70-640 Windows Server 2008 Active Directory, Configuring:
Configuring DNS for Active Directory
- Configuring zones
- Configuring DNS server settings
- Configuring zone transfers and replication
Chapter 1: Configuring DNS for Active Directory
The Domain Name System (DNS) is a highly scalable system for mapping host names to numerical
Internet Protocol (IP) addresses. On Transmission Control Protocol/Internet Protocol (TCP/IP) networks
such as the Internet, computers are assigned unique IP addresses. These numerical addresses are not
particularly user friendly, so computers are also given host names. DNS is a hierarchical naming system
for organizing computers into domains and mapping host names to IP addresses. When a user enters a DNS
name such as www.kurtdillard.com into an application, the DNS service is used to find the IP address
assigned to that host name. DNS is a critical piece of any network that includes AD DS: member computers
use DNS to find domain controllers and other servers for activities such as authentication, accessing file
shares, and browsing web servers, so a misconfigured or compromised DNS server disrupts every one of those
activities. Understanding how to deploy and manage the DNS Server role in Windows Server 2008 will help you
leverage Active Directory Domain Services (AD DS) more effectively in your organization. In this chapter I
will cover managing DNS zones, replication, and other DNS settings. More specifically, you will learn about
the following:
• Configure zones.
• Configure DNS server settings.
• Configure zone transfers and replication.
Configuring DNS Zones
DNS records are partitioned into zones. A zone contains the resource records for the hosts that belong to
the corresponding portion of the DNS namespace, and that namespace can include one or more DNS domains.
Zones are maintained by DNS servers and can be stored either as a file or within Active Directory. In the
latter case the size of the zone affects how long the DNS Server service takes to initialize, because the
zone data must be retrieved from Active Directory; we'll explore this further later in this section.
You may want to delegate a portion of the DNS namespace for a couple of reasons: to assign management to
a department within the organization, or to improve performance by spreading the load of a large DNS
database across separate DNS servers. Consider an extended example: you might store all of the records for
your publicly accessible hosts in one zone, kurtdillard.com, which could include hosts named
www.kurtdillard.com, ftp.kurtdillard.com, and mail.kurtdillard.com. Internal hosts could be organized by
geographic location within subdomains, each stored as a separate zone, e.g. americas.kurtdillard.com and
europe.kurtdillard.com. This example is represented in figure 1 below. In the rest of this section we will
explore the various kinds of zones available in Windows Server 2008 and how to manage them.
Figure 1: DNS Zone Delegation
Start of Authority (SOA)
The first record in any DNS zone is the Start of Authority (SOA) resource record (RR). The SOA RR names
the primary DNS server for the zone, i.e., the best source of data for the zone, and carries the zone's
serial number together with the refresh, retry, expire, and minimum TTL values that secondary servers and
resolvers rely on. The SOA RR is created along with the zone; for a secondary zone it arrives with the
first transfer from the master. Figure 2 shows DNS Manager with various elements highlighted. In this case
the server is the first domain controller in a new domain within a new forest, and the SOA record was
created automatically during the installation of AD DS.
Figure 2: DNS Manager
To manage the SOA record for a zone, navigate to the desired zone within DNS Manager, right-click the
SOA record, and select Properties. Figure 3 shows the SOA RR from my test domain. In most cases the default
values for refresh, expiration, and time to live (TTL) are sufficient; however, you may wish to increase
them to reduce DNS traffic on your network. The refresh and expire values govern how often secondary
servers poll the primary, while the TTL governs how long resolvers and other DNS servers cache answers.
The downside of increasing these values is that secondary servers and clients take longer to learn about
configuration changes and are therefore more likely to have problems finding hosts on your network after a
change.
Figure 3: Start of Authority Resource Record
Managing Other Resource Records
There are other types of resource records in addition to the SOA RR. Each type has a specific purpose
related to helping clients locate remote hosts and services. The most common kinds are:
• Host (A) resource records: map a host name to a 32-bit IPv4 address.
• IPv6 host (AAAA) resource records: map a host name to a 128-bit IPv6 address.
• Name server (NS) resource records: map a domain name to the list of DNS servers authoritative for
the domain; they are also how a parent zone delegates a subdomain.
• Service location (SRV) resource records: map a service name within a DNS domain to the list of
computers that provide the service, for example, the SRV RRs registered by domain controllers are
what clients use to locate Active Directory domain controllers.
• Mail exchange (MX) resource records: map a DNS domain name to the name of a mail exchange
computer for the domain.
• Alias (CNAME) resource records: also called canonical name records, these map an alias to a
canonical host name so that multiple DNS names resolve to a single host.
• Pointer (PTR) resource records: used for the reverse lookup process, which is discussed in more
detail later in this chapter.
Resource records can be added to and updated in the zone database either manually or automatically. The
manual process, also referred to as Non-Dynamic DNS (NDDNS), is useful for records that are unlikely to
change for a long time, such as those of public-facing web and mail servers. To manually add a static
record using DNS Manager:
1. Right-click the desired zone and select Other New Records.
2. Select the type of record to create from the Select a resource record type list.
3. Click Create Record.
4. Enter the information for the new record in the New Resource Record dialog box and click OK to
add the record to the database. The information required for the new record varies depending
upon its type.
To manually add a record from a command prompt, open a command prompt with administrative privileges,
type the following command, and press ENTER:
dnscmd <ServerName> /RecordAdd <ZoneName> <NodeName> [/Aging] [/OpenAcl] [<Ttl>] <RRType>
<RRData>
As you can see, the command has many options; Table 1 briefly explains each. You can view more detailed
information about all of these options by entering the following command:
dnscmd /RecordAdd /help
Parameter Description
<ServerName> Required. The host name or IP address of the DNS server where the record is to be created.
/RecordAdd Required. Specifies the action to be taken, in this case adding a new record.
<ZoneName> Required. The fully qualified domain name (FQDN) of the zone.
<NodeName> Required. The name of the node, either relative to the zone or as an FQDN; use @ to add the
record at the zone root.
[/Aging] Optional. Marks the record as eligible for aging and scavenging; without it the record is
static and is never scavenged.
[/OpenAcl] Optional. Allows any user to modify the record; without it only administrators can do so.
Leave it off for server records, otherwise any user who can reach the server could point the
name somewhere else.
[<Ttl>] Optional. The time to live (TTL) for the record, in seconds.
<RRType> Required. The kind of record to add, e.g. A, AAAA, MX, NS, CNAME, SRV, or PTR.
<RRData> Required. The data for the record; the fields vary with the record type and are separated by
spaces.
Table 1: Dnscmd options when adding records.
Enterprise networks can be large, with hundreds of thousands of hosts, and managing static records for so
many hosts isn't feasible. To address this challenge Windows Server 2008 also supports dynamically updated
records. There are two ways in which records can be dynamically updated. First, the DHCP Client service on
the client computer can register the computer's own records with the DNS server at boot-up and periodically
thereafter. Second, you can configure DHCP servers, if they support the feature, to register clients when
they assign an address to a host. There are two methods available for dynamic updates: Dynamic DNS (DDNS)
and Secure Dynamic DNS (SDDNS). DDNS is the least secure choice because the server accepts updates from any
host that can reach it: an untrusted machine can register, overwrite, or delete records, including those
of servers, and so redirect traffic meant for them. Its advantage is that it is supported by a wider range
of operating systems. SDDNS authenticates each update with the client's Kerberos identity and protects the
resulting records with AD DS permissions, so by default only the account that registered a record (and
administrators) can change it. SDDNS is only available for Active Directory-integrated zones, and it's the
preferred configuration whenever possible. The default setting for new zones is NDDNS, that is, dynamic
updates are disabled, unless the new zone is integrated with Active Directory, in which case SDDNS is the
default setting.
To enable or disable dynamic updates in DNS Manager, right-click the desired zone, select Properties, make
the appropriate selection in the Dynamic Updates drop-down list, and click OK. To configure dynamic updates
from a command prompt, type the following command and press ENTER:
dnscmd <ServerName> /Config {<ZoneName>|..AllZones} /AllowUpdate <Value>
Table 2 briefly explains each of the command line options.
Parameter Description
<ServerName> Required. The host name or IP address of the DNS server where the zone is stored.
/Config Required. Specifies the action to be taken, in this case modifying the specified zone.
<ZoneName>|..AllZones Required. The fully qualified domain name (FQDN) of the zone; type ..AllZones to
configure every zone stored on the server.
/AllowUpdate <Value> Required. 0 disables dynamic updates, 1 accepts both nonsecure and secure updates,
and 2 accepts secure updates only (valid only for Active Directory-integrated zones).
Table 2: Dnscmd parameters when configuring a zone.
Tip: The graphical tool for DNS administration in Windows Server 2008 is the DNS Manager Microsoft
Management Console (MMC) snap-in, henceforth referred to as "DNS Manager." There is also a command prompt
tool, dnscmd, which is useful for managing Server Core installations and for scripting administrative
tasks. While many administrators will be most comfortable using DNS Manager, you should also familiarize
yourself with the command prompt tool.
Understanding DNS Zones
The DNS Server role supports three different types of zones: primary, secondary, and stub. Only primary
and stub zones can be configured as Active Directory-integrated zones, and only when the server is a domain
controller in an Active Directory domain. The difference between integrated and non-integrated zones is
where the zone information is stored. Active Directory-integrated zones are stored within AD DS. Zones
that are not integrated are stored as text files, by default in %windir%\System32\dns.
Caution: Although it may be tempting to edit these DNS text files in Notepad or some other text editor,
Microsoft strongly recommends that you do not. Instead, always use the built-in tools such as DNS Manager
to configure zones and resource records, which ensures proper formatting and keeps the serial number and
versioning consistent.
Primary
A primary zone is the writable master copy of a zone. A DNS server hosting the primary zone is the
authoritative source for information about that zone.
Secondary
A secondary zone is a read-only copy of a zone. A server hosting a secondary zone must download the
zone data and ongoing updates to the data from another server hosting the same zone. A secondary copy
cannot be stored in AD DS because it is merely a copy of a primary zone stored on another server.
Stub
A stub zone is a copy of a zone that contains only the SOA record, the NS records for the authoritative
DNS servers of that zone, and the glue host records needed to reach them. A server hosting a stub zone must
download the zone data, and ongoing updates to it, from another server hosting the same zone. When properly
implemented stub zones can improve name resolution efficiency by allowing DNS servers to complete recursive
queries without having to query the Internet or internal root servers. Stub zones also tend to be less
processor intensive than conditional forwarding.
Expert Discussion: Why Background Zone Loading is Important
Background zone loading is a new feature in Windows Server 2008 that large organizations may find very
useful. In previous versions of the DNS Server service all of the DNS data stored in AD DS had to be loaded
before the server would start responding to DNS queries, and some enterprises had to endure waits of an
hour or more when restarting their DNS servers. In Windows Server 2008 the DNS Server service can start
responding to client requests much more quickly because it does so while continuing to retrieve zone data
from AD DS. When clients request data for a zone that has already been loaded the DNS server responds
normally; when they request data for a zone that hasn't been loaded yet, it retrieves the information
from AD DS and then responds to the client.
Creating New Zones
To create a new zone in DNS Manager, right-click either the DNS server, Forward Lookup Zones, or Reverse
Lookup Zones and select New Zone. If you start from the server node the wizard displays an additional page
asking whether to create a forward or reverse lookup zone. The wizard prompts you for information described
earlier in this chapter, such as zone type, zone name, and dynamic updates; for an Active Directory-
integrated zone it also asks you to specify the replication scope, as shown in figure 4. Replication scope
is discussed in more detail later in this chapter.
Figure 4: Selecting the Active Directory replication scope in the New Zone Wizard
To create a new zone from a command prompt type the following command and press ENTER:
dnscmd <ServerName> /ZoneAdd <ZoneName> {/Primary|/DsPrimary|/Secondary <MasterIPAddress...>|
/Stub <MasterIPAddress...>|/DsStub <MasterIPAddress...>} [/file <FileName>] [/load] [/a <AdminEmail>]
[/DP <FQDN>]
Once again, there are many options available; table 3 briefly explains each.
Parameter Description
<ServerName> Required. The host name or IP address of the DNS server where the zone is stored.
/ZoneAdd Required. Specifies the action to be taken, in this case adding a new zone.
<ZoneName> Required. The fully qualified domain name (FQDN) of the zone.
{/Primary|/DsPrimary|/Secondary|/Stub|/DsStub} Required. Defines the zone type; /DsPrimary and /DsStub
indicate AD DS-integrated zones. /Secondary, /Stub, and /DsStub must be followed by the IP
address of at least one master server from which the zone is copied.
[/file <FileName>] Required only when creating a primary zone that is not integrated with AD DS.
[/load] Optional. Loads the zone from the existing file; otherwise the default zone records are
generated automatically.
[/a <AdminEmail>] Optional. Specifies an email address for the zone's administrator (stored in the
SOA record).
[/DP <FQDN>] Optional. Specifies the FQDN of the application directory partition in which the zone
is to be stored.
Table 3: Dnscmd parameters when creating a zone
Zone Aging and Scavenging
Out-of-date resource records can accrete in a zone database much like barnacles on a freighter. If the
number of stale records becomes substantial it can impact performance by consuming disk space, slowing
responses to queries, and sending outdated information to clients. In some cases stale records may prevent
a name from being reused by other hosts in the domain. By observing the time stamps on resource records
the DNS Server service can automatically remove records when they have aged beyond the limit you specify.
To use these features they must be enabled at both the DNS server and zone levels.
Caution: There is a reason why the aging and scavenging features are disabled by default: when
implemented incorrectly they delete records that are still needed. For this reason only implement these
features once you fully understand all of the options available.
Normally only dynamically updated records are configured to be scavenged, because in most cases a static
record is created for a server that is going to be sharing resources for a relatively long time. By
default static records are given a time stamp of zero, which exempts them from aging and scavenging. You
can change this by modifying the records individually to permit them to use a current time stamp instead.
The aging and scavenging concepts introduce some terms that you may not be familiar with:
• No-refresh interval: The period after a record's time stamp is set during which the server refuses to
refresh the time stamp again. Updates that change the record's data are still accepted.
• Refresh interval: The period, following the no-refresh interval, during which the time stamp can be
refreshed. A record becomes eligible for scavenging only after both intervals have elapsed. The
refresh interval must be at least as long as the longest period between a client's refresh attempts,
otherwise records of live hosts will be scavenged.
• Scavenging period: The period of time between scavenging operations.
• Record refresh: This occurs when a dynamic update is processed and the only change made to the
record is to update its time stamp. This happens when a computer restarts, every 24 hours when the
computer attempts to update its record, and when other network services attempt a refresh.
• Record update: This occurs when a dynamic update is processed and other characteristics are
modified in addition to its time stamp.
• Scavenging servers: It is possible to restrict scavenging to a specific list of DNS servers,
identified by their IP addresses.
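The interaction between the two intervals is easier to see in code than in prose. The following simulator is an added example, not code from the chapter or from the Windows DNS Server service: it models the no-refresh, refresh, and scavenging rules with plain integers (hours on an arbitrary clock, a time stamp of 0 meaning a static record, as in Windows) and reproduces the failure the caution above warns about, a refresh interval shorter than a client's 24-hour refresh cycle causing a live host's record to be scavenged. The record names and addresses are constructed for the example.

```python
"""Aging and scavenging window simulator (added example, not Microsoft code).

Times are hours on an arbitrary clock. A timestamp of 0 marks a static record,
which Windows never scavenges. Defaults are the Windows Server 2008 values of
7 days (168 hours) for both intervals.
"""
from dataclasses import dataclass

NO_REFRESH_HOURS = 168  # default no-refresh interval
REFRESH_HOURS = 168     # default refresh interval


@dataclass
class Record:
    name: str
    rtype: str
    rdata: str
    timestamp: int  # hours; 0 means static, never aged


def try_refresh(rec: Record, now: int, no_refresh: int = NO_REFRESH_HOURS) -> bool:
    """Process a dynamic update that changes nothing but the timestamp.

    Inside the no-refresh window the server ignores it (this is what keeps
    AD replication traffic down); afterwards the timestamp moves to `now`.
    Static records are never timestamped. Returns True if the stamp moved.
    """
    if rec.timestamp == 0 or now < rec.timestamp + no_refresh:
        return False
    rec.timestamp = now
    return True


def update_data(rec: Record, now: int, rdata: str) -> None:
    """A record update (data changed) resets the timestamp even inside the
    no-refresh window; static records stay static."""
    rec.rdata = rdata
    if rec.timestamp != 0:
        rec.timestamp = now


def is_stale(rec: Record, now: int, no_refresh: int = NO_REFRESH_HOURS,
             refresh: int = REFRESH_HOURS) -> bool:
    """Eligible for scavenging once timestamp + no_refresh + refresh has passed."""
    return rec.timestamp != 0 and now >= rec.timestamp + no_refresh + refresh


def scavenge(zone, now: int, no_refresh: int = NO_REFRESH_HOURS,
             refresh: int = REFRESH_HOURS):
    """Split the zone into (kept, removed) as one scavenging pass at `now` would."""
    kept, removed = [], []
    for rec in zone:
        (removed if is_stale(rec, now, no_refresh, refresh) else kept).append(rec)
    return kept, removed


def survives(register_at: int, refresh_attempts, scavenge_at: int,
             no_refresh: int = NO_REFRESH_HOURS, refresh: int = REFRESH_HOURS) -> bool:
    """Does a record registered at `register_at`, whose owner attempts a refresh
    at each hour in `refresh_attempts`, still exist after a scavenging pass at
    `scavenge_at`? Attempts at or after the pass are too late to help."""
    rec = Record("host", "A", "192.168.2.10", register_at)  # constructed sample
    for t in sorted(refresh_attempts):
        if t >= scavenge_at:
            break
        try_refresh(rec, t, no_refresh)
    return not is_stale(rec, scavenge_at, no_refresh, refresh)
```

With the defaults, a client that registers at hour 24 and retries every 24 hours (38, 62, ... 182, 206) survives a scavenging pass at hour 205: the attempts before 192 are ignored, but the record is not stale until hour 360. Shorten the refresh interval to 12 hours and the same client loses its record, because the stale point (hour 204) arrives before its next attempt at 206.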
To configure aging and scavenging for a zone in DNS Manager:
1. Right-click on the zone and select Properties.
2. Click Aging on the General tab of the dialog box.
3. Select the Scavenge stale resource records check box.
4. Modify the other properties as appropriate.
To configure aging and scavenging for a zone from a command prompt, enter the following command:
dnscmd <ServerName> /Config <ZoneName> {/Aging <Value>|/RefreshInterval <Value>|/NoRefreshInterval
<Value>}
Table 4 briefly explains each option.
Parameter Description
<ServerName> Required. The host name or IP address of the DNS server where the zone is stored.
/Config Required. Specifies the action to be taken, in this case modifying the specified zone.
<ZoneName> Required. The fully qualified domain name (FQDN) of the zone.
/Aging <Value> One of these three settings is required per command. Set the value to 1 to enable
aging for the zone, or 0 to disable it.
/RefreshInterval <Value> Specifies the refresh interval in hours; the default is 168 (7 days).
/NoRefreshInterval <Value> Specifies the no-refresh interval in hours; the default is 168 (7 days).
Table 4: Dnscmd parameters for scavenging at the zone level
To configure aging and scavenging for a DNS server in DNS Manager right-click on the server and click
Set Aging/Scavenging for all zones, then select the Scavenge stale resource records check box and
modify the other properties as appropriate.
To configure aging and scavenging for a DNS server from a command prompt, enter the following
command:
dnscmd <ServerName> /Config {/ScavengingInterval <Value>|/DefaultAgingState
<Value>|/DefaultNoRefreshInterval <Value>|/DefaultRefreshInterval <Value>}
Table 5 briefly explains each option.
Parameter Description
<ServerName> Required. The host name or IP address of the DNS server to configure.
/Config Required. Specifies the action to be taken, in this case modifying the server's settings.
/ScavengingInterval <Value> One of these four settings is required per command. Specifies, in hours,
how often the server scavenges the zones that have aging enabled; 0 disables scavenging on
this server.
/DefaultAgingState <Value> Sets the default aging configuration for new zones: 1 enables aging and 0
disables it.
/DefaultRefreshInterval <Value> Specifies the default refresh interval for new zones, in hours.
/DefaultNoRefreshInterval <Value> Specifies the default no-refresh interval for new zones, in hours.
Table 5: Dnscmd parameters for scavenging at the server level
Understanding Forward Lookups and Reverse Lookups
A forward lookup occurs when a client looks for the IP address assigned to a particular host name.
Resolution happens in several stages. A Windows client first checks its local resolver cache of recent
DNS answers, which is pre-loaded from the hosts file at boot-up. If the name is not cached the client sends
the query to its preferred DNS server. Only if DNS cannot resolve the name, and the name is a single label
of 15 characters or fewer, does the client fall back to NetBIOS name resolution. The DNS server answers
directly if the name is in a zone it hosts or in its cache of previous queries; otherwise it starts the
recursion process, using its list of root hints to find the DNS servers authoritative for the domain in
which the host is located. By default the root hints point to the publicly available root servers, which
delegate the top-level domains such as "com," "info," "org," and "us." So if the host name is
www.kurtdillard.com the DNS server queries one of the root servers, which refers it to the servers for
"com," which in turn refer it to the DNS servers authoritative for kurtdillard.com. Finally it queries a
kurtdillard.com DNS server for the IP address of the host named www and returns the answer to the original
client. Figure 5 illustrates the lookup process from the point where the client queries its preferred DNS
server.
Figure 5: Recursive forward lookup
DNS also supports reverse lookups, in which the client knows the IP address but wants to learn the
host name assigned to it. Why would anyone want to do that? There are many situations where it is useful:
for example, when parsing a web site's log files, knowing the domains your visitors come from helps you
understand their usage patterns. An organization hosting a publicly available Internet Relay Chat (IRC)
service might want to record both host names and IP addresses in real time so that complaints of
harassment or other unauthorized behavior can be followed up. Reverse lookups need a separate part of the
namespace because the DNS tree is delegated by name while IP addresses are assigned by network prefix,
and because domain names are most significant on the right whereas IP addresses are most significant on
the left. That is why the octets of the address are reversed when building the reverse lookup tree. A
special domain, in-addr.arpa, is reserved for this purpose. A reverse lookup zone is named by reversing
the network portion of the address and appending in-addr.arpa; for example, the subnet 192.168.2.0/24
corresponds to a zone named 2.168.192.in-addr.arpa. The DNS service can create a pointer (PTR) RR for each
host record added to the forward zone if you select that option when creating the host record.
The reverse lookup process is similar to a forward lookup. The client reverses the address, appends
in-addr.arpa, and queries its DNS server for the PTR RR at that name. The server then performs the lookup
normally, first looking in its own zones and cache and then performing a recursive query if necessary.
Figure 6 illustrates a simple reverse lookup in which the server named www.kurtdillard.com wants to know
the host name of the client that has initiated communications.
Figure 6: Reverse lookup
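The naming rules above are mechanical enough to script. The block below is an added example, not code from the chapter or from Windows: it derives reverse zone names from a network (going beyond the chapter to cover ip6.arpa as well, since the same rule applies nibble by nibble), shows the owner name a resolver actually queries for an address, and generates the PTR records for the addresses of a forward zone that fall inside a given network, which is what the "create associated pointer (PTR) record" option in DNS Manager does one record at a time. The host names and addresses are constructed for the example; it uses only the Python standard library.

```python
"""Reverse-lookup zone naming and PTR generation (added example, not Microsoft code)."""
import ipaddress
from typing import Optional


def reverse_zone_name(network: str) -> str:
    """Zone name for a network on an octet (IPv4) or nibble (IPv6) boundary,
    which is what the New Zone wizard creates without any RFC 2317 tricks."""
    net = ipaddress.ip_network(network, strict=True)
    if net.version == 4:
        if net.prefixlen % 8:
            raise ValueError("IPv4 reverse zones need a /8, /16 or /24 network")
        octets = str(net.network_address).split(".")[: net.prefixlen // 8]
        return ".".join(reversed(octets)) + ".in-addr.arpa"
    if net.prefixlen % 4:
        raise ValueError("IPv6 reverse zones need a prefix length that is a multiple of 4")
    nibbles = net.network_address.exploded.replace(":", "")[: net.prefixlen // 4]
    return ".".join(reversed(nibbles)) + ".ip6.arpa"


def ptr_owner_name(address: str) -> str:
    """The name a resolver queries for a reverse lookup of `address`."""
    return ipaddress.ip_address(address).reverse_pointer


def zone_for_address(address: str, zones) -> Optional[str]:
    """Pick the most specific reverse zone (longest name) that holds `address`,
    or None if the server is not authoritative for any matching zone."""
    owner = ptr_owner_name(address)
    matches = [z for z in zones if owner.endswith("." + z)]
    return max(matches, key=len) if matches else None


def ptr_records(forward_records: dict, network: str) -> list:
    """(owner, target FQDN) PTR pairs for the A/AAAA records inside `network`.
    The target always ends with a dot: a PTR target is a fully qualified name."""
    net = ipaddress.ip_network(network)
    out = []
    for fqdn, ip in forward_records.items():
        if ipaddress.ip_address(ip) in net:        # False for a mismatched IP version
            out.append((ptr_owner_name(ip), fqdn.rstrip(".") + "."))
    return sorted(out)
```

`zone_for_address` mirrors what the server does when it receives a PTR query: the longest matching reverse zone wins, so a 2.168.192.in-addr.arpa zone takes precedence over a broader 168.192.in-addr.arpa zone on the same server.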
Exercise 1: Prepare Your Practice Lab
To ensure that you understand how to perform the tasks related to managing Windows Server 2008 it's
helpful to get hands-on with the software. The availability of free virtualization software and evaluation
copies of Microsoft's operating systems means that even students with very tight budgets can build
themselves a flexible environment for becoming familiar with Windows Server 2008. There are numerous
software-based virtualization products available; since it's free, easy to use, and reliable, I recommend
that you download and install Microsoft's Virtual PC. As with many of their products, if you simply append
the product name to their public web address you'll be forwarded to the home page for Virtual PC, where
you can access the free download: http://www.microsoft.com/virtualpc. Install Virtual PC on your test
machine; in most cases the default settings are sufficient. If you have multiple machines available use
the one with the most physical memory installed. A speedy hard drive and CPU also help, but RAM is the most
important component for performance when using software virtualization.
You can download ISO images for both 32- and 64-bit versions of Windows Server 2008 from the Try It
web page. Click the download link for trial software; I suggest that you do these exercises with the 64-bit
build if your computer supports it. If this URL has changed you should be able to find links to the
evaluation software on the Windows Server 2008 web page. These files are very large; however, I am able to
download them overnight and I live in Buenos Aires, so surely you can find a way too! You could also try
the virtual labs and the virtual hard drives, however I prefer to download and build my servers because the
virtual labs aren't as flexible and the virtual hard drive images currently available were built with
pre-release versions of the operating system.
Once you have downloaded the ISO image you can burn it to a DVD, but it's not necessary to do so because
Virtual PC is able to mount ISO images as if they were an actual DVD or CD. If you are unfamiliar with
Virtual PC, it includes extensive documentation in its help file. To create a new virtual machine with
Windows Server 2008 installed, start Virtual PC and do the following:
1. Click New…
2. The New Virtual Machine Wizard starts; click Next.
3. On the Options page make sure that Create a new virtual machine is selected and click Next.
4. Type a name for your new virtual machine; click Browse… if you want to specify a location other
than the default for storing the virtual machine's configuration file.
5. Click Next, then click Next again on the Operating System page.
6. Select Adjusting the RAM, type 512 in the text box, and click Next.
7. Select A new virtual hard disk and click Next.
8. Specify a path and file name for the virtual hard disk and click Next.
9. Click Finish.
10. Ensure that the new virtual machine is selected and click Start to launch it.
11. Click the CD menu and select Capture ISO Image…
12. Navigate to where you saved the ISO image, select it, and click Open. If the virtual machine's
boot process is already too far along you can reboot it from the Action menu by selecting Reset.
13. You should be able to install Windows Server 2008 the same way you would on a physical machine.
Use the default options throughout the installation, but be sure to choose a sensible host name
when given the opportunity.
To make it easier to tear down and restart your practice lab I suggest that you make a copy of the virtual
hard disk file once the operating system installation is complete. Some of the other exercises require two
servers, so you ought to make yet another copy.
Configuring Zone Transfers and Replication
Zone transfers were once the most common way to replicate DNS database updates between servers; in
recent years other replication mechanisms have become increasingly popular. There are two types of zone
transfer: full and incremental. The DNS Server service in Windows Server 2008 supports zone transfers as
well as AD DS replication. This section explores each of these features.
Configuring Zone Transfers
A full zone transfer is fairly simple. The client, also called the "secondary" or "slave" server,
periodically queries the server, also called the "primary" or "master," for the zone's SOA resource
record. Since the serial number in the SOA RR is incremented each time the zone changes, the client
compares the serial number of the server's SOA with that of its own copy; if they are identical the client
concludes that there have been no changes and no transfer takes place. If the server's serial number is
newer the client requests a full transfer (AXFR) of all of the zone's records. An incremental zone
transfer (IXFR) differs in that the client's request includes its own copy of the SOA RR; the server
compares the serial numbers and sends only the changes that have occurred since that version of the zone.
If the server does not have the change history back to the client's version it responds with a full
transfer instead.
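The decision the secondary makes after polling the SOA is worth seeing end to end, including the detail that DNS serial numbers are compared with wrapping 32-bit arithmetic (RFC 1982) rather than as plain integers. The model below is an added example, not code from the chapter or from the Windows DNS Server service: a primary that keeps a change log and a secondary that compares serials and then picks no transfer, an incremental transfer, or a full transfer the way RFC 1995 describes, falling back to a full transfer when the primary's log does not reach back to the secondary's version. Zone contents are simplified to a dictionary of A records, and the names, addresses, and serials are constructed for the example.

```python
"""SOA serial arithmetic and the full/incremental transfer decision (added example)."""
from dataclasses import dataclass, field
from typing import Optional

SERIAL_MOD = 1 << 32
SERIAL_HALF = 1 << 31


def serial_gt(a: int, b: int) -> bool:
    """RFC 1982 comparison: is serial a newer than b, allowing for 32-bit wrap?"""
    return (a < b and b - a > SERIAL_HALF) or (a > b and a - b < SERIAL_HALF)


@dataclass
class Primary:
    serial: int
    records: dict                                  # owner name -> IPv4 address
    history: list = field(default_factory=list)    # (serial_before, removed, added)

    def update(self, removed: dict, added: dict) -> int:
        """Apply a change, bump the serial and log the delta for IXFR."""
        before = self.serial
        for name in removed:
            self.records.pop(name, None)
        self.records.update(added)
        self.serial = (self.serial + 1) % SERIAL_MOD
        self.history.append((before, dict(removed), dict(added)))
        return self.serial

    def ixfr(self, client_serial: int):
        """Deltas newer than client_serial, or None when the log does not reach
        back that far (a real server then answers with the whole zone)."""
        for i, (before, _, _) in enumerate(self.history):
            if before == client_serial:
                return self.history[i:]
        return None


@dataclass
class Secondary:
    serial: Optional[int] = None                   # None: no copy of the zone yet
    records: dict = field(default_factory=dict)

    def refresh(self, primary: Primary) -> str:
        """One refresh cycle: compare SOA serials, then transfer only if needed."""
        if self.serial is not None and not serial_gt(primary.serial, self.serial):
            return "none"                          # same serial, or primary went backwards
        deltas = None if self.serial is None else primary.ixfr(self.serial)
        if deltas is None:                         # AXFR: replace the whole copy
            self.records = dict(primary.records)
            self.serial = primary.serial
            return "axfr"
        for _, removed, added in deltas:           # IXFR: replay the change log
            for name in removed:
                self.records.pop(name, None)
            self.records.update(added)
        self.serial = primary.serial
        return "ixfr"
```

Note the "primary went backwards" branch: if someone restores a zone file with a lower serial, secondaries silently keep their newer copy, which is one reason the chapter warns against editing zone files by hand.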
Active Directory-integrated zones rely on AD DS replication between domain controllers, and whenever
feasible that is the preferred method. When file-based zone transfers are used, incremental zone
transfers consume less network bandwidth than full transfers and are therefore the next best choice. For
this reason the DNS Server service in Windows Server 2008 requests incremental zone transfers when
retrieving a zone from a primary server. To configure zone transfers using DNS Manager do the following:
1. Right-click on the desired zone, and then select Properties.
2. Click the Zone Transfers tab.
3. Enable or disable the Allow zone transfers check box.
4. If you have enabled transfers select the appropriate radio button: To any server, Only to the
servers listed on the Name Servers tab, or Only to the following servers; as shown in figure 7.
5. If the last button is selected click Edit and enter the IP addresses for each desired DNS server, as
shown in figure 8.
Figure 7: Specifying what servers are allowed to request zone transfers.
Figure 8: Defining the list of IP addresses for servers allowed to request zone transfers.
To configure zone transfers from a command prompt enter the following command:
dnscmd <ServerName> /ZoneResetSecondaries <ZoneName> {/NoXfr | /NonSecure | /SecureNs | /SecureList
[<SecondaryIPAddress...>]}
Table 6 briefly explains each of the command line options.
Parameter Description
<ServerName> This is a required parameter. You specify
either the host name or IP address of the DNS
server where the zone is stored.
/ZoneResetSecondaries This is a required parameter. The second
parameter specifies what action is to be taken,
in this case to configure zone transfers for the
specified zone.
<ZoneName> This is a required parameter. The fully
qualified domain name (FQDN) of the zone.
/NoXfr This option disables transfers.
/NonSecure This option permits transfers to any DNS
server.
/SecureNs This option permits transfers to servers listed
in the zone using name server resource
records.
/SecureList This option permits transfers to the list of
servers specified by SecondaryIPAddress
<SecondaryIPAddress> Required if /SecureList is used: a space-separated list
of one or more IP addresses of the DNS servers allowed
to obtain transfers.
Table 6: Dnscmd parameters for zone transfers.
Configuring DNS Notify
When DNS Notify is enabled for a zone the primary server will send messages to the secondary servers
notifying them when changes have occurred. You enable DNS Notify from the Zone Transfers tab of the
zone’s properties dialog box by clicking on the Notify… button. You can indicate a specific list of servers
or specify all servers on the Name Servers tab. When secondary servers receive the notification they can
initiate the normal zone transfer process. Configuring DNS Notify from the command prompt is a simple
variation on configuring zone transfers, to do so enter the following:
dnscmd <ServerName> /ZoneResetSecondaries <ZoneName> {/NoNotify|/Notify|/NotifyList <IPaddress>}
Parameter | Description
<ServerName> | This is a required parameter. You specify either the host name or IP address of the DNS server where the zone is stored.
/ZoneResetSecondaries | This is a required parameter. The second parameter specifies what action is to be taken, in this case to configure DNS Notify for the specified zone.
<ZoneName> | This is a required parameter. The fully qualified domain name (FQDN) of the zone.
/NoNotify | This option disables notification for the zone.
/Notify | This option enables notification for all servers on the Name Servers tab.
/NotifyList <IPaddress list> | This option enables notification for all servers provided in the subsequent list of IP addresses.
Table 7: Dnscmd parameters for DNS Notify.
Note: DNS Notify is not necessary for AD-integrated zones because the DNS servers automatically poll the
directory for changes on a regular basis.
Using Secure Zone Transfers
It is possible for nefarious individuals to learn a great deal about your network from your DNS servers. If
they are able to initiate full zone transfers for your internal and external zones they can learn the host
names and IP addresses for all of the computers listed in those zones. For this reason it’s a good idea to
limit zone transfers to a list of authorized DNS servers when using file-based replication. You accomplish
this within DNS Manager by selecting either Only to the servers listed on the Name Servers tab or Only
to the following servers when configuring zone transfers, or by specifying either /SecureNs or /SecureList
when using dnscmd from a command prompt.
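As an added example (not code from the book), here is a small Python helper that produces the dnscmd line for each file-based zone, combining the transfer switch (/SecureList, or /NoXfr when nothing should be allowed to pull the zone) with the matching Notify switch in one /ZoneResetSecondaries invocation; the server name dns1 and the zone inventory are constructed, and it assumes the addresses are literal IPs as /SecureList and /NotifyList expect.

```python
"""Generate the dnscmd lines that lock down zone transfers and DNS Notify for
file-based zones. Added example, not code from the book; the server name and the
zone-to-secondary inventory below are constructed."""
import ipaddress

# Constructed inventory: zone name -> IP addresses of its authorised secondaries
ZONE_SECONDARIES = {
    "corp.example.test": ["10.0.0.11", "10.0.0.12"],
    "dmz.example.test": ["192.0.2.20"],
    "lab.example.test": [],  # no secondaries at all: transfers must be off
}


def validated_ips(addrs):
    """Return the addresses as a list, raising ValueError on anything that is not
    a literal IP address, which is what /SecureList and /NotifyList expect."""
    for a in addrs:
        ipaddress.ip_address(a)
    return list(addrs)


def lockdown_command(server, zone, secondaries):
    """One /ZoneResetSecondaries invocation that sets both the transfer policy
    (/SecureList or /NoXfr) and the matching Notify policy for the zone."""
    ips = validated_ips(secondaries)
    base = f"dnscmd {server} /ZoneResetSecondaries {zone}"
    if not ips:
        # Nothing legitimately needs a copy of this zone: refuse every transfer
        return f"{base} /NoXfr /NoNotify"
    ip_list = " ".join(ips)
    return f"{base} /SecureList {ip_list} /NotifyList {ip_list}"


def lockdown_script(server, inventory):
    """Return the command line for every zone, sorted so the output is stable."""
    return [lockdown_command(server, z, inventory[z]) for z in sorted(inventory)]


if __name__ == "__main__":
    print("\n".join(lockdown_script("dns1", ZONE_SECONDARIES)))
```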
Exercise 2: Build Your Active Directory Domain
The next step in preparing your practice lab is to build an Active Directory domain. This is quite easy to do
in a test environment because you do not have to spend much time planning details such as your domain
namespace, your zone configuration, and your replication configuration whereas these and other
considerations are critical to a successful deployment in a production environment. To get started you first
have to install the Active Directory Domain Services role and then launch the installation wizard by
executing dcpromo. You can add the role from Server Manager by doing the following:
1. Navigate to Roles in the navigation pane and then select Add Roles in the Roles Summary pane.
2. Click Next.
3. Select Active Directory Domain Services on the Select Server Roles page, click Add Required
Features when prompted.
4. Click Next.
5. Complete the Add Roles wizard using the default settings.
6. On the Installation Results page click Close this wizard and launch the Active Directory
Domain Services Installation Wizard.
7. Use the default settings throughout the installation including installing the DNS Server role. You
will need to specify values for some options such as the AD restore mode password and an FQDN
for your domain; I suggest you pick something that is completely unresolvable from the Internet
like domain.test or testing.domain.
8. You will also need to specify that this is the first domain controller in a new domain, and the first
domain in a new forest.
9. Once the wizard has gathered all of the necessary information from you the installation will proceed
automatically; how long it takes will depend upon the hardware capacity of your test system.
Defining Replication Scope for Active Directory-Integrated Zones
When a DNS zone is integrated with Active Directory you need to specify where it will be stored and its
replication scope. You can specify the replication scope when creating a new zone and you can change it at
any time after creation. The following storage options are available for Active Directory-integrated zones:
• Forest-wide DNS application directory partition – This corresponds to To all DNS servers in
this forest in the Change Zone Replication Scope dialog box in DNS Manager. DNS zones stored
in the forest-wide partition are replicated to all DNS servers running on domain controllers in the
forest. This partition is automatically created when DNS is installed on the first domain controller
in a new forest. This provides the broadest scope of replication but generates the most replication
traffic.
• Domain-wide DNS application directory partition – This corresponds to To all DNS servers in
this domain in the Change Zone Replication Scope dialog box in DNS Manager. DNS zones
stored in this partition are replicated to all DNS servers running on domain controllers in the
domain. This partition is automatically created when DNS is installed on the first domain controller
in a new domain.
• Domain partition – This corresponds to To all domain controllers in this domain in the Change
Zone Replication Scope dialog box in DNS Manager. DNS zones stored in this partition are
replicated to all domain controllers in the domain, even those that are not running the DNS Server
service. This is the only option for zones that are replicated to domain controllers running Windows
2000 Server.
• Custom DNS application directory partition – This corresponds to To all domain controllers in
the scope of this directory partition in the Change Zone Replication Scope dialog box in DNS
Manager. DNS zones stored in this partition are replicated to all DNS servers running on domain
controllers that enlist in the partition. To utilize this type of partition you must first create the
application directory partition from a command prompt using dnscmd.
To create a DNS application directory partition enter the following at a command prompt:
Dnscmd <ServerName> /CreateDirectoryPartition <FQDN>
You specify the name of the new DNS application directory partition by entering a FQDN. After creating
the partition you are able to select it from the drop-down list as shown in figure 9.
Figure 9: Selecting a custom directory partition for replication scope.
To enlist a DNS server in an application directory partition enter the following at a command prompt:
Dnscmd <ServerName> /EnlistDirectoryPartition <FQDN>
To remove a DNS server from an application directory partition enter the following at a command prompt:
Dnscmd <ServerName> /UnenlistDirectoryPartition <FQDN>
In each case, you specify the name of the DNS application directory partition by entering its FQDN.
Expert Discussion: What is the GlobalNames Zone?
Windows Internet Name System (WINS) is a name resolution system that can be deployed independently
of or integrated with the DNS Server service. WINS will become obsolete though; it relies on NetBIOS
over TCP/IP, which is an older protocol that Microsoft (and many Windows sysadmins!) hope to avoid in
the future. One of the things that people like about WINS is that it facilitates using single-label names for
hosts. For example, on a WINS-enabled network you could connect to a shared folder by specifying
\\servername\sharename but on a network that only uses DNS for name resolution you would have to
specify the entire hostname like this: \\servername.domainname.suffix\sharename.
To help organizations migrate to all-DNS networks Windows Server 2008 introduces support for a new
type of DNS zone called the GlobalNames zone. It provides support for single-label name resolution for a
limited number of hosts. The number should be kept relatively small because the records in this zone must
be managed manually; it is not feasible to maintain records for every end-user PC in this type of zone.
When the GlobalNames zone is properly implemented a client attempting to resolve a single-label name
will first append its primary DNS suffix to the name. If resolution fails it will attempt resolution using its
DNS suffix search list. If that also fails the client attempts resolution using the single-label name; if the
name appears in the GlobalNames zone the DNS server will provide the answer to the client. If that also
doesn’t work the query fails over to WINS.
This feature has to be enabled and configured manually as follows:
1. Create an AD DS-integrated forward lookup zone named GlobalNames.
2. Enable support for the GlobalNames zone by running the following command for every
authoritative DNS server in the forest:
dnscmd <ServerName> /config /enableglobalnamessupport 1
Replace <ServerName> with the name of the authoritative DNS server.
3. Replicate the new zone to all domain controllers in the forest.
4. Add the desired alias (CNAME) resource records to the new zone.
5. Publish the location of the new GlobalNames zone in other forests as appropriate by adding service
location (SRV) resource records to the forest-wide DNS application partition, using the service name
_globalnames._msdcs and specifying the FQDN of the DNS server that hosts the GlobalNames
zone.
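To make the four-step order concrete, the following Python model (an added example, not code from the book or from Windows) resolves a single-label name against constructed zone data; the suffixes, the GlobalNames zone name and the WINS entry are all assumptions.

```python
"""Walk through the resolution order the chapter describes for a single-label
name once a GlobalNames zone exists. Added example, not code from the book or
from Windows; every zone, suffix and WINS entry below is constructed."""

# Constructed forward lookup data: FQDN -> (record type, record data)
DNS_RECORDS = {
    "fs01.corp.example.test": ("A", "10.0.1.5"),
    "wiki.dev.example.test": ("A", "10.0.9.8"),
    # The GlobalNames zone holds alias (CNAME) records pointing at real hosts
    "intranet.globalnames.example.test": ("CNAME", "web03.corp.example.test"),
    "web03.corp.example.test": ("A", "10.0.1.30"),
}
GLOBALNAMES_ZONE = "globalnames.example.test"  # constructed zone name
WINS_TABLE = {"LEGACYAPP": "10.0.5.77"}          # constructed WINS database


def dns_lookup(fqdn):
    """Resolve an FQDN to an IPv4 address, chasing CNAME chains; None if no answer."""
    visited = set()
    while fqdn in DNS_RECORDS and fqdn not in visited:
        visited.add(fqdn)
        rtype, data = DNS_RECORDS[fqdn]
        if rtype == "A":
            return data
        fqdn = data  # CNAME: continue with the alias target
    return None


def resolve_single_label(name, primary_suffix, search_list, globalnames=True):
    """Return (address, stage); `stage` records which step produced the answer."""
    label = name.lower()
    # Step 1: append the client's primary DNS suffix
    addr = dns_lookup(f"{label}.{primary_suffix}")
    if addr:
        return addr, "primary-suffix"
    # Step 2: try each entry of the DNS suffix search list in order
    for suffix in search_list:
        addr = dns_lookup(f"{label}.{suffix}")
        if addr:
            return addr, "search-list"
    # Step 3: single-label query; the server answers it from the GlobalNames zone
    if globalnames:
        addr = dns_lookup(f"{label}.{GLOBALNAMES_ZONE}")
        if addr:
            return addr, "globalnames"
    # Step 4: everything failed, so the client falls over to WINS (NetBIOS name)
    addr = WINS_TABLE.get(label.upper())
    return (addr, "wins") if addr else (None, "name-not-found")
```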
Configuring Additional DNS Server Options
There are additional significant settings in the DNS Server service that you should understand. This section
briefly discusses each.
Updating Root Hints
As discussed previously, DNS servers use the list of root hint servers to locate authoritative name servers
for domains at a higher level or in other subtrees of the DNS namespace. When you add the DNS Server
role, a file called cache.dns is written to %systemroot%\System32\dns; this file includes the NS and A
resource records for the Internet’s root servers. If you are using DNS in a network that is not connected to
the Internet you may wish to replace this list of root hints with your own. You can modify the list in DNS
Manager by doing the following:
1. Right-click on the server and select Properties.
2. Click the Root Hints tab.
3. Modify the list as appropriate, as shown in figure 10:
a. Click Add… to create a new record.
b. Select a record and click Edit… to modify an existing record.
c. Select a record and click Remove to delete an existing record.
d. Click Copy from Server and then specify the IP address to retrieve the list of root hints
from another DNS server. This action will not overwrite any existing root hints.
Figure 10: Updating the Root Hints in Server Manager
Configuring Server Forwarding
A forwarder is a DNS server that handles queries for external DNS names on behalf of other DNS servers,
passing them to DNS servers outside of the network. You use forwarders to manage DNS traffic sent from
your internal network to the Internet. Conditional forwarders forward queries for specific domain names to
certain servers; for example, you may want to configure conditional forwarding to more quickly resolve
hostnames for your organization’s most important business partners.
To configure forwarders you configure the network’s firewalls to block outbound DNS traffic from all
DNS servers except the forwarders. Then you specify the IP addresses of the forwarders on the other DNS
servers in your network. You define the list of forwarders in DNS Manager from the Forwarders tab in the
Properties dialog box for the DNS server by clicking Edit and entering the list of IP addresses in the Edit
Forwarders dialog box. To define a conditional forwarder select a DNS domain name before entering the
IP address of the DNS server.
Configuring Round Robin DNS
Round robin DNS is a rudimentary form of load balancing in which multiple IP addresses are assigned
to the same hostname. The DNS server responds to queries for that hostname by sending the entire list, and
the order of the addresses is rotated each time the server responds. Clients use the first entry and discard the
rest, which should result in queries being evenly distributed across all of the hosts assigned that hostname.
This form of load balancing is much less robust than others because the DNS server will continue to
respond with the address of a server even if it is no longer available. Additionally, round robin DNS does
not make provisions for the differing capacities of the servers; all of them will receive the same amount of
traffic. This feature is turned on and off in DNS Manager from the Advanced tab in the Properties dialog
box for the DNS server. In the list of server options enable or disable the checkbox for Enable round
robin.
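The added Python model below (not code from the book) reproduces that behaviour: the record set rotates on every answer, the client keeps the first address, and the hit counts show that an unreachable host still receives its full share; the hostname and addresses are constructed.

```python
"""Model round robin DNS as the chapter describes it: the server returns the whole
address list and rotates it after every answer, and the client uses only the first
address. Added example, not code from the book; the hostname, the addresses and
the 'unreachable' host are constructed."""
from collections import Counter


class RoundRobinRecordSet:
    """The A records for one hostname, rotated by one position on each answer."""

    def __init__(self, hostname, addresses):
        self.hostname = hostname
        self._addresses = list(addresses)

    def answer(self, qname):
        """Return the current address order, then rotate it for the next query."""
        if qname.lower() != self.hostname.lower():
            return []
        current = list(self._addresses)
        self._addresses = self._addresses[1:] + self._addresses[:1]
        return current


def client_choice(answer):
    """Clients take the first address and discard the rest."""
    return answer[0] if answer else None


def simulate(rrset, queries, unreachable=frozenset()):
    """Run `queries` lookups and return (address -> hits, failed connections).
    The DNS server has no health check, so an unreachable host keeps its share."""
    hits = Counter()
    failed = 0
    for _ in range(queries):
        addr = client_choice(rrset.answer(rrset.hostname))
        hits[addr] += 1
        if addr in unreachable:
            failed += 1
    return hits, failed


if __name__ == "__main__":
    rrset = RoundRobinRecordSet("www.example.test", ["10.0.0.1", "10.0.0.2", "10.0.0.3"])
    print(simulate(rrset, 30, unreachable={"10.0.0.3"}))
```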
Disabling Recursion
As described previously, the DNS Server service automatically performs recursive queries on behalf of its
clients by querying other DNS servers for information about hosts when it is unable to resolve the name
locally. Recursion should be disabled on externally facing DNS servers because attackers may be able to
flood the DNS server with unresolvable queries leading to a denial-of-service condition. This feature is
controlled in DNS Manager from the Advanced tab in the Properties dialog box for the DNS server. In
the list of server options enable or disable the checkbox for Disable recursion (also disables forwarders).
Securing the Cache from Name Pollution
By default the DNS Server service is configured to protect itself from cache pollution by rejecting resource
records that it did not request. In some cases it’s possible for a remote DNS server to provide information
about records for which it is not authoritative. While this may speed up a recursive query, it’s possible for an
attacker to include corrupt information in such a response that could cause clients to be redirected to
servers under the attacker’s control. With this protection enabled the DNS Server service will ignore
these types of records and instead perform the lookup itself by contacting each authoritative server as
needed. This feature is controlled in DNS Manager from the Advanced tab in the Properties dialog box
for the DNS server. In the list of server options enable or disable the checkbox for Secure cache against
pollution.
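The added Python example below (not the DNS Server service’s own code) implements the rule the checkbox enforces: records outside the bailiwick of the server that answered are dropped from the response rather than cached, and their owners are queued for a lookup against their own authoritative servers; the response data is constructed.

```python
"""The rule behind 'Secure cache against pollution': only records that lie inside
the zone the answering server was asked about (its bailiwick) are cached; anything
else is discarded and looked up from its own authoritative servers instead. Added
example, not the DNS Server service's code; the response below is constructed."""


def in_bailiwick(name, zone):
    """True if `name` is `zone` itself or a subdomain of it (case-insensitive,
    trailing dot ignored). 'notpartner.example.test' is NOT inside
    'partner.example.test', hence the leading dot in the endswith check."""
    n = name.lower().rstrip(".")
    z = zone.lower().rstrip(".")
    return n == z or n.endswith("." + z)


def filter_response(bailiwick, records):
    """Split (owner, type, data) records into (cacheable, rejected)."""
    cacheable, rejected = [], []
    for record in records:
        owner = record[0]
        (cacheable if in_bailiwick(owner, bailiwick) else rejected).append(record)
    return cacheable, rejected


# Constructed response from a server that is authoritative for partner.example.test.
# Alongside its legitimate answer and glue it volunteers records for corp.example.test,
# a zone it is not authoritative for; that extra data is the part a corrupt response
# relies on to redirect clients, so a secured cache never stores it.
RESPONSE = [
    ("www.partner.example.test", "A", "198.51.100.10"),
    ("ns1.partner.example.test", "A", "198.51.100.2"),
    ("www.corp.example.test", "A", "203.0.113.66"),
    ("corp.example.test", "NS", "ns1.partner.example.test"),
]


def names_needing_own_lookup(rejected):
    """Owners of the discarded records: the resolver must query their real
    authoritative servers rather than trust the volunteered data."""
    return sorted({owner for owner, _, _ in rejected})


if __name__ == "__main__":
    ok, bad = filter_response("partner.example.test", RESPONSE)
    print("cached:", ok)
    print("dropped:", bad, "-> re-resolve", names_needing_own_lookup(bad))
```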
Implementing Zone Delegation
You can delegate management of portions of your DNS namespace by delegating management of the
corresponding zone. Zone delegation can also be used to distribute workload across several servers by
dividing one large zone into several smaller ones. To create a zone delegation using DNS Manager
right-click on the desired sub-domain, and then click New Delegation. Use the New Delegation Wizard to
complete the process. To create a zone delegation from a command prompt enter the following:
dnscmd <ServerName> /RecordAdd <ZoneName> <NodeName> [/Aging] [/OpenAcl] [TTL] NS {<Hostname>|<FQDN>}
Table 8 briefly explains each option.
Parameter | Description
<ServerName> | This is a required parameter. You specify either the host name or IP address of the DNS server where the record is to be created.
/RecordAdd | This is a required parameter; it specifies what action is to be taken, in this case to add a new record.
<ZoneName> | This is a required parameter. The fully qualified domain name (FQDN) of the zone.
<NodeName> | This is a required parameter. The FQDN of the node.
[/Aging] | This optional parameter specifies that the record may be aged and scavenged.
[/OpenAcl] | This optional parameter specifies that the record may be modified by any user; without this parameter only administrators are able to do so.
[TTL] | This optional parameter specifies the time to live (TTL) for the record.
NS | This required parameter specifies that you are adding a new NS record to the zone.
{<Hostname>|<FQDN>} | This required parameter specifies the hostname or FQDN of the new authoritative server.
Table 8: Dnscmd parameters for zone delegation.
Summary
This chapter showed you how to install and manage the DNS Server role in Windows Server 2008. It
explained the common administrative tasks and introduced you to the key features that are new in this
version of Windows Server such as the GlobalNames zone and background zone loading. To effectively
prepare for the examination it is important that you understand the concepts discussed here. It is also
important that you are familiar with each of the procedures described in the chapter. It would be ideal if
you also spent some time exploring DNS Manager to familiarize yourself with the less commonly used
configuration options. Although they are less likely to appear on the exam, doing so will increase your
chances of success.
Chapter Review
This section presents a list of review questions designed to help reinforce the knowledge presented earlier
in the chapter. To persuade you to explore the management tools more deeply a few questions may require
you to examine DNS Manager or dnscmd rather than rereading the chapter.
Questions
1. You want to add an Active Directory-integrated secondary zone to your DNS server; however you
receive an error message stating “Command failed: ERROR_INVALID_PARAMETER 87” after
entering the following at a command prompt: dnscmd dc1 /zoneadd NewZone /secondary /dp
/domain. What should you do to correct this problem?
a. The command needs to include the /filename option with the path to the file, so it should
read something like this: dnscmd dc1 /zoneadd NewZone /secondary /dp /domain /file
c:\data\ZoneFile.dns
b. The zone type needs to be corrected to /dssecondary, so it should read like this: dnscmd dc1
/zoneadd NewZone /dssecondary /dp /domain
c. Secondary zones cannot be AD-integrated, therefore the zone type should be changed to
/dsprimary or /dsstub, or you should remove the /dp /domain options and specify the master
IP address for the zone.
d. The DNS Server service doesn’t support creating AD-integrated zones from the command
prompt.
2. You manage an enterprise network that consists primarily of Windows clients and servers, other
platforms are deployed in small numbers. Active Directory is deployed on domain controllers
running Windows Server 2003 and Windows Server 2008, the domain controllers are the only
servers hosting the DNS Server service. There are three domains in a single forest. You want to
configure replication of the DNS in such a way that network utilization is kept relatively low while
ensuring that all of the domain controllers have up-to-date resource records in their DNS databases.
Which approach to replication should you consider first?
a. Configuring incremental zone transfers and enabling DNS Notify.
b. Active Directory replication with zones stored in the domain-wide DNS application
directory partition.
c. Configuring full zone transfers and enabling DNS Notify.
d. Active Directory replication with zones stored in the forest-wide DNS application directory
partition.
3. Match the list of use cases with the kind of resource record that will most likely contain the required
data.
Use case | Resource record
a. An SMTP server attempting to forward mail to your organization. | 1. AAAA
b. A user browsing to a website hosted on several servers that use round robin DNS for load balancing. | 2. MX
c. A web server log file analysis tool generating reports on web site usage. | 3. SRV
d. A client trying to connect to another host on a network that uses IPv6. | 4. PTR
e. A domain-joined laptop computer that has just been turned on by its user. | 5. CNAME
4. Users have started reporting problems connecting to servers within your organization’s network,
you are able to connect to some servers such as the domain controllers for the Active Directory
domain for your user account but others do not respond. Which of the following is the best tool to
quickly determine whether or not the problem is related to name resolution?
a. Ping
b. DNS Manager
c. Arp
d. Dnscmd
e. nslookup
5. You have deployed AD DS for a domain named kurtdillard.com, but have only installed the DNS
Server service on a subset of the domain controllers. You want to create a DNS zone named finance
for a set of servers that will only be replicated to DNS servers in your enterprise. You are
currently logged into the local console of the domain controller named NS1; which is the correct
command to create the desired DNS application directory partition?
a. nslookup ns1 /CreateDirectoryPartition finance.kurtdillard.com
b. dnscmd ns1 /EnlistDirectoryPartition finance.kurtdillard.com
c. dnscmd /CreateDirectoryPartition finance.kurtdillard.com ns1
d. dnscmd ns1 /CreateDirectoryPartition finance.kurtdillard.com
6. Examine figure 11. You want to add a Host Information (HINFO) resource record to the selected
zone but that kind of record doesn’t appear on the menu. What steps should you take to add a record
of this type?
Figure 11: DNS Zone context menu.
a. Click Other new records… from the menu, then select the HINFO RR in the dialog box
that appears and click Create Record…
b. Click Properties, then click the Advanced Tab and turn on the option to enable advanced
resource record types.
c. Click on All Tasks, then select Add/Remove record types and enable the HINFO record
type.
d. Click on View, then select Customize, and enable the checkbox to display advanced record
types.
7. When would background zone loading have a significant positive impact?
a. For any domain controllers running DNS with AD-integrated zones regardless of the
database size.
b. For domain controllers running DNS with AD-integrated zones that include tens of
thousands of resource records.
c. For DNS servers that host zones stored as files and include tens of thousands of resource
records.
d. Both B and C are correct.
8. What type of query is a DNS server performing when it contacts one of the Internet’s root servers to
learn the IP address of the authoritative name server of a DNS domain?
a. Forwarding query.
b. Authoritative query.
c. Root lookup.
d. Recursive query.
e. External query.
9. Your organization uses WINS for name resolution between end-user computers so that staff
members are able to use a collaboration tool that requires direct connections between those
computers. You know that WINS is an old protocol and it is approaching its end of life. Would
enabling a GlobalNames zone be a good way to completely replace WINS?
a. Yes.
b. No.
10. You are about to enable record aging and scavenging for a new AD-integrated zone. You expect to
add manual records for many servers that will not need to be updated very often. How can you
ensure that these static records are not deleted when scavenging occurs?
a. Be sure to mark each record as exempt when creating them with the New Resource Record
wizard
b. After creating a static record manually edit the time stamp and set it to zero.
c. Do nothing, by default static records are given a time stamp of zero and any record with
such a time stamp is exempt from aging and scavenging.
d. Set the TTL for the record to zero.
11. Which of the following is not a way for a Windows Server 2008 server running the DNS Server
service to learn about updates to resource records?
a. Initiating push-pull replication with a root server.
b. Receiving a DNS Notify message.
c. Initiating a zone transfer.
d. AD DS-integrated replication.
e. Accepting dynamic updates from a DHCP server or client.
f. The DNS administrator editing a static resource record.
12. You manage a new public-facing server that is designed to share information with a select group of
your organization’s business partners. Ideally both organizations would deploy a robust federated
identity solution to ensure that only authorized users connected to the server; however it’s going to
take a lot of time to negotiate arrangements with each partner. In the interim, you recommend
leveraging _____________________ in order to provide some rudimentary security by limiting
incoming traffic to certain domains.
13. You want to customize what domain controllers will participate in replication of an AD DS-
integrated zone, to do this you need to create a _____________________.
14. Look at figure 12, which tab would you click on to enable or disable recursive queries?
Figure 12: DNS Server properties dialog box
a. Forwarders
b. Advanced
c. Root Hints
d. Debug Logging
e. Event Logging
f. Monitoring
g. Security
15. What’s the recommended method for maintaining resource records for client computers that are
members of an AD DS domain?
a. Manually create and maintain a static record for each computer.
b. Using incremental zone transfers.
c. Using an AD DS-integrated zone with dynamic updates enabled.
d. Using an AD DS-integrated zone configured to only allow secure dynamic updates.
Answers
1. C is the correct answer, secondary zones cannot be AD-integrated under any circumstances.
Questions involving negative cases such as this appear regularly in Microsoft’s exams, that is,
scenarios where you are told to do something that cannot or should not be done.
2. B is the correct answer, while you do not have enough information to make a complete design for
replication you certainly have enough to know what method will most likely meet the stated
requirements. Using the forest-wide application directory partition will generate more replication
traffic than the domain-wide one. You cannot force the use of full zone transfers because the DNS
Server service automatically attempts to use incremental zone transfers for zones that are not AD-
integrated, however since all of the DNS servers are also domain controllers AD-integration ensures
that updates are quickly replicated and that replicated traffic is compressed.
3. The use cases and record types should be matched as follows:
a. 2 because MX records contain information about mail hosts for a DNS domain.
b. 5 because multiple CNAME records can be used to map the same hostname to multiple IP
addresses.
c. 4 because PTR records are used for reverse lookups, and a web server log tool is likely to
use reverse lookups in order to determine what domains host the various clients that have
visited the site.
d. 1 because AAAA records are used for IPv6 addresses.
e. 3 because SRV records are used to identify domain controllers for an Active Directory
domain, and computers that belong to such a domain attempt to authenticate themselves and
download configuration information during the operating system boot process.
4. D is the best answer. With the limited information available nslookup is a good tool to begin
troubleshooting. Nslookup is a command prompt diagnostic tool for DNS, you can use it to extract
information about DNS zones and their contents from DNS servers that allow your host to connect.
While the exam probably will not include extensive questions about nslookup it is likely that you
will encounter some therefore you should familiarize yourself with its basic functionality. Ping is
useful for determining whether there are network issues at the IP layer, but DNS name resolution
occurs above that and therefore it’s not a good tool for this scenario. Arp is a tool for examining and
configuring the address resolution protocol (ARP) cache; ARP is the protocol used to map IP
addresses to physical network addresses that are assigned to network interface cards. DNS Manager
and dnscmd are tools for configuring the DNS Server service, while they might be needed to correct
problems they may not be ideal for initial diagnostics.
5. D is the correct answer. Nslookup is not used to configure the DNS Server service,
/EnlistDirectoryPartition is the wrong option for making a new partition, and the name of the DNS
server should be the first option in the command. This may appear to be a capricious question
requiring you to memorize all of the arcane options of dnscmd, similar questions do appear on the
exams. Rather than trying to memorize every single option available make sure you remember the
basic syntax used on nearly every action such as the DNS server name is always the first option; the
second always specifies the action to take; and parameters to apply to the action come next. Also
memorize the most common actions such as creating zones and records, delegating zones, and
configuring zone transfers. Finally, memorize the procedures that can only be performed from the
command prompt such as enabling the GlobalNames zone.
6. A is the correct answer.
7. B is correct. While background zone loading will reduce the time needed to start the DNS Server
service the impact will probably only be noticeable for very large zones.
8. D is correct. DNS servers contact the root servers that are listed in their root hints in order to learn
the IP addresses for authoritative name servers for other domains. Typically, they do this while
performing a recursive query on the part of a client computer.
9. No is correct. Although the new GlobalNames zone feature is designed to help enterprises migrate
away from WINS for name resolution it is not sufficiently scalable for completely replacing WINS.
There are other alternatives though, perhaps the collaboration tool will work with DNS name
resolution, or you could enable WINS integration for the zones that correspond to your AD DS
domains.
10. C is correct. It is not possible to mark a record as exempt; rather, there is a check box you can
enable or disable entitled Delete this record when it becomes stale; however it’s not necessary to
configure it because it’s automatically disabled when a static record is created. It’s also not necessary
to change the time stamp because it is automatically set to zero for static records. The TTL has no
impact on aging and scavenging.
11. A is correct, there are many ways in which a DNS server can learn about changes to resource
records but answer A is entirely fictional.
12. The correct term is reverse lookups.
13. The correct term is DNS application directory partition.
14. B is the correct answer. The first checkbox visible in the Server options text box is used to enable
and disable recursive queries on the server.
15. D is the correct answer. Answer A is not scalable; answer B doesn’t address the stated
requirements; and answer C is less desirable because malicious users could add records to the zone
and potentially redirect clients to hostile servers under their control.
-Configuring the AD infrastructure
-Configuring a forest or a domain
-Configuring trusts
-Configuring sites
-Configuring AD replication
Configuring the Active Directory Infrastructure
Active Directory Domain Services (AD DS) is the foundation for many network services in Windows-
based networks including authentication, authorization, and configuration management. While subsequent
chapters discuss implementing and managing these and other features available in Active Directory this
chapter focuses on managing the service itself. For example, it’s important to understand the basic
components used to build a hierarchy of domains, how to configure replication, and how to manage the
various operations master roles used by AD DS domains and forests. In this chapter you will learn about
the following:
• Configure a forest or domain.
• Configure trusts.
• Configure sites.
• Configure Active Directory replication.
• Configure the global catalog.
• Configure operations masters.
Managing Forests and Domains
Domains are the basic building blocks of AD DS. At the risk of confusing you, AD DS domains are
discrete from and yet related to Domain Name System (DNS) domains. They are distinct in that they
perform many functions that are entirely separate from DNS domains such as user authentication and group
policy. AD DS evolved from LAN Manager and Windows NT domains where the term was used with no
correlation to DNS domains. They are related to DNS in that AD DS integrates with DNS for name
resolution. Although it is possible to create an AD DS design that does not resemble the DNS namespace I
recommend against doing so to avoid confusing users.
In AD DS a domain is a logical group of computers that share a directory database. A tree is one or more
AD DS domains that have trust relationships with one another. Forests are one or more trees grouped
together. Organizations can use domains, trees, and forests to organize their directory services according to
the design of their business units, or their geographic distribution, or whatever combination works best for
their situation. Figure 1 presents a notional architecture: the rectangles represent the two forests, and ovals
represent the domains. In this example kurtdillard.com is the root domain for the entire organization; within
the same tree are two additional layers of domains, americas.kurtdillard.com is the second layer, and the other
three form the third. All of the domains in the kurtdillard.com forest are located in the same tree. The other
tree, europe.kurtdillard.com, consists of only two layers. This logical architecture also reflects the DNS
namespace for the organization.
Figure 1: Hierarchy of Active Directory Forests and Domains
Production architecture could be as complex as the example, or even more complex, or it could be as simple
as a single domain within a single forest. What is suitable will vary from one organization to another;
however designing an optimum domain and forest structure is beyond the scope of this book. Review the
references section at the end of the chapter for resources on exploring this topic. Each domain has at least
one domain controller (DC) that hosts the AD DS database, best practices dictate that each domain have at
least two DCs to provide redundancy in case one of them fails. There are several additional roles assigned
to DCs, these are discussed later in this chapter. The objects and containers within an AD DS database are
discussed in Creating and Maintaining Active Directory Objects.
Implementing Domain Controllers
Installing a new AD DS forest is straightforward, as you saw in the first exercise in Configuring DNS for
Active Directory. Installing new domains and trees within an existing forest, and installing new DCs within
existing domains, is even easier. To prepare for the exam you should familiarize yourself with each of the
options available in the Active Directory Domain Services Installation Wizard, as it is likely you will
encounter at least a couple of questions relating to it. It is also important to understand the options available
for automating the installation using an answer file and for installing from a command prompt,
especially with the advent of Server Core in Windows Server 2008, which has no graphical wizard.
You automate AD DS installations using an answer file. If you are familiar with the graphical installation
wizard, answer files are easy to understand because all you are doing is providing the same information
in a text file. You can create and modify answer files in any text editor including Notepad; the file begins
with a [DCInstall] section header, and below it you specify parameter names and values on separate lines
with an equal sign between them. For example, including InstallDNS=Yes will force the installation of the
DNS Server role. The following list shows the parameters available; which parameters are required depends
upon what task you are accomplishing. For example, certain parameters are needed when creating a new
forest but others are needed when installing a new DC in an existing domain. The parameter name appears
first in bold, followed by the possible values, then the default value, if any, in italics, and then a brief description.
• AllowDomainControllerReinstall; Yes, No, NoAndNoPromptEither; No – Installation will
normally halt if another DC account with the same name is found; this option allows you to
force the installation to continue if you are certain that the account is no longer being used.
• AllowDomainReinstall; Yes, No, NoAndNoPromptEither; No – Specifies whether or not to
recreate an existing domain.
• ApplicationPartitionsToReplicate; "" – A space-delimited list of the application partitions to
replicate to the new DC; entering * means that all partitions will be replicated.
• ChildName; "child_domain_name" – Use to specify the single-label DNS name of the child
domain.
• ConfirmGc; Yes, No – Use to specify that the DC will be a global catalog server.
• CreateDNSDelegation; Yes, No; Default is determined based on the environment – Determines
whether or not to create a DNS delegation in the parent zone.
• CriticalReplicationOnly; Yes, No; No – Using this parameter can decrease the installation time by
forcing the replication of only critical data until installation is complete.
• DatabasePath; "path_to_database_files"; %SYSTEMROOT%\NTDS – Specifies the local directory
containing the domain database, e.g., C:\Windows\NTDS.
• DelegatedAdmin; "name of user or group" – Used for read-only DCs, it specifies the name of user
or group that will administer it.
• DNSDelegationPassword; "password", * – Specifies the password for the credentials to use when
creating or removing DNS delegation. Use * to prompt the user to enter credentials.
• DNSDelegationUserName; “user_name" – Specifies the credentials to use when creating or
removing DNS delegation. If nothing is specified the credentials used for the DC installation are
used.
• DNSOnNetwork; Yes, No; Yes – Specifies whether DNS service is available, only use it when the
network adapter is not configured with a DNS server for name resolution. Specifying 'No' forces the
installation of the DNS Server role.
• DomainLevel; 0|2|3; The domain functional level cannot be lower than the forest functional level.
Default is set to the existing forest functional level or the value set for /ForestLevel – Determines the
domain functional level when creating a new domain as follows:
o 0 = Windows 2000.
o 2 =Windows Server 2003.
o 3 = Windows Server 2008.
• DomainNetBiosName; "domain_NetBIOS_name" – Assigns a network basic input/output system
(NetBIOS) name to the new domain.
• ForestLevel; 0|2|3; The default forest functional level when creating a new forest is Windows 2000 (0)
– Do not use this parameter when adding a DC to an existing forest. It determines the forest functional
level when creating a new forest as follows:
o 0 = Windows 2000.
o 2 =Windows Server 2003.
o 3 = Windows Server 2008.
• InstallDNS; Yes, No; Default is determined based on the environment – Use to specify whether or
not the DNS Server role will be installed (replaces the AutoConfigDNS parameter used by earlier versions of
DCPromo.exe).
• LogPath; "path_to_log_files"; %SYSTEMROOT%\NTDS – Specifies the local directory that contains
the domain log files, e.g., C:\Windows\NTDS.
• NewDomain; Tree, Child, Forest; Forest – Specifies whether to create a new forest, a new domain tree
in an existing forest, or a child of an existing domain.
• NewDomainDNSName; "DNS_name_of_domain" – Specifies the FQDN for the new domain.
• ParentDomainDNSName; "DNS_name_of_domain" – Specifies the FQDN of the parent domain
when creating a child domain.
• Password; "password", * – Specifies the password corresponding to the credentials used for the
operation; use * to prompt for credentials.
• PasswordReplicationAllowed; "security_principal", None – Use only when installing a read only DC
(RODC), it determines which accounts will have their passwords replicated to the new RODC. Specify
"None" if you want to keep the value empty.
• PasswordReplicationDenied; "security_principal", None – Use only when installing an RODC; it
determines which accounts will be blocked from having their passwords replicated to the new RODC. Specify
"None" if you want to keep the value empty. Members of the following groups are denied by default:
Account Operators, Administrators, Backup Operators, Server Operators, and the Denied RODC Password
Replication Group (which includes Cert Publishers, Domain Admins, Enterprise Admins, Enterprise
Domain Controllers, Enterprise Read-Only Domain Controllers, Group Policy Creator Owners, the krbtgt
account, and Schema Admins).
• RebootOnCompletion; Yes, No; Yes – Use to force the computer to reboot at the end of the
installation process whether or not it was successful.
• RebootOnSuccess; Yes, No, NoAndNoPromptEither; Yes – Use to force the computer to reboot if
installation is successful.
• ReplicaDomainDNSName; "DNS_name_of_domain" – Determines the FQDN of the domain in
which you want to promote the new DC.
• ReplicaOrNewDomain; Replica, ReadOnlyReplica, Domain; Replica – Specifies whether to install an
additional DC, an RODC, or to create a new domain.
• ReplicationSourceDC; "DNS_name_of_DC" – Specifies the FQDN of the DC to use for replication
during the installation.
• ReplicationSourcePath; "replication_source_path" – Specifies the path of the data file to use for the
installation of a new DC.
• SafeModeAdminPassword; "password"; No default, and it must not be left blank – Sets the password for the
local administrator account used when starting the DC in Directory Services Restore Mode (DSRM). Choose it
as carefully as a Domain Admins password: anyone who can boot the DC into DSRM with it can read the
directory database offline.
• SiteName; "site_name"; The default depends on the type of installation; in a new forest it will be
Default-First-Site-Name; in all other cases it is the site that is assigned to the subnet that includes the IP
address of the DC. – Determines the site for the new DC.
• SkipAutoConfigDns – Use to skip automatic configuration of DNS.
• Syskey; none, system key; none – Indicates the system key for the media which contains the
replication data.
• SysVolPath; "path_to_sysvol_folder"; %SYSTEMROOT%\SYSVOL – Determines the local path to the
SYSVOL folder, e.g., C:\Windows\SYSVOL.
• TransferIMRoleIfNecessary; Yes, No; No – Use to determine whether to transfer the infrastructure
master role to the new DC. Enter “Yes” to transfer the role if needed (you also need to specify
"/ConfirmGC:No"); Enter “No” if you do not want to transfer the role.
• UserDomain; “domain_name" – Determines the domain name for the credentials used for the
operation. If no value is provided the domain of the computer is used.
• UserName; "user_name" – Specifies the credentials used for the operation. If no value is provided the
credentials of the current user are used for the operation.
To perform the installation enter the following at a command prompt with administrative privileges:
Dcpromo /unattend:%path%
Where %path% is the path for the answer file you created. It is also possible to type out all of the
parameters and values in the command itself in this format:
dcpromo /unattend /unattendOption:value /unattendOption:value ...
The command will be very long and complex though, so I recommend that you use answer files instead. You
can also review the options for unattended installations by entering dcpromo /?:Promotion at a command
prompt. The list of options for unattended installations is long; however, I do not believe that you need to
memorize it in order to prepare for the exam. Instead, be sure that you understand what is possible and
what might go awry with unattended installations. Remember that an answer file can hold the Password and
SafeModeAdminPassword values in clear text, so restrict who can read it and delete it once the promotion
completes, or use * for Password so that you are prompted instead.
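The following PowerShell (2.0 or later) is an added example, not code from the book: it builds a dcpromo answer file for adding a writable DC to an existing domain from the parameters listed above, and checks the combinations the descriptions call out (a blank SafeModeAdminPassword, ForestLevel on a replica install, DomainLevel below ForestLevel, TransferIMRoleIfNecessary=Yes without ConfirmGc=No) before anything is written. The [DCInstall] header is the one dcpromo expects; the domain name, the adsetup account, the D: paths and the output file are assumptions.

```powershell
# Added example, not from the book: build and sanity-check a dcpromo answer file.
# Assumed: domain kurtdillard.com, setup account adsetup, database/logs on D:.

function New-DcpromoAnswerFile {
    param(
        [Parameter(Mandatory=$true)][hashtable]$Settings,
        [Parameter(Mandatory=$true)][string]$Path
    )
    $problems = @()
    $mode = $Settings['ReplicaOrNewDomain']

    # The DSRM password may never be blank.
    if ([string]::IsNullOrEmpty($Settings['SafeModeAdminPassword'])) {
        $problems += 'SafeModeAdminPassword must be set.'
    }
    if ($mode -eq 'Replica' -or $mode -eq 'ReadOnlyReplica') {
        # Adding a DC (writable or read-only) to an existing domain
        if (-not $Settings.ContainsKey('ReplicaDomainDNSName')) {
            $problems += 'ReplicaDomainDNSName is required for a replica DC.'
        }
        if ($Settings.ContainsKey('ForestLevel')) {
            $problems += 'ForestLevel is only valid when creating a new forest.'
        }
    } elseif ($mode -eq 'Domain') {
        # Creating a new forest root, tree root or child domain
        if (-not $Settings.ContainsKey('NewDomain')) { $problems += 'NewDomain is required when creating a domain.' }
        if ($Settings['NewDomain'] -eq 'Child') {
            foreach ($k in 'ChildName', 'ParentDomainDNSName') {
                if (-not $Settings.ContainsKey($k)) { $problems += "$k is required for a child domain." }
            }
        } elseif (-not $Settings.ContainsKey('NewDomainDNSName')) {
            $problems += 'NewDomainDNSName is required for a new forest or tree.'
        }
        if ($Settings.ContainsKey('ForestLevel') -and $Settings.ContainsKey('DomainLevel') -and
            [int]$Settings['DomainLevel'] -lt [int]$Settings['ForestLevel']) {
            $problems += 'DomainLevel cannot be lower than ForestLevel.'
        }
    } else {
        $problems += "ReplicaOrNewDomain must be Replica, ReadOnlyReplica or Domain (got '$mode')."
    }
    # Moving the infrastructure master onto a global catalog defeats the purpose of the move.
    if ($Settings['TransferIMRoleIfNecessary'] -eq 'Yes' -and $Settings['ConfirmGc'] -ne 'No') {
        $problems += 'TransferIMRoleIfNecessary=Yes requires ConfirmGc=No.'
    }
    if ($problems.Count -gt 0) { throw ("Answer file not written:`n" + ($problems -join "`n")) }

    $lines = @('[DCInstall]')
    foreach ($k in ($Settings.Keys | Sort-Object)) { $lines += ('{0}={1}' -f $k, $Settings[$k]) }
    $lines | Out-File -FilePath $Path -Encoding ascii
    return $Path
}

# Second DC for the existing domain; all values are assumptions for the example.
$settings = @{
    ReplicaOrNewDomain      = 'Replica'
    ReplicaDomainDNSName    = 'kurtdillard.com'
    SiteName                = 'Default-First-Site-Name'
    InstallDNS              = 'Yes'
    ConfirmGc               = 'Yes'
    CriticalReplicationOnly = 'No'
    DatabasePath            = 'D:\NTDS'
    LogPath                 = 'D:\NTDS'
    SysVolPath              = 'D:\SYSVOL'
    UserDomain              = 'kurtdillard.com'
    UserName                = 'adsetup'
    Password                = '*'                  # prompt rather than store the password
    SafeModeAdminPassword   = 'Replace-Me-DSRM-1'  # placeholder; set a real DSRM password
    RebootOnCompletion      = 'Yes'
}
$file = New-DcpromoAnswerFile -Settings $settings -Path (Join-Path $env:TEMP 'dc02-unattend.txt')
Get-Content $file

# Promotion and cleanup (the file holds the DSRM password in clear text):
#   icacls <file> /inheritance:r /grant:r "Administrators:F"
#   dcpromo /unattend:<file>
#   del <file>
```

The checks mirror the parameter descriptions rather than dcpromo's own validation, which runs only after you start the promotion; catching these mistakes first matters most on Server Core, where the failure is a log entry rather than a wizard page.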
Note: Read only domain controllers (RODC) are a new capability in Windows Server 2008 intended to
help protect networks when one or more domain controllers has to be placed in a location that cannot be
physically secured such as a branch office. They are discussed in Configuring Additional Active Directory
Server Roles.
Working with previous versions of Active Directory
Upgrading from and interoperating with previous versions of Active Directory require planning and
familiarity with the adprep tool. Upgrading from Windows NT 4.0 Directory Services is a unique process
and will be covered in the next section.
Preparing a Windows 2000 or Windows Server 2003 forest for Windows Server 2008
Windows Server 2008 AD DS includes changes to the AD schema, therefore you must update the forest
schema before installing any Windows Server 2008 domain controllers. Before running the AD DS
installation wizard or performing an unattended installation of AD DS, log on to the forest's schema master
with an account that is a member of the Enterprise Admins, Schema Admins, and Domain Admins (in the
forest root domain) groups. Then insert the Windows Server 2008 installation DVD, open a command prompt
with administrator privileges, navigate to the Adprep folder (for example, E:\sources\adprep), and enter the following:
adprep /forestprep
Wait for the process to complete and allow the changes to replicate across the entire forest before preparing
any domains for a Windows Server 2008 domain controller.
Preparing a Windows 2000 or Windows Server 2003 domain for Windows Server 2008
After preparing the forest you need to prepare each domain where you will install Windows Server 2008
domain controllers. First, log into the domain’s infrastructure operations master with an account that is a
member of the Domain Admins group. Then insert the Windows Server 2008 installation DVD, open a
command prompt with administrator privileges, navigate to the Adprep folder, and enter the following:
adprep /domainprep
Adding the /gpprep switch (adprep /domainprep /gpprep) also updates the permissions on the domain's existing
Group Policy objects so that Group Policy Modeling works; this is the same change described later under
Ensuring Group Policy Modeling Works Correctly.
Wait for the process to complete and allow the changes to replicate across the forest before installing any
Windows Server 2008 domain controllers.
Tip: AD DS includes several special roles that can only be held by a single domain controller at a time;
these are called flexible single master operations (FSMO) roles. The quickest way to list all five holders is to
enter netdom query fsmo at a command prompt. Finding the infrastructure FSMO holder in the GUI is
easy in Windows Server 2008 domains: open Active Directory Users and Computers, right-click on the
domain, select Operations Masters… and click on the Infrastructure tab. There can only be one schema
FSMO holder for each forest, and identifying it is a little more complex because you use the schema
editing tool to do so, and Microsoft discourages modifying the schema directly. First you need to register
the Microsoft Management Console (MMC) snap-in by entering regsvr32 schmmgmt.dll at a
command prompt. Then open an empty MMC console by clicking Start, then clicking Run,
and then entering mmc. Open the File menu, click Add/Remove Snap-in, select Active Directory
Schema, click Add, and then click OK. Right-click on Active Directory Schema [%domainname%] and
select Operations Masters… from the menu, as shown in figure 2, to identify the current schema master
for the forest. The user interface is slightly different for the MMC in Windows 2000 and Windows Server
2003, but adding the snap-in is still straightforward.
Figure 2: Active Directory Schema MMC Snap-In.
Preparing a Forest for Read-Only Domain Controllers
To prepare a Windows 2000 or Windows Server 2003 forest for RODCs, log on to any computer in the forest
with an account that is a member of the Enterprise Admins group. Then insert the Windows Server 2008
installation DVD, open a command prompt with administrator privileges, navigate to the Adprep folder, and
enter the following:
adprep /rodcprep
Run this only after adprep /forestprep has completed. Wait for the process to complete and allow the changes
to replicate across the entire forest before installing any read-only domain controllers.
Other Considerations
When you upgrade a domain controller running Windows 2000 or Windows Server 2003 in place you do not need
to run the AD DS installation wizard or dcpromo, because the server will automatically resume the role of
DC after the final restart of the upgrade process. Windows Server 2008 DCs have more restrictive default
security policies; to interoperate with clients running Windows NT 4.0 and certain third-party operating
systems you may need to reduce security by changing several settings in the Default Domain
Controllers Policy Group Policy object.
1. Open the Group Policy Management console.
2. Navigate to the Group Policy Objects folder for the domain
3. Right-click on the Default Domain Controllers Policy GPO and select Edit.
4. In the Group Policy Editor, navigate to Computer Configuration/Policies/Windows
Settings/Security Settings/Local Policies/Security Options.
5. Modify each of the settings as follows:
a. To no longer force the use of SMB packet signing change the value of Microsoft network
server: Digitally sign communications (always) to Disabled.
b. To no longer force the use of secure channel signing change the value of Domain member:
Digitally encrypt or sign secure channel data (always) to Disabled.
6. To no longer force the use of strong cryptographic algorithms when communicating with Windows
NT 4.0 DCs navigate to Computer Configuration/Policies/Administrative
Templates/System/Net Logon, change the value of Allow cryptography algorithms compatible
with Windows NT 4.0 to Enabled, as shown in figure 3.
Figure 3: Editing the Default Domain Controller Policy.
You can learn more about these settings and why you may need to adjust them by reading “Modify Default
Security Policies on Windows Server 2008-Based Domain Controllers.”
Caution: I do not recommend that you reduce your environment’s security by adjusting the settings as
described above. It would be much better in the long run to upgrade the clients to operating systems that
support the more restrictive values for these settings.
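Because these relaxations tend to outlive the clients that required them, the following PowerShell (2.0 or later) is an added example, not code from the book, that reports whether any of the three settings above is currently in its weakened state on a DC. It reads the registry values that these policies write (RequireSecuritySignature under LanManServer, and RequireSignOrSeal and AllowNT4Crypto under Netlogon); the snapshot of values at the end is constructed so the check can be exercised on any machine.

```powershell
# Added example, not from the book: detect the NT 4.0 compatibility relaxations
# described above by reading the registry values the policy settings write.

$LegacyCompatSettings = @(
    @{ Policy = 'Microsoft network server: Digitally sign communications (always)';
       Key = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanManServer\Parameters';
       Name = 'RequireSecuritySignature'; SecureValue = 1 },
    @{ Policy = 'Domain member: Digitally encrypt or sign secure channel data (always)';
       Key = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters';
       Name = 'RequireSignOrSeal'; SecureValue = 1 },
    @{ Policy = 'Allow cryptography algorithms compatible with Windows NT 4.0';
       Key = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters';
       Name = 'AllowNT4Crypto'; SecureValue = 0 }
)

function Test-LegacyCompatSettings {
    # $Values maps each registry value name to the DWORD in effect ($null if absent)
    param([Parameter(Mandatory=$true)][hashtable]$Values)
    foreach ($s in $LegacyCompatSettings) {
        $current = $Values[$s.Name]
        if ($current -eq $null) {
            $state = 'not set in registry; confirm the effective policy with gpresult /r'
        } elseif ([int]$current -eq $s.SecureValue) {
            $state = 'secure'
        } else {
            $state = 'WEAKENED for NT 4.0 compatibility'
        }
        New-Object PSObject -Property @{
            Policy = $s.Policy; Value = $s.Name; Current = $current; State = $state
        }
    }
}

function Get-LegacyCompatSettings {
    # Read the live values; run on the DC itself with administrative rights.
    $values = @{}
    foreach ($s in $LegacyCompatSettings) {
        $item = Get-ItemProperty -Path $s.Key -Name $s.Name -ErrorAction SilentlyContinue
        if ($item -ne $null) { $values[$s.Name] = $item.($s.Name) } else { $values[$s.Name] = $null }
    }
    return $values
}

# Constructed snapshot: SMB signing and NT 4.0 crypto relaxed, secure channel still enforced.
$snapshot = @{ RequireSecuritySignature = 0; RequireSignOrSeal = 1; AllowNT4Crypto = 1 }
Test-LegacyCompatSettings -Values $snapshot | Format-Table Policy, Value, Current, State -AutoSize

# On a domain controller:
#   Test-LegacyCompatSettings -Values (Get-LegacyCompatSettings)
```

Run it on each DC after the last Windows NT 4.0 client is retired; a WEAKENED row is the cue to restore the setting in the Default Domain Controllers Policy rather than on the individual server, since Group Policy will otherwise reapply the weak value.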
Ensuring Group Policy Modeling Works Correctly
Another change you may wish to make when migrating from Windows 2000 AD is to update the
permissions on all of the group policies in the domain to ensure that the Group Policy Modeling feature
works. Microsoft has prepared a collection of scripts that you can download, see Group Policy
Management Console Sample Scripts. By default the scripts are installed in %ProgramFiles%\Microsoft
Group Policy\GPMC Sample Scripts. Execute the following from a command prompt in that folder to
update the permissions:
cscript GrantPermissionOnAllGPOs.wsf "Enterprise Domain Controllers" /permission:read
/domain:DNSDomainName /Replace
Raising forest and domain functional levels
Windows Server 2008 AD DS supports three functional levels: Windows 2000, Windows Server 2003, and
Windows Server 2008. The newer levels support additional features; however, once you raise the
functional level of a forest or domain you cannot revert it. Ensure that all of the domain controllers are
running a version of Windows that supports the functional level you intend to use: no Windows 2000 DCs
remain for the Windows Server 2003 level, and only Windows Server 2008 DCs remain for the Windows
Server 2008 level. To raise the domain functional level do the following:
1. Click Start, select Administrative Tools, and then click Active Directory Users and Computers.
2. Right-click on the domain, then select Raise domain functional level...
3. Select the desired functional level and click Raise.
4. Click OK to confirm your choice.
To raise the forest function level and the functional levels of all domains in the forest do the following:
1. Click Start, select Administrative Tools, and then click Active Directory Domains and Trusts.
2. Right-click on Active Directory Domains and Trusts, then select Raise Forest Functional Level.
3. Select the desired functional level and click Raise.
4. Click OK to confirm your choice, click OK again.
Raising the domain functional level from Windows Server 2003 to Windows Server 2008 enables several new
features, including Kerberos support for the Advanced Encryption Standard (AES 128 and AES 256), detailed
recording of last interactive logon information, fine-grained password policies, and Distributed File System
(DFS) replication of the contents of SYSVOL.
Migrating from Windows NT 4.0 Domains
You cannot upgrade directly from Windows NT 4.0 to Windows Server 2008. Microsoft recommends a two-step
process to upgrade domains from Windows NT 4.0: upgrade to Windows Server 2003 and then upgrade to
Windows Server 2008. I do not think it is likely that you will encounter questions that require you to know
all of the details of every step in the process but rather that you understand the limitations and how to
overcome them. If you are faced with this challenge in a production environment here are links to useful
resources from Microsoft:
How To Upgrade a Windows NT 4.0-Based PDC to a Windows Server 2003-Based Domain Controller.
Windows NT Server 4.0 Upgrade Guide.
Upgrading Active Directory Domains to Windows Server 2008 AD DS Domains.
Migrating and Restructuring Active Directory Domains Using ADMT v3.1.
Active Directory Migration Tool version 3.1.
Decommissioning Domain Controllers
There are three basic scenarios involving the decommissioning of DCs: removing one from a domain;
removing the last one from a domain; and removing the last one from a forest. You can initiate the process
from the graphical interface by launching dcpromo on the domain controller, or from a command prompt by
running dcpromo with the appropriate demotion parameters or an answer file. Enter
dcpromo /?:demotion to see a full list of parameters available for answer files and the command prompt.
When you use the AD DS Installation Wizard you are asked to make a series of decisions about the
demotion such as whether or not to delete any application directory partitions stored on the DC, whether to
remove any DNS delegations pointing to the server. If you are deleting the last DC in a domain be sure to
perform the instructions that appear on the Delete the Domain page of the wizard such as backing up
cryptographic keys, you will need to enable the checkbox on this page. You will be prompted to provide
credentials for an account that is a member of the Enterprise Admins group if you are not logged on with
an account that belongs to it. Removing the last DC in a forest is essentially the same, however you must
start the process while logged in with an account that belongs to the Enterprise Admins group for the forest
or the Domain Admins group in the forest’s root domain.
Configuring Trusts
A trust is a relationship between domains that makes it possible for a user in one domain to be authenticated
by a domain controller in the other. Trusts make it easier to grant access to shared resources to users in
other domains. A one-way trust is a single trust relationship: if domain A trusts domain B then users from
domain B can be granted permissions on objects in domain A, but not the reverse. A two-way trust means that
both domains trust the other and therefore users from either domain can be granted permissions on objects in
the other. Transitive means that if one domain trusts another, and that second domain trusts a third one, then
the first will also trust the third one. For example, in figure 4, Washington trusts Paris, and Paris trusts
Moscow, therefore Washington also trusts Moscow. Trusts were one-way and not transitive in Windows NT 4.0
and earlier versions; since Windows 2000 the trusts created automatically between the domains of a forest
have been two-way and transitive.
Figure 4: Transitive Trusts
While most of the time two-way transitive trusts are sufficient, there are situations where a one-way non-
transitive trust would be better. A hypothetical example may help: pretend that Company A has just
acquired Firm B. Company A instructs Firm B to configure their Windows domains to trust the Company
A domains, but Company A does not reciprocate. Until Company A management has determined
which Firm B employees will be laid off and which will be retained, this arrangement will minimize the risk
of a disgruntled Firm B employee doing something unpleasant to Company A resources, because no Firm B
account can be granted access to them.
Trusts are established automatically between domains as they are added to a forest, and there are a number
of things you might want to do to manage these trusts. It is also possible that you will need to manually
establish trusts to improve authentication times in large trees or to connect to Kerberos realms running on
other platforms.
The primary tools for managing trust relationships in AD DS are the Active Directory Domains and Trusts
console and the netdom command prompt utility. There are a few other management tasks involving these
tools that are covered at the end of this section.
There are four kinds of trusts available, all of which can be either one-way or two-way. Forest
trusts are transitive trusts between two AD DS forests that facilitate the sharing of network
resources. Shortcut trusts are transitive trusts between two AD DS domains within the same forest that are
manually created to improve logon times. External trusts are nontransitive trusts between an AD DS domain
and either a Windows NT 4.0 domain or an AD DS domain located in a separate, untrusted forest. Realm trusts
are transitive or nontransitive trusts between an AD DS domain and a non-Windows Kerberos realm. In a one-
way trust the trusting domain allows users in the trusted domain to access its shared resources. In a two-way
trust both domains trust the other and users in either can be granted access to resources in the other. To
create a trust using Active Directory Domains and Trusts do the following:
1. Right-click on the desired domain and click Properties.
2. Select the Trusts tab and click New Trust, then click Next.
3. Provide the DNS or NetBIOS name of the other domain or realm, then click Next
4. Specify whether the trust will be with a Windows domain or Kerberos realm on the Trust Type
page, then click Next. Figure 5 shows this page of the wizard with Active Directory Domains and Trust
console and the domain properties dialog box.
5. Depending upon the type of trust selected you may be able to specify the type of transitivity for the
trust on the Transitivity of Trust page.
6. Specify the direction of the trust on the Direction of Trust page. Note that an incoming one-way trust
means users in the other domain will not have access to resources in this domain while in an outgoing one-
way trust users in this domain will not have access to resources in the other.
7. If it’s a realm trust you will also be prompted to provide a password for the trust relationship.
Figure 5: The Trust Type Page of the New Trust Wizard.
To create an external or shortcut trust from a command prompt enter the following command; table 1
briefly explains each parameter. In practice you will usually also supply credentials for the trusted domain
with /UserD:<user> /PasswordD:* (and /UserO and /PasswordO for the trusting domain if you are not logged
on with sufficient rights there), and add /twoway if the trust should be bidirectional:
netdom trust <TrustingDomainName> /d:<TrustedDomainName> /add
Parameter Description
trust The second parameter tells netdom what action to take, in this case
managing a trust relationship.
<TrustingDomainName> Specifies the name (DNS or NetBIOS) of the trusting domain in the
trust to create.
/d: Indicates that the other domain will be trusted.
<TrustedDomainName> Specifies the name (DNS or NetBIOS) of the other domain in the
trust to create.
/add Instructs netdom to establish a new trust.
Table 1: Netdom parameters for establishing trusts.
To create a realm trust from a command prompt enter the following command. Establishing a realm trust
requires a few more parameters, as described in table 2:
netdom trust <TrustingDomainName> /d:<TrustedDomainName> /add /realm
/PasswordT:<NewRealmTrustPassword>
Parameter Description
/realm Specifies that the trust is to be created to a Kerberos realm.
/PasswordT: Parameter that precedes the password for the new trust.
<NewRealmTrustPassword> The actual password for the new trust, it must match the password
used in the Kerberos realm.
Table 2: Additional netdom parameters for realm trusts.
Other Management Tasks
An alternate user principal name (UPN) suffix can simplify the logon process by allowing all users within
the forest to use the same UPN suffix. The suffix does not have to be a valid DNS domain name. To add
one open Active Directory Domains and Trusts, right-click on Active Directory Domains and Trusts,
select Properties, then select the UPN Suffixes tab and click Add.
The default scope for authentication across trusts is broad in order to simplify management: with domain-wide
authentication (the default) any user in the trusted domain can be authenticated by the trusting domain and
therefore receives whatever access has been granted there to the Authenticated Users and Everyone groups.
Only external and forest trusts support selective authentication, which allows you to more tightly control
access to resources from those domains. If selective authentication is enabled you have to explicitly grant
the users or groups from the other domain the Allowed to Authenticate permission on each computer object in
the trusting domain they need to reach, in addition to the permissions on the resource itself. To define the
authentication scope across external and forest trusts open Active Directory Domains and Trusts, right-click
on Active Directory Domains and Trusts, select Properties, then select the Trusts tab. Select the desired
trust relationship, click Properties, then select the Authentication tab and specify the authentication scope.
AD DS accounts have an attribute called SID history (sIDHistory). Administrators can add users' old security
identifiers (SIDs) to it to simplify managing access to shared resources during migrations. Unfortunately, this
feature can be abused by an attacker who has compromised a DC in the trusted domain: they could add
privileged SIDs from the trusting domain to accounts they control and thereby gain unauthorized privileges
across the trust. By default Windows Server 2008 enables SID filtering on all new external trusts. SID
filtering discards any SID in an authorization token that did not originate in the trusted domain, which
reduces the risk that a malicious user or rogue administrator in the trusted domain can grant themselves
elevated privileges in the trusting domain. You manage SID filtering using netdom; from a command prompt
enter the following, table 3 briefly explains the parameters. Note that the value No shown here turns SID
filtering off; do that only while a migration depends on SID history, and re-enable it with /quarantine:Yes as
soon as the migration completes:
Netdom trust <TrustingDomainName> /domain:<TrustedDomainName> /quarantine:No
Parameter Description
trust The second parameter tells netdom what action to take, in this case
managing a trust relationship.
<TrustingDomainName> Specifies the name (DNS or NetBIOS) of the trusting domain.
/domain: Indicates that the other domain will be trusted.
<TrustedDomainName> Specifies the name (DNS or NetBIOS) of the other domain in the
trust.
/quarantine Instructs netdom to manage the state of SID filtering.
<yes | no> Turns SID filtering on (Yes) or off (No).
Table 3: Netdom parameters for managing SID filtering.
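Both the trust types above and the SID filtering and selective authentication settings are recorded as numeric flags on each trustedDomain object under CN=System, which makes it possible to audit every trust in a domain at once rather than opening each one in the console. The following PowerShell (2.0 or later) is an added example, not code from the book: it decodes trustDirection, trustType and trustAttributes using the bit values Microsoft documents in MS-ADTS and reports outbound external trusts that lack SID filtering, forest trusts that accept SID history (the TreatAsExternal bit, which netdom /enablesidhistory:Yes sets), and trusts still using domain-wide authentication. The four sample trusts and their partner names are constructed; a comment at the end shows how to feed it the real objects.

```powershell
# Added example, not from the book: decode trustedDomain flags and flag weakly
# configured trusts. Flag values are the documented MS-ADTS bits; sample trusts
# below are constructed.

$TrustAttr = @{
    NonTransitive     = 0x01
    UplevelOnly       = 0x02
    Quarantined       = 0x04   # SID filtering on an external trust (netdom /quarantine:Yes)
    ForestTransitive  = 0x08
    CrossOrganization = 0x10   # selective authentication
    WithinForest      = 0x20
    TreatAsExternal   = 0x40   # forest trust that accepts SID history (netdom /enablesidhistory:Yes)
    UsesRc4Encryption = 0x80
}
$TrustDir  = @{ 0 = 'Disabled'; 1 = 'Inbound'; 2 = 'Outbound'; 3 = 'Bidirectional' }
$TrustType = @{ 1 = 'Downlevel (NT 4.0)'; 2 = 'Uplevel (AD DS)'; 3 = 'Kerberos realm'; 4 = 'DCE' }

function Test-TrustHardening {
    param([Parameter(Mandatory=$true)][object[]]$Trusts)
    foreach ($t in $Trusts) {
        $attr = [int]$t.trustAttributes
        $dir  = [int]$t.trustDirection
        $type = [int]$t.trustType
        $flags = @()
        foreach ($name in ($TrustAttr.Keys | Sort-Object)) {
            if (($attr -band $TrustAttr[$name]) -ne 0) { $flags += $name }
        }
        $findings = @()
        # Outbound means this domain trusts the partner, so SIDs presented by the
        # partner's users are the ones SID filtering has to screen.
        $outbound = ($dir -eq 2 -or $dir -eq 3)
        $inForest = ($attr -band $TrustAttr.WithinForest) -ne 0
        $forest   = ($attr -band $TrustAttr.ForestTransitive) -ne 0
        if ($outbound -and -not $inForest -and $type -ne 3) {
            if (-not $forest -and ($attr -band $TrustAttr.Quarantined) -eq 0) {
                $findings += 'external trust without SID filtering (/quarantine:No)'
            }
            if ($forest -and ($attr -band $TrustAttr.TreatAsExternal) -ne 0) {
                $findings += 'forest trust accepts SID history (/enablesidhistory:Yes)'
            }
            if (($attr -band $TrustAttr.CrossOrganization) -eq 0) {
                $findings += 'domain-wide authentication (no selective authentication)'
            }
        }
        New-Object PSObject -Property @{
            Partner    = $t.trustPartner
            Direction  = $TrustDir[$dir]
            Type       = $TrustType[$type]
            Attributes = ($flags -join ',')
            Findings   = ($findings -join '; ')
        }
    }
}

# Constructed trusts: an unfiltered external trust, a hardened external trust,
# an intra-forest trust and an inbound realm trust.
$sample = @(
    (New-Object PSObject -Property @{ trustPartner = 'firmb.example';          trustDirection = 2; trustType = 2; trustAttributes = 0x00 }),
    (New-Object PSObject -Property @{ trustPartner = 'partner.example';        trustDirection = 3; trustType = 2; trustAttributes = 0x14 }),
    (New-Object PSObject -Property @{ trustPartner = 'europe.kurtdillard.com'; trustDirection = 3; trustType = 2; trustAttributes = 0x20 }),
    (New-Object PSObject -Property @{ trustPartner = 'KRB.EXAMPLE';            trustDirection = 1; trustType = 3; trustAttributes = 0x01 })
)
Test-TrustHardening -Trusts $sample | Format-Table Partner, Direction, Type, Attributes, Findings -AutoSize

# Against a live domain (trustedDomain objects live under CN=System):
#   $s = New-Object DirectoryServices.DirectorySearcher '(objectClass=trustedDomain)'
#   $live = foreach ($r in $s.FindAll()) { $p = $r.Properties
#       New-Object PSObject -Property @{ trustPartner = $p['trustpartner'][0]; trustDirection = $p['trustdirection'][0];
#                                        trustType = $p['trusttype'][0]; trustAttributes = $p['trustattributes'][0] } }
#   Test-TrustHardening -Trusts $live
```

On the sample data only firmb.example produces findings (no SID filtering, domain-wide authentication); partner.example carries both the Quarantined and CrossOrganization bits, the intra-forest trust is exempt because SID filtering is not applied inside a forest, and the realm trust is skipped because selective authentication applies only to external and forest trusts.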
Tip: restartable AD DS rather than having to reboot
Configuring Sites and Replication
While forests, trees, and domains represent the logical architecture of AD DS, sites represent the physical
network architecture upon which it is deployed. A sound site design and DC placement is necessary to
ensure performance and reasonable bandwidth consumption. Typically, a site hosts at least one DC and
includes one or more Internet Protocol (IP) subnets that share a high-speed network and are connected to
other sites via slower links. When you install the first DC in a new forest a site called Default-First-Site-
Name is created, all computers are assigned to this site until additional ones are created. When sites have
been defined computers will automatically be assigned to the appropriate one based on their IP address, if
their address does not belong to any of the subnets defined for the sites it will be assigned to the Default-
First-Site-Name site.
You manage sites and their components using the Active Directory Sites and Services console. Although
you can create the objects in any order you wish and easily modify existing ones there is a logical
progression that might save you time and effort. First create the site; then define the AD subnets for the
site; then create site links between the new site and one or more sites that already exist; finally, assign one
or more domain controllers to the site.
Adding Sites
To add a site using Active Directory Sites and Services do the following:
1. Right-click on Sites in the console tree and select New Site
2. Type a name for the site in the Name text box.
3. Select a site link object from the list below Link Name and click OK.
To add a server to a site using Active Directory Sites and Services do the following:
1. Navigate to the desired site in the console tree and expand the view by clicking on the plus sign.
2. Right-click on Servers, select New, and then click Server.
3. Specify the name of the server and click OK.
Creating Active Directory Subnets
To add a subnet using Active Directory Sites and Services do the following:
1. Right-click on Subnets in the console tree and select New Subnet…
2. Enter the prefix for the subnet address using network prefix notation, e.g. if the 192.168.2.0 subnet had
a subnet mask of 255.255.255.0 its prefix would be 192.168.2.0/24 while a subnet of 10.2.0.0 with a subnet
mask of 255.255.0.0 would have a prefix of 10.2.0.0/16.
3. Assign the subnet to a site by selecting the site from the Site Name list, then click OK.
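Getting the prefixes right matters because AD DS picks a computer's site by the most specific subnet that contains its address, and a computer matching no subnet lands in Default-First-Site-Name, as noted at the start of this section. The following PowerShell (2.0 or later) is an added example, not code from the book: it reproduces that longest-prefix lookup so you can predict where a DC or client will be placed before you create the subnet objects. The subnet-to-site map, the site names and the addresses are constructed for the example.

```powershell
# Added example, not from the book: predict which site AD DS will assign an
# address to, using the same longest-matching-prefix rule the directory applies.

function ConvertTo-AddressNumber {
    param([string]$Address)
    $b = [System.Net.IPAddress]::Parse($Address).GetAddressBytes()
    if ($b.Length -ne 4) { throw "IPv4 only in this example: $Address" }
    return [int64]$b[0] * 16777216 + [int64]$b[1] * 65536 + [int64]$b[2] * 256 + [int64]$b[3]
}

function ConvertTo-PrefixMask {
    param([int]$PrefixLength)
    if ($PrefixLength -lt 0 -or $PrefixLength -gt 32) { throw "Invalid prefix length $PrefixLength" }
    # 32-bit mask with the top $PrefixLength bits set (e.g. /24 -> 255.255.255.0)
    return [int64]([math]::Pow(2, 32) - [math]::Pow(2, 32 - $PrefixLength))
}

function Find-SiteForAddress {
    param(
        [Parameter(Mandatory=$true)][string]$Address,
        [Parameter(Mandatory=$true)][hashtable]$SubnetToSite,   # 'network/len' -> site name
        [string]$DefaultSite = 'Default-First-Site-Name'
    )
    $ip = ConvertTo-AddressNumber $Address
    $bestSite = $DefaultSite
    $bestLength = -1
    foreach ($prefix in $SubnetToSite.Keys) {
        $parts   = $prefix.Split('/')
        $network = ConvertTo-AddressNumber $parts[0]
        $length  = [int]$parts[1]
        $mask    = ConvertTo-PrefixMask $length
        if (($network -band $mask) -ne $network) {
            throw "$prefix is not a valid prefix: host bits are set in the network address"
        }
        # Keep the longest prefix that contains the address
        if ((($ip -band $mask) -eq $network) -and ($length -gt $bestLength)) {
            $bestSite   = $SubnetToSite[$prefix]
            $bestLength = $length
        }
    }
    return $bestSite
}

# Constructed subnet-to-site map using the prefixes from step 2 above.
$subnets = @{
    '192.168.2.0/24' = 'Washington'
    '10.2.0.0/16'    = 'Paris'
    '10.2.50.0/24'   = 'Paris-Lab'   # more specific than 10.2.0.0/16, so it wins inside it
}
foreach ($addr in '192.168.2.17', '10.2.7.9', '10.2.50.3', '172.16.0.5') {
    '{0,-14} -> {1}' -f $addr, (Find-SiteForAddress -Address $addr -SubnetToSite $subnets)
}
```

The last address matches no subnet and therefore falls back to Default-First-Site-Name, which is exactly the symptom to look for when a branch DC is replicating over the wrong link: a missing or mistyped subnet object rather than a bad site link.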
Managing Site Links
To manage a site link using Active Directory Sites and Services do the following:
1. Expand the Inter-Site Transports folder.
2. Right-click the desired transport protocol, either IP or SMTP; the former refers to the protocol native
to AD DS, RPC over IP, while SMTP is the Simple Mail Transfer Protocol.
3. Select New Site Link.
4. Type a name for the site link in the Name text box.
5. Select a site to add to the link from the Sites not in this site link: list and click Add. Repeat this
procedure to place more sites in the link, as shown in figure 6.
Figure 6: Adding Sites to a Link.
By default all site links are bridged, that is, treated as transitive: if site A is linked to site B and B is
linked to C, the KCC may route replication between A and C through B. For most situations this is ideal.
If your network is not fully routed (for example a firewall prevents DCs in A from reaching DCs in C
directly), clear Bridge all site links in the properties of the transport under Inter-Site Transports and then
use New Site Link Bridge in step 3 above to declare explicitly which site links should be treated as transitive.
You can manage other settings for these objects by right-clicking on them in the console tree and selecting
properties, as shown in figure 7. By default replication occurs every 3 hours across a link and each link is
available 24 hours per day, 7 days per week. You may want to adjust the cost of your links the replication
frequency, and the schedule in order to more closely control bandwidth usage. While RPC over IP is a
robust replication protocol for most situations, SMTP is ideal for replication across unreliable network
connections. SMTP only supports replication of the schema, configuration, and global catalog and it
requires and enterprise certification authority (CA). Note that the AD Knowledge Consistency Checker
(KCC) builds the intersite replication topology automatically based on the sites, subnets, and links that you
define. Replication will automatically follow the lowest cost routes between sites. The KCC updates the
topology every 15 minutes, you can force it to update at any time by navigating to a server object under the
site container in Active Directory Sites and Services, right-clicking NTDS Settings for the server,
selecting All Tasks, and then clicking Check Replication Topology.
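The subnet and site link procedures above, carried out from PowerShell instead of the console, as an added example that is not part of the original text. It assumes the ActiveDirectory module from Windows Server 2012 or later (the *-ADReplication* cmdlets are not in the Windows Server 2008 module), an existing site named Branch, and the repadmin tool; the ConvertTo-PrefixLength helper and the link name are constructed for this example.

```powershell
# Added example (not from the original text): configure a subnet and a site
# link, then refresh the KCC topology, from PowerShell rather than Active
# Directory Sites and Services. Assumes the ActiveDirectory module shipped with
# Windows Server 2012 or later and a site named "Branch" (constructed name)
# that already exists alongside Default-First-Site-Name.
#Requires -Modules ActiveDirectory
Import-Module ActiveDirectory

# Helper (constructed here): convert a dotted subnet mask to a prefix length,
# e.g. 255.255.255.0 -> 24 and 255.255.0.0 -> 16.
function ConvertTo-PrefixLength {
    param([Parameter(Mandatory)][string]$SubnetMask)
    $bits = ($SubnetMask.Split('.') | ForEach-Object {
        [Convert]::ToString([int]$_, 2).PadLeft(8, '0')
    }) -join ''
    # A valid mask is a run of 1 bits followed by a run of 0 bits.
    if ($bits -notmatch '^1*0*$') { throw "Non-contiguous subnet mask: $SubnetMask" }
    return ($bits.ToCharArray() | Where-Object { $_ -eq '1' }).Count
}

# Subnet procedure, steps 2 and 3: build the prefix and assign it to a site.
$network = '192.168.2.0'
$prefix  = "$network/$(ConvertTo-PrefixLength '255.255.255.0')"   # 192.168.2.0/24
if (-not (Get-ADReplicationSubnet -Filter "Name -eq '$prefix'")) {
    New-ADReplicationSubnet -Name $prefix -Site 'Branch' -Location 'Branch office'
}

# Site link over the IP (RPC over IP) transport. The defaults match the text:
# cost 100, replication every 180 minutes, available 24x7. Here the cost is
# raised and the interval shortened, as you might for a WAN link.
$linkName = 'Default-First-Site-Name-Branch'
if (-not (Get-ADReplicationSiteLink -Filter "Name -eq '$linkName'")) {
    New-ADReplicationSiteLink -Name $linkName `
        -SitesIncluded 'Default-First-Site-Name', 'Branch' `
        -InterSiteTransportProtocol IP `
        -Cost 200 `
        -ReplicationFrequencyInMinutes 60
}

# Review the costs and intervals the KCC will use when it builds the
# intersite topology.
Get-ADReplicationSiteLink -Filter * -Properties Cost, ReplicationFrequencyInMinutes |
    Select-Object Name, Cost, ReplicationFrequencyInMinutes, SitesIncluded

# Command-line equivalent of Check Replication Topology: ask the KCC on this DC
# to recalculate now instead of waiting for its 15-minute cycle.
repadmin /kcc

# Audit check: a subnet with no site lets clients in it pick a DC from any
# site, so logons and Group Policy may cross the WAN unexpectedly.
Get-ADReplicationSubnet -Filter * | Where-Object { -not $_.Site } |
    ForEach-Object { Write-Warning "Subnet $($_.Name) is not assigned to a site" }
```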
Figure 7: Site Properties Dialog Box.
Understanding Bridgehead Servers
The KCC automatically assigns the role of bridgehead server to one DC in each site. Replication between
sites occurs between these bridgehead servers. Normally there is no need to alter them; if you do, and the
manually assigned server goes offline, replication will be disrupted. If you want to manually assign a preferred
bridgehead server to a site in Active Directory Sites and Services, navigate to the desired domain
controller in the console tree, right-click on it and click Properties. You can select one or more transports
and click Add on the General tab to make that DC the preferred bridgehead server, as shown in figure 8.
Figure 8: Manually Configuring a Preferred Bridgehead Server.
Exercise 1: Adding the Distributed File System Role Service
This is a quick exercise that will help you practice the tasks discussed in the next part of this section.
Previously you added the AD DS server role to your practice computer, which resulted in the installation of the
first domain controller in your lab. By default, choosing this server role adds two more: the DNS Server
and File Services roles. DFS is an optional role service for the File Services role.
  • 6. (SDDNS). DDNS is the least secure choice because in this configuration updates can be accepted from untrusted hosts, however it is supported by a wider range of operating systems. SDDNS is only available for Active Directory-integrated zones, and it’s the preferred configuration whenever possible. The default setting for new zones is NDDNS, that is, to disable dynamic updates unless the new zone is integrated with Active Directory, in which case SDDNS is the default setting. To enable or disable dynamic updates in DNS Manager right-click on the desired zone and select Properties, then make the appropriate selection in the Dynamic Updates drop-down list and press OK. To configure dynamic updates from a command prompt type the following command and press ENTER: Dnscmd <ServerName> /Config {<ZoneName or ..AllZones>} AllowUpdate 2 Table 2 briefly explains what each of the command line options mean. Parameter Description <ServerName> This is a required parameter. You specify either the host name or IP address of the DNS server where the zone is stored. /Config This is a required parameter. The second parameter specifies what action is to be taken, in this case to modify the specified zone. <ZoneName or ..AllZones> This is a required parameter. The fully qualified domain name (FQDN) of the zone. To configure all zones stored on the server type ..AllZones. AllowUpdate This is a required parameter, it enables dynamic updates. 2 This optional parameter specifies secure updates only, if it is omitted then the zone will only allow standard dynamic updates. Table 2: Dnscmd parameters when configuring a zone. Tip: The graphical tool for DNS administration in Windows Server 2008 is the DNS Manager Microsoft Management Console console, henceforth referred to as “DNS Manager.” There is also a command prompt tool available which is useful for managing Server Core installations and scripting of administrative tasks, it is called dnscmd. 
While many administrators will be most comfortable using DNS Manager you may also want to familiarize yourself with the command prompt tool. Understanding DNS Zones The DNS Server role supports three different types of zones: primary, secondary, and stub. Only primary and stub zones can be configured as Active Directory-integrated zones if the server is a domain controller in an Active Directory domain. The difference between integrated and non-integrated zones is where zone information is stored. Active Directory-integrated zones are stored within the AD DS. Zones that are not integrated are stored as text files, by default in %windir%System32dns. Caution: Although it may be tempting to edit these DNS text files in Notepad or some other text editor Microsoft strongly recommends that you do not. Instead, you should always use the built-in tools such as DNS Manager to configure zones and resource records to ensure proper formatting and versioning.
Primary

A primary zone is the writable master copy of a zone. A DNS server hosting the primary zone is the authoritative source for information about that zone.

Secondary

A secondary zone is a read-only copy of a zone. A server hosting a secondary zone must download the zone data, and ongoing updates to the data, from another server hosting the same zone. A secondary copy cannot be stored in AD DS because it is merely a copy of a primary zone stored on another server.

Stub

A stub zone is a copy of the primary zone that only contains resource records for the authoritative DNS servers for that zone. A server hosting a stub zone must download the zone data, and ongoing updates to the data, from another server hosting the same zone. When properly implemented, stub zones can improve name resolution efficiency by allowing DNS servers to complete recursive queries without having to query the Internet or internal root servers. Stub zones also tend to be less processor intensive than conditional forwarding.

Expert Discussion: Why Background Zone Loading is Important

Background zone loading is a new feature in Windows Server 2008 that large organizations may find very useful. In previous versions of the DNS Server service all of the DNS data stored in AD DS had to be downloaded before the server would start responding to DNS queries. Some enterprises had to endure waits of an hour or more when restarting their DNS servers. In Windows Server 2008 the DNS Server service can start responding to client requests much more quickly because it is able to do so while continuing to retrieve zone data from AD DS. When clients request data for a zone that has already been loaded the DNS server responds normally; when they request data for a zone that hasn't been loaded yet, it retrieves the information from AD DS and then responds to the client.
Creating New Zones To create a new zone in DNS Manager right-click on either the DNS Server, Forward Lookup Zones, or Reverse Lookup Zones. If the first option is used then the wizard will display an additional page asking whether to create a forward or reverse lookup zone. The wizard will prompt you to specify information that’s described earlier in this chapter such as zone type, zone name, and dynamic updates; however, the wizard will also ask you to specify the replication scope as shown in figure 4. Replication scope is discussed in more detail later in this chapter.
Figure 4: Selecting the Active Directory replication scope in the New Zone Wizard

To create a new zone from a command prompt, type the following command and press ENTER:

dnscmd <ServerName> /ZoneAdd <ZoneName> {/Primary|/DsPrimary|/Secondary|/Stub|/DsStub} [/file <FileName>] [/load] [/a <AdminEmail>] [/DP <FQDN>]

Once again, there are many options available; Table 3 briefly explains each.

<ServerName>: This is a required parameter. You specify either the host name or IP address of the DNS server where the zone is stored.
/ZoneAdd: This is a required parameter; it specifies what action is to be taken, in this case to add a new zone.
<ZoneName>: This is a required parameter: the fully qualified domain name (FQDN) of the zone.
{/Primary|/DsPrimary|/Secondary|/Stub|/DsStub}: This is a required parameter for defining the zone type; /DsPrimary and /DsStub indicate AD DS-integrated zones.
[/file <FileName>]: This is required only when creating a primary zone that is not integrated with AD DS.
[/load]: This optional parameter loads an existing file; otherwise the default zone records are automatically generated.
[/a <AdminEmail>]: Use this optional parameter to specify an email address for the zone's administrator.
[/DP <FQDN>]: Use this optional parameter to specify the FQDN of the application directory partition where the zone is to be added.
Table 3: Dnscmd parameters when creating a zone

Zone Aging and Scavenging

Out-of-date resource records can accrete in a zone database much like barnacles on a freighter. If the number of stale records becomes substantial it could impact performance by consuming disk space, slowing down responses to queries, and sending outdated information to clients. In some cases, stale records may prevent a name from being used by other hosts in the domain. By observing the time stamps on resource records the DNS Server service can automatically remove records when they have aged beyond the time limit you have specified. To use these features they must be enabled at both the DNS server and zone levels.

Caution: There is a reason why the aging and scavenging features are disabled by default: when implemented incorrectly, records may be deleted that are still needed. For this reason, only implement these features once you fully understand all of the options available.

Normally only dynamically updated records are configured to be scavenged, because in most cases when you configure a static record it is for a server that is going to be sharing resources for a relatively long time. By default static records are given a time stamp of zero, which exempts them from aging and scavenging. You can change this by modifying the records individually to permit them to use a current time stamp instead. The aging and scavenging concepts introduce some terms that you may not be familiar with:
• No-refresh interval: The period of time between the last refresh and the moment when the timestamp can be refreshed again.
• Refresh interval: The period of time from when a record is refreshed to when it can be scavenged. This must be greater than the maximum refresh period.
• Scavenging period: The period of time between scavenging operations.
• Record refresh: This occurs when a dynamic update is processed and the only change made to the record is to update its time stamp. This happens when a computer restarts, every 24 hours when the computer attempts to update its record, and when other network services attempt a refresh.
• Record update: This occurs when a dynamic update is processed and other characteristics are modified in addition to its time stamp.
• Scavenging servers: It's possible to restrict scavenging to a specific list of DNS servers, identified by their IP addresses.

To configure aging and scavenging for a zone in DNS Manager:
1. Right-click on the zone and select Properties.
2. Click Aging on the General tab of the dialog box.
3. Select the Scavenge stale resource records check box.
4. Modify the other properties as appropriate.
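To make the interplay of the no-refresh interval, the refresh interval and the zero time stamp on static records concrete, here is an added Python model of those rules; it is not code from the chapter or from Windows. The hour-based clock, the record names and the AgingZone class are constructed for the example, and intervals are expressed in hours.

```python
# Added example (not from the chapter): a simplified model of DNS aging and
# scavenging. Times are whole hours on a constructed clock; intervals are in
# hours. Windows stores timestamps differently, but the rules are the same:
#   - a refresh that arrives inside the no-refresh interval is not written,
#   - a dynamic record is scavengeable once no-refresh + refresh hours have
#     elapsed since its timestamp,
#   - a static record (timestamp 0) is never aged or scavenged.
from dataclasses import dataclass, field

STATIC = 0  # time stamp given to manually added records: exempt from scavenging


@dataclass
class Record:
    name: str
    rtype: str
    data: str
    timestamp: int = STATIC  # hour of last accepted refresh/update, 0 = static


@dataclass
class AgingZone:
    """Zone with aging enabled (no-refresh and refresh intervals in hours)."""
    no_refresh: int = 168   # hours during which a refresh is ignored
    refresh: int = 168      # further hours before the record may be scavenged
    records: dict = field(default_factory=dict)

    def add_static(self, name, rtype, data):
        """Manually added record: timestamp 0, so it is exempt from aging."""
        self.records[name] = Record(name, rtype, data, STATIC)

    def dynamic_update(self, name, rtype, data, now):
        """Process a dynamic update at hour `now`.

        Returns 'added', 'updated', 'refreshed', 'suppressed' or 'static'.
        """
        rec = self.records.get(name)
        if rec is None:
            self.records[name] = Record(name, rtype, data, now)
            return "added"
        if rec.timestamp == STATIC:
            # Model simplification: static records keep their zero timestamp
            # unless an administrator opts them in individually.
            return "static"
        if rec.rtype != rtype or rec.data != data:
            # Record update: other characteristics change, timestamp is written
            rec.rtype, rec.data, rec.timestamp = rtype, data, now
            return "updated"
        if now < rec.timestamp + self.no_refresh:
            # Record refresh inside the no-refresh interval: nothing is written
            return "suppressed"
        rec.timestamp = now   # record refresh: only the timestamp changes
        return "refreshed"

    def scavengeable(self, rec, now):
        """A dynamic record is stale once both intervals have elapsed."""
        if rec.timestamp == STATIC:
            return False
        return now >= rec.timestamp + self.no_refresh + self.refresh

    def scavenge(self, now):
        """One scavenging pass; returns the names that were removed."""
        stale = [n for n, r in self.records.items() if self.scavengeable(r, now)]
        for n in stale:
            del self.records[n]
        return stale


def demo():
    """Constructed walk-through; returns the observations for checking."""
    zone = AgingZone(no_refresh=168, refresh=168)
    zone.add_static("www", "A", "192.0.2.10")              # long-lived server
    out = {}
    out["add"] = zone.dynamic_update("pc1", "A", "192.0.2.50", now=1000)
    out["early"] = zone.dynamic_update("pc1", "A", "192.0.2.50", now=1100)
    out["late"] = zone.dynamic_update("pc1", "A", "192.0.2.50", now=1200)
    out["ts"] = zone.records["pc1"].timestamp               # 1200, not 1100
    out["scavenge_1535"] = zone.scavenge(now=1535)          # too early: []
    out["scavenge_1536"] = zone.scavenge(now=1536)          # ['pc1']
    out["static_survives"] = "www" in zone.records          # True
    return out


if __name__ == "__main__":
    print(demo())
```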
To configure aging and scavenging for a zone from a command prompt, enter the following command:

dnscmd <ServerName> /Config <ZoneName> {/Aging <Value>|/RefreshInterval <Value>|/NoRefreshInterval <Value>}

Table 4 briefly explains each option.

<ServerName>: This is a required parameter. You specify either the host name or IP address of the DNS server where the zone is stored.
/Config: This is a required parameter. The second parameter specifies what action is to be taken, in this case to modify the specified zone.
<ZoneName>: This is a required parameter: the fully qualified domain name (FQDN) of the zone.
/Aging <Value>: This is required; set the value to 1 to enable aging, or 0 to disable it.
/RefreshInterval <Value>: This is required; it specifies the refresh interval in hours, 168 by default.
/NoRefreshInterval <Value>: This is required; it specifies the no-refresh interval in seconds, 3600 by default.
Table 4: Dnscmd parameters for scavenging at the zone level

To configure aging and scavenging for a DNS server in DNS Manager, right-click on the server and click Set Aging/Scavenging for all zones, then select the Scavenge stale resource records check box and modify the other properties as appropriate. To configure aging and scavenging for a DNS server from a command prompt, enter the following command:

dnscmd <ServerName> /Config {/ScavengingInterval <Value>|/DefaultAgingState <Value>|/DefaultNoRefreshInterval <Value>|/DefaultRefreshInterval <Value>}

Table 5 briefly explains each option.

<ServerName>: This is a required parameter. You specify either the host name or IP address of the DNS server where the zone is stored.
/Config: This is a required parameter. The second parameter specifies what action is to be taken, in this case to modify the specified zone.
/ScavengingInterval <Value>: This required parameter specifies the scavenging frequency for all zones enabled for scavenging.
/DefaultAgingState <Value>: This required parameter sets the default aging configuration for all zones; 1 enables aging and 0 disables it.
/DefaultRefreshInterval <Value>: This is required; it specifies the default refresh interval in hours.
/DefaultNoRefreshInterval <Value>: This is required; it specifies the default no-refresh interval in seconds.
Table 5: Dnscmd parameters for scavenging at the server level

Understanding Forward Lookups and Reverse Lookups

A forward lookup occurs when a client looks for the IP address assigned to a particular hostname. The hostname can be resolved to an IP address in several different ways. First, if the hostname is less than 16 bytes long the client will attempt to resolve it using NetBIOS. If that fails, or if the hostname is longer, the client will check its own local cache of recent DNS queries; this includes the local hosts file, since it is pre-cached during boot-up. If the name is not in the cache, the client sends the query to its DNS server. The DNS server will answer the query directly if the information is in its database; otherwise it checks its own cache of previous queries. Then the DNS server will start the recursion process: it uses the list of root hints to find a list of DNS servers authoritative for the domain where the host is located. By default, the list of root hints points to the publicly available list of root servers that host the top-level domains such as "com," "info," "org," and "us." So if the host name is www.kurtdillard.com the DNS server will query one of the root servers to find the IP address of an authoritative DNS server for the kurtdillard.com domain. Next, it will query the kurtdillard.com DNS server to find the IP address for the host named www. It then returns the answer to the original client machine. Figure 5 illustrates the lookup process from the point where the client queries its primary DNS server.
Figure 5: Recursive forward lookup

DNS also supports reverse lookups, in which the client knows the IP address but wants to learn the primary hostname assigned to it. Why would anyone want to do that? There are many situations where it could be useful; for example, when parsing a web site's log files, knowing the domains your visitors are coming from helps you better understand their usage patterns. An organization hosting a publicly available Internet Relay Chat (IRC) service might want to track both hostnames and IP addresses in real time to help it respond to complaints of harassment or other unauthorized behavior.

Reverse lookups were not part of the original specification for DNS; the way domain names are organized and indexed is very different from how IP addresses are assigned. Additionally, while domain names are interpreted from right to left, IP addresses are read in the opposite direction. That is why the IP address octets are reversed when building the reverse lookup domain tree. A special domain is reserved to facilitate reverse lookups: the in-addr.arpa domain. A new reverse lookup zone consists of the reversed address of a subnet prepended to in-addr.arpa. That is, the subnet 192.168.2/24 would correspond to a zone named 2.168.192.in-addr.arpa. The DNS service can create a pointer (PTR) RR for each host record added to the original zone.
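The octet reversal described above, worked through in Python as an added example (not code from the chapter): it derives the reverse lookup zone name for a subnet, the PTR owner name for an address, and the PTR records a reverse zone would hold for a set of forward records. It also generalizes to IPv6 (ip6.arpa, nibble-reversed), which the chapter does not cover; the hostnames and addresses are constructed sample data, and the subnet is written in full CIDR form (192.168.2.0/24) because the ipaddress module does not accept the shorthand 192.168.2/24.

```python
# Added example (not from the chapter): deriving in-addr.arpa (and, as a
# generalization, ip6.arpa) reverse lookup zone names and the PTR records a
# reverse zone would hold for a set of forward (A/AAAA) records. Hostnames and
# addresses used below are constructed sample data.
import ipaddress


def reverse_zone_name(cidr):
    """Reverse lookup zone name for a subnet, e.g. 192.168.2.0/24 ->
    2.168.192.in-addr.arpa. IPv4 zones need an octet boundary (/8, /16, /24);
    IPv6 zones need a nibble boundary (prefix length a multiple of 4)."""
    net = ipaddress.ip_network(cidr, strict=True)
    if net.version == 4:
        if net.prefixlen % 8:
            raise ValueError(f"{cidr}: in-addr.arpa zones need a /8, /16 or /24 prefix")
        labels = str(net.network_address).split(".")[: net.prefixlen // 8]
        return ".".join(reversed(labels)) + ".in-addr.arpa"
    if net.prefixlen % 4:
        raise ValueError(f"{cidr}: ip6.arpa zones need a prefix length that is a multiple of 4")
    nibbles = net.network_address.exploded.replace(":", "")[: net.prefixlen // 4]
    return ".".join(reversed(nibbles)) + ".ip6.arpa"


def ptr_owner_name(ip):
    """Owner name of the PTR record for one address (octets/nibbles reversed)."""
    return ipaddress.ip_address(ip).reverse_pointer


def derive_ptr_records(zone_cidr, forward_records):
    """Mirror what the DNS service does when it creates a PTR for each host
    record: for every (hostname, address) pair inside zone_cidr, produce a
    ptr_owner -> hostname entry. Addresses outside the subnet belong to a
    different reverse zone and are skipped."""
    net = ipaddress.ip_network(zone_cidr, strict=True)
    ptrs = {}
    for hostname, ip in forward_records:
        addr = ipaddress.ip_address(ip)
        if addr in net:               # version mismatch also evaluates False
            ptrs[ptr_owner_name(ip)] = hostname
    return ptrs


if __name__ == "__main__":
    # Constructed forward records; the last one is outside the 192.168.2.0/24 zone
    sample = [
        ("www.kurtdillard.com", "192.168.2.10"),
        ("db.kurtdillard.com", "192.168.2.20"),
        ("mail.kurtdillard.com", "10.0.0.5"),
    ]
    print(reverse_zone_name("192.168.2.0/24"))
    for owner, host in derive_ptr_records("192.168.2.0/24", sample).items():
        print(f"{owner} PTR {host}")
```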
The reverse lookup process is similar to forward lookups. The client queries the DNS server for a PTR RR that maps to the IP address. The DNS server then reverses the address and appends the in-addr.arpa domain to it. It then performs the lookup process normally, first looking locally and then performing a recursive query if necessary. Figure 6 illustrates a simple reverse lookup where the server named www.kurtdillard.com wants to know the hostname for the client that has initiated communications.

Figure 6:

Exercise 1: Prepare Your Practice Lab
To ensure that you understand how to perform the tasks related to managing Windows Server 2008 it's helpful to get hands-on with the software. The availability of free virtualization software and evaluation copies of Microsoft's operating systems means that even students with very tight budgets can build themselves a flexible environment for becoming familiar with Windows Server 2008. There are numerous software-based virtualization products available; since it's free, easy to use, and reliable, I recommend that you download and install Microsoft's Virtual PC. As with many of their products, if you simply append the product name to their public web address you'll get forwarded to the homepage for Virtual PC, where you can access the free download: http://www.microsoft.com/virtualpc. Install Virtual PC on your test machine; in most cases the default settings are sufficient. If you have multiple machines available, use the one with the most physical memory installed; a speedy hard drive and CPU also help, but RAM is the most important component for performance when using software virtualization.

You can download ISO images for both 32- and 64-bit versions of Windows Server 2008 from the Try It webpage. Click on the download link for trial software; I suggest that you do these exercises with the 64-bit build if your computer will support it. If this URL has changed you should be able to find links to the evaluation software on the Windows Server 2008 webpage. These files are very large; however, I am able to download them overnight and I live in Buenos Aires, so surely you can find a way too! You could also try the virtual labs and the virtual hard drives; however, I prefer to download and build my servers because the virtual labs aren't as flexible and the virtual hard drive images currently available were built with pre-release versions of the operating system.

Once you have downloaded the ISO image you can burn it to a DVD, but it's not necessary to do so because Virtual PC is able to mount ISO images as if they were an actual DVD or CD. If you are unfamiliar with Virtual PC, it includes extensive documentation in its help file. To create a new virtual machine with Windows Server 2008 installed, start Virtual PC and do the following:
1. Click New…
2. The New Virtual Machine Wizard starts; click Next.
3. On the Options page make sure that Create a new virtual machine is selected and click Next.
4. Type a name for your new virtual machine; click Browse… if you want to specify a location other than the default for storing the configuration file for the virtual machine.
5. Click Next, then click Next again on the Operating System page.
6. Select Adjusting the RAM and type 512 in the text box, then click Next.
7. Select A new virtual hard disk and click Next.
8. Specify a path and file name for the virtual hard disk and click Next.
9. Click Finish.
10. Ensure that the new virtual machine is selected and click Start to launch it.
11. Click the CD menu and select Capture ISO Image…
12. Navigate to where you saved the ISO image and select it, then click Open. If the virtual machine boot process is already too far along you can reboot it from the Action menu by selecting Reset.
13. You should be able to install Windows Server 2008 the same way you would if you were installing it on a physical machine. Use the default options throughout the installation, but be sure to select a sensible hostname when given the opportunity.

To make it easier to tear down and restart your practice lab I suggest that you make a copy of the virtual hard disk file once the operating system installation is complete. Some of the other exercises require two servers, so you ought to make yet another copy.
Configuring Zone Transfers and Replication

Zone transfers were once the most common way to replicate DNS database updates between servers; in recent years other replication mechanisms have become increasingly popular. There are two types of zone transfers: full and incremental. The DNS Server service in Windows Server 2008 supports zone transfers as well as AD DS replication. This section explores each of these features.

Configuring Zone Transfers

A full zone transfer is fairly simple: the client, also called the "secondary" or "slave" server, requests a copy of the zone from the server, also called the "primary" or "master." The transfer initiates with the SOA resource record. Since the serial number of the SOA RR is incremented each time there is a change to the zone, the client can compare the serial number for the current version of the SOA with its own copy; if they are identical then the client concludes that there haven't been any changes to the zone and the transfer is terminated. If the serial numbers differ, the client requests all of the remaining records for the zone. An incremental zone transfer differs in that the client sends its own copy of the SOA RR to the server; the server then compares the serial number with that of its own copy and only sends changes that have occurred since that version of the SOA RR.

Active Directory-integrated zones rely on AD DS for replication between domain controllers; whenever feasible it's the preferred method. However, when file-based zone transfers are used, incremental zone transfers consume less network bandwidth than full transfers and therefore they are the next best choice. For this reason the DNS Server service in Windows Server 2008 requests incremental zone transfers when retrieving a zone from a primary server.

To configure zone transfers using DNS Manager, do the following:
1. Right-click on the desired zone, and then select Properties.
2. Click the Zone Transfers tab.
3. Enable or disable the Allow zone transfers check box.
4. If you have enabled transfers, select the appropriate radio button: To any server, Only to the servers listed on the Name Servers tab, or Only to the following servers, as shown in figure 7.
5. If the last button is selected, click Edit and enter the IP addresses for each desired DNS server, as shown in figure 8.
Figure 7: Specifying what servers are allowed to request zone transfers.
Figure 8: Defining the list of IP addresses for servers allowed to request zone transfers.

To configure zone transfers from a command prompt, enter the following command:

dnscmd <ServerName> /ZoneResetSecondaries <ZoneName> {/NoXfr | /NonSecure | /SecureNs | /SecureList [<SecondaryIPAddress...>]}

Table 6 briefly explains each of the command line options.

<ServerName>: This is a required parameter. You specify either the host name or IP address of the DNS server where the zone is stored.
/ZoneResetSecondaries: This is a required parameter. The second parameter specifies what action is to be taken, in this case to configure zone transfers for the specified zone.
<ZoneName>: This is a required parameter: the fully qualified domain name (FQDN) of the zone.
/NoXfr: This option disables transfers.
/NonSecure: This option permits transfers to any DNS server.
/SecureNs: This option permits transfers to servers listed in the zone using name server resource records.
/SecureList: This option permits transfers to the list of servers specified by <SecondaryIPAddress...>.
<SecondaryIPAddress...>: Required if /SecureList is used: a list of one or more IP addresses of DNS servers to be allowed to obtain transfers.
Table 6: Dnscmd parameters for zone transfers.

Configuring DNS Notify

When DNS Notify is enabled for a zone, the primary server will send messages to the secondary servers notifying them when changes have occurred. You enable DNS Notify from the Zone Transfers tab of the zone's properties dialog box by clicking on the Notify… button. You can indicate a specific list of servers or specify all servers on the Name Servers tab. When secondary servers receive the notification they can initiate the normal zone transfer process. Configuring DNS Notify from the command prompt is a simple variation on configuring zone transfers; to do so, enter the following:

dnscmd <ServerName> /ZoneResetSecondaries <ZoneName> {/NoNotify|/Notify|/NotifyList <IPaddress...>}

Table 7 briefly explains each option.

<ServerName>: This is a required parameter. You specify either the host name or IP address of the DNS server where the zone is stored.
/ZoneResetSecondaries: This is a required parameter. The second parameter specifies what action is to be taken, in this case to configure zone transfers for the specified zone.
<ZoneName>: This is a required parameter: the fully qualified domain name (FQDN) of the zone.
/NoNotify: This option disables notification for the zone.
/Notify: This option enables notification for all servers on the Name Servers tab.
/NotifyList <IPaddress...>: This option enables notification for all servers provided in the subsequent list of IP addresses.
Table 7: Dnscmd parameters for DNS Notify.

Note: DNS Notify is not necessary for AD-integrated zones because the DNS servers automatically poll the directory for changes on a regular basis.
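The serial-number comparison behind full and incremental transfers, together with a /SecureList-style restriction on which secondaries may pull the zone, modelled in Python as an added example (not code from the chapter or from the Windows DNS Server service). The PrimaryZone and SecondaryZone classes, the journal of changes, and the serials, names and addresses are all constructed for the example; the model exchanges Python values rather than real DNS messages.

```python
# Added example (not from the chapter): a simplified model of how a primary
# answers a secondary's transfer request. Serial numbers, names and addresses
# are constructed; real AXFR/IXFR run over DNS messages, which this omits.
class PrimaryZone:
    def __init__(self, name, serial, records, secure_list=None):
        self.name = name
        self.serial = serial            # SOA serial, incremented on every change
        self.records = dict(records)    # owner name -> rdata (one RR per name)
        self.journal = []               # (serial_after_change, [(op, owner, rdata)])
        # None models /NonSecure (any server); a set models /SecureList
        self.secure_list = None if secure_list is None else set(secure_list)

    def set_record(self, owner, rdata):
        """Change or add a record: bump the SOA serial and journal the change."""
        self.serial += 1
        changes = []
        if owner in self.records:
            changes.append(("del", owner, self.records[owner]))
        changes.append(("add", owner, rdata))
        self.records[owner] = rdata
        self.journal.append((self.serial, changes))

    def transfer(self, requester_ip, client_serial, incremental=True):
        """Answer a secondary's request. Returns (kind, payload) with kind one of
        'refused', 'up-to-date', 'ixfr' (serial, changes) or 'axfr' (serial, copy)."""
        if self.secure_list is not None and requester_ip not in self.secure_list:
            return "refused", None             # not an authorized secondary
        if client_serial == self.serial:
            return "up-to-date", None          # serials match: nothing to send
        if incremental and self.journal and client_serial >= self.journal[0][0] - 1:
            # The journal covers the client's version: send only later changes.
            # A client serial ahead of ours yields no changes and falls back to
            # a full transfer below.
            delta = [c for s, chg in self.journal if s > client_serial for c in chg]
            if delta:
                return "ixfr", (self.serial, delta)
        return "axfr", (self.serial, dict(self.records))


class SecondaryZone:
    def __init__(self, serial, records):
        self.serial = serial
        self.records = dict(records)

    def pull(self, primary, my_ip):
        """One transfer cycle: ask the primary and apply whatever it returns."""
        kind, payload = primary.transfer(my_ip, self.serial)
        if kind == "axfr":
            self.serial, self.records = payload[0], dict(payload[1])
        elif kind == "ixfr":
            self.serial, delta = payload
            for op, owner, rdata in delta:
                if op == "del":
                    self.records.pop(owner, None)
                else:
                    self.records[owner] = rdata
        return kind


def demo():
    """Constructed walk-through; returns the observations for checking."""
    primary = PrimaryZone("kurtdillard.com", 100,
                          {"www": "192.0.2.10", "mail": "192.0.2.25"},
                          secure_list={"192.0.2.53"})       # the one allowed secondary
    sec = SecondaryZone(100, primary.records)               # already in sync
    out = {}
    out["in_sync"] = sec.pull(primary, "192.0.2.53")        # 'up-to-date'
    primary.set_record("www", "192.0.2.11")                 # serial 101
    primary.set_record("ftp", "192.0.2.30")                 # serial 102
    out["ixfr"] = sec.pull(primary, "192.0.2.53")           # 'ixfr'
    out["converged"] = sec.records == primary.records and sec.serial == 102
    stale = SecondaryZone(50, {})                           # predates the journal
    out["axfr"] = stale.pull(primary, "192.0.2.53")         # 'axfr'
    out["stale_converged"] = stale.records == primary.records
    out["outsider"] = SecondaryZone(0, {}).pull(primary, "203.0.113.9")  # 'refused'
    return out


if __name__ == "__main__":
    print(demo())
```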
Using Secure Zone Transfers

It is possible for nefarious individuals to learn a great deal about your network from your DNS servers. If they are able to initiate full zone transfers for your internal and external zones they can learn the host names and IP addresses for all of the computers listed in those zones. For this reason it's a good idea to limit zone transfers to a list of authorized DNS servers when using file-based replication. You accomplish this within DNS Manager by selecting either Only to the servers listed on the Name Servers tab or Only to the following servers when configuring zone transfers, or by specifying either /SecureNs or /SecureList when using dnscmd from a command prompt.

Exercise 2: Build Your Active Directory Domain

The next step in preparing your practice lab is to build an Active Directory domain. This is quite easy to do in a test environment because you do not have to spend much time planning details such as your domain namespace, your zone configuration, and your replication configuration, whereas these and other considerations are critical to a successful deployment in a production environment. To get started you first have to install the Active Directory Domain Services role and then launch the installation wizard by executing dcpromo. You can add the role from Server Manager by doing the following:
1. Navigate to Roles in the navigation pane and then select Add Roles in the Roles Summary pane.
2. Click Next.
3. Select Active Directory Domain Services on the Select Server Roles page, and click Add Required Features when prompted.
4. Click Next.
5. Complete the Add Roles wizard using the default settings.
6. On the Installation Results page click Close this wizard and launch the Active Directory Domain Services Installation Wizard.
7. Use the default settings throughout the installation, including installing the DNS Server role. You will need to specify values for some options such as the AD restore mode password and an FQDN for your domain; I suggest you pick something that is completely unresolvable from the Internet like domain.test or testing.domain.
8. You will also need to specify that this is the first domain controller in a new domain, and the first domain in a new forest.
9. Once the wizard has gathered all of the necessary information from you the installation will proceed automatically; how long it takes will depend upon the hardware capacity of your test system.

Defining Replication Scope for Active Directory-Integrated Zones

When a DNS zone is integrated with Active Directory you need to specify where it will be stored and its replication scope. You can specify the replication scope when creating a new zone, and you can change it at any time after creation. The following storage options are available for Active Directory-integrated zones:
• Forest-wide DNS application directory partition: This corresponds to To all DNS servers in this forest in the Change Zone Replication Scope dialog box in DNS Manager. DNS zones stored in the forest-wide partition are replicated to all DNS servers running on domain controllers in the forest. This partition is automatically created when DNS is installed on the first domain controller in a new forest. This provides the broadest scope of replication but generates the most replication traffic.
• Domain-wide DNS application directory partition: This corresponds to To all DNS servers in this domain in the Change Zone Replication Scope dialog box in DNS Manager. DNS zones stored in this partition are replicated to all DNS servers running on domain controllers in the domain. This partition is automatically created when DNS is installed on the first domain controller in a new domain.
• Domain partition: This corresponds to To all domain controllers in this domain in the Change Zone Replication Scope dialog box in DNS Manager. DNS zones stored in this partition are replicated to all domain controllers in the domain, even those that are not running the DNS Server service. This is the only option for zones that are replicated to domain controllers running Windows 2000 Server.
• Custom DNS application directory partition: This corresponds to To all domain controllers in the scope of this directory partition in the Change Zone Replication Scope dialog box in DNS Manager. DNS zones stored in this partition are replicated to all DNS servers running on domain controllers that enlist in the partition. To utilize this type of partition you must first create the application directory partition from a command prompt using dnscmd.

To create a DNS application directory partition, enter the following at a command prompt:

dnscmd <ServerName> /CreateDirectoryPartition <FQDN>

You specify the name of the new DNS application directory partition by entering an FQDN. After creating the partition you are able to select it from the drop-down list as shown in figure 9.

Figure 9: Selecting a custom directory partition for replication scope.

To enlist a DNS server in an application directory partition, enter the following at a command prompt:

dnscmd <ServerName> /EnlistDirectoryPartition <FQDN>

To remove a DNS server from an application directory partition, enter the following at a command prompt:

dnscmd <ServerName> /UnenlistDirectoryPartition <FQDN>

In each case, you specify the name of the DNS application directory partition by entering its FQDN.
Expert Discussion: What is the GlobalNames Zone?
Windows Internet Name System (WINS) is a name resolution system that can be deployed independently of, or integrated with, the DNS Server service. WINS is becoming obsolete, though: it relies on NetBIOS over TCP/IP, an older protocol that Microsoft (and many Windows sysadmins!) hope to leave behind. One of the things that people like about WINS is that it facilitates using single-label names for hosts. For example, on a WINS-enabled network you could connect to a shared folder by specifying \\servername\sharename, but on a network that only uses DNS for name resolution you would have to specify the entire hostname like this: \\servername.domainname.suffix\sharename. To help organizations migrate to all-DNS networks Windows Server 2008 introduces support for a new type of DNS zone called the GlobalNames zone. It provides single-label name resolution for a limited number of hosts. The number should be kept relatively small because the records in this zone must be managed manually; it is not feasible to maintain records for every end-user PC in this type of zone.
When the GlobalNames zone is properly implemented a client attempting to resolve a single-label name will first append its primary DNS suffix to the name. If resolution fails it will attempt resolution using its DNS suffix search list. If that also fails the client attempts resolution using the single-label name; if the name appears in the GlobalNames zone the DNS server will provide the answer to the client. If that also doesn’t work the query fails over to WINS. This feature has to be enabled and configured manually as follows:
1. Create an AD DS-integrated forward lookup zone named GlobalNames.
2. Enable support for the GlobalNames zone by running the following command on every authoritative DNS server in the forest:
dnscmd <ServerName> /config /enableglobalnamessupport 1
Replace <ServerName> with the name of the authoritative DNS server.
3. Replicate the new zone to all domain controllers in the forest.
4. Add the desired alias (CNAME) resource records to the new zone.
5. Publish the location of the new GlobalNames zone in other forests as appropriate by adding a service location (SRV) record to the forest-wide DNS application partition, using the service name _globalnames._msdcs and specifying the FQDN of the DNS server that hosts the GlobalNames zone.
Configuring Additional DNS Server Options
There are additional significant settings in the DNS Server service that you should understand. This section briefly discusses each.
Updating Root Hints
As discussed previously, DNS servers use the list of root hint servers to locate authoritative name servers for domains at a higher level or in other subtrees of the DNS namespace. When you add the DNS Server role a file called cache.dns is written to %systemroot%\System32\dns; this file includes the NS and A resource records for the Internet’s root servers. If you are using DNS in a network that is not connected to the Internet you may wish to replace this list of root hints with your own. You can modify the list in DNS Manager by doing the following:
1. Right-click on the server and select Properties.
2. Click the Root Hints tab.
3. Modify the list as appropriate, as shown in figure 10:
a. Click Add… to create a new record.
b. Select a record and click Edit… to modify an existing record.
c. Select a record and click Remove to delete an existing record.
d. Click Copy from Server and then specify the IP address to retrieve the list of root hints from another DNS server. This action will not overwrite any existing root hints.
Figure 10: Updating the Root Hints in Server Manager
Configuring Server Forwarding
A forwarder is a DNS server that forwards queries for external DNS names to DNS servers outside of the network. You use forwarders to manage DNS traffic sent from your internal network to the Internet. Conditional forwarders forward queries for specific domain names to certain servers; for example, you may want to configure conditional forwarding to more quickly resolve hostnames for your organization’s most important business partners. To configure forwarders you configure the network’s firewalls to block outbound DNS traffic from all DNS servers except the forwarders. Then you specify the IP addresses of the forwarders on the other DNS servers in your network. You define the list of forwarders in DNS Manager from the Forwarders tab in the Properties dialog box for the DNS server by clicking Edit and entering the list of IP addresses in the Edit Forwarders dialog box. To define a conditional forwarder select a DNS domain name before entering the IP address of the DNS server.
Configuring Round Robin DNS
Round robin DNS is a rudimentary form of load balancing in which multiple IP addresses are assigned to the same hostname. The DNS server responds to queries for that hostname by sending the entire list, and the order of the addresses is rotated each time the server responds. Clients use the first entry and discard the rest, which should result in queries being evenly distributed across all of the hosts assigned that hostname. This form of load balancing is much less robust than others because the DNS server will continue to respond with the address of a server even if it is no longer available. Additionally, round robin DNS does not make provisions for the differing capacities of the servers; all of them will receive the same amount of traffic. This feature is turned on and off in DNS Manager from the Advanced tab in the Properties dialog box for the DNS server. In the list of server options enable or disable the checkbox for Enable round robin.
Disabling Recursion
As described previously, the DNS Server service automatically performs recursive queries on behalf of its clients by querying other DNS servers for information about hosts when it is unable to resolve the name locally. Recursion should be disabled on externally facing DNS servers because attackers may be able to flood the DNS server with unresolvable queries, leading to a denial-of-service condition. This feature is controlled in DNS Manager from the Advanced tab in the Properties dialog box for the DNS server. In the list of server options enable or disable the checkbox for Disable recursion (also disables forwarders).
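The server options discussed in this section (GlobalNames support, round robin and recursion) are set per server, so on a network with several DNS servers the real risk is drift: one externally facing server left with recursion enabled, or one internal server missing GlobalNames support. The following PowerShell script is an added example, not code from the book, that reads each setting back with dnscmd <ServerName> /Info and reports every server that differs from the baseline expected for its role. The server names and the baseline values are placeholders; the parse relies on the "Dword:" line that dnscmd prints for numeric server settings.

```powershell
# Added example (not from the book): audit per-server DNS options across a set
# of servers with "dnscmd <server> /Info /<setting>" and report deviations from
# a role-specific baseline. Server names and baselines are placeholders.

function Get-DnsServerSetting {
    # Returns the numeric value of one server setting as reported by dnscmd /Info.
    param(
        [Parameter(Mandatory = $true)][string]$Server,
        [Parameter(Mandatory = $true)][string]$Setting   # e.g. NoRecursion, RoundRobin
    )
    $output = & dnscmd.exe $Server /Info "/$Setting" 2>&1 | Out-String
    if ($LASTEXITCODE -ne 0) {
        throw "dnscmd $Server /Info /$Setting failed:`n$output"
    }
    # dnscmd prints DWORD settings as "Dword: <decimal> (<hex>)"; keep the decimal.
    if ($output -match 'Dword:\s*(\d+)') { return [int]$Matches[1] }
    throw "Could not parse dnscmd output for $Setting on ${Server}:`n$output"
}

function Test-DnsServerBaseline {
    # Compares each server against a hashtable of setting -> expected value and
    # emits one object per deviation (nothing is emitted for a compliant server).
    param(
        [Parameter(Mandatory = $true)][string[]]$Servers,
        [Parameter(Mandatory = $true)][hashtable]$Baseline
    )
    foreach ($server in $Servers) {
        foreach ($setting in $Baseline.Keys) {
            $actual = Get-DnsServerSetting -Server $server -Setting $setting
            if ($actual -ne $Baseline[$setting]) {
                New-Object PSObject -Property @{
                    Server   = $server
                    Setting  = $setting
                    Expected = $Baseline[$setting]
                    Actual   = $actual
                }
            }
        }
    }
}

# Externally facing servers answer only for the zones they host: recursion off
# (which, as the text notes, also disables forwarders on that server).
$externalBaseline = @{ NoRecursion = 1; RoundRobin = 1 }

# Internal resolvers keep recursion on and, where the GlobalNames zone has been
# deployed, must all have single-label support switched on.
$internalBaseline = @{ NoRecursion = 0; RoundRobin = 1; EnableGlobalNamesSupport = 1 }

$findings = @()
$findings += Test-DnsServerBaseline -Servers @('ns-ext1', 'ns-ext2') -Baseline $externalBaseline
$findings += Test-DnsServerBaseline -Servers @('dc1', 'dc2') -Baseline $internalBaseline

if ($findings.Count -eq 0) { Write-Host 'All servers match their baseline.' }
else { $findings | Format-Table Server, Setting, Expected, Actual -AutoSize }
```

Because the baseline is just a hashtable, the same function covers any other numeric option that dnscmd /config accepts; add the setting name and its expected value to the appropriate baseline and the audit picks it up without further changes.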
Securing the Cache from Name Pollution
By default the DNS Server service is configured to protect itself from cache pollution by rejecting resource records that it did not request. In some cases it’s possible for a remote DNS server to provide information about records for which it is not authoritative. While this may speed up a recursive query, it’s possible for an attacker to include corrupt information in such a response that could cause clients to be redirected to servers under the attacker’s control. With pollution protection enabled the DNS Server service will ignore these types of records and instead perform the lookup itself by contacting each authoritative server as needed. This feature is controlled in DNS Manager from the Advanced tab in the Properties dialog box for the DNS server. In the list of server options enable or disable the checkbox for Secure cache against pollution.
Implementing Zone Delegation
You can delegate management of portions of your DNS namespace by delegating management of the corresponding zone. Zone delegation can also be used to distribute workload across several servers by dividing one large zone into several smaller ones. To create a zone delegation using DNS Manager right-click on the desired sub-domain, and then click New Delegation. Use the New Delegation Wizard to complete the process. To create a zone delegation from a command prompt enter the following:
Dnscmd <ServerName> /RecordAdd <ZoneName> <NodeName> [/Aging] [OpenAcl] [TTL] NS {<Hostname>|<FQDN>}
Table 8 briefly explains each option.
Parameter – Description
<ServerName> – Required. You specify either the host name or IP address of the DNS server where the record is to be created.
/RecordAdd – Required. Specifies what action is to be taken, in this case to add a new record.
<ZoneName> – Required. The fully qualified domain name (FQDN) of the zone.
<NodeName> – Required. The FQDN of the node.
[/Aging] – Optional. Specifies that the record may be aged and scavenged.
[OpenAcl] – Optional. Specifies that the record may be modified by any user; without this parameter only administrators are able to do so.
[TTL] – Optional. Specifies the time to live (TTL) for the record.
NS – Required. Specifies that you are adding a new NS record to the zone.
<Hostname>|<FQDN> – Required. Specifies the hostname or FQDN of the new authoritative server.
Table 8: Dnscmd parameters for zone delegation.
Summary
This chapter showed you how to install and manage the DNS Server role in Windows Server 2008. It explained the common administrative tasks and introduced you to the key features that are new in this version of Windows Server, such as the GlobalNames zone and background zone loading. To effectively prepare for the examination it is important that you understand the concepts discussed here. It is also important that you are familiar with each of the procedures described in the chapter. It would be ideal if you also spent some time exploring DNS Manager to familiarize yourself with the less commonly used configuration options. Although they are less likely to appear on the exam, doing so will increase your chances of success.
Chapter Review
This section presents a list of review questions designed to help reinforce the knowledge presented earlier in the chapter. To persuade you to explore the management tools more deeply, a few questions may require you to examine DNS Manager or dnscmd rather than rereading the chapter.
Questions
1. You want to add an Active Directory-integrated secondary zone to your DNS server; however, you receive an error message stating “Command failed: ERROR_INVALID_PARAMETER 87” after entering the following at a command prompt: dnscmd dc1 /zoneadd NewZone /secondary /dp /domain. What should you do to correct this problem?
a. The command needs to include the /filename option with the path to the file, so it should read something like this: dnscmd dc1 /zoneadd NewZone /secondary /dp /domain /file c:\data\ZoneFile.dns
b. The zone type needs to be corrected to /dssecondary, so it should read like this: dnscmd dc1 /zoneadd NewZone /dssecondary /dp /domain
c. Secondary zones cannot be AD-integrated; therefore the zone type should be changed to /dsprimary or /dsstub, or you should remove the /dp /domain options and specify the master IP address for the zone.
d. The DNS Server service doesn’t support creating AD-integrated zones from the command prompt.
2. You manage an enterprise network that consists primarily of Windows clients and servers; other platforms are deployed in small numbers. Active Directory is deployed on domain controllers running Windows Server 2003 and Windows Server 2008, and the domain controllers are the only servers hosting the DNS Server service. There are three domains in a single forest. You want to configure replication of the DNS in such a way that network utilization is kept relatively low while ensuring that all of the domain controllers have up-to-date resource records in their DNS databases. Which approach to replication should you consider first?
a. Configuring incremental zone transfers and enabling DNS Notify.
b. Active Directory replication with zones stored in the domain-wide DNS application directory partition.
c. Configuring full zone transfers and enabling DNS Notify.
d. Active Directory replication with zones stored in the forest-wide DNS application directory partition.
3. Match the list of use cases with the kind of resource record that will most likely contain the required data.
Use cases:
a. An SMTP server attempting to forward mail to your organization.
b. A user browsing to a website hosted on several servers that use round robin DNS for load balancing.
c. A web server log file analysis tool generating reports on web site usage.
d. A client trying to connect to another host on a network that uses IPv6.
e. A domain-joined laptop computer that has just been turned on by its user.
Resource records:
1. AAAA
2. MX
3. SRV
4. PTR
5. CNAME
4. Users have started reporting problems connecting to servers within your organization’s network; you are able to connect to some servers, such as the domain controllers for the Active Directory domain for your user account, but others do not respond. Which of the following is the best tool to quickly determine whether or not the problem is related to name resolution?
a. Ping
b. DNS Manager
c. Arp
d. Dnscmd
e. nslookup
5. You have deployed AD DS for a domain named kurtdillard.com, but have only installed the DNS Server service on a subset of the domain controllers. You want to create a DNS zone named finance for a set of servers that will only be replicated to DNS servers in your enterprise. You are currently logged into the local console of the domain controller named NS1. Which is the correct command to create the desired DNS application directory partition?
a. nslookup ns1 /CreateDirectoryPartition finance.kurtdillard.com
b. dnscmd ns1 /EnlistDirectoryPartition finance.kurtdillard.com
c. dnscmd /CreateDirectoryPartition finance.kurtdillard.com ns1
d. dnscmd ns1 /CreateDirectoryPartition finance.kurtdillard.com
6. Examine figure 11. You want to add a Host Information (HINFO) resource record to the selected zone, but that kind of record doesn’t appear on the menu. What steps should you take to add a record of this type?
Figure 11: DNS Zone context menu.
a. Click Other New Records… from the menu, then select the HINFO RR in the dialog box that appears and click Create Record…
b. Click Properties, then click the Advanced tab and turn on the option to enable advanced resource record types.
c. Click on All Tasks, then select Add/Remove record types and enable the HINFO record type.
d. Click on View, then select Customize, and enable the checkbox to display advanced record types.
7. When would background zone loading have a significant positive impact?
a. For any domain controllers running DNS with AD-integrated zones regardless of the database size.
b. For domain controllers running DNS with AD-integrated zones that include tens of thousands of resource records.
c. For DNS servers that host zones stored as files and include tens of thousands of resource records.
d. Both B and C are correct.
8. What type of query is a DNS server performing when it contacts one of the Internet’s root servers to learn the IP address of the authoritative name server of a DNS domain?
a. Forwarding query.
b. Authoritative query.
c. Root lookup.
d. Recursive query.
e. External query.
9. Your organization uses WINS for name resolution between end-user computers so that staff members are able to use a collaboration tool that requires direct connections between those computers. You know that WINS is an old protocol and it is approaching its end of life. Would enabling a GlobalNames zone be a good way to completely replace WINS?
a. Yes.
b. No.
10. You are about to enable record aging and scavenging for a new AD-integrated zone. You expect to add manual records for many servers that will not need to be updated very often. How can you ensure that these static records are not deleted when scavenging occurs?
a. Be sure to mark each record as exempt when creating them with the New Resource Record wizard.
b. After creating a static record manually edit the time stamp and set it to zero.
c. Do nothing; by default static records are given a time stamp of zero and any record with such a time stamp is exempt from aging and scavenging.
d. Set the TTL for the record to zero.
11. Which of the following is not a way for a Windows Server 2008 server running the DNS Server service to learn about updates to resource records?
a. Initiating push-pull replication with a root server.
b. Receiving a DNS Notify message.
c. Initiating a zone transfer.
d. AD DS-integrated replication.
e. Accepting dynamic updates from a DHCP server or client.
f. The DNS administrator editing a static resource record.
12. You manage a new public-facing server that is designed to share information with a select group of your organization’s business partners. Ideally both organizations would deploy a robust federated identity solution to ensure that only authorized users connect to the server; however, it’s going to take a lot of time to negotiate arrangements with each partner. In the interim, you recommend leveraging _____________________ in order to provide some rudimentary security by limiting incoming traffic to certain domains.
13. You want to customize which domain controllers will participate in replication of an AD DS-integrated zone; to do this you need to create a _____________________.
14. Look at figure 12. Which tab would you click on to enable or disable recursive queries?
Figure 12: DNS Server properties dialog box
a. Forwarders
b. Advanced
c. Root Hints
d. Debug Logging
e. Event Logging
f. Monitoring
g. Security
15. What’s the recommended method for maintaining resource records for client computers that are members of an AD DS domain?
a. Manually create and maintain a static record for each computer.
b. Using incremental zone transfers.
c. Using an AD DS-integrated zone with dynamic updates enabled.
d. Using an AD DS-integrated zone configured to only allow secure dynamic updates.
Answers
1. C is the correct answer; secondary zones cannot be AD-integrated under any circumstances. Questions involving negative cases such as this appear regularly in Microsoft’s exams, that is, scenarios where you are told to do something that cannot or should not be done.
2. B is the correct answer. While you do not have enough information to make a complete design for replication, you certainly have enough to know what method will most likely meet the stated requirements. Using the forest-wide application directory partition will generate more replication traffic than the domain-wide one. You cannot force the use of full zone transfers because the DNS Server service automatically attempts to use incremental zone transfers for zones that are not AD-integrated; however, since all of the DNS servers are also domain controllers, AD integration ensures that updates are quickly replicated and that replication traffic is compressed.
3. The use cases and record types should be matched as follows:
a. 2, because MX records contain information about mail hosts for a DNS domain.
b. 5, because multiple CNAME records can be used to map the same hostname to multiple IP addresses.
c. 4, because PTR records are used for reverse lookups, and a web server log tool is likely to use reverse lookups in order to determine what domains host the various clients that have visited the site.
d. 1, because AAAA records are used for IPv6 addresses.
e. 3, because SRV records are used to identify domain controllers for an Active Directory domain, and computers that belong to such a domain attempt to authenticate themselves and download configuration information during the operating system boot process.
4. D is the best answer. With the limited information available nslookup is a good tool to begin troubleshooting. Nslookup is a command prompt diagnostic tool for DNS; you can use it to extract information about DNS zones and their contents from DNS servers that allow your host to connect. While the exam probably will not include extensive questions about nslookup it is likely that you will encounter some, therefore you should familiarize yourself with its basic functionality. Ping is useful for determining whether there are network issues at the IP layer, but DNS name resolution occurs above that and therefore it’s not a good tool for this scenario. Arp is a tool for examining and configuring the address resolution protocol (ARP) cache; ARP is the protocol used to map IP addresses to physical network addresses that are assigned to network interface cards. DNS Manager and dnscmd are tools for configuring the DNS Server service; while they might be needed to correct problems they may not be ideal for initial diagnostics.
5. D is the correct answer. Nslookup is not used to configure the DNS Server service, /EnlistDirectoryPartition is the wrong option for making a new partition, and the name of the DNS server should be the first option in the command. This may appear to be a capricious question requiring you to memorize all of the arcane options of dnscmd, but similar questions do appear on the exams. Rather than trying to memorize every single option available, make sure you remember the basic syntax used on nearly every action: the DNS server name is always the first option; the second always specifies the action to take; and parameters to apply to the action come next. Also memorize the most common actions such as creating zones and records, delegating zones, and configuring zone transfers. Finally, memorize the procedures that can only be performed from the command prompt, such as enabling the GlobalNames zone.
6. A is the correct answer.
7. B is correct. While background zone loading will reduce the time needed to start the DNS Server service, the impact will probably only be noticeable for very large zones.
8. D is correct. DNS servers contact the root servers that are listed in their root hints in order to learn the IP addresses for authoritative name servers for other domains. Typically, they do this while performing a recursive query on behalf of a client computer.
9. No is correct. Although the new GlobalNames zone feature is designed to help enterprises migrate away from WINS for name resolution, it is not sufficiently scalable for completely replacing WINS. There are other alternatives, though: perhaps the collaboration tool will work with DNS name resolution, or you could enable WINS integration for the zones that correspond to your AD DS domains.
10. C is correct. It is not possible to mark a record as exempt; rather, there is a check box you can enable or disable entitled Delete this record when it becomes stale. However, it’s not necessary to configure it because it’s automatically disabled when a static record is created. It’s also not necessary to change the time stamp because it is automatically set to zero for static records. The TTL has no impact on aging and scavenging.
11. A is correct. There are many ways in which a DNS server can learn about changes to resource records, but answer A is entirely fictional.
12. The correct term is reverse lookups.
13. The correct term is DNS application directory partition.
14. B is the correct answer. The first checkbox visible in the Server options text box is used to enable and disable recursive queries on the server.
15. D is the correct answer. Answer A is not scalable; answer B doesn’t address the stated requirements; and answer C is less desirable because malicious users could add records to the zone and potentially redirect clients to hostile servers under their control.
-Configuring the AD infrastructure
-Configuring a forest or a domain
-Configuring trusts
-Configuring sites
-Configuring AD replication
Configuring the Active Directory Infrastructure
Active Directory Domain Services (AD DS) is the foundation for many network services in Windows-based networks, including authentication, authorization, and configuration management. While subsequent chapters discuss implementing and managing these and other features available in Active Directory, this chapter focuses on managing the service itself. For example, it’s important to understand the basic components used to build a hierarchy of domains, how to configure replication, and how to manage the various operations master roles used by AD DS domains and forests. In this chapter you will learn about the following:
• Configure a forest or domain.
• Configure trusts.
• Configure sites.
• Configure Active Directory replication.
• Configure the global catalog.
• Configure operations masters.
Managing Forests and Domains
Domains are the basic building blocks of AD DS. At the risk of confusing you, AD DS domains are distinct from and yet related to Domain Name System (DNS) domains. They are distinct in that they perform many functions that are entirely separate from DNS domains, such as user authentication and group policy. AD DS evolved from LAN Manager and Windows NT domains, where the term was used with no correlation to DNS domains. They are related to DNS in that AD DS integrates with DNS for name resolution. Although it is possible to create an AD DS design that does not resemble the DNS namespace, I recommend against doing so to avoid confusing users.
In AD DS a domain is a logical group of computers that share a directory database. A tree is one or more AD DS domains that have trust relationships with one another. Forests are one or more trees grouped together. Organizations can use domains, trees, and forests to organize their directory services according to the design of their business units, or their geographic distribution, or whatever combination works best for their situation. Figure 1 presents a notional architecture: the rectangles represent the two forests, and the ovals represent the domains. In this example kurtdillard.com is the root domain for the entire organization; within the same tree are two additional layers of domains, americas.kurtdillard.com is the second layer, and the other three form the third. All of the domains in the kurtdillard.com forest are located in the same tree. The other tree, europe.kurtdillard.com, consists of only two layers. This logical architecture also reflects the DNS namespace for the organization.
Figure 1: Hierarchy of Active Directory Forests and Domains
A production architecture could be as complex as the example, or even more complex, or it could be as simple as a single domain within a single forest. What is suitable will vary from one organization to another; however, designing an optimum domain and forest structure is beyond the scope of this book. Review the references section at the end of the chapter for resources on exploring this topic. Each domain has at least one domain controller (DC) that hosts the AD DS database; best practices dictate that each domain have at least two DCs to provide redundancy in case one of them fails. There are several additional roles assigned to DCs; these are discussed later in this chapter. The objects and containers within an AD DS database are discussed in Creating and Maintaining Active Directory Objects.
Implementing Domain Controllers
Installing new AD DS forests is straightforward, as you saw in the first exercise in Configuring DNS for Active Directory. Installing new domains and trees within an existing forest, and installing new DCs within existing domains, is even easier. To prepare for the exam you should familiarize yourself with each of the options available in the Active Directory Domain Services Installation Wizard, as it is likely you will encounter at least a couple of questions relating to it. It is also important to understand the options available for automating the installation using an answer file and manually installing from a command prompt, especially with the advent of Server Core in Windows Server 2008.
You automate AD DS installations using an answer file. If you are familiar with the graphical installation wizard, answer files are easy to understand because all you are doing is providing the same information in a text file. You can create and modify answer files in any text editor, including Notepad; you specify parameter names and values on separate lines with an equal sign between them. For example, including InstallDNS=Yes will force the installation of the DNS Server role. The following list shows the parameters available; which parameters are required depends upon what task you are accomplishing. For example, certain parameters are needed when creating a new forest but others are needed when installing a new DC in an existing domain. The parameter name appears first, followed by the possible values, then the default value, if any, and then a brief description.
• AllowDomainControllerReinstall; Yes, No, NoAndNoPromptEither; No – Installation will normally halt if another DC account with the same name is found; using this option allows you to force the installation to continue if you are certain that the account is no longer being used.
• AllowDomainReinstall; Yes, No, NoAndNoPromptEither; No – Specifies whether or not to recreate an existing domain.
• ApplicationPartitionsToReplicate; "" – A space-delimited list of the application partitions to replicate; entering * means that all partitions will be replicated.
• ChildName; "child_domain_name" – Use to specify the single-label DNS name of the child domain.
• ConfirmGc; Yes, No – Use to specify that the DC will be a global catalog server.
• CreateDNSDelegation; Yes, No; Default is determined based on the environment – Determines whether or not to create a DNS delegation in the parent zone.
• CriticalReplicationOnly; Yes, No; No – Using this parameter can decrease the installation time by forcing the replication of only critical data until installation is complete.
• DatabasePath; "path_to_database_files"; %SYSTEMROOT%\NTDS – Specifies the local directory containing the domain database, e.g., C:\Windows\NTDS.
• DelegatedAdmin; "name of user or group" – Used for read-only DCs; it specifies the name of the user or group that will administer it.
• DNSDelegationPassword; "password", * – Specifies the password for the credentials to use when creating or removing the DNS delegation. Use * to prompt the user to enter credentials.
• DNSDelegationUserName; "user_name" – Specifies the credentials to use when creating or removing the DNS delegation. If nothing is specified the credentials used for the DC installation are used.
• DNSOnNetwork; Yes, No; Yes – Specifies whether DNS service is available; only use it when the network adapter is not configured with a DNS server for name resolution. Specifying 'No' forces the installation of the DNS Server role.
• DomainLevel; 0|2|3; The domain functional level cannot be lower than the forest functional level. Default is set to the existing forest functional level or the value set for /ForestLevel – Determines the domain functional level when creating a new domain as follows:
o 0 = Windows 2000.
o 2 = Windows Server 2003.
o 3 = Windows Server 2008.
• DomainNetBiosName; "domain_NetBIOS_name" – Assigns a network basic input/output system (NetBIOS) name to the new domain.
• ForestLevel; 0|2|3; The default forest functional level when creating a new forest is Windows 2000 (0) – Do not use this parameter when adding a DC to an existing forest. It determines the forest functional level when creating a new forest as follows:
o 0 = Windows 2000.
o 2 = Windows Server 2003.
o 3 = Windows Server 2008.
• InstallDNS; Yes, No; Default is determined based on the environment – Use to specify whether or not DNS will be installed (replaces CreateDNSDelegation in previous versions of DCPromo.exe).
• LogPath; "path_to_log_files"; %SYSTEMROOT%\NTDS – Specifies the local directory that contains the domain log files, e.g., C:\Windows\NTDS.
• NewDomain; Tree, Child, Forest; Forest – Specifies whether to create a new forest, a new domain tree in an existing forest, or a child of an existing domain.
• NewDomainDNSName; "DNS_name_of_domain" – Specifies the FQDN for the new domain.
• ParentDomainDNSName; "DNS_name_of_domain" – Specifies the FQDN of the parent domain when creating a child domain.
• Password; "password", * – Specifies the password corresponding to the credentials used for the operation; use * to prompt for credentials.
• PasswordReplicationAllowed; "security_principal", None – Use only when installing a read-only DC (RODC); it determines which accounts will have their passwords replicated to the new RODC. Specify "None" if you want to keep the value empty.
• PasswordReplicationDenied; "security_principal", None – Use only when installing an RODC; it determines which accounts will be blocked from having their passwords replicated to the new RODC. Specify "None" if you want to keep the value empty.
Members of the following groups are denied by default: Account Operators, Administrators, Backup Operators, Server Operators, and the Denied RODC Password Replication Group (which includes Cert Publishers, Domain Admins, Enterprise Admins, Enterprise Domain Controllers, Enterprise Read-Only Domain Controllers, Group Policy Creator Owners, the krbtgt account, and Schema Admins).
• RebootOnCompletion; Yes, No; Yes – Forces the computer to reboot at the end of the installation process whether or not it succeeded.
• RebootOnSuccess; Yes, No, NoAndNoPromptEither; Yes – Forces the computer to reboot only if the installation succeeds.
• ReplicaDomainDNSName; "DNS_name_of_domain" – The FQDN of the domain in which you want to promote the new DC.
• ReplicaOrNewDomain; Replica, ReadOnlyReplica, Domain; Replica – Specifies whether to install an additional DC, an RODC, or to create a new domain.
• ReplicationSourceDC; "DNS_name_of_DC" – The FQDN of the DC to use as the replication partner during the installation.
• ReplicationSourcePath; "replication_source_path" – The path of the install-from-media data to use when installing the new DC.
• SafeModeAdminPassword; "password"; the default is an empty password, which is not permitted, so you must supply a value – The password for the local Administrator account used when the DC is started in Directory Services Restore Mode (safe mode for a DC). The value sits in the answer file in clear text, so protect the file and delete it as soon as the promotion is done.
• SiteName; "site_name"; in a new forest the default is Default-First-Site-Name, otherwise it is the site whose subnet contains the IP address of the new DC – Determines the site for the new DC.
• SkipAutoConfigDns – Skips automatic configuration of DNS client settings and forwarders; use it only when the DNS Server role is already installed and configured.
• Syskey; none, system key; none – The system key for the media that contains the replication data.
• SysVolPath; "path_to_sysvol_folder"; %SYSTEMROOT%\sysvol – The local path of the SYSVOL folder, e.g., C:\Windows\SYSVOL.
• TransferIMRoleIfNecessary; Yes, No; No – Whether to transfer the infrastructure master role to the new DC. Enter Yes to transfer the role if needed (you must also specify /ConfirmGC:No, because the infrastructure master should not be a global catalog server unless every DC in the domain is one); enter No to leave the role where it is.
• UserDomain; "domain_name" – The domain of the credentials used for the operation. If no value is provided the domain of the computer is used.
• UserName; "user_name" – The account used for the operation. If no value is provided the credentials of the current user are used.

To perform the installation, enter the following at a command prompt with administrative privileges:

dcpromo /unattend:%path%
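The answer file that the /unattend switch reads, as an added example (it is not from the original course notes). It assumes a replica promotion into a domain named corp.example.com, a site named Branch-Site and a source DC named dc01.corp.example.com, all placeholders, and uses a few documented dcpromo options not listed in the table above (InstallDNS, ConfirmGc, CreateDNSDelegation, DatabasePath, LogPath and Password). It is written as a PowerShell script because the part worth practising is the handling of the two secrets: Password=* makes dcpromo prompt for the domain credentials instead of reading them from the file, and the DSRM password, which dcpromo only accepts in clear text inside the file, is prompted for, written to a file that only Administrators and SYSTEM can read, and wiped as soon as dcpromo returns. RebootOnCompletion is set to No so that the cleanup runs before the reboot.

```powershell
# Added example (not from the original notes): build a [DCInstall] answer file for an
# unattended dcpromo replica promotion and run it without leaving secrets behind.
# Placeholders: corp.example.com, Branch-Site and dc01.corp.example.com are invented.
param(
    [string]$DomainDnsName = 'corp.example.com',
    [string]$SiteName      = 'Branch-Site',
    [string]$SourceDc      = 'dc01.corp.example.com',
    [string]$AnswerFile    = (Join-Path $env:TEMP 'dcpromo-replica.txt'),
    [switch]$DryRun        # write and show the file (minus the password) but do not promote
)

# dcpromo only accepts SafeModeAdminPassword in clear text, so prompt for it here rather
# than hard-coding it, and turn it back into a string only for the moment it is written.
$secure = Read-Host -AsSecureString 'Directory Services Restore Mode (DSRM) password'
$bstr   = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($secure)
try     { $dsrmPassword = [Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr) }
finally { [Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr) }

# Parameters are the documented dcpromo /unattend options. Password=* makes dcpromo
# prompt for the domain credentials instead of reading them from the file, and
# RebootOnCompletion=No lets the cleanup below run before the reboot.
$answer = @"
[DCInstall]
ReplicaOrNewDomain=Replica
ReplicaDomainDNSName=$DomainDnsName
ReplicationSourceDC=$SourceDc
SiteName=$SiteName
InstallDNS=Yes
ConfirmGc=Yes
CreateDNSDelegation=No
UserDomain=$DomainDnsName
UserName=Administrator
Password=*
DatabasePath="$env:SystemRoot\NTDS"
LogPath="$env:SystemRoot\NTDS"
SYSVOLPath="$env:SystemRoot\SYSVOL"
SafeModeAdminPassword=$dsrmPassword
RebootOnCompletion=No
"@

# Write the file, then replace its inherited ACL with one that only SYSTEM and
# Administrators can read; nobody else on the box should be able to see the DSRM password.
Set-Content -Path $AnswerFile -Value $answer -Encoding ASCII
$acl = Get-Acl -Path $AnswerFile
$acl.SetAccessRuleProtection($true, $false)
foreach ($principal in 'NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators') {
    $acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule(
        $principal, 'FullControl', 'Allow')))
}
Set-Acl -Path $AnswerFile -AclObject $acl

try {
    if ($DryRun) {
        Write-Host "Would run: dcpromo /unattend:$AnswerFile"
        Get-Content -Path $AnswerFile | Where-Object { $_ -notmatch '^SafeModeAdminPassword=' }
    } else {
        & "$env:SystemRoot\System32\dcpromo.exe" "/unattend:$AnswerFile"
        Write-Host "dcpromo returned exit code $LASTEXITCODE; reboot once the file is gone."
    }
}
finally {
    # The DSRM password was written in clear text: overwrite the contents, then delete.
    if (Test-Path -Path $AnswerFile) {
        Set-Content -Path $AnswerFile -Value (' ' * $answer.Length) -Encoding ASCII
        Remove-Item -Path $AnswerFile -Force
    }
    $dsrmPassword = $null
}
```

Run it with -DryRun first to see the file dcpromo would receive; without the switch it performs the promotion and then removes the file whether dcpromo succeeded or not.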
In that command %path% is the path to the answer file you created. It is also possible to pass every parameter on the command line itself, in this format:

dcpromo /unattend /unattendOption:value /unattendOption:value ...

The resulting command is very long and easy to get wrong, so I recommend that you use answer files instead. You can review the options for unattended installations by entering dcpromo /?:Promotion at a command prompt. The list of options is long; I do not believe that you need to memorize it in order to prepare for the exam, instead be sure that you understand what is possible and what might go awry with unattended installations.

Note: Read-only domain controllers (RODCs) are a new capability in Windows Server 2008 intended to help protect networks when one or more domain controllers has to be placed in a location that cannot be physically secured, such as a branch office. They are discussed in Configuring Additional Active Directory Server Roles.

Working with previous versions of Active Directory

Upgrading from and interoperating with previous versions of Active Directory require planning and familiarity with the adprep tool. Upgrading from Windows NT 4.0 directory services is a separate process and is covered below under Migrating from Windows NT 4.0 Domains.

Preparing a Windows 2000 or Windows Server 2003 forest for Windows Server 2008

Windows Server 2008 AD DS includes changes to the AD schema, so you must update the forest schema before installing any Windows Server 2008 domain controllers. Before running the AD DS Installation Wizard or performing an unattended installation of AD DS, log on to the forest's schema master with an account that is a member of the Enterprise Admins, Schema Admins, and Domain Admins groups.
Then insert the Windows Server 2008 installation DVD, open a command prompt with administrator privileges, navigate to the Adprep folder (for example, E:\sources\adprep), and enter the following:

adprep /forestprep

Wait for the process to complete and allow the changes to replicate across the entire forest before preparing any domains for a Windows Server 2008 domain controller.

Preparing a Windows 2000 or Windows Server 2003 domain for Windows Server 2008

After preparing the forest you need to prepare each domain in which you will install Windows Server 2008 domain controllers. First, log on to the domain's infrastructure operations master with an account that is a member of the Domain Admins group. Then insert the Windows Server 2008 installation DVD, open a command prompt with administrator privileges, navigate to the Adprep folder, and enter the following:

adprep /domainprep

Wait for the process to complete and allow the changes to replicate across the domain before installing any Windows Server 2008 domain controllers in it.
Tip: AD DS includes several special roles that can be held by only one domain controller at a time; these are called flexible single master operations (FSMO) roles. Finding the infrastructure master in a Windows Server 2008 domain is easy: open Active Directory Users and Computers, right-click the domain, select Operations Masters..., and click the Infrastructure tab. There is only one schema master per forest, and identifying it is a little more involved because you use the schema editing tool to do so, and Microsoft discourages modifying the schema directly. First register the Microsoft Management Console (MMC) snap-in by entering regsvr32 schmmgmt.dll at a command prompt. Then open an empty MMC console by clicking Start, clicking Run, and entering mmc. Open the File menu, click Add/Remove Snap-in, select Active Directory Schema, click Add, and then click OK. Right-click Active Directory Schema [%domainname%] and select Operations Masters... from the menu, as shown in figure 2, to identify the current schema master for the forest. The MMC user interface is slightly different in Windows 2000 and Windows Server 2003, but adding the snap-in is still straightforward. From a command prompt, netdom query fsmo lists all five role holders at once.

Figure 2: Active Directory Schema MMC Snap-In.

Preparing a Forest for Read-Only Domain Controllers

To prepare a Windows 2000 or Windows Server 2003 forest for RODCs, log on to any computer in the forest with an account that is a member of the Enterprise Admins group. Then insert the Windows Server 2008 installation DVD, open a command prompt with administrator privileges, navigate to the Adprep folder, and enter the following:

adprep /rodcprep

This step updates permissions on the DNS application directory partitions and has to contact the infrastructure master of each domain to do so; if one is unreachable adprep reports the failure and you rerun the command once it is available. Wait for the process to complete and allow the changes to replicate across the entire forest before installing the first RODC.
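A pre-flight report for the adprep steps above, as an added example that is not part of the original notes. It uses the .NET System.DirectoryServices.ActiveDirectory classes to find the schema master and infrastructure master you must log on to, reads the markers adprep leaves in the directory (the schema objectVersion and the revision attribute of the ActiveDirectoryUpdate and ActiveDirectoryRodcUpdate objects) so you can tell which steps have completed and replicated, and lists every DC with its operating system, which is also the check you need before raising a functional level later in this section. The expected values in $Expected2008 are the ones I believe Windows Server 2008 adprep writes; treat them as an assumption and confirm them against the adprep documentation for your installation media.

```powershell
# Added example (not from the original notes): pre-flight report for adprep. It shows
# which DC holds each role you must log on to, reads the markers adprep leaves in the
# directory so you can tell which steps have completed and replicated, and lists each
# DC's operating system (the same check is needed before raising a functional level).
# Runs on any domain-joined Windows Server 2003/2008 host with PowerShell 2.0.
[void][System.Reflection.Assembly]::LoadWithPartialName('System.DirectoryServices')

# Values Windows Server 2008 adprep writes (assumption: confirm against the adprep
# documentation shipped with your installation media before relying on them).
$Expected2008 = @{ SchemaVersion = 44; ForestPrep = 2; DomainPrep = 3; RodcPrep = 2 }

function Get-LdapInt([string]$Dn, [string]$Attribute) {
    # Integer attribute of an object, or $null when the object does not exist yet
    # (CN=ForestUpdates is absent in a forest that has never been touched by adprep).
    $path = "LDAP://$Dn"
    if (-not [System.DirectoryServices.DirectoryEntry]::Exists($path)) { return $null }
    $entry = New-Object System.DirectoryServices.DirectoryEntry($path)
    $value = $entry.Properties[$Attribute].Value
    if ($value -eq $null) { return $null }
    return [int]$value
}

function Get-AdprepReadiness {
    $rootDse  = New-Object System.DirectoryServices.DirectoryEntry('LDAP://RootDSE')
    $configNc = [string]$rootDse.Properties['configurationNamingContext'].Value
    $schemaNc = [string]$rootDse.Properties['schemaNamingContext'].Value
    $domainNc = [string]$rootDse.Properties['defaultNamingContext'].Value
    $forest   = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()
    $domain   = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()

    New-Object PSObject -Property @{
        ForestMode           = $forest.ForestMode
        DomainMode           = $domain.DomainMode
        SchemaMaster         = $forest.SchemaRoleOwner.Name          # adprep /forestprep runs here
        InfrastructureMaster = $domain.InfrastructureRoleOwner.Name  # adprep /domainprep runs here
        SchemaVersion        = Get-LdapInt $schemaNc 'objectVersion'
        ForestPrepRevision   = Get-LdapInt "CN=ActiveDirectoryUpdate,CN=ForestUpdates,$configNc" 'revision'
        DomainPrepRevision   = Get-LdapInt "CN=ActiveDirectoryUpdate,CN=DomainUpdates,CN=System,$domainNc" 'revision'
        RodcPrepRevision     = Get-LdapInt "CN=ActiveDirectoryRodcUpdate,CN=ForestUpdates,$configNc" 'revision'
        DomainControllers    = @($domain.DomainControllers | ForEach-Object { "$($_.Name) [$($_.OSVersion)]" })
    }
}

function Test-AdprepStep([string]$Step, $Actual, [int]$Expected, [string]$RunOn) {
    # Reports whether a step still needs to run, and on which host.
    $done  = ($Actual -ne $null) -and ([int]$Actual -ge $Expected)
    $where = if ($RunOn) { " (log on to $RunOn)" } else { '' }
    if ($done) { "adprep $Step`: done (revision $Actual)" }
    else       { "adprep $Step`: REQUIRED, current value is '$Actual', expected $Expected$where" }
}

$r = Get-AdprepReadiness
$r | Format-List ForestMode, DomainMode, SchemaMaster, InfrastructureMaster, SchemaVersion, DomainControllers
Test-AdprepStep '/forestprep' $r.ForestPrepRevision $Expected2008.ForestPrep $r.SchemaMaster
Test-AdprepStep '/domainprep' $r.DomainPrepRevision $Expected2008.DomainPrep $r.InfrastructureMaster
Test-AdprepStep '/rodcprep'   $r.RodcPrepRevision   $Expected2008.RodcPrep   'any member computer, as Enterprise Admins'
if ($r.SchemaVersion -lt $Expected2008.SchemaVersion) {
    Write-Warning "Schema objectVersion is $($r.SchemaVersion); /forestprep has not completed or has not replicated here."
}
if ($env:COMPUTERNAME -ne $r.SchemaMaster.Split('.')[0]) {
    Write-Warning "This host is not the schema master; run /forestprep on $($r.SchemaMaster)."
}
```

Run it once before adprep to learn where to log on, and again on a DC in a remote site after each step to confirm the revision markers have replicated before you continue.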
Other Considerations

When you upgrade a domain controller running Windows 2000 or Windows Server 2003 in place you do not need to run the AD DS Installation Wizard or dcpromo; the server automatically resumes its role as a DC after the final restart of the upgrade process.

Windows Server 2008 DCs have more restrictive default security policies. To interoperate with clients running Windows NT 4.0 and certain third-party operating systems you may need to reduce security by changing several settings in the Default Domain Controllers Policy GPO:

1. Open the Group Policy Management console.
2. Navigate to the Group Policy Objects folder for the domain.
3. Right-click the Default Domain Controllers Policy GPO and select Edit.
4. In the Group Policy Editor, navigate to Computer Configuration/Policies/Windows Settings/Security Settings/Local Policies/Security Options.
5. Modify the settings as follows:
   a. To stop requiring SMB packet signing, change Microsoft network server: Digitally sign communications (always) to Disabled.
   b. To stop requiring secure channel signing and encryption, change Domain member: Digitally encrypt or sign secure channel data (always) to Disabled.
6. To stop requiring strong cryptographic algorithms on the Netlogon secure channel with Windows NT 4.0 systems, navigate to Computer Configuration/Policies/Administrative Templates/System/Net Logon and change Allow cryptography algorithms compatible with Windows NT 4.0 to Enabled, as shown in figure 3.
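A check that goes with the procedure above, as an added example that is not from the original notes: rather than weakening a DC, it reports whether a DC has already been weakened. It reads the registry values these three policies actually write (RequireSecuritySignature under LanmanServer\Parameters, RequireSignOrSeal and AllowNT4Crypto under Netlogon\Parameters), so it also catches a local override that the GPO would not reveal. The only assumption is the default Windows applies when a value is missing: SMB signing is not required on a plain server until the Default Domain Controllers Policy turns it on, while secure channel signing is required and NT 4.0 cryptography is refused by default.

```powershell
# Added example (not from the original notes): report whether a domain controller has
# been weakened with the three settings above. Instead of trusting the GPO, it reads the
# registry values the policies actually set, so it also catches local overrides.
# Run locally on a DC, or pass -ComputerName with the Remote Registry service reachable.
function Get-DcInteropWeakening {
    param([string[]]$ComputerName = @($env:COMPUTERNAME))

    # Policy -> registry value, the value that means hardened, and what Windows assumes
    # when the value is missing (SMB signing is NOT required by default on a plain server;
    # it is the Default Domain Controllers Policy that turns it on).
    $checks = @(
        @{ Policy = 'Microsoft network server: Digitally sign communications (always)'
           Key    = 'SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
           Name   = 'RequireSecuritySignature'; Hardened = 1; DefaultWhenAbsent = 0 },
        @{ Policy = 'Domain member: Digitally encrypt or sign secure channel data (always)'
           Key    = 'SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
           Name   = 'RequireSignOrSeal'; Hardened = 1; DefaultWhenAbsent = 1 },
        @{ Policy = 'Allow cryptography algorithms compatible with Windows NT 4.0'
           Key    = 'SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
           Name   = 'AllowNT4Crypto'; Hardened = 0; DefaultWhenAbsent = 0 }
    )

    foreach ($computer in $ComputerName) {
        $hklm = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey('LocalMachine', $computer)
        try {
            foreach ($c in $checks) {
                $key   = $hklm.OpenSubKey($c.Key)
                $value = if ($key -ne $null) { $key.GetValue($c.Name) } else { $null }
                $effective = if ($value -eq $null) { $c.DefaultWhenAbsent } else { [int]$value }
                New-Object PSObject -Property @{
                    Computer  = $computer
                    Policy    = $c.Policy
                    Value     = $value
                    Effective = $effective
                    Weakened  = ($effective -ne $c.Hardened)
                }
            }
        }
        finally { $hklm.Close() }
    }
}

$results = @(Get-DcInteropWeakening)
$results | Format-Table Computer, Weakened, Effective, Policy -AutoSize
if (@($results | Where-Object { $_.Weakened }).Count -gt 0) {
    Write-Warning 'At least one DC accepts unsigned SMB, an unsigned secure channel, or NT 4.0 cryptography.'
}
```

Pass every DC name to -ComputerName and schedule the script; a Weakened value of True on a DC that should not be talking to NT 4.0 systems is worth an incident ticket, not just a configuration fix.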
Figure 3: Editing the Default Domain Controllers Policy.

You can learn more about these settings and why you may need to adjust them by reading "Modify Default Security Policies on Windows Server 2008-Based Domain Controllers."

Caution: I do not recommend that you reduce your environment's security by adjusting the settings as described above. Disabling SMB signing and secure channel signing exposes the DC to relay and tampering attacks on those protocols. It would be much better in the long run to upgrade the clients to operating systems that support the more restrictive values for these settings.

Ensuring Group Policy Modeling Works Correctly

Another change you may wish to make when migrating from Windows 2000 AD is to update the permissions on all of the group policies in the domain so that the Group Policy Modeling feature works; it requires the Enterprise Domain Controllers group to have read access to every GPO, which GPOs created under Windows 2000 do not grant. Microsoft has prepared a collection of scripts that you can download; see Group Policy Management Console Sample Scripts. By default the scripts are installed in %programfiles%\Microsoft Group Policy\GPMC Sample Scripts. Execute the following from a command prompt to update the permissions:

GrantPermissionOnAllGPOs.wsf "Enterprise Domain Controllers" /permission:read /domain:DNSDomainName /Replace

The same permission update is also performed by adprep /domainprep /gpprep, which you can run on the infrastructure master when you are preparing the domain anyway.

Raising forest and domain functional levels

Windows Server 2008 AD DS supports three functional levels: Windows 2000, Windows Server 2003, and Windows Server 2008. The newer levels enable additional features; however, once you raise the functional level of a forest or domain you cannot revert. Ensure that all domain controllers are running a version of Windows that supports the functional level you intend to use; a domain at the Windows Server 2008 level cannot contain Windows Server 2003 DCs, for example. To raise the domain functional level:

1. Click Start, select Administrative Tools, and then click Active Directory Users and Computers.
2. Right-click the domain, then select Raise domain functional level...
3. Select the desired functional level and click Raise.
4. Click OK to confirm your choice.

To raise the forest functional level and the functional levels of all domains in the forest:

1. Click Start, select Administrative Tools, and then click Active Directory Domains and Trusts.
2. Right-click Active Directory Domains and Trusts, then select Raise Forest Functional Level.
3. Select the desired functional level and click Raise.
4. Click OK to confirm your choice, then click OK again.

Raising the functional level from Windows Server 2003 to Windows Server 2008 enables several new features, including Kerberos support for the Advanced Encryption Standard (AES 128 and 256), recording of last interactive logon information, fine-grained password policies, and Distributed File System (DFS) replication of the contents of SYSVOL.

Migrating from Windows NT 4.0 Domains

You cannot migrate directly from Windows NT 4.0 to Windows Server 2008. Microsoft recommends a two-step process to upgrade domains from Windows NT 4.0: upgrade to Windows Server 2003, and then upgrade to Windows Server 2008.
I do not think it is likely that you will encounter questions that require you to know all of the details of every step in the process, but rather that you understand the limitations and how to overcome them. If you are faced with this challenge in a production environment, here are links to useful resources from Microsoft:

• How To Upgrade a Windows NT 4.0-Based PDC to a Windows Server 2003-Based Domain Controller.
• Windows NT Server 4.0 Upgrade Guide.
• Upgrading Active Directory Domains to Windows Server 2008 AD DS Domains.
• Migrating and Restructuring Active Directory Domains Using ADMT v3.1.
• Active Directory Migration Tool version 3.1.

Decommissioning Domain Controllers

There are three basic scenarios involving the decommissioning of DCs: removing one DC from a domain; removing the last DC from a domain; and removing the last DC from a forest. You can start the process from the graphical interface by launching dcpromo on the domain controller, or from a command prompt by running dcpromo with the appropriate parameters. Enter dcpromo /?:Demotion to see the full list of parameters available for answer files and the command line. When you use the AD DS Installation Wizard you are asked to make a series of decisions about the demotion, such as whether to delete any application directory partitions stored on the DC and whether to remove any DNS delegations pointing to the server. If you are removing the last DC in a domain, be sure to follow the instructions that appear on the Delete the Domain page of the wizard, such as backing up cryptographic keys; you must also select the checkbox on that page confirming that this server is the last domain controller in the domain. You will be prompted for the credentials of an account that is a member of the Enterprise Admins group if you are not logged on with one. Removing the last DC in a forest is essentially the same, except that you must start the process while logged on with an account that belongs to the Enterprise Admins group for the forest or the Domain Admins group in the forest root domain.

Configuring Trusts

A trust is a relationship between domains that makes it possible for a user in one domain to be authenticated by a domain controller in the other. Trusts make it easier to grant users in other domains access to shared resources.
A one-way trust is a single trust relationship: if domain A trusts domain B, users from domain B can be granted permissions on objects in domain A, but not the reverse. A two-way trust means that each domain trusts the other, so users from either domain can be granted permissions on objects in the other. Transitive means that if one domain trusts a second, and the second trusts a third, the first also trusts the third. For example, in figure 4, Washington trusts Paris and Paris trusts Moscow, therefore Washington also trusts Moscow. Trusts were one-way and non-transitive in Windows NT 4.0 and earlier; since Windows 2000 the trusts created between domains in a forest have been two-way and transitive.

Figure 4: Transitive Trusts

While two-way transitive trusts are sufficient most of the time, there are situations where a one-way, non-transitive trust is better. A hypothetical example may help: pretend that Company A has just acquired Firm B. Company A instructs Firm B to configure its Windows domains to trust the Company A domains, but Company A does not reciprocate. Company A users can now be granted access to Firm B resources, while no Firm B account can be authenticated in Company A at all. Until Company A management has determined which Firm B employees will be laid off and which will be retained, this arrangement minimizes the risk of a disgruntled employee at Firm B doing something unpleasant to Company A resources.

Trusts are established automatically between domains as they are added to a forest, and there are a number of things you might want to do to manage those trusts. It is also possible that you will need to establish trusts manually, to improve authentication times in large trees or to connect to Kerberos realms running on other platforms. The primary tools for managing trust relationships in AD DS are the Active Directory Domains and Trusts console and the netdom command-line utility. A few other management tasks involving these tools are covered at the end of this section.

There are four kinds of trusts available, all of which can be either one-way or two-way:

• Forest trusts are transitive trusts between two AD DS forests that allow resources to be shared between every domain in both forests.
• Shortcut trusts are transitive trusts between two AD DS domains within the same forest; they are created manually to shorten the authentication path and so improve logon times.
• External trusts are non-transitive trusts between an AD DS domain and either a Windows NT 4.0 domain or an AD domain in a separate, untrusted forest.
• Realm trusts are transitive or non-transitive trusts between an AD DS domain and a non-Windows Kerberos realm.

In a one-way trust the trusting domain allows users in the trusted domain to be granted access to its shared resources. In a two-way trust each domain trusts the other and users in either can be granted access to resources in the other.

To create a trust using Active Directory Domains and Trusts:

1. Right-click the desired domain and click Properties.
2. Select the Trusts tab, click New Trust, and then click Next.
3. Provide the DNS or NetBIOS name of the other domain or realm, then click Next.
4. Specify whether the trust will be with a Windows domain or a Kerberos realm on the Trust Type page, then click Next. Figure 5 shows this page of the wizard together with the Active Directory Domains and Trusts console and the domain properties dialog box.
5. Depending on the type of trust selected, you may be able to specify the transitivity of the trust on the Transitivity of Trust page.
6. Specify the direction of the trust on the Direction of Trust page. Note that with a one-way incoming trust users in the other domain cannot access resources in this domain (this domain is the trusted one), while with a one-way outgoing trust users in this domain cannot access resources in the other (this domain is the trusting one).
7. If it is a realm trust you will also be prompted to provide a password for the trust relationship; the same password must be configured in the Kerberos realm.
Figure 5: The Trust Type Page of the New Trust Wizard.

To create an external or shortcut trust from a command prompt enter the following command; table 1 briefly explains each parameter:

netdom trust <TrustingDomainName> /d:<TrustedDomainName> /add

Table 1: Netdom parameters for establishing trusts.
• trust – The second parameter tells netdom what action to take, in this case managing a trust relationship.
• <TrustingDomainName> – The name (DNS or NetBIOS) of the trusting domain in the trust to create.
• /d: – Indicates that the domain that follows will be trusted.
• <TrustedDomainName> – The name (DNS or NetBIOS) of the trusted domain in the trust to create.
• /add – Instructs netdom to establish a new trust.

To create a realm trust from a command prompt enter the following command. Establishing a realm trust requires a few more parameters, as described in table 2:

netdom trust <TrustingDomainName> /d:<TrustedDomainName> /add /realm /PasswordT:<NewRealmTrustPassword>

Table 2: Additional netdom parameters for realm trusts.
• /realm – Specifies that the trust is to be created with a Kerberos realm.
• /PasswordT: – Precedes the password for the new trust.
• <NewRealmTrustPassword> – The password for the new trust; it must match the password configured in the Kerberos realm.

Other Management Tasks

An alternate user principal name (UPN) suffix can simplify the logon process by allowing all users within the forest to log on with the same UPN suffix. The suffix does not have to be a valid DNS domain name. To add one, open Active Directory Domains and Trusts, right-click Active Directory Domains and Trusts, select Properties, then select the UPN Suffixes tab and click Add.

The default scope for authentication across trusts (domain-wide or forest-wide authentication) is broad in order to simplify management: users in the trusted domain are authenticated by every computer in the trusting domain, so they receive whatever access is granted there to groups such as Authenticated Users and Everyone. Only external and forest trusts support selective authentication, which lets you control access to resources from those domains more tightly. When selective authentication is enabled, users from the other domain can only authenticate to computers on which you have explicitly granted them the Allowed to Authenticate permission, so you must assign that permission, and the resource permissions, for each server you want them to reach. To define the authentication scope across external and forest trusts, open Active Directory Domains and Trusts, right-click the domain, select Properties, then select the Trusts tab.
Select the desired trust relationship, click Properties, then select the Authentication tab and specify the authentication scope.

AD DS accounts have an attribute called SID history (sIDHistory). Administrators can add users' old security identifiers (SIDs) to it to simplify managing access to shared resources during migrations. Unfortunately, this feature can be abused by an attacker who has compromised a DC in a trusted domain: they can add SIDs from the trusting domain, such as the SID of its Domain Admins group, to accounts they control, and the trusting domain would honor those SIDs unless it filters them. By default Windows Server 2008 enables SID filtering on all new external trusts. SID filtering discards SIDs that do not belong to the trusted domain from the incoming authorization data, which reduces the risk of a malicious user or rogue administrator in the trusted domain granting themselves elevated privileges in the trusting domain. You manage SID filtering using netdom; from a command prompt enter the following (table 3 briefly explains the parameters). Note that /quarantine:No turns SID filtering off, so use it only where you knowingly need sIDHistory to be honored across the trust, for example during a migration, and turn it back on afterwards:

netdom trust <TrustingDomainName> /domain:<TrustedDomainName> /quarantine:No

Table 3: Netdom parameters for SID filtering.
• trust – The second parameter tells netdom what action to take, in this case managing a trust relationship.
• <TrustingDomainName> – The name (DNS or NetBIOS) of the trusting domain.
• /domain: – Indicates that the domain that follows is the trusted domain (/d: is the short form).
• <TrustedDomainName> – The name (DNS or NetBIOS) of the trusted domain.
• /quarantine – Instructs netdom to manage the state of SID filtering.
• Yes | No – Turns SID filtering on (Yes) or off (No).

Tip: restartable AD DS rather than having to reboot

Configuring Sites and Replication

While forests, trees, and domains represent the logical architecture of AD DS, sites represent the physical network on which it is deployed. A sound site design and sensible DC placement are necessary to ensure performance and reasonable bandwidth consumption. Typically a site hosts at least one DC and includes one or more Internet Protocol (IP) subnets that share a high-speed network and are connected to other sites by slower links. When you install the first DC in a new forest a site called Default-First-Site-Name is created, and all computers are assigned to it until additional sites are created. Once sites and subnets have been defined, computers are automatically assigned to the appropriate site based on their IP address; if an address does not belong to any subnet defined for a site, the computer is assigned to Default-First-Site-Name. You manage sites and their components using the Active Directory Sites and Services console.
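The trust configuration described under Configuring Trusts, carried through end to end as an added example that is not part of the original notes. It implements the Company A / Firm B acquisition scenario with netdom from Firm B's side (the trusting domain): a one-way external trust, SID filtering left on, selective authentication enabled, and the trust verified. It then reads the result back with the .NET Domain class (GetTrustRelationship, GetSidFilteringStatus and GetSelectiveAuthenticationStatus) and warns when the trust is not what the scenario calls for. The domain names firmb.example and companya.example and the Administrator accounts are placeholders; /PasswordO:* and /PasswordD:* make netdom prompt so that no password lands on the command line.

```powershell
# Added example (not from the original notes): the acquisition scenario from the trust
# discussion, done with netdom and then audited with System.DirectoryServices.
# Run from Firm B's side (the trusting domain); domain names are placeholders.
param(
    [string]$TrustingDomain = 'firmb.example',     # Firm B: trusts, is not trusted back
    [string]$TrustedDomain  = 'companya.example',  # Company A: its users get access in Firm B
    [switch]$Create                                 # without it, the script only audits
)
[void][System.Reflection.Assembly]::LoadWithPartialName('System.DirectoryServices')

function Invoke-Netdom([string[]]$Arguments) {
    & "$env:SystemRoot\System32\netdom.exe" @Arguments
    if ($LASTEXITCODE -ne 0) { throw "netdom $($Arguments -join ' ') failed ($LASTEXITCODE)" }
}

if ($Create) {
    # One-way external trust: the first name is the trusting domain, /d: the trusted one.
    # /PasswordO:* and /PasswordD:* make netdom prompt instead of taking the passwords
    # from the command line (where they would land in the shell history).
    Invoke-Netdom @('trust', $TrustingDomain, "/d:$TrustedDomain", '/add',
                    "/UserO:$TrustingDomain\Administrator", '/PasswordO:*',
                    "/UserD:$TrustedDomain\Administrator",  '/PasswordD:*')
    # Keep SID filtering on (the default for a new external trust; this makes it explicit)
    # and restrict Company A users to servers you grant Allowed to Authenticate on.
    Invoke-Netdom @('trust', $TrustingDomain, "/d:$TrustedDomain", '/quarantine:Yes')
    Invoke-Netdom @('trust', $TrustingDomain, "/d:$TrustedDomain", '/SelectiveAuth:Yes')
    Invoke-Netdom @('trust', $TrustingDomain, "/d:$TrustedDomain", '/verify')
}

function Get-TrustAudit([string]$Trusting, [string]$Trusted) {
    # Reads the trust back from the trusting domain's point of view.
    $ctx    = New-Object System.DirectoryServices.ActiveDirectory.DirectoryContext('Domain', $Trusting)
    $domain = [System.DirectoryServices.ActiveDirectory.Domain]::GetDomain($ctx)
    $trust  = $domain.GetTrustRelationship($Trusted)
    New-Object PSObject -Property @{
        Source        = $trust.SourceName
        Target        = $trust.TargetName
        TrustType     = $trust.TrustType         # External, Forest, Kerberos, ...
        Direction     = $trust.TrustDirection    # Outbound = this domain trusts the target
        SidFiltering  = $domain.GetSidFilteringStatus($Trusted)
        SelectiveAuth = $domain.GetSelectiveAuthenticationStatus($Trusted)
    }
}

$audit = Get-TrustAudit $TrustingDomain $TrustedDomain
$audit | Format-List
if ($audit.Direction -ne 'Outbound') {
    Write-Warning "Expected a one-way outbound trust from $TrustingDomain; Firm B accounts must not be usable in $TrustedDomain."
}
if (-not $audit.SidFiltering) {
    Write-Warning "SID filtering is off: a compromised DC in $TrustedDomain could inject $TrustingDomain SIDs through sIDHistory."
}
if (-not $audit.SelectiveAuth) {
    Write-Warning "Domain-wide authentication: every $TrustedDomain user is an Authenticated User on every $TrustingDomain computer."
}
```

Run it without -Create against an existing trust to audit it; the three warnings correspond to the three properties the text says matter for this scenario (direction, SID filtering, authentication scope). For forest trusts, use the Forest class, which exposes the same Get...Status methods.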
Although you can create the objects in any order and easily modify existing ones, there is a logical progression that might save you time and effort: first create the site; then define the AD subnets for the site; then create site links between the new site and one or more existing sites; finally, move one or more domain controllers into the site.

Adding Sites

To add a site using Active Directory Sites and Services:

1. Right-click Sites in the console tree and select New Site.
2. Type a name for the site in the Name text box.
3. Select a site link object from the list below Link Name and click OK.

To add a server to a site using Active Directory Sites and Services:

1. Navigate to the desired site in the console tree and expand it by clicking the plus sign.
2. Right-click Servers, select New, and then click Server.
3. Specify the name of the server and click OK.

Creating Active Directory Subnets

To add a subnet using Active Directory Sites and Services:

1. Right-click Subnets in the console tree and select New Subnet...
2. Enter the subnet address using network prefix notation, e.g., if the 192.168.2.0 subnet has a subnet mask of 255.255.255.0 its prefix is 192.168.2.0/24, while the 10.2.0.0 subnet with a mask of 255.255.0.0 has the prefix 10.2.0.0/16.
3. Assign the subnet to a site by selecting the site from the Site Name list, then click OK.

Managing Site Links

To create a site link using Active Directory Sites and Services:

1. Expand the Inter-Site Transports folder.
2. Right-click the desired transport protocol, either IP or SMTP. The former is the transport native to AD DS, RPC over IP; SMTP is the Simple Mail Transfer Protocol.
3. Select New Site Link.
4. Type a name for the site link in the Name text box.
5. Select a site to add to the link from the Sites not in this site link list and click Add. Repeat to place more sites in the link, as shown in figure 6.
Figure 6: Adding Sites to a Link.

Site links are transitive by default because the Bridge all site links option on each transport (right-click IP or SMTP under Inter-Site Transports and select Properties) is enabled, so replication can flow across any chain of links. For most situations this is ideal. If you need non-transitive behavior, for example because your network is not fully routed, clear Bridge all site links on the transport and then declare the bridges explicitly: select New Site Link Bridge instead of New Site Link in step 3 above and add only the links that should be transitive with each other. You can manage other settings for these objects by right-clicking them in the console tree and selecting Properties, as shown in figure 7. By default replication occurs every 180 minutes (3 hours) across a link and each link is available 24 hours a day, 7 days a week. You may want to adjust the cost of your links, the replication interval, and the schedule in order to control bandwidth usage more closely. While RPC over IP is a robust replication transport for most situations, SMTP can be used for replication across unreliable network connections. SMTP only supports replication of the schema, configuration, and global catalog partitions, never a domain partition, so it cannot link two DCs of the same domain, and it requires an enterprise certification authority (CA). Note that the Knowledge Consistency Checker (KCC) builds the intersite replication topology automatically based on the sites, subnets, and links that you define, and replication follows the lowest-cost routes between sites. The KCC recomputes the topology every 15 minutes; you can force it to run at any time by navigating to a server object under the site container in Active Directory Sites and Services, right-clicking NTDS Settings for the server, selecting All Tasks, and then clicking Check Replication Topology.
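The site, subnet and site link procedures above, done programmatically in the order the text recommends, as an added example that is not part of the original notes. It uses the .NET ActiveDirectorySite, ActiveDirectorySubnet and ActiveDirectorySiteLink classes (real classes in System.DirectoryServices.ActiveDirectory) to create the objects, and then shows how a subnet map assigns a computer to a site: the most specific matching prefix wins, and an address that matches nothing falls back to Default-First-Site-Name as the text describes. The site names Paris-Site, Paris-Lab-Site and Washington-Site, the link name WAN-Paris-Washington and the subnet map are invented placeholders; the prefix matching is written without shift operators so that it runs on PowerShell 2.0.

```powershell
# Added example (not from the original notes): create a site, its subnet and a site link
# with System.DirectoryServices.ActiveDirectory in the order the text recommends, and
# show how the subnet map assigns a computer to a site (longest matching prefix, with the
# Default-First-Site-Name fallback). Site and subnet names are invented placeholders.
[void][System.Reflection.Assembly]::LoadWithPartialName('System.DirectoryServices')

function New-AdSiteWithSubnet {
    param([string]$SiteName, [string]$Prefix, [string]$LinkName, [string]$PeerSite,
          [int]$Cost = 100, [int]$ReplicationMinutes = 180)
    $ctx = New-Object System.DirectoryServices.ActiveDirectory.DirectoryContext('Forest')
    # 1. the site
    $site = New-Object System.DirectoryServices.ActiveDirectory.ActiveDirectorySite($ctx, $SiteName)
    $site.Save()
    # 2. the subnet, in network prefix notation, attached to the site
    $subnet = New-Object System.DirectoryServices.ActiveDirectory.ActiveDirectorySubnet($ctx, $Prefix, $SiteName)
    $subnet.Save()
    # 3. an IP (RPC) site link joining the new site to an existing one, with cost and interval
    $link = New-Object System.DirectoryServices.ActiveDirectory.ActiveDirectorySiteLink($ctx, $LinkName, 'Rpc')
    $link.Sites.Add($site)
    $link.Sites.Add([System.DirectoryServices.ActiveDirectory.ActiveDirectorySite]::FindByName($ctx, $PeerSite))
    $link.Cost = $Cost
    $link.ReplicationInterval = [TimeSpan]::FromMinutes($ReplicationMinutes)
    $link.Save()
    # 4. move domain controllers into the site afterwards with Active Directory Sites and Services
    return $link
}

function ConvertTo-AddressNumber([string]$Ip) {
    # IPv4 dotted quad -> numeric value of the 32-bit address.
    $bytes = [System.Net.IPAddress]::Parse($Ip).GetAddressBytes()
    [Array]::Reverse($bytes)
    return [long][BitConverter]::ToUInt32($bytes, 0)
}

function Resolve-AdSiteForAddress {
    # $SubnetToSite maps 'prefix/length' -> site name, the same data the Subnets container holds.
    param([string]$Ip, [hashtable]$SubnetToSite)
    $addr = ConvertTo-AddressNumber $Ip
    $bestSite = 'Default-First-Site-Name'; $bestLength = -1
    foreach ($prefix in $SubnetToSite.Keys) {
        $parts   = $prefix.Split('/')
        $network = $parts[0]
        $length  = [int]$parts[1]
        # mask with the top $length bits set, computed without shifts (PowerShell 2.0 lacks -shl)
        $mask = [long]([math]::Pow(2, 32) - [math]::Pow(2, 32 - $length))
        $inSubnet = (($addr -band $mask) -eq ((ConvertTo-AddressNumber $network) -band $mask))
        if ($inSubnet -and $length -gt $bestLength) {
            $bestSite = $SubnetToSite[$prefix]; $bestLength = $length
        }
    }
    return $bestSite
}

# Constructed subnet map: a /24 carved out of a /16, so the more specific entry must win.
$subnetMap = @{ '10.2.0.0/16' = 'Paris-Site'; '10.2.5.0/24' = 'Paris-Lab-Site'; '192.168.2.0/24' = 'Washington-Site' }
foreach ($ip in '10.2.5.17', '10.2.9.1', '192.168.2.40', '172.16.0.1') {
    '{0,-14} -> {1}' -f $ip, (Resolve-AdSiteForAddress $ip $subnetMap)
}
# Creating the objects for real needs Enterprise Admins; uncomment to run in a lab:
# New-AdSiteWithSubnet -SiteName 'Paris-Site' -Prefix '10.2.0.0/16' -LinkName 'WAN-Paris-Washington' -PeerSite 'Default-First-Site-Name'
```

With the constructed map, 10.2.5.17 resolves to Paris-Lab-Site because the /24 is more specific than the /16, 10.2.9.1 resolves to Paris-Site, and 172.16.0.1 matches nothing and falls back to Default-First-Site-Name; a DC that turns up there unexpectedly usually means a missing subnet object rather than a misplaced server.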
Figure 7: Site Properties Dialog Box.

Understanding Bridgehead Servers

The KCC automatically selects a DC in each site to act as the bridgehead server; replication between sites occurs between these bridgehead servers. Normally there is no need to alter this. If you do designate preferred bridgehead servers and all of them in a site go offline, the KCC does not fall back to another DC, and intersite replication for that site stops until you fix it. To manually assign a preferred bridgehead server in Active Directory Sites and Services, navigate to the desired domain controller in the console tree, right-click it and click Properties. On the General tab select one or more transports and click Add to make that DC the preferred bridgehead server for them, as shown in figure 8.

Figure 8: Manually Configuring a Preferred Bridgehead Server.

Exercise 1: Adding the Distributed File System Role Service

This is a quick exercise that will help you practice the tasks discussed in the next part of this section. Previously you added the AD DS server role to your practice computer, which resulted in the installation of the first domain controller in your lab. By default, choosing this server role adds two more: the DNS Server and File Services roles. DFS is an optional role service for the File Services role.