although the new GlobalNames zone feature is designed to help enterprises migrate away from WINS for name resolution, it is not sufficiently scalable to completely replace WINS. There are other alternatives, though; perhaps the collaboration tool will work with DNS name resolution, or you could enable WINS integration for the zones that correspond to your AD DS domains.

10. C is correct. It is not possible to mark a record as exempt. Rather, there is a check box you can enable or disable entitled "Delete this record when it becomes stale"; however, it's not necessary to configure it because it's automatically disabled when a static record is created. It's also not necessary to change the time stamp, because it is automatically set to zero for static records. The TTL has no impact on aging and scavenging.

11. A is correct. There are many ways in which a DNS server can learn about changes to resource records, but answer A is entirely fictional.

12. The correct term is reverse lookups.

13. The correct term is DNS application directory partition.

14. B is the correct answer. The first checkbox visible in the Server options text box is used to enable and disable recursive queries on the server.

15. D is the correct answer. Answer A is not scalable; answer B doesn't address the stated requirements; also, answer B is less desirable because malicious users could add records to the zone and potentially redirect clients to hostile servers under their control.
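As an added example that is not part of the book, the following PowerShell script walks through the dnscmd workflow behind answers 5, 13 and 15 (server name first, then the action, then its parameters): creating the application directory partition that controls which domain controllers replicate a zone, storing a new AD DS-integrated zone in it, and restricting the zone to secure dynamic updates. The server NS1 and the domain kurtdillard.com come from question 5; the zone name, the second server NS2 and the Invoke-Dnscmd helper are constructed for illustration.

```powershell
# Added example (not from the book). Run from an elevated prompt on a
# domain controller that hosts the DNS Server service.
$DnsServer = 'NS1'                        # from question 5
$Partition = 'finance.kurtdillard.com'    # partition name from question 5
$Zone      = 'finance.kurtdillard.com'    # constructed: zone stored in that partition

function Invoke-Dnscmd {
    # Every dnscmd call has the same shape: <server> <action> <parameters>.
    # Wrapping it makes the exit code visible instead of silently moving on.
    param([string[]]$Arguments)
    & dnscmd.exe $DnsServer @Arguments
    if ($LASTEXITCODE -ne 0) {
        throw "dnscmd $($Arguments[0]) failed with exit code $LASTEXITCODE"
    }
}

# Step 1 (answers 5 and 13): create the custom application directory partition.
# Only domain controllers enlisted in it will replicate zones stored there.
Invoke-Dnscmd -Arguments @('/CreateDirectoryPartition', $Partition)

# Step 2: any additional DNS server that should replicate the zone is enlisted
# with /EnlistDirectoryPartition, run against that server's name, e.g.:
#   dnscmd NS2 /EnlistDirectoryPartition finance.kurtdillard.com
# (This is why answer b in question 5 is wrong: enlisting creates nothing.)

# Step 3: create the zone as an AD DS-integrated primary stored in the partition.
Invoke-Dnscmd -Arguments @('/ZoneAdd', $Zone, '/DsPrimary', '/dp', $Partition)

# Step 4 (answer 15): accept only secure dynamic updates, so unauthenticated
# hosts cannot register or overwrite records and redirect clients.
# /AllowUpdate values: 0 = none, 1 = nonsecure and secure, 2 = secure only.
Invoke-Dnscmd -Arguments @('/Config', $Zone, '/AllowUpdate', '2')

# Verify the result: list the partitions the server knows about and the
# zone's settings (look for the DsIntegrated and AllowUpdate values).
Invoke-Dnscmd -Arguments @('/EnumDirectoryPartitions')
Invoke-Dnscmd -Arguments @('/ZoneInfo', $Zone)
```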

