Thursday, April 24, 2014

3. Configure network services and access 3.1 Configure DNS Zones

Review from 70-410 4.3:
DNS Basics
DNS namespace, name servers, resolver (the client that sends DNS queries)

Recursive query: resolver clients send recursive queries to their DNS servers. This tells the DNS server to query the hierarchy of DNS servers until it gets a resolution from the authoritative server(s).
Iterative query: a single request/response exchange between DNS servers. The only time a DNS server sends a recursive query to another DNS server is when it is querying a forwarder.

DNS forwarders are set up to perform the full recursive query on behalf of other DNS servers.

Reverse name resolution: resolves a name from an IP address.

Zones:
Primary: master copy of the zone. If not AD-integrated, a local database file holds the zone.
Secondary: read-only duplicate of the primary, replicated from it by zone transfer.
Stub: partial copy of a zone (SOA, NS and glue A records only) that forwards or refers requests to the authoritative servers.
Zones that are not AD-integrated are saved in a "zone file" in %systemroot%\system32\dns
AD-integrated: stored in Active Directory instead of a zone file (see 3.1.4).

RR = resource records
top-level domains, second-level domains, hosts
nslookup
udp/tcp port 53

Install DNS: Server Roles -> DNS Server (feature name DNS); -IncludeManagementTools also installs RSAT-DNS-Server
MMC=dnsmgmt.msc, PS module=DNSServer, command line=dnscmd.exe

dnscmd dc.contoso.com /enumzones

PS:
get-dnsserverzone

3.1.1 Configure primary and secondary zones
Primary Zone:

Forward Lookup
DNS Manager (dnsmgmt.msc)
Right click Forward Lookup Zones and choose New Zone. Choose Primary. Enter a zone name, which is the portion of the DNS namespace for which the server will be authoritative (such as contoso.com, or onezone.contoso.com).
Create a new zone file.
Dynamic Update: secure updates are available only for AD-integrated zones (see 3.1.4).

dnscmd /zoneadd bartledoo.contoso.com /primary
dnscmd /zoneinfo bartledoo.contoso.com
dnscmd /zonedelete bartledoo.contoso.com

add-dnsserverprimaryzone -name "bartledoo.contoso.com" -zonefile "bartledoo.contoso.com.dns"
get-dnsserverzone -name bartledoo.contoso.com
remove-dnsserverzone -name bartledoo.contoso.com

Reverse v4 primary:
right click Reverse Lookup Zones-> New Zone
Ipv4 reverse lookup zone
Type in the network ID or specify the reverse lookup zone name manually. Entering the network ID auto-fills the reverse lookup zone name (network ID backwards + .in-addr.arpa).
Create a new zone file
Choose the dynamic update setting (Do not allow for non-AD)

dnscmd /zoneadd 10.168.192.in-addr.arpa /primary

add-dnsserverprimaryzone -networkid 192.168.10.0/24 -zonefile "10.168.192.in-addr.arpa.dns"

Reverse v6 primary:
Reverse Lookup Zones -> New Zone
select Primary zone
Ipv6 Reverse Lookup
Enter the network prefix for the IPv6 zone (e.g. fe80:0:3891:0405::/64)

dnscmd /zoneadd 5.0.4.0.1.9.8.3.0.0.0.0.0.8.e.f.ip6.arpa /primary

add-dnsserverprimaryzone -networkid fe80:0:3891:0405::/64 -zonefile "5.0.4.0.1.9.8.3.0.0.0.0.0.8.e.f.ip6.arpa.dns"

Secondary Zone:
Forward Lookup zone-> New Zone
Secondary zone
in the zone name, enter the dns namespace name
master DNS Servers, enter the IP address of the primary zone server(s)

dnscmd /zoneadd bartledoo.contoso.com /secondary 192.168.10.8

add-dnsserversecondaryzone -name "bartledoo.contoso.com" -zonefile "bartledoo.contoso.com.dns" -masterservers 192.168.10.8

AD-integrated:
When choosing Primary, Secondary, Stub, "Store the zone in AD" option(AD-integrated) is available if the DNS server is a read-write Domain Controller. See 3.1.4.
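The procedures above (forward primary, reverse primary, secondary) carried through in PowerShell, as an added example that is not code from the original notes. The server names dns1/dns2, the zone bartledoo.contoso.com, the 192.168.10.0/24 subnet and the primary's address 192.168.10.8 are assumed lab values. It ends with the check a practitioner wants afterwards: which zones accept nonsecure dynamic updates, since a file-backed zone cannot use secure updates and NonsecureAndSecure lets any host on the network register or overwrite records.

```powershell
# Added example (not from the original notes): build a file-backed primary
# forward zone and its reverse zone on one server, then a secondary copy on a
# second server, and verify the result. Server names, the zone name and the
# subnet are assumed lab values.
$Primary   = 'dns1.contoso.com'    # assumed: holds the primary zones
$PrimaryIP = '192.168.10.8'        # assumed: address of $Primary
$Secondary = 'dns2.contoso.com'    # assumed: will hold the secondary copy
$Zone      = 'bartledoo.contoso.com'
$Subnet    = '192.168.10.0/24'
$RevZone   = '10.168.192.in-addr.arpa'

# Forward primary. -DynamicUpdate None: a file-backed zone cannot use Secure
# updates, and NonsecureAndSecure lets any host on the network register or
# overwrite records, so static registration is the safe choice here.
Add-DnsServerPrimaryZone -ComputerName $Primary -Name $Zone `
    -ZoneFile "$Zone.dns" -DynamicUpdate None

# Reverse primary for the subnet; -NetworkId derives the in-addr.arpa name.
Add-DnsServerPrimaryZone -ComputerName $Primary -NetworkId $Subnet `
    -ZoneFile "$RevZone.dns" -DynamicUpdate None

# One host record; -CreatePtr writes the matching PTR into the reverse zone.
Add-DnsServerResourceRecordA -ComputerName $Primary -ZoneName $Zone `
    -Name 'web01' -IPv4Address '192.168.10.50' -CreatePtr

# Secondary copy on the second server. The primary must permit transfers to
# this server (zone transfer settings, 3.1.6) or the initial AXFR will fail.
Add-DnsServerSecondaryZone -ComputerName $Secondary -Name $Zone `
    -ZoneFile "$Zone.dns" -MasterServers $PrimaryIP

# Verify both copies and the record in each direction.
foreach ($Server in $Primary, $Secondary) {
    Get-DnsServerZone -ComputerName $Server -Name $Zone |
        Select-Object @{n='Server';e={$Server}}, ZoneName, ZoneType, DynamicUpdate, IsDsIntegrated
}
Resolve-DnsName -Name "web01.$Zone" -Server $Primary -Type A
Resolve-DnsName -Name '192.168.10.50' -Server $Primary -Type PTR

# Audit: list every primary zone on the server that still accepts nonsecure
# dynamic updates. On a file-backed zone the fix is -DynamicUpdate None; on a
# domain controller the fix is to make the zone AD-integrated and use Secure.
Get-DnsServerZone -ComputerName $Primary |
    Where-Object { $_.ZoneType -eq 'Primary' -and $_.DynamicUpdate -eq 'NonsecureAndSecure' } |
    Select-Object ZoneName, DynamicUpdate, IsDsIntegrated, ZoneFile
```

The script needs the DNSServer module (RSAT-DNS-Server) and an account that is a DnsAdmin on both servers. Run the secondary-zone step only after the transfer settings on the primary allow dns2, otherwise the secondary zone is created but stays empty and expires.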


3.1.2 configure stub zones
A stub zone only contains basic RR's: SOA, NS, certain "glue" A records and points to the authoritative NS.

Right click Forward Lookup Zone-> New Zone. Choose Stub zone. Enter domain namespace. On master DNS servers, enter primary zone dns server(s).

If you integrate the stub zone into Active Directory Domain Services (AD DS), you have the option to specify that the DNS server hosting the stub zone uses a local list of master servers when it updates the stub zone's resource records, rather than using the master servers list that is stored in AD DS.

Caching-only server: Install DNS but do not configure a zone. In DNS Manager, click DNS in the menu, select New Server, and type in the IP address of the computer where you have installed DNS.

dnscmd /zoneadd stubby.contoso.com /stub 192.168.10.9
dnscmd /zonedelete stubby.contoso.com

dnscmd /zoneadd stubby.contoso.com /dsstub 192.168.10.9 /dp /domain
dnscmd /zonedelete stubby.contoso.com /dsdel

add-dnsserverstubzone -name "stubby.contoso.com" -zonefile "stubby.contoso.com.dns" -masterservers 192.168.10.9
add-dnsserverstubzone -name "stubby.contoso.com" -replicationscope domain -masterservers 192.168.10.9

3.1.3 configure conditional forwards
Forwarding:
Right click DNS server and properties, Forwarders tab. Click edit, Add DNS servers to forward to.

Conditional forwarding: You can forward DNS requests for certain domain names.

Expand the server, right click Conditional Forwarders -> New Conditional Forwarder
Enter the domain to forward
Add the IP address(es) of the servers to forward this domain to.
Check the box to store this forwarder in AD. Set the timeout on forward queries for this conditional forwarder.


dnscmd /zoneadd google.com /forwarder 8.8.8.8
optional switches: /timeout <seconds>, /slave (do not fall back to the server's own recursion if the forwarder fails)

add-dnsserverconditionalforwarderzone -name "google.com" -masterservers 8.8.8.8

3.1.4 configure zone and conditional forward storage in Active Directory
Zones are only stored in AD on AD-integrated DNS servers (DNS running on a domain controller). Replication scope choices:
1. To all DNS servers on domain controllers in this forest: stored in the forest-wide application partition
cn=microsoftdns,dc=forestdnszones,dc=contoso,dc=com
2. To all DNS servers on domain controllers in this domain: stored in the domain-wide application partition
cn=microsoftdns,dc=domaindnszones,dc=contoso,dc=com
3. To all domain controllers in this domain (Windows 2000 compatibility): stored in the domain partition, as in Windows 2000
cn=microsoftdns,cn=system,dc=contoso,dc=com
4. To all domain controllers in the scope of this directory partition (a custom application partition).

Conditional forward storage:
By default stores in domain partition.
/DP switch with dnscmd to choose partition (or fqdn of custom partition)
========
dnscmd /zoneadd bartledoo.contoso.com /dsprimary /dp /domain
other scopes: /dp /forest, /dp /legacy, or /dp <fqdn of custom partition>

dnscmd /zonedelete bartledoo.contoso.com /dsdel

PS:
just add -replicationscope domain|forest|legacy|FQDN

add-dnsserverprimaryzone -name "bartledoo.contoso.com" -replicationscope domain

Conditional forwarder:
dnscmd /zoneadd google.com /dsforwarder 8.8.8.8 /dp /domain
add-dnsserverconditionalforwarderzone -name "google.com" -masterservers 8.8.8.8 -replicationscope domain
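Sections 3.1.2 to 3.1.4 together, as an added example that is not code from the original notes: create an AD-integrated stub zone and conditional forwarder, then report for every zone on the DC which partition it lives in, using the mapping from the list above. The partner.example namespace, the 192.168.20.x forwarder addresses and the stub master 192.168.10.9 are assumed lab values; run it on a writable domain controller that holds the DNS role.

```powershell
# Added example (not from the original notes): create an AD-integrated stub
# zone and conditional forwarder, then inventory where every zone on this DC
# is stored. Names and addresses are assumed lab values.
$StubZone   = 'stubby.contoso.com'
$StubMaster = '192.168.10.9'
$FwdDomain  = 'partner.example'                 # assumed: partner namespace to forward
$FwdServers = '192.168.20.10', '192.168.20.11'  # assumed: partner's DNS servers

# Stub zone replicated to every DNS server in the domain (DomainDnsZones partition).
Add-DnsServerStubZone -Name $StubZone -MasterServers $StubMaster -ReplicationScope Domain

# Conditional forwarder replicated forest-wide (ForestDnsZones) with a 5 second
# timeout so a dead partner server does not stall the resolver.
Add-DnsServerConditionalForwarderZone -Name $FwdDomain -MasterServers $FwdServers `
    -ReplicationScope Forest -ForwarderTimeout 5

# Inventory: map ReplicationScope to the partition listed in the notes and flag
# zones that are still file-backed (no AD storage, so no secure dynamic updates).
$Partition = @{
    Forest = 'cn=microsoftdns,dc=forestdnszones,...'
    Domain = 'cn=microsoftdns,dc=domaindnszones,...'
    Legacy = 'cn=microsoftdns,cn=system,... (domain partition)'
}
Get-DnsServerZone | Where-Object { -not $_.IsAutoCreated } | ForEach-Object {
    $scope = [string]$_.ReplicationScope
    if (-not $_.IsDsIntegrated) {
        $where = "file: $($_.ZoneFile)"
    } elseif ($Partition.ContainsKey($scope)) {
        $where = $Partition[$scope]
    } else {
        $where = "custom partition: $($_.DirectoryPartitionName)"
    }
    [pscustomobject]@{
        Zone      = $_.ZoneName
        Type      = $_.ZoneType
        InAD      = $_.IsDsIntegrated
        StoredIn  = $where
        DynUpdate = $_.DynamicUpdate
    }
} | Format-Table -AutoSize
```

Stub and conditional forwarder zones show ZoneType Stub and Forwarder respectively; a conditional forwarder created through the GUI without "store in AD" appears with InAD False and an empty file, which is the case to look for when forwarders must survive a DC rebuild.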

3.1.5 configure zone delegation
When you want another DNS server to be authoritative for a subdomain, you delegate that subdomain to it: the parent zone gets NS (and glue A) records pointing at the child's name server.

Create a primary zone on the target dns server for the subdomain space it will host.
On the master server, right click the parent zone and select new delegation
enter the full dns name with child name.
Enter the ip address or FQDN of the dns server that will be authoritative for the child namespace

dnscmd /recordadd contoso.com child NS server2.child.contoso.com   (NS data is the name server's host name, not an IP; the IP 192.168.10.119 goes in a glue A record for that host)

add-dnsserverzonedelegation -name "contoso.com" -childzonename "one" -nameserver "server2" -ipaddress 192.168.10.119
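The delegation procedure end to end, as an added example that is not code from the original notes: primary zone on the child server, delegation with glue in the parent, then a check that the parent actually hands out the delegation. dns1.contoso.com as the parent server and server2.one.contoso.com at 192.168.10.119 as the child server are assumed lab values.

```powershell
# Added example (not from the original notes): delegate one.contoso.com to a
# second DNS server and verify the delegation from the parent. Server names
# and addresses are assumed lab values.
$ParentServer = 'dns1.contoso.com'         # assumed: authoritative for contoso.com
$ChildServer  = 'server2.one.contoso.com'  # assumed: will host one.contoso.com
$ChildIP      = '192.168.10.119'

# 1. Primary zone for the subdomain on the target server.
Add-DnsServerPrimaryZone -ComputerName $ChildServer -Name 'one.contoso.com' `
    -ZoneFile 'one.contoso.com.dns' -DynamicUpdate None

# 2. Delegation in the parent zone: an NS record for "one" plus the glue A
#    record for the name server, which is required because the name server's
#    own name lies inside the space being delegated.
Add-DnsServerZoneDelegation -ComputerName $ParentServer -Name 'contoso.com' `
    -ChildZoneName 'one' -NameServer $ChildServer -IPAddress $ChildIP

# 3. Verify. The parent must return the delegation NS record with its glue,
#    and the child server must answer authoritatively for the new zone.
Get-DnsServerZoneDelegation -ComputerName $ParentServer -Name 'contoso.com' -ChildZoneName 'one'
Resolve-DnsName -Name 'one.contoso.com' -Type NS  -Server $ParentServer
Resolve-DnsName -Name 'one.contoso.com' -Type SOA -Server $ChildServer
```

If the NS query against the parent returns nothing, the delegation was created under the wrong parent zone; if the SOA query against the child fails, step 1 was skipped or the child server's firewall blocks UDP/TCP 53.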

3.1.6 configure zone transfer settings
Zone transfers copy full or partial DNS data from a primary zone to its secondary copies.
Zone transfer causes:
Initial transfer when a secondary zone is created and pointed at a primary
zone refresh interval expires
DNS server service startup on secondary server
Primary master notifies secondary server(s) that changes have been made and need to be replicated.
Manual zone transfer initiated.

Types of transfers:
Full(AXFR) - copies the entire zone. Used for initial transfer.
Incremental (IXFR): the secondary requests updated records from the primary, which sends only the RRs that have changed. The serial number in the SOA on each server is compared; if the primary's is higher, replication is needed.
DNS Notify: primary tells secondary it needs to update. secondary initiates IXFR.

Right click forward or reverse zone to configure, properties, zone transfers tab. Check allow zone transfers, then set:
to any server
to servers listed on NS tab
to specific servers


dnscmd /zoneresetsecondaries contoso.com <one of the following>
/nonsecure (to any server)
/securens (to servers listed on the NS tab)
/securelist <ip addresses> (to specific servers)
/noxfr (no transfer)

set-dnsserverprimaryzone -name contoso.com -securesecondaries <value>, where value is one of:
transferanyserver
transfertozonenameserver
transfertosecureservers (add -secondaryservers <ip addresses>)
notransfer

3.1.7 configure notify settings
Also on zone transfer settings tab, click Notify. Check "Automatically notify" then set:
Servers listed on NS tab
Specific servers

dnscmd /zoneresetsecondaries contoso.com /securens <plus one of the following>
/notify (servers listed on the NS tab)
/notifylist <ip addresses> (specific servers)
/nonotify

set-dnsserverprimaryzone -name contoso.com -notify <value> (can be combined with -securesecondaries), where value is one of:
notify
notifyservers (add -notifyservers <ip addresses>)
nonotify
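Sections 3.1.6 and 3.1.7 together, as an added example that is not code from the original notes: a report of the transfer and notify setting of every primary zone on a server, followed by hardening of any zone that still allows transfers to any server. An open AXFR hands out the whole zone (every host name and address) to anyone who asks, which is why "to any server" is the setting to hunt for. dns1.contoso.com and the secondary addresses 192.168.10.9 and 192.168.10.10 are assumed lab values.

```powershell
# Added example (not from the original notes): audit zone transfer and notify
# settings on a primary server and harden any zone that allows transfers to
# any host. Server name and secondary addresses are assumed lab values.
$Server      = 'dns1.contoso.com'
$Secondaries = '192.168.10.9', '192.168.10.10'   # assumed: the only legitimate secondaries

function Get-ZoneTransferReport {
    param([string]$ComputerName)
    Get-DnsServerZone -ComputerName $ComputerName |
        Where-Object { $_.ZoneType -eq 'Primary' -and -not $_.IsAutoCreated } |
        ForEach-Object {
            # Rank the setting: "any server" leaks the zone to anyone; "zone
            # name servers" trusts whatever the NS records currently say.
            $risk = switch ([string]$_.SecureSecondaries) {
                'TransferAnyServer'        { 'HIGH: any host can AXFR the whole zone' }
                'TransferToZoneNameServer' { 'MEDIUM: limited only by the NS records' }
                default                    { 'ok' }
            }
            [pscustomobject]@{
                Zone              = $_.ZoneName
                SecureSecondaries = $_.SecureSecondaries
                SecondaryServers  = ($_.SecondaryServers -join ',')
                Notify            = $_.Notify
                NotifyServers     = ($_.NotifyServers -join ',')
                Risk              = $risk
            }
        }
}

# Before hardening.
Get-ZoneTransferReport -ComputerName $Server | Format-Table -AutoSize

# Restrict transfers to the listed secondaries and notify only them. The
# -SecureSecondaries and -Notify values are the ones listed in the notes.
Get-DnsServerZone -ComputerName $Server |
    Where-Object { $_.ZoneType -eq 'Primary' -and $_.SecureSecondaries -eq 'TransferAnyServer' } |
    ForEach-Object {
        Set-DnsServerPrimaryZone -ComputerName $Server -Name $_.ZoneName `
            -SecureSecondaries TransferToSecureServers -SecondaryServers $Secondaries `
            -Notify NotifyServers -NotifyServers $Secondaries
    }

# After hardening: every row should now read "ok".
Get-ZoneTransferReport -ComputerName $Server | Format-Table -AutoSize

# dnscmd equivalent for a single zone, per the notes:
#   dnscmd dns1.contoso.com /zoneresetsecondaries contoso.com /securelist 192.168.10.9 192.168.10.10 /notifylist 192.168.10.9 192.168.10.10
```

Keep the secondary list and the notify list identical: a server that is notified but not allowed to transfer will request an IXFR on every change and be refused each time, which shows up as repeated event 6527-style transfer failures on the secondary rather than as a working replica.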
