Module 4

Implementing DNS
Module Overview

• Implementing DNS servers

• Configuring zones in DNS
• Configuring name resolution between DNS zones
• Configuring DNS integration with AD DS
• Configuring advanced DNS settings
Lesson 1: Implementing DNS servers

• How does DNS name resolution work?

• DNS components
• What are DNS zones and records?
• Demonstration: Installing and configuring the
DNS role
• Configuring DNS clients
• Tools and techniques for troubleshooting name
resolution
• Managing DNS services
• Demonstration: Troubleshooting name resolution
• Testing DNS servers
• Demonstration: Testing the DNS server
How does DNS name resolution work?

A hostname is a computer name that is added to a

domain name and top level domain to make a fully
qualified domain name (FQDN)

Hostname Domain Top level

AcctDirPC adatum com

Fully qualified domain name = AcctDirPC.adatum.com

NetBIOS names are rarely used and are being deprecated in

Windows operating systems
DNS components

• DNS namespace is a hierarchical naming

structure that provides multiple identifiers for
each network node that can be identified relative
to the root domain:
computer01.unitedstates.microsoft.com
• DNS infrastructure components include:
• DNS server
• DNS zone
• DNS resolvers
• Resource records
What are DNS zones and records?

• A DNS zone is a specific portion of DNS

namespace that contains DNS records
• Zone types:
• Forward lookup zone
• Reverse lookup zone
• Resource records in forward lookup zones
include: A, MX, SRV, NS, SOA, and CNAME
• Resource records in reverse lookup zones
include: PTR
Demonstration: Installing and configuring the DNS role

In this demonstration, you will learn how to:

• Install the DNS server role
• Configure the DNS Server role to forward requests to
LON-DC1.adatum.com
 Configuring DNS clients

Set-DnsClientServerAddress -InterfaceIndex 12 -ServerAddresses

("172.16.0.10","172.16.0.21")
Tools and techniques for troubleshooting name
resolution
• Windows Server 2012 R2 introduced a new Windows PowerShell DNS
module with numerous cmdlets, including the Get-
DNSServerStatistics cmdlet:
• $statistics = Get-DnsServerStatistics –ZoneName Adatum.com
• $statistics.ZoneQueryStatistics
• $statistics.ZoneTransferStatistics
• $statistics.ZoneUpdateStatistics

• Command-line tools to troubleshoot configuration issues:

• Nslookup
• DNSCmd
• DNSlint
• Ipconfig

• The troubleshooting process:

• Identify client DNS server with nslookup or Resolve-DnsName
• Communicate via ping
• Use nslookup to verify records
Managing DNS services

• You can manage DNS services by:

• Delegating DNS administration through membership in
the DNS Admins group
• Viewing DNS logs in Event Viewer
• Enabling DNS debug logging in the DNS server
properties
• Enabling aging and scavenging to remove stale records

• Backup methods for the DNS database depend on

how the database is deployed:
• Back up Active Directory-integrated zones through
System State backups by using dnscmd or by using
Windows PowerShell
• Copy or back up primary zone files that are not using AD
DS integration
Demonstration: Troubleshooting name resolution

In this demonstration, you will learn how to:

• Use Windows PowerShell cmdlets to
troubleshoot DNS
• Use command-line tools to troubleshoot DNS
Testing DNS servers

• Monitoring tab on
DNS Console:
• Simple query
• Recursive query
• Windows PowerShell
• Get-
DnsServerDiagnostics
• Test-DnsServer
• Nslookup –d2 FQDN
Audit and Analytic
event logging:
• Use Event Viewer or
tracelog.exe
Demonstration: Testing the DNS server

In this demonstration, you will learn how to:

• Test the DNS server
• Configure auditing and analytical logging of events
Lesson 2: Configuring zones in DNS

• DNS resource record types

• Creating records in DNS
• Configuring DNS zones
• What are primary and secondary zones?
• Configuring zone replication
DNS resource record types

DNS resource records include:

