20741B - 04-Implementing DNS
Implementing DNS
Module Overview
Windows operating systems
[Diagram: numbered name-resolution steps through the .root DNS and .com DNS servers]
Demonstration: Installing and configuring the DNS role
[Diagram: namespace training.contoso.com, with DNS Client1, DNS Client2 and the address 192.168.2.46 to be resolved]
What are primary and secondary zones?
Zones: Active Directory-integrated zones
Description:
• Perform incremental replication between DNS servers
• Adjust the Active Directory replication schedule
[Diagram: numbered query steps (1, 3, 5) through the .root DNS, .com DNS and Microsoft.com DNS servers]
What are root hints?
[Diagram: DNS server hierarchy. A root-domain DNS server sits above the contoso.com and fabrikam.com DNS servers; contoso.com delegates na.contoso.com and sa.contoso.com, fabrikam.com delegates na.fabrikam.com; na.contoso.com delegates ny.na.contoso.com and sa.contoso.com delegates rio.sa.contoso.com]
What is DNS caching?
DNS server cache
Host name: ServerA.contoso.com | IP address: 131.107.0.44 | TTL: 28 seconds
[Diagram: Contoso internal DNS server, forwarding to an Internet DNS server, answers "Where is ServerA?" from Client1 and then from Client2 with "ServerA is at 131.107.0.44"; the second answer is served from the cache]
What is DNS forwarding?
[Diagram: a client queries the local Contoso.com DNS server, which forwards the query ("Ask .com") to the .com DNS server]
DNS forwarding and stub zone guidance
Scenario 1: Northwind Traders Inc. has recently acquired the Beyond Blue Airline Corporation, and you are tasked with setting up the DNS infrastructure. You will have an Active Directory Domain Services (AD DS) forest named Northwind.com and a separate tree named Beyondblueair.com. Users will regularly need to resolve names to IP addresses for servers within each domain name. You want to ensure that the DNS queries remain within the corporate infrastructure.

Scenario 2: Contoso LTD has diversified into several product lines, and the AD DS domain structure is being extended. Contoso.com has three existing subdomains: NA.contoso.com, EU.contoso.com, and Asia.contoso.com. Plans are under way to create subdomains in each of the geographical domains: an automotive domain under each, with two separate subdomains under each automotive domain. You need to ensure the fastest possible name-resolution path for internal clients.
Configuring delegation
[Diagram: the DNS server for Contoso.com hosts the parent DNS zone and delegates a subdomain DNS zone to separate DNS servers for Sales and Marketing]
Lesson 4: Configuring DNS integration with AD DS
[Diagram: domain controllers replicating DNS data through the DNS service and zone transfer]
DomainDNSZones: Replicate to all domain controllers that are DNS servers in the AD DS domain
ForestDNSZones: Replicate to all domain controllers that are DNS servers in the AD DS forest
Custom partition: Replicate to all domain controllers in the replication scope for the application partition
Dynamic updates
Advanced DNS name resolution:
• DNS round robin
• Netmask reordering
• Recursion
Configuring root hints
[Diagram: a client queries a DNS server, which uses root hints to walk from the com servers to the microsoft servers]
What is the GlobalNames zone?
The GlobalNames zone allows single-label names to be resolved in multiple DNS domain environments
You can configure the GlobalNames zone by using dnscmd or by using Windows PowerShell:
• Get-DnsServerGlobalNameZone
• Set-DnsServerGlobalNameZone
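The following script shows the full sequence the cmdlets above are part of: create the forest-replicated GlobalNames zone, enable GlobalNames support, publish a single-label alias, and verify it. This is an added example, not code from the course; the server name LON-DC1, the alias "intranet" and the target host web1.adatum.com are assumptions.

```powershell
# Added example (not from the course). Assumed values: DNS server LON-DC1,
# single-label alias "intranet", target host web1.adatum.com.
$DnsServer = 'LON-DC1'

# 1. The GlobalNames zone must be AD-integrated; forest scope lets every
#    DNS server on a domain controller in the forest answer the same names.
if (-not (Get-DnsServerZone -ComputerName $DnsServer -Name 'GlobalNames' -ErrorAction SilentlyContinue)) {
    Add-DnsServerPrimaryZone -ComputerName $DnsServer -Name 'GlobalNames' -ReplicationScope Forest
}

# 2. Turn on GlobalNames support (dnscmd equivalent:
#    dnscmd LON-DC1 /config /enableglobalnamessupport 1).
Set-DnsServerGlobalNameZone -ComputerName $DnsServer -Enable $true

# 3. Publish a single-label name as a CNAME to the FQDN it should resolve to.
#    Only administrators add records here: BlockUpdates (default $true) keeps
#    clients from dynamically registering names into this zone.
Add-DnsServerResourceRecordCName -ComputerName $DnsServer -ZoneName 'GlobalNames' `
    -Name 'intranet' -HostNameAlias 'web1.adatum.com'

# 4. Confirm the setting and that BlockUpdates is still enforced.
$gnz = Get-DnsServerGlobalNameZone -ComputerName $DnsServer
if (-not $gnz.Enable)       { throw 'GlobalNames support is not enabled' }
if (-not $gnz.BlockUpdates) { Write-Warning 'BlockUpdates is off: dynamic updates into GlobalNames are allowed' }

# 5. Resolve the single-label name against the server; the answer should be a
#    CNAME to web1.adatum.com followed by its A record.
Resolve-DnsName -Name 'intranet' -Server $DnsServer -Type CNAME
```

Add-DnsServerPrimaryZone fails on a server that is not a domain controller, which is expected: GlobalNames requires an Active Directory-integrated zone.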
[Diagram: numbered steps 1 to 6 of a single-label query between the DNS client, the DNS server, its forward lookup zone and the GlobalNames zone]
Demonstration: Configuring the GlobalNames zone
[Diagram: internal network with domain controllers running Active Directory-integrated DNS, an inside firewall, a perimeter network holding a web server and a mail server, and an outside firewall]
Understanding split DNS
Implementing split DNS
• Same namespace:
  • Internal records should not be available externally
  • Records might need to be synchronized between internal and external DNS
• Unique namespace:
  • Record synchronization is not required
  • Existing DNS infrastructure is unaffected
  • Clearly delineates between internal and external DNS
• Subdomain:
  • Record synchronization is not required
  • Contiguous namespace is easy to understand
DNS policies
DNS socket pool: Randomizes the source port for issuing DNS queries. Enabled by default in Windows Server 2012
DANE: Uses TLSA records that state the CA from which they should expect a certificate
DNSSEC: Enables cryptographically signing DNS records so that client computers can validate responses
Logon Information
Virtual machines: 20741B-LON-DC1
20741B-EU-RTR
20741B-INET1
20741B-LON-SVR1
20741B-SYD-SVR1
User name: Adatum\Administrator
Password: Pa55w.rd
You must configure a DNS server in the Sydney location to enable more
efficient name resolution for Sydney clients. The DNS server must
resolve queries for local clients, and provide access to name resolution
for the Internet sites, as provided by LON-SVR1. Sydney clients should
be forwarded to an authoritative server for Adatum.com to resolve
internal queries.
The requirements are as follows:
• Configuring forwarding for all DNS lookups for Internet access from
Sydney to your ISP’s DNS server.
• Configuring conditional forwarding on SYD-SVR1 for the
Treyresearch.net zone.
• Hosting and resolving queries for the Adatum.com domain within the
Sydney location.
Lab Scenario (continued)
The virtual machines used in this lab provide the following services:
• INET1 (131.107.0.100). DNS server providing name resolution for
Internet-based DNS names.
• EU-RTR (131.107.0.10, 172.16.0.1, 172.16.18.1). Router for the Internet,
NA_WAN, and PAC_WAN virtual switches.
• LON-DC1 (172.16.0.10). Domain controller and DNS server hosting the
Adatum.com namespace.
• LON-SVR1 (172.16.0.11). DNS server hosting the Treyresearch.net
namespace.
• SYD-SVR1 (172.16.19.20). The server that you will configure with DNS
to provide name resolution for client computers in Sydney.
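One way to meet the three lab requirements on SYD-SVR1 with the DnsServer PowerShell module, using the addresses listed above. This is an added example, not the course's own lab steps; treating INET1 as the ISP DNS server and hosting Adatum.com as a secondary zone pulled from LON-DC1 are assumptions.

```powershell
# Added example (not the course's lab answer). Assumptions: INET1 plays the
# ISP DNS server, and Adatum.com is hosted locally as a secondary zone.
$Isp       = '131.107.0.100'   # INET1
$LonDc1    = '172.16.0.10'     # authoritative for Adatum.com
$LonSvr1   = '172.16.0.11'     # authoritative for Treyresearch.net
$SydSvr1   = '172.16.19.20'    # this server

# Requirement 0: the DNS Server role must be present on SYD-SVR1.
Install-WindowsFeature -Name DNS -IncludeManagementTools

# Requirement 1: send every non-local lookup to the ISP, and do not fall back
# to root hints if the ISP does not answer (keeps query paths predictable).
Add-DnsServerForwarder -IPAddress $Isp
Set-DnsServerForwarder -UseRootHint $false

# Requirement 2: Treyresearch.net goes straight to LON-SVR1, bypassing the ISP.
Add-DnsServerConditionalForwarderZone -Name 'Treyresearch.net' -MasterServers $LonSvr1

# Requirement 3: hold a read-only copy of Adatum.com in Sydney. Zone transfers
# must first be allowed on LON-DC1, and only to SYD-SVR1, not to any server.
Set-DnsServerPrimaryZone -ComputerName 'LON-DC1' -Name 'Adatum.com' `
    -SecureSecondaries TransferToSecureServers -SecondaryServers $SydSvr1
Add-DnsServerSecondaryZone -Name 'Adatum.com' -ZoneFile 'Adatum.com.dns' -MasterServers $LonDc1

# Verification: each name should be answered by SYD-SVR1 via the intended path.
Get-DnsServerForwarder
Get-DnsServerZone | Where-Object ZoneName -in 'Adatum.com','Treyresearch.net' |
    Select-Object ZoneName, ZoneType, MasterServers
foreach ($n in 'LON-DC1.Adatum.com', 'LON-SVR1.Treyresearch.net') {
    Resolve-DnsName -Name $n -Server $SydSvr1 -Type A -ErrorAction Stop |
        Select-Object Name, IPAddress
}
```

If the secondary zone stays empty, check the Allow zone transfers setting on LON-DC1 and the DNS Server event log on SYD-SVR1 before changing anything else.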
Lab Review
Logon Information
Virtual machines: 20741B-LON-DC1
20741B-LON-SVR1
20741B-INET1
20741B-EU-RTR
20741B-SYD-SVR1
User name: Adatum\Administrator
Password: Pa55w.rd
• Review Questions
• Tools
• Best Practices
• Common Issues and Troubleshooting Tips