This document provides instructions on configuring DNS for Active Directory. It discusses configuring DNS zones, including primary, secondary, and stub zones. It also covers creating new zones, managing resource records, enabling dynamic updates, and configuring zone aging and scavenging. The key aspects covered are configuring zones, DNS server settings, and zone transfers and replication.
Windows Server 2003 introduced several changes to DNS including:
1) Application directory partitions allow DNS zone data to be stored separately from global catalog reducing replication load.
2) Stub zones and conditional forwarders improve name resolution between domains.
3) DNS client settings can now be centrally managed through group policy for things like suffix search lists.
4) Additional security features were added like DNSSEC and logging enhancements but full support requires future Windows versions.
Windows Server 2003 introduced several changes to DNS including:
1. Application directory partitions allow DNS zone data to be stored in a non-domain naming context partition, removing it from the global catalog.
2. Stub zones and conditional forwarders provide name resolution between different namespaces.
3. Group policies centralize configuration of client DNS settings like the suffix search list.
4. DNS logging and security extensions were enhanced, and round robin updating is now more configurable.
The document provides an overview of configuring Domain Name System (DNS) including:
- Reviewing DNS concepts such as zones, resource records, and name resolution
- Installing and configuring DNS in an Active Directory domain, including creating zones, records, and redundant DNS servers
- The relationship between Active Directory, DNS, and Windows including integrating DNS with the domain namespace, split-brain DNS, delegations, and dynamic updates
DNS (Domain Name System) is a hierarchical naming system that translates domain names to IP addresses and vice versa. A DNS server is a computer that runs DNS services to provide name resolution. DNS works by querying multiple levels of DNS servers, starting from the root servers, then TLD (top-level domain) servers, then authoritative name servers, to ultimately resolve domain names to IP addresses.
Chapter 4 configuring and managing the dns server roleLuis Garay
This document provides an overview of configuring and managing a DNS server. It discusses DNS namespaces, zones, resource records including SOA, NS, A, AAAA, CNAME, MX, and SRV records. It describes different types of DNS servers like primary, secondary, caching-only, and AD-integrated servers. It also covers topics like installing the DNS server role, configuring zones, performing zone transfers, and using root hints for name resolution.
The document provides step-by-step instructions for configuring a master DNS server on Linux. It discusses installing bind packages, configuring the named.conf and zones files to define domains and records, creating zone files for forward and reverse lookups, restarting services, and testing the name resolution. Key aspects covered include defining the master server IP, domains and records in the zones file, generating zone files from templates, configuring firewall rules and resolving configuration.
DNS, which stands for domain name system, controls your domain name's website and email settings. When visitors go to your domain name, its DNS settings control which company's server it reaches out to.
Build Dynamic DNS server from scratch in C (Part1)Yen-Kuan Wu
This is my final project. The purpose is that I don't get any course about Network, so I try to implement DNS server and learn from practicing.
In this slide, it would cover brief introduction of ddns server, prerequisite for building protocol, aims of my project and all of pitfalls I have met.
Demo resolver.
I would finish this project and provide the part2 of slide.
Windows Server 2003 introduced several changes to DNS including:
1) Application directory partitions allow DNS zone data to be stored separately from global catalog reducing replication load.
2) Stub zones and conditional forwarders improve name resolution between domains.
3) DNS client settings can now be centrally managed through group policy for things like suffix search lists.
4) Additional security features were added like DNSSEC and logging enhancements but full support requires future Windows versions.
Windows Server 2003 introduced several changes to DNS including:
1. Application directory partitions allow DNS zone data to be stored in a non-domain naming context partition, removing it from the global catalog.
2. Stub zones and conditional forwarders provide name resolution between different namespaces.
3. Group policies centralize configuration of client DNS settings like the suffix search list.
4. DNS logging and security extensions were enhanced, and round robin updating is now more configurable.
The document provides an overview of configuring Domain Name System (DNS) including:
- Reviewing DNS concepts such as zones, resource records, and name resolution
- Installing and configuring DNS in an Active Directory domain, including creating zones, records, and redundant DNS servers
- The relationship between Active Directory, DNS, and Windows including integrating DNS with the domain namespace, split-brain DNS, delegations, and dynamic updates
DNS (Domain Name System) is a hierarchical naming system that translates domain names to IP addresses and vice versa. A DNS server is a computer that runs DNS services to provide name resolution. DNS works by querying multiple levels of DNS servers, starting from the root servers, then TLD (top-level domain) servers, then authoritative name servers, to ultimately resolve domain names to IP addresses.
Chapter 4 configuring and managing the dns server roleLuis Garay
This document provides an overview of configuring and managing a DNS server. It discusses DNS namespaces, zones, resource records including SOA, NS, A, AAAA, CNAME, MX, and SRV records. It describes different types of DNS servers like primary, secondary, caching-only, and AD-integrated servers. It also covers topics like installing the DNS server role, configuring zones, performing zone transfers, and using root hints for name resolution.
The document provides step-by-step instructions for configuring a master DNS server on Linux. It discusses installing bind packages, configuring the named.conf and zones files to define domains and records, creating zone files for forward and reverse lookups, restarting services, and testing the name resolution. Key aspects covered include defining the master server IP, domains and records in the zones file, generating zone files from templates, configuring firewall rules and resolving configuration.
DNS, which stands for domain name system, controls your domain name's website and email settings. When visitors go to your domain name, its DNS settings control which company's server it reaches out to.
Build Dynamic DNS server from scratch in C (Part1)Yen-Kuan Wu
This is my final project. The purpose is that I don't get any course about Network, so I try to implement DNS server and learn from practicing.
In this slide, it would cover brief introduction of ddns server, prerequisite for building protocol, aims of my project and all of pitfalls I have met.
Demo resolver.
I would finish this project and provide the part2 of slide.
Domain Name System (DNS) - Domain Registration and Website Hosting BasicsAsif Shahzad
I teach Web Technologies course at COMSATS University to undergrad students. These are lectures slides prepared for students. I thought to share it with all. Hope you would like it. It contains good enough details about how DNS, Hosting and Domain Registration works.
DNS (Domain Name System) is a hierarchical distributed database that maps hostnames to IP addresses. It allows easy-to-remember hostnames to be used instead of hard-to-remember IP addresses. The document discusses DNS servers, clients, resolvers, zones, and record types including SOA, NS, A, CNAME, PTR, MX, and SRV records. It also introduces tools for working with DNS like Nslookup, Ipconfig, and DNSCmd.
This document provides an overview of the Domain Name System (DNS) in several paragraphs. It begins with an introduction to DNS as a large distributed database that contains domain names and IP addresses. It then discusses the history of DNS and how it evolved from a centralized hosts file to a distributed system. The remainder of the document describes the key components of DNS including the name space, resolvers, name servers, and explains why DNS is needed by covering aspects like scalability, reliability, and dynamic updates.
This document provides an overview of configuring and managing a DNS server, including:
1. Installing the DNS server role and configuring zones, records, and name resolution.
2. Describing DNS namespaces, zones, primary/secondary servers, and record types like SOA, NS, A, MX and SRV.
3. Explaining how DNS servers resolve queries using root hints, recursion, caching, and forwarders.
1) DNS is a hierarchical distributed naming system that maps domain names to IP addresses through authoritative name servers responsible for particular domains and subdomains.
2) DNS servers resolve fully qualified domain names (FQDN) to IP addresses and vice versa.
3) A computer's DNS server IP address is configured in its TCP/IP settings, allowing it to send DNS requests to the correct server.
DNS is a distributed database that translates hostnames to IP addresses. It operates through a hierarchy of root servers, top-level domain servers, and authoritative name servers. DNS provides additional services like load balancing and mail server aliasing. Queries are resolved through recursive or iterative lookups between clients and servers to map names to addresses.
The presentation summarizes DNS, SMTP, and POP3 protocols. It discusses configuring a local host file to map IP addresses to hostnames, setting up a DNS server using Bind on Windows 7, and interacting with an email server using SMTP and POP3 commands via Telnet. The objectives are to resolve hostnames, configure DNS, and send emails between mailboxes on the email server. Requirements include networked PCs and servers running Windows 7 with TCP/IP and an email server configured with user mailboxes.
This document provides an A-Z index of common Windows command line (CMD) commands, listing the name and brief description of each command. It includes both internal CMD commands, marked with a bullet, and external commands that can also be run directly or from other shells like PowerShell. The index contains over 100 different commands for performing tasks like copying files, changing directories, managing disks and partitions, viewing system information, scheduling tasks, and more. It also provides additional resources for command documentation and discussion.
Active Directory is a hierarchical directory service for Windows domain networks that stores information about objects on the network such as user accounts, groups, computers, printers, and other network resources. It provides a centralized system for managing these resources. A domain controller is a server that contains the Active Directory database and controls access to network resources. A domain is a collection of computers, users, and groups that share a common directory database and security policies.
The document discusses Domain Name System (DNS) servers and how they work. It provides information on:
1) DNS servers translate domain names to IP addresses so computers can locate systems on the internet. The DNS database hierarchy includes root servers, TLD servers, and authoritative name servers.
2) DNS uses a distributed database and client-server model. Root servers point to TLD servers, which point to authoritative servers that maintain records for domains.
3) DNS configuration files include named.conf, resolv.conf, zone files, and include files that define DNS settings and mappings.
This document provides an overview of Linux and DNS server administration. It discusses what Linux is, where it is used, advantages of using Linux like low cost and security. It also explains what a DNS server is, components of DNS like domains, hostname, zones and how to configure a DNS server in Linux. Hackers prefer Linux due to its availability, customizability and prevalence on servers. Using public DNS services like Google DNS can help speed up internet access. Linux provides a flexible, secure and low-cost operating system for applications including web servers.
This document provides an introduction to DNS (Domain Name System) in 3 paragraphs:
It explains that DNS was created to address the problems with using a centralized HOSTS.TXT file to map hostnames to IP addresses as the Internet grew. DNS introduced a distributed and hierarchical namespace that maps domain names to IP addresses through a global network of name servers.
It describes the basic structure and functionality of DNS, including that it is organized in a tree structure with top-level domains at the root, each domain can be delegated to different administrators, and name servers contain parts of the distributed database that maps domain names and resource records like A records (IPv4 addresses) and MX records (mail servers).
The
This document provides an A-Z index of common Windows CMD commands and their functions. It lists over 100 commands including basic commands like DIR, COPY, DEL, MD, RD, REN, TYPE, VER along with more advanced commands for managing disks, files, permissions, users, groups, networking, services, tasks and remote administration. The index is intended to help users navigate and learn about the various capabilities available through the Windows command line interface.
DNS provides resolution between host names and IP addresses in a hierarchical namespace separated by periods. The document discusses the configuration of a DNS master server in 7 steps, including installing required packages, editing configuration files, defining forward and reverse lookup zones, and starting the named service. DNS is a crucial distributed database that enables the internet to function through mapping of human-friendly names to machine-readable IP addresses.
The document discusses HDFS architecture and components. It describes how HDFS uses NameNodes and DataNodes to store and retrieve file data in a distributed manner across clusters. The NameNode manages the file system namespace and regulates access to files by clients. DataNodes store file data in blocks and replicate them for fault tolerance. The document outlines the write and read workflows in HDFS and how NameNodes and DataNodes work together to manage data storage and access.
This document provides an A-Z index of Windows CMD commands, listing over 100 commands and their brief descriptions. Some key commands include:
- DIR - Display a list of files and folders
- COPY - Copy one or more files to another location
- DEL - Delete one or more files
- MD - Create new folders
- REN - Rename a file or files
- CD - Change Directory - move to a specific Folder
- VER - Display version information
This document provides instructions for installing and configuring BIND (DNS) on a CentOS 6 server. It describes how to configure the IP address, hostname, and DNS settings. It also explains how to install and configure BIND, including creating forward and reverse DNS zones for the dragongang.com domain. The configuration is tested using nslookup and dig to verify name resolution.
This document provides an overview and instructions for installing CentOS 5, configuring various auxiliary tools (Apache, MySQL, PHP, phpMyAdmin, vsftpd), implementing security measures, setting up DNS, and installing the phpBB3 forum software on the CentOS server. The project is broken into sections on CentOS installation, configuring the auxiliary tools, security, DNS, and phpBB3 installation and customization. Detailed steps are provided for tasks like installing each tool, testing functionality, editing configuration files, and granting necessary permissions.
Domain Name System (DNS) - Domain Registration and Website Hosting BasicsAsif Shahzad
I teach Web Technologies course at COMSATS University to undergrad students. These are lectures slides prepared for students. I thought to share it with all. Hope you would like it. It contains good enough details about how DNS, Hosting and Domain Registration works.
DNS (Domain Name System) is a hierarchical distributed database that maps hostnames to IP addresses. It allows easy-to-remember hostnames to be used instead of hard-to-remember IP addresses. The document discusses DNS servers, clients, resolvers, zones, and record types including SOA, NS, A, CNAME, PTR, MX, and SRV records. It also introduces tools for working with DNS like Nslookup, Ipconfig, and DNSCmd.
This document provides an overview of the Domain Name System (DNS) in several paragraphs. It begins with an introduction to DNS as a large distributed database that contains domain names and IP addresses. It then discusses the history of DNS and how it evolved from a centralized hosts file to a distributed system. The remainder of the document describes the key components of DNS including the name space, resolvers, name servers, and explains why DNS is needed by covering aspects like scalability, reliability, and dynamic updates.
This document provides an overview of configuring and managing a DNS server, including:
1. Installing the DNS server role and configuring zones, records, and name resolution.
2. Describing DNS namespaces, zones, primary/secondary servers, and record types like SOA, NS, A, MX and SRV.
3. Explaining how DNS servers resolve queries using root hints, recursion, caching, and forwarders.
1) DNS is a hierarchical distributed naming system that maps domain names to IP addresses through authoritative name servers responsible for particular domains and subdomains.
2) DNS servers resolve fully qualified domain names (FQDN) to IP addresses and vice versa.
3) A computer's DNS server IP address is configured in its TCP/IP settings, allowing it to send DNS requests to the correct server.
DNS is a distributed database that translates hostnames to IP addresses. It operates through a hierarchy of root servers, top-level domain servers, and authoritative name servers. DNS provides additional services like load balancing and mail server aliasing. Queries are resolved through recursive or iterative lookups between clients and servers to map names to addresses.
The presentation summarizes DNS, SMTP, and POP3 protocols. It discusses configuring a local host file to map IP addresses to hostnames, setting up a DNS server using Bind on Windows 7, and interacting with an email server using SMTP and POP3 commands via Telnet. The objectives are to resolve hostnames, configure DNS, and send emails between mailboxes on the email server. Requirements include networked PCs and servers running Windows 7 with TCP/IP and an email server configured with user mailboxes.
This document provides an A-Z index of common Windows command line (CMD) commands, listing the name and brief description of each command. It includes both internal CMD commands, marked with a bullet, and external commands that can also be run directly or from other shells like PowerShell. The index contains over 100 different commands for performing tasks like copying files, changing directories, managing disks and partitions, viewing system information, scheduling tasks, and more. It also provides additional resources for command documentation and discussion.