• SOA: Start-of-authority resource record
• A: IPv4 host address resource record
• CNAME: Alias resource record
• MX: Mail exchange resource record
• SRV: Service locator resource record
• NS: Name server resource record
• AAAA: IPv6 host address resource record
• PTR: Pointer resource record
Creating records in DNS

Add-DnsServerResourceRecordA -ZoneName Contoso.com -Name ATL-SVR1

-IpAddress 172.16.18.25
 Configuring DNS zones

Namespace: training.contoso.com

DNS Client1 192.168.2.45

DNS Server Authorized Forward
for Training Training DNS Client2 192.168.2.46
zone
DNS Client3 192.168.2.47
192.168.2.45 DNS Client1
Reverse 2.168.192.in-
192.168.2.46 DNS Client2
zone addr.arpa
192.168.2.47 DNS Client3

DNS Client2 = ?

192.168.2.46 = ?

DNS Client1
What are primary and secondary zones?

Zones Description

Primary Read/write copy of a DNS database

Secondary Read-only copy of a DNS database

Copy of a zone that contains only records

Stub
used to locate name servers

Active Directory- Zone data is stored in AD DS rather than in

integrated zone files
 Configuring zone replication

Active Directory–integrated zones Traditional DNS zones

Replication Zone transfer

Active Directory– Primary zone

integrated
zones
Active Directory–
integrated Secondary zone
zones

Zones Description
Active Directory– • Perform incremental replication between DNS servers
integrated
zones • Adjust the Active Directory replication schedule

• Replicate between primary and secondary zones

Traditional DNS zones • Perform an incremental rather than a complete zone
transfer
Lesson 3: Configuring name resolution between
DNS zones

• Resolving DNS names between zones

• What is a stub zone?
• What is DNS caching?
• What is DNS forwarding?
• DNS forwarding and stub zone guidance
• Discussion: When to use DNS forwarding
• Configuring delegation
Resolving DNS names between zones

.root DNS

What is the IP address of

www.microsoft.com? 2

1 3
.com DNS

Local DNS Server

Workstation
4
The IP
address is
207.46.230.
219 Microsoft.com DNS
5
 What is a stub zone?
Without stub zones, the ny.na.contoso.com server must query several
servers to find the server that hosts the na.fabrikam.com zone

DNS
Server
contoso.com
DNS
(Root domain) Server

fabrikam.com
DNS DNS
Server Server
DNS
Server
na.contoso.com sa.contoso.com

DNS
DNS na.fabrikam.com
Server
Server

ny.na.contoso.com rio.sa.contoso.com
What is DNS caching?
DNS server cache
Host name IP address TTL
ServerA.contoso.com 131.107.0.44 28 seconds

Contoso
Internet DNS
Internal DNS
DNS

ServerA
Where isis at
131.107.0.44
ServerA?

Client1
Where
ServerAisis at
ServerA?
131.107.0.44
Client2
ServerA
What is DNS forwarding?

A forwarder is a DNS server that is designated to resolve

external or offsite DNS domain names
Root Hint (.)
Forwarder
Iterative Query

Ask .com

.com

Contoso.com
Local
DNS
Server Client
DNS forwarding and stub zone guidance

• When to use conditional forwarding

• Points to a different domain name
• Name can even be in a different top level
• When you want all name resolution for that name to
take a particular path
• When to use stub zones
• Usually when the domain name is below a higher level
• Delegation below a delegation
 Discussion: When to use DNS forwarding

What DNS resolution method do you use?

Scenario 1: Northwind Traders Inc., has recently acquired the Beyond Blue Airline
Corporation and you are tasked with setting up the DNS infrastructure. You will
have an Active Directory Domain Services (AD DS) forest named Northwind.com,
and a separate tree named Beyondblueair.com. Users will regularly need to resolve
names to IP addresses for servers within each domain name. You want to ensure
that the DNS queries remain within the corporate infrastructure.

