Implementing DNS


Module 4

Implementing DNS
Module Overview

• Implementing DNS servers
• Configuring zones in DNS
• Configuring name resolution between DNS zones
• Configuring DNS integration with AD DS
• Configuring advanced DNS settings
Lesson 1: Implementing DNS servers

• How does DNS name resolution work?
• DNS components
• What are DNS zones and records?
• Demonstration: Installing and configuring the DNS role
• Configuring DNS clients
• Tools and techniques for troubleshooting name resolution
• Managing DNS services
• Demonstration: Troubleshooting name resolution
How does DNS name resolution work?

A hostname is a computer name that is added to a domain name and a top-level domain to make a fully qualified domain name (FQDN):

Hostname    Domain    Top level
AcctDirPC   adatum    com

Fully qualified domain name = AcctDirPC.adatum.com

NetBIOS names are rarely used and are being deprecated in Windows operating systems
DNS components

• DNS namespace is a hierarchical naming structure that provides multiple identifiers for each network node that can be identified relative to the root domain, for example computer01.unitedstates.microsoft.com
• DNS infrastructure components include:
  • DNS server
  • DNS zone
  • DNS resolvers
  • Resource records
What are DNS zones and records?

• A DNS zone is a specific portion of the DNS namespace that contains DNS records
• Zone types:
  • Forward lookup zone
  • Reverse lookup zone
• Resource records in forward lookup zones include: A, MX, SRV, NS, SOA, and CNAME
• Resource records in reverse lookup zones include: PTR
Demonstration: Installing and configuring the DNS role

In this demonstration, you will learn how to:

• Install the DNS Server role
• Configure the DNS Server role to forward requests to LON-DC1.adatum.com
Configuring DNS clients

Set-DnsClientServerAddress -InterfaceIndex 12 -ServerAddresses ("172.16.0.10","172.16.0.21")
Tools and techniques for troubleshooting name resolution

• Windows Server 2012 R2 introduced a new Windows PowerShell DNS module with numerous cmdlets, including the Get-DnsServerStatistics cmdlet:
  • $statistics = Get-DnsServerStatistics -ZoneName Adatum.com
  • $statistics.ZoneQueryStatistics
  • $statistics.ZoneTransferStatistics
  • $statistics.ZoneUpdateStatistics
• Command-line tools to troubleshoot configuration issues:
  • Nslookup
  • DNSCmd
  • DNSlint
  • Ipconfig
• The troubleshooting process:
  • Identify the client's DNS server with nslookup or Resolve-DnsName
  • Communicate via ping
  • Use nslookup to verify records
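The three-step troubleshooting process above, as an added PowerShell example that is not part of the course materials; it runs on a Windows client, and the function name and the optional comparison against an authoritative server are my additions.

```powershell
# Added example: walk the slide's troubleshooting process for one name from a client.
function Test-NameResolutionPath {
    param(
        [Parameter(Mandatory)] [string] $Name,
        [string] $AuthoritativeServer   # optional: compare with the server that owns the zone
    )
    $result = [ordered]@{ Name = $Name }

    # Step 1: identify which DNS servers the client is actually configured to use (IPv4)
    $servers = (Get-DnsClientServerAddress -AddressFamily IPv4 |
        Where-Object { $_.ServerAddresses }).ServerAddresses | Select-Object -Unique
    $result.ClientDnsServers = $servers

    # Step 2: confirm the servers are reachable before blaming the records
    $result.Reachable = foreach ($s in $servers) {
        [pscustomobject]@{ Server = $s; Ping = (Test-Connection -ComputerName $s -Count 1 -Quiet) }
    }

    # Step 3: verify the record on each server. Resolve-DnsName is the PowerShell
    # counterpart of nslookup; -DnsOnly skips the hosts file, LLMNR and NetBIOS.
    $result.Answers = foreach ($s in $servers) {
        try {
            $a = Resolve-DnsName -Name $Name -Type A -Server $s -DnsOnly -ErrorAction Stop
            [pscustomobject]@{ Server = $s; IPAddress = (($a | Where-Object Type -eq 'A').IPAddress -join ',') }
        } catch {
            [pscustomobject]@{ Server = $s; IPAddress = "ERROR: $($_.Exception.Message)" }
        }
    }

    # Optional: a differing answer from the authoritative server points at stale cache data
    if ($AuthoritativeServer) {
        $auth = Resolve-DnsName -Name $Name -Type A -Server $AuthoritativeServer -DnsOnly -ErrorAction SilentlyContinue
        $result.AuthoritativeAnswer = (($auth | Where-Object Type -eq 'A').IPAddress -join ',')
    }
    [pscustomobject]$result
}

# Usage (lab addresses): Test-NameResolutionPath -Name LON-DC1.adatum.com -AuthoritativeServer 172.16.0.10
```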
Managing DNS services

• You can manage DNS services by:
  • Delegating DNS administration through membership in the DNS Admins group
  • Viewing DNS logs in Event Viewer
  • Enabling DNS debug logging in the DNS server properties
  • Enabling aging and scavenging to remove stale records
• Backup methods for the DNS database depend on how the database is deployed:
  • Back up Active Directory–integrated zones through System State backups by using dnscmd or by using Windows PowerShell
  • Copy or back up primary zone files that are not using AD DS integration
Demonstration: Troubleshooting name resolution

In this demonstration, you will learn how to:

• Use Windows PowerShell cmdlets to troubleshoot DNS
• Use command-line tools to troubleshoot DNS
Testing DNS servers

• Monitoring tab on the DNS console:
  • Simple query
  • Recursive query
• Windows PowerShell:
  • Get-DnsServerDiagnostics
  • Test-DnsServer
• Nslookup -d2 FQDN
• Audit and Analytic event logging:
  • Use Event Viewer or tracelog.exe
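The management tasks (scavenging, debug logging, backups) and the server tests from the two slides above, as one added PowerShell session that is not part of the course; it runs on a DNS server such as LON-DC1, and the log path, backup target and intervals are assumptions.

```powershell
# Added example: DnsServer module cmdlets on Windows Server 2012 R2 or later.
# Paths, intervals and the backup target are assumptions, not course values.

# --- Aging and scavenging: stale dynamically registered records are removed ---
# Scavenging runs only when it is enabled both server-wide and on the zone.
Set-DnsServerScavenging -ScavengingState $true -ScavengingInterval 7.00:00:00 `
    -NoRefreshInterval 7.00:00:00 -RefreshInterval 7.00:00:00 -ApplyOnAllZones
Set-DnsServerZoneAging -Name adatum.com -Aging $true

# --- Debug logging (DNS server properties > Debug Logging) to a file ---
Set-DnsServerDiagnostics -Queries $true -Answers $true -SendPackets $true `
    -ReceivePackets $true -UdpPackets $true -TcpPackets $true `
    -EnableLoggingToFile $true -LogFilePath 'C:\DnsLogs\dns.log' -MaxMBFileSize 500
Get-DnsServerDiagnostics | Select-Object Queries, Answers, EnableLoggingToFile, LogFilePath

# --- Audit and analytic event logging ---
# The audit channel is on by default; the analytic channel must be enabled first.
wevtutil sl 'Microsoft-Windows-DNSServer/Analytical' /e:true
Get-WinEvent -LogName 'DNS Server' -MaxEvents 10
Get-WinEvent -LogName 'Microsoft-Windows-DNSServer/Audit' -MaxEvents 10

# --- Testing the server (the Monitoring tab's simple and recursive tests) ---
Test-DnsServer -IPAddress 172.16.0.10 -ZoneName adatum.com   # authoritative answer for the zone?
Test-DnsServer -IPAddress 172.16.0.10 -Context RootHints     # can it recurse via root hints?
$statistics = Get-DnsServerStatistics -ZoneName adatum.com
$statistics.ZoneQueryStatistics

# --- Backups ---
# File-backed zones: export a copy (path is relative to %SystemRoot%\System32\dns)
Export-DnsServerZone -Name treyresearch.net -FileName 'backup\treyresearch.net.dns'
# AD-integrated zones live in AD DS, so they are covered by a System State backup
wbadmin start systemstatebackup -backupTarget:E: -quiet
```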
Demonstration: Testing the DNS server

In this demonstration, you will learn how to:

• Test the DNS server
• Configure auditing and analytical logging of events
• Use Windows PowerShell to configure global DNS settings
Lesson 2: Configuring zones in DNS

• DNS resource record types
• Creating records in DNS
• Configuring DNS zones
• What are primary and secondary zones?
• Configuring zone replication
DNS resource record types

DNS resource records include:

• SOA: Start-of-authority resource record
• A: IPv4 host address resource record
• CNAME: Alias resource record
• MX: Mail exchange resource record
• SRV: Service locator resource record
• NS: Name server resource record
• AAAA: IPv6 host address resource record
• PTR: Pointer resource record
Creating records in DNS

Add-DnsServerResourceRecordA -ZoneName Contoso.com -Name ATL-SVR1 -IPv4Address 172.16.18.25

(The cmdlet's address parameter is -IPv4Address; -IpAddress is not a parameter of Add-DnsServerResourceRecordA and is rejected.)
Configuring DNS zones

[Diagram: namespace training.contoso.com, with one DNS server authoritative for the Training forward zone and the matching reverse zone]

Forward lookup zone "Training" (name to address):
  DNS Client1   192.168.2.45
  DNS Client2   192.168.2.46
  DNS Client3   192.168.2.47

Reverse lookup zone 2.168.192.in-addr.arpa (address to name):
  192.168.2.45  DNS Client1
  192.168.2.46  DNS Client2
  192.168.2.47  DNS Client3

Example queries shown: "DNS Client2 = ?" (forward lookup) and "192.168.2.46 = ?" (reverse lookup)
What are primary and secondary zones?

Zone                          Description
Primary                       Read/write copy of a DNS database
Secondary                     Read-only copy of a DNS database
Stub                          Copy of a zone that contains only the records used to locate name servers
Active Directory–integrated   Zone data is stored in AD DS rather than in zone files
Configuring zone replication

[Diagram: Active Directory–integrated zones exchange data with each other through AD DS replication; traditional DNS zones copy data from a primary zone to a secondary zone through zone transfer]

Zones                          Description
Active Directory–integrated    • Perform incremental replication between DNS servers
zones                          • Adjust the Active Directory replication schedule
Traditional DNS zones          • Replicate between primary and secondary zones
                               • Perform an incremental rather than a complete zone transfer
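The zone types in the table and the two replication models, as an added PowerShell example that is not part of the course; it uses the lab's servers (LON-SVR1 172.16.0.11, SYD-SVR1 172.16.19.20, LON-DC1 172.16.0.10), and the na.fabrikam.com master address is a constructed value.

```powershell
# Added example: create each zone type and restrict who may pull a full copy of a zone.

# On LON-SVR1: a standard (file-backed) primary zone for treyresearch.net
Add-DnsServerPrimaryZone -Name treyresearch.net -ZoneFile 'treyresearch.net.dns' -DynamicUpdate None
# Zone transfers are a full dump of the zone, so limit them to the one known secondary
# and let it know when the zone changes (NOTIFY) instead of waiting for the refresh timer
Set-DnsServerPrimaryZone -Name treyresearch.net `
    -SecureSecondaries TransferToSecureServers -SecondaryServers 172.16.19.20 `
    -Notify NotifyServers -NotifyServers 172.16.19.20
Get-DnsServerZone -Name treyresearch.net | Select-Object ZoneName, ZoneType, SecureSecondaries, SecondaryServers

# On SYD-SVR1: a read-only secondary that pulls from LON-SVR1, then a forced full transfer
Add-DnsServerSecondaryZone -Name treyresearch.net -ZoneFile 'treyresearch.net.dns' -MasterServers 172.16.0.11
Start-DnsServerZoneTransfer -Name treyresearch.net -FullTransfer
# The SOA serial on the secondary should now match the primary
(Get-DnsServerResourceRecord -ZoneName treyresearch.net -RRType Soa).RecordData.SerialNumber

# A stub zone holds only SOA, NS and glue records, enough to find the authoritative servers
Add-DnsServerStubZone -Name na.fabrikam.com -MasterServers 10.0.0.5 -ZoneFile 'na.fabrikam.com.dns'   # 10.0.0.5 is constructed

# On LON-DC1: an Active Directory–integrated zone; no zone file, no zone transfer,
# replication happens with AD DS to every DNS server in the forest
Add-DnsServerPrimaryZone -Name adatum.com -ReplicationScope Forest -DynamicUpdate Secure
Get-DnsServerZone | Select-Object ZoneName, ZoneType, IsDsIntegrated, ReplicationScope
```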
Lesson 3: Configuring name resolution between DNS zones

• Resolving DNS names between zones
• What is a stub zone?
• What is DNS caching?
• What is DNS forwarding?
• DNS forwarding and stub zone guidance
• Discussion: When to use DNS forwarding
• Configuring delegation
Resolving DNS names between zones

[Diagram: a workstation asks its local DNS server "What is the IP address of www.microsoft.com?"; the local DNS server queries the root (.) DNS, the .com DNS and the Microsoft.com DNS servers in turn, and returns "The IP address is 207.46.230.219" to the workstation (steps 1 to 5)]
What is a stub zone?

Without stub zones, the ny.na.contoso.com server must query several servers to find the server that hosts the na.fabrikam.com zone

[Diagram: DNS servers for the root domain, contoso.com, na.contoso.com, sa.contoso.com, ny.na.contoso.com, rio.sa.contoso.com, fabrikam.com and na.fabrikam.com; the query from ny.na.contoso.com walks up the contoso.com tree to the root and down through fabrikam.com before it reaches na.fabrikam.com]
What is DNS caching?

DNS server cache:
Host name             IP address     TTL
ServerA.contoso.com   131.107.0.44   28 seconds

[Diagram: Client1 asks the Contoso internal DNS server "Where is ServerA?"; the internal DNS server resolves the name through the Internet DNS, answers "ServerA is at 131.107.0.44" and caches the entry; Client2's later query for ServerA is answered from the cache while the TTL has not expired]
What is DNS forwarding?

A forwarder is a DNS server that is designated to resolve external or offsite DNS domain names

[Diagram: the client sends a recursive query for mail1.contoso.com to the local DNS server; the local DNS server passes it to the forwarder, which uses its root hint (.) and iterative queries ("Ask .com", "Ask Contoso.com") to reach the authoritative server; the authoritative response (131.107.0.11 in the figure) travels back to the client]
DNS forwarding and stub zone guidance

• When to use conditional forwarding:
  • Points to a different domain name
  • Name can even be in a different top level
  • When you want all name resolution for that name to take a particular path
• When to use stub zones:
  • Usually when the domain name is below a higher level
  • Delegation below a delegation
Discussion: When to use DNS forwarding

What DNS resolution method do you use?

Scenario 1: Northwind Traders Inc. has recently acquired the Beyond Blue Airline Corporation, and you are tasked with setting up the DNS infrastructure. You will have an Active Directory Domain Services (AD DS) forest named Northwind.com and a separate tree named Beyondblueair.com. Users will regularly need to resolve names to IP addresses for servers within each domain name. You want to ensure that the DNS queries remain within the corporate infrastructure.

Scenario 2: Contoso LTD has diversified into several product lines, and the AD DS domain structure is being extended. Contoso.com has three existing subdomains: NA.contoso.com, EU.contoso.com, and Asia.contoso.com. Plans are under way to create subdomains in each of the geographical domains, with an automotive domain under each and two separate subdomains under each automotive domain. You need to ensure the fastest possible name resolution path for internal clients.

10 minutes
Configuring delegation

[Diagram: the Contoso.com DNS server hosts the Contoso.com DNS zone and the Sales subdomain DNS zone; the Marketing subdomain is delegated to a separate DNS server]
Lab A: Planning and implementing name resolution by using DNS

• Exercise 1: Planning DNS name resolution
• Exercise 2: Implementing DNS servers and zones

Logon Information
Virtual machines:
  20741B-LON-DC1
  20741B-EU-RTR
  20741B-INET1
  20741B-LON-SVR1
  20741B-SYD-SVR1
User name: Adatum\Administrator
Password: Pa55w.rd

Estimated Time: 60 minutes

Lab Scenario
Users in the A. Datum Corporation’s Sydney office have been complaining
about slowness and errors when connecting to internal and external websites
and servers. Currently, the Sydney office only hosts client computers. Wide
area network (WAN) communication between Sydney and London, where
infrastructure servers are hosted, has been intermittent and is the primary
cause of the issues. You have been asked to implement DNS infrastructure in
Sydney by using one server that will resolve the majority of these issues.
The current DNS structure for A. Datum Corporation is as follows:
• Your Internet service provider’s DNS server (131.107.0.100) provides DNS
resolution and forwarding for Internet-based domain names.
• The Contoso.com domain namespace hosts web and mail services that are
accessible from the Internet. These servers are also accessible from inside the
A. Datum Corporation network.
• The Treyresearch.net namespace contains resources used by A. Datum
Corporation employees. However, the DNS records for the Treyresearch.net
zone are not located on the DNS server that clients are configured to use.
They are located on LON-SVR1.
• LON-DC1 provides DNS resolution for Adatum.com.
Lab Scenario (continued)

You must configure a DNS server in the Sydney location to enable more
efficient name resolution for Sydney clients. The DNS server must
resolve queries for local clients, and provide access to name resolution
for the Internet sites, as provided by LON-SVR1. Sydney clients should
be forwarded to an authoritative server for Adatum.com to resolve
internal queries.
The requirements are as follows:
• Configuring forwarding for all DNS lookups for Internet access from
Sydney to your ISP’s DNS server.
• Configuring conditional forwarding on SYD-SVR1 for the
Treyresearch.net zone.
• Hosting and resolving queries for the Adatum.com domain within the
Sydney location.
Lab Scenario (continued)

The virtual machines used in this lab provide the following services:
• INET1 (131.107.0.100). DNS server providing name resolution for
Internet-based DNS names.
• EU-RTR (131.107.0.10, 172.16.0.1, 172.16.18.1) Router for Internet,
NA_WAN, and PAC_WAN virtual switches.
• LON-DC1 (172.16.0.10). Domain controller and DNS server hosting the
Adatum.com namespace.
• LON-SVR1 (172.16.0.11). DNS server hosting the Treyresearch.net
namespace.
• SYD-SVR1 (172.16.19.20). The server that you will configure with DNS
to provide name resolution for client computers in Sydney.
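One way to meet the three lab requirements on SYD-SVR1 with the forwarding and delegation guidance from the preceding slides, as an added PowerShell example that is not the lab's answer key; it uses the lab's addresses, hosts Adatum.com locally as a secondary zone (one of several valid choices), and the delegation names and 192.0.2.10 are constructed.

```powershell
# Added example, run on SYD-SVR1 (172.16.19.20). Lab addresses; delegation values constructed.

# Requirement 1: Internet lookups go to the ISP's DNS server (INET1, 131.107.0.100)
Add-DnsServerForwarder -IPAddress 131.107.0.100 -PassThru
# Keep queries on the chosen path: do not fall back to root hints if the forwarder fails
Set-DnsServerForwarder -UseRootHint $false -Timeout 5

# Requirement 2: only Treyresearch.net is sent to LON-SVR1, which hosts that zone
Add-DnsServerConditionalForwarderZone -Name treyresearch.net -MasterServers 172.16.0.11

# Requirement 3: answer Adatum.com in Sydney from a read-only copy pulled from LON-DC1
Add-DnsServerSecondaryZone -Name adatum.com -ZoneFile 'adatum.com.dns' -MasterServers 172.16.0.10

# Delegation slide: on the contoso.com server, hand sales.contoso.com to its own name server
Add-DnsServerZoneDelegation -Name contoso.com -ChildZoneName sales `
    -NameServer ns1.sales.contoso.com -IPAddress 192.0.2.10

# Verify each resolution path from the new server
Get-DnsServerForwarder | Select-Object IPAddress, UseRootHint, Timeout
Get-DnsServerZone | Where-Object ZoneType -in 'Forwarder', 'Secondary' |
    Select-Object ZoneName, ZoneType, MasterServers
Resolve-DnsName www.treyresearch.net -Server 172.16.19.20 -DnsOnly   # conditional forwarder path
Resolve-DnsName lon-dc1.adatum.com -Server 172.16.19.20 -DnsOnly     # local secondary zone
Resolve-DnsName www.contoso.com -Server 172.16.19.20 -DnsOnly        # Internet path via the ISP
```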
Lab Review

• Can you install the DNS Server role on a server that is not a domain controller? If yes, are there any limitations?
• What is the most common way to carry out Internet name resolution on a local DNS?
• How can you browse the content of the DNS resolver cache on a DNS server?
Lesson 4: Configuring DNS integration with AD DS

• Overview of AD DS and DNS integration
• What are Service Resource Locator records?
• Benefits of Service Resource Locator records
• What are Active Directory–integrated zones?
• Application partitions in AD DS
• Dynamic updates
• Demonstration: Configuring AD DS–integrated zones
Overview of AD DS and DNS integration

[Diagram: with Active Directory–integrated zones, the DNS Service on each domain controller receives zone data as part of the normal replication traffic between domain controllers; with standard zones, data moves by zone transfer from a primary DNS server to a secondary DNS server]
What are Service Resource Locator records?

• Domain controllers register SRV records as follows:
  • _tcp.adatum.com: all domain controllers in the domain
  • _tcp.sitename._sites.adatum.com: all services in a specific site
• Clients query DNS to locate services in specific sites
Benefits of Service Resource Locator records

Benefits of SRV resource records:

• Domain controllers register their SRV resource records dynamically, by service and site location
• Client systems in sites use the SRV resource records recorded for their site to find domain controllers in their own site before attempting to connect to domain controllers across wide area network links
• Keeps network traffic across links down and manageable
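The site-aware lookup described on the two SRV slides, as an added PowerShell example that is not part of the course and not the Netlogon DC locator itself: it queries the site-specific SRV name first, falls back to the domain-wide name, and picks a target the way SRV priority and weight are meant to be used. The function name and the fallback are my additions; "Sydney" is an assumed site name.

```powershell
# Added example: find an LDAP-capable domain controller for a site from its SRV records.
function Find-DomainControllerBySite {
    param(
        [Parameter(Mandatory)] [string] $Domain,   # e.g. adatum.com
        [Parameter(Mandatory)] [string] $Site,     # AD DS site name, e.g. Sydney (assumed)
        [string] $Server                           # DNS server to ask; default is the client's
    )
    $common = @{ Type = 'SRV'; DnsOnly = $true; ErrorAction = 'SilentlyContinue' }
    if ($Server) { $common.Server = $Server }

    # Site-specific records first: _ldap._tcp.<site>._sites.<domain>
    $srv = Resolve-DnsName -Name "_ldap._tcp.$Site._sites.$Domain" @common | Where-Object Type -eq 'SRV'
    if (-not $srv) {
        # Nothing registered for that site: any DC in the domain, possibly across the WAN
        $srv = Resolve-DnsName -Name "_ldap._tcp.$Domain" @common | Where-Object Type -eq 'SRV'
    }
    if (-not $srv) { return $null }

    # Lowest priority value wins; among equals, choose at random in proportion to weight
    $best = ($srv | Sort-Object Priority | Select-Object -First 1).Priority
    $candidates = @($srv | Where-Object Priority -eq $best)
    $total = ($candidates | Measure-Object Weight -Sum).Sum
    if ($total -le 0) { return ($candidates | Get-Random) }
    $pick = Get-Random -Minimum 0 -Maximum $total
    foreach ($c in $candidates) {
        $pick -= $c.Weight
        if ($pick -lt 0) { return $c }
    }
    $candidates[-1]
}

# Usage: Find-DomainControllerBySite -Domain adatum.com -Site Sydney -Server 172.16.19.20 |
#        Select-Object NameTarget, Port, Priority, Weight
```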
What are Active Directory–integrated zones?

An Active Directory–integrated zone:

• Allows multi-master writes to the zone
• Replicates DNS zone information by using AD DS replication:
  • Leverages an efficient replication topology
  • Uses efficient incremental updates for Active Directory replication processes
• Enables secure dynamic updates
• Delegates zones, domains, and resource records for increased security
Application partitions in AD DS

Partition          Replication scope
Domain             Replicate to all domain controllers in the AD DS domain
Config, Schema     Replicate to all domain controllers in the forest
DomainDNSZones     Replicate to all domain controllers that are DNS servers in the AD DS domain
ForestDNSZones     Replicate to all domain controllers that are DNS servers in the AD DS forest
Custom partition   Replicate to all domain controllers in the replication scope for the application partition
Dynamic updates

[Diagram: the client, the DNS server and its resource records exchanging messages 1 to 7]

1. The client sends an SOA query
2. The DNS server returns an SOA resource record
3. The client sends dynamic update request(s) to identify the primary DNS server
4. The DNS server responds that it can perform an update
5. The client sends an unsecured update to the DNS server
6. If the zone permits only secure updates, the update is refused
7. The client sends a secured update to the DNS server
Demonstration: Configuring AD DS–integrated zones

In this demonstration, you will learn how to:

• Promote a server as a domain controller
• Create an Active Directory–integrated zone
• Create a record
• Verify replication to a second DNS server
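The demonstration's last three steps and the dynamic-update sequence from the previous slide, as an added PowerShell example that is not the course's demonstration script; it assumes the lab's LON-DC1 (172.16.0.10) and an already promoted SYD-SVR1 (172.16.19.20), and uses the contoso.com record from the "Creating records in DNS" slide.

```powershell
# Added example: AD-integrated zone with secure dynamic updates, replication check, client registration.

# On LON-DC1: zone stored in AD DS, replicated to every DNS server in the forest.
# -DynamicUpdate Secure means step 5 (an unsecured update) is refused at step 6, and only
# the Kerberos-authenticated update at step 7 is accepted; the updating account becomes
# the record's owner in AD DS, so other machines cannot overwrite it.
Add-DnsServerPrimaryZone -Name contoso.com -ReplicationScope Forest -DynamicUpdate Secure
Add-DnsServerResourceRecordA -ZoneName contoso.com -Name ATL-SVR1 -IPv4Address 172.16.18.25

# Verify replication: ask the second DNS server directly, bypassing any cache on the client
Resolve-DnsName atl-svr1.contoso.com -Type A -Server 172.16.19.20 -DnsOnly

# Existing zone still set to NonsecureAndSecure: tighten it and confirm
Set-DnsServerPrimaryZone -Name adatum.com -DynamicUpdate Secure
Get-DnsServerZone -Name adatum.com | Select-Object ZoneName, IsDsIntegrated, ReplicationScope, DynamicUpdate

# On a domain-joined client: Register-DnsClient performs steps 1 to 7 for its own A/PTR records
Register-DnsClient
Resolve-DnsName "$env:COMPUTERNAME.adatum.com" -Type A -Server 172.16.0.10 -DnsOnly

# The DNS Server audit channel records accepted and refused dynamic updates
Get-WinEvent -LogName 'Microsoft-Windows-DNSServer/Audit' -MaxEvents 20 | Format-List TimeCreated, Message
```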
Lab B: Integrating DNS with AD DS

• Exercise 1: Integrating DNS with AD DS

Logon Information
Virtual machines:
  20741B-LON-DC1
  20741B-LON-SVR1
  20741B-INET1
  20741B-EU-RTR
  20741B-SYD-SVR1
User name: Adatum\Administrator
Password: Pa55w.rd

Estimated Time: 20 minutes

Lab Scenario

After making additional improvements to the WAN connection between the London and Sydney locations, you have been asked to enable SYD-SVR1 to update and replicate records for the Adatum.com domain.

Lab Review

• Why did you promote SYD-SVR1 to a domain controller?
Lesson 5: Configuring advanced DNS settings

• Configuring advanced DNS name resolution
• Configuring root hints
• What is the GlobalNames zone?
• Demonstration: Configuring the GlobalNames zone
• Understanding split DNS
• Implementing split DNS
• DNS policies
• Demonstration: Configuring DNS policies
• Implementing DNS security
• Implementing DNSSEC
• Demonstration: Configuring DNSSEC
Configuring advanced DNS name resolution

Advanced DNS name resolution:
• DNS round robin
• Netmask reordering
• Recursion
Configuring root hints

Root hints contain the IP addresses for the DNS root servers

[Diagram: a client queries its DNS server; the DNS server uses its root hints to contact the root (.) servers, then the com and microsoft DNS servers]
What is the GlobalNames zone?

The GlobalNames zone allows single-label names to be resolved in multiple DNS domain environments

You can configure the GlobalNames zone by using dnscmd or by using Windows PowerShell:
• Get-DnsServerGlobalNameZone
• Set-DnsServerGlobalNameZone

[Diagram: a DNS client queries the DNS server, which checks its forward lookup zone and then the GlobalNames zone (steps 1 to 6)]
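The GlobalNames configuration with the two cmdlets listed above, as an added PowerShell example that is not part of the course; the alias name "intranet" and its target are assumptions.

```powershell
# Added example: single-label name resolution through the GlobalNames zone.

# The zone must be named GlobalNames. Forest-wide AD-integrated, with dynamic updates
# off: only administrators add entries, so a client cannot register a name that
# every domain in the forest would then resolve.
Add-DnsServerPrimaryZone -Name GlobalNames -ReplicationScope Forest -DynamicUpdate None

# Enable GlobalNames support on every DNS server that should consult the zone
Set-DnsServerGlobalNameZone -Enable $true
Get-DnsServerGlobalNameZone

# Only CNAME records belong in GlobalNames: single label -> existing FQDN (assumed values)
Add-DnsServerResourceRecordCName -ZoneName GlobalNames -Name intranet -HostNameAlias lon-svr1.adatum.com

# A client appends its suffix (intranet.adatum.com); the server finds no such record in
# adatum.com, checks GlobalNames for "intranet" and returns the CNAME and its A record
Resolve-DnsName intranet -Server 172.16.0.10 -DnsOnly
```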
Demonstration: Configuring the GlobalNames zone

In this demonstration, you will learn how to create a GlobalNames zone
Understanding split DNS

[Diagram: the internal network, with domain controllers running Active Directory-integrated DNS, sits behind the inside firewall; the perimeter network between the inside and outside firewalls contains the web server, the mail server and an external DNS server that hosts only records that are resolved from the outside, such as the mail and web server]

1. Clients and servers on the internal network send all DNS queries to Active Directory-integrated DNS servers.
2. The Active Directory-integrated DNS servers return IP addresses back to those querying clients and servers on the internal network.
3. The external DNS server provides name resolution for Internet clients.
Implementing split DNS

• Same namespace:
  • Internal records should not be available externally
  • Records might need to be synchronized between internal and external DNS
• Unique namespace:
  • Record synchronization is not required
  • Existing DNS infrastructure is unaffected
  • Clearly delineates between internal and external DNS
• Subdomain:
  • Record synchronization is not required
  • Contiguous namespace is easy to understand
DNS policies

• DNS policy scenarios:
  • Application high availability
  • Traffic management
  • Split brain DNS
  • Filtering
  • Forensics
• DNS policy objects:
  • Client subnet
  • Recursion scope
  • Zone scope
• Use Windows PowerShell to create and manage DNS policies
Demonstration: Configuring DNS policies

In this demonstration, you will learn how to create a DNS policy that returns a different server address that depends upon the client location
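The location-based policy from this demonstration and the same-namespace split-brain case from the "Implementing split DNS" slide, built from the three policy objects (client subnet, zone scope, policy), as an added PowerShell example that is not the course's demonstration script; the subnet, scope names, record addresses and the public-facing interface address are assumptions.

```powershell
# Added example: DNS policies on Windows Server 2016 (all addresses and names assumed).

# 1. Traffic management: Sydney clients get a Sydney web server, everyone else the default
Add-DnsServerClientSubnet -Name 'SydneyClients' -IPv4Subnet '172.16.19.0/24'
Add-DnsServerZoneScope -ZoneName 'adatum.com' -Name 'SydneyScope'   # the two required parameters
# Same name, different answer per scope; the default scope is the zone itself
Add-DnsServerResourceRecord -ZoneName 'adatum.com' -A -Name 'www' -IPv4Address '172.16.0.50'
Add-DnsServerResourceRecord -ZoneName 'adatum.com' -A -Name 'www' -IPv4Address '172.16.19.50' -ZoneScope 'SydneyScope'
Add-DnsServerQueryResolutionPolicy -Name 'SydneyPolicy' -Action ALLOW `
    -ClientSubnet 'EQ,SydneyClients' -ZoneScope 'SydneyScope,1' -ZoneName 'adatum.com'

# 2. Split-brain in one namespace: queries that arrive on the public-facing interface are
#    answered from an external scope, so internal records never leave the zone's default scope
Add-DnsServerZoneScope -ZoneName 'adatum.com' -Name 'ExternalScope'
Add-DnsServerResourceRecord -ZoneName 'adatum.com' -A -Name 'www' -IPv4Address '131.107.0.50' -ZoneScope 'ExternalScope'
Add-DnsServerQueryResolutionPolicy -Name 'SplitBrainPolicy' -Action ALLOW `
    -ServerInterfaceIP 'EQ,131.107.0.20' -ZoneScope 'ExternalScope,1' -ZoneName 'adatum.com'

# 3. Filtering: drop queries for a name you never want resolved (placeholder domain)
Add-DnsServerQueryResolutionPolicy -Name 'BlockExample' -Action IGNORE -Fqdn 'EQ,*.blocked.example'

# Verify: policies are evaluated in processing order; test from each side
Get-DnsServerQueryResolutionPolicy -ZoneName 'adatum.com' | Select-Object Name, ProcessingOrder, Action
Get-DnsServerQueryResolutionPolicy | Select-Object Name, Level, Action
Resolve-DnsName www.adatum.com -Server 172.16.0.10 -DnsOnly   # answer depends on the querying subnet
```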
Implementing DNS security

DNS Security Feature     Description
DNS cache locking        Prevents entries in the cache from being overwritten until a certain percentage of the TTL has expired
DNS socket pool          Randomizes the source port for issuing DNS queries. Enabled by default in Windows Server 2012
DANE                     Uses TLSA records that state the CA from which clients should expect a certificate
DNSSEC                   Enables cryptographically signing DNS records so that client computers can validate responses
RRL                      Ignores DDOS queries or replies to them in truncation, requiring a three-way handshake in TCP
Unknown Record Support   Will not do any record-specific processing for the unknown records, but will send them back in
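The cache locking, socket pool and RRL rows of the table, plus the recursion, round robin and netmask items from "Configuring advanced DNS name resolution", as an added PowerShell hardening example that is not part of the course; the RRL thresholds are assumptions.

```powershell
# Added example: server-side DNS hardening on Windows Server 2016 (thresholds assumed).

# Cache locking: a cached record cannot be overwritten until 100% of its TTL has
# elapsed, which blunts poisoning attempts that race a legitimate answer
Set-DnsServerCache -LockingPercent 100
Get-DnsServerCache | Select-Object LockingPercent, MaxTtl, MaxNegativeTtl

# Socket pool: confirm the randomized source-port pool is in use (default size 2500)
(Get-DnsServerSetting -All).SocketPoolSize

# Response Rate Limiting: repeated identical answers to one client prefix are throttled;
# excess responses are dropped or sent truncated so a real client retries over TCP
Set-DnsServerResponseRateLimiting -Mode Enable -ResponsesPerSec 5 -ErrorsPerSec 5 `
    -WindowInSec 5 -LeakRate 3 -TruncateRate 2 -Force
Get-DnsServerResponseRateLimiting
# Safer rollout: run in LogOnly mode first and read the analytic log before enforcing
# Set-DnsServerResponseRateLimiting -Mode LogOnly -Force

# Recursion: an Internet-facing authoritative server should not recurse for anyone
# (an open resolver amplifies reflection traffic); internal resolvers keep it enabled
Set-DnsServerRecursion -Enable $false
Get-DnsServerRecursion

# Round robin and netmask ordering for names with several A records
$setting = Get-DnsServerSetting -All
$setting.RoundRobin = $true
$setting.LocalNetPriority = $true
Set-DnsServerSetting -InputObject $setting
```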
Implementing DNSSEC

DNSSEC functions as follows:

• If a zone has been digitally signed, a query response will contain digital signatures
• DNSSEC uses trust anchors, which are special zones that store public keys associated with digital signatures
• Resolvers use trust anchors to retrieve public keys and build trust chains
• DNSSEC requires trust anchors to be configured on all DNS servers participating in DNSSEC
• DNSSEC uses the NRPT, which contains rules that control the requesting client computer's behavior for sending queries and handling responses
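The DNSSEC flow above (sign the zone, distribute the trust anchor, require validation through the NRPT), as an added PowerShell example that is not the course's Zone Signing Wizard demonstration; it assumes the lab's LON-DC1 and SYD-SVR1, and the key export path and keyset file name are assumptions.

```powershell
# Added example: DNSSEC on Windows Server with the lab's servers (paths assumed).

# On LON-DC1 (authoritative): sign adatum.com with the default KSK/ZSK settings
Invoke-DnsServerZoneSign -ZoneName adatum.com -SignWithDefault -Force
Get-DnsServerDnsSecZoneSetting -ZoneName adatum.com
# The zone now carries DNSKEY, RRSIG and NSEC/NSEC3 records next to its data
Get-DnsServerResourceRecord -ZoneName adatum.com -RRType DnsKey

# Export the public key set so validating servers can anchor trust in this zone
Export-DnsServerDnsSecPublicKey -ZoneName adatum.com -Path 'C:\DnssecKeys' -Force

# On SYD-SVR1 (validating resolver; assumption: the keyset file was copied over):
# without a trust anchor the resolver cannot build a chain and will not validate
Import-DnsServerTrustAnchor -KeySetFile 'C:\DnssecKeys\keyset-adatum.com'
Get-DnsServerTrustAnchor -Name adatum.com

# On a client: NRPT rule so that names under adatum.com must validate or fail
Add-DnsClientNrptRule -Namespace '.adatum.com' -DnsSecEnable -DnsSecValidationRequired
Get-DnsClientNrptRule | Select-Object Namespace, DnsSecEnable, DnsSecValidationRequired

# Query with the DNSSEC OK bit set: the RRSIG records come back with the answer
Resolve-DnsName lon-dc1.adatum.com -Type A -Server 172.16.19.20 -DnssecOk
```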
Demonstration: Configuring DNSSEC

In this demonstration, you will learn how to use the Zone Signing Wizard in the DNS Manager console to configure DNSSEC
DNS on Nano Server

To use Nano Server as a DNS Server:

• Install the NanoServer package
• Create a VHD with the Microsoft-NanoServer-DNS-Package
• Import the VHD into Hyper-V as a virtual machine
• Configure networking settings and enable the remote management firewall ports
• Connect remotely to the server running Nano Server by using Windows PowerShell 5.0 on a Windows client or a server
• Run the command Enable-WindowsOptionalFeature -Online -FeatureName DNS-Server-Full-Role
• Manage DNS remotely by using the Windows PowerShell 5.0 DNS commands
Lab C: Configuring advanced DNS settings

• Exercise 1: Configuring DNS policies
• Exercise 2: Validating the DNS implementation
• Exercise 3: Troubleshooting DNS

Logon Information
Virtual machines:
  20741B-LON-DC1
  20741B-LON-SVR1
  20741B-INET1
  20741B-EU-RTR
  20741B-SYD-SVR1
  20741B-TOR-SVR1
  20741B-LON-CL1
User name: Adatum\Administrator
Password: Pa55w.rd

Estimated Time: 40 minutes
Lab Scenario

You want to make DNS zone management easier. You want to configure DNS policies in Windows Server 2016, so that users in different geographical areas can connect to a different web server. You must then test and troubleshoot the DNS configuration that you have created.
Lab Review

• The Windows PowerShell cmdlet Add-DnsServerZoneScope requires what two parameters?
Module Review and Takeaways

• Review Questions
• Tools
• Best Practices
• Common Issues and Troubleshooting Tips