Active Directory is a hierarchical directory service for Windows domain networks that stores information about objects on the network such as user accounts, groups, computers, printers, and other network resources. It provides a centralized system for managing these resources. A domain controller is a server that contains the Active Directory database and controls access to network resources. A domain is a collection of computers, users, and groups that share a common directory database and security policies.
The document discusses Domain Name System (DNS) servers and how they work. It provides information on:
1) DNS servers translate domain names to IP addresses so computers can locate systems on the internet. The DNS database hierarchy includes root servers, TLD servers, and authoritative name servers.
2) DNS uses a distributed database and client-server model. Root servers point to TLD servers, which point to authoritative servers that maintain records for domains.
3) DNS configuration files include named.conf, resolv.conf, zone files, and include files that define DNS settings and mappings.
This document provides an overview of Linux and DNS server administration. It discusses what Linux is, where it is used, advantages of using Linux like low cost and security. It also explains what a DNS server is, components of DNS like domains, hostname, zones and how to configure a DNS server in Linux. Hackers prefer Linux due to its availability, customizability and prevalence on servers. Using public DNS services like Google DNS can help speed up internet access. Linux provides a flexible, secure and low-cost operating system for applications including web servers.
This document provides an introduction to DNS (Domain Name System) in 3 paragraphs:
It explains that DNS was created to address the problems with using a centralized HOSTS.TXT file to map hostnames to IP addresses as the Internet grew. DNS introduced a distributed and hierarchical namespace that maps domain names to IP addresses through a global network of name servers.
It describes the basic structure and functionality of DNS, including that it is organized in a tree structure with top-level domains at the root, each domain can be delegated to different administrators, and name servers contain parts of the distributed database that maps domain names and resource records like A records (IPv4 addresses) and MX records (mail servers).
The
This document provides an A-Z index of common Windows CMD commands and their functions. It lists over 100 commands including basic commands like DIR, COPY, DEL, MD, RD, REN, TYPE, VER along with more advanced commands for managing disks, files, permissions, users, groups, networking, services, tasks and remote administration. The index is intended to help users navigate and learn about the various capabilities available through the Windows command line interface.
DNS provides resolution between host names and IP addresses in a hierarchical namespace separated by periods. The document discusses the configuration of a DNS master server in 7 steps, including installing required packages, editing configuration files, defining forward and reverse lookup zones, and starting the named service. DNS is a crucial distributed database that enables the internet to function through mapping of human-friendly names to machine-readable IP addresses.
The document discusses HDFS architecture and components. It describes how HDFS uses NameNodes and DataNodes to store and retrieve file data in a distributed manner across clusters. The NameNode manages the file system namespace and regulates access to files by clients. DataNodes store file data in blocks and replicate them for fault tolerance. The document outlines the write and read workflows in HDFS and how NameNodes and DataNodes work together to manage data storage and access.
This document provides an A-Z index of Windows CMD commands, listing over 100 commands and their brief descriptions. Some key commands include:
- DIR - Display a list of files and folders
- COPY - Copy one or more files to another location
- DEL - Delete one or more files
- MD - Create new folders
- REN - Rename a file or files
- CD - Change Directory - move to a specific Folder
- VER - Display version information
This document provides instructions for installing and configuring BIND (DNS) on a CentOS 6 server. It describes how to configure the IP address, hostname, and DNS settings. It also explains how to install and configure BIND, including creating forward and reverse DNS zones for the dragongang.com domain. The configuration is tested using nslookup and dig to verify name resolution.
This document provides an overview and instructions for installing CentOS 5, configuring various auxiliary tools (Apache, MySQL, PHP, phpMyAdmin, vsftpd), implementing security measures, setting up DNS, and installing the phpBB3 forum software on the CentOS server. The project is broken into sections on CentOS installation, configuring the auxiliary tools, security, DNS, and phpBB3 installation and customization. Detailed steps are provided for tasks like installing each tool, testing functionality, editing configuration files, and granting necessary permissions.
The document provides instructions for configuring a DNS server on a Linux system using BIND. It involves installing BIND, editing configuration files such as named.conf and named.rfc1912.zones to define the domain zone and name server, copying and editing the zone file, changing permissions on the zone file, modifying named.caching-namedserver.conf, and restarting the named service. Finally, nslookup is used to test the name resolution.
This document provides instructions for configuring DNS on Linux CentOS using BIND. It involves 6 steps: 1) Installing BIND packages, 2) Creating the named.conf configuration file, 3) Creating zone files in /etc/named.rfc1912.zones, 4) Creating forward and reverse zone files in /var/named, 5) Configuring the zone files, and 6) Testing the DNS configuration. The zone files define the DNS records for the domain warkop.com, including an A record with an IP address and a CNAME record for the www subdomain.
Module 3: Configuring and Troubleshooting DNS
This module introduces you to Domain Name System (DNS), which is the foundation name service in Windows Server 2008 R2. It is vital that you understand how to deploy, configure, manage, and troubleshoot this critical service.
Lessons
Installing the DNS Server Role
Configuring the DNS Server Role
Configuring DNS Zones
Configuring DNS Zone Transfers
Managing and Troubleshooting DNS
Lab : Configuring and Troubleshooting DNS
Selecting a DNS Configuration
Deploying and Configuring DNS
Troubleshooting DNS
After completing this module, students will be able to:
Install the DNS server role.
Configure the DNS server role.
Create and configure DNS zones.
Configure zone transfers.
Manage and troubleshoot DNS.
The document provides an overview of networking concepts for Linux, including TCP/IP models, ports, IP addressing, and configuring both wired and wireless network interfaces. It discusses OSI vs TCP/IP models, connection types, ports, IP, gateways, switches vs hubs, and main network services. It then details how to configure wired NICs using ifconfig, ifup/ifdown, and configuration files for Red Hat, Debian, and Ubuntu. Finally, it covers configuring wireless networks by scanning, setting encryption, and obtaining IP addresses.
This document provides information on configuring the Berkeley Internet Name Domain (BIND) DNS server. It describes DNS and how resource records are organized hierarchically with domains and subdomains separated by periods. The document outlines the files needed to configure BIND, including the name.conf, zone files, and loopback file. It explains the directory structure for non-chrooted and chrooted configurations and provides troubleshooting commands.
Cent os 5.1 - configuring samba 3.0 to use the ads security modeB Sasi Kumar
This document provides instructions for configuring Samba 3.0 on CentOS to use Active Directory authentication by joining an Active Directory domain as a member server. It involves installing Kerberos and configuring the /etc/krb5.conf file to point to the Active Directory domain controller as the KDC. Samba is then configured using the security=ADS mode to authenticate users against Active Directory using LDAP and Kerberos. The goal is to allow Windows users to access Samba shares without separate Linux accounts and keep passwords synchronized between Active Directory and Samba.
This document provides biographical information about Mehdi Poustchi Amin and Hedieh Amirjahanshahi, including their certifications and place of study from 2007 to 2008 at Symbiosis Institute of Computer Studies & Research.
This document summarizes how to configure networking on CentOS including connecting to a network with NetworkManager, setting up local area networks, checking Ethernet connectivity, monitoring network traffic with Wireshark, setting up an Apache web server, monitoring server activities with Apache logs, installing and configuring a MySQL database server, and opening firewall ports for services. Key steps include installing NetworkManager, configuring TCP/IP, using ifconfig to check Ethernet status, starting httpd and MySQL servers, creating MySQL databases and tables, and granting user access to MySQL databases.
The presentation discusses DNS, SMTP, and POP3 protocols. It provides instructions on configuring a DNS server on Windows 7, including downloading and installing BIND, creating configuration files, and testing the DNS server. It also describes using Telnet and SMTP commands to send emails between servers, and creating a batch file to automate email messaging through the command prompt.
The document provides instructions for configuring network devices and operating systems to use Google Public DNS instead of an ISP's DNS servers. It lists the Google Public DNS IP addresses, then gives step-by-step examples of how to change the DNS settings in Windows, MacOS, Linux, routers, and mobile devices. Users are advised to write down their original DNS settings before making changes. The document also provides support contact information.
The document provides instructions on how to configure a DNS server. It begins by explaining what a DNS server is and its purpose of translating domain names to IP addresses. It then discusses IP addresses and the differences between dynamic and static IP addresses. Finally, it provides the steps to install and configure a Microsoft DNS server using DNS Manager. These include adding the DNS component in Windows and using DNS Manager to configure the server.
Logging is important for troubleshooting a DNS service. Conveniently with BIND 9, almost all problems will show up somewhere in the log output, but only if the logging is enabled and configured correctly.
In this webinar, we’ll discuss the BIND 9 logging configuration and best practices in searching through large log-files to find the entries of interest. In addition, we’ll release log-management tools used by Men & Mice Services.
How To Install and Configure VSFTPD on RHEL 7 or CentOS 7VCP Muthukrishna
This document provides instructions on how to install and configure the VSFTPD file transfer protocol (FTP) server on Red Hat Enterprise Linux 7 or CentOS 7. It includes steps to install the VSFTPD package, manage the VSFTPD service, and configure options such as the data folder, anonymous user access, banners, and uploads. The document is intended to help users set up an FTP server using the VSFTPD package on RHEL/CentOS 7 systems.
The document provides an overview of the Domain Name System (DNS) including its history, key components, and configuration. DNS converts domain names to IP addresses and vice versa by using a distributed database with a hierarchical structure. The database is divided into zones stored on nameservers. Resolvers query nameservers to lookup names and return results to requesting programs. The document outlines the DNS namespace, nameservers, zones, resource records, configuration files, and utilities for testing and querying DNS.
This document provides step-by-step instructions for installing CentOS 7 on a virtual machine. It describes pressing a key to begin installation, selecting a language, configuring installation destination and partitioning, setting up networking using DHCP, creating a root user and optional additional user, finishing installation, and rebooting. Upon first login, the document recommends verifying the IP address and disk configuration.
The document discusses the Domain Name System (DNS), which translates domain names to IP addresses and vice versa. It describes the hierarchical structure of DNS with zones, resource records, and name servers. Primary and secondary name servers maintain authoritative data for zones, while caching name servers store previously looked up data to improve performance. The domain name resolution process involves queries to authoritative and caching name servers to map names to addresses.
The document provides instructions on configuring and troubleshooting DNS, including installing the DNS server role, configuring zones and zone transfers, managing DNS records, and testing the DNS configuration. It covers DNS concepts like namespace, resource records, caching, and troubleshooting tools. The lab exercise has students set up a DNS infrastructure with primary, secondary, and stub zones between two servers to test zone resilience.
The document introduces the DNS system by explaining its purpose of mapping names to resources for easier lookup than numbers. It describes DNS features like global distribution, loose coherency, scalability, reliability, and dynamic updates. Key concepts are explained such as hierarchical DNS names, domains and delegation of subdomains, authoritative and recursive name servers, resource records including SOA and NS records, and how TTL and zone refresh timers maintain consistency.
This document summarizes the key components and functions of DNS (Domain Name System) servers. It discusses how DNS servers handle name resolution queries by querying other DNS servers in a hierarchical manner. It also describes different types of DNS zones (primary, secondary, stub) and how they are used. Active directory integrated zones provide benefits like secure dynamic updates and increased resilience through replication. The document concludes by demonstrating how to sign a DNS zone with DNSSEC to verify signatures.
This document discusses planning for DNS infrastructure, including:
1. Creating a DNS server plan by determining capacity, location, roles, and security of DNS servers
2. Creating a DNS namespace plan by selecting an appropriate internal namespace
3. Creating a DNS zone plan by identifying zone requirements, types, and security and planning for additional DNS servers if the main server is overloaded
4. Creating a zone replication and delegation plan by selecting a replication methodology, securing replication, and planning for zone delegation to distribute load across servers
1. The document discusses concepts related to server 2008 including domains, workgroups, DNS, Active Directory, domain controllers, DHCP, and organizational units.
2. Key points covered include the definition of a domain as a logical secure boundary used to centrally administer computers, and differences between domain users and local users.
3. Active Directory Domain Services (ADDS) is discussed as authorizing and authenticating users and computers on a Windows domain network to ensure security.
Active Directory requires DNS to be installed and configured properly. The Active Directory Installation Wizard guides administrators through installing a new forest, domain, or child domain. Post-installation tasks include verifying DNS records and zones are created correctly and aging and scavenging are configured. Trust relationships allow communication between domains and forests and can be established manually as shortcut, external, cross-forest, or realm trusts.
This document provides an overview of the Domain Name System (DNS). It describes DNS as a hierarchical distributed database that maps human-friendly domain names to computer-friendly IP addresses. DNS uses a client-server model where DNS clients submit queries to DNS servers to lookup names and the servers respond with the corresponding IP addresses. The document also discusses key DNS concepts like DNS records, zones, primary and secondary servers, and how DNS is used to support technologies like Active Directory and DHCP.
LESSON 2 - Active Directory and Domain Controller.pptxssuser0f6f05
Active Directory is a centralized database that manages users, groups, computers and other network resources. A domain controller runs Active Directory services and maintains a copy of the Active Directory database, synchronizing changes with other domain controllers. A domain is a logical grouping of computers that share the same Active Directory database, identified by a common domain name suffix. Server roles determine the major functions a server can perform; a domain controller typically only has the Active Directory Domain Services and Domain Name System roles.
Overview of the Domain Name System (DNS).
In the early days of the Internet, hosts had a fixed IP address.
Reaching a host required to know its numeric IP address.
With the growing number of hosts this scheme became quickly awkward and difficult to use.
DNS was introduced to give hosts human readable names that would be translated into a numeric IP addresses on the fly when a requesting host tried to reach another host.
To facilitate a distributed administration of the domain names, a hierarchic scheme was introduced where responsibility to manage domain names is delegated to organizations which can further delegate management of sub-domains.
Due to its importance in the operation of the Internet, domain name servers are usually operated redundantly. The databases of both servers are periodically synchronized.
The document discusses LDAP, Active Directory, and the Active Directory database. It provides the following key points:
1. LDAP is the directory service protocol used to query and update Active Directory. It uses distinguished names and relative distinguished names to access AD objects.
2. Active Directory is the directory service in Windows 2000 that centrally manages network resources using a hierarchical database. It requires Windows server, disk space, NTFS, TCP/IP, and administrative privileges for installation.
3. The Active Directory database includes NTDS.DIT for storing objects, EDB.LOG for transactions, EDB.CHK for tracking changes, and RES logs for additional transaction space. Garbage collection removes tombstones and
The document discusses LDAP, Active Directory, and key Active Directory concepts such as domains, forests, sites, global catalogs, schema, and single master operations. LDAP is the directory service protocol used to query and update Active Directory. Active Directory is the directory service in Windows 2000 that stores information about network resources in a hierarchical database. Key concepts covered include the minimum requirements for installing Active Directory, verifying the AD installation, the ADS database structure and garbage collection process, offline database defragmentation, domain trees and forests, the Active Directory schema, sites and their advantages, the role of the global catalog, and single master operations.