Scenario 2: Contoso LTD has diversified into several product lines, and the AD DS
domain structure is being extended. Contoso.com has three existing sub domains:
NA.contoso.com, EU.contoso.com and Asia.contoso.com. Plans are under way to
create sub domain in each of the geographical domains, with an automotive domain
under each with a two separate subdomains under each automotive domain. You
need to ensure the faster possible name resolution path for internal clients.
10 minutes
Configuring delegation

DNS
Server
Contoso.com

DNS
Zone
DNS
Subdomain DNS
Zone
Sales

DNS
Server
Marketing
Lab A: Planning and implementing name resolution by
using DNS

• Exercise 1: Planning DNS name resolution

• Exercise 2: Implementing DNS servers and zones

Logon Information
Virtual machines: 20741A-LON-DC1
20741A-EU-RTR
20741A-INET
20741A-LON-SVR1
20741A-SYD-SVR1
User name: Adatum\Administrator
Password: Pa$$w0rd

Estimated Time: 60 minutes

Lab Scenario
Users in the A. Datum Corporation’s Sydney office have been complaining
about slowness and errors when connecting to internal and external websites
and servers. Currently, the Sydney office only hosts client computers. Wide
area network (WAN) communication between Sydney and London, where
infrastructure servers are hosted, has been intermittent and is the primary
cause of the issues. You have been asked to implement DNS infrastructure in
Sydney by using one server that will resolve the majority of these issues.
The current DNS structure for A. Datum Corporation is as follows:
 Your Internet service provider’s DNS server (131.107.0.100) provides DNS
resolution and forwarding for Internet-based domain names.
 The Contoso.com domain namespace hosts web and mail services that are
accessible from the Internet. These servers are also accessible from inside
the A. Datum Corporation network.
 The Treyresearch.net namespace contains resources used by A. Datum
Corporation employees. However, the DNS records for the Treyresearch.net
zone are not located on the DNS server that clients are configured to use.
They are located on LON-SVR1.
 LON-DC1 provides DNS resolution for Adatum.com.
Lab Scenario (Continued)
You must configure a DNS server in the Sydney location to
enable more efficient name resolution for Sydney clients.
The DNS server must resolve queries for local clients, and
provide access to name resolution for the Internet sites, as
provided by LON-SVR1. Sydney clients should be
forwarded to an authoritative server for Adatum.com to
resolve internal queries.
The requirements are as follows:
 Configuring forwarding for all DNS lookups for Internet
access from Sydney to your ISP’s DNS server
 Configuring conditional forwarding on SYD-SVR1 for the
Treyresearch.net zone
 Hosting and resolving queries for the Adatum.com
domain within the Sydney location
Lab Scenario (Continued)

The virtual machines used in this lab provide the

following services:
 INET (131.107.0.100). DNS server providing name
resolution for Internet-based DNS names
 LON-DC1 (172.16.0.10). Domain controller and
DNS server hosting the Adatum.com namespace
 LON-SVR1 (172.16.0.11). DNS server hosting the
Treyresearch.net namespace
 SYD-SVR1 (172.16.19.20). The server that you will
configure with DNS to provide name resolution
for client computers in Sydney
Lab Review

• Can you install the DNS Server role on a server

that is not a domain controller? If yes, are there
any limitations?
• What is the most common way to carry out
Internet name resolution on a local DNS?
• How can you browse the content of the DNS
resolver cache on a DNS server?
Lesson 4: Configuring DNS integration with AD DS

• Overview of AD DS and DNS integration

• What are Service Resource Locator records?
• Benefits of Service Resource Locator records
• What are Active Directory–integrated zones?
• Application partitions in AD DS
• Dynamic updates
• Demonstration: Configuring AD DS–integrated
zones
Overview of AD DS and DNS integration
Normal
Normal Normal
Normal
replication
replication replication
replication
traffic
traffic traffic
traffic

Controllers----------
-------------Domain Controllers----------
-------------Domain
DNS Service

Zone
Transfer

Primary DNS Server Secondary DNS Server

What are Service Resource Locator records?

