70-410: Installing and Configuring Windows Server 2012 Chapter 4 Deploying and Configuring Core Network Services



Objective 4.1: Configuring IPv4 and IPv6 Addressing

© 2013 John Wiley & Sons, Inc. 3

IPv4 Addressing

• IP Address
  o 32-bit address
  o Four 8-bit values (octets), written in decimal as numbers between 0 and 255 separated by periods
• Subnet Mask
  o 32-bit value of 1's and 0's
  o 1's designate the network bits, 0's the host bits

Example: IP Address 192.168.43.100, Subnet Mask 255.255.255.0 (network portion 192.168.43, host portion 100)

IPv4 Classful Addressing

The three IPv4 address classes


IPv4 Address Classes

                                 Class A       Class B       Class C
First bit values (binary)        0             10            110
First byte value (decimal)       0–127         128–191       192–223
Network identifier bits          8             16            24
Host identifier bits             24            16            8
Number of possible networks      126           16,384        2,097,152
Number of possible hosts         16,777,214    65,534        254

Note: the host counts exclude the all-zeros (network) and all-ones (broadcast) host values, and the Class A network count excludes first-byte values 0 and 127 (127.0.0.0/8 is reserved for loopback).

Classless Inter-Domain Routing

• Classful addressing was gradually phased out by a series of subnetting methods, including variable length subnet masking (VLSM) and, eventually, Classless Inter-Domain Routing (CIDR).

• CIDR is a subnetting method that enables administrators to place the division between the network bits and the host bits anywhere in the address, not just between octets.


CIDR

CIDR notation: 192.168.43.0/26
• The /26 means the first 26 bits of the address are the network identifier
• In binary, the subnet mask is:
  11111111.11111111.11111111.11000000, or 255.255.255.192 in decimal
• Applied to 192.168.43.0/24, this divides the address range into 4 networks, each with up to 62 usable hosts (64 addresses minus the network and broadcast addresses)

CIDR 192.168.43.0/26 Networks

Network Address   Starting IP Address   Ending IP Address   Subnet Mask
192.168.43.0      192.168.43.1          192.168.43.62       255.255.255.192
192.168.43.64     192.168.43.65         192.168.43.126      255.255.255.192
192.168.43.128    192.168.43.129        192.168.43.190      255.255.255.192
192.168.43.192    192.168.43.193        192.168.43.254      255.255.255.192

Public and Private IPv4 Addressing

• Registered (public) IP addresses are not necessary for workstations that merely access resources on the Internet
• The three blocks of addresses allocated for private use (RFC 1918) are as follows:
  o 10.0.0.0/8
  o 172.16.0.0/12
  o 192.168.0.0/16

Using Network Address Translation (NAT)

• NAT is a network-layer routing technology that enables a group of workstations to share a single registered address.
• A NAT router is a device with two network interfaces, one connected to a private network and one to the Internet.
• When a workstation on the private network wants to access an Internet resource, it sends a request to the NAT router.
• The NAT router substitutes its own registered IP address for the workstation's private address (and, because many workstations share that one address, rewrites the source port as well so that it can tell the replies apart), then sends the request on to the Internet server.
• The router performs the same substitution in reverse on the response and forwards it back to the original unregistered workstation.
• Because the private addresses never appear on the Internet, outside hosts cannot initiate connections to the workstations unless the router is explicitly configured to forward them. This is a side effect of NAT, not a substitute for a firewall.

Using a Proxy Server

• Like NAT, a proxy server receives requests from clients on a private network and forwards them to the destination on the Internet, using its own registered address.
• The proxy server interposes additional functions into the forwarding process. These functions can include:
  o Filtering
  o Logging
  o Caching
  o Scanning
• Unlike NAT, a proxy works at the application layer, so applications must be configured to use it.

IPv4 Subnetting

• Allows you to split one IP address range into multiple networks (e.g., you can take the 10.0.0.0/8 private IP address range and use the entire second octet as a subnet ID).
• This creates up to 256 subnets, each with 65,536 addresses, of which 65,534 are usable by hosts (the all-zeros network address and the all-ones broadcast address are not).
• The subnet mask will be 255.255.0.0 and the network addresses will proceed as follows:
  o 10.0.0.0/16
  o 10.1.0.0/16
  o 10.2.0.0/16
  o …
  o 10.255.0.0/16
• When you are working on an existing network, the subnetting process is more difficult, because the new subnet boundaries must fit around addresses that are already in use.

Calculate IPv4 Subnets

1. Determine how many subnet identifier bits you need to create the required number of subnets.

2. Subtract the subnet bits you need from the host bits and add them to the network bits.

3. Calculate the subnet mask by adding the network and subnet bits in binary form and converting the binary value to decimal.

4. Take the least significant subnet bit and the host bits, in binary form, and convert them to a decimal value.

5. Increment the network identifier (including the subnet bits) by the decimal value you calculated to determine the network addresses of your new subnets.

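The five steps above, carried out in code. This is an added illustration in Python, not material from the course deck; it reproduces the 192.168.43.0/26 table from the CIDR slides and the 10.0.0.0/8 split from the subnetting slide, and the only thing it assumes is a Python 3.7 or later interpreter.

```python
"""IPv4 subnet calculator, following the five-step procedure on the slide.

Added worked example (not part of the course deck). plan_subnets() takes
an existing network and the number of subnets required and returns the
new prefix, mask, increment and the subnet table; classify_address()
checks whether an address is usable by a host in a given subnet, the
mistake the "Starting/Ending IP Address" columns guard against.
Python 3.7+, standard library only.
"""
import ipaddress
import math


def plan_subnets(base_cidr: str, subnets_needed: int) -> dict:
    """Split base_cidr (e.g. "192.168.43.0/24") into at least subnets_needed subnets."""
    if subnets_needed < 1:
        raise ValueError("need at least one subnet")
    base = ipaddress.IPv4Network(base_cidr, strict=True)

    # Step 1: subnet identifier bits: the smallest n with 2**n >= subnets_needed
    subnet_bits = math.ceil(math.log2(subnets_needed))

    # Step 2: move those bits from the host part to the network part
    new_prefix = base.prefixlen + subnet_bits
    host_bits = 32 - new_prefix
    if host_bits < 2:
        # a /31 or /32 has no room for a network address, a broadcast address and hosts
        raise ValueError(f"{subnets_needed} subnets leave only {host_bits} host bits")

    # Step 3: the mask is new_prefix one-bits followed by host_bits zero-bits
    mask = str(ipaddress.IPv4Address((0xFFFFFFFF << host_bits) & 0xFFFFFFFF))

    # Step 4: the least significant subnet bit plus the host bits, as a decimal value
    increment = 1 << host_bits  # /26 -> 64, /16 -> 65536

    # Step 5: walk the base network in units of the increment
    table = []
    for subnet in base.subnets(new_prefix=new_prefix):
        table.append({
            "network": str(subnet.network_address),
            "first_host": str(subnet.network_address + 1),
            "last_host": str(subnet.broadcast_address - 1),
            "broadcast": str(subnet.broadcast_address),
            "usable_hosts": subnet.num_addresses - 2,
        })
    return {"prefix": new_prefix, "mask": mask, "increment": increment, "subnets": table}


def classify_address(addr: str, cidr: str) -> str:
    """Return "network", "broadcast", "host" or "outside" for addr relative to cidr."""
    net = ipaddress.IPv4Network(cidr, strict=False)
    ip = ipaddress.IPv4Address(addr)
    if ip not in net:
        return "outside"
    if ip == net.network_address:
        return "network"
    if ip == net.broadcast_address:
        return "broadcast"
    return "host"


if __name__ == "__main__":
    plan = plan_subnets("192.168.43.0/24", 4)
    print(f"/{plan['prefix']}  mask {plan['mask']}  increment {plan['increment']}")
    for row in plan["subnets"]:
        print(f"{row['network']:<16}{row['first_host']:<16}{row['last_host']:<16}{row['broadcast']}")
    print(classify_address("192.168.43.127", "192.168.43.64/26"))  # broadcast, not a host
```

The last line is the check worth remembering: 192.168.43.127 looks like an ordinary host address, but inside 192.168.43.64/26 it is the broadcast address, which is why the table's "Ending IP Address" column stops at .126.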

Supernetting

• Allows contiguous networks to be added to a routing table with one entry, to reduce the size of Internet routing tables.
• For example:
  172.16.43.0/24
  172.16.44.0/24
  172.16.45.0/24
  172.16.46.0/24
  172.16.47.0/24
• Can all be expressed in one supernet address: 172.16.40.0/21
• Check a summary before advertising it: 172.16.40.0/21 spans 172.16.40.0 through 172.16.47.255, so it also covers 172.16.40.0/24 through 172.16.42.0/24, which are not in the list. A summary route that covers prefixes you do not own attracts their traffic to you, or blackholes it.
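A check on the supernet example above, as an added Python illustration (not code from the course deck): it computes the single covering prefix, the exact summary, and what the single prefix over-covers. Python 3.7+ standard library only; the networks are the slide's own.

```python
"""Supernet (route summary) check. Added example, not from the course deck.

covering_supernet() finds the single prefix that contains a list of
networks (the slide's 172.16.43.0/24 ... 172.16.47.0/24 -> 172.16.40.0/21),
exact_summary() gives the smallest set of prefixes that covers exactly
those networks, and overcoverage() lists the address space the single
summary advertises that was not in the list. Python 3.7+, stdlib only.
"""
import ipaddress


def covering_supernet(cidrs) -> ipaddress.IPv4Network:
    """Smallest single prefix containing every network in cidrs."""
    nets = [ipaddress.IPv4Network(c) for c in cidrs]
    lo = int(min(n.network_address for n in nets))
    hi = int(max(n.broadcast_address for n in nets))
    # Shorten the prefix one bit at a time until the aligned block holding lo also holds hi.
    for prefix in range(32, -1, -1):
        shift = 32 - prefix
        block = ipaddress.IPv4Network(((lo >> shift) << shift, prefix))
        if int(block.broadcast_address) >= hi:
            return block
    raise AssertionError("unreachable: 0.0.0.0/0 covers everything")


def exact_summary(cidrs) -> list:
    """Minimal prefixes covering exactly the given networks and nothing else."""
    nets = (ipaddress.IPv4Network(c) for c in cidrs)
    return [str(n) for n in sorted(ipaddress.collapse_addresses(nets))]


def overcoverage(cidrs) -> list:
    """Ranges inside covering_supernet(cidrs) that are not in cidrs (empty if the summary is exact)."""
    listed = list(ipaddress.collapse_addresses(ipaddress.IPv4Network(c) for c in cidrs))
    extra = [covering_supernet(cidrs)]
    for net in listed:
        remaining = []
        for block in extra:
            if net.subnet_of(block):
                remaining.extend(block.address_exclude(net))  # punch net out of block
            elif block.subnet_of(net):
                continue                                        # block fully covered: drop it
            else:
                remaining.append(block)
        extra = remaining
    return [str(n) for n in sorted(ipaddress.collapse_addresses(extra))]


if __name__ == "__main__":
    slide = ["172.16.43.0/24", "172.16.44.0/24", "172.16.45.0/24",
             "172.16.46.0/24", "172.16.47.0/24"]
    print("single summary:", covering_supernet(slide))
    print("exact summary: ", exact_summary(slide))
    print("over-covered:  ", overcoverage(slide))
```

For the slide's five networks the exact summary is two entries, 172.16.43.0/24 and 172.16.44.0/22, while the single /21 also claims 172.16.40.0/23 and 172.16.42.0/24. Which to advertise depends on whether you own that extra space.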

Assigning IPv4 Addresses

To assign IPv4 addresses, there are three basic methods:

• Manual configuration
• Dynamic Host Configuration Protocol (DHCP)
• Automatic Private IP Addressing (APIPA)

Manual IPv4 Address Configuration

• Manually enter the IP address, subnet mask, default gateway and DNS servers.
• Use a GUI or the command line.
• Not difficult, but it can be time consuming on a large network.
• Difficult to troubleshoot if information is entered incorrectly.

Dynamic Host Configuration Protocol (DHCP)

• Client computers are configured to obtain an IP address automatically.
• DHCP servers on the network contain a pool of addresses and other IPv4 configuration settings.
• Clients request configuration at boot up.
• DHCP servers respond to the requests.
• IPv4 configurations are leased for a period of time and renewed as necessary.
• Addresses are not duplicated: the server does not hand out an address while a lease on it is active, and a client that detects its offered address already in use declines it.

Automatic Private IP Addressing (APIPA)

• A fallback used by all current Microsoft Windows operating systems when DHCP is unavailable.
• If a system fails to locate a DHCP server on the network, APIPA takes over and automatically assigns an address on the 169.254.0.0/16 network (the IPv4 link-local block) to the computer.
• For a small network that consists of only a single LAN, APIPA is a simple alternative to installing a DHCP server, but it supplies no default gateway or DNS servers, so the computer can reach only hosts on its own LAN.
• On a network that does have a DHCP server, a client sitting on a 169.254.x.x address is a sign that the DHCP exchange failed (server down, relay missing, or scope exhausted), not a configuration choice.

IPv6 Addressing

• Designed to increase the size of the IP address space (128-bit addresses), thus providing addresses for many more devices than IPv4
• Reduces the size of routing t
ables because the address size allows for a deeper allocation hierarchy (registry, provider, site, subnet) than the two levels of network and host that IPv4 provides, so routes aggregate better

Introducing IPv6

• IPv6 addresses use a notation called colon-hexadecimal format
• Eight 16-bit numbers, written in hexadecimal and separated by colons:
  XX:XX:XX:XX:XX:XX:XX:XX
• Each X represents eight bits (1 byte), which in hexadecimal notation is two characters, so each 16-bit block is four hexadecimal characters, as in:
  21cd:0053:0000:0000:e8bb:04f2:003c:c394

Contracting IPv6 Addresses

• When an IPv6 address has two or more consecutive 16-bit blocks of zeroes, you can replace them with a double colon (but you can only use one double colon in any IPv6 address, otherwise the number of blocks it stands for would be ambiguous):
  21cd:0053::e8bb:04f2:003c:c394
• You can also remove the leading zeros in any block where they appear:
  21cd:53::e8bb:4f2:3c:c394
• When two zero runs are the same length, the leftmost one is contracted; a single zero block is written as 0, not as ::.

Expressing IPv6 Network Addresses

• No subnet masks in IPv6
• Network addresses use the same slash notation as CIDR:
  21cd:53::/64
• This is the contracted form of the network whose first 64 bits are 21cd:0053:0000:0000, that is, 21cd:0053:0000:0000:0000:0000:0000:0000/64 written in full
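The contraction and expansion rules from the three IPv6 notation slides above, implemented as an added Python example (not from the course deck). The rules are those of RFC 5952, which is what the Python standard library follows as well; the addresses are the slides' own examples plus a few edge cases. Python 3.7+, standard library only.

```python
"""IPv6 address contraction and expansion. Added example, not from the course deck.

expand() parses any textual IPv6 address (contracted or not) into eight
16-bit values; compress() applies the rules on the slides the way RFC 5952
standardises them: drop leading zeros, replace the longest run of two or
more zero blocks with "::" (leftmost on a tie), never contract a single
zero block, lowercase hex. ipaddress is used only to cross-check.
"""
import ipaddress
from typing import List

HEX = set("0123456789abcdefABCDEF")


def expand(text: str) -> List[int]:
    """Return the eight 16-bit blocks of an IPv6 address as integers."""
    if text.count("::") > 1:
        raise ValueError("at most one '::' is allowed, or the number of zero blocks is ambiguous")
    if "::" in text:
        head, tail = text.split("::")
        head_groups = head.split(":") if head else []
        tail_groups = tail.split(":") if tail else []
        missing = 8 - len(head_groups) - len(tail_groups)
        if missing < 1:
            raise ValueError("'::' must stand for at least one zero block")
        groups = head_groups + ["0"] * missing + tail_groups
    else:
        groups = text.split(":")
    if len(groups) != 8:
        raise ValueError(f"expected 8 blocks, got {len(groups)}")
    values = []
    for g in groups:
        if not (1 <= len(g) <= 4 and set(g) <= HEX):  # int() alone would accept "0x1", "+1", "1_f"
            raise ValueError(f"bad block {g!r}")
        values.append(int(g, 16))
    return values


def compress(text: str) -> str:
    """Canonical (RFC 5952) text form of an IPv6 address."""
    values = expand(text)
    best_start, best_len, run_start, run_len = 0, 0, 0, 0
    for i, v in enumerate(values):
        if v != 0:
            run_len = 0
            continue
        if run_len == 0:
            run_start = i
        run_len += 1
        if run_len > best_len:          # strictly greater: the leftmost run wins a tie
            best_start, best_len = run_start, run_len
    hexes = [f"{v:x}" for v in values]  # drops leading zeros, lowercase
    if best_len < 2:                    # a lone zero block stays "0"
        return ":".join(hexes)
    return ":".join(hexes[:best_start]) + "::" + ":".join(hexes[best_start + best_len:])


def expanded_prefix(text: str, prefix_len: int) -> str:
    """Full-form text of the first prefix_len bits, e.g. ("21cd:53::", 64) -> "21cd:0053:0000:0000"."""
    if prefix_len % 16 or not 0 < prefix_len <= 128:
        raise ValueError("prefix length must be a multiple of 16 between 16 and 128")
    return ":".join(f"{v:04x}" for v in expand(text)[: prefix_len // 16])


def agrees_with_stdlib(text: str) -> bool:
    """Cross-check both directions against the standard library's canonical forms."""
    ref = ipaddress.IPv6Address(text)
    return compress(text) == str(ref) and ":".join(f"{v:04x}" for v in expand(text)) == ref.exploded


if __name__ == "__main__":
    for a in ("21cd:0053:0000:0000:e8bb:04f2:003c:c394", "2001:db8:0:0:1:0:0:1", "0:0:0:0:0:0:0:1"):
        print(f"{a:<40} -> {compress(a)}")
    print(expanded_prefix("21cd:53::", 64))
```

The second sample address is the one that trips hand-written code: it has two equal zero runs, and only the left one may be contracted, giving 2001:db8::1:0:0:1.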

IPv6 Address Types

IPv6 supports three address types:

• Unicast: Provides one-to-one transmission service to individual interfaces, including server farms sharing a single address. IPv6 supports several types of unicast addresses, including global, link-local, and unique local.
• Multicast: Provides one-to-many transmission service to groups of interfaces identified by a single multicast address.
• Anycast: Provides one-to-one-of-many transmission service to groups of interfaces, only the nearest of which (measured by the number of intermediate routers) receives the transmission.

Original Global Unicast Addresses

The equivalent of a registered IPv4 address, routable worldwide and unique on the Internet. It consists of the following elements:

• Format prefix (FP): An FP value of 001 identifies the address as a global unicast.
• Top Level Aggregator (TLA): A 13-bit globally unique identifier allocated to regional Internet registries by the IANA.
• Reserved: An 8-bit field that is currently unused.
• Next Level Aggregator (NLA): A 24-bit field that the TLA organization uses to create a multilevel hierarchy for allocating blocks of addresses to its customers.
• Site Level Aggregator (SLA): A 16-bit field that organizations can use to create an internal hierarchy of sites or subnets.
• Extended Unique Identifier (EUI-64): A 64-bit field, derived from the network interface adapter's MAC address, identifying a specific interface on the network.

Global Unicast Addresses

The original IPv6 global unicast address format


Current Global Unicast Addresses

The current official format for global unicast addresses consists of the following elements:

• Global routing prefix: A 48-bit field beginning with the 001 FP value, the hierarchical structure of which is left up to the RIR

• Subnet ID: Formerly known as the SLA, a 16-bit field that organizations can use to create an internal hierarchy of sites or subnets

• Interface ID: A 64-bit field identifying a specific interface on the network


Global Unicast Addresses

The current IPv6 global unicast address format


Subnet IDs

Organizations have a 16-bit subnet ID with which to create an internal subnet hierarchy, if desired. Here are some of the possible subnetting options:

• One-level subnet: By setting all subnet ID bits to 0, all computers in the organization are part of a single subnet. This option is only suitable for smaller organizations.
• Two-level subnet: By creating a series of 16-bit values, you can split the network into as many as 65,536 subnets. This is the functional equivalent of IPv4 subnetting, but with a much larger subnet address space.
• Multi-level subnet: By allocating specific numbers of subnet ID bits, you can create multiple levels of subnets, sub-subnets, and sub-sub-subnets; suitable for an enterprise of almost any size.

Subnet ID Example

To support a large international enterprise, you could split the 16-bit subnet ID as follows:

• Country (4 bits): Creates up to 16 subnets representing countries in which the organization has offices
• State (6 bits): Creates up to 64 sub-subnets within each country, representing states, provinces, or other geographical divisions
• Office (2 bits): Creates up to 4 sub-sub-subnets within each state or province, representing offices located in various cities
• Department (4 bits): Creates up to 16 sub-sub-sub-subnets within each office, representing the various departments or divisions

To create a subnet ID for a particular office, it is up to the enterprise administrators to assign values for each field.

Interface IDs

• The interface ID contains a unique identifier for a specific interface on the network.
• The Institute of Electrical and Electronics Engineers (IEEE) defines the format for the 48-bit MAC address assigned to each network adapter by the manufacturer, as well as the EUI-64 identifier format derived from it.
• Deriving interface IDs from the computer's hardware creates a privacy problem: the interface ID stays the same on every network the computer joins, so the location of a mobile computer can be tracked by its IPv6 address.
• Instead of using MAC addresses, Windows operating systems generate random interface IDs by default (the IPv6 global setting "Randomize Identifiers" in netsh).
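How a MAC-derived interface ID is formed and how it can be recognised, as an added Python example (not from the course deck). The MAC addresses are made up; the derivation is the modified EUI-64 rule (insert ff:fe in the middle, invert the universal/local bit). The last function is the practical check: an address whose interface ID carries the ff:fe marker is the kind the slide's privacy concern applies to. Python 3.7+, standard library only.

```python
"""Modified EUI-64 interface IDs. Added example, not from the course deck.

mac_to_interface_id() derives the 64-bit interface ID from a 48-bit MAC,
interface_id_to_mac() reverses it, link_local_from_mac() builds the
fe80::/64 address a host would autoconfigure, and looks_mac_derived()
flags addresses that expose the hardware address. MACs are made up.
"""
import ipaddress


def mac_to_interface_id(mac: str) -> int:
    """Modified EUI-64 from a MAC such as '00:1a:2b:3c:4d:5e'."""
    octets = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(octets) != 6:
        raise ValueError("a MAC address is 6 octets")
    eui = bytearray(octets[:3] + b"\xff\xfe" + octets[3:])  # OUI, ff:fe, device part
    eui[0] ^= 0x02  # invert the universal/local bit (bit 1 of the first octet)
    return int.from_bytes(eui, "big")


def interface_id_to_mac(iid: int):
    """Inverse: recover the MAC if iid carries the ff:fe marker, else None."""
    b = bytearray(iid.to_bytes(8, "big"))
    if b[3:5] != b"\xff\xfe":
        return None
    b[0] ^= 0x02
    return ":".join(f"{x:02x}" for x in b[:3] + b[5:])


def link_local_from_mac(mac: str) -> str:
    """The fe80::/64 address a host autoconfigures from its MAC (without privacy extensions)."""
    return str(ipaddress.IPv6Address((0xfe80 << 112) | mac_to_interface_id(mac)))


def looks_mac_derived(addr: str) -> bool:
    """True if the interface ID of addr has the EUI-64 shape, i.e. it reveals the MAC."""
    iid = int(ipaddress.IPv6Address(addr)) & ((1 << 64) - 1)
    return interface_id_to_mac(iid) is not None


if __name__ == "__main__":
    mac = "00:1a:2b:3c:4d:5e"  # made-up example MAC
    ll = link_local_from_mac(mac)
    print(mac, "->", ll, "->", interface_id_to_mac(int(ipaddress.IPv6Address(ll)) & ((1 << 64) - 1)))
    print(looks_mac_derived(ll), looks_mac_derived("fe80::7c3e:9b1f:4a02:d8c5"))
```

The second address in the last line has a random interface ID of the kind Windows generates by default, so the check reports False for it; seeing True for a host's global address on a public network means its hardware address is visible to every peer it talks to.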

Link-Local Unicast Addresses

• In IPv6, systems that assign themselves an address automatically create a link-local unicast address, which is the equivalent of an APIPA address in IPv4. Unlike APIPA, every IPv6 interface always has a link-local address, even when it also has a global one.
• All link-local addresses have the same network identifier: a 10-bit FP of 1111111010 followed by 54 zeroes, resulting in:
  fe80:0000:0000:0000/64
• In its more compact form, the link-local network address is:
  fe80::/64

Unique Local Unicast Addresses

These are the equivalent of private addresses in IPv4, with the following format:

• Global ID: A 48-bit field beginning with an 8-bit FP of 11111101 in binary, or fd00::/8 in hexadecimal (the whole unique local block is fc00::/7; fd00::/8 is the half whose global ID is generated locally). The remaining 40 bits of the global ID are randomly generated, so that two organizations' unique local networks are very unlikely to collide if they are ever merged or connected.
• Subnet ID: A 16-bit field that organizations can use to create an internal hierarchy of sites or subnets.
• Interface ID: A 64-bit field identifying a specific interface on the network.

Unique Local Unicast Addresses

The IPv6 unique local unicast address format


Special Addresses

• Loopback address: Any messages sent to it are returned to the sending system.
  0:0:0:0:0:0:0:1 or ::1
• Unspecified address: Used as a source address by a system that does not yet have an address of its own, for example while it checks that a newly generated address is not already in use on the link. It is never assigned to an interface or used as a destination.
  0:0:0:0:0:0:0:0 or ::

Multicast Addresses

Multicast addresses always begin with an FP value of 11111111 in binary, or ff in hexadecimal. The entire multicast address format is as follows:

• FP: An 8-bit field that identifies the message as a multicast.
• Flags: A 4-bit field that specifies whether the multicast address contains the address of a rendezvous point (0111), is based on a network prefix (0010), and is permanent (0000) or transient (0001).
• Scope: A 4-bit field that specifies how widely routers can forward the address. Values include interface-local (0001), link-local (0010), site-local (0101), organization-local (1000), and global (1110).
• Group ID: A 112-bit field uniquely identifying a multicast group.
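A classifier for the address types covered in the slides above (unspecified, loopback, link-local, unique local, global unicast, multicast) and a decoder for the multicast flags and scope fields, as an added Python example that is not part of the course deck. Scope names follow the IANA registry; the sample addresses are either well-known groups or made up. Python 3.7+, standard library only.

```python
"""IPv6 address type and multicast field decoder. Added example, not from the course deck.

classify() places an address in one of the categories on the slides by
testing its leading bits; decode_multicast() splits a multicast address
into the flags (0RPT), scope and group ID fields described above.
"""
import ipaddress

SCOPES = {0x1: "interface-local", 0x2: "link-local", 0x4: "admin-local",
          0x5: "site-local", 0x8: "organization-local", 0xE: "global"}


def classify(text: str) -> str:
    """Address type by prefix: the order matters, most specific test first."""
    v = int(ipaddress.IPv6Address(text))
    if v == 0:
        return "unspecified"
    if v == 1:
        return "loopback"
    if (v >> 120) == 0xFF:                  # ff00::/8
        return "multicast"
    if (v >> 118) == 0b1111111010:          # fe80::/10
        return "link-local"
    if (v >> 121) == 0b1111110:             # fc00::/7 (fd00::/8 is the locally assigned half)
        return "unique local"
    if (v >> 125) == 0b001:                 # 2000::/3
        return "global unicast"
    return "other/reserved"


def decode_multicast(text: str) -> dict:
    """Split a multicast address into FP, flags, scope and group ID."""
    v = int(ipaddress.IPv6Address(text))
    if (v >> 120) != 0xFF:
        raise ValueError("not a multicast address")
    flags = (v >> 116) & 0xF
    scope = (v >> 112) & 0xF
    return {
        "flags": f"{flags:04b}",
        "transient": bool(flags & 0x1),     # T bit: 0 = permanent (IANA assigned), 1 = transient
        "prefix_based": bool(flags & 0x2),  # P bit: group ID embeds a unicast prefix
        "rendezvous": bool(flags & 0x4),    # R bit: group ID embeds a rendezvous point address
        "scope": SCOPES.get(scope, f"unassigned ({scope:x})"),
        "group_id": v & ((1 << 112) - 1),
    }


if __name__ == "__main__":
    for a in ("::", "::1", "fe80::1", "fd12:3456:789a::1", "2001:db8::1", "ff02::1", "::ffff:192.0.2.1"):
        print(f"{a:<20}{classify(a)}")
    print(decode_multicast("ff02::1"))      # all nodes on the link
    print(decode_multicast("ff05::1:3"))    # all DHCP servers in the site
```

ff02::1 decodes to flags 0000 (a permanent, IANA-assigned group), scope link-local and group ID 1; that is why a router never forwards it off the local link.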

Anycast Addresses• Used to identify the routers within a given

address scope and send traffic to the nearest router, as determined by the local routing protocols.

• Can be used to identify a particular set of routers in the enterprise, such as those that provide access to the Internet.

• To use anycasts, the routers must be configured to recognize the anycast addresses.


Assigning IPv6 Addresses

As with IPv4, a Windows computer can obtain an IPv6 address by three possible methods:

• Manual allocation: A user or administrator manually supplies an address and other information for each network interface.

• Self-allocation: The computer creates its own address using a process called stateless address autoconfiguration.

• Dynamic allocation: The computer solicits and receives an address from a Dynamic Host Configuration Protocol (DHCPv6) server on the network.


Planning an IP Transition

• Administrators are reluctant to change from IPv4 to IPv6 because there is a lot to learn.
• IPv4 hardware is still functioning.
• The Internet is still mostly IPv4, but a gradual transition is happening, during which both IP versions must be supported.
• Currently, we must have mechanisms in place to transmit IPv6 traffic over IPv4 connections, but the situation will be reversed in the future.

Using a Dual IP Stack

• The simplest way to transition is to run both IP versions.
• Windows has been doing this since Windows Server 2008 and Windows Vista.
• Use ipconfig /all to see the IPv6 configuration.
• This allows us to communicate with IPv4 and IPv6 devices at the same time.
• It also means IPv6 is live on every Windows host whether or not it was planned for, so firewall rules, monitoring and access lists must cover IPv6 as well as IPv4.

Tunneling• Tunneling is the process by which a

system encapsulates an IPv6 datagram within an IPv4 packet.

• Often used for router-to-router communication when communicating between two IPv6 networks over an IPv4 connection.


Tunneling

Two IPv6 networks connected by an IPv4 tunnel


Configuring Tunnels Manually

• It is possible to manually create semi-permanent tunnels that carry IPv6 traffic through an IPv4-only network. When a computer running Windows Server 2012 or Windows 8 is functioning as one end of the tunnel, you can use this command:

netsh interface ipv6 add v6v4tunnel "interface" localaddress remoteaddress

• In this command, interface is a friendly name you want to assign to the tunnel you are creating, and localaddress and remoteaddress are the IPv4 addresses forming the two ends of the tunnel. An example of an actual command would be this:

netsh interface ipv6 add v6v4tunnel "tunnel" 206.73.118.19 157.54.206.43

• The encapsulated traffic travels as IPv4 protocol 41 packets, so any firewall between the two endpoints must permit protocol 41 between those two addresses. The tunnel itself provides no authentication or encryption; protect the IPv6 traffic inside it (for example with IPsec) as you would on any untrusted path.

Objective 4.2: Configuring Servers


Understanding DHCP

The Dynamic Host Configuration Protocol (DHCP) service:

• Automatically configures the IP address and other TCP/IP settings on network computers by assigning addresses from a pool (called a scope) and reclaiming them when they are no longer in use.
• Saves time.
• Prevents configuration errors.

Understanding DHCP

DHCP consists of three components:

• DHCP server application: Responds to client requests for TCP/IP configuration settings.
• DHCP client: Issues requests to servers and applies the TCP/IP configuration settings it receives to the local computer.
• DHCP communications protocol: Defines the formats and sequences of the messages exchanged by DHCP clients and servers.

Understanding DHCP

Three different IP address allocation methods:

• Dynamic allocation: The DHCP server assigns an IP address to a client computer from a scope, for a specified length of time. DHCP servers only lease addresses to clients with this method.
• Automatic allocation: The DHCP server permanently assigns an IP address to a client computer from a scope. It is essentially dynamic allocation with an indefinite lease.
• Manual allocation: The DHCP server permanently assigns a specific IP address to a specific computer on the network. It is called a reservation. You use manually allocated addresses for computers that must have the same IP address at all times.

DHCP Packets

The DHCP packet format


DHCP Options

Besides the IP address, DHCP can deliver many other TCP/IP parameters. They are carried in the options field of the DHCP packet, which is structured as follows:

• Magic cookie: The four bytes 99.130.83.99 that mark the start of the options field
• Option format: Each option is a one-byte code, a one-byte length, and the option data (type-length-value)
• DHCP Message Type option: Identifies the message as a DHCPDISCOVER, DHCPOFFER, and so on
• Pad option: A single zero byte used for alignment; it has no length field
• Option Overload option: Indicates that the sname and file fields of the packet carry additional options
• Vendor-Specific Information option: Carries parameters defined by a vendor rather than by the DHCP standard
• End option: A single byte (255) marking the end of the options

BOOTP Vendor Information Extensions

• Subnet Mask: Specifies which bits of the IP address identify the host system and which bits identify the network where the host system resides.

• Router: Specifies the IP address of the router (or default gateway) on the local network segment the client should use to transmit to systems on other network segments.

• Domain Name Server: Specifies the IP addresses of the servers the client will use for DNS name resolution.

• Host Name: Specifies the DNS host name the client system will use.

• Domain name: Specifies the name of the DNS domain on which the system will reside.


IP Layer Parameters

These options affect the functionality of the IP protocol on the client system:

• IP Forwarding Enable/Disable: Specifies whether IP forwarding (i.e., routing) should be enabled on the client system.
• Default IP Time-to-Live: Specifies the time-to-live value the client should use in its outgoing IP datagrams.
• Interface MTU: Specifies the maximum transmission unit to be used by the Internet Protocol on this network interface only.

DHCP Extensions (1)

These options provide parameters that govern the DHCP lease negotiation and renewal processes:

• Requested IP Address: Used by the client to request a particular IP address from the server.
• IP Address Lease Time: Specifies the duration of a dynamically allocated IP address lease.
• Server Identifier: Specifies the IP address of the server involved in a DHCP transaction; used by the client to address unicasts to the server and, in a DHCPREQUEST, to name which server's offer it is accepting.

DHCP Extensions (2)

• Parameter Request List: Used by the client to send a list of requested configuration options (identified by their code numbers) to the server.
• Message: Carries an error message from the server to the client in a DHCPNAK message.
• Renewal (T1) time value: Specifies the time period that must elapse before an IP address lease enters the renewing state; by default, half the lease duration.
• Rebinding (T2) time value: Specifies the time period that must elapse before an IP address lease enters the rebinding state; by default, 87.5% of the lease duration.

DHCP Message Types (1)

The DHCP communication protocol defines eight different message types:

• DHCPDISCOVER: Used by clients to request configuration parameters from a DHCP server.
• DHCPOFFER: Used by servers to offer IP addresses to requesting clients.
• DHCPREQUEST: Used by clients to accept or renew an IP address assignment.
• DHCPDECLINE: Used by clients to reject an offered IP address.

DHCP Message Types (2)

• DHCPACK: Used by servers to acknowledge a client’s acceptance of an offered IP address.

• DHCPNAK: Used by servers to reject a client’s acceptance of an offered IP address.

• DHCPRELEASE: Used by clients to terminate an IP address lease.

• DHCPINFORM: Used by clients to obtain additional TCP/IP configuration parameters from a server.

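The packet format, options field and message types from the slides above, as an added Python example (not from the course deck). It builds a DHCPDISCOVER and a DHCPOFFER, parses them back the way a server or client must, and applies the T1/T2 defaults. The MAC address, transaction ID and addresses are made up; nothing is sent on the network. Python 3.7+, standard library only.

```python
"""DHCP message encoder/decoder. Added example, not from the course deck.

build_dhcp() assembles the fixed 236-byte header (RFC 2131), the magic
cookie and the options; parse_dhcp() checks the cookie, walks the
type-length-value options, honours Pad (0) and End (255), and rejects an
option whose declared length runs past the end of the packet (a classic
DHCP parser bug). lease_timers() applies the T1/T2 defaults.
"""
import struct

MAGIC_COOKIE = b"\x63\x82\x53\x63"  # 99.130.83.99
MESSAGE_TYPES = {1: "DHCPDISCOVER", 2: "DHCPOFFER", 3: "DHCPREQUEST", 4: "DHCPDECLINE",
                 5: "DHCPACK", 6: "DHCPNAK", 7: "DHCPRELEASE", 8: "DHCPINFORM"}
OPT_PAD, OPT_SUBNET_MASK, OPT_ROUTER, OPT_DNS = 0, 1, 3, 6
OPT_LEASE_TIME, OPT_MSG_TYPE, OPT_SERVER_ID, OPT_PARAM_LIST = 51, 53, 54, 55
OPT_T1, OPT_T2, OPT_END = 58, 59, 255


def ip4(text: str) -> bytes:
    return bytes(int(x) for x in text.split("."))


def build_dhcp(op: int, xid: int, mac: bytes, options, yiaddr: str = "0.0.0.0") -> bytes:
    """op 1 = BOOTREQUEST (client to server), 2 = BOOTREPLY (server to client)."""
    if len(mac) != 6:
        raise ValueError("Ethernet hardware address is 6 bytes")
    header = struct.pack("!BBBBIHH4s4s4s4s16s64s128s",
                         op, 1, 6, 0,                      # op, htype=Ethernet, hlen, hops
                         xid, 0, 0x8000,                   # xid, secs, flags: broadcast bit set
                         b"\0" * 4, ip4(yiaddr), b"\0" * 4, b"\0" * 4,  # ciaddr, yiaddr, siaddr, giaddr
                         mac.ljust(16, b"\0"), b"\0" * 64, b"\0" * 128)   # chaddr, sname, file
    body = bytearray(header + MAGIC_COOKIE)
    for code, value in options:
        if not 0 < len(value) < 256:
            raise ValueError(f"option {code}: length {len(value)} not encodable in one byte")
        body += bytes([code, len(value)]) + value
    body.append(OPT_END)
    return bytes(body)


def parse_dhcp(packet: bytes) -> dict:
    if len(packet) < 240 or packet[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP packet (too short or bad magic cookie)")
    op, _htype, hlen, _hops, xid, _secs, flags = struct.unpack("!BBBBIHH", packet[:12])
    options, i = {}, 240
    while i < len(packet):
        code = packet[i]
        if code == OPT_PAD:                 # single byte, no length field
            i += 1
            continue
        if code == OPT_END:
            break
        if i + 1 >= len(packet):
            raise ValueError("truncated option header")
        length = packet[i + 1]
        if i + 2 + length > len(packet):    # the overrun check a careless parser forgets
            raise ValueError(f"option {code}: length {length} overruns the packet")
        options[code] = packet[i + 2:i + 2 + length]
        i += 2 + length
    else:
        raise ValueError("options field has no End option")
    mtype = options.get(OPT_MSG_TYPE)
    return {
        "op": op, "xid": xid, "broadcast": bool(flags & 0x8000),
        "chaddr": ":".join(f"{b:02x}" for b in packet[28:28 + min(hlen, 16)]),
        "yiaddr": ".".join(str(b) for b in packet[16:20]),
        "message_type": MESSAGE_TYPES.get(mtype[0]) if mtype and len(mtype) == 1 else None,
        "options": options,
    }


def lease_timers(options: dict) -> dict:
    """Lease, renewal (T1) and rebinding (T2) times in seconds; defaults are 50% and 87.5%."""
    lease = struct.unpack("!I", options[OPT_LEASE_TIME])[0]
    t1 = struct.unpack("!I", options[OPT_T1])[0] if OPT_T1 in options else lease // 2
    t2 = struct.unpack("!I", options[OPT_T2])[0] if OPT_T2 in options else lease * 7 // 8
    return {"lease": lease, "t1": t1, "t2": t2}


def make_discover(xid: int, mac: bytes) -> bytes:
    """What a client broadcasts at boot: message type 1 plus a Parameter Request List."""
    return build_dhcp(1, xid, mac, [(OPT_MSG_TYPE, b"\x01"),
                                    (OPT_PARAM_LIST, bytes([OPT_SUBNET_MASK, OPT_ROUTER, OPT_DNS]))])


def make_offer(xid: int, mac: bytes, yiaddr: str, server: str, lease: int) -> bytes:
    """The server's reply: offered address in yiaddr, its identity and the lease in options."""
    return build_dhcp(2, xid, mac, [(OPT_MSG_TYPE, b"\x02"), (OPT_SERVER_ID, ip4(server)),
                                    (OPT_LEASE_TIME, struct.pack("!I", lease)),
                                    (OPT_SUBNET_MASK, ip4("255.255.255.0")),
                                    (OPT_ROUTER, ip4("192.168.43.1"))], yiaddr=yiaddr)


if __name__ == "__main__":
    mac = bytes.fromhex("001a2b3c4d5e")  # made-up client MAC
    print(parse_dhcp(make_discover(0x3903F326, mac))["message_type"])
    offer = parse_dhcp(make_offer(0x3903F326, mac, "192.168.43.100", "192.168.43.5", 86400))
    print(offer["message_type"], offer["yiaddr"], lease_timers(offer["options"]))
```

With a 24-hour lease the client enters the renewing state after 12 hours (T1) and the rebinding state after 21 hours (T2), which is the timing the lease renewal figure below describes.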

DHCP Lease Negotiation

The DHCP IP address assignment process


DHCP Lease Renewal

The DHCP IP address renewal process


Designing a DHCP Infrastructure

• The Windows Server 2012 DHCP Server service is theoretically capable of supporting many thousands of clients.
• Virtually all enterprise networks require more than one DHCP server.
• DHCP relies on broadcast messages, which routers do not forward; a client can therefore reach only a DHCP server on its own subnet unless a relay agent forwards its requests.

Using a Distributed DHCP Infrastructure

A distributed DHCP infrastructure


Using a Centralized DHCP Infrastructure

A centralized DHCP infrastructure


Using a Hybrid DHCP Infrastructure

• The distributed and centralized DHCP infrastructures represent the extremes at opposite ends of the design spectrum.
• The ideal solution resides somewhere between them.
• A hybrid DHCP infrastructure uses multiple DHCP servers on different subnets, but it does not necessarily require a DHCP server on every subnet.

Regulating DHCP Network Traffic

Several factors can affect network traffic, and you can make configuration choices that change the amount of traffic generated by DHCP:

• Place DHCP servers close to the clients.
• Lengthen the lease duration so there are fewer renewals.
• Make the lease duration unlimited; note that the server then never reclaims addresses from clients that leave the network, so a scope can run out of addresses.

Deploying a DHCP Server

• The DHCP Server service is packaged as a role in Windows Server 2012.

• Install the role, through the Add Roles and Features Wizard in Server Manager.

• DHCP servers operate independently, so you must install the service and configure scopes on every computer that will function as a DHCP server.


Creating a Scope

• A scope is a range of IP addresses on a particular subnet that are selected for allocation by a DHCP server.
• Create a scope using the DHCP snap-in for Microsoft Management Console (MMC).

Configuring DHCP Options

The Windows DHCP server supports two kinds of options:

• Scope options: Supplied only to DHCP clients receiving addresses from a particular scope.
• Server options: Supplied to all DHCP clients receiving addresses from the server.
• Where both define the same option, the scope option takes precedence over the server option.

Creating a Reservation

• A reservation is a manually allocated address.
• Used for computers whose IP addresses must remain the same (static), like domain controllers, DNS servers, and Internet web servers.
• Allows you to manage all of your IP addresses through DHCP.
• A reservation is matched to the client by the hardware (MAC) address the client itself presents, so it identifies a machine for administrative convenience, not as a security control.

Using PXE

• The Pre-boot Execution Environment (PXE) is a feature built into many network interface adapters that enables them to connect to a DHCP server over the network and obtain TCP/IP client settings, even when the computer has no operating system.
• DHCP can also supply the workstation with an option specifying the location of a boot file that the system can download and use to start the computer and initiate a Windows operating system installation.

Using PXE with WDS

• Windows Deployment Services (WDS) enables administrators to manage image files that remote workstations can use to start up and install Windows.
• When WDS and the DHCP server run on the same computer, the DHCP server must have a custom PXEClient option (option 60) configured, so that PXE clients learn that the DHCP server is also their PXE server and contact WDS on its own port (UDP 4011) for the boot file.
• A PXE client trusts the first boot offer it receives, so keep PXE-enabled hosts on subnets where only your own DHCP and WDS servers can answer.

Deploying a DHCP Relay Agent

• If you create a centralized or hybrid DHCP infrastructure, you will need a DHCP relay agent on every subnet that does not have a DHCP server on it.

• Many routers are capable of functioning as DHCP relay agents, but when they cannot, you can configure a Windows Server 2012 computer to function as a relay agent.

Objective 4.3: Deploying and Configuring the DNS Service

Understanding the DNS Architecture

• Host names are easier for us to remember than IP addresses.

• Computers need to resolve the host names we use to IP addresses in order to communicate with other computers.

• This conversion process is referred to as name resolution.

• Host tables were used when networks were small, but are impractical today.

• Today, Domain Name System (DNS) servers convert host names into IP addresses.


Creating a DNS Standard

At its core, the DNS is still a list of names and their equivalent IP addresses, but the methods for creating, storing, and retrieving those names are very different from those in a host table. The DNS consists of three elements:

• The DNS name space
• Name servers
• Resolvers

The DNS Name Space

• The DNS standards define a tree-structured name space in which each branch of the tree identifies a domain.
• Each domain contains a collection of resource records that contain host names, IP addresses, and other information.
• Query operations are attempts to retrieve specific resource records from a particular domain.

Name Servers

• A DNS server is an application running on a server computer that maintains information about the domain tree structure and (usually) contains authoritative information about one or more specific domains in that structure.
• The application responds to queries for information about the domains for which it is the authority and forwards queries about other domains to other name servers.
• This enables any DNS server to access information about any domain in the tree.

Resolvers

• A resolver is a client program that generates DNS queries and sends them to a DNS server for fulfillment.
• A resolver has direct access to at least one DNS server and can also process referrals to direct its queries to other servers when necessary.

Creating a DNS Standard

DNS servers relay requests and replies to other DNS servers


DNS Naming

• A two-tiered system, consisting of domain names and host names
• Obtain domain names from a centralized authority, to ensure uniqueness
• Assign the host names within that domain
• Internet websites use this naming method
• We access web servers using a Uniform Resource Locator (URL), such as:
  http://www.contoso.com

DNS Naming

The DNS domain hierarchy


The DNS Domain Hierarchy

• The authoritative source for a domain is the DNS server responsible for maintaining that domain’s resource records.

• DNS servers can locate the authoritative source for any domain name, by communicating with other DNS servers.

• Domains at each level of the hierarchy are responsible for maintaining information about the domains in the next lower level.

• The root name servers are the highest-level DNS servers in the entire namespace.

• All DNS server implementations are preconfigured with the IP addresses of the root name servers.


Top-Level Domains

The original DNS name space called for six generic top-level domains (gTLDs), dedicated to specific purposes:

• com: Commercial organizations
• edu: Four-year, degree-granting educational institutions in North America
• gov: United States government institutions
• mil: United States military applications
• net: Networking organizations
• org: Noncommercial organizations

ICANN's New Top-Level Domains

ICANN is also responsible for the ratification of new top-level domains, including:

• aero, biz, coop, info, museum, name, pro
• asia, cat, jobs, mobi, tel, travel

Top-Level Domains

• The root name servers do nothing but respond to millions of requests by sending out the addresses of the authoritative servers for the top-level domains.
• The top-level domain servers do the same for the second-level domains.
• There are no hosts in the root or top-level domains.

Country Code Domains

There are hundreds of two-letter country-code top-level domains (ccTLDs):

• fr for France
• de for Deutschland (Germany)
• us for the United States
• ca for Canada

Each domain is permitted to establish its own prices and requirements for registration of subdomains.

Second-Level Domains

• Each top-level domain has its own collection of second-level domains.
• Individuals and organizations can purchase these domains for their own use.
• To use the domain name, you must supply the registrar with the IP addresses of two DNS servers that you want to be the authoritative sources for information about the domain.
• The administrators of the top-level domain servers then create resource records pointing to these authoritative servers.

Subdomains

• Once you purchase the rights to a second-level domain, you can create as many hosts as you want in that domain by creating new resource records on the authoritative servers.
• You can also create as many additional domain levels as you want, with only a few limitations:
  o Each individual label (the part between two periods) can be no more than 63 characters long.
  o The total FQDN (including the trailing period) can be no more than 255 characters long.

DNS Messaging

The Domain Name System uses a single message format for all communications that consists of the following five sections:

• Header: Contains information about the nature of the message.

• Question: Contains the information being requested from the destination server.

• Answer: Contains resource records supplying the information requested in the Question section.

• Authority: Contains resource records pointing to an authority for the information requested in the Question section.

• Additional: Contains resource records with additional information in response to the Question section.
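The five-section format above, as an added example that is not from the slides: a small Python parser that splits a hand-constructed response for www.example.com (documentation addresses) into header, question, answer, authority and additional sections, following compression pointers and refusing pointer loops.

```python
"""Parse a DNS message into the five sections the slide lists. Added example; the
wire-format response below is constructed by hand, not taken from the slides."""
import struct
RR_TYPES = {1: "A", 2: "NS", 5: "CNAME", 6: "SOA", 12: "PTR", 15: "MX", 28: "AAAA"}
SAMPLE_RESPONSE = bytes.fromhex(                         # constructed response
    "1234 8180 0001 0001 0001 0001"                      # header: id, flags, 4 counts
    "03777777 076578616d706c65 03636f6d 00 0001 0001"    # question: www.example.com A IN
    "c00c 0001 0001 00000e10 0004 c000020a"              # answer: A 192.0.2.10, TTL 3600
    "c010 0002 0001 00015180 0006 036e7331c010"          # authority: example.com NS ns1
    "c03d 0001 0001 00015180 0004 c0000235")             # additional: ns1 A 192.0.2.53

def read_name(msg, pos):
    """Decode a (possibly compressed) name; return (name, offset after it)."""
    labels, end, hops = [], None, 0
    while True:
        length = msg[pos]
        if length & 0xC0 == 0xC0:                  # 11xxxxxx: compression pointer
            end = pos + 2 if end is None else end  # a pointer terminates the name
            pos, hops = struct.unpack_from("!H", msg, pos)[0] & 0x3FFF, hops + 1
            if hops > 16:                          # refuse pointer loops in bad input
                raise ValueError("compression pointer loop")
        elif length == 0:                          # root label ends the name
            return ".".join(labels), (pos + 1 if end is None else end)
        else:
            labels.append(msg[pos + 1:pos + 1 + length].decode("ascii"))
            pos += 1 + length

def read_rr(msg, pos):                             # one record: answer/authority/additional
    name, pos = read_name(msg, pos)
    rtype, _cls, ttl, rdlen = struct.unpack_from("!HHIH", msg, pos)
    rdata = msg[pos + 10:pos + 10 + rdlen]
    if rtype in (2, 5, 12):                        # NS, CNAME, PTR carry a name
        data, _ = read_name(msg, pos + 10)
    else:                                          # A: dotted quad; anything else: hex
        data = ".".join(map(str, rdata)) if rtype == 1 and rdlen == 4 else rdata.hex()
    return {"name": name, "type": RR_TYPES.get(rtype, rtype), "ttl": ttl, "data": data}, pos + 10 + rdlen

def parse_message(msg):                            # header + the four record sections
    ident, flags, qd, an, ns, ar = struct.unpack_from("!HHHHHH", msg)
    out = {"header": {"id": ident, "response": bool(flags & 0x8000), "rcode": flags & 0xF},
           "question": [], "answer": [], "authority": [], "additional": []}
    pos = 12                                       # question section follows the header
    for _ in range(qd):
        name, pos = read_name(msg, pos)
        qtype = struct.unpack_from("!H", msg, pos)[0]
        out["question"].append({"name": name, "type": RR_TYPES.get(qtype, qtype)})
        pos += 4                                   # QTYPE + QCLASS
    for section, count in (("answer", an), ("authority", ns), ("additional", ar)):
        for _ in range(count):
            rr, pos = read_rr(msg, pos)
            out[section].append(rr)
    return out
```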

DNS Communications

• Type a URL containing a DNS name (www.microsoft.com) into the browser's Address box and press Enter.

• You will see a message that says something like “Finding Site: www.microsoft.com.”

• Then, a few seconds later, you will see a message that says “Connecting to,” followed by an IP address.

• It is during this interval that the DNS name resolution process occurs.

DNS Communications

A DNS client sends a name resolution request to its designated DNS server


DNS Communications

The client’s DNS server forwards an iterative query to a root name server


DNS Communications

The client’s DNS server forwards an iterative query to a top-level domain server


DNS Communications

The client’s DNS server forwards an iterative query to a second-level domain server


DNS Communications

The client’s DNS server returns the IP address supplied by the authoritative server to the client


DNS Server Caching

• DNS servers are capable of retaining the information they learn about the DNS name space in the course of their name resolution procedures and storing it in a cache on the local drive.

• The next time that a client requests the resolution of a previously resolved name, the server can respond immediately with the cached information.

DNS Server Caching

Name caching enables the second name resolution request for the same name to bypass the referral process


Negative Caching

• Negative caching occurs when a DNS server retains information about names that do not exist in a domain.

• The top-level domain server returns a reply containing an error message, which is then retained in the requesting DNS server’s cache.

Cache Data Persistence

• Caching is a vital element of the DNS architecture, because it reduces the number of requests sent to the root name and top-level domain servers.

• The amount of time that DNS data remains cached on a server is called its Time To Live (TTL).

• The administrators of each authoritative DNS server specify how long the data for the resource records in their domains or zones should be retained in the servers where it is cached.


DNS Referrals and Queries

The process by which one DNS server sends a name resolution request to another DNS server is called a referral.

DNS servers recognize two types of name resolution requests:

• Recursive query: The DNS server receiving the name resolution request takes full responsibility for resolving the name. If the server possesses information about the requested name, it replies immediately to the requestor.

• Iterative query: The server that receives the name resolution request immediately responds with the best information it possesses at the time. This information could be cached or authoritative, and it could be a resource record containing a fully resolved name or a reference to another DNS server. DNS servers use iterative queries when communicating with each other.
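The referral chain of the DNS Communications slides, the server caching (positive and negative, bounded by TTL) and the recursive/iterative distinction above, as one added simulation that is not from the slides; the server names, records and the 300-second negative TTL are constructed.

```python
"""Simulate the resolution chain from the slides: a recursive server walks root ->
TLD -> second-level servers with iterative queries, then caches positive and
negative answers until their TTL expires. Added example on constructed data; it is
not code from the original slides."""
import time

# Constructed authoritative data. Each server answers iteratively with the best it
# has now: a final record, a referral down the tree, or "no such name".
SERVERS = {
    "root":            {"referrals": {"com": "tld-com"}, "records": {}},
    "tld-com":         {"referrals": {"example.com": "ns1.example.com"}, "records": {}},
    "ns1.example.com": {"referrals": {}, "records": {"www.example.com": ("192.0.2.10", 3600)}},
}
NEGATIVE_TTL = 300        # constructed: how long a "name does not exist" reply is cached

def iterative_query(server, name):
    """One iterative query: ('answer', ip, ttl), ('referral', next_server) or ('nxdomain',)."""
    zone = SERVERS[server]
    if name in zone["records"]:
        return ("answer",) + zone["records"][name]
    labels = name.split(".")
    for i in range(len(labels)):                  # longest matching delegation wins
        suffix = ".".join(labels[i:])
        if suffix in zone["referrals"]:
            return ("referral", zone["referrals"][suffix])
    return ("nxdomain",)

class RecursiveServer:
    """Takes full responsibility for a recursive query, using a TTL-bounded cache."""
    def __init__(self, clock=time.time):
        self.cache, self.clock, self.queries_sent = {}, clock, 0

    def resolve(self, name):
        cached = self.cache.get(name)
        if cached and cached[1] > self.clock():     # (result, expiry) still within TTL
            return cached[0]
        server = "root"
        for _ in range(8):                          # bound the referral chain
            self.queries_sent += 1
            reply = iterative_query(server, name)
            if reply[0] == "referral":
                server = reply[1]
                continue
            if reply[0] == "answer":
                result, ttl = reply[1], reply[2]
            else:                                   # negative caching of the error reply
                result, ttl = None, NEGATIVE_TTL
            self.cache[name] = (result, self.clock() + ttl)
            return result
        raise RuntimeError("referral chain too long")
```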

DNS Forwarders

• DNS servers send recursive queries to other servers when you configure a server to function as a forwarder.

• On a network running several DNS servers, you may not want all the servers sending queries to other DNS servers on the Internet.

Reverse Name Resolution

• Reverse name resolution is when a computer needs to convert an IP address into a DNS name.

• A special domain called in-addr.arpa is specifically designed for reverse name resolution.

• For example, to resolve the IP address 192.168.89.34 into a name, a DNS server would locate a domain called 89.168.192.in-addr.arpa in the usual manner and read the contents of a resource record named 34 in that domain.

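The 192.168.89.34 example above, as added code that is not from the slides: it derives the 89.168.192.in-addr.arpa zone and the record name 34 from the address, and extends the same rule to IPv6 (ip6.arpa), which the slide does not cover.

```python
"""Build the in-addr.arpa name from the slide and split it into the reverse zone a
server locates and the record name it reads inside that zone. Added example; not
code from the slides. It also covers IPv6 (ip6.arpa), which the slide does not."""
import ipaddress

def reverse_name(address):
    """192.168.89.34 -> '34.89.168.192.in-addr.arpa'; IPv6 gives nibble-reversed ip6.arpa."""
    return ipaddress.ip_address(address).reverse_pointer

def reverse_zone_and_record(address, prefix_len):
    """Zone and record name for `address` when the reverse zone covers /prefix_len."""
    ip = ipaddress.ip_address(address)
    if ip.version == 4:                      # in-addr.arpa delegates on octet boundaries
        if prefix_len % 8 or not 8 <= prefix_len <= 24:
            raise ValueError("IPv4 reverse zones use /8, /16 or /24 here")
        parts, per_label, suffix = str(ip).split("."), 8, "in-addr.arpa"
    else:                                    # ip6.arpa delegates on nibble boundaries
        if prefix_len % 4 or not 4 <= prefix_len <= 124:
            raise ValueError("IPv6 reverse zones use a multiple of 4 bits")
        parts, per_label, suffix = list(ip.exploded.replace(":", "")), 4, "ip6.arpa"
    n = prefix_len // per_label              # labels that belong to the zone name
    zone = ".".join(reversed(parts[:n])) + "." + suffix
    record = ".".join(reversed(parts[n:]))   # the record read inside that zone
    return zone, record
```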

Reverse Name Resolution

The DNS reverse lookup domain


Designing a DNS Deployment

• Every computer on a TCP/IP network needs access to a DNS server.

• Internet service providers (ISPs) nearly always include the use of their DNS servers in their rates, and in some cases it might be better to use other DNS servers rather than run your own.

• The first factor in designing a DNS deployment is what DNS services your network requires.

Resolving Internet Names

• A caching-only server is not the authoritative source for any domain and hosts no resource records of its own.

• It is used for Internet name resolution purposes, and it processes incoming queries from resolvers and sends its own queries to other DNS servers on the Internet.

• As a general rule, if your network requires no DNS services other than name resolution, you should consider using off-site DNS servers.


Resolving Internet Names

Using an ISP’s caching-only DNS server


Resolving Internet Names

Using your own caching-only DNS server


Hosting Internet Domains

• One advantage to hosting your domain on your own DNS servers is the ability to modify your resource records at will.

• Using a commercial domain hosting service provides greater reliability, in the form of redundant servers and Internet connections, so your DNS records are always available.


Hosting Active Directory Domains

• You must have at least one DNS server on the network that supports the Service Location (SRV) resource record, in order to run Active Directory Domain Services (AD DS).

• The DNS server does not have to have a registered IP address or an Internet domain name.


Integrating DHCP and DNS

• To resolve a DNS name into an IP address, the DNS server must have a resource record containing a name and IP address.

• DHCP creates an environment where IP addresses can change.

• Dynamic Updates in the Domain Name System (DNS UPDATE) enables a DNS server to modify resource records at the request of DHCP servers and clients.

• When a DHCP server assigns an address to a client, it also sends the commands to the DNS server to create or update the records.


Separating DNS Services

• You do not have to choose to have your DNS servers entirely external, or entirely internal.

• It is possible to use a single DNS server to host both Internet and Active Directory domains, as well as to provide clients with name resolution services and DHCP support.

• Services are independent from each other; therefore, you might want to split these functions by using several DNS servers.

• You can use a commercial service provider to host your Internet domain while keeping your Active Directory domain hosting and dynamic update services internal.


Creating Internet Domains

• Most organizations register a single second-level domain and use it to host all their Internet servers.

• The name will depend on what is available.

• If your name is already taken:
o Choose a different domain name.
o Register the name in a different top-level domain.
o Attempt to purchase the domain name from its current owner.

Creating Internet Domains

Some organizations maintain multiple sites on the Internet.

There are two basic ways to implement multiple sites on the Internet:

• Register a single second-level domain name and then create multiple subdomains beneath.

• Register multiple second-level domains: If your organization consists of multiple, completely unrelated brands or operations, this is often the best solution.


Creating Internal Domains

When you are designing a DNS namespace for a network that uses Active Directory Domain Services, the DNS domain name hierarchy is directly related to the directory service hierarchy.


Names for Your Internal Domains

• Keep domain names short
• Avoid an excessive number of domain levels
• Create a naming convention and stick to it
• Avoid obscure abbreviations
• Avoid names that are difficult to spell

Naming for a Network Connected to the Internet

• Use registered domain names

• Do not use top-level domain names or names of commonly known products or companies

• Use only characters that are compliant with the Internet standard

Creating Subdomains

• The primary reason for creating subdomains is to delegate administrative authority for parts of the namespace

• You can create subdomains based on geographical locations or logical divisions within your company, or any way you want

Combining Internal and External Domains

Use the same domain name internally and externally: A computer in the internal network could have the same DNS name as a computer on the external network. This duplication wreaks havoc with the name resolution process. Strongly discouraged.

Create separate and unrelated internal and external domains: By using different domain names for your internal and external networks, you eliminate the potential name resolution conflicts that come with using the same domain name for both networks.

Make the internal domain a subdomain of the external domain: Microsoft recommends combining internal and external networks by registering a single Internet domain name and using it for external resources, and then creating a subdomain beneath that domain name and using it for your internal network.


Combining Internal and External Domains

Internal and external domain names


Creating Host Names

• Create hosts the same way you create domains—devise a naming rule and then stick to it.

• In many cases, host-naming rules are based on users, geographical locations, or the function of the computer.

Creating Host Names—Best Practices

• Create easily remembered names
• Use unique names throughout the organization
• Do not use case to distinguish names
• Use only characters supported by all your DNS servers

Deploying a DNS Server

• Install the DNS Server role, using the Add Roles and Features Wizard in Server Manager.

• The server is ready to perform caching-only name resolution services for any clients that have access to it.

• Use the DNS Manager console to configure the DNS server’s other capabilities.


Creating Zones

• A zone is an administrative entity you create on a DNS server to represent a discrete portion of the DNS namespace.

• Zones always consist of entire domains or subdomains.

• Usually, administrators create multiple zones on a server and then delegate most of them to other servers for hosting.

• Every zone consists of a zone database, which contains the resource records for the domains in that zone.

Creating Zones

Valid zones must consist of contiguous domains


Zone Types

• Primary zone: Contains the master copy of the zone database, where administrators make all changes to the zone’s resource records.

• Secondary zone: A duplicate of a primary zone on another server that contains a backup copy of the primary master zone database file, stored as an identical text file on the server’s local drive.

• Stub zone: A copy of a primary zone that contains the key resource records that identify the authoritative servers for the zone. The stub zone forwards or refers requests.

Using Active Directory-Integrated Zones

• Storing the DNS database in Active Directory provides a number of advantages:
o Ease of administration
o Conservation of network bandwidth
o Increased security

• The zone database is replicated automatically to other domain controllers, along with all other Active Directory data.

Creating Resource Records

When you run your own DNS server, you create a resource record for each host name that you want to be accessible by the rest of the network.


Types of Resource Records (1)

The most important types of resource record used by DNS servers:

• SOA (Start of Authority): Indicates that the server is the best authoritative source for data concerning the zone. Each zone must have an SOA record, and only one SOA record can be in a zone.

• NS (Name Server): Identifies a DNS server functioning as an authority for the zone. Each DNS server in the zone (whether primary master or secondary) must be represented by an NS record.

• A (Address): Provides a name-to-address mapping that supplies an IPv4 address for a specific DNS name. This record type performs the primary function of the DNS, converting names to addresses.

• AAAA (Address): Provides a name-to-address mapping that supplies an IPv6 address for a specific DNS name. This record type performs the primary function of the DNS, converting names to addresses.

Types of Resource Records (2)

• PTR (Pointer): Provides an address-to-name mapping that supplies a DNS name for a specific address in the in-addr.arpa domain. This is the functional opposite of an A record, used for reverse lookups only.

• CNAME (Canonical Name): Creates an alias that points to the canonical name (i.e., the “real” name) of a host identified by an A record. Used to provide alternative names by which systems can be identified.

• MX (Mail Exchanger): Identifies a system that will direct e-mail traffic sent to an address in the domain to the individual recipient, a mail gateway, or another mail server.

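The record rules above (one SOA per zone, NS for every authoritative server, CNAME aliases pointing at a host with an A record) together with the zone-contiguity and label-length limits from the Creating Zones and Subdomains slides, as an added validator that is not from the slides; the sample zone is constructed with documentation addresses, and the "alias cannot carry other records" check is the RFC 1034 rule rather than something stated on the slides.

```python
"""Check a zone's resource records against rules stated in the slides: exactly one
SOA, at least one NS, only contiguous names inside the zone, CNAME aliases pointing
at a host that has an A or AAAA record, and the 63-character label / 255-character
FQDN limits. Added example on constructed records; not code from the slides."""
import re

LABEL_RE = re.compile(r"^[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?$")  # letters, digits, hyphen

def name_errors(fqdn):
    """Label and FQDN length limits plus Internet-standard characters."""
    errs = []
    if len(fqdn.rstrip(".") + ".") > 255:                # count the trailing period
        errs.append(f"{fqdn}: FQDN longer than 255 characters")
    for label in fqdn.rstrip(".").split("."):
        if len(label) > 63 or not LABEL_RE.match(label):
            errs.append(f"{fqdn}: label '{label}' too long or not Internet-standard")
    return errs

def validate_zone(zone, records):
    """records: list of (owner name, type, data) with owner names as FQDNs."""
    errs, by_name = [], {}
    types = [t for _, t, _ in records]
    if types.count("SOA") != 1:
        errs.append(f"{zone}: exactly one SOA record required, found {types.count('SOA')}")
    if "NS" not in types:
        errs.append(f"{zone}: no NS record for any authoritative server")
    for name, rtype, _ in records:
        by_name.setdefault(name, set()).add(rtype)
        if name != zone and not name.endswith("." + zone):
            errs.append(f"{name}: outside zone {zone} (zones are contiguous domains)")
        errs += name_errors(name)
    for name, rtype, target in records:
        if rtype == "CNAME" and by_name[name] - {"CNAME"}:
            errs.append(f"{name}: an alias cannot carry other records (RFC 1034 rule)")
        if rtype in ("CNAME", "MX") and target in by_name and not by_name[target] & {"A", "AAAA"}:
            errs.append(f"{name}: {rtype} target {target} has no A/AAAA record in the zone")
    return errs

# Constructed sample zone (documentation addresses) that satisfies every rule.
GOOD_ZONE = [
    ("example.com", "SOA", "ns1.example.com hostmaster.example.com 2013010101 3600 600 86400 300"),
    ("example.com", "NS", "ns1.example.com"),
    ("ns1.example.com", "A", "192.0.2.53"),
    ("server1.example.com", "A", "192.0.2.10"),
    ("server1.example.com", "AAAA", "2001:db8::10"),
    ("www.example.com", "CNAME", "server1.example.com"),
    ("example.com", "MX", "server1.example.com"),
]
```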

Configuring DNS Server Settings

Once you have installed a DNS server and created zones and resource records on it, there are many settings you can alter to modify its behavior.