A detailed comparison of two commonly used PowerDNS Authoritative Server Web GUIs, geared mostly towards teams and projects recently introduced to PowerDNS.
Ctive directory interview question and answerssankar palla
Active Directory is a centralized database that stores information about a network. It allows for centralized management of users, computers, printers, and other network resources. A domain controller is a server that authenticates users and authorizes access to resources on the network. Active Directory uses protocols like LDAP and KCC to enable replication and management of directory data across multiple domain controllers. Application partitions allow specific Active Directory data to be replicated only to designated domain controllers, providing redundancy.
This document discusses DNS (Domain Name System) name servers and protocols. It begins with an introduction to DNS and its hierarchical database structure. It then describes different types of DNS servers such as primary, secondary, caching, and root servers. The document outlines standard DNS resource record formats and types. It explains DNS protocols, including queries, responses and zone transfers. Finally, it discusses some common DNS attacks such as cache poisoning and DDoS attacks using DNS.
The document discusses the Domain Name System (DNS) and how it works. It covers DNS zones, forward and reverse lookups, forwarding, and delegation. DNS associates domain names with IP addresses and other information to direct internet traffic. It functions like a phone book to translate human-readable names to computer-readable IP addresses. DNS is hierarchical, with the domain name space divided into zones served by authoritative nameservers.
Top 10 interview question and answers for mcsahopesuresh
Hope Tutors provide Top 15 Windows Server Interview Questions & Answers, which is helpful to system admins who are attending the interview. So kindly follow and prepare for the interviews.
The document discusses Dynamic Host Configuration Protocol (DHCP) and Domain Name System (DNS). It provides information on how DHCP works to automatically assign IP addresses and other network settings to client computers from a DHCP server. It also describes the DNS distributed database and hierarchical domain name space, how DNS resolvers and name servers work to resolve domain names to IP addresses, and common DNS resource records like A, MX, NS, PTR and SOA records.
This document discusses optimizing and troubleshooting DNS server performance. To optimize DNS, you can disable recursion on non-authoritative servers, delete or modify root hints files, optimize server response settings, use caching-only servers, and adjust SOA record TTL intervals. Troubleshooting DNS involves identifying the problem, checking client/server settings, server records, and DNS traffic. Common problems relate to host registration, dynamic updates, delegation, forwarders, or configuration issues.
BIND DNS IPWorks Introduction To AdvancedMustafa Golam
IPWorks is a software platform that provides DNS, DHCP, AAA and other services for IPv4 networks, including an element management system for configuration and monitoring; it includes protocol servers like DNS, DHCP and AAA servers as well as element management components; the document discusses the architecture and components of IPWorks, including features of the DNS, DHCP and AAA servers, and how IPWorks is used in GPRS/WCDMA networks.
The document discusses the Domain Name System (DNS) which provides human-friendly domain names that map to numeric IP addresses. It notes that addresses are difficult for humans to remember while names are easier. DNS uses a hierarchical, tree-structured domain name space separated from network topology. It is implemented using name servers that maintain mappings between names and addresses across zones. DNS allows for global name resolution, loose data coherency, scalability, reliability, and dynamic updates through replication between master and slave name servers.
Ocean lotus Threat actors project by John Sitima 2024 (1).pptxSitimaJohn
Ocean Lotus cyber threat actors represent a sophisticated, persistent, and politically motivated group that poses a significant risk to organizations and individuals in the Southeast Asian region. Their continuous evolution and adaptability underscore the need for robust cybersecurity measures and international cooperation to identify and mitigate the threats posed by such advanced persistent threat groups.
Building Production Ready Search Pipelines with Spark and MilvusZilliz
Spark is the widely used ETL tool for processing, indexing and ingesting data to serving stack for search. Milvus is the production-ready open-source vector database. In this talk we will show how to use Spark to process unstructured data to extract vector representations, and push the vectors to Milvus vector database for search serving.
Digital Marketing Trends in 2024 | Guide for Staying AheadWask
https://www.wask.co/ebooks/digital-marketing-trends-in-2024
Feeling lost in the digital marketing whirlwind of 2024? Technology is changing, consumer habits are evolving, and staying ahead of the curve feels like a never-ending pursuit. This e-book is your compass. Dive into actionable insights to handle the complexities of modern marketing. From hyper-personalization to the power of user-generated content, learn how to build long-term relationships with your audience and unlock the secrets to success in the ever-shifting digital landscape.
In the rapidly evolving landscape of technologies, XML continues to play a vital role in structuring, storing, and transporting data across diverse systems. The recent advancements in artificial intelligence (AI) present new methodologies for enhancing XML development workflows, introducing efficiency, automation, and intelligent capabilities. This presentation will outline the scope and perspective of utilizing AI in XML development. The potential benefits and the possible pitfalls will be highlighted, providing a balanced view of the subject.
We will explore the capabilities of AI in understanding XML markup languages and autonomously creating structured XML content. Additionally, we will examine the capacity of AI to enrich plain text with appropriate XML markup. Practical examples and methodological guidelines will be provided to elucidate how AI can be effectively prompted to interpret and generate accurate XML markup.
Further emphasis will be placed on the role of AI in developing XSLT, or schemas such as XSD and Schematron. We will address the techniques and strategies adopted to create prompts for generating code, explaining code, or refactoring the code, and the results achieved.
The discussion will extend to how AI can be used to transform XML content. In particular, the focus will be on the use of AI XPath extension functions in XSLT, Schematron, Schematron Quick Fixes, or for XML content refactoring.
The presentation aims to deliver a comprehensive overview of AI usage in XML development, providing attendees with the necessary knowledge to make informed decisions. Whether you’re at the early stages of adopting AI or considering integrating it in advanced XML development, this presentation will cover all levels of expertise.
By highlighting the potential advantages and challenges of integrating AI with XML development tools and languages, the presentation seeks to inspire thoughtful conversation around the future of XML development. We’ll not only delve into the technical aspects of AI-powered XML development but also discuss practical implications and possible future directions.
Let's Integrate MuleSoft RPA, COMPOSER, APM with AWS IDP along with Slackshyamraj55
Discover the seamless integration of RPA (Robotic Process Automation), COMPOSER, and APM with AWS IDP enhanced with Slack notifications. Explore how these technologies converge to streamline workflows, optimize performance, and ensure secure access, all while leveraging the power of AWS IDP and real-time communication via Slack notifications.
Salesforce Integration for Bonterra Impact Management (fka Social Solutions A...Jeffrey Haguewood
Sidekick Solutions uses Bonterra Impact Management (fka Social Solutions Apricot) and automation solutions to integrate data for business workflows.
We believe integration and automation are essential to user experience and the promise of efficient work through technology. Automation is the critical ingredient to realizing that full vision. We develop integration products and services for Bonterra Case Management software to support the deployment of automations for a variety of use cases.
This video focuses on integration of Salesforce with Bonterra Impact Management.
Interested in deploying an integration with Salesforce for Bonterra Impact Management? Contact us at sales@sidekicksolutionsllc.com to discuss next steps.
leewayhertz.com-AI in predictive maintenance Use cases technologies benefits ...alexjohnson7307
Predictive maintenance is a proactive approach that anticipates equipment failures before they happen. At the forefront of this innovative strategy is Artificial Intelligence (AI), which brings unprecedented precision and efficiency. AI in predictive maintenance is transforming industries by reducing downtime, minimizing costs, and enhancing productivity.
Your One-Stop Shop for Python Success: Top 10 US Python Development Providersakankshawande
Simplify your search for a reliable Python development partner! This list presents the top 10 trusted US providers offering comprehensive Python development services, ensuring your project's success from conception to completion.
Unlock the Future of Search with MongoDB Atlas_ Vector Search Unleashed.pdfMalak Abu Hammad
Discover how MongoDB Atlas and vector search technology can revolutionize your application's search capabilities. This comprehensive presentation covers:
* What is Vector Search?
* Importance and benefits of vector search
* Practical use cases across various industries
* Step-by-step implementation guide
* Live demos with code snippets
* Enhancing LLM capabilities with vector search
* Best practices and optimization strategies
Perfect for developers, AI enthusiasts, and tech leaders. Learn how to leverage MongoDB Atlas to deliver highly relevant, context-aware search results, transforming your data retrieval process. Stay ahead in tech innovation and maximize the potential of your applications.
#MongoDB #VectorSearch #AI #SemanticSearch #TechInnovation #DataScience #LLM #MachineLearning #SearchTechnology
Dive into the realm of operating systems (OS) with Pravash Chandra Das, a seasoned Digital Forensic Analyst, as your guide. 🚀 This comprehensive presentation illuminates the core concepts, types, and evolution of OS, essential for understanding modern computing landscapes.
Beginning with the foundational definition, Das clarifies the pivotal role of OS as system software orchestrating hardware resources, software applications, and user interactions. Through succinct descriptions, he delineates the diverse types of OS, from single-user, single-task environments like early MS-DOS iterations, to multi-user, multi-tasking systems exemplified by modern Linux distributions.
Crucial components like the kernel and shell are dissected, highlighting their indispensable functions in resource management and user interface interaction. Das elucidates how the kernel acts as the central nervous system, orchestrating process scheduling, memory allocation, and device management. Meanwhile, the shell serves as the gateway for user commands, bridging the gap between human input and machine execution. 💻
The narrative then shifts to a captivating exploration of prominent desktop OSs, Windows, macOS, and Linux. Windows, with its globally ubiquitous presence and user-friendly interface, emerges as a cornerstone in personal computing history. macOS, lauded for its sleek design and seamless integration with Apple's ecosystem, stands as a beacon of stability and creativity. Linux, an open-source marvel, offers unparalleled flexibility and security, revolutionizing the computing landscape. 🖥️
Moving to the realm of mobile devices, Das unravels the dominance of Android and iOS. Android's open-source ethos fosters a vibrant ecosystem of customization and innovation, while iOS boasts a seamless user experience and robust security infrastructure. Meanwhile, discontinued platforms like Symbian and Palm OS evoke nostalgia for their pioneering roles in the smartphone revolution.
The journey concludes with a reflection on the ever-evolving landscape of OS, underscored by the emergence of real-time operating systems (RTOS) and the persistent quest for innovation and efficiency. As technology continues to shape our world, understanding the foundations and evolution of operating systems remains paramount. Join Pravash Chandra Das on this illuminating journey through the heart of computing. 🌟
Nunit vs XUnit vs MSTest Differences Between These Unit Testing Frameworks.pdfflufftailshop
When it comes to unit testing in the .NET ecosystem, developers have a wide range of options available. Among the most popular choices are NUnit, XUnit, and MSTest. These unit testing frameworks provide essential tools and features to help ensure the quality and reliability of code. However, understanding the differences between these frameworks is crucial for selecting the most suitable one for your projects.
This presentation provides valuable insights into effective cost-saving techniques on AWS. Learn how to optimize your AWS resources by rightsizing, increasing elasticity, picking the right storage class, and choosing the best pricing model. Additionally, discover essential governance mechanisms to ensure continuous cost efficiency. Whether you are new to AWS or an experienced user, this presentation provides clear and practical tips to help you reduce your cloud costs and get the most out of your budget.
Main news related to the CCS TSI 2023 (2023/1695)Jakub Marek
An English 🇬🇧 translation of a presentation to the speech I gave about the main changes brought by CCS TSI 2023 at the biggest Czech conference on Communications and signalling systems on Railways, which was held in Clarion Hotel Olomouc from 7th to 9th November 2023 (konferenceszt.cz). Attended by around 500 participants and 200 on-line followers.
The original Czech 🇨🇿 version of the presentation can be found here: https://www.slideshare.net/slideshow/hlavni-novinky-souvisejici-s-ccs-tsi-2023-2023-1695/269688092 .
The videorecording (in Czech) from the presentation is available here: https://youtu.be/WzjJWm4IyPk?si=SImb06tuXGb30BEH .
Presentation of the OECD Artificial Intelligence Review of Germany
70 640
1. 70 – 640 -Windows Server 2008 Active Directory,
Configuring:
Configuring DNS for Active Directory
-Configuring zones
-Configuring DNS server settings
-Configuring zone transfer and Replication
Chapter 1: Configuring DNS for Active Directory
The Domain Name System (DNS) is a highly scalable system for mapping hostnames with numerical
Internet Protocol (IP) addresses. On Transmission Control Protocol / Internet Protocol (TCP/IP) networks
such as the Internet computers are assigned unique IP addresses. These numerical addresses are not
particularly user friendly, so computers are also given a host name. The domain name system is a
hierarchical naming system for organizing computers into domains and mapping IP addresses to host
names. When a user enters a DNS name such as www.kurtkurtdillard.com into an application DNS services
is used to find the IP address assigned to that host name. DNS is a critical piece of a network that includes
AD DS, member computers use DNS to find domain controllers and other servers for various activities
such as authentication, accessing file shares, and browsing web servers. Understanding how to deploy and
manage the DNS Server role in Windows Server 2008 will help you to more effectively leverage Active
Directory Domain Services (AD DS) in your organization. In this chapter I will cover managing DNS
zones, replication, and other DNS settings. More specifically, you will learn about the following:
• Configure zones.
• Configure DNS server settings.
• Configure zone transfers and replication.
Configuring DNS Zones
DNS records are partitioned into zones, a zone contains resource records for the hosts that belong to the
corresponding portion of the DNS namespace. The namespace for a zone can include one or multiple DNS
domains. Zones are maintained by DNS servers, a zone can be stored as a file or within Active Directory.
In the latter case, the size of the zone impacts how long it takes for DNS to initialize because the zone data
must be retrieved from Active Directory, we’ll explore this further later in this section.
2. You may want to delegate a portion of the DNS namespace for a couple of reasons: in order to assign
management to a department within the organization or to improve performance by spreading the load of a
large DNS database across separate DNS servers. Consider an extended example, you might want to store
all of the records for your publicly accessible hosts in one zone, e.g. the zone might include
kurtkurtdillard.com, which could include hosts named www.kurtkurtdillard.com, ftp.kurtdillard.com; and
mail.kurtdillard.com. Internal hosts could be organized by geographic location within subdomains, each
stored as a separate zone, e.g. americas.kurtdillard.com and europe.kurtdillard.com. This example is
represented in figure 1 below. In the rest of this section we will explore the various kinds of zones available
in Windows Server 2008 and how to manage them.
Figure 1: DNS Zone Delegation
Start of Authority (SOA)
The first record in any DNS zone is the Start of Authority (SOA) Resource Record (RR). The SOA RR
specifies the authoritative DNS server for the zone, i.e., the best source of data for the zone. Depending
upon the installation options the SOA RR may or may not be automatically added for a new zone. Figure 2
shows DNS manager with various elements highlighted. In this case, this is the first domain controller in a
3. new domain within a new forest and the SOA record was automatically created during the installation of
AD DS.
Figure 2: DNS Manager
To manage the SOA record for a zone navigate to the desired zone within DNS Manager and then right-
click on the SOA record and select Properties. Figure 3 shows the SOA RR from my test domain. In most
cases the default values for refresh, expiration, and time to live (TTL) are sufficient however you may wish
to increase these values in order to reduce the amount of DNS traffic on your network. The downside of
increasing the values is that DNS clients will take longer to learn about configuration changes and therefore
are more likely to have problems finding other hosts on your network.
