Microsoft Official Course: Designing and Implementing Name Resolution


Microsoft Official Course

Module 4: Designing and Implementing Name Resolution
Module Overview

• Designing a DNS Server Implementation Strategy
• Designing the DNS Namespace
• Designing and Implementing DNS Zones
• Designing and Configuring DNS Zone Replication and Delegation
• Optimizing DNS Servers
• Designing DNS for High Availability and Security
Lesson 1: Designing a DNS Server Implementation Strategy

• Gathering Information About Your Network Infrastructure
• Planning DNS Server Capacity
• Determining DNS Server Placement
• Selecting DNS Server Roles
• Security Considerations for DNS Servers
• Demonstration: Installing the DNS Server Role
Gathering Information About Your Network Infrastructure

Type                      Point of consideration
Locations                 • Number of locations
Hosts                     • Number of hosts at each location
DNS servers               • Existence of any prior DNS servers
AD DS                     • Existence of, or plans to include, an Active Directory infrastructure
NetBIOS client computers  • Location of NetBIOS client computers
Planning DNS Server Capacity

To plan DNS server capacity:


• Determine the number of zones for each server
• Determine the size of each zone
• Determine the number of queries for each server
Determining DNS Server Placement

[Diagram: DNS servers, each hosting a DNS zone, placed in Subnet 1 and Subnet 3; DNS clients in Subnet 1, Subnet 2 and Subnet 3 query them]
Selecting DNS Server Roles

Role                              Situation
Caching-only/forwarding servers   • A remote office has a limited amount of available bandwidth
                                  • You want to manage the DNS traffic between your network and the Internet
Non-recursive servers             • You have Internet-facing DNS servers that are authoritative for one or more zones
Authoritative servers             • For all zones, you must configure at least two DNS servers as authoritative servers for any given DNS domain
Security Considerations for DNS Servers

Options for securing DNS servers:

• Use firewalls, including Windows Firewall
• Restrict zone transfers
• Use Active Directory–integrated zones
• Secure dynamic updates
• Use forwarders to limit which servers perform Internet name resolution
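The following PowerShell script is an added example, not part of the course material, showing how the options above are applied on a Windows Server 2012 DNS server with the DnsServer and NetSecurity modules. The zone name corp.contoso.com, the management subnet 10.0.0.0/24 and the forwarder addresses are assumed values chosen for illustration.

```powershell
# Added example (not from the course): applying the hardening options listed above.
# Zone name, subnet and forwarder addresses are assumptions for illustration.
Import-Module DnsServer
Import-Module NetSecurity

$Zone        = 'corp.contoso.com'            # assumed AD DS-integrated zone
$AdminSubnet = '10.0.0.0/24'                 # assumed management subnet
$Forwarders  = '192.0.2.53', '192.0.2.54'    # assumed upstream resolvers (RFC 5737 example range)

# 1. Windows Firewall: keep the role's built-in "DNS Service" rule group enabled, but
#    limit the inbound RPC rules (remote administration with DNS Manager or dnscmd) to
#    the management subnet. Port 53 stays reachable for clients.
Get-NetFirewallRule -DisplayGroup 'DNS Service' | Enable-NetFirewallRule
Get-NetFirewallRule -DisplayGroup 'DNS Service' |
    Where-Object { $_.Direction -eq 'Inbound' -and $_.DisplayName -like 'RPC*' } |
    Set-NetFirewallRule -RemoteAddress $AdminSubnet

# 2. Secure dynamic updates. Secure-only updates need an AD DS-integrated zone, because
#    the update is authenticated with the client's Kerberos credentials.
$z = Get-DnsServerZone -Name $Zone
if ($z.IsDsIntegrated) {
    Set-DnsServerPrimaryZone -Name $Zone -DynamicUpdate Secure
} else {
    Write-Warning "$Zone is file-backed; secure dynamic update is unavailable, disabling updates instead."
    Set-DnsServerPrimaryZone -Name $Zone -DynamicUpdate None
}

# 3. Restrict zone transfers to the servers listed in the zone's NS records.
Set-DnsServerPrimaryZone -Name $Zone -SecureSecondaries TransferToZoneNameServer

# 4. Forwarding: send Internet queries to fixed upstream resolvers and do not fall back
#    to root hints, so only those resolvers need outbound port 53 through the perimeter.
Set-DnsServerForwarder -IPAddress $Forwarders -UseRootHint $false -Timeout 3

# 5. Audit: report any remaining primary zone that still accepts unauthenticated updates
#    or sends zone transfers to any requester.
Get-DnsServerZone |
    Where-Object { $_.ZoneType -eq 'Primary' -and -not $_.IsAutoCreated } |
    Where-Object { $_.DynamicUpdate -eq 'NonsecureAndSecure' -or $_.SecureSecondaries -eq 'TransferAnyServer' } |
    Format-Table ZoneName, IsDsIntegrated, DynamicUpdate, SecureSecondaries -AutoSize
```

Run it in an elevated PowerShell session on the DNS server. The audit in step 5 is the check worth keeping: a zone left on TransferAnyServer hands its complete contents to anyone who asks, and NonsecureAndSecure lets any host on the network overwrite records.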
Demonstration: Installing the DNS Server Role

In this demonstration, you will see how to install


the DNS Server role with Server Manager
Lesson 2: Designing the DNS Namespace

• DNS Namespace Scenarios
• Choosing a Namespace Design
• Considerations for Hosting Namespaces
DNS Namespace Scenarios

                      Same namespace   Unique namespace   Subdomain
Public DNS namespace  Contoso.com      Contoso.com        Contoso.com
Internal namespace    contoso.com      contoso.local      corp.contoso.com


Choosing a Namespace Design

Same namespace:
• Internal records should not be available externally
• Records may need to be synchronized between internal
and external DNS
Unique namespace:
• Record synchronization is not required
• Existing DNS infrastructure is unaffected
• Clearly delineates between internal and external DNS
Subdomain:
• Record synchronization is not required
• Contiguous namespace is easy to understand
Considerations for Hosting Namespaces

Option           Description
Complete DNS     • All internal and external DNS are hosted on a single server
                 • Simple deployment
                 • Poses security risks
Split DNS        • External and internal DNS are hosted on separate servers
                 • Internal DNS servers can forward Internet DNS requests
                 • Increased security over complete DNS
Split-split DNS  • External and internal DNS are hosted on separate servers
                 • One external server resolves local records only and the other external server resolves non-local records only
Lesson 3: Designing and Implementing DNS Zones

• Types of DNS Zones
• Location of Zone Data
• Discussion: Designing a DNS Zone Strategy
• Considerations for NetBIOS Name Resolution
• Demonstration: Creating DNS Zones
Types of DNS Zones

Type of zone                  Description
Primary                       Read/write copy of a DNS database
Secondary                     Read-only copy of a DNS database
Stub                          Copy of a zone containing only the records used to locate name servers
Active Directory–integrated   Zone data stored in AD DS rather than in zone files
Location of Zone Data

• Disk
• Used by traditional primary and secondary zones
• Chosen for integration into existing infrastructure
• Does not require server to be a domain controller

• Active Directory
• Used by Active Directory–integrated zones
• Replicates to all domain controllers automatically
• Allows multiple servers to update zone data

• Combination
• Used to integrate with traditional DNS
• Active Directory–integrated zones act as primary zone to
traditional secondary zones
Discussion: Designing a DNS Zone Strategy

[Diagram: Head Office with NWT-DC1, NWT-NS1 and NWT-NS2, connected to Branch Office 1, Branch Office 2, Branch Office 3 and Branch Office 4]
Considerations for NetBIOS Name Resolution

If your organization implements NetBIOS, you can choose one of the following strategies:
• Implement WINS if your organization relies heavily on NetBIOS applications
• Implement a GlobalNames zone (GNZ) in DNS if your organization uses only a few NetBIOS applications
• Combine DNS and WINS to configure clients to use a single name service while still supporting NetBIOS
Demonstration: Creating DNS Zones

In this demonstration, you will see how to:


• Create a primary reverse lookup zone
• Create a new secondary forward lookup zone
Lesson 4: Designing and Configuring DNS Zone Replication and Delegation

• When to Implement Secondary Zones
• Zone Transfers and Replication
• Planning Zone Transfer Security
• Integrating Namespaces
• Demonstration: Configuring Zone Transfers
When to Implement Secondary Zones

Create a secondary zone when you want to:


• Provide zone redundancy
• Reduce DNS network traffic
• Reduce loads on a primary server for a zone
Zone Transfers and Replication

[Diagram: Active Directory–integrated zones replicate with each other through AD DS replication; a traditional primary zone sends zone transfers to a secondary zone]

Zones                              Description
Active Directory–integrated zones  • Perform incremental replication between DNS servers
                                   • Adjust the Active Directory replication schedule
Traditional DNS zones              • Replicate between primary and secondary zones
                                   • Perform an incremental rather than a complete zone transfer
Planning Zone Transfer Security

• Restrict zone transfer to specified servers
• Encrypt zone transfer traffic
• Consider using Active Directory–integrated zones

[Diagram: zone transfer from a primary zone to a secondary zone]
Integrating Namespaces

[Diagram: DNS hierarchy from the root (.) servers to the com domain, then to Contoso.com and Microsoft, with Training.contoso.com and Sales.contoso.com delegated below Contoso.com]
Demonstration: Configuring Zone Transfers

In this demonstration, you will see how to:


• Enable zone transfers on a zone
• Perform a zone transfer
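The following PowerShell script is an added example, not part of the course material, that carries out both demonstrations of Lessons 3 and 4 in one pass: it creates a primary forward zone and a primary reverse lookup zone on NWT-NS1, restricts zone transfers to NWT-NS2, creates the matching secondary zones on NWT-NS2, triggers a transfer and checks that both servers hold the same SOA serial. NWT-NS1 and NWT-NS2 are the server names from the course diagrams; the IP addresses, the zone name sales.contoso.com and the sample records are assumptions.

```powershell
# Added example (not from the course): primary zones on NWT-NS1, a restricted zone
# transfer to a secondary on NWT-NS2, and a serial-number check. Addresses, the zone
# name and the sample records are assumptions for illustration.
Import-Module DnsServer

$Primary     = 'NWT-NS1'; $PrimaryIP   = '10.0.0.10'     # assumed
$Secondary   = 'NWT-NS2'; $SecondaryIP = '10.0.0.11'     # assumed
$Zone        = 'sales.contoso.com'                       # assumed file-backed zone
$Subnet      = '10.0.0.0/24'                             # assumed
$ReverseZone = '0.0.10.in-addr.arpa'                     # name Windows derives from $Subnet

# --- NWT-NS1: primary forward and reverse lookup zones (Lesson 3 demonstration) ---
# -ZoneFile creates a file-backed primary; on a domain controller use -ReplicationScope
# Domain or Forest instead to store the zone in AD DS.
Add-DnsServerPrimaryZone -ComputerName $Primary -Name $Zone -ZoneFile "$Zone.dns" -DynamicUpdate None
Add-DnsServerPrimaryZone -ComputerName $Primary -NetworkId $Subnet -ZoneFile "$ReverseZone.dns" -DynamicUpdate None

# A sample host record and its PTR so the transfer below carries some data.
Add-DnsServerResourceRecordA   -ComputerName $Primary -ZoneName $Zone -Name 'web01' -IPv4Address '10.0.0.50'
Add-DnsServerResourceRecordPtr -ComputerName $Primary -ZoneName $ReverseZone -Name '50' -PtrDomainName "web01.$Zone"

# --- NWT-NS1: allow transfers only to NWT-NS2 and notify it on change (Lesson 4) ---
foreach ($name in $Zone, $ReverseZone) {
    Set-DnsServerPrimaryZone -ComputerName $Primary -Name $name `
        -SecureSecondaries TransferToSecureServers -SecondaryServers $SecondaryIP `
        -Notify NotifyServers -NotifyServers $SecondaryIP
}

# --- NWT-NS2: secondary copies that pull from NWT-NS1 ---
Add-DnsServerSecondaryZone -ComputerName $Secondary -Name $Zone -ZoneFile "$Zone.dns" -MasterServers $PrimaryIP
Add-DnsServerSecondaryZone -ComputerName $Secondary -NetworkId $Subnet -ZoneFile "$ReverseZone.dns" -MasterServers $PrimaryIP

# --- Perform a full transfer and verify both servers hold the same SOA serial ---
Start-DnsServerZoneTransfer -ComputerName $Secondary -Name $Zone -FullTransfer
Start-Sleep -Seconds 10   # the transfer runs asynchronously

$serialP = (Get-DnsServerResourceRecord -ComputerName $Primary   -ZoneName $Zone -RRType Soa).RecordData.SerialNumber
$serialS = (Get-DnsServerResourceRecord -ComputerName $Secondary -ZoneName $Zone -RRType Soa).RecordData.SerialNumber
if ($serialP -eq $serialS) {
    "Zone $Zone is in sync on both servers (serial $serialP)"
} else {
    Write-Warning "Zone transfer failed or is incomplete: primary serial $serialP, secondary serial $serialS"
}
```

To confirm the restriction is effective, run nslookup from a host that is not in the SecondaryServers list, point it at NWT-NS1 and issue ls -d sales.contoso.com; the request should be refused. Note that the zone settings do nothing for the "encrypt zone transfer traffic" item in this lesson: AXFR and IXFR travel in plaintext over TCP, so encryption has to come from the transport (for example IPsec between the two servers) or from using Active Directory–integrated zones, whose replication goes over authenticated AD DS replication instead of zone transfers.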
Lesson 5: Optimizing DNS Servers

• Optimizing DNS Recursion
• Optimizing DNS Root Hints
• Optimizing DNS Server Responsiveness
• Optimizing DNS Server Functionality
• Optimizing Active Directory-Integrated Zones
• Discussion: DNS Performance Optimization
Optimizing DNS Recursion

Disable recursion on servers that should answer only for the zones they host, such as an Internet-facing authoritative server or a server that acts only as a failover for another DNS server:
• Benefit. You reduce the load on the DNS server, and it cannot be used as an open resolver
• Consequence. The server will not resolve names outside the zones for which it is authoritative
Optimizing DNS Root Hints

• Delete root hints on servers that do not need to communicate with DNS servers that are authoritative for the root domain
• Modify root hints if the root domain is internal
• Update root hints when DNS servers that are authoritative for the root domain change

Note: If you delete the root hints file, you should configure servers to forward requests to another server that has a root hints file
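The following PowerShell script is an added example, not part of the course material, that applies the two preceding slides to a perimeter server: it turns NWT-PER-NS1 (the perimeter server name from the course diagrams) into an authoritative-only server with recursion disabled, no forwarders and no root hints, and then shows the consequence from a client's point of view. The server address and the zone name contoso.com are assumptions.

```powershell
# Added example (not from the course): configuring NWT-PER-NS1 as an authoritative-only
# perimeter server. The address and zone name are assumptions for illustration.
Import-Module DnsServer

$Server   = 'NWT-PER-NS1'
$ServerIP = '203.0.113.53'     # assumed (RFC 5737 example range)
$Zone     = 'contoso.com'      # assumed externally published zone

# 1. Recursion off: the server answers only from the zones it hosts and refuses to look
#    anything else up on a client's behalf, so it cannot be used as an open resolver.
#    On Windows this also disables the use of forwarders on the same server.
Set-DnsServerRecursion -ComputerName $Server -Enable $false

# 2. Remove any forwarders; a non-recursive server has no use for them.
(Get-DnsServerForwarder -ComputerName $Server).IPAddress |
    ForEach-Object { Remove-DnsServerForwarder -ComputerName $Server -IPAddress $_ -Force }

# 3. Delete the root hints. Per the note above, do this only on a server that never needs
#    the root servers; an internal resolver that loses its root hints must be configured
#    to forward to a server that still has them.
Get-DnsServerRootHint -ComputerName $Server | Remove-DnsServerRootHint -ComputerName $Server -Force

# 4. Check the resulting behaviour: a name in the hosted zone resolves, anything else does not.
$own   = Resolve-DnsName -Name "www.$Zone" -Server $ServerIP -DnsOnly -ErrorAction SilentlyContinue
$other = Resolve-DnsName -Name 'www.example.net' -Server $ServerIP -DnsOnly -ErrorAction SilentlyContinue

"Own zone   : " + $(if ($own)   { ($own | Where-Object Type -eq 'A').IPAddress -join ', ' } else { 'no answer (record missing?)' })
"Other zone : " + $(if ($other) { 'RESOLVED (recursion is still enabled!)' } else { 'refused, as intended' })
```

The final two lines are the test to keep in a runbook: an Internet-facing server that still answers for www.example.net is both a performance problem and a cache-poisoning target. Apply the opposite pattern to an internal caching-only server: leave recursion on, keep or delete root hints, and set forwarders with Set-DnsServerForwarder as the note above requires.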
Optimizing DNS Server Responsiveness

To improve DNS server response time:
• Install sufficient memory to cache all DNS zones in memory
• Disable local subnet prioritization
  • Local subnet prioritization arranges the query response so that records closest to the client subnet are listed first
• Disable round-robin rotation
  • Round-robin is used when multiple records match a request
  • It rotates the order of responses for load-balancing
Optimizing DNS Server Functionality

• To optimize zone transfer:
  • Adjust the zone transfer interval to match how often your DNS data changes
  • Lengthen the interval if more frequent updates are not required
  • Use incremental zone transfers

• To reduce network traffic:
  • Use caching-only servers if you have a slow WAN link
  • Configure caching-only servers to perform recursive queries
Optimizing Active Directory-Integrated Zones

• Select an appropriate application partition:
  • ForestDNSZones replicates to all DNS servers that are domain controllers in the forest
  • The _msdcs subdomain is in ForestDNSZones by default
  • DomainDNSZones replicates only to DNS servers that are domain controllers in the domain
• To optimize Active Directory–integrated zones:
  • Optimize Active Directory performance
  • Use Active Directory sites
  • Place logs and the Active Directory database on dedicated disk partitions
Discussion: DNS Performance Optimization

[Diagram: Head Office with NWT-DC1, NWT-NS1 and NWT-NS2; Perimeter with NWT-PER-NS1 and NWT-PER-NS2; Branch Office 1; Branch Office 2 with NWT-BR-DC2]
Lesson 6: Designing DNS for High Availability and Security

• Best Practices for Making DNS Highly Available
• How to Use Network Load Balancing for Providing Availability of DNS
• Discussion: Guidelines for Designing the Availability of DNS
• Common DNS Security Attacks
• Selecting a DNS Security Strategy
• Selecting Additional Security Settings
• Discussion: Guidelines for Designing DNS Security
Best Practices for Making DNS Highly Available

To make DNS highly available:


• Have at least two DNS servers authoritative for
each zone
• Place DNS servers in separate subnets and/or
physical locations
• Locate at least one DNS server in each AD DS
site
• Configure clients with two DNS servers
How to Use Network Load Balancing for
Providing Availability of DNS

Network Load Balancing:


• Provides availability and scalability for DNS
resolution
• Requires all DNS servers to be on the same subnet
• Does not protect against failed network links
• Is suitable for a centralized implementation of
DNS
Discussion: Guidelines for Designing the Availability of DNS

[Diagram: Head Office with NWT-DC1, NWT-NS1 and NWT-NS2, connected to Branch Office 1, Branch Office 2, Branch Office 3 and Branch Office 4]

Common DNS Security Attacks

DNS attack          Description
Footprinting        • Building a diagram of the DNS infrastructure by capturing data such as computer names and IP addresses
Denial-of-service   • Flooding a DNS server with queries to make it unavailable for normal use
Data modification   • Falsifying records in DNS to impersonate servers or redirect email messages
Redirection         • Supplying false responses to a DNS server's external queries to corrupt its cache with false information (cache poisoning)
Selecting a DNS Security Strategy

Security level   Description
Low              • Default configuration
                 • Use when there is no concern about DNS data
                 • Typically used when there is no external connectivity
Medium           • Disables dynamic update and limits zone transfers
                 • Available without running on domain controllers
                 • Internet resolution is performed through a proxy
High             • Includes medium-level security measures
                 • Must run on domain controllers to use Active Directory–integrated zones and secure dynamic updates
Selecting Additional Security Settings

You can enable and configure the following security features:
• Global query block list
• DNS security extensions (DNSSEC)
• DNS cache-locking
• DNS socket pool
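The following PowerShell script is an added example, not part of the course material, that enables all four features above on a Windows Server 2012 DNS server and then reads the settings back. The zone name corp.contoso.com and the export folder are assumptions.

```powershell
# Added example (not from the course): enabling the four security features listed above.
# The zone name and export folder are assumptions for illustration.
Import-Module DnsServer

$Zone    = 'corp.contoso.com'   # assumed AD DS-integrated zone
$KeyPath = 'C:\DnsSecExport'    # assumed folder for the exported DS records

# 1. Global query block list: the server refuses to answer for these names even if a
#    client registers them through dynamic update. This blocks a host from registering
#    "wpad" and becoming every browser's proxy. -List replaces the existing list.
Set-DnsServerGlobalQueryBlockList -Enable $true -List 'wpad', 'isatap'

# 2. Cache locking: a cached record cannot be overwritten until 100% of its TTL has
#    elapsed, so a spoofed answer arriving while a valid one is cached is ignored.
Set-DnsServerCache -LockingPercent 100

# 3. Socket pool: the number of UDP sockets (and so source ports) that outbound queries
#    are spread across at random. 2500 is the default, 10000 the maximum; dnscmd exposes
#    this server-wide setting directly.
dnscmd /Config /SocketPoolSize 10000

# 4. DNSSEC: sign the zone with the default key and NSEC3 parameters, then list the
#    DNSKEY records that resolvers will use to validate it.
Invoke-DnsServerZoneSign -ZoneName $Zone -SignWithDefault -Force
Get-DnsServerResourceRecord -ZoneName $Zone -RRType DnsKey | Format-Table HostName, RecordData -AutoSize

# Export the DS records for the parent zone's operator. Until the parent publishes them,
# or resolvers hold a trust anchor for this zone, nobody validates the signatures.
New-Item -ItemType Directory -Path $KeyPath -Force | Out-Null
Export-DnsServerDnsSecPublicKey -ZoneName $Zone -Path $KeyPath -DigestType Sha256 -DsRecord -Force

# 5. Read the resulting state back.
Get-DnsServerGlobalQueryBlockList
"Cache locking: {0}%" -f (Get-DnsServerCache).LockingPercent
dnscmd /Info /SocketPoolSize
"Zone {0} signed: {1}" -f $Zone, (Get-DnsServerZone -Name $Zone).IsSigned
```

Two caveats a practitioner will want: cache locking and the socket pool protect the server's own cache and are therefore relevant on recursive resolvers, not on the non-recursive perimeter servers of Lesson 5; and signing a zone only produces signatures, so the clients (through the Name Resolution Policy Table) or the resolvers must be configured to require validation before DNSSEC changes anything about what a spoofed answer can do.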
Discussion: Guidelines for Designing DNS Security

[Diagram: Head Office with NWT-DC1, NWT-NS1 and NWT-NS2; Perimeter with NWT-PER-NS1 and NWT-PER-NS2; Branch Office 1 with NWT-BR-NS1; Branch Office 2 with NWT-BR-DC2]
Lab: Designing and Implementing Name Resolution

• Exercise 1: Designing a DNS Name Resolution Strategy
• Exercise 2: Planning a DNS Server Placement Strategy
• Exercise 3: Planning DNS Zones and DNS Zone Replication
• Exercise 4: Implementing DNS
Logon Information
Virtual machines: 20413A-LON-DC1
20413A-LON-SVR1
User name: Adatum\Administrator
Password: Pa$$w0rd
Estimated Time: 90 minutes
Lab Scenario

A. Datum Corporation has experienced rapid


growth, and the migration to Windows Server
2012 provides an ideal opportunity to validate,
and where necessary, redesign and reconfigure
the DNS infrastructure. As part of this process, you
have been asked to review the DNS infrastructure
in Contoso, Ltd, a current partner and imminent
acquisition. You must examine, and where
necessary, suggest changes to the DNS design.  
Lab Scenario (continued)

The following tables provide some additional information about the various network locations at Contoso.

Regional Hubs and Head Office
Location           Function                                                                         Characteristics
Paris, France      Head office. Planned role is sales, marketing, and distribution center for Europe  Current employees: 1,800 (Planned employees: 4,700)
Rome, Italy        Regional hub office                                                              Employees: 250
Barcelona, Spain   Regional hub office                                                              Employees: 200
Munich, Germany    Regional hub office                                                              Employees: 200
Athens, Greece     Regional hub office                                                              Employees: 200
Lab Scenario (continued)

Regional Branches and Distribution Centers
Location   Number of servers   Number of users (total across all branches)   Branches
Germany    1 at each branch    100                                           3
Spain      1 at each branch    250                                           5
Italy      1 at each branch    250                                           5
Greece     1 at each branch    75                                            2
Lab Review

• What was your approach to the DNS design


exercises?
• Did your design differ from the suggested
solution?
Module Review and Takeaways

• Review Question(s)