• Domain controllers register SRV records as follows:

• _tcp.adatum.com — All domain controllers in the domain
• _tcp.sitename._sites.adatum.com — All services in a specific
site
• Clients query DNS to locate services in specific sites
Benefits of Service Resource Locator records

Benefits of SRV Resource Records

• Domain controllers register their SRV resource records
dynamically, by service and site location
• Client systems in sites use SRV resource records
recorded in a site to find domain controllers in their
own site before attempting to connect to domain
controllers across wide area network links
• Keeps network traffic across links down and
manageable
What are Active Directory–integrated zones?

An Active Directory–integrated zone:

• Allows multi-master writes to zone
• Replicates DNS zone information by using AD DS
replication:
• Leverages efficient replication topology
• Uses efficient incremental updates for Active Directory
replication processes
• Enables secure dynamic updates
• Delegates zones, domains, and resource records for
increased security
Application partitions in AD DS

Replicate to all domain controllers

in the AD DS domain
Domain
Replicate to all domain controllers
Config that are DNS servers in the AD DS
Schema
domain

DomainDNSZone
Replicate to all domain controllers
that are DNS servers in the AD DS
ForestDNSZones forest
Custom Partition Replicate to all domain controllers
in the replication scope for the
application partition
Dynamic updates

1. The client sends an SOA query

2. The DNS server returns an SOA
resource record
3. The client sends dynamic update
request(s) to identify the primary Client
DNS server
4. The DNS server responds that it
can perform an update
1 2 3 4 5 6 7
5. The client sends unsecured update
to the DNS server
6. If the zone permits only secure
updates, the update is refused
7. The client sends a secured update
to the DNS server
DNS Resource
Server Records
Demonstration: Configuring AD DS–integrated zones

In this demonstration, you will learn how to:

• Promote a server as a domain controller
• Create an Active Directory–integrated zone
• Create a record
• Verify replication to a second DNS server
Lab B: Integrating DNS with AD DS

• Exercise 1: Integrating DNS with AD DS

Logon Information
Virtual machines: 20741A-LON-DC1
20741A-LON-SVR1
20741A-EU-RTR
20741A-SYD-SVR1
User name: Adatum\Administrator
Password: Pa$$w0rd

Estimated Time: 20 minutes

Lab Scenario

After making additional improvements to the

WAN connection between London and Sydney
locations, you have been asked to enable SYD-
SVR1 to update and replicate records for the
Adatum.com domain.
Lab Review

• Why did you promote SYD-SVR1 to a domain

controller?
Lesson 5: Configuring advanced DNS settings

• Configuring advanced DNS name resolution

• Configuring root hints
• What is the GlobalNames zone?
• Demonstration: Configuring the GlobalNames zone
• Understanding split DNS
• Implementing split DNS
• DNS policies
• Demonstration: Configuring DNS policies
• Implementing DNS security
• Implementing DNSSEC
• Demonstration: Configuring DNSSEC
• DNS on Nano Server
Configuring advanced DNS name resolution

Advanced DNS
name resolution:
• DNS round robin
• Netmask
reordering
• Recursion
Configuring root hints

Root hints contain the IP addresses for

DNS root servers
Root (.) Servers

DNS Servers Root

Hints

com
DNS
Server
microsoft
Client
 What is the GlobalNames zone?
The GlobalNames zone allows single-label names to be resolved in multiple
DNS domain environments
You can configure the GlobalNames zone by using dnscmd or by using
Windows PowerShell:
• Get-DnsServerGlobalNameZone
• Set-DnsServerGlobalNameZone

2
1
3
GlobalNames
Zone
4 6
5
DNS Server DNS Client

Forward Lookup
Zone
Demonstration: Configuring the GlobalNames zone

In this demonstration, you will learn how to create

a GlobalNames zone
Understanding split DNS

Perimeter Network
Domain controllers Inside
Web Mail
Outside
running Active Directory- firewall firewall
server server
integrated DNS

Hosts only records

that are resolved
External DNS from the outside,
server such as mail and web
server
1. Clients and servers on the internal network
send all DNS queries to Active Directory-
integrated DNS servers.