4. Figure 3: Start of Authority Resource Record
Managing Other Resource Records
There are other types of resource records in addition to the SOA RR. Each type has a specific purpose
related to helping clients locate remote hosts and services. The most common kinds are:
• Host (A) resource records: this type of record maps a hostname to a 32-bit IPv4 address.
• AAAA resource records: these map a hostname to a 128-bit IPv6 address.
• Name Service (NS) records: this kind of record maps a domain name to a list of DNS servers
authoritative for the domain.
• Service location (SRV) resource records: this type maps a DNS domain name to a list of
computers that provide a service, for example, an SRV RR is required for computers to locate
Active Directory domain controllers.
• Mail exchange (MX) resource records: this kind of record maps a DNS domain name to the name
of a mail exchange computer for the domain.
• Alias (CNAME) resource records: also called canonical name records, these allow you to
configure multiple DNS names to resolve to a single host.
• Pointer (PTR) resource records: this type of record is used for the reverse lookup process, which
is discussed in more detail later in this chapter.
5. Resource records can be added and updated to the database manually or automatically. The manual
process, also referred to as Non-Dynamic DNS (NDDNS), is useful when adding records that are unlikely
to change for a long time such as public facing web and mail servers. To manually add a static record using
DNS Manager:
1. Right-click on the desired zone and select Other New Records.
2. Select the type of record to create from the Select a resource record type drop-down list.
3. Click Create Record.
4. Enter the information for the new record in the New Resource Record dialog box, click
OK to add the record to the database. The type of information required for the new record
will vary depending upon its type.
To manually add a record using a command prompt open a command prompt with administrative
privileges, type the following command, and press ENTER.
Dnscmd <ServerName> /RecordAdd <ZoneName> <NodeName> [/Aging] [OpenAcl] [TTL] <RRType>
<RRData>
As you can see, the command has many options, Table 1 briefly explains each. You can view more detailed
information about all of these options by entering the following command:
Dnscmd /RecordAdd /help
Parameter Description
<ServerName> This is a required parameter. You specify either the host name or IP address of
the DNS server where the record is to be created.
/RecordAdd This is a required parameter, it specifies what action is to be taken, in this case
to add a new record.
<ZoneName> This is a required parameter. The fully qualified domain name (FQDN) of the
zone.
<NodeName> This is a required parameter. The FQDN of the node.
[/Aging] This optional parameter specifies that the record may be aged and scavenged.
[OpenAcl] This optional parameter specifies that the record may be modified by any user,
without this parameter only administrators are able to do so.
[TTL] This optional parameter specifies the time to live (TTL) for the record.
<RRType> This is a required parameter. It specifies what kind of record to add, e.g.: A,
AAAA, MX, NS, CNAME, SRV, or PTR.
<RRData> These are required parameters that vary depending upon the type of record
being added. Each of these parameters must be separated by a space.
Table 1: Dnscmd options when adding records.
Enterprise networks can be large with hundreds of thousands of hosts, managing static records for so many
hosts isn’t feasible, to address this challenge Windows Server 2008 also supports dynamically updated
records. There are two ways in which records can be dynamically updated. First, the DCHP Client Service
on the client computer can register itself with the DNS server upon boot-up. Second, you can configure
DHCP servers, if they support the feature, to register clients when they assign an address to a host. There
are two methods available for dynamic updates: Dynamic DNS (DDNS) and Secure Dynamic DNS
6. (SDDNS). DDNS is the least secure choice because in this configuration updates can be accepted from
untrusted hosts, however it is supported by a wider range of operating systems. SDDNS is only available
for Active Directory-integrated zones, and it’s the preferred configuration whenever possible. The default
setting for new zones is NDDNS, that is, to disable dynamic updates unless the new zone is integrated with
Active Directory, in which case SDDNS is the default setting.
To enable or disable dynamic updates in DNS Manager right-click on the desired zone and select
Properties, then make the appropriate selection in the Dynamic Updates drop-down list and press OK. To
configure dynamic updates from a command prompt type the following command and press ENTER:
Dnscmd <ServerName> /Config {<ZoneName or ..AllZones>} AllowUpdate 2
Table 2 briefly explains what each of the command line options mean.
Parameter Description
<ServerName> This is a required parameter. You specify either the host name or IP address of
the DNS server where the zone is stored.
/Config This is a required parameter. The second parameter specifies what action is to
be taken, in this case to modify the specified zone.
<ZoneName or
..AllZones>
This is a required parameter. The fully qualified domain name (FQDN) of the
zone. To configure all zones stored on the server type ..AllZones.
AllowUpdate This is a required parameter, it enables dynamic updates.
2 This optional parameter specifies secure updates only, if it is omitted then the
zone will only allow standard dynamic updates.
Table 2: Dnscmd parameters when configuring a zone.
Tip: The graphical tool for DNS administration in Windows Server 2008 is the DNS Manager Microsoft
Management Console console, henceforth referred to as “DNS Manager.” There is also a command prompt
tool available which is useful for managing Server Core installations and scripting of administrative tasks,
it is called dnscmd. While many administrators will be most comfortable using DNS Manager you may
also want to familiarize yourself with the command prompt tool.
Understanding DNS Zones
The DNS Server role supports three different types of zones: primary, secondary, and stub. Only primary
and stub zones can be configured as Active Directory-integrated zones if the server is a domain controller
in an Active Directory domain. The difference between integrated and non-integrated zones is where zone
information is stored. Active Directory-integrated zones are stored within the AD DS. Zones that are not
integrated are stored as text files, by default in %windir%System32dns.
Caution: Although it may be tempting to edit these DNS text files in Notepad or some other text editor
Microsoft strongly recommends that you do not. Instead, you should always use the built-in tools such as
DNS Manager to configure zones and resource records to ensure proper formatting and versioning.
7. Primary
A primary zone is the writable master copy of a zone. A DNS server hosting the primary zone is the
authoritative source for information about that zone.
Secondary
A secondary zone is a read-only copy of a zone. A server hosting a secondary zone must download the
zone data and ongoing updates to the data from another server hosting the same zone. A secondary copy
cannot be stored in AD DS because it is merely a copy of a primary zone stored on another server.
Stub
A stub zone is a copy of the primary zone that only contains resource records for the authoritative DNS
servers for that zone. A server hosting a stub zone must download the zone data and ongoing updates to the
data from another server hosting the same zone. When properly implemented stub zones can improve name
resolution efficiency by allowing DNS servers to complete recursive queries without having to query the
Internet or internal root servers. Stub zones also tend to be less processor intensive than conditional
forwarding.
Expert Discussion: Why Background Zone Loading is Important
Background zone loading is a new feature in Windows Server 2008 that large organizations my find to be
very useful. In previous versions of the DNS Server service all of the DNS data stored in AD DS had to be
downloaded before the server would start responding to DNS queries. Some enterprises had to endure waits
of an hour or more when restarting their DNS Servers. In Windows Server 2008 the DNS Server service
can start responding to client request much more quickly because it is able to do so while continuing to
retrieve zone data from AD DS. When clients request data for a zone that has already been loaded the DNS
server responds normally, when they request data for a zone that hasn’t been loaded yet it retrieves the
information from AD DS and then responds to the client.
Creating New Zones
To create a new zone in DNS Manager right-click on either the DNS Server, Forward Lookup Zones, or
Reverse Lookup Zones. If the first option is used then the wizard will display an additional page asking
whether to create a forward or reverse lookup zone. The wizard will prompt you to specify information
that’s described earlier in this chapter such as zone type, zone name, and dynamic updates; however, the
wizard will also ask you to specify the replication scope as shown in figure 4. Replication scope is
discussed in more detail later in this chapter.
8. Figure 4: Selecting the Active Directory replication scope in the New Zone Wizard
To create a new zone from a command prompt type the following command and press ENTER:
dnscmd <ServerName> /ZoneAdd <ZoneName> {/Primary|/DsPrimary|/Secondary|/Stub|/DsStub} [/file
<FileName>] [/load] [/a <AdminEmail>] [/DP <FQDN>]
Once again, there are many options available, table 3 briefly explains each.
Parameter Description
<ServerName> This is a required parameter. You specify
either the host name or IP address of the DNS
server where the zone is stored.
/ZoneAdd This is a required parameter, it specifies what
action is to be taken, in this case to add a new
zone.
<ZoneName> This is a required parameter. The fully
qualified domain name (FQDN) of the zone.
{/Primary|/DsPrimary|/Secondary|/Stub|/DsStub This is a required parameter for defining the
zone type; /DsPrimary and /DsStub indicate
AD DS-integrated zones.
[/file <FileName>] This is required only when creating a primary
zone that is not integrated with AD DS.
[/load] This optional parameter loads an existing file
otherwise the default zone records are
automatically generated.
9. [/a <AdminEmail>] Use this optional parameter to specify an email
address for the zone’s administrator.
[/DP <FQDN>] Use this optional parameter to specify the
FQDN for an application directory where the
zone is to be added.
Table 3: Dnscmd parameters when creating a zone
Zone Aging and Scavenging
Out-of-date resource records can accrete in a zone database much like barnacles on a freighter. If the
number of stale records becomes substantial it could impact performance by consuming disk space,
slowing down response to queries, and sending outdated information to clients. In some cases, stale records
may prevent the use of a name being used by other hosts in the domain. By observing the time stamps on
resource records the DNS Server service can automatically remove records when they’ve aged beyond the
time limit you have specified. To use these features they must be enabled at both the DNS server and zone
levels.
Caution: There is a reason why the aging and scavenging features are disabled by default: when
implemented incorrectly records may be deleted that are still needed. For this reason only implement these
features once you fully understand all of the options available.
Normally only dynamically updated records are configured to be scavenged because in most cases when
you configure a static record it’s for a server that is going to be sharing resources for a relatively long time.
By default static records are given a time stamp of zero which exempts them from aging and scavenging.
You can change this by modifying the records individually to permit them to use a current time stamp
instead. The aging and scavenging concepts introduce some terms that you may not be familiar with:
• No-refresh interval: The period of time between the last refresh and the moment when the
timestamp can be refreshed again.
• Refresh interval: The period of time from when a record is refreshed to when it can be scavenged.
This must be greater than the maximum refresh period.
• Scavenging period: The period of time between scavenging operations.
• Record refresh: This occurs when a dynamic update is processed and the only change made to the
record is to update its time stamp. This happens when a computer restarts, every 24 hours when the
computer attempts to update its record, and when other network services attempt a fresh.
• Record update: This occurs when a dynamic update is processed and other characteristics are
modified in addition to its time stamp.
• Scavenging servers: Its possible to restrict scavenging to a specific list of DNS servers, identified
by their IP address.
To configure aging and scavenging for a zone in DNS Manager:
1. Right-click on the zone and select Properties.
2. Click Aging on the General tab of the dialog box.
3. Select the Scavenge stale resource records check box.
4. Modify the other properties as appropriate.
10. To configure aging and scavenging for a zone from a command prompt enter the following command:
dnscmd <ServerName> /Config <ZoneName> {/Aging <Value>|/RefreshInterval <Value>|/NoRefreshInterval
<Value>}
Table 4 briefly explains each option.
Parameter Description
<ServerName> This is a required parameter. You specify
either the host name or IP address of the DNS
server where the zone is stored.
/Config This is a required parameter. The second
parameter specifies what action is to be taken,
in this case to modify the specified zone.
<ZoneName> This is a required parameter. The fully
qualified domain name (FQDN) of the zone.
/Aging <Value> This is required, set the value to 1 to enable
aging, or 0 to disable it.
/RefreshInterval <Value> This is required, it specifies the refresh interval
in hours, 168 by default.
/NoRefreshInterval <Value> This is required, it specifies the no-refresh
interval in seconds, 3600 by default
Table 4: Dnscmd parameters for scavenging at the zone level
To configure aging and scavenging for a DNS server in DNS Manager right-click on the server and click
Set Aging/Scavenging for all zones, then select the Scavenge stale resource records check box and
modify the other properties as appropriate.
To configure aging and scavenging for a DNS server from a command prompt enter the following
command:
dnscmd <ServerName> /Config {/ScavengingInterval <Value>|/DefaultAgingState
<Value>|/DefaultNoRefreshInterval <Value>|/DefaultRefreshInterval <Value>}
Table 5 briefly explains each option.
Parameter Description
<ServerName> This is a required parameter. You specify
either the host name or IP address of the DNS
server where the zone is stored.
/Config This is a required parameter. The second
parameter specifies what action is to be taken,
in this case to modify the specified zone.
/ScavengingInterval <Value> This required parameter specifies the
scavenging frequency for all zones enabled for
scavenging.
/DefaultAgingState <Value> This required parameter sets the default aging
11. configuration for all zones, 1 enables aging
and 0 disables it.
/DefaultRefreshInterval <Value> This is required, it specifies the default refresh
interval in hours.
/DefaultNoRefreshInterval <Value> This is required, it specifies the default no-
refresh interval in seconds.
Table 5: Dnscmd parameters for scavenging at the server level
Understanding Forward Lookups and Reverse Lookups
A forward lookup occurs when a client looks for the IP address assigned to a particular hostname. How the
hostname is resolved to an IP address can happen in several different ways. First, if the hostname is less
than 16 bytes long it will attempt to resolve it using NetBIOS. If that fails, or if the hostname is longer the
client will check its own local cache of recent DNS queries, this includes the local hosts file since it is pre-
cached during boot up. The DNS server will answer the query directly if the information is in its database,
then it checks its own cache of previous queries. Then the DNS server will start the recursion process, it
uses the list of root hints to find a list of DNS servers authoritative for the domain where the host is located.
By default, the list of root hints points to the publicly available list of root servers that host the top-level
domains such as “com,” “info,” “org,” and “us.” So if the host name is www.kurtdillard.com the DNS
server will query one of the root servers to find the IP address of an authoritative DNS server for the
kurtdillard.com domain. Next, it will query the macgrawhill.com DNS server to find the IP address for the
host named www. It then returns the answer back to the original client machine. Figure 5 illustrates the
lookup process from the point where the client queries its primary DNS server.
12. Figure 5: Recursive forward lookup
DNS also supports reverse lookups in which the client knows the IP address but wants to learn the primary
hostname assigned to it. Why would anyone want to do that? There are many situations where it could be
useful, for example, when parsing a web site’s log files knowing the domains your visitors are coming
from helps to better understand their usage patterns. An organization hosting a publicly available Internet
Relay Chat (IRC) service might want to track both hostnames and IP addresses in real-time to facilitate any
complaints of harassment or other unauthorized behavior. Reverse lookups were not part of the original
specification for DNS, the way domain names are organized and indexed is very different from how IP
addresses are assigned. Additionally, while domain names are interpreted from right to left IP addresses are
read in the opposite direction. That’s why the IP address octets are reversed when building the reverse
lookup domain tree. A special domain is reserved to facilitate reverse lookups, the in-addr.arpa domain. A
new reverse lookup zone consists of the reverse address of a subnet prepended to adr.arpa. That is, the
subnet 192.168.2/24 would correspond to a zone named 2.168.192.in-addr.arpa. The DNS service can
create a pointer (PTR) RR for each host record added to the original zone.
