What is a DNS zone?
A DNS zone is a collection of records together with the settings that decide whether that collection can be updated and how it replicates to other DNS servers.
What are forwarders?
A forwarder is a way of redirecting DNS queries to specific servers. It is used to improve DNS performance or to allow resolution of specific DNS zones that might otherwise not be directly reachable.
Where can you create an AD integrated zone?
Only on a writable domain controller, that is, the computer on which you have installed AD DS and promoted to a domain controller.
Where can you configure primary and stub zones as AD integrated zones?
On a domain controller that also has the DNS Server role installed, so that it can process updates to those zones.
Where can you configure the DNS replication scope?
When you create a new AD integrated zone, the wizard gives you the option to choose the replication scope:
* To all DNS servers running on all domain controllers in this forest.
* To all DNS servers running on all domain controllers in this domain.
* To all DNS servers running on all domain controllers in this domain (for Windows 2000 compatibility).
Why do we need to configure dynamic updates when configuring a zone?
This is useful in environments in which clients change IP addresses on a regular basis. When a client gets a new IP address, it can update the record associated with its host name in the appropriate DNS zone.
■ Allow only secure dynamic updates: You can use this option only with Active Directory integrated zones. Only authenticated clients can update DNS records.
■ Allow both nonsecure and secure dynamic updates: With this option, any client can update a record. Although this option is convenient, it is also insecure because any client can update the DNS zone, potentially redirecting clients that trust the quality of the information stored on the DNS server.
■ Do not allow dynamic updates: When you choose this option, all DNS updates must be performed manually. This option is very secure, but it is also labor-intensive.
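The three options above map to the DynamicUpdate setting of a zone. The following script is an added example (not part of the original notes) that audits a DNS server for zones left on the insecure setting and moves the Active Directory integrated ones to secure-only; it assumes the DnsServer module that comes with the DNS Server role and is run on the DNS server itself.

```powershell
# Added example (not from the original notes): find every primary zone on
# this DNS server that still accepts unauthenticated ("nonsecure and secure")
# dynamic updates and move the ones that can be moved to secure-only.
# Assumes the DnsServer PowerShell module (DNS Server role, Windows Server
# 2012 or later) and that it runs on the DNS server itself.
Import-Module DnsServer

$weakZones = Get-DnsServerZone |
    Where-Object { $_.ZoneType -eq 'Primary' -and
                   $_.DynamicUpdate -eq 'NonsecureAndSecure' }

foreach ($zone in $weakZones) {
    if ($zone.IsDsIntegrated) {
        # Secure-only is available only for AD integrated zones: from now on
        # just authenticated domain members can register or change records.
        Set-DnsServerPrimaryZone -Name $zone.ZoneName -DynamicUpdate Secure
        Write-Output ("{0}: now accepts secure dynamic updates only" -f $zone.ZoneName)
    }
    else {
        # A standard (file-backed) primary zone cannot require secure updates.
        # Either convert it to AD integrated (needs a domain controller) or set
        # -DynamicUpdate None and maintain the records by hand.
        Write-Warning ("{0}: standard primary zone, still accepts updates from any client" -f $zone.ZoneName)
    }
}

# Re-read the settings so the result is visible at a glance.
Get-DnsServerZone |
    Where-Object ZoneType -eq 'Primary' |
    Select-Object ZoneName, IsDsIntegrated, DynamicUpdate
```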
Can a read-only domain controller (RODC) replicate updates to other DNS servers?
No, because it is read-only. However, an RODC forwards any zone update traffic directed at it to a writable domain controller.
How do you create an Active Directory integrated zone cpandl.com that replicates to all domain controllers in the forest, using a command?
Add-DnsServerPrimaryZone -Name cpandl.com -ReplicationScope Forest
__________________________________________________________________________
Notes: When you first install Active Directory, the installation process ensures that the DNS zone associated with the root domain is automatically configured as an Active Directory integrated zone and is replicated to all domain controllers in the forest.
______________________________________________________________________________
What is a primary zone?
When a zone that this DNS server hosts is a primary zone, the DNS server is the primary source for information about this zone, and it stores the master copy of zone data in a local file or in AD DS. When the zone is stored in a file, by default the primary zone file is named zone_name.dns and it is located in the %windir%\System32\Dns folder on the server.
If the primary zone is unavailable or has been deleted, no zone updates can occur until it is restored.
Windows Server 2012 supports two types of primary zones: Active Directory integrated zones and standard primary zones.
Active Directory integrated zones can be hosted only on computers that also function as domain controllers. Computers running Windows Server 2012 that are not domain controllers can host standard primary zones. When you create a primary zone on a computer that is not a domain controller, the wizard does not enable you to specify a replication scope for the zone.
What is a secondary zone?
A secondary zone is a read-only copy of a primary zone. Secondary zones cannot process updates; they can only retrieve updates from a primary zone. Secondary zones cannot be Active Directory integrated zones, but you can configure a secondary zone of a zone that is an Active Directory integrated primary zone. Prior to configuring a secondary zone, you need to configure the primary zone that it will replicate from to enable transfers to that zone. You can do this on the Zone Transfers tab of the zone properties, as shown in Figure 3-4. Secondary zones work best when the primary zone they replicate from does not update frequently. If the primary zone is frequently updated, it is possible that the secondary zone may have out-of-date records.
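The Zone Transfers tab described above has a PowerShell equivalent. The following is an added example (not from the original text) that sets up a secondary zone of contoso.com and, on the primary, limits transfers to that one secondary; the server names and addresses (primary 10.10.10.10, secondary 10.10.10.50) are constructed.

```powershell
# Added example, not from the original notes. Constructed lab values:
# the primary for contoso.com runs on 10.10.10.10, the secondary on 10.10.10.50.
# Run each part on the server named in the comment.

# --- On the primary (10.10.10.10): what the Zone Transfers tab does, in code.
# TransferAnyServer would let any host pull the whole zone (a full AXFR);
# TransferToSecureServers restricts transfers to the listed addresses only.
Set-DnsServerPrimaryZone -Name 'contoso.com' `
    -SecureSecondaries TransferToSecureServers `
    -SecondaryServers 10.10.10.50 `
    -Notify NotifyServers `
    -NotifyServers 10.10.10.50

# --- On the secondary (10.10.10.50): create the read-only copy that pulls
# from the primary. The zone file name is the local file the copy is kept in.
Add-DnsServerSecondaryZone -Name 'contoso.com' `
    -ZoneFile 'contoso.com.dns' `
    -MasterServers 10.10.10.10

# Force an immediate full transfer instead of waiting for the SOA refresh
# interval, then confirm that records arrived.
Start-DnsServerZoneTransfer -Name 'contoso.com' -FullTransfer
Get-DnsServerResourceRecord -ZoneName 'contoso.com' -RRType A

# --- Verification, from any management host: the primary should list only
# the intended secondary as a permitted transfer target.
Get-DnsServerZone -Name 'contoso.com' -ComputerName 10.10.10.10 |
    Select-Object ZoneName, SecureSecondaries, SecondaryServers, Notify, NotifyServers
```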
What are reverse lookup zones?
Reverse lookup zones translate IP addresses into FQDNs. You can create IPv4 or IPv6 reverse lookup zones, and reverse lookup zones can be configured as Active Directory integrated zones. You can configure reverse lookup zones as standard primary, secondary, or stub zones. The domain controller promotion process automatically creates a reverse lookup zone based on the IP address of the first domain controller promoted in the organization.
Reverse lookup zones are dependent on the network ID of the IP address range they represent.
IPv4 reverse lookup zones can represent only /8, /16, or /24 (the old Class A, Class B, and Class C) networks. You can’t create a single reverse lookup zone for IP subnets that don’t fit into these categories, and the smallest reverse lookup zone you can create is for subnet mask /24 (255.255.255.0).
How do you create a reverse lookup zone?
1. In the DNS Manager Console, right-click Reverse Lookup Zones and click New Zone.
2. On the Zone Type page, select the type of reverse lookup zone that you want to create.
You can create a primary or a stub zone that can be Active Directory integrated if you are managing a DNS server on a domain controller, or create a secondary zone if the reverse lookup zone is being replicated from an existing primary reverse lookup zone.
3. If you have chosen to make the lookup zone Active Directory integrated, you’ll need to choose the zone replication scope.
4. On the Reverse Lookup Zone Name page, choose between IPv4 and IPv6 Reverse Lookup Zone.
5. You can configure the reverse lookup zone on the basis of either the Network ID or the Reverse Lookup Zone Name, as shown in Figure 3-5. The name is automatically generated when you provide the ID.
6. You can then choose whether to enable secure dynamic updates, enable nonsecure and secure dynamic updates, or not enable dynamic updates.
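Step 5 generates the zone name from the network ID by reversing the network octets and dropping the host octets. The following is an added example (not from the original text) that reproduces that derivation for the three supported prefix lengths and then creates the zone with the Add-DnsServerPrimaryZone cmdlet; the function name Get-ReverseZoneName and the network 192.168.15.0/24 are constructed for the example.

```powershell
# Added example (not from the original notes): derive the in-addr.arpa zone
# name from an IPv4 network ID the way the New Zone wizard does, then create
# the zone. Only /8, /16 and /24 are accepted, matching the wizard's limits.
function Get-ReverseZoneName {
    param(
        [Parameter(Mandatory)][string]$NetworkId   # e.g. '192.168.15.0/24'
    )
    $address, $prefix = $NetworkId -split '/'
    if ($prefix -notin 8, 16, 24) {
        throw "Prefix /$prefix is not supported; use /8, /16 or /24"
    }
    $octets = $address -split '\.'
    $keep = [int]$prefix / 8          # octets that make up the network ID
    # Keep the network octets, reverse their order, drop the host octets
    # (the trailing zeros), and append the reverse-lookup suffix.
    $reversed = @($octets[0..($keep - 1)])
    [array]::Reverse($reversed)
    return ($reversed -join '.') + '.in-addr.arpa'
}

Get-ReverseZoneName '192.168.15.0/24'   # 15.168.192.in-addr.arpa
Get-ReverseZoneName '172.16.0.0/16'     # 16.172.in-addr.arpa
Get-ReverseZoneName '10.0.0.0/8'        # 10.in-addr.arpa

# Create the reverse zone as AD integrated, replicated forest-wide, accepting
# secure dynamic updates only (so only domain members can register PTR records).
$net = '192.168.15.0/24'
Add-DnsServerPrimaryZone -NetworkId $net -ReplicationScope Forest -DynamicUpdate Secure

# Confirm that the server generated the same zone name as the function above.
Get-DnsServerZone -Name (Get-ReverseZoneName $net) |
    Select-Object ZoneName, IsReverseLookupZone, DynamicUpdate, ReplicationScope
```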
What is zone delegation?
Zone delegations function as pointers to the next DNS layer down in the DNS hierarchy. For example, if your organization uses the contoso.com DNS zone and you want to create a separate australia.contoso.com DNS zone, you can perform a zone delegation so that the DNS servers for the contoso.com DNS zone point to the DNS servers for the australia.contoso.com DNS zone. When you create a new child domain in an Active Directory forest, zone delegation occurs automatically. When you are performing a manual delegation, create the delegated zone on the target DNS server prior to performing the delegation from the parent zone.
How do you configure a zone delegation?
You can configure a zone delegation by performing the following steps:
1. Create the primary zone, either standard or Active Directory integrated, on the DNS server that will host the delegated zone.
2. In the DNS Manager Console, right-click the zone that you want to create a delegation for and click New Delegation.
3. On the Delegated Domain Name page of the New Delegation Wizard, shown in Figure 3-6, enter the name of the delegated domain.
4. On the Name Servers page, shown in Figure 3-6, add the address of the DNS server that hosts the zone for which you are creating a delegation. The wizard will check that the DNS server is authoritative for the delegated zone.
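The same four steps can be scripted. The following is an added example (not from the original text) using the addresses from this lesson's review question: the child zone australia.fabrikam.com on 10.100.10.10 and the parent zone fabrikam.com on 10.10.10.10; the name-server host name ns1.australia.fabrikam.com is a constructed value.

```powershell
# Added example (not from the original notes) that scripts the delegation
# procedure. The child zone australia.fabrikam.com lives on 10.100.10.10 and
# the parent zone fabrikam.com on 10.10.10.10 (values from the review
# question); ns1.australia.fabrikam.com is a constructed host name.

# Step 1 -- on the child server (10.100.10.10): the delegated zone must exist
# before the parent points at it, otherwise the authority check in step 4
# fails. Dynamic updates are off here so the zone is maintained by hand.
Add-DnsServerPrimaryZone -Name 'australia.fabrikam.com' `
    -ZoneFile 'australia.fabrikam.com.dns' -DynamicUpdate None
Add-DnsServerResourceRecordA -ZoneName 'australia.fabrikam.com' `
    -Name 'ns1' -IPv4Address 10.100.10.10

# Steps 2-4 -- on the parent server (10.10.10.10): create the NS record and
# the glue A record in fabrikam.com that point at the child's name server.
Add-DnsServerZoneDelegation -Name 'fabrikam.com' `
    -ChildZoneName 'australia' `
    -NameServer 'ns1.australia.fabrikam.com' `
    -IPAddress 10.100.10.10

# Check, from the parent, that the delegation exists and that the child
# server really answers authoritatively for the delegated zone.
Get-DnsServerZoneDelegation -Name 'fabrikam.com'
Resolve-DnsName -Name 'australia.fabrikam.com' -Type SOA -Server 10.100.10.10
```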
What is Split DNS?
Split DNS enables organizations to use the same namespace for internal and external hosts, while ensuring that external hosts can’t resolve internal names.
For example, an organization might want to enable internal users to resolve the addresses www.tailspintoys.com and aus-fs1.tailspintoys.com, but enable external users to resolve only www.tailspintoys.com.
How do you implement split DNS?
To implement split DNS, create two zones on different name servers for the same DNS zone. For example, you can configure split DNS in the following way:
■ Contoso.com is an Active Directory integrated primary zone replicated to all domain controllers on your organization’s internal network. Internal clients would run queries against these DNS servers for the contoso.com zone.
■ Contoso.com is a standard primary zone hosted on a computer running Windows Server 2012 that is not a member of a domain and is located on your organization’s perimeter network. External clients would run queries against this DNS server for the contoso.com zone.
You can configure the standard primary zone hosted on the computer on the perimeter network to accept only manual updates. You can then manually populate the zone with those records that external hosts should be able to resolve, such as the address of web servers and mail gateways.
However, many organizations don’t bother hosting the publicly resolvable zone associated with their organization, but instead have it hosted on their ISP’s DNS servers.
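The perimeter half of the split DNS design above, as an added example that is not part of the original text: a file-backed contoso.com zone on the standalone perimeter server, with dynamic updates off, populated only with the public records, and closed to zone transfers. All addresses (203.0.113.x) and host names are constructed.

```powershell
# Added example (not from the original notes): the perimeter-network half of
# the split DNS design. Runs on the standalone (non-domain-joined) Windows
# Server 2012 DNS server in the perimeter network; all values are constructed.

# A standard (file-backed) primary, because a server that is not a domain
# controller cannot host an AD integrated zone. Dynamic updates are off:
# nothing reachable from the Internet may change this zone.
Add-DnsServerPrimaryZone -Name 'contoso.com' `
    -ZoneFile 'contoso.com.dns' -DynamicUpdate None

# Only the hosts external clients are meant to reach. Internal names such as
# file servers and domain controllers are deliberately absent from this copy.
Add-DnsServerResourceRecordA  -ZoneName 'contoso.com' -Name 'www'  -IPv4Address 203.0.113.10
Add-DnsServerResourceRecordA  -ZoneName 'contoso.com' -Name 'mail' -IPv4Address 203.0.113.25
Add-DnsServerResourceRecordMX -ZoneName 'contoso.com' -Name '.' `
    -MailExchange 'mail.contoso.com' -Preference 10

# Do not hand the whole zone to anyone who asks for a transfer.
Set-DnsServerPrimaryZone -Name 'contoso.com' -SecureSecondaries NoTransfer

# Sanity check: the public view should contain only the records added above,
# and an internal-only name must not resolve against this server.
Get-DnsServerResourceRecord -ZoneName 'contoso.com' |
    Where-Object { $_.RecordType -in 'A', 'MX' } |
    Select-Object HostName, RecordType
Resolve-DnsName -Name 'fs1.contoso.com' -Server 127.0.0.1 -ErrorAction SilentlyContinue
```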
Can you create an AD integrated primary zone on a computer running Windows Server 2012 with the DNS Server role installed?
You can’t create an Active Directory integrated primary zone if the Windows Server 2012 computer hosting the DNS Server service is not a domain controller.
What are Forwarders and conditional forwarders?
Forwarders and conditional forwarders enable your DNS server to forward traffic to specific DNS servers when a lookup request cannot be handled locally. If you don’t configure a forwarder, or if a configured forwarder can’t be contacted, the DNS Server service will forward the request to a DNS root server, and the request will be resolved normally.
What are forwarders?
You are likely to use a DNS forwarder, rather than have your DNS server just use the root server, when you want to have a specific DNS server on the Internet handle your organization’s DNS resolution traffic. You are most likely to configure your organization’s ISP’s DNS server as a forwarder. When you do this, the ISP’s DNS server performs all the query work, returning the result to your organization’s DNS server that returns the result of the query back to the original requesting client.
You configure forwarders on a per-DNS server level.
You can configure a forwarder using the DNS Manager, by editing the properties of a DNS server and then editing the list of forwarders on the Forwarders tab, as shown in Figure 3-7.
You can create a DNS forwarder using the Add-DnsServerForwarder cmdlet.
For example, to create a DNS forwarder for a DNS server with IP address 10.10.10.111, issue this command:
Add-DnsServerForwarder 10.10.10.111
You can’t create a forwarder on one DNS server and then have it replicate to all other DNS servers in the forest or the domain, although this is possible with conditional forwarders and stub zones.
What are conditional forwarders?
Conditional forwarders forward address requests from only specific domains rather than all requests that can’t be resolved by the DNS server. When configured, a conditional forwarder takes precedence over a forwarder. Conditional forwarders are useful when your organization has a trust relationship or partnership with another organization. You can configure a conditional forwarder that directs all traffic to host names within that organization instead of them having to be resolved by the standard DNS-resolution process.
How do you create a conditional forwarder?
To create a conditional forwarder, perform the following steps:
1. Open DNS Manager.
2. Expand the DNS server on which you want to create the conditional forwarder. Because conditional forwarders can be replicated to all DNS servers in a forest or domain, you have to create the forwarder only once.
3. Right-click Conditional Forwarders and choose New Conditional Forwarder.
4. Enter the DNS domain name of the zone for the forwarder. For example, if you want all traffic for hosts in the wingtiptoys.com zone to be forwarded to specific DNS servers, enter wingtiptoys.com as the DNS domain name.
5. Enter the IP address or addresses of the DNS server to which you want to forward DNS traffic.
6. Select whether the conditional forwarder will be stored within Active Directory. Choose whether to replicate the forwarder to all servers in the forest or in the domain, as shown in Figure 3-8.
Command:
You can create conditional forwarders using the Add-DnsServerConditionalForwarderZone PowerShell cmdlet. For example, to create a conditional forwarder for the DNS domain tailspintoys.com that forwards DNS queries to the server at IP address 10.10.10.102 and replicates that conditional forwarder to all DNS servers within the Active Directory forest, issue this command:
Add-DnsServerConditionalForwarderZone -MasterServers 10.10.10.102 -Name tailspintoys.com -ReplicationScope Forest
What are stub zones?
A stub zone is a special zone that stores authoritative name server records for a target zone. Stub zones have an advantage over forwarders when the address of a target zone’s authoritative DNS server changes on a regular basis. Stub zones are often used to host the records for authoritative DNS servers in delegated zones. Using stub zones in this way ensures that delegated zone information is up to date. If you create the stub zone on a writable domain controller, as shown in Figure 3-9, it can be stored in Active Directory and replicated to other DCs in the domain or forest.
How do you create a stub zone?
1. In DNS Manager, right-click Forward Lookup Zones and click New Zone.
2. On the Zone Type page of the New Zone Wizard, select Stub Zone, as shown in Figure 3-9.
3. If you chose the Store The Zone In Active Directory option, you see the Active Directory Zone Replication Scope page. Choose whether to replicate the stub zone to all domain controllers in the forest, in the domain, or to all domain controllers enrolled in a specific directory partition.
4. Provide the stub zone with the name of the target DNS zone.
5. On the Master DNS Servers page, shown in Figure 3-10, provide the address of an authoritative DNS name server for the zone. Choose the Use The Above Servers To Create A Local List Of Master Servers option to generate a list of all authoritative name servers in the target DNS zone.
Command:
You can add a stub zone using the Add-DnsServerStubZone cmdlet. For example, to add a DNS stub zone for the fabrikam.com zone using the DNS server at 10.10.10.222 that replicates to all DNS servers in the forest, execute this command:
Add-DnsServerStubZone -MasterServers 10.10.10.222 -Name fabrikam.com -ReplicationScope Forest -LoadExisting
Lesson summary
■ Primary and stub zones can be configured as Active Directory integrated zones.
■ Active Directory integrated zones can be replicated to all domain controllers in a domain, in the forest, or that have a specific DNS application partition.
■ Reverse lookup zones translate IP addresses into FQDNs.
■ Reverse lookup zones can be Active Directory integrated zones.
■ Secondary zones are read-only.
■ Conditional forwarders forward all traffic for a particular zone to a particular DNS server.
■ Forwarders forward all traffic not handled by conditional forwarders to a specific DNS server.
1. You want to create a new DNS zone. Only computers that are members of the domain should be able to update the zone. You should not have to perform zone updates manually. Which of the following steps should you take to accomplish this goal? (Choose all that apply.)
A. Configure the contoso.com zone as an Active Directory integrated primary.
B. Configure the contoso.com zone as a standard primary zone.
C. Configure the zone to enable only secure dynamic updates.
D. Configure the zone to not enable dynamic updates.
1. Correct answers: A and C
A. Correct: Configuring the zone as Active Directory integrated primary enables you to configure the zone to accept only secure dynamic updates.
B. Incorrect: You cannot configure a standard primary zone so that it will accept only secure dynamic updates. A standard primary zone can be configured to accept both secure and insecure dynamic updates.
C. Correct: Configuring this setting ensures that only computers that are members of the domain can update the zone.
D. Incorrect: If you do not configure the zone to allow dynamic updates, you have to perform zone updates manually.
2. Which of the following network IDs is associated with the reverse lookup zone 15.168.192.in-addr.arpa?
A. 192.168.15.0 /16
B. 15.168.192.0 /24
C. 192.168.15.0 /24
D. 15.168.192.0 /24
2. Correct answer: C
A. Incorrect: This network ID would be associated with the 168.192.in-addr.arpa zone.
B. Incorrect: This network ID would be associated with the 192.186.15.in-addr.arpa zone.
C. Correct: Zone names use the octets in reverse order. The zero is dropped from the zone name.
D. Incorrect: This network ID would be associated with the 15.168.192.0 network ID.
3. You want to create a delegation for the zone australia.fabrikam.com. This zone will be hosted on a DNS server with the IP address 10.100.10.10. The DNS server that is authoritative for the zone fabrikam.com is hosted on a computer with the IP address 10.10.10.10. Which of the following steps must you take first? (Choose all that apply.)
A. Create the zone australia.fabrikam.com on the computer that hosts the DNS server with the IP address 10.10.10.10.
B. Create the zone australia.fabrikam.com on the computer that hosts the DNS server with the IP address 10.100.10.10.
C. Create the delegation using the zone fabrikam.com on the computer that hosts the DNS server with the IP address 10.100.10.10.
D. Create the delegation using the zone fabrikam.com on the computer that hosts the DNS server with the IP address 10.10.10.10.
3. Correct answer: B
A. Incorrect: You should not create the target zone on the computer on which you are going to perform the delegation, unless that computer will host that zone. In this situation, the target zone will be hosted on the computer with IP address 10.100.10.10.
B. Correct: You must create the target zone on the server that will host that zone prior to performing the delegation.
C. Incorrect: You must create the target zone before you perform a delegation.
D. Incorrect: You must create the target zone before you perform a delegation.
4. A partner organization frequently alters the IP addresses of its authoritative name servers. Clients in the partner DNS zone also change their DNS records frequently. You want to enable clients in your organizational network to be able to quickly resolve addresses in the partner’s DNS zone without worrying that your own DNS server is hosting stale DNS records. Which of the following should you create on your local DNS server to accomplish this goal? (Choose all that apply.)
A. Secondary zone
B. Conditional forwarder
C. Forwarder
D. Stub zone
4. Correct answer: D
A. Incorrect: Although configuring a secondary zone will provide a local copy of the partner organization’s zone, a better approach is to use a stub zone because the zone updates frequently. This way, clients on your organizational network can quickly locate the authoritative name servers in the partner zone and resolve addresses in that zone accurately.
B. Incorrect: Conditional forwarders use static entries for authoritative servers in the target zone. Because the authoritative servers in the target zone often change, a conditional forwarder is quickly out of date.
C. Incorrect: Forwarders are used to forward all queries, rather than queries to a specific zone.
D. Correct: The best approach is to use a stub zone. This way, clients on your organizational network can quickly locate the authoritative name servers in the partner zone and resolve addresses in that zone accurately.
5. You want to have all DNS requests for nonlocal addresses go to your ISP’s DNS server, except those for hosts located in the margiestravel.com zone. Any requests for hosts located in the margiestravel.com zone should automatically be forwarded to a DNS server with a specific IP address. Which of the following should you configure to accomplish this goal? (Choose all that apply.)
A. Stub zone
B. Forwarder
C. Conditional forwarder
D. Secondary zone
5. Correct answers: B and C
A. Incorrect: A stub zone replicates authoritative name server information from a target zone. In this situation, you simply want to forward traffic for hosts in a specific zone to a specific DNS server.
B. Correct: You need to configure a forwarder that will forward traffic to your ISP’s DNS server.
C. Correct: A conditional forwarder will forward all traffic to the margiestravel.com DNS zone to a DNS server at a specific address.
D. Incorrect: You want to forward client request traffic either to your ISP’s DNS server or to the margiestravel.com DNS server. Hosting a secondary zone of the margiestravel.com DNS zone does not accomplish this goal.
Lesson 2: WINS and GlobalNames zones
Both WINS and GlobalNames zones provide single-label name resolution solutions. Single-label name resolution solutions are often required because custom code and scripts, some dating back to the days when Windows NT 4.0 was the server operating system of choice, don’t use the DNS FQDNs. In this lesson, you’ll learn how to provide an appropriate single-label name resolution solution for your organizational network.
What is WINS?
WINS is an older name resolution technology that resolves NetBIOS names to IP addresses. WINS was primarily used on networks running Windows NT 4.0 and has been declining in utilization ever since. Other than small changes to make WINS less vulnerable to malicious attack, the functionality of WINS has not changed substantially since the release of Windows Server 2003 almost a decade ago. Windows Server 2012 still includes the WINS role because a large number of organizations have need for single-label name resolution functionality. Single-label name resolution is required when a host is referred to on the network with a single name, such as Windows Server Update Services (WSUS), rather than an FQDN such as wsus.contoso.internal. Depending on how DNS is configured, some clients can use their DNS host suffix to locate hosts on the basis of a single label. You can also integrate DNS with WINS.
How do you configure a WINS server?
To install and configure the WINS role on a computer running Windows Server 2012, perform the following steps:
1. From Server Manager, use the Manage menu to launch the Add Roles And Features Wizard.
2. Select the WINS Server feature, as shown in Figure 3-11.
To install WINS using Windows PowerShell, use the following command:
Install-WindowsFeature WINS
Unless the routers are specially configured, NetBIOS traffic doesn’t cross subnet boundaries.
This means that unless you take specific steps, the WINS database will not be populated with address entries by hosts on remote networks. WINS does support the creation of static address entries, and you can use it to manually populate the WINS database with the addresses of important hosts that must be resolvable using single-label names. Client computers must know the address of a WINS server to utilize it for single-label name resolution. You can configure a client with the address of a WINS server by configuring DHCP option 044. You can also configure the address of a WINS server by editing the TCP/IPv4 properties on a specific network adapter, as shown in Figure 3-12.
You can configure WINS servers on different subnets as replication partners. When you do this, these WINS servers exchange address data with one another. WINS uses two types of partners in replication:
■ Push partner: A WINS server that notifies a pull partner that the WINS database has been updated. The pull partner responds with a replication request, and the database changes are replicated. Push replication occurs only after a certain number of updates to the database have occurred.
■ Pull partner: A WINS server that waits for notification that the database has been updated and then replicates the database changes.
It is a collection of Records, whether that collection is updatable, and how that collection will replicate to other DNS servers.
What are forwarders?
It is a method of re-directing DNS queries to specific servers. It is used to improve DNS performance or allow connections to specific DNS zones that might (otherwise) not be directly accessible.
Where you can create AD integrated zone?
You can create it only on wriatable domain controller. It is the computer in whcih you have installed AD domain controller.
Where you can configure primary and stub zones as AD intergrated zone?
On AD integrated zone which has DNS server installed on it so it can process updates to those zones.
Where you can configure DNS replication scope?
When you create a new zone on AD integrated zone you will get a option to configure DNS replication:
*To all DNS servers running on all domain controllers in this Forest.
*To all DNS servers running on all domain controllers in this Domain.
*To all DNS servers running on all domain controllers in this Domain (For windows 2000 compatibility).
Why we need to configure dynamic updates while configuring zone?
This is useful in environments in which clients change IP addresses on a regular basis. When a client gets a new IP address, it can update the record associated with its host name in the appropriate DNS zone.
■ Allow only secure dynamic updates : You can use this option only with Active Directory integrated zones. Only authenticated clients can update DNS records.
■■ Allow both nonsecure and secure dynamic updates : With this option, any client can update a record. Although this option is convenient, it is also insecure because any client can update the DNS zone, potentially redirecting clients that trust the quality of the information stored on the DNS server.
■■ Do not allow dynamic updates When you choose this option, all DNS updates must be performed manually. This option is very secure, but it is also labor-intensive.
Can Read only Domain controller (RODC) can replicate updates to other DNS servers?
No because it is a read only domain controller but An RODC will forward any zone update traffic directed at it to a writable domain controller.
How to create a Active Directory integrated zone cpandl.com to replicate to all domain controllers in the forest by using command?
Add-DnsServerPrimaryZone –Name cpandl.com –ReplicationScope Forest
__________________________________________________________________________
Notes: When you first install Active Directory, the installation process ensures that the DNS zone associated with the root domain is automatically configured as an Active Directory integrated zone and is replicated to all domain controllers in the forest.
______________________________________________________________________________
What is primary zone?
When a zone that this DNS server hosts is a primary zone, the DNS server is the primary source for information about this zone, and it stores the master copy of zone data in a local file or in AD DS. When the zone is stored in a file, by default the primary zone file is named zone_name.dns and it is located in the %windir%\System32\Dns folder on the server.
If primary zone is not working or deleted, then no zone updates can occur until the primary zone is restored.
Windows Server 2012 supports two types of primary zones: Active Directory integrated zones and standard primary zones.
Active Directory integrated zones can be hosted only on computers that also function as domain controllers. Computers running Windows Server 2012 that are not domain controllers can host standard primary zones. When you create a primary zone on a computer that is not a domain controller, the wizard does not enable you to specify a replication scope for the zone.
What is secondary zone?
A secondary zone is a read-only copy of a primary zone. Secondary zones cannot process updates; they can only retrieve updates from a primary zone. Secondary zones cannot be Active Directory integrated zones, but you can configure a secondary zone of a zone that is an Active Directory integrated primary zone. Prior to configuring a secondary zone, you need to configure the primary zone that it will replicate from to enable transfers to that zone. You can do this on the Zone Transfers tab of the zone properties, as shown in Figure 3-4. Secondary zones work best when the primary zone they replicate from does not update frequently. If the primary zone is frequently updated, it is possible that the secondary zone may have out-of-date records.
What is Reverse Look up Zones?
Reverse lookup zones translate IP addresses into FQDNs. You can create IPv4 or IPv6 reverse lookup zones, and reverse lookup zones can be configured as Active Directory integrated zones. You can configure reverse lookup zones as standard primary, secondary, or stub zones. The domain controller promotion process automatically creates a reverse lookup zone based on the IP address of the first domain controller promoted in the organization.
Reverse lookup zones are dependent on the network ID of the IP address range they represent.
IPv4 reverse lookup zones can represent only /8, /16, or /24 (the old Class A, Class B, and Class C) networks. You can’t create a single reverse lookup zone for IP subnets that don’t fit into these categories, and the smallest reverse lookup zone you can create is for subnet mask /24 (255.255.255.0).
How to create Reverse Lookup Zones?
1. In the DNS Manager Console, right-click Reverse Lookup Zones and click New Zone.
2. On the Zone Type page, select the type of reverse lookup zone that you want to create.
You can create a primary or a stub zone that can be Active Directory integrated if you are managing a DNS server on a domain controller, or create a secondary zone if the reverse lookup zone is being replicated from an existing primary reverse lookup zone.
3. If you have chosen to make the lookup zone Active Directory integrated, you’ll need to choose the zone replication scope.
4. On the Reverse Lookup Zone Name page, choose between IPv4 and IPv6 Reverse Lookup Zone.
5. You can configure the reverse lookup zone either on the basis of choosing either Network
ID or Reverse Lookup Zone Name, as shown in Figure 3-5. The name is automatically
generated when you provide the ID.
6. You can then choose whether to enable secure dynamic updates, enable nonsecure and secure dynamic updates, or not enable dynamic updates.
What are ZONE Delegation?
Zone delegations function as pointers to the next DNS layer down in the DNS hierarchy. For example, if your organization uses the contoso.com DNS zone and you want to create a separate australia.contoso.com DNS zone, you can perform a zone delegation so that the DNS servers for the contoso.com DNS zone would point to the DNS servers for the australia .contoso.com DNS zone. When you create a new child domain in an Active Directory forest, zone delegation occurs automatically. When you are performing a manual delegation, create the delegated zone on the target DNS server prior to performing the delegation from the parent zone.
How to configure Zone delegation?
You can configure a zone delegation by performing the following steps:
1. Create the primary zone, either standard or Active Directory integrated, on the DNS server that will host the delegated zone.
2. In the DNS Manager Console, right-click the zone that you want to create a delegation for and click New Delegation.
3. On the Delegated Domain Name page of the New Delegation Wizard, shown in Figure 3-6, enter the name of the delegated domain.
4. On the Name Servers page, shown in Figure 3-6, add the address of the DNS server that hosts the zone for which you are creating a delegation. The wizard will check that the DNS server is authoritative for the delegated zone.
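The four steps above in PowerShell, as an added example that is not part of the original page. It delegates australia.contoso.com from contoso.com and follows the rule stated earlier: the child zone is created on its own host first, then the delegation is added to the parent. The addresses 10.10.10.10 (parent server, authoritative for contoso.com), 10.100.10.10 (child server) and the name server host name ns1.australia.contoso.com are constructed values.

```powershell
# Added example (not from the original page): delegate australia.contoso.com from the
# contoso.com zone. Constructed values: parent DNS server 10.10.10.10 (authoritative for
# contoso.com), child DNS server 10.100.10.10 (hosts australia.contoso.com), child name
# server host name ns1.australia.contoso.com.

$ParentServer = '10.10.10.10'
$ChildServer  = '10.100.10.10'
$ChildNsName  = 'ns1.australia.contoso.com'

# Step 1: the delegated zone must exist on the server that will host it BEFORE the
# delegation is created; otherwise the wizard's authority check fails and queries for
# the child zone are answered with errors. A standard (file-backed) primary zone here.
Add-DnsServerPrimaryZone -Name 'australia.contoso.com' `
    -ZoneFile 'australia.contoso.com.dns' `
    -DynamicUpdate None `
    -ComputerName $ChildServer

# The child zone needs an A record for its own name server so that the glue record in
# the parent's delegation agrees with what the child zone says about itself.
Add-DnsServerResourceRecordA -ZoneName 'australia.contoso.com' -Name 'ns1' `
    -IPv4Address $ChildServer -ComputerName $ChildServer

# Steps 2 to 4: in the parent zone, create the NS record (plus glue A record) that
# sends resolvers to the child's name server.
Add-DnsServerZoneDelegation -Name 'contoso.com' `
    -ChildZoneName 'australia' `
    -NameServer $ChildNsName `
    -IPAddress $ChildServer `
    -ComputerName $ParentServer `
    -PassThru

# Checks after delegating:
# 1. the parent zone lists the delegation,
Get-DnsServerZoneDelegation -Name 'contoso.com' -ComputerName $ParentServer
# 2. an NS query to the parent returns the child name server (a referral),
Resolve-DnsName -Name 'australia.contoso.com' -Type NS -Server $ParentServer
# 3. the child server answers for its own zone (its SOA record is returned).
Resolve-DnsName -Name 'australia.contoso.com' -Type SOA -Server $ChildServer
```

Creating the child zone with -DynamicUpdate None is the safe default for a zone that is populated by hand; switch it to Secure only when the zone is Active Directory integrated and domain members are expected to register their own records.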
What is Split DNS?
Split DNS enables organizations to use the same namespace for internal and external hosts, but enables those organizations to ensure that external hosts can’t resolve internal names.
For example, an organization might want to enable internal users to resolve the addresses www.tailspintoys.com and aus-fs1.tailspintoys.com, but enable external users to resolve only www.tailspintoys.com.
How to implement Split DNS?
To implement split DNS, create two zones on different name servers for the same DNS zone. For example, you can configure split DNS in the following way:
■ Contoso.com is an Active Directory integrated primary zone replicated to all domain controllers on your organization’s internal network. Internal clients would run queries against these DNS servers for the contoso.com zone.
■ Contoso.com is a standard primary zone hosted on a computer running Windows Server 2012 that is not a member of a domain and is located on your organization’s perimeter network. External clients would run queries against this DNS server for the contoso.com zone.
You can configure the standard primary zone hosted on the computer on the perimeter network to accept only manual updates. You can then manually populate the zone with those records that external hosts should be able to resolve, such as the address of web servers and mail gateways.
However, many organizations don’t bother hosting the publicly resolvable zone associated with their organization, but instead have it hosted on their ISP’s DNS servers.
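The perimeter half of the split DNS design described above, as an added example that is not part of the original page, together with the two checks that matter for it: the perimeter zone must refuse dynamic updates, and it must carry only the records external hosts are meant to resolve. The perimeter server 203.0.113.53, the internal domain controller 10.10.10.10, the public addresses 203.0.113.10 and 203.0.113.25, and the internal host name aus-fs1.contoso.com are constructed values.

```powershell
# Added example (not from the original page): build the perimeter copy of contoso.com
# for a split DNS design and check that it exposes only public records.
# Constructed values: perimeter DNS server 203.0.113.53 (stand-alone, not a domain
# member), internal domain controller 10.10.10.10, public addresses 203.0.113.10 (web)
# and 203.0.113.25 (mail gateway).

$Perimeter = '203.0.113.53'
$Internal  = '10.10.10.10'
$Zone      = 'contoso.com'

# Perimeter copy: a standard primary zone with dynamic updates disabled, so nothing on
# the Internet (or in the DMZ) can register or overwrite records; all changes are manual.
Add-DnsServerPrimaryZone -Name $Zone -ZoneFile "$Zone.dns" -DynamicUpdate None `
    -ComputerName $Perimeter

# Hand-populate only the public-facing records (web server and mail gateway).
Add-DnsServerResourceRecordA  -ZoneName $Zone -Name 'www'  -IPv4Address '203.0.113.10' -ComputerName $Perimeter
Add-DnsServerResourceRecordA  -ZoneName $Zone -Name 'mail' -IPv4Address '203.0.113.25' -ComputerName $Perimeter
Add-DnsServerResourceRecordMX -ZoneName $Zone -Name '.' -MailExchange "mail.$Zone" -Preference 10 -ComputerName $Perimeter

# Check 1: the perimeter zone must not accept dynamic updates of any kind.
$pz = Get-DnsServerZone -Name $Zone -ComputerName $Perimeter
if ($pz.DynamicUpdate -ne 'None') {
    Write-Warning "Perimeter zone $Zone allows dynamic updates ($($pz.DynamicUpdate))"
}

# Check 2: no internal-only host names have leaked into the perimeter zone. Every A
# record on the perimeter server must be on the explicit public allow list.
$PublicNames = @('www', 'mail')
$external = Get-DnsServerResourceRecord -ZoneName $Zone -RRType A -ComputerName $Perimeter
foreach ($rr in $external) {
    if ($rr.HostName -notin $PublicNames) {
        Write-Warning "Unexpected public record: $($rr.HostName) -> $($rr.RecordData.IPv4Address)"
    }
}

# Check 3: an internal-only name is answered by the internal DC but not by the
# perimeter server. Compare the two results by hand.
Resolve-DnsName -Name "aus-fs1.$Zone" -Server $Internal  -ErrorAction SilentlyContinue
Resolve-DnsName -Name "aus-fs1.$Zone" -Server $Perimeter -ErrorAction SilentlyContinue
```

The first query in check 3 should return an address and the second should return nothing; if the perimeter server answers, an internal record has been copied to the public zone and should be removed. Running check 2 on a schedule turns the "manually populated" property of the perimeter zone into something that is verified rather than assumed.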
Can you create an AD integrated primary zone on a computer running Windows Server 2012 with the DNS Server role installed?
You can’t create an Active Directory integrated primary zone if the Windows Server 2012 computer hosting the DNS Server service is not a domain controller.
What are Forwarders and conditional forwarders?
Forwarders and conditional forwarders enable your DNS server to forward traffic to specific DNS servers when a lookup request cannot be handled locally. If you don’t configure a forwarder, or if a configured forwarder can’t be contacted, the DNS Server service will forward the request to a DNS root server, and the request will be resolved normally.
What are forwarders?
You are likely to use a DNS forwarder, rather than have your DNS server just use the root server, when you want to have a specific DNS server on the Internet handle your organization’s DNS resolution traffic. You are most likely to configure your organization’s ISP’s DNS server as a forwarder. When you do this, the ISP’s DNS server performs all the query work, returning the result to your organization’s DNS server that returns the result of the query back to the original requesting client.
You configure forwarders on a per-DNS server level.
You can configure a forwarder using the DNS Manager, by editing the properties of a DNS server and then editing the list of forwarders on the Forwarders tab, as shown in Figure 3-7.
You can create a DNS forwarder using the Add-DnsServerForwarder cmdlet.
For example, to create a DNS forwarder for a DNS server with IP address 10.10.10.111, issue this command:
Add-DnsServerForwarder 10.10.10.111
You can’t create a forwarder on one DNS server and then have it replicate to all other DNS servers in the forest or the domain, although this is possible with conditional forwarders and stub zones.
What are conditional forwarders?
Conditional forwarders forward address requests from only specific domains rather than all requests that can’t be resolved by the DNS server. When configured, a conditional forwarder takes precedence over a forwarder. Conditional forwarders are useful when your organization has a trust relationship or partnership with another organization. You can configure a conditional forwarder that directs all traffic to host names within that organization instead of them having to be resolved by the standard DNS-resolution process.
How to create conditional forwarders?
To create a conditional forwarder, perform the following steps:
1. Open DNS Manager.
2. Expand the DNS server on which you want to create the conditional forwarder. Because conditional forwarders can be replicated to all DNS servers in a forest or domain, you have to create the forwarder only once.
3. Right-click Conditional Forwarders and choose New Conditional Forwarder.
4. Enter the DNS domain name of the zone for the forwarder. For example, if you want all traffic for hosts in the wingtiptoys.com zone to be forwarded to specific DNS servers, enter wingtiptoys.com as the DNS domain name.
5. Enter the IP address or addresses of the DNS server to which you want to forward DNS traffic.
6. Select whether the conditional forwarder will be stored within Active Directory. Choose whether to replicate the forwarder to all servers in the forest or in the domain, as shown in Figure 3-8.
Command:
You can create conditional forwarders using the Add-DnsServerConditionalForwarderZone PowerShell cmdlet. For example, to create a conditional forwarder for the DNS domain tailspintoys.com that forwards DNS queries to the server at IP address 10.10.10.102 and replicates that conditional forwarder to all DNS servers within the Active Directory forest,
issue this command:
Add-DnsServerConditionalForwarderZone -MasterServers 10.10.10.102 -Name tailspintoys.com -ReplicationScope Forest
What are stub zones?
A stub zone is a special zone that stores authoritative name server records for a target zone. Stub zones have an advantage over forwarders when the address of a target zone’s authoritative DNS server changes on a regular basis. Stub zones are often used to host the records for authoritative DNS servers in delegated zones. Using stub zones in this way ensures that delegated zone information is up to date. If you create the stub zone on a writable domain controller, as shown in Figure 3-9, it can be stored with Active Directory and replicated to other DCs in the domain or forest
How to create stub zones?
1. In DNS Manager, right-click Forward Lookup Zones and click New Zone.
2. On the Zone Type page of the New Zone Wizard, select Stub Zone, as shown in Figure 3-9.
3. If you chose the Store The Zone In Active Directory option, you see the Active Directory Zone Replication Scope page. Choose whether to replicate the stub zone to all domain controllers in the forest, in the domain, or to all domain controllers enrolled in a specific directory partition.
4. Provide the stub zone with the name of the target DNS zone.
5. On the Master DNS Servers page, shown in Figure 3-10, provide the address of an authoritative DNS name server for the zone. Choose the Use The Above Servers To Create A Local List Of Master Servers option to generate a list of all authoritative name servers in the target DNS zone.
Command:
You can add a stub zone using the Add-DnsServerStubZone cmdlet. For example, to add a DNS stub zone for the fabrikam.com zone using the DNS server at 10.10.10.222 that replicates to all DNS servers in the forest, execute this command:
Add-DnsServerStubZone -MasterServers 10.10.10.222 -Name fabrikam.com -ReplicationScope Forest -LoadExisting
Lesson summary
■ Primary and stub zones can be configured as Active Directory integrated zones.
■ Active Directory integrated zones can be replicated to all domain controllers in a domain, in the forest, or that have a specific DNS application partition.
■ Reverse lookup zones translate IP addresses into FQDNs.
■ Reverse lookup zones can be Active Directory integrated zones.
■ Secondary zones are read-only.
■ Conditional forwarders forward all traffic for a particular zone to a particular DNS server.
■ Forwarders forward all traffic not handled by conditional forwarders to a specific DNS server.
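An audit script that ties the lesson's pieces together, added here as an example that is not part of the original page. It lists, for one DNS server, the forwarders, the conditional forwarders and stub zones (which the DnsServer module exposes as zones of type Forwarder and Stub, each with the master servers it points at), and the dynamic update setting of every primary zone, flagging any zone that accepts nonsecure updates. The server address 10.10.10.10 is a constructed value.

```powershell
# Added example (not from the original page): audit how a DNS server resolves names
# it is not authoritative for (forwarders, conditional forwarders, stub zones) and
# which primary zones accept nonsecure dynamic updates. Constructed value: 10.10.10.10.

$DnsServer = '10.10.10.10'

# Server-wide forwarders: tried for any name that no local zone or conditional
# forwarder covers; root hints are used when they fail unless UseRootHint is off.
Write-Host "== Forwarders on $DnsServer"
Get-DnsServerForwarder -ComputerName $DnsServer |
    Select-Object IPAddress, UseRootHint, Timeout

$zones = Get-DnsServerZone -ComputerName $DnsServer

# Conditional forwarders are stored as zones of type Forwarder, stub zones as Stub.
# Both record the master servers they point at and whether AD replicates them.
Write-Host "== Conditional forwarders and stub zones"
$zones | Where-Object { $_.ZoneType -in 'Forwarder', 'Stub' } |
    Select-Object ZoneName, ZoneType, IsDsIntegrated, ReplicationScope,
        @{ n = 'MasterServers'; e = { $_.MasterServers -join ', ' } }

# A primary zone set to NonsecureAndSecure lets any host on the network register or
# overwrite records, so each one is collected for review. Auto-created zones
# (such as 0.in-addr.arpa) are skipped.
Write-Host "== Primary zones and their dynamic update setting"
$findings = @()
foreach ($z in ($zones | Where-Object { $_.ZoneType -eq 'Primary' -and -not $_.IsAutoCreated })) {
    Write-Host ('{0,-40} DS={1,-5} Updates={2}' -f $z.ZoneName, $z.IsDsIntegrated, $z.DynamicUpdate)
    if ($z.DynamicUpdate -eq 'NonsecureAndSecure') {
        $findings += $z.ZoneName
    }
}

if ($findings) {
    Write-Warning ('Zones allowing nonsecure dynamic updates: ' + ($findings -join ', '))
    # Remediation for an AD-integrated zone (only secure updates from domain members):
    #   Set-DnsServerPrimaryZone -Name <zone> -DynamicUpdate Secure -ComputerName $DnsServer
}
```

Run it against every DNS server rather than one: plain forwarders are per-server and are not replicated, so a forwarder that was fixed on one domain controller can still be wrong on another, whereas conditional forwarders and stub zones stored in Active Directory will show the same master servers everywhere.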
1. You want to create a new DNS zone. Only computers that are members of the domain should be able to update the zone. You should not have to perform zone updates manually. Which of the following steps should you take to accomplish this goal? (Choose all that apply.)
A. Configure the contoso.com zone as an Active Directory integrated primary.
B. Configure the contoso.com zone as a standard primary zone.
C. Configure the zone to enable only secure dynamic updates.
D. Configure the zone to not enable dynamic updates.
Correct answers: A and C
A. Correct: Configuring the zone as Active Directory integrated primary enables you to configure the zone to accept only secure dynamic updates.
B. Incorrect: You cannot configure a standard primary zone so that it will accept only secure dynamic updates. A standard primary zone can be configured to accept both secure and insecure dynamic updates.
C. Correct: Configuring this setting ensures that only computers that are members of the domain can update the zone.
D. Incorrect: If you do not configure the zone to allow dynamic updates, you have to perform zone updates manually.
2. Which of the following network IDs is associated with the reverse lookup zone 15.168.192.in-addr.arpa?
A. 192.168.15.0 /16
B. 15.168.192.0 /24
C. 192.168.15.0 /24
D. 15.168.192.0 /24
2. Correct answer: C
A. Incorrect: This network ID would be associated with the 168.192.in-addr.arpa zone.
B. Incorrect: This network ID would be associated with the 192.168.15.in-addr.arpa zone.
C. Correct: Zone names use octets in reverse. The zero is dropped from the zone name.
D. Incorrect: This network ID would be associated with the 15.168.192.0 network ID.
3. You want to create a delegation for the zone australia.fabrikam.com. This zone will be hosted on a DNS server with the IP address 10.100.10.10. The DNS server that is authoritative for the zone fabrikam.com is hosted on a computer with the IP address 10.10.10.10. Which of the following steps must you take first? (Choose all that apply.)
A. Create the zone australia.fabrikam.com on the computer that hosts the DNS server with the IP address 10.10.10.10.
B. Create the zone australia.fabrikam.com on the computer that hosts the DNS server with the IP address 10.100.10.10.
C. Create the delegation using the zone fabrikam.com on the computer that hosts the DNS server with the IP address 10.100.10.10.
D. Create the delegation using the zone fabrikam.com on the computer that hosts the DNS server with the IP address 10.10.10.10.
3. Correct answer: B
A. Incorrect: You should not create the target zone on the computer on which you are going to perform the delegation, unless that computer will host that zone. In this situation, the target zone will be hosted on the computer with IP address 10.100.10.10.
B. Correct: You must create the target zone on the server that will host that zone prior to performing the delegation.
C. Incorrect: You must create the target zone before you perform a delegation.
D. Incorrect: You must create the target zone before you perform a delegation.
4. A partner organization frequently alters the IP addresses of its authoritative name servers. Clients in the partner DNS zone also change their DNS records frequently. You want to enable clients in your organizational network to be able to quickly resolve addresses in the partner’s DNS zone without worrying that your own DNS server is hosting stale DNS records. Which of the following should you create on your local DNS server to accomplish this goal? (Choose all that apply.)
A. Secondary zone
B. Conditional forwarder
C. Forwarder
D. Stub zone
4. Correct answer: D
A. Incorrect: Although configuring a secondary zone will provide a local copy of the partner organization’s zone, a better approach is to use a stub zone because the zone updates frequently. This way, clients on your organizational network can quickly locate the authoritative name servers in the partner zone and resolve addresses in that zone accurately.
B. Incorrect: Conditional forwarders use static entries for authoritative servers in the target zone. Because the authoritative servers in the target zone often change, a conditional forwarder is quickly out of date.
C. Incorrect: Forwarders are used to forward all queries, rather than queries to a specific zone.
D. Correct: The best approach is to use a stub zone. This way, clients on your organizational network can quickly locate the authoritative name servers in the partner zone and resolve addresses in that zone accurately.
5. You want to have all DNS requests for nonlocal addresses go to your ISP’s DNS server, except those for hosts located in the margiestravel.com zone. Any requests for hosts located in the margiestravel.com zone should automatically be forwarded to a DNS server with a specific IP address. Which of the following should you configure to accomplish this goal? (Choose all that apply.)
A. Stub zone
B. Forwarder
C. Conditional forwarder
D. Secondary zone
5. Correct answers: B and C
A. Incorrect: A stub zone replicates authoritative name server information from a target zone. In this situation, you simply want to forward traffic for hosts in a specific zone to a specific DNS server.
B. Correct: You need to configure a forwarder that will forward traffic to your ISP’s DNS server.
C. Correct: A conditional forwarder will forward all traffic to the margiestravel.com DNS zone to a DNS server at a specific address.
D. Incorrect: You want to forward client request traffic either to your ISP’s DNS server or to the margiestravel.com DNS server. Hosting a secondary zone of the margiestravel.com DNS zone does not accomplish this goal.
Lesson 2: WINS and GlobalNames zones
Both WINS and GlobalNames zones provide single-label name resolution solutions. Single-label name resolution solutions are often required because custom code and scripts, some dating back to the days when Windows NT 4.0 was the server operating system of choice, don’t use the DNS FQDNs. In this lesson, you’ll learn how to provide an appropriate single-label name resolution solution for your organizational network.
What is WINS?
WINS is an older name resolution technology that resolves NetBIOS names to IP addresses. WINS was primarily used on networks running Windows NT 4.0 and has been declining in utilization ever since. Other than small changes to make WINS less vulnerable to malicious attack, the functionality of WINS has not changed substantially since the release of Windows Server 2003 almost a decade ago. Windows Server 2012 still includes the WINS role because a large number of organizations have need for single-label name resolution functionality. Single-label name resolution is required when a host is referred to on the network with a single name, such as Windows Server Update Services (WSUS), rather than an FQDN such as wsus.contoso.internal. Depending on how DNS is configured, some clients can use their DNS host suffix to locate hosts on the basis of a single label. You can also integrate DNS with WINS.
How to configure WINS server?
To install and configure the WINS role on a computer running Windows Server 2012, perform the following steps:
1. From Server Manager, use the Manage menu to launch the Add Roles And Features Wizard.
2. Select the WINS Server feature, as shown in Figure 3-11.
To install WINS using Windows PowerShell, use the following command:
Install-WindowsFeature WINS
Unless the routers are specially configured, NetBIOS traffic doesn’t cross subnet boundaries.
This means that unless you take specific steps, the WINS database will not be populated with address entries by hosts on remote networks. WINS does support the creation of static address entries, and you can use it to manually populate the WINS database with the addresses of important hosts that must be resolvable using single-label names. Client computers must know the address of a WINS server to utilize it for single-label name resolution. You can configure a client with the address of a WINS server by configuring DHCP option 044. You can also configure the address of a WINS server by editing the TCP/IPv4 properties on a specific network adapter, as shown in Figure 3-12.
You can configure WINS servers on different subnets as replication partners. When you do this, these WINS servers exchange address data with one another. WINS uses two types of partners in replication:
■ Push partner: A WINS server that notifies a pull partner that the WINS database has been updated. The pull partner will respond with a replication request, and database changes will be replicated. Push replication occurs only when a certain number of updates to the database have occurred.
■ Pull partner: A WINS server that waits for notification that the database has been updated and then replicates database changes.
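The WINS setup described in this lesson from the command line, as an added example that is not part of the original page: install the feature, hand out the WINS address through DHCP option 044, add a static entry for a host on a remote subnet that must be reachable by its single-label name, and pair the server with a WINS server on another subnet as push/pull partners. The addresses 10.10.10.50 (local WINS server), 10.20.10.50 (remote partner), 10.10.10.20 (the WSUS host) and the DHCP scope 10.10.10.0 are constructed values. There is no WINS PowerShell module, so the static record and the partner are added with netsh; the netsh wins argument names below are given as I remember them and are an assumption to confirm with "netsh wins server help" before relying on them.

```powershell
# Added example (not from the original page): install WINS, publish it through DHCP
# option 044, add a static single-label entry and a replication partner.
# Constructed values: local WINS 10.10.10.50, remote partner 10.20.10.50,
# DHCP scope 10.10.10.0, WSUS host 10.10.10.20.
# Assumption: the netsh wins argument names (add name / add partner / show name)
# are from memory; confirm with "netsh wins server help" on the target server.

$LocalWins  = '10.10.10.50'
$RemoteWins = '10.20.10.50'

# Steps 1 and 2 of the text, done from PowerShell.
Install-WindowsFeature WINS -IncludeManagementTools

# Hand out the WINS address with DHCP option 044 for the 10.10.10.0 scope, so clients
# learn the server without per-adapter configuration (the Figure 3-12 dialog).
Set-DhcpServerv4OptionValue -ScopeId '10.10.10.0' -WinsServer $LocalWins

# NetBIOS broadcasts do not cross routers, so hosts on remote subnets never register
# here on their own. A static unique record makes "WSUS" resolvable anyway.
# EndChar=00 is the workstation service name type; RecType=0 is a unique record.
netsh wins server $LocalWins add name 'Name=WSUS' 'EndChar=00' 'RecType=0' 'IP={10.10.10.20}'

# Replication partner on the other subnet. Type=2 makes it both push and pull, so
# updates flow in both directions (0 = pull only, 1 = push only).
netsh wins server $LocalWins add partner "Server=$RemoteWins" 'Type=2'

# Checks: the static record exists on the server, and a client on this subnet can
# resolve it through WINS (nbtstat -c shows the local NetBIOS name cache afterwards).
netsh wins server $LocalWins show name 'Name=WSUS' 'EndChar=00'
nbtstat -c
```

Static entries are exactly the records that outlive the host they describe, so keep the list short and review it when a server is retired: a stale single-label entry pointing at a reassigned address sends every client that still uses the old name to whatever now owns that address.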