In this series, we will move through the content blueprint of the Microsoft Windows Active Directory Configuration (70-640) exam objectives with an eye toward preparing you to pass this Microsoft Certified Technology Specialist (MCTS) exam.
Microsoft Exam 70-640 - Configuring DNS Zones / Domain 1, Subobjective 1
For each exam domain, I will give you two blog posts. The first is a nutshell summary of the content underlying that domain; this post covers the first domain in the 70-640 certification exam blueprint, Domain Name System (DNS). The second blog post presents a representative practice exam question that covers one topic from that content domain.
The screenshot above shows the relevant section from the 70-640 exam blueprint on configuring DNS zones.
What we will do here is cover each of the bullet points listed below by providing (a) a very brief definition of each technology, and (b) links to relevant Microsoft resources to support your certification study.
The first domain in the 70-640 exam is all about Domain Name System, or DNS. Suffice it to say, you should have a pretty comprehensive understanding of how Windows Server 2008 DNS works (from the server and client sides) before you tackle the 70-640 test.
In your exam study, please be sure to focus on every single item listed in each bullet point. In other words, make sure you are comfortable with all of the following aspects of configuring DNS zones:
- Dynamic DNS (DDNS) and traditional DNS
- Secure DNS
- TTL configuration
- GlobalNames, Primary, Secondary, stub, and AD-integrated zones
- SOA record configuration
- Forward and reverse lookups
Dynamic DNS (DDNS)
DDNS is a feature of the Windows Server 2008 DNS Server that lets DNS clients automatically register and unregister their host names and IP addresses (the host's A record, plus its PTR record when a matching reverse zone exists; a DHCP server can also register records on a client's behalf). The convenience is that an administrator no longer has to tend the DNS database by hand, as was necessary years ago. The flip side is that with plain (nonsecure) dynamic update any host that can reach the server may create or overwrite records, which is why the secure variant described below exists.
Non-Dynamic DNS (NDDNS)
NDDNS is (potentially) useful in very small and/or high-security networks in which the DNS administrator wants to control DNS client registrations by hand: dynamic update is disabled on the zone, and every record is created and changed manually.
- Eliminate Manual Updates of DNS Records by Configuring Dynamic Update and Secure Dynamic Update
- Step-by-Step Guide for DNS in Small Networks
Secure Dynamic DNS (SDDNS)
SDDNS (secure dynamic update) lets Windows Server 2008 DNS administrators require that a client authenticate with its domain computer account (Kerberos, via GSS-TSIG) before it may register, so non-domain-member computers and other unauthorized devices cannot write to the zone. Because each registered record is an object in Active Directory with its own access control list (ACL), by default only the computer that created a record can later update it. Secure dynamic update is available only for AD-integrated zones; a file-backed standard primary zone can offer only "none" or "nonsecure and secure". SDDNS should not be confused with DNSSEC, a completely different technology that arrived in usable form in Windows Server 2008 R2. In a nutshell, DNSSEC is a collection of industry-standard protocols that add data origin authentication and integrity protection to DNS responses.
Time to Live (TTL)
The TTL is a value attached to every resource record that tells resolvers and caching DNS servers how long they may cache the data contained in the record. In other words, if my client computer sends a query for yahoo.com and the Yahoo DNS server answers with a 1-hour TTL, my computer stores that resolved IP address in its resolver cache for 1 hour before asking again; caching servers along the path do the same. Two practical consequences follow: a change to a record is not visible everywhere until the old TTL has expired (so lower the TTL ahead of a planned change), and a bad answer that an attacker manages to plant in a cache stays there for the full TTL. We configure the DNS zone's default TTL, which applies to records that do not carry their own, by modifying the Minimum (default) TTL on the Start of Authority (SOA) tab of the zone's properties.
GlobalNames Zones
GlobalNames is a new DNS zone type in Windows Server 2008 that helps businesses decommission their WINS servers. It allows for what Microsoft calls "single-label name resolution": the administrator creates a forest-wide AD-integrated zone named GlobalNames and populates it by hand with CNAME records (the zone does not accept dynamic updates), so that "legacy" applications can keep using DNS names that mimic their deprecated NetBIOS name counterparts. Every DNS server that should answer such queries must also have GlobalNames support enabled.
Primary and Secondary Zones
In traditional DNS, both primary and secondary zones are authoritative for a given DNS domain. The difference is that updates are made on the primary DNS server and propagated to secondary DNS servers by zone transfer (a full AXFR or an incremental IXFR, triggered by the SOA refresh timer or by a NOTIFY message from the primary). In other words, primary DNS zones are read/write, and secondary DNS zones are read-only. Because a zone transfer hands out the entire zone, restrict it on the Zone Transfers tab to the servers listed in the zone's NS records or to an explicit IP list; a zone that allows transfers to any server lets anyone enumerate every host you have registered.
Active Directory-Integrated Zones
AD-integrated zones were a big deal when Microsoft added them to Windows Server. Because the zone data is stored in the Active Directory database instead of in flat files, it replicates along with AD to the domain controllers you choose: all DNS servers in the domain, all DNS servers in the forest, or, for compatibility with Windows 2000, all domain controllers in the domain. Another advantage is that every DNS server that hosts the zone (that is to say, every such domain controller) can make changes to the zone data, so replication is multi-master and there is no primary/secondary distinction among them. You can still configure an ordinary read-only secondary copy on a non-DC member server, fed by zone transfer from one of the domain controllers, which is useful for fault tolerance.
Stub Zones
A stub zone is a read-only DNS zone that contains only enough resource records to identify the authoritative DNS servers of another zone: that zone's SOA record, its NS records, and the glue A records for those name servers, all refreshed periodically from the master servers you list. We use stub zones in Windows Server 2008 DNS to keep one DNS infrastructure aware of the name servers of another, such as a delegated child zone or a partner organization's domain, without the cost of hosting a full secondary copy. For instance, the 4sysops.com DNS server might have a stub zone for the 4sysopsbackup.com domain. With that shortcut, the server sends queries for the remote domain straight to its authoritative servers instead of walking the Internet root and TLD servers to find them, which cuts down on lookups and on dependence on forwarders.
Start of Authority (SOA)
The SOA record is the most important record in a DNS zone. It carries the zone's global parameters: the primary name server, the responsible person's mailbox, the zone serial number (which secondaries compare with their own copy to decide whether a zone transfer is needed, so it must increase on every change), the refresh, retry and expire intervals that govern how often secondaries poll the primary and how long they keep answering if it is unreachable, and the aforementioned minimum (default) TTL.
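The following is an added example, not code from the original post: it reads the SOA record of one zone from each DNS server that hosts it (using the MicrosoftDNS WMI provider that ships with the Windows Server 2008 DNS role) and flags any secondary whose serial lags the primary, which is the quickest way to see whether zone transfers are actually happening. The zone name and the server names are placeholders; the first server in the list is assumed to be the primary, and the account running it needs DNS administration rights on every server.

```powershell
# Added example (not from the original post). Assumes DNS admin rights on each server;
# 'corp.example.com', 'dc01', 'dc02' and 'dns-secondary01' are placeholder names.
function Get-ZoneSoa {
    param(
        [Parameter(Mandatory = $true)][string]$Zone,
        [Parameter(Mandatory = $true)][string[]]$Server
    )
    foreach ($s in $Server) {
        $soa = Get-WmiObject -ComputerName $s -Namespace 'root\MicrosoftDNS' `
            -Class MicrosoftDNS_SOAType -Filter "ContainerName='$Zone'" |
            Select-Object -First 1
        if ($soa -eq $null) {
            Write-Warning "$s does not host an SOA record for $Zone"
            continue
        }
        New-Object PSObject -Property @{
            Server     = $s
            Serial     = $soa.SerialNumber
            Primary    = $soa.PrimaryServer
            Refresh    = $soa.RefreshInterval   # seconds between a secondary's serial checks
            Retry      = $soa.RetryDelay        # seconds to wait after a failed check
            Expire     = $soa.ExpireLimit       # seconds a secondary keeps answering without contact
            MinimumTTL = $soa.MinimumTTL        # the zone default TTL set on the SOA tab
        }
    }
}

$zone    = 'corp.example.com'                # placeholder zone name
$servers = 'dc01', 'dc02', 'dns-secondary01' # placeholder servers; first one is the primary

$results = Get-ZoneSoa -Zone $zone -Server $servers
$results | Format-Table Server, Serial, Primary, Refresh, Retry, Expire, MinimumTTL -AutoSize

# A secondary that is behind the primary's serial has not transferred the latest changes.
$master = ($results | Where-Object { $_.Server -eq $servers[0] }).Serial
foreach ($r in $results) {
    if ($r.Serial -lt $master) {
        Write-Warning ("{0} is behind the primary (serial {1} < {2}): check zone transfer permissions and NOTIFY" -f `
            $r.Server, $r.Serial, $master)
    }
}
```

The serial comparison is a plain numeric one, which is fine for serials that increase monotonically; RFC 1982 serial arithmetic wraps at 2^32, so a zone whose serial has been deliberately wrapped would need the modular comparison instead.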
Zone Aging and Scavenging
Zone scavenging refers to the Windows Server 2008 feature whereby the server periodically scours its authoritative DNS zones and purges outdated resource records. It acts only on records that carry a timestamp, that is, dynamically registered ones; static records have no timestamp and are never scavenged. It must be enabled both on the zone (aging, with its no-refresh and refresh intervals) and on the server (the scavenging interval). This process can also be initiated manually by an administrator, so check the intervals first: a refresh interval shorter than the time hosts are legitimately offline deletes records that are still needed.
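The following is an added example, not code from the original post: it audits every zone on a Windows Server 2008 DNS server for the three settings discussed above, the dynamic update mode (secure dynamic update), who is allowed to pull zone transfers (the primary/secondary section), and whether aging is switched on (scavenging), again through the MicrosoftDNS WMI provider. The server name is a placeholder, and the numeric codes for AllowUpdate and SecureSecondaries are the ones the provider documents.

```powershell
# Added example (not from the original post). Assumes DNS admin rights on the target
# server; 'dc01' is a placeholder name.
function Test-DnsZoneHardening {
    param([string]$Server = 'localhost')

    # MicrosoftDNS_Zone.AllowUpdate and .SecureSecondaries codes
    $updateMode = @{ 0 = 'None'; 1 = 'Nonsecure and secure'; 2 = 'Secure only' }
    $xferMode   = @{ 0 = 'Any server'; 1 = 'NS-listed servers only'; 2 = 'Listed IPs only'; 3 = 'No transfers' }

    Get-WmiObject -ComputerName $Server -Namespace 'root\MicrosoftDNS' -Class MicrosoftDNS_Zone |
        Where-Object { -not $_.AutoCreated -and $_.Name -ne 'TrustAnchors' } |
        ForEach-Object {
            $findings = @()
            if ($_.AllowUpdate -eq 1) {
                $findings += 'accepts nonsecure dynamic updates: any host on the network can overwrite records'
            }
            if ($_.AllowUpdate -eq 1 -and -not $_.DsIntegrated) {
                $findings += 'file-backed zone: secure-only update is unavailable until it is AD-integrated'
            }
            if ($_.SecureSecondaries -eq 0) {
                $findings += 'zone transfers allowed to any requester: the whole zone can be enumerated with AXFR'
            }
            if ($_.AllowUpdate -ne 0 -and -not $_.Aging) {
                $findings += 'dynamic zone without aging: stale records will accumulate'
            }
            # The WMI values are UInt32; cast to Int32 so they match the hashtable keys above.
            New-Object PSObject -Property @{
                Zone         = $_.Name
                ADIntegrated = $_.DsIntegrated
                Update       = $updateMode[[int]$_.AllowUpdate]
                Transfers    = $xferMode[[int]$_.SecureSecondaries]
                Aging        = $_.Aging
                NoRefreshHrs = $_.NoRefreshInterval
                RefreshHrs   = $_.RefreshInterval
                Findings     = ($findings -join '; ')
            }
        }
}

Test-DnsZoneHardening -Server 'dc01' |
    Format-Table Zone, ADIntegrated, Update, Transfers, Aging, NoRefreshHrs, RefreshHrs, Findings -AutoSize -Wrap
```

Run it against each DNS server in turn rather than once, because the zone transfer and aging settings of a file-backed zone live on that server only, and even for AD-integrated zones the server-level scavenging interval is per server.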
Forward and Reverse Lookup
In DNS, forward lookup is the resolution of a target system's IP address from its host name, answered from A (IPv4) or AAAA (IPv6) records in a forward lookup zone. Reverse lookup is the resolution of a host name from a given IP address, answered from PTR records in a reverse lookup zone named under in-addr.arpa (IPv4) or ip6.arpa (IPv6); the zone for 192.168.1.0/24, for example, is 1.168.192.in-addr.arpa.
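The following is an added example, not from the original post: it creates one of each zone type discussed above (AD-integrated, standard primary, secondary, stub, GlobalNames, plus a reverse lookup zone with a matching A/PTR pair) using dnscmd.exe, the command-line DNS tool built into Windows Server 2008, then verifies forward, reverse and single-label resolution with nslookup. All zone names, host names, server names and IP addresses are placeholders; the commands assume an elevated prompt on a DNS server in the domain.

```powershell
# Added example (not from the original post). Zone names, hosts and addresses are
# placeholders: 192.168.1.10 is the DC hosting the zones, 192.168.1.11 is a member
# server running a secondary copy, 203.0.113.53 is a partner's name server.

# 1. AD-integrated forward zone replicated to all DNS servers in the domain, secure updates only
dnscmd /ZoneAdd corp.example.com /DsPrimary /DP /domain
dnscmd /Config  corp.example.com /AllowUpdate 2

# 2. Matching AD-integrated reverse zone for 192.168.1.0/24, then a host's A record and its PTR
dnscmd /ZoneAdd 1.168.192.in-addr.arpa /DsPrimary /DP /domain
dnscmd /RecordAdd corp.example.com web01 A 192.168.1.25
dnscmd /RecordAdd 1.168.192.in-addr.arpa 25 PTR web01.corp.example.com.

# 3. Read-only secondary copy of the AD-integrated zone on a member server (fault tolerance):
#    first allow the DC to transfer and notify only that server, then create the secondary there
dnscmd /ZoneResetSecondaries corp.example.com /SecureList 192.168.1.11 /NotifyList 192.168.1.11
dnscmd dns-secondary01 /ZoneAdd corp.example.com /Secondary 192.168.1.10

# 4. Standard (file-backed) primary zone, transfers locked to a listed secondary as well
dnscmd /ZoneAdd lab.example.com /Primary /file lab.example.com.dns
dnscmd /ZoneResetSecondaries lab.example.com /SecureList 192.168.1.11

# 5. Stub zone that tracks another organisation's authoritative servers
dnscmd /ZoneAdd 4sysopsbackup.com /Stub 203.0.113.53

# 6. GlobalNames zone, forest-wide, with one hand-made single-label alias
dnscmd /Config /EnableGlobalNamesSupport 1
dnscmd /ZoneAdd GlobalNames /DsPrimary /DP /forest
dnscmd /RecordAdd GlobalNames intranet CNAME intranet.corp.example.com.

# 7. Verify: forward lookup, reverse lookup, the single-label name, and the transfer restriction
nslookup web01.corp.example.com 192.168.1.10
nslookup 192.168.1.25 192.168.1.10
nslookup intranet 192.168.1.10
dnscmd /ZoneInfo corp.example.com SecureSecondaries
```

Run the nslookup for the single-label name from a domain member: the client appends its DNS suffix, the server finds no "intranet" host in corp.example.com and then consults the GlobalNames zone, which is the lookup order the feature relies on. The last dnscmd line should report the secure-secondaries mode set in step 3; anything other than a restricted mode means the whole zone can be pulled by any host that asks.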
I hope that you find this approach to 70-640 exam certification study fruitful. Please feel free to leave your questions and comments.
In the next post I will provide a sample practice question for the Configuring DNS Zones topic.
With larger organizations where multiple DNS/AD servers are present this may not be a problem, but for the single forest/single domain with one DC where DNS is integrated with AD, I’m sorry to say, but AD integration spells a disaster when you get into a circular AD needs DNS, but DNS can’t start because AD isn’t ready type situation…
I suggest that ANYONE who even thinks about working with AD at least spend some time learning DNS and its relationships with AD. NOT the morning of a disaster…
Hi David! Two thoughts spring to my mind: (1) Always having >1 domain controller/DNS server in the environment; and (2) have one member server pulling from the AD-integrated zone as a secondary backup. In other words, fault tolerance! 😉 -Tim