You need to ensure that only the client computers in the Active Directory domain can register records in the contoso.com zone

Your network contains an Active Directory domain named contoso.com. The network contains a
member server named Server1 that runs Windows Server 2012 R2. Server1 has the DNS Server
server role installed and has a primary zone for contoso.com. The Active Directory domain contains
500 client computers. There are an additional 20 computers in a workgroup. You discover that every
client computer on the network can add its record to the contoso.com zone.
You need to ensure that only the client computers in the Active Directory domain can register
records in the contoso.com zone.
What should you do first?

A. Move the contoso.com zone to a domain controller that is configured as a DNS server.

B. Configure the Dynamic updates settings of the contoso.com zone.

C. Sign the contoso.com zone by using DNSSEC.

D. Configure the Security settings of the contoso.com zone.

Explanation:
If you install the DNS Server role on a server that is not a domain controller, you cannot create AD-integrated zones. DNS
update security ("Secure only" dynamic updates) is available only for zones that are integrated into AD DS. When you
directory-integrate a zone, access control list (ACL) editing features become available in DNS Manager so that you
can add or remove users or groups from the ACL for a specified zone or resource record.
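The following PowerShell is an added example, not part of the original page or the exam answer key. It walks through the sequence the explanation implies: check the zone's current state, store it in AD DS, then restrict dynamic updates to secure only. It assumes the DnsServer module is available and that the commands run on a DNS server that is also a domain controller (that is, after the zone has been moved there, as in answer A); the zone name is the one from the question.

```powershell
# Added example (not from the original page). Assumes the DnsServer module and a DNS
# server that is a domain controller; zone name taken from the question.
$ZoneName = 'contoso.com'

# 1. Inspect the current state. A file-backed primary zone shows IsDsIntegrated = False,
#    and a DynamicUpdate of NonsecureAndSecure is what lets workgroup machines register.
Get-DnsServerZone -Name $ZoneName |
    Select-Object ZoneName, ZoneType, IsDsIntegrated, DynamicUpdate, ZoneFile

# 2. Store the zone in AD DS with domain-wide replication. Secure dynamic updates require
#    an AD-integrated zone, and this conversion is only possible on a domain controller.
$zone = Get-DnsServerZone -Name $ZoneName
if (-not $zone.IsDsIntegrated) {
    ConvertTo-DnsServerPrimaryZone -Name $ZoneName -ReplicationScope Domain -Force
}

# 3. Now "Secure only" is allowed (answer B). On a file-backed zone this call fails,
#    which is why A has to happen before B.
Set-DnsServerPrimaryZone -Name $ZoneName -DynamicUpdate Secure

# 4. Verify the result.
$zone = Get-DnsServerZone -Name $ZoneName
if ($zone.IsDsIntegrated -and $zone.DynamicUpdate -eq 'Secure') {
    Write-Output "Zone $ZoneName is AD-integrated with secure-only dynamic updates."
} else {
    Write-Warning ("Zone {0} not as expected: IsDsIntegrated={1}, DynamicUpdate={2}" -f
        $ZoneName, $zone.IsDsIntegrated, $zone.DynamicUpdate)
}

# 5. Audit: dynamically registered records carry a Timestamp, static ones do not.
#    Records that workgroup machines added earlier stay in the zone until they are
#    removed or scavenged, so list the host records with their timestamps for review.
Get-DnsServerResourceRecord -ZoneName $ZoneName -RRType A |
    Where-Object { $_.Timestamp } |
    Select-Object HostName, Timestamp, @{ n = 'IPv4'; e = { $_.RecordData.IPv4Address } }
```

Step 5 only lists the records; deciding which of the timestamped entries belong to the 20 workgroup computers is still a manual review, since switching to secure-only updates stops new registrations but does not remove what is already there.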
1. Active Directory's DNS domain name is NOT a single-label name ("DOMAIN" versus the minimal
requirement of "domain.com", "domain.local", etc.).
2. The Primary DNS Suffix MUST match the zone name that is allowing updates. Otherwise the client
doesn't know what zone name to register in. You can also have a different Connection-Specific Suffix
in addition to the Primary DNS Suffix to register into that zone as well.

3. The AD/DNS zone MUST be configured to allow dynamic updates, either "Secure only" or "Nonsecure and
secure". If a client machine is not joined to the domain and the zone is set to Secure only, it
will not register either.
4. You must ONLY use the DNS servers that host a copy of the AD zone or have a reference to
get to them. Do not use your ISP's DNS, an external DNS address, your router as a DNS address, or any
other DNS server that does not have a copy of the AD zone. Internet resolution for your machines will be
accomplished by the root servers (root hints); however, it's recommended to configure a forwarder
for efficient Internet resolution.
5. The domain controller is multihomed (which means it has more than one unteamed, active NIC,
more than one IP address, and/or RRAS is installed on the DC).
6. The DNS addresses configured in the client’s IP properties must ONLY reference the DNS server(s)
hosting the AD zone you want to update in. This means that you must NOT use an external DNS in
any machine’s IP property in an AD environment. You can’t mix them either. That’s because of the
way the DNS Client side resolver service works. Even if you mix up internal DNS and ISP’s DNS
addresses, the resolver algorithm can still have trouble asking the
correct DNS server. It will ask the first one first. If it doesn’t get a response, it removes the first one
from the eligible resolvers list and goes to the next in the list. It will not go back to the first one
unless you restart the machine, restart the DNS Client service, or set a registry entry to cut the query
TTL to 0. The rule is to ONLY use your internal DNS server(s) and configure a forwarder to your ISP’s
DNS for efficient Internet resolution.
This is the reg entry to cut the query to 0 TTL:
The DNS Client service does not revert to using the first server. The Windows 2000 Domain Name
System (DNS) Client service (DNS cache) follows a certain algorithm when it decides the order in
which to use the DNS servers.
http://support.microsoft.com/kb/286834
For more info, please read the following on the client side resolver service:
DNS, WINS NetBIOS & the Client Side Resolver, Browser Service, Disabling NetBIOS, Direct Hosted
SMB (Direct SMB), If One DC is Down Does a Client logon to Another DC, and DNS Forwarders
Algorithm if you have multiple forwarders.
http://msmvps.com/blogs/acefekay/archive/2009/11/29/dns-wins-netbios-amp-the-clientsideresolverbrowserservice-disabling-netbios-direct-hosted-smb-directsmb-if-one-dc-isdown-does-aclient-logon-toanother-dcand-dns-forwarders-algorithm.aspx
7. For DHCP clients, DHCP Option 006 for the clients is set to the same DNS server(s).
8. If using DHCP, DHCP server must only be referencing the same exact DNS server(s) in its own IP
properties in order for it to ‘force’ (if you set that setting) registration into DNS. Otherwise, how
would it know which DNS to send the reg data to?
9. If the AD DNS domain name is a single-label name, such as "EXAMPLE", and not the proper format
of "example.com" and/or any child of that format, such as "child1.example.com", then we have a
real big problem.
DNS will not allow registration into a single-label domain name.
This is for two reasons:
1. It's not the proper hierarchical format. DNS is hierarchical, but a single-label name has no hierarchy.
It's just a single name.
2. Registration attempts cause major Internet queries to the Root servers. Why? Because it thinks
the single label name, such as “EXAMPLE”, is a TLD (Top Level Domain), such as “com”, “net”, etc. It
will now try to find what Root name server out there handles that TLD. In the end it comes back to
itself and then attempts to register. Unfortunately it does NOT ask itself first for the mere reason it
thinks it’s a TLD. (Quoted from Alan Woods, Microsoft, 2004):
"Due to this excessive root query traffic, which ISC found from a study that discovered Microsoft
DNS servers are causing excessive traffic because of single-label names, Microsoft, being an Internet-
friendly neighbor and wanting to stop this problem for their neighbors, stopped the ability to
register into DNS with Windows 2000 SP4, XP SP1 (especially XP, which causes lookup problems too),
and Windows 2003. After all, DNS is hierarchical, so therefore why even allow single-label DNS domain
names?" The above also *especially* applies to Windows Vista, 7, 2008, 2008 R2, and newer.

10. "Register this connection's addresses in DNS" on the client is not enabled under the NIC's IP properties,
DNS tab.
11. Maybe there’s a GPO set to force Secure updates and the machine isn’t a joined member of the
domain.
12. On 2000, 2003 and XP, the "DHCP Client" service is not running. On 2008/Vista and newer, it's the
DNS Client service. This service is a requirement for DNS registration and DNS resolution even if the client is
not actually using DHCP.
13. You can also configure DHCP to force register clients for you, as well as keep the DNS zone clean
of old or duplicate entries. See the link I posted in my previous post.
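The checklist above is spread over thirteen items; the PowerShell below is an added example (not from the original page) that turns the client-side items (2, 3/11, 4/6, 10 and 12) into a single check run on the client, then triggers a registration and verifies the record. It assumes a Windows 8 / Server 2012 or newer client with the DnsClient module; `$InternalDns` holds constructed addresses standing in for the internal DNS servers that host the AD zone.

```powershell
# Added example (not from the original page). Assumes the DnsClient module (Windows 8 /
# Server 2012 and newer). Zone name from the question; DNS server addresses are constructed.
$ZoneName    = 'contoso.com'
$InternalDns = @('10.0.0.10', '10.0.0.11')   # constructed: the DCs hosting the AD zone
$issues      = New-Object System.Collections.Generic.List[string]

# Item 2: the primary DNS suffix must equal the zone name, or the client does not know
# which zone to register in. The suffix is stored under the TCP/IP parameters key.
$tcpip = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'
if ($tcpip.Domain -ne $ZoneName) {
    $issues.Add("Primary DNS suffix is '$($tcpip.Domain)', expected '$ZoneName'.")
}

# Items 3 and 11: with secure-only updates, a host that is not a domain member is refused.
$cs = Get-CimInstance -ClassName Win32_ComputerSystem
if (-not $cs.PartOfDomain) {
    $issues.Add("Computer is in workgroup '$($cs.Domain)'; secure dynamic updates will be refused.")
}

# Items 4 and 6: every configured DNS server must host the AD zone; no ISP or router addresses mixed in.
Get-DnsClientServerAddress -AddressFamily IPv4 |
    Where-Object { $_.ServerAddresses } |
    ForEach-Object {
        foreach ($srv in $_.ServerAddresses) {
            if ($srv -notin $InternalDns) {
                $issues.Add("Interface '$($_.InterfaceAlias)' uses non-internal DNS server $srv.")
            }
        }
    }

# Item 10: "Register this connection's addresses in DNS" must be enabled on the interface.
Get-DnsClient | Where-Object { -not $_.RegisterThisConnectionsAddress } | ForEach-Object {
    $issues.Add("Interface '$($_.InterfaceAlias)' has DNS registration disabled.")
}

# Item 12: on Vista/2008 and newer the DNS Client (Dnscache) service must be running.
$svc = Get-Service -Name Dnscache
if ($svc.Status -ne 'Running') {
    $issues.Add("DNS Client service is $($svc.Status).")
}

if ($issues.Count -eq 0) {
    # Force a registration attempt (equivalent to "ipconfig /registerdns"), give the
    # asynchronous update a moment, then confirm the record on an internal server.
    Register-DnsClient
    Start-Sleep -Seconds 5
    $fqdn = "$env:COMPUTERNAME.$ZoneName"
    $rec  = Resolve-DnsName -Name $fqdn -Type A -Server $InternalDns[0] -ErrorAction SilentlyContinue
    if ($rec) {
        Write-Output "Registered: $fqdn -> $($rec.IPAddress -join ', ')"
    } else {
        Write-Warning "No A record for $fqdn on $($InternalDns[0]); check the zone's dynamic update setting and the DNS server event log."
    }
} else {
    $issues | ForEach-Object { Write-Warning $_ }
}
```

`Get-DnsClient` also returns virtual and tunnel interfaces, so an interface with registration disabled is reported as a warning rather than treated as fatal; review the interface alias before changing anything.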

Leanne

B

"If you install DNS server on a non-DC, then you are not able to create AD-integrated zones. DNS update security is available only for zones that are integrated into AD DS. When you directory-integrate a zone, Access Control List (ACL) editing features are available in DNS Manager so that you can add or remove users or groups from the ACL for a specified zone or resource record."

Here is what is listed: "Your network contains an Active Directory domain named contoso.com. The DNS zone for contoso.com is Active Directory integrated."

I therefore believe the correct answer is “B – Configure the Dynamic updates settings of the contoso.com zone”.

https://technet.microsoft.com/en-us/library/cc771255.aspx

chaserZX

True, but the question states what should you do first. You can't do B without doing A.

shawn

But it's already an ADI zone; it's already on a DC.

As in :
Secure dynamic updates in Active Directory-integrated zones.

You can configure Active Directory-integrated zones for secure dynamic updates so that only authorized users can make changes to a zone or to a record.

http://support.microsoft.com/kb/816592

billkom

Server1 is a member server, not a DC, hence the zone is not AD integrated.

Mike

Answer is confirmed A. Tested in lab.

You cannot change the dynamic update properties of the zone to "Secure only" if the DNS role that holds that zone is not located on a domain controller.

ChaserZX is right. You cannot do B without A first.

The question does not say DNS is on a DC. They use the term “Server1” which means it is only on a member server. Microsoft likes to use names like DC01 and Server01 to show you what the roles of the server are.

In this case, DNS is not on a DC which invalidates B as an answer.

Proper answer is “A”.