13. The reverse lookup process is similar to forward lookups. The client queries the DNS server for a PTR RR
that maps to the IP address. The DNS server then reverses the address and appends the in-addr.arpa domain
to it. It then performs the lookup process normally, first looking locally and then performing a recursive
query if necessary. Figure 6 illustrates a simple reverse lookup where the server named
www.kurtdillard.com wants to know the hostname for the client that has initiated communications.
Figure 6:
Exercise 1: Prepare Your Practice Lab
14. To ensure that you understand how to perform that tasks related to managing Windows Server 2008 its
helpful to get hands-on with the software. The availability of free virtualization software and evaluation
copies of Microsoft’s operating systems means that even students with very tight budgets can build
themselves a flexible environment for becoming familiar with Windows Server 2008. There are numerous
software-based virtualization products available, since its free, easy to use, and reliable I recommend that
you download and install Microsoft’s Virtual PC. As with many of their products, if you simply append the
product name to their public web address you’ll get forwarded to the homepage for Virtual PC where you
can access the free download: http://www.microsoft.com/virtualpc. Install Virtual PC on your test machine,
in most cases the default settings are sufficient. If you have multiple machines available use the one with
the most physical memory installed, a speedy hard drive and CPU also helps but RAM is the most
important component for performance when using software virtualization.
You can download ISO images for both 32- and 64-bit versions of Windows Server 2008 from the Try It
webpage. Click on the download link for trial software, I suggest that you do these exercises with the 64-bit
build if your computer will support it. If this URL has changed you should be able to find links to the
evaluation software on the Windows Server 2008 webpage. These files are very large, however I am able to
download them overnight and I live in Buenos Aires, surely you can find a way too! You could also try the
virtual labs and the virtual hard drives, however I prefer to download and build my servers because the
virtual labs aren’t as flexible and the virtual hard drive images currently available were built with pre-
release versions of the operating system.
Once you have downloaded the ISO image you can burn it to a DVD but its not necessary to do so because
Virtual PC is able to mount ISO images as if they were an actual DVD or CD. If you are unfamiliar with
Virtual PC it includes extensive documentation in its help file. To create a new virtual machine with
Windows Server 2008 installed start Virtual PC and do the following:
1. Click New…
2. The New Virtual Machine Wizard starts, click Next.
3. On the Options page make sure that Create a new virtual machine is selected and click Next.
4. Type a name for your new virtual machine, click the Browse… if you want to specify a location
other than the default for storing the configuration file for the virtual machine.
5. Click Next, click Next again on the Operating System page.
6. Select Adjusting the RAM and type 512 in the text box, then click Next.
7. Select A new virtual hard disk and click Next.
8. Specify a path and file name for the virtual hard disk and click Next
9. Click Finish.
10. Ensure that the new virtual machine is selected and click Start to launch it.
11. Click the CD menu and select Capture ISO Image…
12. Navigate to where you saved the ISO image and select it, then click Open. If the virtual machine
boot process is already too far along you can reboot it from the Action menu by selecting Reset.
13. You should be able to install Windows Server 2008 the same way you would if you were installing
it on a physical machine. Use the default options throughout the installation but be sure to select a
sensible hostname when given the opportunity.
To make it easier to tear down and restart your practice lab I suggest that you make a copy of the virtual
hard disk file once the operating system installation is complete. Some of the other exercises require two
servers so you ought to make yet another copy.
15. Configuring Zone Transfers and Replication
Zone transfers were once the most common way to replicate DNS database updates between servers, in
recent years other replication mechanisms have become increasingly popular. There are two types of zone
transfers: full and incremental. The DNS Server service in Windows Server 2008 supports zone transfers as
well as AD DS replication. This section explorers each of these features.
Configuring Zone Transfers
A full zone transfer is fairly simple, the client, also called the “secondary” or “slave” server requests a copy
of the zone from the server, also called the “primary” or “master.” The transfer initiates with the SOA
resource record. Since the serial number of the SOA RR is incremented each time there is a change to the
zone the client can compare the serial number for the current version of the SOA with its own copy, if they
are identical then the client concludes that there haven’t been any changes to the zone and the transfer is
terminated. If the serial numbers differ the client requests all of the remaining records for the zone. An
incremental zone transfer differs in that the client sends its own copy of the SOA RR to the server, the
server then compares the serial number with that of its own copy and only sends changes that have
occurred since that version of the SOA RR.
Active Directory-integrated zones rely on AD DS for replication between domain controllers; whenever
feasible it’s the preferred method. However, when file-based zone transfers are used incremental zone
transfers consume less network bandwidth than full transfers and therefore they are the next best choice.
For this reason the DNS Server service in Windows Server 2008 requests incremental zone transfers when
retrieving a zone from a primary server. To configure zone transfers using DNS Manager do the following:
1. Right-click on the desired zone, and then select Properties.
2. Click the Zone Transfers tab.
3. Enable or disable the Allow zone transfers check box.
4. If you have enabled transfers select the appropriate radio button: To any server, Only to the
servers listed on the Name Servers tab, or Only to the following servers; as shown in figure 7.
5. If the last button is selected click Edit and enter the IP addresses for each desired DNS server, as
shown in figure 8.
17. Figure 8: Defining the list of IP addresses for servers allowed to request zone transfers.
To configure zone transfers from a command prompt enter the following command:
dnscmd <ServerName> /ZoneResetSecondaries <ZoneName> {/NoXfr | /NonSecure | /SecureNs | /SecureList
[<SecondaryIPAddress...>]}
Table 6 briefly explains each of the command line options.
Parameter Description
<ServerName> This is a required parameter. You specify
either the host name or IP address of the DNS
server where the zone is stored.
/ZoneResetSecondaries This is a required parameter. The second
parameter specifies what action is to be taken,
in this case to configure zone transfers for the
specified zone.
<ZoneName> This is a required parameter. The fully
qualified domain name (FQDN) of the zone.
/NoXfr This option disables transfers.
/NonSecure This option permits transfers to any DNS
server.
/SecureNs This option permits transfers to servers listed
18. in the zone using name server resource
records.
/SecureList This option permits transfers to the list of
servers specified by SecondaryIPAddress
<SecondaryIPAddress> Required if /SecureList is used, a list of one or
more IP address for DNS servers to be allowed
to obtain transfers.
Table 6: Dnscmd parameters for zone transfers.
Configuring DNS Notify
When DNS Notify is enabled for a zone the primary server will send messages to the secondary servers
notifying them when changes have occurred. You enable DNS Notify from the Zone Transfers tab of the
zone’s properties dialog box by clicking on the Notify… button. You can indicate a specific list of servers
or specify all servers on the Name Servers tab. When secondary servers receive the notification they can
initiate the normal zone transfer process. Configuring DNS Notify from the command prompt is a simple
variation on configuring zone transfers, to do so enter the following:
dnscmd <ServerName> /ZoneResetSecondaries <ZoneName> {/NoNotify|/Notify|/NotifyList <IPaddress>}
Parameter Description
<ServerName> This is a required parameter. You specify
either the host name or IP address of the DNS
server where the zone is stored.
/ZoneResetSecondaries This is a required parameter. The second
parameter specifies what action is to be taken,
in this case to configure zone transfers for the
specified zone.
<ZoneName> This is a required parameter. The fully
qualified domain name (FQDN) of the zone.
/NoNotify This option disables notification for the zone.
/Notify This option enables notification for all servers
on the name server tab.
/NotifyList <IPaddress list> This option enables notification for all servers
provided in the subsequent list of IP addresses.
Table 7: Dnscmd parameters for DNS Notify.
Note: DNS Notify is not necessary for AD-integrated zones because the DNS servers automatically poll the
directory for changes on a regular basis.
Using Secure Zone Transfers
It is possible for nefarious individuals to learn a great deal about your network from your DNS servers. If
they are able to initiate full zone transfers for your internal and external zones they can learn the host
names and IP addresses for all of the computers listed in those zones. For this reason it’s a good idea to
19. limit zone transfers to a list of authorized DNS servers when using file-based replication. You accomplish
this within DNS Manager by selecting either Only to the servers listed on the Name Servers tab or Only
to the following servers when configuring zone transfers, or by specifying either /SecureNs or /SecureList
when using dnscmd from a command prompt.
Exercise 2: Build Your Active Directory Domain
The next step in preparing your practice lab is to build an Active Directory domain. This is quite easy to do
in a test environment because you do not have to spend much time planning details such as your domain
namespace, your zone configuration, and your replication configuration whereas these and other
considerations are critical to a successful deployment in a production environment. To get started you first
have to install the Active Directory Domain Services role and then launch the installation wizard by
executing dcpromo. You can add the role from Server Manager by doing the following:
1. Navigate to Roles in the navigation pane and then select Add Roles in the Roles Summary pane.
2. Click Next
3. Select Active Directory Domain Services on the Select Server Roles page, click Add Required
Features when prompted.
4. Click Next.
5. Complete the Add Roles wizard using the default settings.
6. On the Installation Results page click Close this wizard and launch the Active Directory
Domain Services Installation Wizard.
7. Use the default settings throughout the installation including installing the DNS Server role. You
will need to specify values for some options such as the AD restore mode password and an FQDN
for your domain; I suggest you pick something that is completely unresolvable from the Internet
like domain.test or testing.domain.
8. You will also need to specify that this is the first domain controller in a new domain, and the first
domain in a new forest.
9. Once the wizard has gathered all of the necessary information from you the installation will proceed
automatically, how long it takes will depend upon the hardware capacity of your test system.
Defining Replication Scope for Active Directory-Integrated Zones
When a DNS zone is integrated with Active Directory you need to specify where it will be stored and its
replication scope. You can specify the replication scope when creating a new zone and you can change it at
any time after creation. The following storage options are available for Active Directory-integrated zones:
• Forest-wide DNS application directory partition – This corresponds to To all DNS servers in
this forest in the Change Zone Replication Scope dialog box in DNS Manager. DNS zones stored
in the forest-wide partition are replicated to all DNS servers running on domain controllers in the
forest. This partition is automatically created when DNS is installed on the first domain controller
in a new forest. This provides the broadest scope of replication but generates the most replication
traffic.
• Domain-wide DNS application directory partition – This corresponds to To all DNS servers in
this domain in the Change Zone Replication Scope dialog box in DNS Manager. DNS zones
20. stored in this partition are replicated to all DNS servers running on domain controllers in the
domain. This partition is automatically created when DNS is installed on the first domain controller
in a new domain.
• Domain partition – This corresponds to To all domain controllers in this domain in the Change
Zone Replication Scope dialog box in DNS Manager. DNS zones stored in this partition are
replicated to all domain controllers in the zone, even those that are not running the DNS Server
service. This is the only option for zones that are replicated to domain controllers running Windows
2000 Server.
• Custom DNS application directory partition – This corresponds to To all domain controllers in
the scope of this directory partition in the Change Zone Replication Scope dialog box in DNS
Manager. DNS zones stored in this partition are replicated to all DNS servers running on domain
controllers that enlist in the partition. To utilize this type of partition you must first create the
application directory partition from a command prompt using dnscmd.
To create a DNS application directory partition enter the following at a command prompt:
Dnscmd <ServerName> /CreateDirectoryPartition <FQDN>
You specify the name of the new DNS application directory partition by entering a FQDN. After creating
the partition you are able to select it from the drop-down list as shown in figure 9.
Figure 9: Selecting a custom directory partition for replication scope.
To enlist a DNS server in an application directory partition enter the following at a command prompt:
Dnscmd <ServerName> /EnlistDirectoryPartition <FQDN>
To remove a DNS server in an application directory partition enter the following at a command prompt:
Dnscmd <ServerName> /UnenlistDirectoryPartition <FQDN>
In each case, you specify the name of the DNS application directory partition by entering its FQDN.
21. Expert Discussion: What is the GlobalNames Zone?
Windows Internet Name System (WINS) is a name resolution system that can be deployed independently
of or integrated with the DNS Server service. WINS will become obsolete though, it relies on NetBIOS
over TCP/IP which is an older protocol that Microsoft (and many Windows sysadmins!) hope to avoid in
the future. One of the things that people like about WINS is that it facilitates using single-label names for
hosts. For example, on a WINS-enabled network you could connect to a shared folder by specifying
servernamesharename but on a network that only uses DNS for name resolution you would have to
specify the entire hostname like this: servername.domainname.suffixsharename.
To help organizations migrate to all-DNS networks Windows Server 2008 introduces support for a new
type of DNS zone called the GlobalNames zone. It provides support for single-label name resolution for a
limited number of hosts. The number should be kept relatively small because the records in this zone must
be managed manually, it is not feasible to maintain records for every end-user PC in this type of zone.
When the GlobalNames zone is properly implemented a client attempting to resolve a single-label name
will first append its primary DNS suffix to the name. If resolution fails it will attempt resolution using its
DNS suffix search list. If that also fails the client attempts resolution using the single-label name, if the
name appears in the GlobalNames zone the DNS server will provide the answer to the client. If that also
doesn’t work the query fails over to WINS.
This feature has to be enabled and configured manually as follows:
1. Create an AD DS-integrated forward lookup zone named GlobalNames.
2. Enable support for the GlobalNames zone by running the following command for every
authoritative DNS server in the forest:
dnscmd <ServerName> /config /enableglobalnamessupport 1
Replace <ServerName> with the name of the authoritative DNS server.
3. Replicate the new zone to all domain controllers in the forest.
4. Add the desired alias (CNAME) resource records to the new zone.
5. Publish the location of the new GlobalNames zone in other forests as appropriate by adding service
location to the forest-wide DNS application partition, using the service name
_globalnames._msdcs and specifying the FQDN of the DNS server that hosts the GlobalNames
zone.
Configuring Additional DNS Server Options
There are additional significant settings in the DNS Server service that you should understand. This section
briefly discusses each.
Updating Root Hints
As discussed previously, DNS servers use the list of root hint servers to located authoritative name servers
for domains at a higher level or in other subtrees of the DNS namespace. When you add the DNS server
role a file called cache.dns is written to %systemroot%System32dns, this file includes the NS and A
resource records for the Internet’s root servers. If you are using DNS in a network that is not connected to
the Internet you may wish to replace this list of root hints with your own. You can modify the list in DNS
Manager by doing the following:
22. 1. Right-click on the server and select Properties.
2. Click the Root Hints tab.
3. Modify the list as appropriate, as shown in figure 10:
a. Click Add… to create a new record.
b. Select a record and click Edit… to modify an existing record.
c. Select a record and click Remove to delete an existing record.
d. Click Copy from Server and then specify the IP address to retrieve the list of root hints
from another DNS server. This action will not overwrite any existing root hints.
Figure 10: Updating the Root Hints in Server Manager
Configuring Server Forwarding
A forwarder is a DNS queries for external DNS names to DNS servers outside of the network. You use
forwarders to manage DNS traffic sent from your internal network to the Internet. Conditional forwarders
forward queries for specific domain names do certain servers, for example, you may want to configure
conditional forwarding to more quickly resolve hostnames for your organization’s most important business
partners.
