Professional Documents
Culture Documents
Implement Windows Server DNS
Implement Windows Server DNS
Learning objectives
After completing this module, you'll be able to:
Prerequisites
- Active Directory Domain Services (AD DS) concepts and technologies.
- Windows Server.
- Core networking technologies.
- Windows client operating systems such as Windows 10. Windows PowerShell basics.
Name resolution is the process of converting computer names to IP addresses. Name resolution is
an essential part of computer networking because it's easier for users to remember names than
abstract numbers, such as an IPv4 or IPv6 address. Windows supports a number of different
methods for resolving computer names, the primary method being DNS.
What is DNS?
DNS is an industry standard name resolution service. Servers running the DNS server role respond
to requests from hosts and other network devices to resolve computer names and hostnames into
IP addresses. DNS servers can also resolve IP addresses into names. DNS servers use DNS resource
records stored in DNS zones. Where a DNS server is unable to resolve a query for a network device,
it might reference other DNS servers by using root hints or forwarding.
Note
The exact format of the zone depends on the type of the zone.
You can create DNS resource records manually, or IP hosts and network devices can register their
DNS records automatically with a DNS server.
The most common use for DNS is resolving full qualified domain names (FQDNs), such as sea-
dc1.contoso.com, to IP addresses. Users require this functionality to access network resources and
websites.
MWCO-Technet
NETWORKING AND COMUNICATIONS II
Administrators use name resolution in DNS when configuring and managing apps, in part because
people can remember names more easily than IP addresses. Domain-joined Windows clients and
servers also use DNS to locate domain controllers in an AD DS domain.
Domain names can be either public (internet-facing) or private. If they are private, you decide how
to define your organization's namespace. If they are public, you must work with the Internet
Corporation for Assigned Names and Numbers (ICANN) or other internet naming registration
authorities that can delegate (sell) unique names to you. From these names, you can create
appropriate subdomain names.
Tip
To help in obtaining trusted certificates for apps and authentication, it's typical to use a public
domain name that's registered on the internet.
DNS servers
A DNS server responds to requests for DNS records that are made by DNS resolvers. For example, a
Windows 10 client can send a DNS request to resolve sea-dc1.contoso.com to a DNS server, and the
DNS server response includes the IP address of sea-dc1.contoso.com.
A DNS server retrieves this information from a local database that contains resource records.
Alternatively, if the DNS server doesn't have the requested information, it can forward DNS requests
to another DNS server. A DNS server also caches previously requested information from other DNS
servers.
While you can configure any Windows Server as a DNS server, it's also common to install the DNS
server role on any Windows Server computer that's promoted to an AD DS domain controller.
Note
Windows Server is configured to be a DNS server when you install the DNS server role.
MWCO-Technet
NETWORKING AND COMUNICATIONS II
DNS resolvers
A DNS resolver is a client—such as a Windows client—that needs to resolve DNS records. In
Windows, the DNS Client service sends DNS requests to the DNS server that's configured in the IP
properties. After receiving a response to a DNS request, Windows caches the response for future
use. This is the DNS resolver cache.
Note
The Windows 10 computer checks its DNS cache before it petitions the DNS server in case it has
recently resolved the required record.
Tip
You can access the contents of the DNS resolver cache either by using the Get-DnsClientCache
cmdlet, or by running the ipconfig /displaydns command. You can clear the contents of the DNS
resolver cache either by using the Clear-DnsClientCache cmdlet, or by using the ipconfig /flushdns
command.
It's worth noting that DNS isn't the only way in which host computers running Windows can resolve
names. A Windows 10 computer can use the following methods, depending on configuration:
MWCO-Technet
NETWORKING AND COMUNICATIONS II
Tip
You can install the WINS server feature on Windows Server if your organization requires NetBIOS
name resolution to support a specific app.
A NetBIOS name is a nonhierarchical name that some older apps use. A 16-character NetBIOS name
identifies a network’s NetBIOS resource. A NetBIOS name represents a single computer or a group
of computers. NetBIOS uses the first 15 characters for a specific computer’s name and the final
sixteenth character to identify a resource or service on that computer. An example of a NetBIOS
name is SEA-SVR2[20h].
Contoso IT infrastructure staff can choose to store the Contoso.com DNS zone content in a file or in
the AD DS database.
