Your network contains an Active Directory domain named contoso.com. The network contains a member
server named Server1 that runs Windows Server 2012. Server1 has the DNS Server server role installed and
has a primary zone for contoso.com.
The Active Directory domain contains 500 client computers. There are an additional 20 computers in a
workgroup.
You discover that every client computer on the network can add its record to the contoso.com zone.
You need to ensure that only the client computers in the Active Directory domain can register records in the
contoso.com zone.
What should you do first?
A. Move the contoso.com zone to a domain controller that is configured as a DNS server.
B. Configure the Dynamic updates settings of the contoso.com zone.
C. Sign the contoso.com zone by using DNSSEC.
D. Configure the Security settings of the contoso.com zone.
Explanation:
If you install DNS server on a non-DC, then you are not able to create AD-integrated zones.
DNS update security is available only for zones that are integrated into AD DS. When you directory-integrate a
zone, access control list (ACL) editing features are available in DNS Manager so that you can add or remove
users or groups from the ACL for a specified zone or resource record.
http://technet.microsoft.com/en-us/library/cc771255.aspx
http://social.technet.microsoft.com/Forums/en-US/winserverNIS/thread/9b041bbc-0765-4eed-bd1cd65027f05e9f/
http://blogs.msmvps.com/acefekay/2012/11/19/ad-dynamic-dns-updates-registration-rules-of-engagement/
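The server-side part of answer A, carried through in PowerShell as an added example (not from the exam dump or the cited Microsoft and blog pages). It assumes the contoso.com zone has already been moved to a domain controller, that the DnsServer and ActiveDirectory modules (Windows Server 2012 and later) are present, and that it runs as a DNS administrator.

```powershell
# Added example: lock contoso.com down to secure dynamic updates after the
# zone has been moved to a DC. Zone name comes from the question; nothing
# else here is taken from the page.
Import-Module DnsServer
Import-Module ActiveDirectory

$ZoneName = 'contoso.com'

# 1. Inspect the zone as it arrives. A file-backed primary zone set to
#    NonsecureAndSecure is why the 20 workgroup hosts can register records.
$before = Get-DnsServerZone -Name $ZoneName
'{0}: DsIntegrated={1} DynamicUpdate={2}' -f $ZoneName, $before.IsDsIntegrated, $before.DynamicUpdate

# 2. Convert the file-backed zone to an AD-integrated zone. The Secure setting
#    is only offered for zones stored in AD DS, so this must precede step 3.
if (-not $before.IsDsIntegrated) {
    ConvertTo-DnsServerPrimaryZone -Name $ZoneName -ReplicationScope Domain -Force
}

# 3. Accept only secure dynamic updates. Clients must now authenticate the
#    update with Kerberos (GSS-TSIG), which only domain members can do.
Set-DnsServerPrimaryZone -Name $ZoneName -DynamicUpdate Secure

# 4. Verify the end state before trusting it.
$after = Get-DnsServerZone -Name $ZoneName
if ($after.IsDsIntegrated -and $after.DynamicUpdate -eq 'Secure') {
    "OK: $ZoneName is AD-integrated and accepts secure updates only."
} else {
    Write-Warning ("{0} not locked down: DsIntegrated={1} DynamicUpdate={2}" -f
        $ZoneName, $after.IsDsIntegrated, $after.DynamicUpdate)
}

# 5. Audit: A records whose host has no computer account in the domain were
#    most likely registered by the workgroup machines. Review them; legitimate
#    static entries (appliances, aliases) may also show up here.
$domainHosts = (Get-ADComputer -Filter *).Name | ForEach-Object { $_.ToLower() }
Get-DnsServerResourceRecord -ZoneName $ZoneName -RRType A |
    Where-Object { $_.HostName -ne '@' -and $domainHosts -notcontains $_.HostName.ToLower() } |
    Select-Object HostName, @{ n = 'IPv4'; e = { $_.RecordData.IPv4Address } }, Timestamp
```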
1. Active Directory’s DNS Domain Name is NOT a single label name (“DOMAIN” vs the minimal requirement
of “domain.com,” “domain.local,” etc).
2. The Primary DNS Suffix MUST match the zone name that is allowing updates. Otherwise the client
doesn’t know what zone name to register in. You can also have a different Connection Specific Suffix in addition
to the Primary DNS Suffix to register into that zone as well.
3. AD/DNS zone MUST be configured to allow dynamic updates, whether Secure or Secure and Non-Secure.
For client machines, if a client is not joined to the domain, and the zone is set to Secure, it will not register either.
4. You must ONLY use the DNS servers that host a copy of the AD zone name or have a reference to get
to them. Do not use your ISP’s, an external DNS address, your router as a DNS address, or any other DNS
that does not have a copy of the AD zone. Internet resolution for your machines will be accomplished by the
Root servers (Root Hints), however it’s recommended to configure a forwarder for efficient Internet resolution.
5. The domain controller is multihomed (which means it has more than one unteamed, active NIC, more
than one IP address, and/or RRAS is installed on the DC).
6. The DNS addresses configured in the client’s IP properties must ONLY reference the DNS server(s)
hosting the AD zone you want to update in. This means that you must NOT use an external DNS in any
machine’s IP property in an AD environment.
You can’t mix them either. That’s because of the way the DNS Client side resolver service works. Even if
you mix up internal DNS and ISP’s DNS addresses, the resolver algorithm can still have trouble asking the
correct DNS server. It will ask the first one first. If it doesn’t get a response, it removes the first one from the
eligible resolvers list and goes to the next in the list. It will not go back to the first one unless you restart the
machine, restart the DNS Client service, or set a registry entry to cut the query TTL to 0. The rule is to ONLY
use your internal DNS server(s) and configure a forwarder to your ISP’s DNS for efficient Internet resolution.
This is the reg entry to cut the query to 0 TTL:
The DNS Client service does not revert to using the first server …The Windows 2000 Domain Name System
(DNS) Client service (Dnscache) follows a certain algorithm when it decides the order in which to use the
DNS servers …
http://support.microsoft.com/kb/286834
For more info, please read the following on the client side resolver service:
DNS, WINS NetBIOS & the Client Side Resolver, Browser Service, Disabling NetBIOS, Direct Hosted SMB
(DirectSMB), If One DC is Down Does a Client logon to Another DC, and DNS Forwarders Algorithm if you have
multiple forwarders.
http://msmvps.com/blogs/acefekay/archive/2009/11/29/dns-wins-netbios-amp-the-clientside-resolver-browserservice-disabling-netbios-direct-hosted-smb-directsmb-if-one-dc-is-down-does-a-clientlogon-to-another-dcand-dns-forwarders-algorithm.aspx
7. For DHCP clients, DHCP Option 006 for the clients is set to the same DNS server.
8. If using DHCP, DHCP server must only be referencing the same exact DNS server(s) in its own IP properties
in order for it to ‘force’ (if you set that setting) registration into DNS. Otherwise, how would it know which DNS to
send the reg data to?
9. If the AD DNS Domain name is a single label name, such as “EXAMPLE”, and not the proper format
of “example.com” and/or any child of that format, such as “child1.example.com”, then we have a real big
problem.
DNS will not allow registration into a single label domain name.
This is for two reasons:
1. It’s not the proper hierarchical format. DNS is hierarchical, but a single label name has no hierarchy. It’s just
a single name.
2. Registration attempts cause major Internet queries to the Root servers. Why? Because it thinks the single
label name, such as “EXAMPLE”, is a TLD (Top Level Domain), such as “com”, “net”, etc. It will now try to find
what Root name server out there handles that TLD: In the end it comes back to itself and then attempts to
register. Unfortunately it does NOT ask
itself first for the mere reason it thinks it’s a TLD.
(Quoted from Alan Woods, Microsoft, 2004):
“Due to this excessive Root query traffic, which ISC found from a study that discovered Microsoft DNS
servers are causing excessive traffic because of single label names, Microsoft, being an internet friendly
neighbor and wanting to stop this problem for their neighbors, stopped the ability to register into DNS with
Windows 2000 SP4, XP SP1, (especially XP, which cause lookup problems too), and Windows 2003. After all,
DNS is hierarchical, so therefore why even allow single label DNS domain names?”
The above also *especially* applies to Windows Vista, 2008, 2008 R2, and newer.
10. ‘Register this connection’s address’ on the client is not enabled under the NIC’s IP properties, DNS tab.
11. Maybe there’s a GPO set to force Secure updates and the machine isn’t a joined member of the domain.
12. On 2000, 2003 and XP, the “DHCP client” Service not running. In 2008/Vista and newer, it’s the DNS Client
Service. This is a requirement for DNS registration and DNS resolution even if the client is not actually using
DHCP.
13. You can also configure DHCP to force register clients for you, as well as keep the DNS zone clean of old
or duplicate entries. See the link I posted in my previous post.
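A client-side check of the registration prerequisites in items 2, 6, 10, 11 and 12 above, as an added example (not from the exam dump or the quoted blog post). It assumes a Windows 8 / Server 2012 or newer client with the DnsClient module; the internal DNS server addresses are constructed placeholders and must be replaced with the DCs that host the contoso.com zone.

```powershell
# Added example: audit why a client may fail to register in a Secure-only zone.
$ZoneName    = 'contoso.com'                 # from the question
$InternalDns = @('10.0.0.10', '10.0.0.11')   # constructed: DCs hosting the AD zone

$problems = @()
$cs = Get-CimInstance Win32_ComputerSystem

# Item 2: the primary DNS suffix must match the zone that accepts updates.
if ($cs.Domain -ne $ZoneName) {
    $problems += "Primary DNS suffix '$($cs.Domain)' does not match zone '$ZoneName'"
}

# Item 11 (and the question itself): a Secure-only zone rejects non-members.
if (-not $cs.PartOfDomain) { $problems += 'Computer is not joined to the domain' }

# Item 6: every configured DNS server must host the AD zone; no ISP/router mix.
Get-DnsClientServerAddress -AddressFamily IPv4 |
    Where-Object { $_.ServerAddresses } |
    ForEach-Object {
        foreach ($srv in $_.ServerAddresses) {
            if ($InternalDns -notcontains $srv) {
                $problems += "$($_.InterfaceAlias): DNS server $srv is not an internal AD DNS server"
            }
        }
    }

# Item 10: 'Register this connection's addresses in DNS' must be enabled.
Get-DnsClient | Where-Object { -not $_.RegisterThisConnectionsAddress } | ForEach-Object {
    $problems += "$($_.InterfaceAlias): 'Register this connection's addresses' is disabled"
}

# Item 12: the DNS Client service (Dnscache) performs the registration.
if ((Get-Service Dnscache).Status -ne 'Running') {
    $problems += 'DNS Client service (Dnscache) is not running'
}

if ($problems.Count -eq 0) {
    'All prerequisites met; requesting registration now.'
    Register-DnsClient     # same as ipconfig /registerdns
} else {
    $problems | ForEach-Object { Write-Warning $_ }
}
```

Run it as an administrator; each warning maps back to the numbered rule it checks, so the output can be compared directly against the list above.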
A