To configure forwarders you configure the network’s firewalls to block outbound DNS traffic from all
DNS servers except the forwarders. Then you specify the IP addresses of the forwarders on the other DNS
servers in your network. You define the list of forwarders in DNS Manager from the Forwarders tab in the
23. Properties dialog box for the DNS server by clicking Edit and entering the list of IP address in the Edit
Forwarders dialog box. To define a conditional forwarder select a DNS domain name before entering the
IP address of the DNS server.
Configuring Round Robin DNS
Round robin DNS is a rudimentary form of load balancing in which the multiple IP addresses are assigned
to the same hostname. The DNS server responds to queries for that hostname by sending the entire list, the
order of the addresses is rotated each time the server responds. Clients use the first entry and discard the
rest, which should result in queries being evenly distributed across all of the hosts assigned that hostname.
This form of load balancing is much less robust than others because the DNS server will continue to
respond with the address of a server even if it is no longer available. Additionally, round robin DNS does
not make provisions for the differing capacities of the servers, all of them will receive the same amount of
traffic. This feature is turned on and off in DNS Manager from the Advanced tab in the Properties dialog
box for the DNS server. In the list of server options enable or disable the checkbox for Enable round
robin.
Disabling Recursion
As described previously, the DNS Server service automatically performs recursive queries on behalf of its
clients by querying other DNS servers for information about hosts when it is unable to resolve the name
locally. Recursion should be disabled on externally facing DNS servers because attackers may be able to
flood the DNS server with unresolvable queries leading to a denial-of-service condition. This feature is
controlled in DNS Manager from the Advanced tab in the Properties dialog box for the DNS server. In
the list of server options enable or disable the checkbox for Disable recursion (also disables forwarders).
Securing the Cache from Names Pollution
By default the DNS Server service is configured to protect itself from cache pollution by rejecting resource
records that it did not request. In some cases its possible for a remote DNS server to provide information
about records for which it is not authoritative. While this may speed up a recursive query its possible for an
attacker to include corrupt information in such a response that could cause clients to be redirected to
servers under the attacker’s control. With names pollution enabled the DNS Server service will ignore
these types of records and instead perform the lookup itself by contacting each authoritative server as
needed. This feature is controlled in DNS Manager from the Advanced tab in the Properties dialog box
for the DNS server. In the list of server options enable or disable the checkbox for Secure cache against
pollution.
Implementing Zone Delegation
You can delegate management of portions of your DNS namespace by delegating management of the
corresponding zone. Zone delegation can also be used to distribute workload across several servers by
dividing one large zone into several smaller ones. To create a zone delegation using DNS Manager right-
click on the desired sub-domain, and then click New Delegation. Use the New Delegation Wizard to
complete the process. To create a zone delegation from a command prompt enter the following:
24. Dnscmd <ServerName> /RecordAdd <ZoneName> <NodeName> [/Aging] [OpenAcl] [TTL] NS {<Hostname>|
<FQDN>}
Table 8 briefly explains each option.
Parameter Description
<ServerName> This is a required parameter. You specify either the host name or IP address of
the DNS server where the record is to be created.
/RecordAdd This is a required parameter, it specifies what action is to be taken, in this case
to add a new record.
<ZoneName> This is a required parameter. The fully qualified domain name (FQDN) of the
zone.
<NodeName> This is a required parameter. The FQDN of the node.
[/Aging] This optional parameter specifies that the record may be aged and scavenged.
[OpenAcl] This optional parameter specifies that the record may be modified by any user,
without this parameter only administrators are able to do so.
[TTL] This optional parameter specifies the time to live (TTL) for the record.
NS This required parameter specifies that you are adding a new NS record to the
zone.
<Hostname>|<FQDN> These required parameters specify the hostname or FQDN of the new
authoritative server.
Table 8: Dnscmd parameters for zone delegation.
Summary
This chapter showed you how to install and manage the DNS Service role in Windows Server 2008. It
explained the common administrative tasks and introduced you to the key features that are new in this
version of Windows Server such as the GlobalNames zone and background zone loading. To effectively
prepare for the examination it is important that you understand the concepts discussed here. It is also
important that you are familiar with each of the procedures described in the chapter. It would be ideal if
you also spent some time exploring DNS manager to familiarize yourself with the less commonly used
configuration options. Although they are less likely to appear on the exam doing so will increase your
chances of success.
Chapter Review
This section presents a list of review questions designed to help reinforce the knowledge presented earlier
in the chapter. To persuade you to explore the management tools more deeply a few questions may require
you to examine DNS Manager or dnscmd rather than rereading the chapter.
Questions
1. You want to add an Active Directory-integrated secondary zone to your DNS server however you
receive a error message stating “Command failed: ERROR_INVALID_PARAMETER 87” after
entering the following at a command prompt: dnscmd dc1 /zoneadd NewZone /secondary /dp
/domain. What should you do to correct this problem?
25. a. The command needs to include the /filename option with the path to the file, so it should
read something like this: dnscmd dc1 /zoneadd NewZone /secondary /dp /domain /file
c:dataZoneFile.dns
b. The zone type needs to be corrected do /dssecondary, so it should read like this: dnscmd dc1
/zoneadd NewZone /dssecondary /dp /domain
c. Secondary zones cannot be AD-integrated, therefore the zone type should be changed to
/dsprimary or /dsstub, or you should remove the /dp /domain options and specify the master
IP address for the zone.
d. The DNS Server service doesn’t support creating AD-integrated zones from the command
prompt.
2. You manage an enterprise network that consists primarily of Windows clients and servers, other
platforms are deployed in small numbers. Active Directory is deployed on domain controllers
running Windows Server 2003 and Windows Server 2008, the domain controllers are the only
servers hosting the DNS Server service. There are three domains in a single forest. You want to
configure replication of the DNS in such a way that network utilization is kept relatively low while
ensuring that all of the domain controllers have up-to-date resource records in their DNS databases.
Which approach to replication should you consider first?
a. Configuring incremental zone transfers and enabling DNS Notify.
b. Active Directory replication with zones stored in the domain-wide DNS application
directory partition.
c. Configuring full zone transfers and enabling DNS Notify.
d. Active Directory replication with zones stored in the forest-wide DNS application directory
partition.
3. Match the list of use cases with the kind of resource record that will most likely contain the required
data.
Use case Resource record
a. An SMTP server attempting to forward mail to your organization. 1. AAAA
b. A user browsing to a website hosted on several servers that use round
robin DNS for load balancing.
2. MX
c. A web server log file analysis tool generating reports on web site
usage.
3. SRV
d. A client trying to connect to another host on a network that uses IPv6. 4. PTR
e. A domain-joined laptop computer that has just been turned on by its
user.
5. CNAME
4. Users have started reporting problems connecting to servers within your organization’s network,
you are able to connect to some servers such as the domain controllers for the Active Directory
domain for your user account but others do not respond. Which of the following is the best tool to
quickly determine whether or not the problem is related to name resolution?
a. Ping
b. DNS Manager
c. Arp
d. Dnscmd
e. nslookup
5. You have deployed AD DS for a domain named kurtdillard.com, but have only installed the DNS
Server service on a subset of the domain controllers. You want to create a DNS zone named finance
26. for a set of servers that will only be replicated to a DNS servers in your enterprise. You are
currently logged into the local console of the domain controller named NS1, which is the correct
command to create the desired DNS application directory partition?
a. nslookup ns1 /CreateDirectoryPartition finance.kurtdillard.com
b. dnscmd ns1 /EnlistDirectoryPartition finance.kurtdillard.com
c. dnscmd /CreateDirectoryPartition finance.kurtdillard.com ns1
d. dnscmd ns1 /CreateDirectoryPartition finance.kurtdillard.com
6. Examine figure 11. You want to add a Host Information (HINFO) resource record to the selected
zone but that kind of record doesn’t appear on the menu. What steps should you take to add a record
of this type?
Figure 11: DNS Zone context menu.
a. Click Other new records…from the menu, then select the HINFO RR in the dialog box
that appears and click Create Record…
b. Click Properties, then click the Advanced Tab and turn on the option to enable advanced
resource record types.
c. Click on All Tasks, then select Add/Remove record types and enable the HINFO record
type.
d. Click on View, then select Customize, and enable the checkbox to display advanced record
types.
7. When would background zone loading have a significant positive impact?
27. a. For any domain controllers running DNS with AD-integrated zones regardless of the
database size.
b. For domain controllers running DNS with AD-integrated zones that include tens of
thousands of resource records.
c. For DNS servers that host zones stored as files and include tens of thousands of resource
records.
d. Both B and C are correct.
8. What type of query is a DNS server performing when it contacts one of the Internet’s root servers to
learn the IP address of the authoritative name server of a DNS domain?
a. Forwarding query.
b. Authoritative query.
c. Root lookup.
d. Recursive query.
e. External query.
9. Your organization uses WINS for name resolution between end-user computers so that staff
members are able to use a collaboration tool that requires direct connections between those
computers. You know that WINS and old protocol and it is approaching its end of life. Would
enabling a GlobalNames zone be a good way to completely replace WINS?
a. Yes.
b. No.
10. You are about to enable record aging and scavenging for a new AD-integrated zone. You expect to
add manual records for many servers that will not need to be updated very often. How can you
ensure that these static records are not deleted when scavenging occurs?
a. Be sure to mark each record as exempt when creating them with the New Resource Record
wizard
b. After creating a static record manually edit the time stamp and set it to zero.
c. Do nothing, by default static records are given a time stamp of zero and any record with
such a time stamp is exempt from aging and scavenging.
d. Set the TTL for the record to zero.
11. Which of the following is not a way for a Windows Server 2008 server running the DNS Server
service to learn about updates to resource records?
a. Initiating push-pull replication with a root server.
b. Receiving a DNS Notify message.
c. Initiating a zone transfer.
d. AD DS-integrated replication.
e. Accepting dynamic updates from a DHCP server or client.
f. The DNS administrator editing a static resource record.
12. You manage a new public-facing server that is designed to share information with a select group of
your organization’s business partners. Ideally both organizations would deploy a robust federated
identity solution to ensure that only authorized users connected to the server however its going to
28. take a lot of time to negotiate arrangements with each partner. In the interrum, you recommend
leveraging _____________________ in order to provide some rudimentary security by limiting
incoming traffic to certain domains.
13. You want to customize what domain controllers will participate in replication of an AD DS-
integrated zone, to do this you need to create a _____________________.
14. Look at figure 12, which tab would you click on to enable or disable recursive queries?
Figure 12: DNS Server properties dialog box
a. Forwarders
b. Advanced
c. Root Hints
d. Debug Logging
e. Event Logging
f. Monitoring
g. Security
15. What’s the recommended method for maintaining resource records for client computers that are
members of an AD DS domain?
a. Manually create and maintain a static record for each computer.
b. Using incremental zone transfers.
c. Using an AD DS-integrated zone with dynamic updates enabled.
29. d. Using an AD DS-integrated zone configured to only allow secure dynamic updates.
Answers
1. C is the correct answer, secondary zones cannot be AD-integrated under any circumstances.
Questions involving negative cases such as this appear regularly in Microsoft’s exams, that is,
scenarios where you are told to do something that cannot or should not be done.
2. B is the correct answer, while you do not have enough information to make a complete design for
replication you certainly have enough to know what method will most likely meet the stated
requirements. Using the forest-wide application directory partition will generate more replication
traffic than the domain-wide one. You cannot force the use of full zone transfers because the DNS
Server service automatically attempts to use incremental zone transfers for zones that are not AD-
integrated, however since all of the DNS servers are also domain controllers AD-integration ensures
that updates are quickly replicated and that replicated traffic is compressed.
3. The use cases and record types should be matched as follows:
a. 2 because MX records contain information about mail hosts for a DNS domain.
b. 5 because multiple CNAME records can be used to map the same hostname to multiple IP
addresses.
c. 4 because PTR records are used for reverse lookups, and a web server log tool is likely to
use reverse lookups in order to determine what domains host the various clients that have
visited the site.
d. 1 because AAAA records are used for IPv6 addresses.
e. 3 because SRV records are used to identify domain controllers for an Active Directory
domain, and computers that belong to such a domain attempt to authenticate themselves and
download configuration information during the operating system boot process.
4. D is the best answer. With the limited information available nslookup is a good tool to begin
troubleshooting. Nslookup is a command prompt diagnostic tool for DNS, you can use it to extract
information about DNS zones and their contents from DNS servers that allow your host to connect.
While the exam probably will not include extensive questions about nslookup it is likely that you
will encounter some therefore you should familiarize yourself with its basic functionality. Ping is
useful for determining whether there are network issues at the IP layer, but DNS name resolution
occurs above that and therefore its not a good tool for this scenario. Arp isa tool for examining and
configuring the address resolution protocol (ARP) cache, ARP is the protocol used to map IP
addresses to physical network addresses that are assigned to network interface cards.DNS Manager
and dnscmd are tools for configuring the DNS Server service, while they might be needed to correct
problems they may not be ideal for initial diagnostics.
5. D is the correct answer. Nslookup is not used to configure the DNS Server service,
/EnlistDirectoryPartition is the wrong option for making a new partition, and the name of the DNS
server should be the first option in the command. This may appear to be a capricious question
requiring you to memorize all of the arcane options of dnscmd, similar questions do appear on the
exams. Rather than trying to memorize every single option available make sure you remember the
basic syntax used on nearly every action such as the DNS server name is always the first option; the
second always specifies the action to take; and parameters to apply to the action come next. Also
memorize the most common actions such as creating zones and records, delegating zones, and
configuring zone transfers. Finally, memorize the procedures that can only be performed from the
command prompt such as enabling the GlobalNames zone.
6. A is the correct answer.
30. 7. B is correct. While background zone loading will reduce the time needed to start the DNS Server
service the impact will probably only be noticeable for very large zones.
8. D is correct. DNS servers contact the root servers that are listed in their root hints in order to learn
the IP addresses for authoritative name servers for other domains. Typically, they do this while
performing a recursive query on the part of a client computer.
9. No is correct. Although the new GlobalNames zone feature is designed to help enterprises migrate
away from WINS for name resolution it is not sufficiently scalable for completely replacing WINS.
There are other alternatives though, perhaps the collaboration tool will work with DNS name
resolution, or you could enable WINS integration for the zones that correspond to your AD DS
domains.
10. C is correct. It is not possible to mark a record as exempt, rather, there is a check box you can
enable or disable entitled Delete this record when it becomes stale; however its not necessary to
configure it because its automatically disabled when a static record is created. Its also not necessary
to change the time stamp because it is automatically set to zero for static records. The TTL has no
impact on aging and scavenging.
11. A is correct, there are many ways in which a DNS server can learn about changes to resource
records but answer A is entirely fictional.
12. The correct term is reverse lookups.
13. The correct term is DNS application directory partition.
14. B is the correct answer. The first checkbox visible in the Server options text box is used to enable
and disable recursive queries on the server.