Note
On a DNS server which is also an AD DS domain controller, you can only choose to store the zones
in the AD DS database.
MWCO-Technet
NETWORKING AND COMUNICATIONS II
When using AD DS, the internal DNS servers for your organization have a zone that corresponds to
the AD DS domain. For example, if the domain name for AD DS is Contoso.com, there also will be a
Contoso.com DNS zone. AD DS stores resource records that Windows servers and clients use to
locate network services.
Tip
You don't have to make the DNS records containing your AD DS resource information available on
the internet. In fact, you shouldn't.
If you're providing name resolution for a zone to internet clients, you can host the zone on a
Windows server that's accessible on the internet.
Tip
Another option is to place your internet-facing DNS servers in your perimeter network.
You also have the option to host the zone on a third-party DNS service that specializes in providing
internet name resolution.
MWCO-Technet
NETWORKING AND COMUNICATIONS II
specific IP address in a log file and use a reverse lookup to identify the name of the computer that
corresponds with the IP address.
You create reverse lookup zones only for IP address ranges for which you're responsible.
Tip
As a best practice, you should create reverse lookup zones for all the IP address ranges on your
internal network and host them on your internal DNS servers.
The zone name for reverse lookup zones ends with in-addr.arpa and is based on the IPv4 address
range. For example, the zone name for the 172.16.35.0/24 reverse lookup zone will be 35.16.172.in-
addr.arpa.
Tip
Reverse lookup zones are always based on a full octet of the IP address.
In most cases, a secondary zone periodically copies resource records directly from the primary zone.
But in some complex configurations, a secondary zone can copy resource records from another
secondary zone.
MWCO-Technet
NETWORKING AND COMUNICATIONS II
You can store a standard primary zone in a local file, or you can store zone data in AD DS. When you
store zone data in AD DS, the zone is called Active Directory-integrated and enables additional
features, such as secure dynamic updates.
Note
Active Directory-integrated zones are available only on domain controllers with the DNS Server role
installed. Most Windows-based DNS servers use Active Directory-integrated zones.
- Start of authority (SOA). Contains configuration information for the zone, including the
name of the primary DNS server and how often secondary servers should be synchronized.
There's one SOA record per zone.
- Name server (NS). Identifies a DNS server for the domain. There's one NS record for each
DNS server that has a copy of the zone.
Time to live
All resource records are configured with a time to live (TTL). The TTL for a resource record defines
how long DNS clients and DNS servers can cache a DNS response for the record. For example, if a
MWCO-Technet
NETWORKING AND COMUNICATIONS II
record has a TTL of 60 minutes, when a client makes a DNS query for the record, the response is
cached for 60 minutes. If the client attempts to use the queried and resolved name within that 60
minutes, the cached record is used.
Tip
When you're troubleshooting cached DNS records, you might need to clear the cache on the DNS
client and on the DNS server used by that client.
Create zones
When you create a primary zone, you have the option to create a zone file or store the zone in AD
DS. If you create a zone file, the zone is a standard primary zone. If you store the zone in AD DS, the
zone is Active Directory-integrated. A secondary zone is always stored in a zone file.
If you configure a zone to be Active Directory-integrated, the zone data is stored in AD DS and
replicated to domain controllers. You can choose from the following options:
- To all DNS servers running on domain controllers in this forest. Useful in a multi-domain
forest when you want the zone available to DNS servers in all domains. When you select this
option, the DNS zone is stored in the ForestDnsZones partition.
- To all DNS servers running on domain controllers in this domain. Selected by default and
works well for single-domain environments. When you select this option, the DNS zone is
stored in the DomainDnsZones partition.
- To all domain controllers in this domain (for Windows 2000 compatibility). Seldom selected
because replicating to all domain controllers in the domain is less efficient than replicating
only to DNS servers running on domain controllers in the domain. When you select this
option, the DNS zone is stored in the domain partition.
- To all domain controllers in the scope of this directory partition. Use this option to select an
application partition that you have created to store the zone.
Tip
For custom application partitions, you can specify the domain controllers in the forest to which the
zone replicates.
Zone transfers
MWCO-Technet
NETWORKING AND COMUNICATIONS II
Zone records synchronize from a primary zone to a secondary zone by performing a zone transfer.
For each zone, you can control which servers hosting secondary zones can request a zone transfer.