Internal network
Understanding split DNS

Perimeter Network
Domain controllers Inside
Web Mail
Outside
running Active Directory- firewall firewall
server server
Integrated DNS

Hosts only records

that are resolved
External DNS from the outside,
server such as mail and web
server
2. The Active Directory-Integrated DNS
servers return IP addresses back to those
querying clients and servers on the internal
network.

Internal network
Understanding split DNS

Perimeter Network
Domain controllers Inside
Web Mail
Outside
running Active Directory- firewall firewall
server server
integrated DNS

Hosts only records

that are resolved
External DNS from the outside,
server such as mail and web
server
3. The external DNS server provides name
resolution for Internet clients.

Internal network
Implementing split DNS

• Same namespace:
• Internal records should not be available externally
• Records might need to be synchronized between
internal and external DNS

• Unique namespace:
• Record synchronization is not required
• Existing DNS infrastructure is unaffected
• Clearly delineates between internal and external DNS

• Subdomain:
• Record synchronization is not required
• Contiguous namespace is easy to understand
DNS policies

• DNS policy scenarios:

• Application high availability
• Traffic management
• Split brain DNS
• Filtering
• Forensics

• DNS policy objects:

• Client subnet
• Recursion scope
• Zone scope

• Use Windows PowerShell to create and manage

DNS policies
Demonstration: Configuring DNS policies

In this demonstration, you will learn how to create

a DNS policy that returns a different server
address that depends upon the client location
Implementing DNS security

DNS security feature Description

DNS cache locking Prevents entries in the cache from being

overwritten until a percentage of the TTL
has expired
DNS socket pool Randomizes the source port for issuing
DNS queries. Enabled by default in
Windows Server 2012.
DANE Uses TLSA records that state the CA from
which they should expect a certificate

DNSSEC Enables cryptographically signing DNS

records so that client computers can
validate responses
Implementing DNSSEC

DNSSEC functions as follows:

• If a zone has been digitally signed, a query response will
contain digital signatures
• DNSSEC uses trust anchors, which are special zones that
store public keys associated with digital signatures
• Resolvers use trust anchors to retrieve public keys and
build trust chains
• DNSSEC requires trust anchors to be configured on all
DNS servers participating in DNSSEC
• DNSSEC uses the NRPT, which contains rules that control
the requesting client computer behavior for sending
queries and handling responses
Demonstration: Configuring DNSSEC

In this demonstration, you will learn how to use

the Zone Signing Wizard in the DNS Manager
console to configure DNSSEC
DNS on Nano Server

To use Nano Server as a DNS Server:

• Install the NanoServer Package
• Create a VHD with the Microsoft-NanoServer-DNS-
Package
• Import the VHD into Hyper-V as a virtual machine
• Configure networking settings and enable the remote
management firewall ports
• Connect remotely to the server running Nano Server by
using Windows PowerShell 5.0 on a Windows client or a
server
• Run the command Enable-WindowsOptionalFeature
-Online -FeatureName DNS-Server-Full-Role
• Manage DNS remotely by using the Windows PowerShell
5.0 DNS commands
Lab C: Configuring advanced DNS settings

• Exercise 1: Configuring DNS policies

• Exercise 2: Validating the DNS implementation
• Exercise 3: Troubleshooting DNS
Logon Information
Virtual machines: 20741A-LON-DC1
20741A-LON-SVR1
20741A-INET
20741A-EU-RTR
20741A-SYD-SVR1
20741A-TOR-SVR1
20741A-LON-CL1
User name: Adatum\Administrator
Password: Pa$$w0rd
Estimated Time: 40 minutes
Lab Scenario

You want to make DNS zone management easier.

You want to configure DNS policies in Windows
Server 2016, so that users in different
geographical areas can connect to a different web
server. You must then test and troubleshoot the
DNS configuration you have created.
Module Review and Takeaways

• Best Practices
• Common Issues and Troubleshooting Tips
• Review Questions
• Tools