15. D is the correct answer. Answer A is not scalable; answer B doesn’t address the stated
requirements; and Answer B is less desirable because malicious users could add records to the zone
and potentially redirect clients to hostile servers under their control.
-Configuring the AD infrastructure
-Configuring a forest or a domain
-Configuring trusts
-Configuring sites
-Configuring AD replication
Configuring the Active Directory Infrastructure
Active Directory Domain Services (AD DS) is the foundation for many network services in Windows-
based networks including authentication, authorization, and configuration management. While subsequent
chapters discuss implementing and managing these and other features available in Active Directory this
chapter focuses on managing the service itself. For example, its important to understand the basic
components used to build a hierarchy of domains, how to configure replication, and how to manage the
31. various operations masters roles used by AD DS domains and forests. In this chapter you will learn about
the following:
• Configure a forest or domain.
• Configure trusts.
• Configure sites.
• Configure Active Directory replication.
• Configure the global catalog.
• Configure operations masters.
Managing Forests and Domains
Domains are the basic building blocks of AD DS. At the risk of confusing you, AD DS domains are
discrete from and yet related to Domain Name Services (DNS) domains. They are distinct in that they
perform many functions that are entirely separate from DNS domains such as user authentication and group
policy. AD DS evolved from LAN Manager and Windows NT domains where the term was used with no
correlation to DNS domains. They are related to DNS in that AD DS integrates with DNS for name
resolution. Although it is possible to create an AD DS design that does not resemble the DNS namespace I
recommend against doing so to avoid confusing users.
In AD DS a domain is a logical group of computers that share a directory database. A tree is one or more
AD DS domains that have trust relationships with one another. Forests are one or more trees grouped
together. Organizations can use domains, trees, and forests to organize their directory services according to
the design of their business units, or their geographic distribution, or whatever combination works best for
their situation. Figure 1 presents a notional architecture, the rectangles represent the two forests, and ovals
represent the domains. In this example kurtdillard.com is the root domain for the entire organization, within
the same tree are two additional layers of domains, americas.kurtdillard.com is the second layer, the other
three form the third. All of the domains in the kurtdillard.com forest are located in the same tree. The other
tree, europe.kurtdillard.com, consists of only two layers. This logical architecture also reflects the DNS
namespace for the organization.
32. Figure 1: Hierarchy of Active Directory Forests and Domains
Production architecture could be as complex as the example, or even more complex, or it could be a simple
as a single domain within a single forest. What is suitable will vary from one organization to another,
however designing an optimum domain and forest structure is beyond the scope of this book, review the
references section at the end of the chapter. for resources on exploring this topic. Each domain has at least
one domain controller (DC) that hosts the AD DS database, best practices dictate that each domain have at
least two DCs to provide redundancy in case one of them fails. There are several additional roles assigned
to DCs, these are discussed later in this chapter. The objects and containers within an AD DS database are
discussed in Creating and Maintaining Active Directory Objects.
Implementing Domain Controllers
33. Installing new AD DS forests is straight-forward, as you saw in the first exercise in Configuring DNS for
Active Directory. Installing new domains and trees within an existing forest, and installing new DCs within
existing domains is even easier, to prepare for the exam you should familiarize yourself with each of the
options available in the Active Directory Domain Services Installation Wizard as it is likely you will
encounter at least a couple of questions relating to it. It is also important to understand the options available
for automating the installation using an answer file and manually installing from a command prompt,
especially with the advent of Server Core in Windows Server 2008.
You automate AD DS installations using an answer file. If you are familiar with the graphical installation
wizard answer files are easy to understand because you all you are doing is providing the same information
in a text file. You can create and modify answer files in any text editor including Notepad, you specify
parameter names and values on separate lines with an equal sign between, for example, including
InstallDNS=Yes will force the installation of the DNS Server role. The following list shows the parameters
available, which parameters are required depends upon what task you are accomplishing. For example
certain parameters needed when creating a new forest but others are needed when installing a new DC in an
existing domain. The parameter name appears first in bold; followed by the possible values; then the
default value, if any, in italics, and then a brief description
• AllowDomainControllerReinstall; Yes, No, NoAndNoPromptEither; No – Installation will
normally halt if another DC account with the same name is found, using this option allows you to
force the installation continue if you are certain that the account is no longer being used.
• AllowDomainReinstall; Yes, No, NoAndNoPromptEither; No – Specifies whether or not to
recreate an existing domain.
• ApplicationPartitionsToReplicate; "" – A space delimited list of application partitions to be
replicated in the format; entering * means that all partitions will be replicated.
• ChildName; "child_domain_name" – Use to specify the single-label DNS name of the child
domain.
• ConfirmGc; Yes, No – Use to specify that the DC will be a global catalog server.
• CreateDNSDelegation; Yes, No; Default is determined based on the environment – Determines
whether or not to create a DNS delegation in the parent zone.
• CriticalReplicationOnly; Yes, No; No – Using this parameter can decrease the installation time by
forcing the replication of only critical data until installation is complete.
• DatabasePath; "path_to_database_files"; %SYSTEMROOT%NTDS – Specifies the local directory
containing the domain database, e.g., C:WindowsNTDS.
• DelegatedAdmin; "name of user or group" – Used for read-only DCs, it specifies the name of user
or group that will administer it.
• DNSDelegationPassword; "password", * – Specifies the password for the credentials to use when
creating or removing DNS delegation. Use * to prompt the user to enter credentials.
• DNSDelegationUserName; “user_name" – Specifies the credentials to use when creating or
removing DNS delegation. If nothing is specified the credentials used for the DC installation are
used.
• DNSOnNetwork; Yes, No; Yes – Specifies whether DNS service is available, only use it when the
network adapter is not configured with a DNS server for name resolution. Specifying 'No' forces the
installation of the DNS Server role.
• DomainLevel; 0|2|3; The domain functional level cannot be lower than the forest functional level.
Default is set to the existing forest functional level or the value set for /ForestLevel – Determines the
domain functional level when creating a new domain as follows:
34. o 0 = Windows 2000.
o 2 =Windows Server 2003.
o 3 = Windows Server 2008.
• DomainNetBiosName; "domain_NetBIOS_name" – Assigns a network basic input/output system
(NetBIOS) name to the new domain.
• ForestLevel; 0|2|3; The default forest functional level when creating a new forest is Windows 2000 (0)
– Do not use this parameter when adding a DC to an existing forest. It determines the forest functional
level when creating a new forest as follows:
o 0 = Windows 2000.
o 2 =Windows Server 2003.
o 3 = Windows Server 2008.
• InstallDNS; Yes, No; Default is determined based on the environment; – Use to specify whether or
not DNS will be installed (replaces CreateDNSDelegation in previous versions of DCPromo.exe).
• LogPath; "path_to_log_files"; %SYSTEMROOT%NTDS – Specifies a local directory on that contains
the domain log files; e.g. C:WindowsNTDS.
• NewDomain; Tree, Child, Forest; Forest – Specifies whether to create a new forest, a new domain tree
in an existing forest, or a child of an existing domain.
• NewDomainDNSName; "DNS_name_of_domain" – Specifies the FQDN for the new domain.
• ParentDomainDNSName; "DNS_name_of_domain" – Specifies the FQDN of the parent domain
when creating a child domain.
• Password; "password", * – Specifies the password corresponding to the credentials used for the
operation; use * to prompt for credentials.
• PasswordReplicationAllowed; "security_principal", None – Use only when installing a read only DC
(RODC), it determines which accounts will have their passwords replicated to the new RODC. Specify
"None" if you want to keep the value empty.
• PasswordReplicationDenied; "security_principal", None – Use only when installing an RODC, it
determines which accounts will blocked from having their passwords replicated to the new RODC. Specify
"None" if you want to keep the value empty. Members of the following groups are denied by default:
Account Operators, Administrators, Backup Operators, Server Operators, and the Denied RODC Password
Replication Group (which includes Cert Publishers, Domain Admins, Enterprise Admins, Enterprise
Domain Controllers, Enterprise Read-Only Domain Controllers, Group Policy Creator Owners, the krbtgt
account, and Schema Admins).
35. • RebootOnCompletion; Yes, No; Yes – Use to force the computer to reboot at the end of the
installation process whether or not it was successful.
• RebootOnSuccess; Yes, No, NoAndNoPromptEither; Yes – Use to force the computer to reboot if
installation is successful.
• ReplicaDomainDNSName; "DNS_name_of_domain" – Determines the FQDN of the domain in
which you want to promote the new DC.
• ReplicaOrNewDomain; Replica, ReadOnlyReplica, Domain; Replica – Specifies whether to install an
additional DC, an RODC, or to create a new domain.
• ReplicationSourceDC; "DNS_name_of_DC" – Specifies the FQDN of the DC to use for replication
during the installation.
• ReplicationSourcePath; "replication_source_path" – Specifies the path of the data file to use for the
installation of a new DC.
• SafeModeAdminPassword; "password"; Default is empty password (it is required that you do not
leave this value blank) – Used to provide the password for the administrator account when starting the
computer in safe mode.
• SiteName; "site_name"; The default depends on the type of installation; in a new forest it will be
Default-First-Site-Name; in all other cases it is the site that is assigned to the subnet that includes the IP
address of the DC. – Determines the site for the new DC.
• SkipAutoConfigDns – Use to skip automatic configuration of DNS.
• Syskey; none, system key; none – Indicates the system key for the media which contains the
replication data.
• SysVolPath; "path_to_database_file"; %SYSTEMROOT%sysvol – Determines the local path for to the
sysvol folder, e.g., C:WindowsSYSVOL.
• TransferIMRoleIfNecessary; Yes, No; No – Use to determine whether to transfer the infrastructure
master role to the new DC. Enter “Yes” to transfer the role if needed (you also need to specify
"/ConfirmGC:No"); Enter “No” if you do not want to transfer the role.
• UserDomain; “domain_name" – Determines the domain name for the credentials used for the
operation. If no value is provided the domain of the computer is used.
• UserName; "user_name" – Specifies the credentials used for the operation. If no value is provided the
credentials of the current user are used for the operation.
To perform the installation enter the following at a command prompt with administrative privileges:
Dcpromo /unattend:%path%
36. Where %path% is the path for the answer file you created. It is also possible to type out all of the
parameters and values in the command itself in this format:
dcpromo /unattend /unattendOption:value /unattendOption:value ...
The command will be very long and complex though, I recommend that you use answer files instead. You
can also review the options for unattended installations by entering dcpromo /?:Promotion at a command
prompt. The list of options for unattended installations is long, however I do not believe that you need to
memorize it in order to prepare for the exam, instead just be sure that you understand what is possible and
what might go awry with unattended installations.
Note: Read only domain controllers (RODC) are a new capability in Windows Server 2008 intended to
help protect networks when one or more domain controllers has to be placed in a location that cannot be
physically secured such as a branch office. They are discussed in Configuring Additional Active Directory
Server Roles.
Working with previous versions of Active Directory
Upgrading from and interoperating with previous versions of Active Directory require planning and
familiarity with the adprep tool. Upgrading from Windows NT 4.0 Directory Services is a unique process
and will be covered in the next section.
Preparing a Windows 2000 or Windows Server 2003 forest for Windows Server 2008
Windows Server 2008 AD DS includes changes to the AD schema, therefore you must update the forest
schema before installing and Windows Server 2008 domain controllers. Before running the AD DS
installation wizard or performing an unattended installation of AD DS log into the forest’s schema master
with an account that is a member of the Enterprise Admins, Schema Admins, and Domain Admins groups.
Then insert the Windows Server 2008 installation DVD, open a command prompt with administrator
privileges, navigate to the Adprep folder (for example, e:sourcesadprep), and enter the following:
adprep /forestprep
Wait for the process to complete and allow the changes to replicate across the entire forest before preparing
any domains for a Windows Server 2008 domain controller.
Preparing a Windows 2000 or Windows Server 2003 domain for Windows Server 2008
After preparing the forest you need to prepare each domain where you will install Windows Server 2008
domain controllers. First, log into the domain’s infrastructure operations master with an account that is a
member of the Domain Admins group. Then insert the Windows Server 2008 installation DVD, open a
command prompt with administrator privileges, navigate to the Adprep folder, and enter the following:
adprep /domainprep
Wait for the process to complete and allow the changes to replicate across the forest before installing any
Windows Server 2008 domain controllers.
37. Tip: AD DS includes several special roles that can only be held by single domain controllers in the domain,
these are called flexible single master operations (FSMO) roles. Finding the infrastructure FSMO holder is
easy in Windows Server 2008 domains, open Active Directory Users and Computers, right-click on the
domain, select Operations Masters… and click on the Infrastructure tab. There can only be one schema
FSMO holder for each forest, and identifying it is a little more complex because you use the schema
editing tool to do so and Microsoft discourages modifying the schema directly. First you need to register
the Microsoft Management Console (MMC) snap-in by entering the regsvr32 schmmgmt.dll from a
command prompt. Then you need to open an empty MMC console by clicking Start, then clicking Run,
and then entering mmc. Open the File menu, click Add/Remove Snap-in, select Active Directory
Schema, click Add, and then click OK. Right-click on Active Directory Schema [%domainname%] and
select Operations Masters… from the menu as shown in figure 2, to identify the current schema master
for the forest. The user interface is slightly different for the MMC in Windows 2000 and Windows Server
2003, but adding the snap-in is still straightforward.
Figure 2: Active Directory Schema MMC Snap-In.
Preparing a Forest for Read-Only Domain Controllers
To prepare a Windows 2000 or Windows Server 2003 forest for RDOCs log into any computer in the forest
with an account that is a member of the Domain Admins group. Then insert the Windows Server 2008
installation DVD, open a command prompt with administrator privileges, and enter the following:
adprep /rodcprep
Wait for the process to complete and allow the changes to replicate across the entire forest before preparing
any domains for a Windows Server 2008 domain controller.
38. Other Considerations
When you upgrade a domain controller running Windows 2000 or Windows Server 2003 you do not need
to run the AD DS installation wizard or dcpromo because the server will automatically assume the role of
DC after the final restart of the upgrade process. Windows Server 2008 DCs have more restrictive default
security policies, to interoperate with clients running Windows NT 4.0 and certain 3rd
party operating
systems you may need to reduce security by changing the several settings in the Default Domain
Controllers Policy group policy.
1. Open the Group Policy Management console.
2. Navigate to the Group Policy Objects folder for the domain
3. Right-click on the Default Domain Controllers Policy GPO and select Edit.
4. In the Group Policy Editor, navigate to Computer Configuration/Policies/Windows
Settings/Security Settings/Local Policies/Security Options.
5. Modify each of the settings as follows:
a. To no longer force the use of SMB packet signing change the value of Microsoft network
server: Digitally sign communications (always) to Disabled.
b. To no longer force the use of secure channel signing change the value of Domain member:
Digitally encrypt or sign secure channel data (always) to Disabled.
6. To no longer force the use of strong cryptographic algorithms when communicating with Windows
NT 4.0 DCs navigate to Computer Configuration/Policies/Administrative
Templates/System/Net Logon, change the value of Allow cryptography algorithms compatible
with Windows NT 4.0 to Enabled, as shown in figure 3.