If you choose to allow zone transfers, you can control them with the following options:
- To any server
- Only to servers listed on the Name Servers tab
- Only to the following servers
You can also configure notifications for zone transfers. When notifications are enabled, the primary
server notifies the secondary server when changes are available to synchronize.
Note
After initial replication of a secondary zone is complete, incremental zone transfers occur.
Important
When a zone isn't Active Directory-integrated, you can still allow dynamic updates, but you can't
enforce security.
Tip
Only domain-joined Windows computers that are part of the same forest can perform secure
dynamic updates. To allow non-domain joined Windows clients or non-Windows devices to perform
dynamic updates, you must allow nonsecure dynamic updates.
MWCO-Technet
NETWORKING AND COMUNICATIONS II
Manual creation
When you create resource records to support a specific service or app, you can manually create the
resource records. For example, you can create host or CNAME records, such as app.contoso.com,
for a specific app running on a server. The record name might be easier for users to remember, and
users don't need to reference the server name.
You can create resource records by using DNS manager, Windows Admin Center, or Windows
PowerShell. The following table lists some Windows PowerShell cmdlets that you can use to create
DNS resource records.
Dynamic creation
When you allow dynamic updates for a DNS zone, clients that use DNS register with the DNS server.
The dynamic update creates host and pointer records for the client. Dynamic DNS makes it easier
for you to manage DNS, because when dynamic DNS is enabled, the current IP address for a
computer registers automatically after an IP address change.
Note
The DHCP client service performs the registration, regardless of whether the client’s IP address is
obtained from a DHCP server or is static.
- When the client starts, and the DHCP client service starts
- Every 24 hours while the DHCP client service is running
- When an IP address is configured, added, or changed on any network connection
- When an administrator executes the Register-DNSClient cmdlet
- When an administrator runs the ipconfig /registerdns command
MWCO-Technet
NETWORKING AND COMUNICATIONS II
Note
Demonstration
The following video demonstrates how to implement, create, and manage DNS zones and records
using Windows Admin Center. The main steps in the process are:
1.-Open Microsoft Edge and navigate to the Windows Admin Center site.
3.-In Windows Admin Center, select Tools and then select Roles & features.
5.-On the new server, create a new DNS zone. Define the following properties:
- Zone type
- Zone name
- Zone file
- Dynamic update
7.-Open Windows PowerShell, and using the Resolve-DnsName cmdlet, verify name resolution is
successful for the new record in the new zone.
https://www.microsoft.com/en-us/videoplayer/embed/RE4MjvL?postJsllMsg=true
MWCO-Technet
NETWORKING AND COMUNICATIONS II
Forwarders
You can configure each DNS server with one or more forwarders. If a DNS server receives a request
for a zone for which it isn't authoritative, and it isn't already cached by the server, the DNS server
forwards that request to a forwarder. A DNS server uses a forwarder for all unknown zones.
Forwarders commonly are used for internet name resolution. The internal DNS servers forward
requests to resolve internet names to a DNS server that's outside the corporate network. Your
organization might configure the external DNS servers in a perimeter network, or use a DNS server
provided by your internet service provider. This configuration limits external connectivity and
increases security.
Conditional forwarding
You can configure conditional forwarding for individual DNS domains. This is similar to configuring
a forwarder, except that it applies only to a single DNS domain. Trusted AD DS forests and partner
organizations often use this feature.
When you create a conditional forwarder, you can choose whether to store it locally on a single DNS
server or in AD DS. If you store it in AD DS, it can be replicated to all DNS servers running on domain
controllers in the domain or forest, depending on the option you select. It's easier to manage
conditional forwarders across multiple DNS servers when you store them in AD DS.
Stub zones
The purpose of a stub zone is to provide a list of name servers that can be used to resolve
information for a domain without synchronizing all the records locally. To enable this, the following
are synchronized:
MWCO-Technet
NETWORKING AND COMUNICATIONS II
Tip
Typically, you would use stub zones when integrating with autonomous systems such as partner
organizations.
- You configure a conditional forwarder with specific remote DNS servers that are
authoritative for the domain.
- A stub zone replicates and uses all name server records configured in the zone.
If the authoritative DNS servers are likely to change over time, you might want to use a stub zone,
which automatically updates the name server records and uses only valid name servers for the zone.
However, if firewalls control communication, the updated name servers might be not reachable.
MWCO-Technet