In this blog post we continue our study overview of the Microsoft 70-640 Active Directory Configuration certification exam. More to the point, we have been approaching each exam objective one at a time; today’s subject is Windows Server 2008 DNS zone transfers and replication.
The sample question
You are the administrator of an Active Directory domain named 4sysopslab.com. All servers in the organization run Windows Server 2008 R2, and all client computers run Windows 7.
The 4sysopslab.com domain includes 14 domain controllers, all of which also have the DNS Server role installed. To lighten administrative burden, you decide to create a delegated subdomain named exec.4sysopslab.com and pass the zone management to a subset of the administrative staff. However, you need to ensure that only 3 domain controllers receive the DNS zone data during replication/zone transfer.
Which of the following actions should you perform in order to accomplish your goals?
A. Create the new delegation in a new application directory partition.
B. Create the new delegation in the DomainDnsZones application directory partition.
C. Create the new delegation in the ForestDnsZones application directory partition.
D. Create the new delegation in the SYSVOL share.
The correct answer, explanation, and analysis
The correct answer here is A. Application directory partitions are used to control the scope of replication for Active Directory, DNS zones, or custom application information.
We use the dnscmd command-line tool to create, manage, and delete application directory partitions. For instance, we can open an elevated command prompt and run the following command to create a custom application directory partition called EXECZONE on a Windows Server 2008 domain controller named server01:
C:\>dnscmd server01 /CreateDirectoryPartition execzone.4sysopslab.com
We can then enlist our target DNS servers in the newly created application directory partition:
C:\>dnscmd server02 /EnlistDirectoryPartition execzone.4sysopslab.com
Finally, we can change the replication scope for the new zone on all affected DNS servers:
C:\>dnscmd server02 /ZoneChangeDirectoryPartition exec.4sysopslab.com execzone.4sysopslab.com
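The three steps above, run for the scenario's three intended DNS servers and followed by a check that the partition's replica set in Active Directory matches that list. This is an added example, not code from the original post; server03 and the Invoke-DnsCmd helper are assumed names, and it assumes the ActiveDirectory PowerShell module is installed and that the names in $intended match the domain controllers' server object names.

```powershell
# Added example (not from the original post). server03 is an assumed name.
Import-Module ActiveDirectory

$partition = 'execzone.4sysopslab.com'            # custom application directory partition
$zone      = 'exec.4sysopslab.com'                # delegated zone to re-scope
$intended  = 'server01', 'server02', 'server03'   # the only DCs meant to hold the zone

function Invoke-DnsCmd {
    # Hypothetical helper: run dnscmd and stop on a non-zero exit code.
    param([string[]]$Arguments)
    & dnscmd.exe $Arguments | Out-Host
    if ($LASTEXITCODE -ne 0) { throw "dnscmd $($Arguments -join ' ') failed ($LASTEXITCODE)" }
}

# Step 1: create the partition; the creating server hosts its first replica.
$first = $intended[0]
Invoke-DnsCmd -Arguments @($first, '/CreateDirectoryPartition', $partition)

# Step 2: enlist the remaining intended servers, and no others.
foreach ($server in $intended[1..($intended.Count - 1)]) {
    Invoke-DnsCmd -Arguments @($server, '/EnlistDirectoryPartition', $partition)
}

# Step 3: move the zone into the custom partition.
Invoke-DnsCmd -Arguments @($first, '/ZoneChangeDirectoryPartition', $zone, $partition)

# Verify: the partition's crossRef object lists its configured replica set.
$ncDn     = 'DC=' + (($partition -split '\.') -join ',DC=')
$master   = (Get-ADForest).DomainNamingMaster
$configNc = (Get-ADRootDSE -Server $master).configurationNamingContext
$crossRef = Get-ADObject -Server $master -SearchBase "CN=Partitions,$configNc" `
    -LDAPFilter "(nCName=$ncDn)" -Properties 'msDS-NC-Replica-Locations'
if (-not $crossRef) { throw "No crossRef found for $ncDn" }

# Each value is an NTDS Settings DN; the parent CN is the server name.
$actual = @($crossRef.'msDS-NC-Replica-Locations' | ForEach-Object {
    if ($_ -match '^CN=NTDS Settings,CN=([^,]+),') { $Matches[1] }
})
$unexpected = @($actual   | Where-Object { $intended -notcontains $_ })
$missing    = @($intended | Where-Object { $actual   -notcontains $_ })

if ($unexpected.Count -or $missing.Count) {
    Write-Warning "Replica set differs. Unexpected: $($unexpected -join ', ') Missing: $($missing -join ', ')"
} else {
    "Zone $zone replicates only to: $($actual -join ', ')"
}
```

The verification half can be rerun on its own later as an audit; a freshly enlisted server may show as missing until the change has been written and replicated.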
Okay—now that we know why the correct answer is what it is, how could we have applied logic and test-taker’s strategy to answering this question correctly?
Well, the first thing you should notice is that in this question all four answer choices have the same stem: “Create the new delegation.” So far, so good. We now can put that aside and focus on the second half of each choice.
This item requires that you understand the difference between application directory partitions and the SYSVOL share. Some test candidates, lacking sufficient background knowledge, might jump on choice D, thinking, “Well, SYSVOL is the seat of Active Directory replication. Thus, this must be where we can customize replication scope for DNS zones.”
Not so fast. We aren’t discussing Active Directory replication as such. Instead, we are concerned with replicating DNS zone data to specified servers. I hope that logic would tell you that using the DomainDnsZones or ForestDnsZones partitions can be ruled out immediately because the scope on those partitions does not fit into the requirements of the scenario.
Because we have effectively ruled out choices B, C, and D, this leaves us with A as the only viable choice for this item.
Alrighty then! If you have studied all of our domain 1 blog posts, then you should feel pretty confident with DNS implementation in Windows Server 2008. As you know, most aspects of Active Directory design and function are rooted (pun intended) in DNS; you must be highly proficient with DNS theory and practice to be successful on the Microsoft IT pro certification exams.
In the next several posts we turn our attention to domain 2 in the 70-640 blueprint. Domain 2 involves configuring the Active Directory infrastructure; here is a sneak peek at the section content:
- Configuring AD DS forests and domains
- Configuring trust relationships
- Configuring sites
- Configuring AD replication
- Configuring the global catalog
- Configuring operations masters
Relevant links
- Use DNS Application Directory Partitions
- Create a DNS Application Directory Partition
- Enlist a DNS Server in a DNS Application Directory Partition
- Move DNS Data into DNS Application Directory Partitions
In the next pair of posts in this series we will cover the first section of domain 2 in the 70-640 blueprint: configuring Active Directory Domain Services (AD DS) forests and domains.