39. Figure 3: Editing the Default Domain Controller Policy.
You can learn more about these settings and why you may need to adjust them by reading “Modify Default
Security Policies on Windows Server 2008-Based Domain Controllers.”
Caution: I do not recommend that you reduce your environment’s security by adjusting the settings as
described above. It would be much better in the long run to upgrade the clients to operating systems that
support the more restrictive values for these settings.
Ensuring Group Policy Modeling Works Correctly
Another change you may wish to make when migrating from Windows 2000 AD is to update the
permissions on all of the group policies in the domain to ensure that the Group Policy Modeling feature
works. Microsoft has prepared a collection of scripts that you can download, see Group Policy
Management Console Sample Scripts. By default the scripts will be installed in %programfiles
40. %Microsoft Group PolicyGPMC Sample Scripts. Execute the following from a command prompt to
update the permissions:
GrantPermissionOnAllGPOs.wsf “Enterprise Domain Controllers” /permission:read
/domain:DNSDomainName /Replace
Raising forest and domain functional levels
Windows Server 2008 AD DS supports three functional levels: Windows 2000, Windows Server 2003, and
Windows Server 2008. The newer versions support additional features, however, once raising the
functional level for a forest or domain you cannot revert. Ensure that all of the domain controllers are
running a version of Windows that supports the functional level you intend to use. To raise the domain
function level do the following:
Click Start, select Administrative Tools, and then click Active Directory Users and Computers.
Right-click on the domain, then select Raise domain functional level...
Select the desired functional level and click Raise.
Click OK to confirm your choice.
To raise the forest function level and the functional levels of all domains in the forest do the following:
1. Click Start, select Administrative Tools, and then click Active Directory Domains and Trusts.
2. Right-click on Active Directory Domains and Trusts, then select Raise Forest Functional Level.
3. Select the desired functional level and click Raise.
4. Click OK to confirm your choice, click OK again.
Raising the functional level from Windows Server 2003 to Windows Server 2008 enables several new
features including Kerberos support for Advanced Encryption Services (AES 128 and 256), detailed
recording of last interactive logon information, fine-grained password policies, and Distributed File System
(DFS) replication of the contents of SYSVOL.
Migrating from Windows NT 4.0 Domains
You cannot migrate directly from Windows NT 4.0 to Windows Server 2008. Microsoft recommends a two
process to upgrade domains from Windows NT 4.0, upgrade to Windows Server 2003 and then upgrade to
Windows Server 2008. I do not think it is likely that you will encounter questions that require you to know
all of the details of every step in the process but rather that you understand the limitations and how to
overcome them. If you are faced with this challenge in a production environment here are links to useful
resources from Microsoft:
How To Upgrade a Windows NT 4.0-Based PDC to a Windows Server 2003-Based Domain Controller.
41. Windows NT Server 4.0 Upgrade Guide.
Upgrading Active Directory Domains to Windows Server 2008 AD DS Domains.
Migrating and Restructuring Active Directory Domains Using ADMT v3.1.
Active Directory Migration Tool version 3.1.
Decommissioning Domain Controllers
There are three basic scenarios involving the decommissioning of DCs: removing one from a domain;
removing the last one from a domain; and removing the last one from a forest. You can initiate the process
using the graphical interface by launching dcpromo on the domain controller, you can do it from a
command prompt by entering dcpromo from a command prompt with the appropriate parameters. Enter
dcpromo /?:demotion to see a full list of parameters available for answer files and the command prompt.
When you use the AD DS Installation Wizard you are asked to make a series of decisions about the
demotion such as whether or not to delete any application directory partitions stored on the DC, whether to
remove any DNS delegations pointing to the server. If you are deleting the last DC in a domain be sure to
perform the instructions that appear on the Delete the Domain page of the wizard such as backing up
cryptographic keys, you will need to enable the checkbox on this page. You will be prompted to provide
credentials for an account that is a member of the Enterprise Admins group if you are not logged on with
an account that belongs to it. Removing the last DC in a forest is essentially the same, however you must
start the process while logged in with an account that belongs to the Enterprise Admins group for the forest
or the Domain Admins group in the forest’s root domain.
Configuring Trusts
A trust is a relationship between domains that make it possible for a user in one domain to be authenticated
by a domain controller in the other. Trusts make it easier to grant access to shared resources to users in
other domains. A one-way trust is a single trust relationship, if domain A trusts domain B then users from
domain B can be granted permissions on objects in domain A. A two-way trust means that both domains
trust the other and therefore users from either domain can be granted permissions on objects in the other.
Transitive means that if one domain trusts another, and that second trusts a third one then the first will also
trust the third one. For example, in figure 4, Washington trusts Paris, and Paris trusts Moscow, therefore
Washington also trusts Moscow. Trusts were one-way and not transitive by default in Windows NT 4.0 and
earlier versions, since Windows 2000 they have been two-way and transitive by default.
Figure 4: Transitive Trusts
While most of the time two-way transitive trusts are sufficient, there are situations where a one-way non-
transitive trust would be better. A hypothetical example may help, pretend that Company A has just
acquired Firm B. Company A instructs Firm B to configure their Windows domains to trust the Company
A domains, however Company A does not reciprocate. Until Company A management has determined
42. which Firm B employees will be laid off and which will be retained this arrangement will minimize the risk
of a disgruntled one at Firm B doing something unpleasant to Company A resources.
Trusts are established between domains as they are added to a forest, there are a number of things you
might want to do to manage these types of trusts. Its also possible that you will need to manually establish
trusts to improve authentication times in large trees or to connect to Kerberos realms running on other
platforms.
The primary tools for managing trust relationships in AD DS are the Active Directory Domains and Trusts
console and the netdom command prompt utility. There are a few other management tasks involving these
tools that are covered at the end of this section.
There are four kinds of trusts available, all of which can be either unidirectional or bidirectional. Forest
trusts are transitive trusts between two AD DS-based forests that facilitate the sharing of network
resources. Shortcut trusts transitive trusts between two AD DS domains within the same forest that are
manually created to improve logon times. External trusts are nontransitive trusts between AD DS domains
and either NT 4.0 domains or AD-based domains located in separate, untrusted forests. Realm trusts are
transitive or nontransitive trusts between AD DS domains and non-Windows Kerberos realms. In a one-
way trust the trusting domain allows users in the other domain to access shared resources. In a two-way
trust both domains trust the other and users in either can be granted access to resources in the other. To
create a trust using Active Directory Domains and Trusts do the following:
1. Right-click on the desired domain and click Properties.
2. Select the Trusts tab and click New Trust, then click Next.
3. Provide the DNS or NetBIOS name of the other domain or realm, then click Next
4. Specify whether the trust will be with a Windows domain or Kerberos realm on the Trust Type
page, then click Next. Figure 5 shows this page of the wizard with Active Directory Domains and Trust
console and the domain properties dialog box.
5. Depending upon the type of trust selected you may be able to specify the type of transitivity for the
trust on the Transitivity of Trust page.
6. Specify the direction of the trust on the Direction of Trust page. Note that an incoming one-way trust
means users in the other domain will not have access to resources in this domain while in an outgoing one-
way trust users in this domain will not have access to resources in the other.
7. If it’s a realm trust you will also be prompted to provide a password for the trust relationship.
43. Figure 5: The Trust Type Page of the New Trust Wizard.
To create an external or shortcut trust from a command prompt enter the following command, table 1
briefly explains each parameter:
netdom trust <TrustingDomainName> /d:<TrustedDomainName> /add
Parameter Description
trust The second parameter tells netdom what action to take, in this case
managing a trust relationship.
<TrustingDomainName> Specifies the name (DNS or NetBIOS) of the trusting domain in the
trust to create.
44. /d: Indicates that the other domain will be trusted.
<TrustedDomainName> Specifies the name (DNS or NetBIOS) of the other domain in the
trust to create.
/add Instructs netdom to establish a new trust.
Table 1: Netdom parameters for establishing trusts.
To create a realm trust from a command prompt enter the following command. Establishing a real trust
requires a few more parameters as described in table 2:
netdom trust <TrustingDomainName> /d:<TrustedDomainName> /add /realm
/PasswordT:<NewRealmTrustPassword>
Parameter Description
/realm Specifies that the trust is to be created to a Kerberos realm.
/PasswordT: Parameter that precedes the password for the new trust.
<NewRealmTrustPassword> The actual password for the new trust, it must match the password
used in the Kerberos realm.
Table 2: Additional netdom parameters for realm trusts.
Other Management Tasks
An alternate user principal name (UPN) suffix can simplify the logon process by allowing all users within
the forest to use the same UPN suffix. The suffix does not have to be a valid DNS domain name. To add
one open Active Directory Domains and Trusts, right-click on Active Directory Domains and Trusts,
select Properties, then select the UPN Suffixes tab and click Add.
The default scope for authentication across trusts is broad in order to simply management. Users in the
trusted domain have the same level of access to resources as users in the local domain. Only external and
forest trusts support selective authentication, which allows you to more tightly control access to resources
from those domains. If selective authentication is enabled you have to manually assign permissions to each
resource you want users in the other domain to be able to access. To define the authentication scope across
external and forest trusts open Active Directory Domains and Trusts, right-click on Active Directory
Domains and Trusts, select Properties, then select the Trusts tab. Select the desired trust relationship,
click Properties, then select the Authentication tab and specify the authentication scope.
AD DS accounts have an attribute called the SID history. Administrators can add users’ old security
identifiers (SIDs) to simplify managing access to shared resources during migrations. Unfortunately, this
feature might be abused by an attacker who has compromised a DC as they could add SIDs to new
accounts granting those accounts unauthorized privileges. By default Windows Server 2008 enables SID
45. filtering on all new external trusts. SID filtering reduces the risk of a malicious user or rogue administrator
in the trusted domain from granting themselves elevated privileges in the trusting domain. You manage
SID filtering using netdom, from a command prompt enter the following, table 3 briefly explains the
parameters:
Netdom trust TrustingDomainName /domain:TrustedDomainName /quarantine:No
Parameter Description
trust The second parameter tells netdom what action to take, in this case
managing a trust relationship.
<TrustingDomainName> Specifies the name (DNS or NetBIOS) of the trusting domain.
/domain: Indicates that the other domain will be trusted.
<TrustedDomainName> Specifies the name (DNS or NetBIOS) of the other domain in the
trust.
/quarantine Instructs netdom to manage the state of SID filtering.
<yes | no> Turns SID filtering on or off
Tip: restartable AD DS rather than having to reboot
Configuring Sites and Replication
While forests, trees, and domains represent the logical architecture of AD DS, sites represent the physical
network architecture upon which it is deployed. A sound site design and DC placement is necessary to
ensure performance and reasonable bandwidth consumption. Typically, a site hosts at least one DC and
includes one or more Internet Protocol (IP) subnets that share a high-speed network and are connected to
other sites via slower links. When you install the first DC in a new forest a site called Default-First-Site-
Name is created, all computers are assigned to this site until additional ones are created. When sites have
been defined computers will automatically be assigned to the appropriate one based on their IP address, if
their address does not belong to any of the subnets defined for the sites it will be assigned to the Default-
First-Site-Name site.
You manage sites and their components using the Active Directory Sites and Services console. Although
you can create the objects in any order you wish and easily modify existing ones there is a logical
progression that might save you time and effort. First create the site; then define the AD subnets for the
site; then create site links between the new site and one or more sites that already exist; finally, assign one
or more domain controllers to the site.
Adding Sites
46. To add a site using Active Directory Sites and Services do the following:
1. Right-click on Sites in the console tree and select New Site
2. Type a name for the site in the Name text box.
3. Select a site link object from the list below Link Name and click OK.
To add a server to a site using Active Directory Sites and Services do the following:
1. Navigate to the desired site in the console tree and expand the view by clicking on the plus sign.
2. Right-click on Servers, select New, and then click Server.
3. Specify the name of the server and click OK.
Creating Active Directory Subnets
To add a subnet using Active Directory Sites and Services do the following:
1. Right-click on Subnets in the console tree and select New Subnet…
2. Enter the prefix for the subnet address using network prefix notation, e.g. if the 192.168.2.0 subnet had
a subnet mask of 255.255.255.0 its prefix would be 192.168.2.0/24 while a subnet of 10.2.0.0 with a subnet
mask of 255.255.0.0 would have a prefix of 10.2.0.0/16.
3. Assign the subnet to a site by selecting the site from the Site Name list, then click OK.
Managing Site Links
To manage a site link using Active Directory Sites and Services do the following:
1. Expand the Inter-Site Transports folder.
2. Right-click the desired transport protocol, either IP or SMTP, the former refers to the protocol native
to AD DS, RPC over IP, while SMTP is the Simple Mail Transport Protocol.
3. Select New Site Link.
4. Type a name for the site in the Name text box.
5. Select a site to add to the link from the Sites not in this site link: list and click Add. Repeat this
procedure to place more sites in the link, as shown in figure 6.
47. Figure 6: Adding Sites to a Link.
Creating a site link as described above creates a transitive link between sites, for most situations this is
ideal, however if you want to create a link that is not transitive select New Site Link Bridge instead of
New Site Link in step 3 above.
You can manage other settings for these objects by right-clicking on them in the console tree and selecting
properties, as shown in figure 7. By default replication occurs every 3 hours across a link and each link is
available 24 hours per day, 7 days per week. You may want to adjust the cost of your links the replication
frequency, and the schedule in order to more closely control bandwidth usage. While RPC over IP is a
robust replication protocol for most situations, SMTP is ideal for replication across unreliable network
connections. SMTP only supports replication of the schema, configuration, and global catalog and it
requires and enterprise certification authority (CA). Note that the AD Knowledge Consistency Checker
(KCC) builds the intersite replication topology automatically based on the sites, subnets, and links that you
define. Replication will automatically follow the lowest cost routes between sites. The KCC updates the
topology every 15 minutes, you can force it to update at any time by navigating to a server object under the
site container in Active Directory Sites and Services, right-clicking NTDS Settings for the server,
selecting All Tasks, and then clicking Check Replication Topology.
48. Figure 7: Site Properties Dialog Box.
Understanding Bridgehead Servers
The KCC automatically assigns the role of bridgehead server to one DC in each site. Replication between
sites occurs between these bridgehead servers. Normally there is no need to alter them, if you do and the
manually assigned server goes offline replication will be disrupted. To want to manually assign a preferred
bridgehead server to a site in Active Directory Sites and Services, navigate to the desired domain
controller in the console tree, right-click on it and click Properties. You can select one or more transports
and click Add on the General tab to make that DC the preferred bridgehead server, as shown in figure 8.
Figure 8: Manually Configuring a Preferred Bridgehead Server.
Exercise 1: Adding the Distributed File System Role Service
This is a quick exercise that will help you practice the tasks discussed in the next part of this section.
Previously you added AD DS server role to your practice computer, which resulted in the installation of the
first domain controller in your lab. By default, choosing this server role adds two more: the DNS Server
and File Services roles. DFS is an optional role service for the File Services role.