
Course Transcript

Microsoft Windows Server 2012 R2 - Configuring Advanced Services: DHCP & DNS

Configuring Advanced DHCP Settings
1. Advanced DHCP Features in Windows Server 2012 R2
2. Windows Server 2012 R2 Highly Available DHCP

Configuring Advanced DNS Settings
1. Managing and Optimizing DNS in Windows Server 2012 R2
2. Securing DNS with Windows Server 2012 R2

IP Address Management – IPAM
1. Windows Server 2012 R2 IPAM Overview
2. Windows Server 2012 R2 IPAM
3. Advanced DHCP and DNS Configurations

Advanced DHCP Features in Windows Server 2012 R2
Learning Objective
After completing this topic, you should be able to
◾ identify DHCP features and their uses

1. Meet your instructor


Microsoft Windows Server 2012 R2 - Configuring Advanced Services: DHCP & DNS

[Welcome to Microsoft Windows Server 2012 R2 - Configuring Advanced Services: DHCP &
DNS.]

Hi! My name is Jason Gates and I am a Microsoft Certified Trainer, or MCT. In this course, we
are going to take a look at some of the important infrastructure services. Now you probably are
familiar with most of these: Dynamic Host Configuration Protocol, or DHCP, and DNS. But we
are going to take another look at these and talk about them from, kind of, an advanced point of
view. For instance, with DHCP we are going to talk about some of the advanced scope options
like multicast scopes and how that integrates with multicast applications like Windows
Deployment Services, or WDS. We will also talk about superscopes and how to provide fault
tolerance and load balancing. We will also look at how DHCP integrates with DNS and then we
will take a look at some of the advanced features around DNS.

In particular, we are going to pay attention to the way we secure and protect DNS. With DNS
security features and advanced server options, we will also talk about DNS Security
Extensions, or DNSSEC. The last thing we are going to talk about is how to manage both of
these in a centralized administrative model. We are going to take a look at IP Address
Management, or IPAM, in Windows Server 2012 R2. So there is a lot to work through, let's get started.

[The goal of the course is to understand how to configure advanced features for DHCP, DNS,
and IPAM.]

2. DHCP and DNS


Dynamic registration means someone other than you creates the all-important records in the
DNS. Now these records are important because they include the address records and we are
talking about the pointer, or PTR, records. Now often the client can register these records
itself; but to improve security, administrators can limit who actually performs the dynamic
updates. For instance, they can limit it to only authorized Dynamic Host Configuration Protocol,
or DHCP, servers. Now the way that this works is, after a client receives an IP address from a
DHCP server, that DHCP server then turns around and registers one record or both, the address
record and the PTR record, automatically on behalf of the client into DNS, kind of like, when you
go and register at a hotel at the same time when you buy an airplane ticket, a two for one kind
of deal.
This is how you configure your DHCP server to interact with DNS. You will find these settings
on the Properties of the scope. And with a couple of checkmarks, you can enable your DHCP
server to update the pointer record or both the pointer record and the address record into DNS
on behalf of your DHCP clients. Now when you do this, you must also use an additional DHCP
option and this is called the client fully qualified domain name, or FQDN, option or option 81.
Now option 81 includes the client's FQDN. It also helps the client notify DHCP that it needs
record registration. Now Windows Server 2012 R2 adds a little bit more excitement to this
because it allows you to create DHCP policies based on your client's FQDN and option 81. In
other words, administrators have a little bit more control of DNS registration for devices on
their network including those devices that are part of a workgroup or guest devices.

Now the final thing I want to say here is if you install DHCP on a domain controller, or DC, it
may not perform DNS registrations as you might expect. That is because it doesn't use its
service account to register the records; because it is on a DC, that service account would be
the computer account and there are some potential security issues with that. So what ends up
happening is it stops setting option 81 and well, the clients are left to configure
themselves despite what you actually configure here. So to fix that problem all you need to do
is go to the Properties here of your scope, go to the Advanced tab and provide some
additional credentials, a user account that the DHCP servers can use to perform these
registrations.

[The scope properties dialog box includes General, DNS, Network Access Protection, and
Advanced tabs of which the DNS tabbed page is open. The DNS tabbed page is used for
setting the DHCP server to automatically update authoritative DNS servers with the host and
pointer records of DHCP clients. This page includes the "Enable DNS dynamic updates
according to the settings below:" and "Discard A and PTR records when lease is deleted"
checkboxes, which are selected. It also includes "Dynamically update DNS A and PTR records
only if requested by the DHCP clients" radio button, which is also selected and "Configure",
"OK", and "Cancel" buttons.]

3. Advanced scope types


Now most of you already know what a scope is. Basically a scope is an address pool, which
allows DHCP to reach in, select an address, and pass it out to a client. Now your most basic
scope is an Internet Protocol version 4, or IPv4, scope. And not only does it pass out an IP
address, but it also might pass out the location of a router or a DNS server. There are also
these advanced scopes. Take the superscope here, for example. A superscope is a team of
scopes with different subnet addresses; different subnet addresses, did you catch that? We
are not talking about different scopes with different ranges on the same network, the console
wouldn't even let you do that actually. The idea here is, these are independent scopes for
different networks that have been teamed up into this superscope.

So here is what happens. When a client requests an IP address and it is connected to the
superscope, they will get an address from one of the scopes, rather random like. That means
clients on the same piece of wire could actually be configured as if they are on separate
networks. Now normally this would be a problem but if your router supports multinetting, it can
route those packets over a single interface. And you might ask yourself why would you ever
need a superscope? Well I have always looked at these as kind of something to avoid, the
result of poor planning even. But if you happen to merge a couple of networks together and
you don't want to re-IP everything, you could yoke your scopes together and make it super
provided you have the routing, of course, to support it.

As most of you know there are three types of IP traffic. There is the unicast, which is one-to-
one, then you have got your broadcast, which is one-to-everyone, and then the multicast,
which is one-to-many. Now multicast is less consuming on the network typically than a
broadcast and it can be sent across different routers through different networks like a unicast.
It is ideal for certain types of applications that want to send a single packet to many, many
hosts; applications like video applications and telephony applications.

Another good example is WDS here, Windows Deployment Services because it is sending out
packets for operating system installation to multiple hosts. Now what has this got to do with
DHCP? Well in WDS, you have two options for multicast configuration...multicast addressing
configuration. You can either tell WDS to actually pass out the addresses itself and you
provide it a range or you can tell WDS to go talk to DHCP. So in DHCP, you can create
multicast scopes that include an address range for these different multicast applications like
WDS and to provide basically an address pool for operating system installation.

4. DHCP and IPv6


Now the whole idea behind DHCP is to make life easier, in that DHCP automatically passes
out IP addresses and all the other IP configuration settings automatically. Now with the advent
of IP version 6 we now have a much larger number, so you might think DHCP is even more
important than ever. But actually, you don't need DHCP to configure Internet Protocol version
6, or IPv6, addresses. That is because many implementers of IPv6 rely on what is called
stateless address autoconfiguration. And that essentially relies on self-assigned addresses
and router solicitations. Basically, the router can provide the additional address. Now this
works great but an administrator might want to provide additional settings to its clients using
DHCP, and you can do this by creating a Dynamic Host Configuration Protocol for IPv6, or
DHCPv6, scope in Windows Server with the different settings you need. Then what you do is
you go to your router and configure the router with what is called the O flag or Other Stateful
Configuration flag.

This tells the clients to retrieve their settings from the DHCP server but retrieve their address from
the router. Now you don't have to do it this way. You could resort to a DHCP configuration with
version 6 that is 100% stateful, not stateless, meaning your DHCPv6 scope provides both the
address and the configuration settings. Now to do this, you configure your DHCPv6 scope but
you also need to configure your router advertisements to include stateful configuration. And
that means configuring that O flag but it also means another flag called the M flag, that is M for
Managed Address flag. Now with both of those flags raised in your router advertisements, it
will tell the client to retrieve both its address and its configuration settings from a DHCPv6
server, just like it did with IP version 4.

Building a scope in DHCP for IPv6 or a DHCPv6 scope, well, it is a little different than when
you created a scope for IP version 4. Many of the differences can be found based on the
actual IPv6 address structure itself. First of all, you create this thing called a prefix, which is
associated with an IPv6 address. There is no subnet mask because v6 addresses are split
right down the middle. You have 64 bits for the network portion and 64 bits for the host. You
also have a preference configuration in your DHCPv6 scope and that is used if you have
multiple DHCP servers. Then like in IPv4 scope, you can also exclude addresses and when
you do that keep in mind you need to exclude the IPv6 address of the DHCP server itself,
which is most likely going to be static.

Now another configuration you will need to enable are these things called lifetimes. And I think
of them as the renewal times in IPv4, and it has to do with how long a client can keep a v6
address from DHCP before it is no longer valid. So you have got this valid lifetime value that is
really kind of the doomsday clock meaning if that expires, then the client will stop actually
using that address. And then lastly, you have your additional options just like v4, so you can
configure things like the DNS server and so forth.
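Here is how the DHCPv6 scope just described (prefix, preference, exclusion for the server's own static address, lifetimes, and options) looks when built with the DhcpServer PowerShell module that ships with Windows Server 2012 R2. This is an added example, not material from the course; the prefix (from the 2001:db8::/32 documentation range), the lifetimes, the DNS address and the interface alias are constructed, and the router-side step assumes the router is itself a Windows Server.

```powershell
# Added example (not from the course transcript): build a DHCPv6 scope with the
# DhcpServer module and show the M/O router-advertisement flags on a Windows
# router. Prefix, lifetimes, DNS address and 'LAN' alias are constructed.

$Dhcp   = 'dc1.corp.brocadero.com'   # DHCP server from the demo environment
$Prefix = '2001:db8:7::'             # 64-bit network portion; no subnet mask in v6

# The scope: prefix plus a preference (used by clients when several DHCPv6
# servers answer) and the two lifetimes. The valid lifetime is the "doomsday
# clock": once it expires the client stops using the address entirely.
Add-DhcpServerv6Scope -ComputerName $Dhcp -Prefix $Prefix -Name 'BRANCH1-v6' `
    -Preference 10 `
    -PreferredLifeTime (New-TimeSpan -Days 8) `
    -ValidLifeTime (New-TimeSpan -Days 12) `
    -State Active

# Exclude the DHCP server's own static IPv6 address (and a small block around
# it for other static hosts) so the pool never hands it out.
Add-DhcpServerv6ExclusionRange -ComputerName $Dhcp -Prefix $Prefix `
    -StartRange '2001:db8:7::1' -EndRange '2001:db8:7::ff'

# Options the clients cannot learn from router advertisements alone: the DNS
# server and search list, i.e. the "other" configuration the O flag points to.
Set-DhcpServerv6OptionValue -ComputerName $Dhcp -Prefix $Prefix `
    -DnsServer '2001:db8:7::1' -DomainSearchList 'corp.brocadero.com'

# Router side (assumption: a Windows Server with IPv6 forwarding is the router;
# a hardware router exposes the same flags in its RA configuration).
#   O flag only  = SLAAC address from the router, settings from DHCPv6
#   M + O flags  = fully stateful: address and settings both from DHCPv6
Set-NetIPInterface -InterfaceAlias 'LAN' -AddressFamily IPv6 `
    -Advertising Enabled `
    -ManagedAddressConfiguration Enabled `
    -OtherStatefulConfiguration Enabled

# Confirm the scope, lifetimes and preference the server will advertise.
Get-DhcpServerv6Scope -ComputerName $Dhcp -Prefix $Prefix | Format-List
```

Run it from an elevated session on a box with the DHCP management tools installed; for the stateless variant described first, drop the ManagedAddressConfiguration line so only the O flag is raised.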

5. DHCP name protection


Let's talk now about Name Protection. Now Name Protection guards your local universe from
any alien systems trying to perform name abduction. Now by alien systems I mean non-
Windows devices and by name abduction I mean systems who attempt to overwrite existing
DNS registrations. Now this can occur by accident or it could be malicious. Either way it can be
an annoyance. Now because DHCP is already configured to perform name registration in DNS
on behalf of its clients, it can also turn around and perform a name check to see if a name is
already in use by a Windows system.

So if an alien system like a Linux system or something like that comes into the network and
tries to use the same name as an existing Windows system, Name Protection will prevent that
DNS registration from being overwritten. Now the way it works is it uses an additional record in
DNS to do this. It is called the DHCID resource record. Now this is stored in DNS like any
other resource record except it is used by DHCP to determine if a name has already been
assigned. Now you configure Name Protection in DHCP, not DNS, and there are actually two
places to do this. You can go to the DNS tab that is found on the Properties of the
IP nodes or go to the DNS tab from the Properties of the scope.

[The Name Protection dialog box includes "Enable Name Protection" checkbox and "OK" and
"Cancel" buttons.]
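The DNS registration settings, the credentials for a DHCP server that sits on a domain controller, the option 81 FQDN policy and Name Protection from the two sections above can all be set from PowerShell as well. This is an added example, not code from the course; the scope ID, the service account name, the policy name and the guest DNS suffix are assumptions, and the condition string for -Fqdn follows the operator,value form the cmdlet documents.

```powershell
# Added example (not part of the course transcript): DHCP-driven DNS
# registration, Name Protection, DC credentials and an FQDN policy using the
# DhcpServer module of Windows Server 2012 R2.

$Dhcp    = 'dc1.corp.brocadero.com'   # DHCP server that is also a DC (per the transcript)
$ScopeId = '10.0.1.0'                 # constructed head-office scope ID (not shown on the page)

# 1. Server-wide dynamic update behaviour: register A and PTR only when the
#    client asks (option 81), discard both records when the lease is deleted,
#    register for older clients that cannot send option 81, and enable Name
#    Protection so a non-Windows host cannot overwrite an existing name
#    (the DHCID record is written alongside the A record).
Set-DhcpServerv4DnsSetting -ComputerName $Dhcp `
    -DynamicUpdates OnClientRequest `
    -DeleteDnsRROnLeaseExpiry $true `
    -UpdateDnsRRForOlderClients $true `
    -NameProtection $true

# 2. DHCP on a DC: give it a dedicated, low-privilege account for the
#    registrations instead of the DC's computer account. The account name is
#    an assumption for this example; the password is prompted, never stored here.
$Cred = Get-Credential -UserName 'CORP\svc-dhcp-dns' -Message 'DHCP dynamic DNS update account'
Set-DhcpServerDnsCredential -ComputerName $Dhcp -Credential $Cred

# 3. 2012 R2 policy keyed on the client FQDN carried in option 81: guest devices
#    whose name falls under the guest suffix get A records only (no PTR) so they
#    do not pollute the reverse zone. Suffix and policy name are assumptions.
Add-DhcpServerv4Policy -ComputerName $Dhcp -ScopeId $ScopeId `
    -Name 'Guest-FQDN' -Condition OR -Fqdn 'EQ,*.guest.corp.brocadero.com'
Set-DhcpServerv4DnsSetting -ComputerName $Dhcp -ScopeId $ScopeId -PolicyName 'Guest-FQDN' `
    -DynamicUpdates Always -DisableDnsPtrRRUpdate $true

# 4. Verify what is actually in effect before trusting it.
Get-DhcpServerv4DnsSetting -ComputerName $Dhcp | Format-List
Get-DhcpServerv4DnsSetting -ComputerName $Dhcp -ScopeId $ScopeId -PolicyName 'Guest-FQDN' | Format-List
Get-DhcpServerDnsCredential -ComputerName $Dhcp
```

Scope-level settings (add -ScopeId without -PolicyName) override the server-level ones, so check both when a client's record is not appearing as expected.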
Windows Server 2012 R2 Highly Available DHCP
Learning Objective
After completing this topic, you should be able to
◾ recognize the characteristics of DHCP failover modes

1. DHCP failover and split scopes


Dynamic Host Configuration Protocol, or DHCP, in most organizations is a critical service
because it passes out those very important IP addresses and we often expect that it provides
those addresses to any authorized client at any time. But that isn't always going to be the case
if your DHCP server is not highly available because stuff happens, right? Motherboards need
to be switched out; patches, reboots, maybe disasters. So how do you protect DHCP and
make it always available? Well in the past, you might put them in a failover cluster but the
problem with that approach is complexity in things like shared storage. Another approach you
could take is split scopes. Split scopes are nice but they don't protect the existing IP address
assignments or the entire scope. 2012 gives us a fresh approach with what is
called DHCP failover, and that is because DHCP servers running Windows Server 2012 can
be arranged into failover relationships. So if one fails, the other one can take over the entire
scope and this creates high availability.

Now there are two types of relationships. You can create a load-balancing relationship, which
is active/active or you can create a hot standby relationship, which is active/passive. Now the
difference between these two is really in the details, but both of them have this in common; if
one of those DHCP servers goes down and whether that is planned or unplanned, the other
server can continue to serve new and existing clients. This is because they actually
synchronize the DHCP database between them. So DHCP failover gives you high availability
without requiring clustering services or additional hardware or software and it is part of every
edition of Windows Server. So what you get is, you get low cost high availability for one of your
core infrastructure services.

Now if you have a mix of servers, that is, you have some older Windows servers like 2008,
2008 R2 and you have some newer servers, well you are not going to be able to take
advantage of the new DHCP failover mechanism but you can still use split scopes. Now split
scopes are limited in their capability but they can still provide a degree of load balancing and
failover, especially if you have a generous pool of IP addresses. Now split scopes don't provide
intelligent relationships between the servers; but what you do is you split the responsibility of
your address pool among the different servers.

And a typical way to do this is to carve it up where the server that is in closest proximity to the
clients has the majority of the actual addresses. So it has 80% of the scope and it is going to
be the one that will respond typically first to the clients. But then you have another server
typically on the other side of a router, it can be kind of the overflow server and it has 20% to
30% of the actual scope. Now splitting the scope like this will provide some redundancy. But if
you have a short supply of addresses and your scopes are kind of exhausted, well then your
clients will discover, kind of, a slow network and it might be unforgiving, so you also need to
plan accordingly.

2. Demo: Configuring DHCP failover


In this demonstration, I want to show you DHCP failover in Windows Server 2012. Now I
currently only have one DHCP server in this office but I have another great candidate in this
other domain controller right here. So to begin I am going to actually add the DHCP role to this
other server - couple of quick clicks here through Server Manager; and once this is finished, I
will show you how easy it is to configure the failover relationships. Okay, I finished installing
DHCP on DC14. Now what I want to do is configure failover. So I am going to right-click on
DC1 and open up DHCP Manager, and we will expand this here, give myself a little room,
expand DC1 and you can see that I have one active scope, I have a pool of about a 100
addresses with just a handful of Address Leases. So I want to configure DHCP failover
between DC1 and DC14. So I am going to right-click here, this top node and Configure
Failover. Now this gives me a short wizard, Available scopes are listed there and my Partner
Server..., so this is where I want to indicate DC14 so I can choose from among a list of
authorized DHCP servers, and then this brings me to my failover relationship page.

[Server Manager in Windows Server 2012 R2 is open, which includes Dashboard, Local
Server, All Servers, AD DS, DHCP, DNS, and "File and Storage Services" tabs. The "DHCP"
tab is already selected, which displays the DHCP tabbed page. The instructor clicks the "AD
DS" tab and the AD DS tabbed page is displayed. This page includes a Search box and
"TASKS" drop-down list. It also includes Server Name, IPv4 Address, Manageability, and Last
Update columns and two rows. Then the instructor right-clicks the second row and selects
"Add Roles and Features" and the "Add Roles and Features" page is displayed. On this page,
the instructor clicks Next. Then the instructor clicks Next, Next, and then selects the "DHCP
Server" option and a dialog box is displayed. This dialog box includes "Include management
tools (if applicable)" option, which is already selected and Add Features and Cancel buttons.
The instructor clicks "Add Features" button and then clicks Next, Next, and Next again. Then
the instructor clicks Install and the Installation progress page is displayed. Once the installation
finishes, it gets back to the DHCP tabbed page. On this page, the instructor right clicks on the
first row and selects DHCP Manager and the DHCP Manager window is displayed. This
window includes File, Action, View, and Help menu. It also includes DC1.corp.brocadero.com
node. This node includes IPv4 and IPv6 nodes. The IPv4 node includes Scope, Server
Options, Policies, and Filters folders. The Scope folder includes Address Pool, Address
Leases, Reservations, Scope Options, and Policies sub folders. The instructor clicks "Address
Pool" sub folder and the Start IP Address is displayed for which an End IP Address and
Description is mentioned. Then the instructor clicks the Address Leases sub folder and the
client IP addresses is displayed each of which contain a name, lease expiration, and type.
Then the instructor right-clicks the IPv4 node and selects Configure Failover and the Configure
Failover wizard is displayed. On this wizard, the instructor clicks Next, then clears the "Reuse
existing failover relationships configured with this server (if any exist)" option, and then clicks
"Add Server" button and the Add Server dialog box is displayed. This dialog box includes "This
server" and "This authorized DHCP server" options of which "This server" option is selected by
default. Below "This authorized DHCP server" option a list of IP addresses is displayed each of
which contain a name. The instructor selects "This authorized DHCP server" option and
selects "dc14.corp.brocadero.com" name from this list and clicks OK and the name is
displayed in the Partner Server drop-down list. Then the instructor clicks Next and the Create a
new failover relationship page of the Configure Failover wizard is displayed.]

So there are a couple of settings here I want to bring to your attention. First of all, I can configure
the Mode. What type of failover relationship do I want to enable? I can choose the active/active
or load-balancing mode or I can choose the active/passive, which is the Hot standby mode.
Because both of these servers DC1 and DC14 are in the same site and same location, I want
to use the load-balancing mode. Now the way that that works is, both DC1 and DC14 are
going to calculate incoming requests. So as a client makes a request they, of course, have a
Medium Access Control, or MAC, address and the DHCP servers perform what is called a hash
bucket algorithm against the MAC address; and they determine between each other which one
will actually take that role based on the results of the algorithm. So they have predetermined
that though, you know, one of them will take the first half of the results and the other one will
take the second half. And I say half because that is based on the default Load Balance
Percentage. If I want to skew or weight the responses, so I want, for
instance, this server to handle maybe 60%, I can do that and that will yield a different result in
terms of the algorithm so that this Local Server here, DC1, will handle the majority of the client
requests.

[The Create a new failover relationship page of the Configure Failover wizard is open. This
page includes Relationship Name textbox in which .corp.brocader.com-
dc14.corp.brocadero.com is entered. It also includes Maximum Client Lead Time, which
displays hours and minutes drop-down lists in which 1 and 0 is selected by default. It also
includes Mode drop-down list, which consist of Load balance and Hot standby options of which
Load balance is selected by default. Further the page includes Local Server and Partner
Server drop-down lists in which 50 and 50 is selected by default. The instructor deletes the
value in the Local Server drop-down list and enters 60, which changes the value in the Partner
Server drop-down list from 50% to 40%.]

Now another thing I want to bring to your attention has to do with the intervals here. There is a
communication protocol between the two DHCP partners, for instance, if one of them can't see
the other one, then they will go into a state called communication interrupted. They will stay in
communication interrupted unless the administrator indicates that that other Partner Server is
actually down, in which case the surviving server will take over the entire scope. But if you
wanted to automatically transition from a communication interrupted to a partner down state,
you can turn on this State Switchover Interval. You also have this Maximum Client Lead
Time and this really has to do with the Time to Live, or TTL, if you will, regarding the partner
down state. So if you have a situation where one of the partners goes down, then after one
hour's time the surviving server will assume full responsibility of the scope until, of course, its
partner comes back online. Now you might be wondering well what happens if a DHCP partner
goes down and clients that well, are expecting to be serviced by that partner are looking for a
DHCP server and need an IP address.

[The Create a new failover relationship page of the Configure Failover wizard is open. This
page includes Relationship Name textbox in which .corp.brocader.com-
dc14.corp.brocadero.com is entered. It also includes Maximum Client Lead Time, which
displays hours and minutes drop-down lists in which 1 and 0 is selected by default. It also
includes Mode drop-down list, which consist of Load balance and Hot standby options of which
Load balance is selected by default. Further the page includes Local Server and Partner
Server drop-down lists in which 60 and 40 is already selected. The page also includes State
Switchover Interval option, which has a minutes drop-down list next to it in which 60 is selected
by default. It further includes Enable Message Authentication option, which is already
selected.]

Well even if these intervals haven't expired, you don't have to worry because those clients will
actually track how long they have been looking for that DHCP or how long they have been
looking for an IP address in general. And so the surviving server will notice, "Hey, that client
has been looking for about six seconds here for an IP address and my partner hasn't
responded, so I am going to step in and reply". So what I am trying to get at is, even with
these intervals in place, you don't have to worry about a client waiting for an hour before it is
going to get an address from the surviving server; because built into the DHCP protocol is a
resiliency mechanism to ensure clients get IP addresses in a timely manner. So they have
thought about everything. Down here I can Enable Message Authentication so that my
partner has a way to ensure they are talking to the right DHCP server, so I can configure a
Shared Secret between them and that is a good thing to do. I am going to cheat, leave that out
and then Finish this up. So that is how you configure the DHCP load-balancing relationship.

[The Create a new failover relationship page of the Configure Failover wizard is open. This
page includes Relationship Name textbox in which .corp.brocader.com-
dc14.corp.brocadero.com is entered. It also includes Maximum Client Lead Time, which
displays hours and minutes drop-down lists in which 1 and 0 is selected by default. It also
includes Mode drop-down list, which consist of Load balance and Hot standby options of which
Load balance is selected by default. Further the page includes Local Server and Partner
Server drop-down lists in which 60 and 40 is already selected. The page also includes State
Switchover Interval option, which has a minutes drop-down list next to it in which 60 is selected
by default. It further includes Enable Message Authentication option, which is selected by
default. The instructor clears the Enable Message Authentication option, clicks Next, and then
clicks Finish and a dialog box for the progress of failover configuration is displayed. Then the
instructor clicks Close and the DHCP window is displayed.]

Now if you have a DHCP server in a remote office, Hot standby is a great way to create
intersite protection for DHCP. For instance, I have got a server I am going to add here that is in
a branch office that is also running DHCP, but I want to provide protection in case this server
goes down and yet the link is still available, of course, I have to have routing that will support
passing DHCP packets, and I do.

So what I want to do now is come in here and right-click and Configure Failover from the
branch server to DC1. So the Partner Server in this case is going to be dc1 in the head office.
This time I am going to choose Hot standby. Now this has some of the same kinds of
parameters regarding the transition states to a partner down state and the client lead time
values. One of the things this will help facilitate is whether or not this server will step in, in kind
of, a Hot standby manner. In other words, this is an active/passive. Primarily, the Read Only
Domain Controller, or RODC, server that I am configuring here will be responsible for
configuring the majority of the addresses, so I need to configure its role as Active.

[The DHCP window is open. This window includes File, Action, View, and Help menu. It also
includes DC1.corp.brocadero.com node. This node includes IPv4 and IPv6 nodes. The IPv4
node includes Scope, Server Options, Policies, and Filters folders. The Scope folder includes
Address Pool, Address Leases, Reservations, Scope Options, and Policies sub folders. The
instructor right-clicks the DHCP node and selects Add Server and the Add Server dialog box is
displayed. This dialog box includes "This server" and "This authorized DHCP server" options of
which "This server" option is selected by default. Below "This authorized DHCP server" option
a list of IP addresses is displayed each of which have a name. The instructor selects "This
authorized DHCP server" option and selects "rodc2.corp.brocadero.com" name from this list
and clicks OK and "rodc2.corp.brocadero.com" is displayed added as a node under the DHCP
node. The "rodc2.corp.brocadero.com" node includes IPv4 and IPv6 nodes. The IPv4 node
includes Scope [10.0.7.0] BRANCH1, Server Options, Policies, and Filters folders. The Scope
folder includes Address Pool, Address Leases, Reservations, Scope Options, and Policies sub
folders. Next the instructor right-clicks the Scope [10.0.7.0] BRANCH1 folder and selects
Configure Failover and the Configure Failover dialog box is displayed. On this wizard, the
instructor clicks Next and then clicks "Add Server" button and the Add Server dialog box is
displayed. This dialog box includes "This server" and "This authorized DHCP server" options of
which "This server" option is selected by default. Below "This authorized DHCP server" option
a list of IP addresses is displayed each of which have a name. The instructor selects "This
authorized DHCP server" option and selects "dc1.corp.brocadero.com" name from this list and
clicks OK, then clicks Next and the Create a new failover relationship page of the Configure
Failover wizard is displayed. This page includes Relationship Name textbox in which
dc2.corp.brocader.com-dc1.corp.brocadero.com is entered. It also includes Maximum Client
Lead Time, which displays hours and minutes drop-down lists in which 1 and 0 is selected by
default. It also includes Mode drop-down list, which consist of Load balance and Hot standby
options of which Load balance is selected by default. The instructor then selects Hot standby.
The page also includes Role of Partner Server drop-down list, which includes Active and
Standby options. It also includes Addresses reserved for standby server drop-down lists in
which 5 is selected by default. Further the page includes State Switchover Interval option,
which has a minutes drop-down list next to it in which 60 is selected by default. It further
includes Enable Message Authentication option, which is selected by default. Next the
instructor selects Active in the Role of Partner Server drop-down list.]

But the standby server is going to be that server in the central office, and in the event that this
server is unavailable or becomes partner down, then it can resume and take over the role of
renewing IP addresses for the branch office and do that all from that central location.

Now during that transition time I don't want to lose anybody, so it is useful to actually set aside
some addresses for the actual standby server. Now this is not to be confused with split scopes
and 80-20 and that kind of arrangement. This is strictly for the transition period. So that when
the standby server starts assuming the responsibility of renewing addresses, it has some free
addresses to work with until it takes over the rest of the address pool. So granting it 5 to
10% of the addresses is very useful. All right, so couple of clicks and that is back. So if I go
back to...actually let's do it this way; if I come in here now and I can force replication to occur,
when I go back up to DC1 now and let's Refresh this, you can see I now have two scopes and
that is because DC1 is the standby server for this other server down here.

[The Create a new failover relationship page of the Configure Failover wizard is open. On this
page, the instructor clears the Enable Message Authentication option and clicks Next, then
Finish, and then Close and the DHCP window is displayed. On this window, the instructor
right-clicks the Scope [10.0.7.0] BRANCH1 folder under the IPv4 node under the
"rodc2.corp.brocadero.com" node and selects Replicate Scope and the Failover Scope
Configuration Replication dialog box is displayed. On this dialog box, the instructor clicks Close
and the DHCP window is displayed. On this window, the instructor then right-clicks the
DC1.corp.brocadero.com node under the DHCP node and selects Refresh.]
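The same hot-standby relationship built in the wizard above, as an added PowerShell example (not the course's own script). It assumes rodc2.corp.brocadero.com is the branch server that stays active, dc1.corp.brocadero.com is the central standby, the scope is the 10.0.7.0 BRANCH1 scope from the demo, the relationship name is made up, and the shared secret is a placeholder to be replaced. The reserve percentage is the "set aside some addresses for the standby" setting the narration describes, and the cmdlet's -ServerRole is the role of the server named in -ComputerName.

```powershell
# Added example, not from the course. Assumed names: rodc2 (branch, active) and
# dc1 (central office, standby); scope 10.0.7.0 is the BRANCH1 scope from the demo.
$ActiveServer  = 'rodc2.corp.brocadero.com'
$StandbyServer = 'dc1.corp.brocadero.com'
$ScopeId       = '10.0.7.0'
$Relationship  = 'BRANCH1-HotStandby'      # assumed relationship name

# Hot standby: the branch server keeps answering clients; DC1 only steps in when
# the partner is down. ReservePercent (5-10 % as the narration suggests) is the
# pool the standby can lease from during the transition, before it owns the rest.
# MaxClientLeadTime bounds how far the standby may extend a lease the partner
# has not yet heard about; StateSwitchInterval is the "partner down" timer.
Add-DhcpServerv4Failover -ComputerName $ActiveServer `
    -Name $Relationship `
    -PartnerServer $StandbyServer `
    -ScopeId $ScopeId `
    -Mode HotStandby `
    -ServerRole Active `
    -ReservePercent 10 `
    -MaxClientLeadTime 01:00:00 `
    -StateSwitchInterval 01:00:00 `
    -SharedSecret 'REPLACE-WITH-A-REAL-SECRET'   # placeholder: enables message authentication

# Push the scope configuration to the partner right away (what "Replicate Scope" did in the GUI).
Invoke-DhcpServerv4FailoverReplication -ComputerName $ActiveServer -Name $Relationship -Force

# Both sides should now report the same relationship, in Normal state, with
# mirrored roles (Active on rodc2, Standby on dc1).
foreach ($srv in $ActiveServer, $StandbyServer) {
    Get-DhcpServerv4Failover -ComputerName $srv -Name $Relationship |
        Select-Object @{n='Server';e={$srv}}, Mode, ServerRole, State, ReservePercent, StateSwitchInterval
}
```

If the two servers disagree on State or the standby still shows no scope after replication, fix that before relying on the relationship; a standby that has never replicated cannot renew anything when the branch server goes down.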

3. Demo: Configuring DHCP split scopes


In this demonstration, I want to look at the alternative to DHCP failover. You can also configure
good old-fashioned split scopes. Split scopes are especially useful if you have a mix of
Windows Server 2012 and Windows Server 2008 or 2008 R2 servers. So what I am going to do
is, I am going to use DC10. I have configured it with DHCP and I am going to jump into the
DHCP Manager tool. DC10 right now doesn't have an actual active scope. So the first thing I need
to do is configure a scope. So I am going to right-click, New Scope, and this is going to be for
my East Office, and let's give it a start and stop range like so. This is going to be a 24-bit
mask; it is about 100 addresses there. Here is my lease duration, we are going to leave that as
the default. Do I want to configure additional DHCP options? Yes I do. The main one I need to
configure is this guy right there, that is my router, and then my DNS. It is going to validate that,
there we go, no WINS, and we are activated.

[Server Manager in Windows Server 2012 R2 is open, which includes Dashboard, Local
Server, All Servers, AD DS, DHCP, DNS, and "File and Storage Services" tabs. The "DHCP"
tab is already selected and the DHCP tabbed page is displayed. This page displays different
server names each of which have an IPv4 address and a manageability option for it. The
instructor right-clicks the DC10 server name and selects DHCP Manager and the DHCP
window is displayed. This window includes File, Action, View, and Help menu. It also includes
DC10.corp.brocadero.com node, which includes IPv4 and IPv6 nodes. The IPv4 node includes
Server Options, Policies, and Filters folders. The instructor right-clicks the IPv4 folder and
selects New Scope and the New Scope Wizard is displayed. On this wizard the instructor
clicks Next and the Scope Name page of the wizard is displayed. This page includes Name
and Description textboxes. Then the instructor enters East Office in the Name textbox and
clicks Next and the IP Address Range page of the wizard is displayed. This page includes
Start IP address, End IP address, and Subnet mask textboxes and a Length drop-down list in
which 0 is selected by default. Then the instructor enters 10.0.6.100 in the Start IP address
textbox and hits enter, which displays 8 in the Length drop-down list and 255.0.0.0 in the
Subnet mask textbox. Next the instructor enters 10.0.6.200 in the End IP address textbox and
enters 24 in the Length drop-down list and 255.255.255.0 is displayed in the Subnet mask
textbox. Then the instructor clicks Next and the Add Exclusions and Delay page of the wizard
is displayed on which the instructor clicks Next and the Lease Duration page is displayed. On
this page the instructor then clicks Next and the Configure DHCP Options page of the wizard
is displayed. This page includes Yes, I want to configure these options now and No, I will
configure these options later options of which Yes, I want to configure these options now is
selected by default. The instructor then clicks Next on this page and the Router (Default
Gateway) page of the wizard is displayed. This page includes IP Address textbox and another
textbox below it, which displays the entered IP address. It also includes Add, Remove, Up, and
Down buttons. On this page, the instructor enters 10.0.6.254 in the IP address textbox, clicks
Add and the IP address 10.0.6.254 in the second textbox is displayed, and then clicks Next
and the Domain Name and DNS Servers page of the wizard is displayed. This page includes
Parent domain textbox, which has corp.brocadero.com by default. It also includes Server name
and IP address textboxes. Then the instructor enters 10.0.6.10 in the IP address textbox, clicks
Add and the DNS validation dialog box is displayed, and then clicks Next and the WINS
Servers page is displayed. On this page the instructor clicks Next and the Activate Scope page
of the wizard is displayed. This page includes Yes, I want to activate this scope now and No, I
will activate this scope later options of which Yes, I want to activate this scope now option is
selected by default. On this page the instructor clicks Next and Completing the New Scope
Wizard page is displayed on which the instructor clicks Finish.]

All right, so now I have got a basic scope but there is no resiliency, no failover. So if something
goes wrong with DC10, the machines in the east office are going to have no IP addresses after
a while and, of course, lose network connectivity and everything that is tied to that. So what
do I do? So I am going to opt for a Split-Scope.

We do Advanced, Split-Scope, and there is this nice wizard that I can actually reach out and
configure this with. Otherwise, on the older Windows servers and other devices, we can split the
scope without this wizard; it is just a matter of calculating the number of addresses and
creating individual scopes that don't collide with each other. You don't want two servers that
are giving out the same exact IP address, you have to be careful about that. This wizard really
helps me avoid that problem. So what is my Additional DHCP Server? Now that is going to be
dc1 in my head office. Now here is where I can actually dictate the weights, or the split of the
scope. This is where I can decide which server, DC10 or DC1, is going to have which portion of
the pool.

[The DHCP window is open. This window includes File, Action, View, and Help menu. It also
includes DC10.corp.brocadero.com node, which includes IPv4 and IPv6 nodes. The IPv4 node
includes Scope [10.0.6.0] East Office, Server Options, Policies, and Filters folders. The Scope
folder includes Address Pool, Address Leases, Reservations, Scope Options, and Policies sub
folders. The instructor right-clicks the Scope [10.0.6.0] East Office folder, selects Advanced,
and then selects Split-Scope and the DHCP Split-Scope Configuration Wizard is displayed. On
this wizard the instructor clicks Next and Additional DHCP Server, Host Name of Server, and
IPv4 Address of Server textboxes and Add Server and Retry buttons are displayed. The Host
Name of Server and IPv4 Address of Server textboxes have dc10.corp.brocadero.com and
10.0.6.10 values by default. Then the instructor clicks Add Server and the Add Server dialog
box is displayed. This dialog box includes "This server" and "This authorized DHCP server"
options of which "This server" option is selected by default. Below "This authorized DHCP
server" option a list of IP addresses is displayed each of which have a name. The instructor
selects "This authorized DHCP server" option, then selects "dc1.corp.brocadero.com" name
from this list and clicks OK and "dc1.corp.brocadero.com" in the Additional DHCP Server
textbox is displayed. Then the instructor clicks Next and a page that includes a slider to choose
the percentage of the scope is displayed. It also displays Host DHCP Server, Added DHCP
Server, Start IPv4 Address, and End IPv4 Address textboxes.]

Now remember with DHCP failover you actually have a sharing of information, a sharing of
lease information between the servers. With split scopes there is no sharing, instead we are
just kind of drawing a line and saying, "You have got this part and you got this part" and there
is no communication between the two, it is just a matter of timing really. So how do I want to
split this up? Well the general idea is this - DC10 is going to be in proximity to the client, so it is
most likely going to be the one to respond first. That means I usually want to give it the
majority of the actual addresses - 80%, 70%.

The server that is less near is the one that gets the smaller portion. And I could split this other
ways, maybe the servers are in the same site, typically they are not when we are doing split
scopes, but maybe they are. So I have this sliding bar here that lets me, kind of, adjust how I
am splitting the scope. So we will leave it as...as this here, 80/20. Now this can be useful
because this allows me to actually determine a delay on the DHCP so I can make sure that the
local DHCP server has adequate time to respond.

[The DHCP Split-Scope Configuration Wizard is open. It includes a slider to choose the
percentage of the scope. It also includes Host DHCP Server and Added DHCP Server
textboxes, which have the values 80 and 20 by default. It also includes Start IPv4 Address and
End IPv4 Address textboxes. The instructor clicks Next and Host DHCP Server and Added
DHCP Server spin boxes are displayed that have the value 0 by default.]

DHCP clients will accept a lease from any DHCP server, and so it is, kind of, first-come,
first-served. But if my first DHCP server is a little slow and the other server doesn't have a delay, it
could be that the two are both providing addresses.

In other words, I could have my server with the 20% be responding to clients and it exhausts
its scopes sooner than I would like. So a delay can help me, kind of, control that a little bit. So I
am going to leave this as is and click Next, click Finish. All right, that is it. So the next thing I
want to show you is what it looks like on the other server. So we are going to add a server, we
are going to grab dc1 right here. When I go to dc1, you will notice...look at that the East Office
is already listed. I didn't have to create this ahead of time. That split scope wizard actually did it
for me because I have administrative privileges on both servers. I am going to right-click on
this and Activate this scope.

[The DHCP Split-Scope Configuration Wizard is open and Host DHCP Server and Added
DHCP Server spin boxes that have the value 0 by default. The instructor clicks Next and the
Finish page of the wizard is displayed. On this page the instructor clicks Finish and then Close
and the DHCP window is displayed. This window includes File, Action, View, and Help menu. It
also includes a DHCP node, which includes DC10.corp.brocadero.com node. The
DC10.corp.brocadero.com node includes IPv4 and IPv6 nodes. The IPv4 node includes Scope
[10.0.6.0] East Office, Server Options, Policies, and Filters folders. The Scope folder includes
Address Pool, Address Leases, Reservations, Scope Options, and Policies sub folders. The
instructor right-clicks the DHCP node and selects Add Server and the Add Server dialog box is
displayed. This dialog box includes "This server" and "This authorized DHCP server" options of
which "This server" option is selected by default. Below "This authorized DHCP server" option
a list of IP addresses is displayed each of which have a name. The instructor selects "This
authorized DHCP server" option and selects "dc1.corp.brocadero.com" name from this list and
clicks OK and dc1.corp.brocadero.com node is added in the DHCP window. Then the
instructor right-clicks the Scope [10.0.6.0] East Office folder under the dc1.corp.brocadero.com
node and selects Activate.]

Now let's look at the actual Address Pool. Notice here on dc1, which is responsible for the 20%
of the Address Pool, it is excluding that 80% of the addresses, 100 through 179, which means
only 180 to 200 is actually available for dc1 to pass out. DC10 has the opposite. It has an
exclusion that is removing the top 20% leaving behind the 80% of the majority of the
addresses in the Address Pool. Now of course, I could come in here and make these
exclusions in these ranges manually but that split scope wizard did it all for me, which is great.

[The DHCP window is open. This window includes File, Action, View, and Help menu. It also
includes dc1.corp.brocadero.com and DC10.corp.brocadero.com nodes. The
dc1.corp.brocadero.com node includes IPv4 and IPv6 nodes. The IPv4 node includes Scope
[10.0.0.3] HQ - CorpNet, Scope [10.0.6.0] East Office, Scope [10.0.7.0] BRANCH1, Server
Options, Policies, and Filters folders. The Scope [10.0.6.0] East Office folder includes Address
Pool, Address Leases, Reservations, Scope Options, and Policies sub folders. The instructor
clicks the Address Pool sub folder in the dc1.corp.brocadero.com node and the start and end
IP addresses are displayed each of which include a description. Then the instructor clicks the
Address Pool sub folder in the DC10.corp.brocadero.com node and the start and end IP
addresses are displayed each of which include a description.]
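The split the wizard just produced, done by hand in PowerShell as an added example (not the course's own script). It uses the East Office scope from the demo (10.0.6.100 to 10.0.6.200 on 10.0.6.0/24, router 10.0.6.254, DNS 10.0.6.10), with DC10 as the host server keeping 80% and dc1 as the added server keeping 20%. The boundary is computed rather than typed so the two exclusion ranges can never overlap, which is the "two servers giving out the same address" mistake the narration warns about; the 1000 ms offer delay on dc1 is an assumed value, the demo leaves it at 0.

```powershell
# Added example, not from the course. Names and ranges come from the demo;
# the arithmetic generalizes the 80/20 split to any range and percentage.
$HostServer  = 'dc10.corp.brocadero.com'   # near the clients, keeps the majority
$AddedServer = 'dc1.corp.brocadero.com'    # head office, keeps the remainder
$ScopeId     = '10.0.6.0'
$StartIp     = '10.0.6.100'
$EndIp       = '10.0.6.200'
$HostPercent = 80

# Dotted-quad <-> integer helpers so the split works across octet boundaries too.
function ConvertTo-IpNumber ([string]$Ip) {
    $b = [System.Net.IPAddress]::Parse($Ip).GetAddressBytes()
    return [uint64]$b[0] * 16777216 + [uint64]$b[1] * 65536 + [uint64]$b[2] * 256 + [uint64]$b[3]
}
function ConvertFrom-IpNumber ([uint64]$N) {
    return '{0}.{1}.{2}.{3}' -f ([math]::Floor($N / 16777216) % 256), ([math]::Floor($N / 65536) % 256),
                                 ([math]::Floor($N / 256) % 256), ($N % 256)
}

$first     = ConvertTo-IpNumber $StartIp
$last      = ConvertTo-IpNumber $EndIp
$count     = $last - $first + 1                              # 101 addresses in the demo
$hostCount = [math]::Floor($count * $HostPercent / 100)      # 80 of them for the host server
$hostLast  = ConvertFrom-IpNumber ($first + $hostCount - 1)  # 10.0.6.179
$addedFirst = ConvertFrom-IpNumber ($first + $hostCount)     # 10.0.6.180
"Host  {0} keeps {1}-{2}" -f $HostServer,  $StartIp,    $hostLast
"Added {0} keeps {1}-{2}" -f $AddedServer, $addedFirst, $EndIp

# The wizard created the scope on dc1 for you; here we do it explicitly, with the
# same router and DNS options the host scope received.
Add-DhcpServerv4Scope -ComputerName $AddedServer -Name 'East Office' `
    -StartRange $StartIp -EndRange $EndIp -SubnetMask 255.255.255.0 -State Active
Set-DhcpServerv4OptionValue -ComputerName $AddedServer -ScopeId $ScopeId `
    -Router 10.0.6.254 -DnsServer 10.0.6.10

# Each server excludes the other's share: the two address pools are disjoint by construction.
Add-DhcpServerv4ExclusionRange -ComputerName $HostServer  -ScopeId $ScopeId -StartRange $addedFirst -EndRange $EndIp
Add-DhcpServerv4ExclusionRange -ComputerName $AddedServer -ScopeId $ScopeId -StartRange $StartIp    -EndRange $hostLast

# Delay the head-office server's offers (milliseconds) so the local server normally
# answers first and the 20 % pool is not drained. Assumed value; the demo uses 0.
Set-DhcpServerv4Scope -ComputerName $AddedServer -ScopeId $ScopeId -Delay 1000

# Verify: each server should list exactly the other's share as excluded.
foreach ($srv in $HostServer, $AddedServer) {
    Get-DhcpServerv4ExclusionRange -ComputerName $srv -ScopeId $ScopeId |
        Select-Object @{n='Server';e={$srv}}, StartRange, EndRange
}
```

Because split scopes share no lease database, this exclusion check is the only thing standing between you and duplicate addresses; re-run it whenever either scope is edited, and remember that a scope split this way has no reserve for the partner the way DHCP failover does.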
Managing and Optimizing DNS in Windows Server 2012 R2
Learning Objective
After completing this topic, you should be able to
◾ identify the function of DNS features

1. Demo: Managing DNS


Hi again, I want to talk about DNS and that is because, of course, it is so important and critical.
So much depends on its name resolution and its service location, everything from web
services, e-mail communications, and, of course, the Active Directory. So to ensure we have
got healthy communications, I want to talk about DNS management. Now, a couple of things. First
of all let's look at my current zone that I have, and it has got a lot of records in here. I have got
client records, I have got server records, I have got domain controller records. Now these records have
all been placed in here through a feature called dynamic update. Dynamic update is great
because it saves me from having to put these entries in here manually. The problem with
dynamic update is I could have servers or clients put a record in here, then leave the network
unexpectedly, and now I have got stale records. And as time goes by, I get an accumulation of
stale and old data artifacts, if you will, and it would be great to clean those out. So especially in
environments with dynamic update turned on, how do I remove stale records? Well there is a
process called scavenging and scavenging relies on aging. These are two separate settings.
They work together to discover old and stale records and then remove them. So let me show
you how this works.

[The DNS Manager window is open. This window includes File, Action, View, and Help menu.
It also includes DNS node, which further includes the DC1 node. The DC1 node includes
Forward Lookup Zones, Reverse Lookup Zones, Trust Points, Conditional Forwarders, and
Global Logs folders. The Forward Lookup Zones includes _msdcs.corp.brocadero.com,
corp.brocadero.com, and DEV.BROCADERO.COM sub folders.]

If I go to the Properties of my zone, this is where I can actually set aging on this particular
zone. Now you can set the defaults on the server level, but individually on each existing zone
you want to set up Aging. So if I go to aging, I can enable scavenge stale records and define
the actual aging setting. Now this is a little misleading because turning on Scavenge stale
resource records doesn't mean it is going to actually scavenge it. What this does is it sets up
the actual clocks. The clocks are important so that when scavenging runs, it knows which
records are fresh and which ones are stale. Moreover, these terms I think are a little confusing.
First we have No-refresh interval. This isn't about actually updating the records themselves, it
has to do instead with the timestamps in the clocks. So when a record is created or its
timestamp has been refreshed, it starts into this No-refresh interval, which means its
timestamp is not changed or updated for a period of seven days.

If after seven days the record then is still in use, then what will happen is the client or server or
dynamic update or Dynamic Host Configuration Protocol, or DHCP, with dynamic update
comes along, will refresh and update the record; and along with it, it will also refresh the
timestamp, which starts the No-refresh interval over again.

[The DNS Manager window is open. This window includes File, Action, View, and Help menu.
It also includes DNS node, which then includes the DC1 node. The DC1 node includes
Forward Lookup Zones, Reverse Lookup Zones, Trust Points, Conditional Forwarders, and
Global Logs folders. The Forward Lookup Zones includes _msdcs.corp.brocadero.com,
corp.brocadero.com, and DEV.BROCADERO.COM sub folders. The instructor right-clicks the
corp.brocadero.com sub folder and selects Properties and the corp.brocadero.com Properties
dialog box is displayed. This dialog box includes WINS, Zone Transfers, Security, General,
Start of Authority (SOA), and Name Servers tabs of which the General tab is selected by
default and the General tabbed page is displayed. This page includes Pause, Change, and
Aging buttons. It also includes Dynamic updates drop-down list in which Secure only is
selected by default. The instructor clicks Aging and Zone Aging/Scavenging Properties dialog
box is displayed. This dialog box includes Scavenge stale resource records option which is
selected by default. It also includes No-refresh interval and Refresh interval textboxes in which
7 is entered by default and there is a drop-down list next to the textboxes in which days is
selected by default. This dialog box also includes OK and Cancel buttons.]

But here is what happens. If that timestamp on a record is not refreshed and another seven days
go by, so a total of 14 days since that record was created or last updated, then the
scavenging process will see it as a candidate and remove it at any time after
these two intervals together, 14 days. So these two settings together, at their defaults, say, "Don't allow
any record beyond 14 days to remain in my zone". Now there are two settings to this as I said
before and I am not referring to these two clocks. And one common mistake, by the way, just
to throw this in, is to set these numbers too low. One of the important things about aging and
scavenging is to be patient with it and to allow the process to work in your favor. If you set
these too low, you are actually going to scavenge resource records that you may not want to be
removed. So be careful of setting these too low. But what I mean by two settings is I am
referring to...this is the aging property and I am also referring to the scavenging settings. So
there are actually two places we need to go. This sets aging, which has to do with the clocks
and the timestamps; the actual scavenging process is set on my server.

[The Zone Aging/Scavenging Properties dialog box is open. This dialog box includes
Scavenge stale resource records option which is selected by default. It also includes No-
refresh interval and Refresh interval textboxes in which 7 is entered by default and there is a
drop-down list next to the textboxes in which days is selected by default. This dialog box also
includes OK and Cancel buttons. The instructor clicks Cancel and the corp.brocadero.com
Properties dialog box is displayed on which the instructor clicks Cancel and the DNS Manager
window is displayed.]

If I go to the Properties on my server, I go to Advanced, right here is where I can tell it to
actually execute the scavenging process, detect stale records that are, you know, more than
14 days old based on those intervals we have defined, and then remove them. Notice right
now this server doesn't do that, so records are not going to be scavenged. You need both
aging and scavenging enabled, so I am going to turn that on. Now I have got this other seven-day
period. What this has to do with is how often the scavenging process runs; it is not related to the
timestamp. This value is how often this particular DNS server examines the timestamps,
tries to find stale records, and removes them. Now one tip I will give you. Best practice here is
to limit the number of DNS servers that are actually running the
scavenging process.

The reason for that is because if you have problems, then you have more than one server you
have to actually troubleshoot. And the more servers you have scavenging records, well if you
have replication issues or communication issues, you could actually be nuking records that you
really need. So be careful about these settings and how many servers are set for scavenging.

[The DNS Manager window is open. This window includes File, Action, View, and Help menu.
It also includes DNS node, which then includes the DC1 node. The DC1 node includes
Forward Lookup Zones, Reverse Lookup Zones, Trust Points, Conditional Forwarders, and
Global Logs folders. The Forward Lookup Zones includes _msdcs.corp.brocadero.com,
corp.brocadero.com, and DEV.BROCADERO.COM sub folders. The instructor right-clicks the
DC1 node and selects Properties which displays the DC1 Properties dialog box. This dialog
box includes Debug Logging, Event Logging, Monitoring, Security, Interfaces, Forwarders,
Advanced, and Root Hints tabs of which Interfaces tab is already selected. Then the instructor
clicks the Advanced tab and the Advanced tabbed page is displayed. This tabbed page
includes various server options. It also includes Name checking and Load zone data on startup
drop-down lists in which Multibyte (UTF8) and From Active Directory and registry is already
selected respectively. This dialog box also includes Enable automatic scavenging of stale
records option, which the instructor selects, which then enables the Scavenging period textbox
and the drop-down list next to it. In the Scavenging period textbox, 7 is already entered and in
the drop-down list next to it, days is selected by default.]

The Security tab is where I can go if I want to delegate administration. And notice I have got a
built-in group for that in fact. So all I really need to do is make users members of the DNS
admins group and they can administer this server. If I need to do troubleshooting, I have got a
couple of tabs here to help me with that. On the Monitoring tab, I can perform simple tests,
Event Logging allows me to scale up or scale down the kinds of events that are reported to
Event Viewer, and Debug Logging is really useful and shows me the kinds of queries and
responses that my DNS server engages in. So I can have Log packets for debugging,
indicate the file path, and I can even filter packets by IP address for more concise
troubleshooting.

Now I have got PowerShell commands and dnscmd command-line commands that can also
be beneficial. So for instance, if I want to retrieve statistical information about this DNS server
and its queries, well then I can run Get-DnsServerStatistics and I get a lot of
information along those lines. If I need to back up my server before I make a change to it, well
then I can use this command, dnscmd /zoneexport, and this will actually create a
backup. And this is a good thing to do before you make big changes to your DNS server. Of
course, frequent regular backups are also going to be important to do, but this allows me to do,
kind of, a one-off backup.

[The DC1 Properties dialog box is open. This dialog box includes Debug Logging, Event Logging,
Monitoring, Security, Interfaces, Forwarders, Advanced, and Root Hints tabs of which
Advanced tab is already selected. Then the instructor clicks the Security tab and the Security
tabbed page is displayed. This tabbed page includes various group or user names,
permissions for DNS admins, and Add and Remove buttons. Then the instructor clicks the
Monitoring tab and the Monitoring tabbed page is displayed. This page includes A simple
query against this DNS server and A recursive query to other DNS servers options of which A
simple query against this DNS server option is selected by default. Next the instructor clicks
the Event Logging tab and the Event Logging tabbed page is displayed. This page includes No
events, Errors only, Errors and warnings, and All events options of which All events is selected
by default. The instructor then clicks the Debug Logging tab and the Debug Logging tabbed
page is displayed. This page includes Log packets for debugging option, which is selected by
default. It also includes the following sections: Packet direction, Transport protocol, Packet
contents, Packet type, and Other options. The Packet direction section includes Outgoing and
Incoming options, which are selected by default. The Transport protocol section includes UDP
and TCP options, which are selected by default. The Packet contents section includes
Queries/Transfers, Updates, and Notifications options of which Queries/Transfers and Updates
options are selected by default. The Packet type section includes Request and Response
options, which are selected by default and the Other options sections includes the following
options: Log unmatched incoming response packets, Details, and Filter packets by IP address.
This dialog box also includes the File path textbox in which c:\dns\dns.log is entered by default
and Maximum size (bytes) textbox in which 500000000 is entered by default. Then the
instructor navigates to the Administrator: Windows PowerShell command window and
executes the Get-DnsServerStatistics command and the following statistical information is
displayed: Error Statistics, Security Statistics, Private Statistics, Database Statistics, NetBIOS
Statistics, Packet Statistics, and Record Statistics. Next the instructor navigates to another
Administrator: Windows PowerShell command window and the dnscmd /zoneexport
corp.brocadero.com backup.txt command is displayed, which creates a backup.]
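The aging and scavenging setup from the previous screens, together with the one-off backup just mentioned, as an added PowerShell example (not the course's own script). It assumes DC1 hosts corp.brocadero.com and that DC1 is the single server chosen to run scavenging, as the narration advises. The ordering is the point: export the zone first, turn on aging (the clocks), preview which records are already past NoRefresh + Refresh, and only then enable the scavenging process on this one server.

```powershell
# Added example, not from the course. Assumes DC1 is authoritative for the zone
# and is the only server that will scavenge it.
$Server = 'DC1'
$Zone   = 'corp.brocadero.com'

# 1. One-off backup before changing anything (PowerShell equivalent of the
#    dnscmd /zoneexport shown in the demo; the file is written under
#    %SystemRoot%\System32\dns on the DNS server).
Export-DnsServerZone -ComputerName $Server -Name $Zone -FileName 'corp.brocadero.com.bak'

# 2. Aging on the zone: this only starts the timestamp clocks (7 + 7 days, the defaults).
Set-DnsServerZoneAging -ComputerName $Server -Name $Zone -Aging $true `
    -NoRefreshInterval 7.00:00:00 -RefreshInterval 7.00:00:00

# 3. Preview what scavenging would remove: dynamic records whose timestamp is
#    older than NoRefresh + Refresh. Static records carry no timestamp and are
#    never scavenged, so they are filtered out here.
$aging  = Get-DnsServerZoneAging -ComputerName $Server -Name $Zone
$cutoff = (Get-Date) - ($aging.NoRefreshInterval + $aging.RefreshInterval)
$stale  = Get-DnsServerResourceRecord -ComputerName $Server -ZoneName $Zone |
    Where-Object { $_.Timestamp -and $_.Timestamp -lt $cutoff }
"{0} record(s) older than {1:d}: " -f @($stale).Count, $cutoff
$stale | Select-Object HostName, RecordType, Timestamp | Format-Table -AutoSize

# 4. If that list looks right (no domain controllers, no servers you still need),
#    enable the scavenging process on this one server with a 7-day period.
Set-DnsServerScavenging -ComputerName $Server -ScavengingState $true -ScavengingInterval 7.00:00:00
Get-DnsServerScavenging -ComputerName $Server | Select-Object ScavengingState, ScavengingInterval, LastScavengeTime
```

Re-run step 3 on its own whenever the intervals are changed; if lowering them suddenly makes live hosts appear in the stale list, that is the "set too low" mistake the narration warns about, caught before anything is deleted.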

2. Demo: Optimizing DNS name resolution


Let's continue the conversation about optimizing and managing DNS. So I am back on the
Advanced tab where I was earlier configuring scavenging. Now I want to mention a couple of
things about these two settings, round robin and netmask ordering. Now both of these can be
useful. Round robin is, kind of, a poor man's load-balancing mechanism; it allows me to have
multiple records with different IP addresses yet the same name. So queries from a client could
get slightly different results directing them to different servers for the purpose of load
balancing. Netmask ordering attempts to prioritize those responses from the server based on
the client's IP address, what subnet it is located in. So let me give you an example. If I come
over here to my zone, I have got some records for nlbweb and I have got multiple nlbweb records
but you will notice that the IP addresses are different. So a client sending the query looking for
nlbweb will get not just one answer but will get different answers and in a different order each
time. That is what round robin does to attempt to distribute the load between 3.55, 3.54, and
100.55.

[The DC1 Properties dialog box is open. This dialog box includes Debug Logging, Event Logging,
Monitoring, Security, Interfaces, Forwarders, Advanced, and Root Hints tabs of which
Advanced tab is already selected and the Advanced tabbed page is displayed. This tabbed
page includes the following server options: Disable recursion (also disables forwarders),
Enable BIND secondaries, Fail on load if bad zone data, Enable round robin, Enable netmask
ordering, Secure cache against pollution, and Enable DNSSEC validation for remote
responses of which Enable round robin, Enable netmask ordering, Secure cache against
pollution, and Enable DNSSEC validation for remote responses options are selected by
default. It also includes Name checking drop-down list in which Multibyte (UTF8) is selected by
default. It also includes Load zone data on startup drop-down list in which From Active
Directory and registry is selected by default. This dialog box also includes Enable automatic
scavenging of stale records option, which is already selected. The instructor clicks Cancel and
the DNS Manager window is displayed. This window includes File, Action, View, and Help
menu. It also includes DNS node, which then includes the DC1 node. The DC1 node includes
Forward Lookup Zones, Reverse Lookup Zones, Trust Points, Conditional Forwarders, and
Global Logs folders. The Forward Lookup Zones includes _msdcs.corp.brocadero.com,
corp.brocadero.com, and DEV.BROCADERO.COM sub folders. The instructor clicks the
corp.brocadero.com sub folder and different records are displayed.]

Now notice that this server and this server, the 100 versus the 3, are in different subnets.
So what netmask ordering does is, any client sending the query from the 10.0.3 subnet should
get these two records here prioritized. That is because the assumption is they are near or
closer to this location because they have the same subnet address, as opposed to the
10.0.100, which is assumed to be in a different network. Now that is all true provided that these
are actually Class C addresses. What if they are Class B? Well then the actual configuration
does not work. So what you have to do if you are using Class B subnet masks is tell netmask
ordering to use a Class B mask instead. And there is a little dnscmd command that allows you
to do that. The actual Class B mask is entered in hexadecimal. All right, let's go back now into
the configuration of my server and talk about two other tabs. Let's talk about the Forwarders
tab, and I want to talk about the Root Hints tab. Now the Forwarders tab is also a way I can
optimize my DNS server's response to queries, that is, if it gets a query it cannot answer,
what is it supposed to do with that? Well, by default, it will actually go and try to talk to the root
servers, which are listed on the Root Hints tab. These are the 13 DNS root clusters out there
on the Internet whose job is to help other DNS servers and those making queries to discover
resources on the Internet, e-mail servers, web sites, and the whole kit and caboodle.

[The DNS Manager window is open. This window includes File, Action, View, and Help menu.
It also includes DNS node, which then includes the DC1 node. The DC1 node includes
Forward Lookup Zones, Reverse Lookup Zones, Trust Points, Conditional Forwarders, and
Global Logs folders. The Forward Lookup Zones includes _msdcs.corp.brocadero.com,
corp.brocadero.com, and DEV.BROCADERO.COM sub folders. The instructor navigates to the
Administrator: Windows PowerShell command and the Dnscmd
/Config/LocalNetPriorityNetMask 0x0000FFFF command for using a Class B address is
displayed. Then the instructor navigates to the DNS Manager window, right-clicks the DC1
node, and selects Properties and the DC1 Properties dialog box is displayed. This dialog box
includes Debug Logging, Event Logging, Monitoring, Security, Interfaces, Forwarders,
Advanced, and Root Hints tabs of which Interfaces tab is already selected and the Interfaces
tabbed page is displayed. This tabbed page includes All IP addresses and Only the following
IP addresses options of which All IP addresses is selected by default. Next the instructor clicks
the Event Logging tab and the Event Logging tabbed page is displayed. This page includes No
events, Errors only, Errors and warnings, and All events options of which All events is selected
by default. The instructor then clicks the Forwarders tab and the Forwarders tabbed page is
displayed. This page includes the IP address and the Server FQDN for it. It also includes Use
root hints if no forwarders are available option, which is selected by default. Next the instructor
clicks the Root Hints tab and the Root Hints tabbed page is displayed. This page includes the
server fully qualified domain names and the IP addresses for each of them. Then the instructor
clicks the Forwarders tab and the Forwarders tabbed page is displayed.]
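A way to see round robin and netmask ordering actually happening, rather than just being ticked on the Advanced tab, as an added PowerShell example (not the course's own script). It assumes the nlbweb A records from the demo (10.0.3.54, 10.0.3.55 and 10.0.100.55 in corp.brocadero.com) and DC1 as the server; the dnscmd line is the Class B mask command from the demo, and the check of the two server settings is an assumption about the property names Get-DnsServerSetting exposes.

```powershell
# Added example, not from the course. Assumes the three nlbweb A records and
# DC1 from the demo; run it from a client on 10.0.3.0/24 to see netmask ordering.
$Server = 'dc1.corp.brocadero.com'
$Zone   = 'corp.brocadero.com'
$Name   = 'nlbweb'

# The records that share one name: this is what round robin rotates.
Get-DnsServerResourceRecord -ComputerName $Server -ZoneName $Zone -Name $Name -RRType A |
    Select-Object HostName, @{n='IPv4';e={$_.RecordData.IPv4Address}}

# Both behaviours are server-wide switches; confirm they are on before reading
# anything into the answer order (property names assumed).
Get-DnsServerSetting -ComputerName $Server -All | Select-Object RoundRobin, LocalNetPriority

# Ask three times. With round robin the order rotates each time; with netmask
# ordering a client on 10.0.3.0/24 gets the 10.0.3.x addresses first and
# 10.0.100.55 last, so only the relative position of 10.0.100.55 is stable.
1..3 | ForEach-Object {
    $answers = Resolve-DnsName -Name "$Name.$Zone" -Server $Server -Type A -DnsOnly
    ($answers | ForEach-Object IPAddress) -join ', '
}

# Netmask ordering compares the first three octets (Class C) by default. On a
# /16 network tell it to compare the first two only, the dnscmd form from the demo.
dnscmd $Server /Config /LocalNetPriorityNetMask 0x0000FFFF
```

If every query returns the same order from a client in 10.0.3.0/24, round robin is off or the answers are coming from the client's own cache; if 10.0.100.55 ever comes first from that client, netmask ordering is off or the mask no longer matches your subnetting.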
So this server is already configured and postured to go do that if it doesn't have an answer for
a client request. But what if I don't want it to go to the Root Hints first? Well I can actually
configure a forwarder, and this is often an ISP or another device in my network that is
designed to go out and look things up on the Internet for me. This turns this DNS server into, kind of,
a client. It is going to send a recursive query to these other DNS servers saying, "Hey, I am
looking for Microsoft.com out there, can you go look it up?". Now if that other DNS server
doesn't have an answer and it is doing an external lookup, then it needs to know the location of
these root hints servers or forward to a server that does. Now if I want some isolation where I
want to prevent this DNS server from making those external lookups, well then I have got this
option here, Use root hints if no forwarders are available. If this is enabled, then it will fall
back to using the list in the Root Hints tab. If I don't want that to occur, I can clear that and this
means talk to the forwarder, but only talk to the forwarder.

[The DC1 Properties dialog box is open. This dialog box includes Debug Logging, Event
Logging, Monitoring, Security, Interfaces, Forwarders, Advanced, and Root Hints tabs of which
the Root Hints tab is already selected and the Root Hints tabbed page is displayed. This page
includes the server fully qualified domain names and the IP addresses for each of them. The
instructor then clicks the Forwarders tab and the Forwarders tabbed page is displayed. This
page includes the IP address and the Server FQDN for it. It also includes Use root hints if no
forwarders are available option, which is selected by default. The instructor clears the Use root
hints if no forwarders are available option.]

Now what happens if the forwarder is unavailable while this is cleared out? Then it might come
back with a negative reply. If I want complete isolation preventing this DNS server from talking
to even forwarders or root hints servers, then I can do a next step and the next step is to
create my own root zone. This is for a much stronger isolation where I actually create a zone
and I name it root and by naming it root you just put a period there. And now I have created a
root zone, which tells my DNS server "Don't bother asking for help because you are part of the
root". So if I go back now to the Properties of that server, I will notice that the Forwarders tab
has been cleared out and the Root Hints tab has been cleared out because this server is not
going to do external lookups. So client queries asking for external resources aren't going to get
help from this DNS server. They are going to have to look somewhere else, maybe to a proxy
server or to another server designed to actually perform those external lookups, or maybe I
have an environment that never talks to the Internet. So that is an interesting, kind of,
configuration that is available to you. Now I am going to go back and Delete this root and when
I do, it should repopulate the Root Hints, and it does that because there is a file called
cache.dns that has these all in a list and it just reloaded those for me.

[The DC1 Properties dialog box is open. This dialog box includes Debug Logging, Event
Logging, Monitoring, Security, Interfaces, Forwarders, Advanced, and Root Hints tabs of which
the Forwarders tab is already selected and the Forwarders tabbed page is displayed. This
page includes the IP address and the Server FQDN for it. It also includes Use root hints if no
forwarders are available option, which is not selected. The instructor clicks Cancel and the
DNS Manager window is displayed. This window includes File, Action, View, and Help menu. It
also includes DNS node, which then includes the DC1 node. The DC1 node includes Forward
Lookup Zones, Reverse Lookup Zones, Trust Points, Conditional Forwarders, and Global Logs
folders. The Forward Lookup Zones includes _msdcs.corp.brocadero.com,
corp.brocadero.com, and DEV.BROCADERO.COM sub folders. Then the instructor right-clicks
the Forward Lookup Zones sub folder and selects New Zone and the New Zone Wizard is
displayed. On this wizard the instructor clicks Next and the following different zone type
options are displayed: Primary zone, Secondary zone, and Stub zone of which Primary zone is
selected by default. It also includes Store the zone in Active Directory option, which is selected
by default. Next the instructor clicks Next and the Active Directory Zone Replication Scope
page of the wizard is displayed. This page includes the following options: To all DNS servers
running on domain controllers in this forest: corp.brocadero.com To all DNS servers running on
domain controllers in this domain: corp.brocadero.com To all domain controllers in this domain
(for Windows 2000 compatibility): corp.brocadero.com, and To all domain controllers specified
in the scope of this directory partition of which To all DNS servers running on domain
controllers in this domain: corp.brocadero.com is selected by default. Then the instructor clicks
Next and the Zone Name page of the wizard is displayed. This page includes a Zone name
textbox in which the instructor enters a dot (root) and clicks Next and the Dynamic Update
page of the wizard is displayed. This page includes the different types of dynamic updates of
which Allow only secure dynamic updates (recommended for Active Directory) is selected by
default. Then the instructor clicks Next and the Completing the New Zone Wizard page is
displayed. On this page the instructor clicks Finish, which then displays the DNS Manager
window. This window displays the .(root) sub folder added up under the Forward Lookup
Zones folder. Then the instructor right-clicks the DC1 node and selects Properties and the DC1
Properties dialog box is displayed. This dialog box includes Debug Logging, Event Logging,
Monitoring, Security, Interfaces, Forwarders, Advanced, and Root Hints tabs of which
Interfaces tab is already selected and the Interfaces tabbed page is displayed. This tabbed
page includes All IP addresses and Only the following IP addresses options of which All IP
addresses is selected by default. Next the instructor clicks the Forwarders tab and the
Forwarders tabbed page is displayed. This page includes the Use root hints if no forwarders
are available option, which is disabled. Then the instructor clicks the Root Hints tab and the
Root Hints tabbed page is displayed. Next the instructor clicks Cancel and the DNS Manager
window is displayed. On this window the instructor right-clicks the .(root) sub folder and selects
Delete and a DNS confirm box with the message "Do you want to delete the zone .(root) from
the server?" is displayed. The instructor clicks Yes and another DNS confirm box giving a
warning message is displayed. Then the instructor clicks Yes again, which then displays
another DNS confirm box asking whether to add root hints to allow recursive queries. The
instructor then clicks Yes and the DC1 Properties dialog box is displayed. This dialog box
displays the server fully qualified domain names and the IP addresses for each of them under
the Root Hints tab.]

Now instead of having a generic forwarder that I send all external queries to, I can specify a
conditional forwarder. And that is useful if I have a well frequented access name. Maybe I have
got an internal subsidiary or resource that my clients often access and it is using the same
label. And so I have a set of servers that really need to be the ones I want them to query rather
than going out and doing Internet lookups all the time. So I can create a conditional forwarder
that says, "Look if you go to earthfarm.lab, don't go ask the other forwarder or root hints
server instead the server that I want you to talk to is going to be this server here". So this is
really useful in optimizing the way name lookups work. Now the downside to conditional
forwarding is that this is a static manual entry...something you make just now. If this server that I am
pointing to, this forwarder server that I am referencing is down or unavailable, the name
lookups for earthfarm.lab might fail. So it would be useful to have something that is more
dynamic and that is where stub zones come in. So let's build a stub zone.
[The DNS Manager window is open. This window includes File, Action, View, and Help menu.
It also includes DNS node, which then includes the DC1 node. The DC1 node includes
Forward Lookup Zones, Reverse Lookup Zones, Trust Points, Conditional Forwarders, and
Global Logs folders. The Forward Lookup Zones includes _msdcs.corp.brocadero.com,
corp.brocadero.com, and DEV.BROCADERO.COM sub folders. The instructor right-clicks the
Conditional Forwarders folder and selects New Conditional Forwarder and a New Conditional
Forwarder dialog box is displayed. This dialog box includes DNS Domain textbox, which is
empty. It also includes IP Address, Server FQDN, and Validated columns. This dialog box also
includes Store this conditional forwarder in Active Directory, and replicate it as follows option.
Then the instructor enters earthfarm.lab in the DNS Domain textbox and 192.168.1.99 in the IP
Address column and clicks OK and earthfarm.lab is added up under the Conditional
Forwarders folder in the DNS Manager window. Next the instructor right-clicks the Forward
Lookup Zones folder and selects New Zone and the New Zone Wizard is displayed.]

A stub zone is like a conditional forwarder, in that it is going to allow me to actually resolve
names for another zone or name. This time though I am going to store some information and it
is going to be available to me dynamically. So I need to indicate where I am going to store it.
So it is not just a manual entry. Here I can store it in Active Directory, or AD, I can share it with
other DNS servers, or use earthfarm.lab once again. Instead of this being a static entry
though, this is going to be the address of where I can retrieve information about DNS servers
for earthfarm. So I am going to do a transfer, there we go.

Now the benefit of this is if any of these DNS servers are removed or new ones are added,
then through that zone transfer process I will get up-to-date information about who has got the
records for earthfarm.lab. This is useful for organizations where you have got trust between
different entities because they have to permit me the ability to actually transfer this information.
If I don't have as much trust but I still want to optimize name resolution, I can rely on
Conditional Forwarders or just plain old straight up forwarders.

[The New Zone wizard is open. On this wizard the instructor clicks Next and the following
different zone types are displayed: Primary zone, Secondary zone, and Stub zone of which
Primary zone is selected by default. It also includes Store the zone in Active Directory option,
which is selected by default. The instructor selects the Stub zone option and clicks Next and
the Active Directory Zone Replication Scope page of the wizard is displayed. This page
includes the following options: To all DNS servers running on domain controllers in this forest:
corp.brocadero.com To all DNS servers running on domain controllers in this domain:
corp.brocadero.com To all domain controllers in this domain (for Windows 2000 compatibility):
corp.brocadero.com, and To all domain controllers specified in the scope of this directory
partition of which To all DNS servers running on domain controllers in this domain:
corp.brocadero.com is selected by default. Then the instructor clicks Next and the Zone Name
page of the wizard is displayed. This page includes a Zone name textbox in which the
instructor enters earthfarm.lab and clicks Next and the Master DNS Servers page of the wizard
is displayed. This page includes IP Address, Server FQDN, and Validated columns. Then the
instructor enters 192.168.1.99 in the IP Address column and clicks Next and Completing the
New Zone Wizard page is displayed. On this page the instructor clicks Finish and the DNS
Manager window is displayed. This window displays earthfarm.lab sub folder added up under
the Forward Lookup Zones folder. Next the instructor right-clicks the earthfarm.lab sub folder
and selects Transfer from Master. Then the instructor again right-clicks earthfarm.lab sub
folder and selects Refresh.]
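The forwarder, conditional forwarder and stub zone steps from the demo, done with the DnsServer PowerShell module instead of the console. This is an added example, not the course's own commands; it assumes an elevated session on DC1, and the upstream resolver address 192.0.2.53 is a placeholder (earthfarm.lab and 192.168.1.99 are the values used in the demo).

```powershell
# Added example (not from the course): the resolution paths shown in the demo, built with
# the DnsServer module that ships with Windows Server 2012 R2.
# Assumptions: elevated PowerShell on DC1; 192.0.2.53 is a placeholder upstream resolver.
Import-Module DnsServer

# 1. Plain forwarder with root-hint fallback turned off ("talk to the forwarder but only
#    talk to the forwarder"). If the forwarder is unreachable, queries for names this
#    server is not authoritative for now fail instead of going to the root servers.
Set-DnsServerForwarder -IPAddress 192.0.2.53 -UseRootHint $false
Get-DnsServerForwarder | Format-List IPAddress, UseRootHint, Timeout

# 2. Conditional forwarder: a static pointer for one namespace. If 192.168.1.99 goes
#    away, lookups for earthfarm.lab fail, and nothing refreshes this entry by itself.
Add-DnsServerConditionalForwarderZone -Name 'earthfarm.lab' `
    -MasterServers 192.168.1.99 -ReplicationScope Domain

# 3. Stub zone for the same namespace: the server copies the NS, SOA and glue records from
#    the master and keeps them current through zone transfers, so it learns about added or
#    removed name servers without anyone editing a static entry. A zone name must be unique
#    on one server, so the conditional forwarder for earthfarm.lab is removed first.
Remove-DnsServerZone -Name 'earthfarm.lab' -Force
Add-DnsServerStubZone -Name 'earthfarm.lab' -MasterServers 192.168.1.99 -ReplicationScope Domain
Start-DnsServerZoneTransfer -Name 'earthfarm.lab' -FullTransfer

# What the stub zone learned. Only NS, SOA and A (glue) records belong here; anything else
# would mean this is not actually a stub zone. An empty result means the master did not
# allow the transfer, which is the trust relationship the course mentions.
$records = Get-DnsServerResourceRecord -ZoneName 'earthfarm.lab'
$records | Select-Object HostName, RecordType, RecordData | Format-Table -AutoSize
if (-not $records) {
    Write-Warning 'Stub zone is empty: check zone-transfer permissions on 192.168.1.99'
}
$unexpected = $records | Where-Object { $_.RecordType -notin 'NS', 'SOA', 'A' }
if ($unexpected) {
    Write-Warning "Unexpected record types in stub zone: $($unexpected.RecordType -join ', ')"
}
```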
3. Demo: GlobalName zone
Here is a scenario. Let's say I am trying to access a resource that is in a different domain and I
am using the single label name or just the host name. Now this particular example is I am
going to a location called intranet but intranet is in a different zone than I am or different
domain. I am in corp.brocadero.com and intranet is in dev.brocadero.com. Of
course, if I put in the fully qualified domain name and ping that, let's do that
dev.brocadero.com, well then it is successful. But what if I want to provide support for
single labeled names even if they are in different parts of my network under different labels.
Well you can do that and historically, we have this thing called Windows Internet Naming
Service, or WINS, which provided that kind of support. But if I am transitioning from WINS and
go into DNS, well one of the things I can employ is global name zones. So what I am going to
do is I am going to create another type of zone called global name zones and this is going to
allow me to support single label name resolution. Now when I do this, I want to replicate it to all
the DNS servers in the forest so I am going to change the scope. It needs to be called
GlobalNames and then inside the GlobalNames zone, I am going to create an alias record
for intranet but this is going to intranet.dev.brocadero.com, like so.

[The Administrator: Windows PowerShell command window is open. The instructor enters ping
intranet and the message "Ping request could not find host intranet. Please check the name" is
displayed. Then the instructor enters the ipconfig /all command and intranet in different zones
or domains is displayed. Next the instructor enters the cls command to clear the screen and
then enters the command ping intranet.dev.brocadero.com, which gives successful replies.
Then the instructor minimizes the PowerShell command window and navigates to the DNS
Manager window. This window includes File, Action, View, and Help menu. It also includes
DNS node, which then includes the DC1 node. The DC1 node includes Forward Lookup
Zones, Reverse Lookup Zones, Trust Points, Conditional Forwarders, and Global Logs folders.
The Forward Lookup Zones includes _msdcs.corp.brocadero.com, corp.brocadero.com, and
DEV.BROCADERO.COM sub folders. The instructor right-clicks the Forward Lookup Zones
folder and selects New Zone and the New Zone wizard is displayed. On this wizard the
instructor clicks Next and the following different zone types are displayed: Primary zone,
Secondary zone, and Stub zone of which Primary zone is selected by default. It also includes
Store the zone in Active Directory option, which is selected by default. The instructor clicks
Next and the Active Directory Zone Replication Scope page of the wizard is displayed. This
page includes the following options: To all DNS servers running on domain controllers in this
forest: corp.brocadero.com To all DNS servers running on domain controllers in this domain:
corp.brocadero.com To all domain controllers in this domain (for Windows 2000 compatibility):
corp.brocadero.com, and To all domain controllers specified in the scope of this directory
partition of which To all DNS servers running on domain controllers in this domain:
corp.brocadero.com is selected by default. Then the instructor selects To all DNS servers
running on domain controllers in this forest: corp.brocadero.com option and clicks Next and the
Zone Name page of the wizard is displayed. This page includes a Zone name textbox in which
the instructor enters GlobalNames and clicks Next and the Dynamic Update page of the wizard
is displayed. This page includes the following types of dynamic updates: Allow only secure
dynamic updates (recommended for Active Directory), Allow both nonsecure and secure dynamic
updates, and Do not allow dynamic updates of which Allow only secure dynamic updates
(recommended for Active Directory) is selected by default. Then the instructor clicks Next and
the Completing the New Zone Wizard page is displayed. On this page the instructor clicks
Finish, which then displays the DNS Manager window. This window displays the GlobalNames
sub folder added up under the Forward Lookup Zones folder. Next the instructor right-clicks on
the right pane of the window and selects New Alias (CNAME) and New Resource Record
dialog box is displayed. This dialog box includes Alias name, fully qualified domain name, and
fully qualified domain name for target host textboxes. The fully qualified domain name textbox
has GlobalNames. entered by default. The instructor enters intranet in the Alias name textbox,
which then displays intranet.GlobalNames. in the fully qualified domain name textbox. Next the
instructor enters intranet.dev.brocadero.com in the fully qualified domain name for target host
textbox and clicks OK.]

Now next thing I need to do is enable global names support and this is done on all the DNS
servers in my organization that I want to be authoritative. For this zone I am going to do
dnscmd and I am going to do config /enableglobalnamessupport, put a one there.
Now I am going to flush my cache and we will ping intranet and it is successful this time.
And the reason for that is because this GlobalNames zone, kind of, bridges the gap. It has an
entry here in my...it automatically knows when it sees that to actually resolve that to
intranet.dev.brocadero.com. So that is how you can create a global name zone.

[The Administrator: Windows PowerShell command window is open. The instructor enters the
command dnscmd . /config /enableglobalnamessupport 1 and the message "Registry property
enableglobalnamessupport successfully reset" is displayed. Then the instructor enters ipconfig
/flushdns to flush the cache. Next the instructor enters the command ping intranet, which is
successful. Then the instructor closes the PowerShell command window and navigates to the
DNS Manager window. On this window, the instructor clicks the GlobalNames folder and the
entry "intranet" is displayed for which a type and data has been defined.]
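The GlobalNames zone from the demo, built with the DnsServer module and then checked from the same server. This is an added example, not the course's commands; it assumes an elevated session on DC1 and uses the zone and alias values from the demo. It departs from the demo in one place: dynamic updates are switched off for the zone, since GlobalNames entries are meant to be static, administrator-created aliases.

```powershell
# Added example (not from the course): GlobalNames single-label resolution via PowerShell.
# Assumptions: elevated session on DC1; zone/alias values are those from the demo.
Import-Module DnsServer

# Forest-wide, AD-integrated zone that must be named exactly GlobalNames. Dynamic updates
# are disabled so that no client can register its own name into this zone; the demo left
# the default (secure dynamic updates) in place.
Add-DnsServerPrimaryZone -Name 'GlobalNames' -ReplicationScope Forest -DynamicUpdate None

# One CNAME per single-label name, pointing at the real FQDN in the other domain.
Add-DnsServerResourceRecordCName -ZoneName 'GlobalNames' -Name 'intranet' `
    -HostNameAlias 'intranet.dev.brocadero.com'

# Same effect as "dnscmd . /config /enableglobalnamessupport 1"; repeat on every DNS server
# that should answer single-label queries from this zone.
Set-DnsServerGlobalNameZone -Enable $true
Get-DnsServerGlobalNameZone | Format-List Enable, AlwaysQueryServer, BlockUpdates

# Verify: the single-label name should now come back as a CNAME to the dev-domain host.
Clear-DnsClientCache
$answer = Resolve-DnsName -Name 'intranet' -Server 'DC1' -ErrorAction Stop
$cname  = $answer | Where-Object { $_.Type -eq 'CNAME' }
if ($cname -and $cname.NameHost -eq 'intranet.dev.brocadero.com') {
    'intranet resolved through the GlobalNames alias'
} else {
    Write-Warning 'intranet did not resolve through the GlobalNames zone'
    $answer | Format-Table Name, Type, NameHost, IPAddress -AutoSize
}
```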
Securing DNS with Windows Server 2012 R2
Learning Objective
After completing this topic, you should be able to
◾ recognize the characteristics of DNS security features

1. Demo: DNS cache locking and socket pool

Let's talk about DNS security for a moment. When a query is sent to a DNS server and the
DNS server doesn't have an answer, we will turn around and ask other DNS servers. That is
called recursion. It happens on the Internet all the time. Now when my DNS server receives a
response from the other DNS servers, it not only passes it on to me or whoever is making the
request; it also caches that information so that subsequent requests go much faster. But that
also creates a vulnerability because malicious users or malicious systems might step in there
and try to fill up the cache with bunk information. You can see the cache on a Windows Server
by going up to...see or choose View here and turning on this Advanced option and then that
exposes these Cached Lookups and so you can see the cache here. So how do we ensure
that this cache is protected? One of the ways we can do that is we can put a lock on it. So
entries that come into the cache are protected from being overwritten. So we have got this
Time to live, this particular response from a DNS server is in my cache for a whole day, 24
hours.

[The Administrator: Windows PowerShell command window is open. The instructor enters the
command ping www.google.com, which gives successful replies. Then the instructor navigates
to the DNS Manager window. This window includes File, Action, View, and Help menu. It also
includes DNS node, which then includes the DC1 node. The DC1 node includes Forward
Lookup Zones, Reverse Lookup Zones, Trust Points, Conditional Forwarders, Global Logs,
and Cached Lookups folders. The Cached Lookups folder includes the .(root) sub folder, which
includes arpa, com, and net sub folders. The com folder includes bing, examroar, google,
Microsoft, and worldnic sub folders. The instructor clicks the google sub folder and the cache
on the right pane of the DNS Manager window is displayed. Then the instructor right-clicks the
row which has the name ns4 and selects Properties and the ns4 Properties dialog box is
displayed. This dialog box includes Host, FQDN, and IP address textboxes in which ns4,
ns4.google.com, and 261.239.38.10 is entered by default. It also includes Record time stamp
and Time to live (TTL) textboxes.]

Now what would prevent a malicious user from coming in and changing the IP address on this
and thus redirecting users? Well cache locking does that. So we can actually look at this using
the dnscmd command cachelockingpercent, and I am doing dnscmd /info.

And right now those entries are protected for 100% of their Time to live and you could change
this if you want to. But this ensures that those records...and really what it does is it just makes
it more difficult for those records to be overwritten. Now another protection in DNS is to
randomize the ports that are used when DNS servers are communicating to each other. If
there was a sequential set of ports or a predictable set of ports, then it would be easier for
observers and attackers to guess the transaction and to, kind of, race to the answer and
provide a false answer before the legitimate server can reply. So by randomizing the ports we
do a little, kind of, cat and mouse, we make it much more difficult for attackers to guess the
details of a DNS transaction with other DNS servers.

[The ns4 Properties dialog box is open. This dialog box includes Host, FQDN, and IP address
textboxes in which ns4, ns4.google.com, and 261.239.38.10 is entered by default. It also
includes Record time stamp and Time to live (TTL) textboxes. The instructor clicks Cancel and
the DNS Manager window is displayed. Then the instructor navigates to the Administrator:
Windows PowerShell command window and enters dnscmd /info /cachelockingpercent and the
following output is displayed: Dword: 100 (00000064) Command completed successfully.]

Now this can be seen much like I can see my cache locking in dnscmd, and I can see the
number of sockets or ports that I am using for this randomization using socketpoolsize.
Right now I am using 2500 ports. I can adjust this size if I want to make it a little larger, maybe
we will do 3000 and that just gives additional ports.

I can also include a command to exclude certain ports if I have an application that is using a
port in the upper range of the...of my TCP and User Datagram Protocol, or UDP, ports where
DNS might pull these sockets from. Now all of these configurations with dnscmd are actually
occurring in the registry, so you can also see those here. If you come into this path down
here, HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DNS and then you click
on Parameters, here is where you can actually see the SocketPoolSize and the
CacheLockingPercent.

[The Administrator: Windows PowerShell command window is open. The instructor enters the
command dnscmd /info /socketpoolsize and the following output is displayed: Dword: 2500
(000009C4) Command completed successfully. Then the instructor enters the command
dnscmd /config /socketpoolsize 3000 and the following output is displayed: Registry property
socketpoolsize successfully reset. Command completed successfully. Next the instructor
navigates to the registry window. This window includes the DNS folder, which includes
Parameters and Performance sub folders. Then the instructor clicks the Parameters sub folder
and an entry for SocketPoolSize and CacheLockingPercent is displayed each of which has a
type and data for it.]
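An audit of the two cache protections from this demo, cache locking and the socket pool, using the DnsServer module and dnscmd, with the results read back from the registry path the course shows. This is an added example, not the course's commands; it assumes an elevated session on the DNS server, and the excluded port range 49152-49300 is a constructed value, not one from the course.

```powershell
# Added example (not from the course): check cache locking and socket-pool settings and
# correct them where they fall below the intended values.
# Assumptions: elevated session on the DNS server; 49152-49300 is a constructed range.
Import-Module DnsServer

# Cache locking: percentage of a cached record's TTL during which a later answer cannot
# overwrite it. 100 is the default and the strongest value; anything lower widens the
# window in which a forged answer could replace a good one.
$cache = Get-DnsServerCache
if ($cache.LockingPercent -lt 100) {
    Write-Warning "CacheLockingPercent is $($cache.LockingPercent); raising it to 100"
    Set-DnsServerCache -LockingPercent 100        # same as dnscmd /config /cachelockingpercent 100
}

# Socket pool: UDP source ports pre-allocated for outbound queries (default 2500, max 10000).
# More ports means more source-port entropy per transaction for an off-path observer to guess.
$settings = Get-DnsServerSetting -All
if ($settings.SocketPoolSize -lt 3000) {
    $settings.SocketPoolSize = 3000               # same as dnscmd /config /socketpoolsize 3000
    Set-DnsServerSetting -InputObject $settings
    # Keep ports an application already listens on out of the pool (constructed range).
    dnscmd /config /socketpoolexcludedportranges 49152-49300
    Restart-Service -Name DNS                     # socket pool changes apply at service start
}

# Read back from the registry, where dnscmd and the cmdlets both store these values.
# A value that is absent means the built-in default is in effect.
$reg = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\DNS\Parameters'
[pscustomobject]@{
    CacheLockingPercent = $reg.CacheLockingPercent
    SocketPoolSize      = $reg.SocketPoolSize
    ExcludedPortRanges  = ($reg.SocketPoolExcludedPortRanges -join ', ')
}
```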

2. DNSSEC
DNS is very popular and that is one of its pitfalls. It is central to every Internet communication
like the web and e-mail. And the way I think of it is well, it is as necessary as electricity and
how do you protect something that is as big and as popular as electricity? Well it is not easy
and DNS is no different. DNS is especially vulnerable to spoofing and man-in-the-middle types
of attacks. Well what happens if a million bots all turn their effort towards a major ISP's DNS
server? Well the result is a lot of fake data going around, a lot of clients being misdirected. So
to address this very real vulnerability, DNS Security Extensions, or DNSSEC, was developed.
Now this DNSSEC thing uses digital signatures and cryptographic keys in order to guarantee
that the DNS data that we are using is authentic and valid. One of DNSSEC's key components
is this thing called a trust anchor.

Now a trust anchor is configured on your validating DNS server and it consists of what is called
a public key that can be used to verify the responses from other DNS servers and that helps
avoid rogue or malicious DNS servers trying to jump in there and provide fake replies. Now
you can create these trust anchors on Windows DNS servers and you can replicate
information through Active Directory among your DNS servers. As for the clients well, Windows
8, Windows 7, and Windows Vista they support DNSSEC and they can use what is called the
Name Resolution Policy Table, or NRPT. Now this NRPT thing tells the client which DNS
names they should really be paying attention to and validating. So for example, you can
require your clients to perform this DNSSEC validation for very specific namespaces. This way
you can secure namespaces that reference sensitive resources.

Now at the heart of DNSSEC is the digital signature. Now digital signatures are generated
using cryptographic and Public Key Infrastructure, or PKI, methods. You may have heard of
digital signatures before. So when you want to secure a DNS zone, what you do is you digitally
sign that zone and you use what is called a private key and so that zone gets signed along
with all of its records. Now these digitally signed records are known as RRSIG records or
Resource Record Signature. Now because they were signed with a private key, you actually
use the public key to verify this signature is valid when needed. And the public key is called the
DNS key and it is available upon request. So clients and DNS servers can use this DNS key to
validate the RRSIG records. Now another type of record that is important here is the DS record
or Digital Signer record. The DS record identifies the DNS key for delegated zones and, kind
of, glues zones together.

Now what if a client is making a request for a name that doesn't exist? Well if that requires then
the DNS server to give a negative response, we want to be sure that negative response can be
authenticated and valid as well. It is, kind of, hard to do if no record actually exists to be signed
in the first place. So how does the DNS server do this? How does it prove what is called authentic
denial? Well the answer comes in another type of record called the NSEC record or Next
Secure record. The NSEC records give DNS servers the ability to actually return an
authenticated negative reply that can then be validated.

3. Demo: DNSSEC
Okay. In this demonstration, I want to show you how to configure DNSSEC. Now I am starting
from a Windows 8 client and I am using PowerShell to issue the resolve-dnsname cmdlet
to a very specific record that is in my secret.brocadero.com zone. I am indicating
exactly what server I want to query and I am letting the DNS server know that I actually
support dnssec. So I am going to issue this command and you can see I am not getting any
RRSIG in my response, and that is because I haven't configured DNSSEC on the server yet.
So let's do that now and see the difference in the response. So I am going to go back to DC1,
here is this secret.brocadero.com zone, here is my record, which I call top and I now want to
apply DNSSEC. That is easy to do, I just right-click and in the right-click menu there is an
option to Sign the Zone. Now when I do this, I can choose between, kind of, the default
options or a more advanced configuration. And that is where I can customize the actual zone
signing parameters. Choosing this first option actually lets me come in and actually make
changes to these specific keys that I want to use. So I can come in here and I can indicate
specifics about validity periods, replication in Active Directory, key strengths, and other types
of values.

[The Administrator: Windows PowerShell command window is open. The instructor executes
the command resolve-dnsname top.secret.brocadero.com and the following output is
displayed: Name Type TTL Section top.secret.brocadero.com
A 3600 Answer Name: Query Type: OPT TTL: 32768 Section: Additional Data: {}
Then the instructor navigates to the Hyper-V Manager window. This window includes the
following sections: Virtual Machines, Checkpoints, Client5 8.1 Ent. Next the instructor
navigates to the DNS Manager window. This window includes File, Action, View, and Help
menu. It also includes DNS node, which then includes the DC1 node. The DC1 node includes
Forward Lookup Zones, Reverse Lookup Zones, Trust Points, Conditional Forwarders, Global
Logs, and Cached Lookups folders. The Forward Lookup Zones includes
_msdcs.corp.brocadero.com, corp.brocadero.com, and DEV.BROCADERO.COM,
GlobalNames, and secret.brocadero.com sub folders. The instructor right-clicks the
secret.brocadero.com sub folder, selects DNSSEC, and then selects Sign the Zone and the
DNS Security Extensions (DNSSEC) wizard is displayed. On this wizard, the instructor clicks
Next and the Signing Options page of the wizard is displayed. This page includes the following
options: Customize zone signing parameters Sign the zone with parameters of an existing
zone, and Use default settings to sign the zone of which Customize zone signing parameters is
selected by default. The instructor clicks Next and the Key Master page of the wizard is
displayed. This page includes the options The DNS server DC1 is the Key Master and Select
another primary server as the Key Master of which The DNS server DC1 is the Key Master
options is selected by default. Then the instructor clicks Next and the Key Signing Key (KSK)
page of the wizard is displayed. On this page the instructor clicks Next and a list of
cryptographic algorithms for which KSKs are specified is displayed. Next the
instructor clicks Edit and the following sections are displayed: Key Generation, Key Properties,
and Key Rollover. On this page the instructor clicks Cancel and the Key Signing Key (KSK)
page of the wizard is displayed.]

What I want to do though is go ahead and choose use the default settings and a few clicks and
a Refresh here, my records will be signed with the appropriate keys. Now take a moment and
notice how many more records that are here, and notice that we have the different types of
records we have been talking about. So we have got the DNS keys, which are those public
keys. If I open that up, it actually shows me what the Public Key is here. I have the original
record but I have a corresponding record for it down here that is an RRSIG record and this is
the digitally signed version of that record. So here is the actual Signer's name, which is this
particular zone itself, the total fully qualified domain name, or FQDN. In addition to that, I have
the NSEC records for negative replies from the server and I also have records digitally signed
for the name servers and the start of authority. So all of those records have been signed and
the different necessary DNSSEC components are present.

[The Key Signing Key (KSK) page of the DNS Security Extensions (DNSSEC) wizard is open.
The instructor clicks Back and navigates to the Signing Options page of the wizard. This page
includes the following options: Customize zone signing parameters Sign the zone with
parameters of an existing zone, and Use default settings to sign the zone of which Customize
zone signing parameters is selected by default. On this page the instructor then selects Use
default settings to sign the zone option and clicks Next, Next again, and then clicks Finish and
the DNS Manager window is displayed. On this window, the instructor right-clicks the
secret.brocadero.com folder and selects Refresh and different records on the right pane of the
window are displayed. Then the instructor right-clicks the record which has the type DNS KEY
(DNSKEY) and selects Properties and the secret.brocadero.com Properties dialog box is
displayed. This dialog box includes DNS Public Key (DNSKEY) and Security tabs of which
DNS Public Key (DNSKEY) tab is selected by default and the DNS Public Key (DNSKEY)
tabbed page is displayed. This page includes Name, Fully qualified domain name, Key Tag,
Public Key, and Record time stamp textboxes. Next the instructor clicks Cancel and the DNS
Manager window is displayed. Then the instructor right-clicks the record named "top" which
has the type RR Signature (RRSIG) and selects Properties and the top Properties dialog box is
displayed. This dialog box includes RR Signature (RRSIG) and Security tabs of which RR
Signature (RRSIG) tab is selected by default and the RR Signature (RRSIG) tabbed page is
displayed. This page includes Host, FQDN, Labels, Key tag, Original time to live, Signer's
name, Signature (base 64), Record time stamp, and Time to live (TTL) textboxes. The Host
and FQDN textboxes have top and top.secret.brocadero.com entered by default, respectively. The
Signer's name textbox has secret.brocadero.com entered by default. Then the instructor closes
this dialog box and the DNS Manager window is displayed.]

Now let's see what the client reply looks like. I go back to my client and see what is different
about it. So now you can see it is getting a DNSSEC answer, with a Query Type of RRSIG,
compared to the previous response, which was just a standard query response. Now what if I
want to require that the DNS response be validated with DNSSEC? Well, that requires that I
enable a Name Resolution Policy Table, or NRPT. And to do that I am going to go back to my
domain controller, go to Group Policy, Edit the Default Domain Policy, and this is where I can
create a Name Resolution Policy Table. So I am going to go into Windows Settings, here it is,
and this is where I can set up rules around a specific DNS name. So for instance, I can say that
for this secret.brocadero.com zone, I want to enable DNSSEC, but I also want to require DNS
clients to check and validate names. Now I will scroll down here and choose Create. I can see
the entry in the table. The table is actually down below here, a little hidden, but if I expand it, I
can see that validation has been turned on, and then I Apply it.

[The DNS Manager window is open. This window includes File, Action, View, and Help menu.
It also includes DNS node, which then includes the DC1 node. The DC1 node includes
Forward Lookup Zones, Reverse Lookup Zones, Trust Points, Conditional Forwarders, Cached
Lookups, and Global Logs folders. The Forward Lookup Zones includes
_msdcs.corp.brocadero.com, corp.brocadero.com, DEV.BROCADERO.COM, GlobalNames,
and secret.brocadero.com sub folders. The instructor navigates to the Hyper-V Manager
window. This window includes the following sections: Virtual Machines, Checkpoints, Client5
8.1 Ent. The Virtual Machines section includes a list of virtual machine names each of which
have a State, CPU Usage, and Assigned Memory for it. Then the instructor clicks the Client5
8.1 Ent from the list and the Administrator: Windows PowerShell command window is
displayed. On this window the instructor executes the command resolve-dnsname
top.secret.brocadero.com, which displays the following output: Name Type
TTL Section top.secret. A 3600 Answer brocadero.com Name:
top.secret.brocadero.com Query Type: RRSIG TTL: 3600 Section: Answer TypeCovered: A
Algorithm: 8 LabelCount: 4 OriginalTt1: 3600 Expiration: 12/30/2013 3:13:03 AM Signed:
12/20/2013 2:13:03 AM Signer: secret.brocadero.com Signature: {98, 202, 152, 82…} Name:
Query Type: OPT TTL: 32768 Section: Additional Data: {} Next the instructor then navigates to
the Group Policy Management window by clicks the Start menu and then clicking Group Policy
Management. This window includes the Group Policy Management node, which includes
Forest.corp.brocadero.com node. Further the Forest.corp.brocadero.com node includes
Domains, Sites, and Group Policy Results folders. The Domains folder includes
corp.brocadero.com sub folder. The corp.brocadero.com sub folder includes Default Domain
Policy, Domain Controllers, FileServers, People, Workstations, Group Policy Objects, WMI
Filters, and Starter GPOs sub folders of which the Default Domain Policy folder is already
selected and the Default Domain Policy page is displayed. Then the instructor right-clicks the
Default Domain Policy folder and selects Edit and the Group Policy Management Editor
window is displayed. This window includes Default Domain Policy node, which includes
Computer Configuration and User Configuration nodes, both of which include Policies and
Preferences sub folders. The Policies folder under Computer Configuration node includes
Software Settings, Windows Settings, and Administrative Templates sub folders. Further the
Windows Settings folder includes Name Resolution Policy, Scripts (Startup/Shutdown),
Security Settings, and Policy-based QoS sub folders. Then the instructor clicks the Name
Resolution Policy folder and the Name Resolution Policy page is displayed. This page includes
Overview, Description, Create Rules, and Certification authority sections. The Create Rules
section includes a drop-down list in which Suffix is selected by default and a textbox next it,
which is empty. The Certification authority section includes a textbox and a browse button next
to it. It also includes DNSSEC, DNS Settings for Direct Access, Generic DNS Server, and
Encoding tabs of which DNSSEC is selected by default and the DNSSEC tabbed page is
displayed. This page includes the Enable DNSSEC in this rule option. It also includes the
Validation and IPsec sections under the DNSSEC settings section. The Validation section
includes Require DNS clients to check that name and address data has been validated by the
DNS server option and the IPsec section includes Use IPsec in communication between the
DNS client and DNS server option. Next the instructor enters secret.brocadero.com in the
textbox which is in the Create Rules section, then selects the options Enable DNSSEC in this
rule and Require DNS clients to check that name and address data has been validated by the
DNS server in the Certification authority sections and clicks Create and an entry in the Name
Resolution Policy Table is displayed. This table displays secret.brocadero.com in the
Namespace column and Yes in the DNSSEC (Validation) column. Then the instructor clicks
Apply.]

Now of course, this is Group Policy, so if I go back to my client, that means I need to do an
update. So let's do that: gpupdate. The /force isn't always necessary, I just do that out of
habit, but we are going to run our update. In a moment I will be able to validate whether or not I
received the new NRPT policy. Here we go: the computer update has occurred and then the
user update. So now I can do get-dnsclientnrptpolicy and there are the results. You
can see the Namespace .secret.brocadero.com, and it says down here that
DnsSecValidationRequired is True. If I do my query, then, you can see I am still getting the
same response.

[The Name Resolution Policy page is open in the Group Policy Management window. The
instructor navigates to the Hyper-V Manager window. This window includes the following
sections: Virtual Machines, Checkpoints, DC1 CORP 10.0.3.1. The Virtual Machines section
includes a list of virtual machine names each of which have a State, CPU Usage, and
Assigned Memory for it. Then the instructor clicks the Client5 8.1 Ent from the list and the
Administrator: Windows PowerShell command window is displayed. On this window the
instructor executes the command gpupdate /force and the following message is displayed:
Computer Policy update has completed successfully. User Policy update has completed
successfully. Next the instructor executes the get-dnsclientnrptpolicy command and the
following output is displayed: Namespace : .secret.brocadero.com QueryPolicy
: SecureNameQueryFallback :
DirectAccessIPsecCARestriction : DirectAccessProxyName :
DirectAccessDnsServers : DirectAccessEnabled : DirectAccessProxyType : NoProxy
DirectAccessQueryIPsecEncryption : DirectAccessQueryIPsecRequired : False
NameServers : DnsSecIPsecCARestriction : DnsSecQueryIPsecEncryption :
DnsSecQueryIPsecRequired : False DnsSecValidationRequired : True NameEncoding :
Utf8WithoutMapping Then the instructor executes resolve-dnsname
top.secret.brocadero.com and the following output is displayed: Name Type TTL Section
top.secret.brocadero.com A 3600 Answer Name: top.secret.brocadero.com Query Type: RRSIG
TTL: 3600 Section: Answer TypeCovered: A Algorithm: 8 LabelCount: 4 OriginalTtl: 3600
Expiration: 12/30/2013 3:13:03 AM Signed: 12/20/2013 2:13:03 AM Signer: secret.brocadero.com
Signature: {98, 202, 152, 82…} Name: Query Type: OPT TTL: 32768 Section: Additional Data: {}]

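
The two checks the demo makes by hand (are the DNSSEC record types present in the zone, and is the client actually required to validate), as an added PowerShell example that is not part of the course. It assumes the DnsServer module on the DNS server and the DnsClient module on the client (both ship with Windows Server 2012 R2 / Windows 8.1) and uses the demo's names secret.brocadero.com and top.secret.brocadero.com; the function names are my own.

```powershell
# Added example, not part of the course: verify a DNSSEC-signed zone on the server
# and confirm that a client is really required to validate answers for it.
# Assumes the DnsServer module (server side) and the DnsClient module (client side).

# ----- Server side: run on the DNS server (DC1 in the demo) --------------------

function Get-DnssecZoneSummary {
    param([Parameter(Mandatory)][string]$ZoneName)

    # Count the record types that signing must produce. A zone reported as
    # "signed" but with no DNSKEY or no RRSIG records protects nothing.
    $counts = [ordered]@{}
    foreach ($type in 'DnsKey', 'RRSig', 'NSec', 'NSec3', 'NSec3Param') {
        $rr = Get-DnsServerResourceRecord -ZoneName $ZoneName -RRType $type `
              -ErrorAction SilentlyContinue     # cmdlet errors when a type is absent
        $counts[$type] = @($rr).Count
    }
    # Authenticated denial of existence (the "negative replies" in the demo) uses
    # either NSEC or NSEC3; default signing produces one of the two.
    $hasDenial = ($counts['NSec'] + $counts['NSec3']) -gt 0

    [pscustomobject]@{
        ZoneName = $ZoneName
        DnsKey   = $counts['DnsKey']
        RRSig    = $counts['RRSig']
        NSec     = $counts['NSec']
        NSec3    = $counts['NSec3']
        Signed   = ($counts['DnsKey'] -gt 0) -and ($counts['RRSig'] -gt 0) -and $hasDenial
    }
}

# ----- Client side: run on the DNS client (Client5 in the demo) ----------------

function Test-DnssecClientValidation {
    param(
        [Parameter(Mandatory)][string]$Name,       # host to resolve
        [Parameter(Mandatory)][string]$Namespace   # NRPT namespace, e.g. .secret.brocadero.com
    )

    # 1. Is validation actually required by the effective NRPT (GPO rules plus any
    #    local rules)? "Enable DNSSEC in this rule" alone does not force the client
    #    to reject unvalidated answers; DnsSecValidationRequired must be True.
    $rule = Get-DnsClientNrptPolicy -Effective |
            Where-Object { $_.Namespace -eq $Namespace }
    $required = [bool]($rule | Where-Object { $_.DnsSecValidationRequired })

    $result = [ordered]@{
        Name = $Name; ValidationRequired = $required
        SignedAnswer = $false; Signer = $null; Expires = $null; Error = $null
    }

    # 2. Send the query with the DNSSEC OK (DO) bit so the server returns RRSIGs,
    #    then look for a signature covering the A record, as in the demo output.
    try {
        $answer = Resolve-DnsName -Name $Name -Type A -DnssecOk -DnsOnly -ErrorAction Stop
        $rrsig  = $answer |
                  Where-Object { $_.QueryType -eq 'RRSIG' -and $_.TypeCovered -eq 'A' } |
                  Select-Object -First 1
        if ($rrsig) {
            $result.SignedAnswer = $true
            $result.Signer       = $rrsig.Signer
            $result.Expires      = $rrsig.Expiration
        }
    } catch {
        # With validation required, an answer the server could not validate is
        # refused here instead of being handed to the application.
        $result.Error = $_.Exception.Message
    }

    $result.Status = if ($required -and $result.SignedAnswer) { 'OK: validation required and answer is signed' }
                     elseif ($required)                        { 'FAIL: validation required but no signed answer' }
                     elseif ($result.SignedAnswer)             { 'WARN: signed answer but validation not required' }
                     else                                      { 'WARN: neither signed nor required' }
    [pscustomobject]$result
}

# Usage from the demo: on DC1, then on Client5.
# Get-DnssecZoneSummary -ZoneName secret.brocadero.com
# Test-DnssecClientValidation -Name top.secret.brocadero.com -Namespace .secret.brocadero.com
```
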
Windows Server 2012 R2 IPAM Overview
Learning Objective
After completing this topic, you should be able to
◾ recognize different IPAM deployment models

1. IPAM overview
So you need to track your IP address space. You need to know which IP addresses are still
available. Maybe, you need to know which subnets have been exhausted and which network
ranges need to be expanded. Maybe, you need increased visibility into your address space so
you know who is using what. And maybe you need to monitor the machine activity and the IP
addresses behind them, do some troubleshooting, do some forensics. Now the challenge here
is that this is a lot of information, so historically you might have resorted to using a
spreadsheet. Labor-intensive, right? Or maybe you gave up on the spreadsheet and spent some big dollars
and bought an address management tool. Or maybe somebody in your company built you a
tool that you could use internally.

The problem with address management tools, though, is that they have their own costs
associated with them, whether it is support cost, licensing cost, or maybe even expertise. Well,
in 2012 you can throw that spreadsheet away and use the built-in IP Address Management
tool, or IPAM. Now I think of IPAM as a built-in bloodhound, because it will help you track,
analyze, monitor, and manage all of those IP addresses as well as those services that
help with IP management such as domain controllers, Dynamic Host Configuration Protocol, or
DHCP, and DNS servers.

[The IPAM Server Tasks page includes the following three hyperlinks: Connect to IPAM server,
Provision the IPAM server, and Configure server discovery. It also includes Quick Start, Actions,
and Learn More sections.]

So you might be wondering what IPAM can do for you. Well, it can help you plan, it can help
you manage, and it can help you track and audit all of the details around your IP addresses.
How does it do that? Well, it has a couple of important features, a couple of important modules.
Essentially, there are four aspects to IPAM. First of all you have address space management,
and its job is to help you organize your IP addresses, assign IP addresses, and monitor their
usage. And I just like the fact that I can actually take blocks of addresses and assign them.
Maybe I have a new network that I am developing, and then I have a new subnet or a new site
coming online, so this helps me identify what address spaces I can utilize that apply to that
location. Then there is network discovery.

Now network discovery is useful because it helps me automatically locate those important IP
based servers, for instance, DHCP, DNS, and domain controllers. Then there is multiserver
management. So after I discover these servers, one of the things that I can do is centrally
configure various settings on those servers; maybe I need to change a DHCP option, but I
need to do that on multiple DHCP servers. IPAM helps me do that in a much easier way.
And then lastly, there is the increased visibility and auditing: the ability to track and monitor
changes that occur and also to provide real-time status information. So these are the four key
areas around IPAM administration.

[The IPAM administrative functions table has two columns, IP administration area and IPAM
capabilities, with four rows:
Planning: Provides a tool set that can reduce the time and expense of the planning process
when changes occur in the network.
Managing: Provides a single point of management and assists in optimizing utilization and
capacity planning for DHCP and DNS.
Tracking: Enables tracking and forecasting of IP address utilization.
Auditing: Assists with compliance requirements, such as HIPAA and the Sarbanes-Oxley Act of
2002, and provides reporting for forensics and change management.]

2. IPAM topology
Let's talk now about the deployment options with IPAM. Now you can do a lot with a single
IPAM server. It has been tested to support something like 150 DHCP servers with 40,000
DHCP scopes. As for DNS, it has been tested to support 500 DNS servers at one time, and it
has also been shown to support and store years' worth of forensic data for large scale
organizations, something like 100,000 users. Now despite its scalability, you might want to
use another server configured as a backup, or you might want to extend your IPAM
administration and the IP address space to include a distributed model. Now with a distributed
model, what we are talking about is configuring multiple IPAM servers, typically one for each
site or location. You have to keep in mind there is no actual data sharing among these
different IPAM servers, so you would need to customize them and alter each server's purview
so there is an overlap.

Now maybe you would limit the list of actual managed servers, so you could go into each
IPAM server and indicate which servers it needs to manage, or what you could do is actually
limit the scope of discovery. An IPAM server periodically goes out and tries to locate
network services like DHCP and DNS, and you can limit the scope of discovery for that IPAM
server. Now to understand that, it is helpful to know the way in which IPAM actually connects
and talks to these servers: it uses remote procedure call, or RPC, and Windows Management
Instrumentation, or WMI, and it needs those particular firewall ports open in order to
facilitate this communication. The IPAM server also needs permission in each one of those
different services. So the easiest way to grant the necessary access for IPAM, for
communication and for administration, is to use Group Policy.

Now the reason I mention this is because Group Policy is also easy to scope. You can
scope it to specific organizational units, or OUs, or specific machine accounts, and that can
help you control what your IPAM servers are allowed to manage. Now this means you can
adjust your deployment as you need it. Maybe you need a centralized kind of model, maybe
you need something in between, something like a hybrid model. Now as your networks grow
and as those IP address needs grow, your network, of course, becomes more complex. And
what I like about these deployment topologies is that IPAM can scale up and grow with us and
help us keep up with the growing needs and the growing demands of IP management.

3. IPAM roles
One question I have seen asked about IPAM is, what about delegation? I think that is a useful
question. I used to work for a company where the DHCP information, the address database,
was made available to the helpdesk for troubleshooting purposes, while DNS administration
was reserved for another team. Now this isn't uncommon. And because IPAM addresses
multiple areas, DHCP, DNS, address management, and so forth, well, I think it is important that
the different functions of IPAM support delegation, and you might find that important too.

So when you install IPAM, one of the things you should know is that it creates several local
groups. Now you can view these groups and read their descriptions in Computer Management.
Each one of these groups is designed with delegation in mind. So for instance, there is a group
for DNS record administration and another group for IP address administration, and yet another
group for address space management versus the multiserver management function, and, of
course, there is a group for full administrative rights. So if you need to delegate IPAM abilities,
take a look at these groups.

[The IPAM roles table has three columns, Type, Name, and Description, with the following rows:
Role, DNS record administrator: Manages DNS resource records.
Role, IP address record administrator: Manages IP addresses but not IP address ranges,
blocks, or subnets.
Role, IPAM administrator: Manages all settings and objects in IPAM.
Role, IPAM ASM administrator: Completely manages IP addresses.
Role, IPAM DHCP administrator: Completely manages DHCP servers.
Role, IPAM DHCP reservations administrator: Manages DHCP reservations.
Role, IPAM DHCP scope administrator: Manages DHCP scopes.
Role, IPAM MSM administrator: Completely manages DHCP and DNS servers.
Access scope, Global: By default all objects in IPAM are included in the global access scope.
All additional scopes that are configured are subsets of the global access scope.]

Windows Server 2012 R2 IPAM
Learning Objective
After completing this topic, you should be able to
◾ identify fields that require configuration when creating an IP address block

1. Demo: Installing IPAM


There are some requirements in IP Address Management, or IPAM, you should be aware of.
First of all, you need a dedicated server with .NET 4.5 and a minimum of 2 GB of RAM. Now
don't install IPAM on a domain controller, or DC. In fact, I would avoid colocation in general;
IPAM works much better on a dedicated server. Now this server also needs to be a member of
your domain, as do the servers it is going to manage, or at least the same forest. Keep in mind,
IPAM only supports Microsoft's Dynamic Host Configuration Protocol, or DHCP, DNS, domain
controllers, and network policy servers, and they all need to be running Windows Server 2008
and above.

Now there are some new things in R2 you should be aware of. New in R2 is IPAM's ability to
work with the virtual address space. So if you have a cloud network and you have VMM, the
Virtual Machine Manager, you should be aware that IPAM integrates with VMM and allows you
to manage virtual networks as well as physical networks, which is a plus. Now R2 also lets you
do more on IPAM than you could before, so you can also manage DHCP failover and
superscopes. IPAM in R2 also supports an external SQL Database, whereas previously it was
limited to the Windows internal database. So if you are going to use Microsoft's IPAM, I would
encourage you to consider Windows Server 2012 R2.

[In the Server Manager, the Overview node is selected in IPAM and the IPAM Server Tasks page
is open. The page has three buttons, "QUICK START", "ACTIONS" and "LEARN MORE", and
displays links for performing IPAM server related tasks, namely, "Connect to IPAM server",
"Provision the IPAM server", "Configure server discovery", "Start server discovery", "Select or
add servers to manage and verify IPAM access" and "Retrieve data from managed servers".]

Hi so let's do some IPAM.

First thing I want to do is install it, and I am going to use the install-windowsfeature
cmdlet with -includemanagementtools. And there we are, it is fired off; this will take a
couple of minutes. Once it is finished, then we will be ready to do some of the provisioning and
other configuration around IPAM. So the installation is complete. Now when I come into Server
Manager and do a quick refresh, I will find a new node here for IPAM. And what I like about
this in Server Manager is the QUICK START option, which shows me exactly the next steps I
need to take. My next step is to Provision the IPAM server, so we are going to click on that.
Now this is going to help me configure my database, and I have two choices: I can use SQL or
Windows Internal Database (WID). This is where I am going to store configuration
information and it is where my IPAM database is going to live. So I am going to choose WID.
Now I have a choice here between Manual or Group Policy Based provisioning for the
servers I am going to manage.

If I choose Manual, it means I have to configure the shares, security groups, and firewall rules
on each and every single server. If I choose Group Policy Based, well, those settings can be
delivered through Group Policy. I just need to indicate a prefix that I am going to use. Now
don't be fooled here. It is not going to make the Group Policy Objects, or GPOs, for you. You
are going to have to do that in the next step.

[The Server Manager Dashboard is open in Windows 2012 R2. The instructor navigates to
Windows PowerShell command prompt. At the command prompt, the instructor executes the
command install-windowsfeature ipam -includemanagementtools. After the installation is
complete, the instructor navigates back to the Server Manager and clicks Refresh, and the
node IPAM is now displayed in the navigation pane. Next in the navigation pane, the instructor
clicks IPAM and the IPAM Server Tasks page is displayed, with the Overview node
selected. In the Overview window, the IPAM Server Tasks tile is displayed. It has three
buttons namely, Quick Start, Actions and Overview. The buttons have corresponding links for
performing IPAM server related-tasks. The instructor clicks Provision the IPAM server link as a
result of which the Provision IPAM wizard opens up. The instructor scrolls down and clicks
Next. This takes us to the next step with options to configure the database - Windows Internal
Database, or WID, and Microsoft SQL Server. The instructor chooses the WID option and then
scrolls down, and clicks Next. This leads to the next step where two options to select a
provisioning method for managed servers are displayed namely, Manual and Group Policy
Based. The instructor selects Group Policy Based option and enters the text IPAM in the GPO
prefix field under Group Policy Based option.]

And it actually tells me that right here: it says Invoke-IpamGpoProvisioning is the
command I am going to need. But we are going to say Next to this; it tells me what changes it is
going to make. It is going to basically build the IPAM database and some scheduled tasks and
security groups. Hit Apply. Once this is finished, then I can configure my Group Policy Objects.
All right, IPAM provisioning is complete. The next thing I need to do is create those Group
Policy Objects. So let's go into PowerShell here and do that, give myself a little bit of room,
Invoke-IpamGpo there we go, hit Enter to that, and my domain, well, that is
corp.brocadero.com, and the prefix is IPAM, which is what I used in the configuration
database.

And do I want to go ahead and create those three GPOs? I am going to say Yes and away it
goes. And in a few moments, I will be able to validate that in the Group Policy
Management console. So let's jump into that. I have it installed here as well, so we will open
that up and we will see the results of that Invoke-IpamGpo command, so here we go.

[The window displaying options to select a provisioning method for managed servers is open.
The instructor scrolls down and clicks Next. This leads to the last step in the wizard. The
instructor clicks Apply and this completes IPAM provisioning. The instructor then clicks and
opens the PowerShell command prompt and enters the cmdlet Invoke-IpamGpoProvisioning
and presses Enter. It generates the following output: cmdlet Invoke-IPAMGPOProvisioning at
command pipeline position 1 Supply values for the following parameters: Domain: The
instructor enters corp.brocadero.com in the Domain parameter and hits Enter. This displays
GPOPrefixName parameter. The instructor enters IPAM in it and hits Enter. The command
prompt asks for confirmation to create the GPOs on which the instructor enters Yes. The
instructor then minimizes the command prompt window and clicks Administrative Tools in the
Start menu and navigates to Group Policy Management console. This opens the Group Policy
Management window. A Contents tab page is open in the window which displays Name and
under it the node Forest: corp.brocadero.com. The navigation pane consists of the node
Forest: corp.brocadero.com and the sub nodes - Domains, Sites, Group Policy Modeling and
Group Policy Results under it. The instructor then clicks on the Domains node and it displays
the sub node corp.brocadero.com. The instructor expands this sub node and this displays four
links, three for the GPOs - IPAM_DC_NPS, IPAM_DHCP and IPAM_DNS - and one for
Default Domain Policy.]

Here are the three different GPOs that it created for me. I have got one for the domain
controller, DHCP servers, and DNS servers all listed right there. Now notice there are no
security filters, which means it is not targeting any servers at this point and that is going to
occur once I do some server discovery. So let's go back now to the IPAM interface. The next
step is to Configure server discovery, so let's click on that. And I want to add
corp.brocadero.com, and I want to look for domain controllers, DHCP servers, and DNS
servers, click OK. And we will see it actually running here once I hit this Start server
discovery. So it is going to start actually running through those tasks and we will see, kind of,
an accumulated result here in a few minutes. Now when server discovery begins and
completes, you can see a list of servers that are available for management in this list here,
under SERVER INVENTORY.

[The Group Policy Management window is open. The instructor clicks the IPAM_DC_NPS link
and it opens the Group Policy Management Console dialog box. The instructor clicks OK. The
instructor then clicks each of the three links - IPAM_DC_NPS, IPAM_DHCP and IPAM_DNS -
and the corresponding page is displayed for each link when clicked. Next the instructor clicks
IPAM_DNS and it displays IPAM_DNS page which contains different tabs namely, Scope,
Details, Settings and Delegation. The Scope tab page is open. It consists of a section -
Security Filtering. The instructor navigates back to the IPAM interface and clicks the link
Configure server discovery. This opens the Configure Server Discovery wizard. It contains a drop-
down list Select Domains to discover and a list labeled Select the server roles to discover
which contains the columns namely, Domain, Domain controller, DHCP server and DNS
server. Select domains to discover drop-down list includes list items namely, (root domain)
DEV.BROCADERO.COM and (root domain) corp.brocadero.com. The instructor selects (root
domain) corp.brocadero.com and clicks on Add. As a result of this, (root domain)
corp.brocadero.com is automatically added under the Domain column in the Select the server
roles list. Also, checked boxes are displayed under the columns Domain controller, DHCP
server and DNS server, respectively. Next the instructor scrolls down and clicks OK. The IPAM
Server Tasks page is displayed again in the IPAM interface. The instructor clicks the link Start
server discovery. Next the instructor clicks the notification flag. It opens IPAM ServerDiscovery
task window. After the server discovery task is complete, the instructor clicks the link Select or
add servers to manage and verify IPAM access. This opens SERVER INVENTORY which is in
the navigation pane and displays the IPV4 page containing a list of Server Names, their
Manageability Status, IPAM Access Status and Recommended Action in the view pane.]

Now there are different statuses or states that are reported based on the communication
between the IPAM server and these managed servers. The first thing you need to do is set your
Manageability Status, and you can come in and edit these servers and say, "I want to
manage this server" or "I don't want to manage this server" and click OK to that. Now what you
are actually doing when you do that is adding that server to the Security Filtering field
in the Group Policy. And once the policy has been applied, the firewall rules and the different
group memberships that are part of this policy will also apply and you will be able to manage
that server. And what you will see is the status go from yellow or red to green,
meaning I can now manage that server and its DHCP and DNS Services through IPAM.

[The IPV4 page containing the list of Server Names, their Manageability Status, IPAM Access
Status and Recommended Action is open. The instructor selects Set Manageability Status for
DC1 server and right-clicks it. This displays a list of options namely, Edit Server, Retrieve All
Server Data, Refresh Server Access Status and Delete. The instructor selects the Edit Server
option which opens the Basic configurations dialog box. The Manageability status drop-down
list displays the three options - Unspecified, Specified and Managed, of which the instructor
clicks the "Managed" option. The instructor then clicks OK and navigates back to the Security
Filtering section of the Scope tabbed page where the server names DC1$ (CORP\DC1$) and
DC10$ (CORP\DC10$) are now displayed. The instructor then navigates to the IPV4 page and
a green check mark is displayed and the Manageability Status for DC1 is displayed as
Managed.]
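
The install, GPO provisioning, discovery and "mark as managed" steps from the two demos above as one script, as an added example that is not part of the course. It is run on the domain-joined (non-DC) IPAM server after the Provision IPAM wizard has been completed with Group Policy Based provisioning and prefix IPAM; it assumes the IpamServer cmdlets that ship with the 2012 R2 IPAM feature (the Boolean form of the Add-IpamDiscoveryDomain role switches is an assumption), the GroupPolicy module for Invoke-GPUpdate, and an assumed scheduled-task path for ServerDiscovery; corp.brocadero.com, the prefix IPAM and the server DC1 are the demo's names, and Set-IpamServerManaged is my own function.

```powershell
# Added example, not part of the course: install -> create GPOs -> scope discovery
# -> run discovery -> mark servers managed, as in the demo, run on the IPAM server.

$Domain    = 'corp.brocadero.com'   # demo domain
$GpoPrefix = 'IPAM'                 # wizard prefix -> IPAM_DC_NPS, IPAM_DHCP, IPAM_DNS

# 1. Feature plus management tools (the cmdlet the demo runs).
Install-WindowsFeature IPAM -IncludeManagementTools

# 2. The provisioning wizard does NOT create the GPOs; this does. -Force answers
#    the "create the GPOs?" prompt seen in the demo.
Invoke-IpamGpoProvisioning -Domain $Domain -GpoPrefixName $GpoPrefix -Force

# 3. Scope discovery to one domain and the three roles the demo selects. In a
#    distributed deployment this list is what keeps each IPAM server's purview
#    apart from the others.
Add-IpamDiscoveryDomain -Name $Domain -DiscoverDc $true -DiscoverDhcp $true -DiscoverDns $true

# 4. "Start server discovery" without waiting for the schedule (task path assumed;
#    the demo shows the task under the name ServerDiscovery).
Start-ScheduledTask -TaskPath '\Microsoft\Windows\IPAM\' -TaskName 'ServerDiscovery'

# 5. Marking a server Managed is what adds its computer account to the GPO's
#    Security Filtering. Access only turns green once Group Policy has applied on
#    the target, so trigger a refresh there and re-read the inventory entry.
function Set-IpamServerManaged {
    param([Parameter(Mandatory)][string[]]$ServerName)

    foreach ($name in $ServerName) {
        $entry = Get-IpamServerInventory |
                 Where-Object { $_.Name -like "$name*" } |
                 Select-Object -First 1
        if (-not $entry) {
            # Nothing to manage yet: discovery has not finished or the server is
            # outside the discovery scope configured in step 3.
            Write-Warning "$name is not in the IPAM inventory yet; has discovery finished?"
            continue
        }

        Set-IpamServerInventory -Name $entry.Name -NewManageabilityStatus Managed

        # Computer-side refresh on the target so the IPAM_* GPO (firewall rules and
        # group memberships) applies now rather than at the next interval.
        Invoke-GPUpdate -Computer $name -Target Computer -Force -RandomDelayInMinutes 0

        # Equivalent of "Refresh Server Access Status" in the console.
        Get-IpamServerInventory | Where-Object { $_.Name -eq $entry.Name }
    }
}

Set-IpamServerManaged -ServerName 'DC1'
```
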

2. Demo: Configure IPAM


So let's have a look now at working with my IP addresses in IPAM. Now one of the important
concepts is this notion of an IP address block; that is a large portion of your IP addresses that
can be carved up into smaller, more manageable units. So you have an IP address block,
which is made up of subnets, IP address ranges, and the individual IP addresses themselves.
Now to create these IP address blocks, you navigate to the section called IP
Address Blocks, and you can change your Current view between those different pieces. So
you have the IP address block, which is the larger portion for documentation purposes; then
you can build subnets underneath that that are part of an IP address block, ranges within a
particular subnet, and the individual IP addresses themselves.

[Windows Server Manager is open and the navigation pane displays the OVERVIEW,
SERVER INVENTORY, IP ADDRESS SPACE, VIRTUALIZED IP ADDRESS SPACE, and
MONITOR AND MANAGE nodes. The IP ADDRESS SPACE node is selected in the
navigation pane and the IP ADDRESS SPACE page is open. The IP ADDRESS SPACE
consists of sub nodes namely, IP Address Blocks, IP Address Inventory and IP Address Range
Groups. The instructor clicks IP Address Blocks. The IPV4 page opens and displays the drop-
down lists Current view and Tasks. The Current view drop-down list contains list of items - IP
Address Ranges, IP Addresses, IP Address Blocks and IP Address Subnets. The instructor
chooses IP Address Blocks as a result of which, a list with columns namely, Utilization,
network, Start IP Address, End IP Address, RIR, and a partially visible column Access... is
displayed. Next the instructor chooses IP Address Subnets option from the drop-down list. It
opens up a list consisting of columns namely, Utilization, Overlapping, Network, Name,
Virtualized and a partially visible column Access... Then the instructor again clicks the IP
Address Blocks option in the Current view drop-down list.]

So I have got two IP Address Blocks here. Let's say I wanted to create another one. I can
come in here and choose Add IP Address Block. And let's say I want to do 192.168.1.0,
this is going to be my IP address block; Prefix length, so it automatically detects that it is a 24-
bit or a Class C, so it gives me 24-bit prefix. Here is the start and stop of that range.

I can indicate a registry if it is a public IP address, and it knows...see I can't actually select the
Regional Internet registry, or RIR, and it knows that is actually a private reserved address. So
if I wish to put something in that was like 202, something like this, oops, let's do 1.0, notice it
automatically detects that this is a public IP address and it wants to know who my registrar is.
So I am going to go back now 192.168.1.0 and leave it like so. All right, then I can indicate
date, I can indicate Owner. This is all really useful in terms of documentation and for auditing.
So I know when this IP address block was introduced into my organization, who actually
introduced it, very useful just in terms of documentation. So I say OK to that, so that is an IP
address block.

[The IP ADDRESS BLOCKS node is selected in the Server Manager and the IPV4 page is
open in it. The instructor selects the first row from the table displayed on choosing the IP
Address Blocks option from the Current view: drop-down list. Then the instructor clicks the
Tasks drop-down list. The instructor chooses Add IP Address Block option from the list. This
opens Add or Edit IPv4 Address Block window which displays a table with columns namely,
Fields and Value. The Field consists following elements namely, Network ID, Prefix length,
Automatically assign address values, Start IP address, End IP address, Regional Internet
registry (RIR), Received date from RIR, Description, and Last assigned date. The instructor
enters 192.168.1.0 under the Value column against the Network ID field. Next the instructor
chooses 24 from the drop-down list as the value for Prefix Length. The values for Start IP
address and End IP address are automatically populated as 192.168.1.0 and 192.168.1.255,
respectively. In the Value column against the Regional Internet registry (RIR) field, the drop-
down list displays "Select" option. The instructor then goes back and changes the value
against Network ID to 202.0.1.0 as a result of which a red exclamation mark is displayed in the
Regional Internet registry (RIR) field. The instructor then clicks the drop-down list in the Value
column against Regional Internet registry (RIR) which displays a list of options namely,
Select..., AFRINIC, APNIC, ARIN, LACNIC and RIPE. The instructor again goes back and
changes the value of Network ID to 192.168.1.0. Against the Owner field, the instructor inserts
value "Jason" and clicks OK. The instructor navigates back to the list displayed on selecting IP
Address Blocks option from the Current view drop-down list.]

Then I can actually build subnets from within that block. So I can come in here, add an
additional IP address subnet. So in my case, I started off with a pretty small or narrow block,
so let's say I do 128 and my Network ID is going to be...oh the name I'm sorry I get those
backwards in my...skip that and put that there and we will just call this Building1, there we
go.

And so here is where it indicates a prefix length, so I am subnetting that IP address block
further. Then if I scroll down, I have other configurations I can include, like if I am going to use
this for cloud computing and virtualization, I can indicate this particular address is assigned for
the cloud Provider or for the Customer, so there is some integration there with network
virtualization. I can indicate custom fields that this block belongs to or is associated with. So this
is just adding data that could then be used for auditing and monitoring and for management.
So I can indicate, for instance, that this IP address block belongs to the HQ AD Site.

[The IP ADDRESS BLOCKS node is selected in the Server Manager and the IPV4 page is
open in it. The instructor chooses IP Address Subnets option from the Current view drop-down
list. The list corresponding to the IP Address Subnets opens up. The instructor clicks the Tasks
drop-down list and chooses Add IP Address Subnet option. Add IPv4 Address Subnet page
opens up and consists fields namely, Name, Network ID, Prefix length (0-32) and VLAN ID
under IP Address Subnet Properties. The instructor enters the value 192.168.1.128 in the
Network ID field. Next the instructor enters the value Building1 in the Name field. as a result of
which, the Prefix length field is automatically populated with the value 25. The instructor scrolls
down. The Enable network virtualization check box is displayed under IP Address Subnet
Virtualization Properties. The instructor enables it. On enabling, two options are displayed
against "Use IP address subnet for:" namely, Provider and Customer, of which the Provider
option is selected by default. The other fields displayed are - Provider IP address space,
Logical network and Network site. The instructor then disables the option. Under Custom
configurations, the "Custom field" and "Value" fields are displayed. The "Custom field" has a
drop-down list from which the instructor selects "AD Site" option. The "Value" field has a drop-
down list from which the instructor selects "HQ" option.]

Now before I go any further, let me show you that under IP ADDRESS...the IP ADDRESS
SPACE, I can actually come up to Manage and I can configure some of those fields. Like if I go
to IPAM Settings, I have got several different settings I can define, like the frequency with which
it does server discovery. But I can also Configure Custom Fields for labeling my IP
addresses, and IP Address Blocks, and subnets, and so forth. So for instance, here is the first one,
AD Site, and I went ahead and populated that with the list of the different sites I have in my
organization.

But I can also come in here and I can create my own custom field. So I can say that this needs
to be Multi-Value and I can come in here and I can put in different names like the
WestBuilding, building 2, and so forth. So I can list different buildings that this belongs to
or whatever custom field suits me. And so that when I go and actually create like an IP address
subnet or an address range or even an individual IP address, I can associate that with those
custom fields.

[The instructor navigates back to the list displayed on selecting IP Address Subnets. On the
Server Manager menu bar, the instructor clicks Manage menu and a list of menu options is
displayed, of which the instructor chooses IPAM settings option. This opens the IPAM Settings
window which consists different links such as: Configure Server Discovery, Configure Custom
Fields and Configure Custom Field Associations. The instructor clicks the Configure Custom
Fields link, which opens the Configure Custom Field window. The window displays two tables
namely, "Add custom fields:" under Step 1 and "Select a multi-value custom field above and
provide unique values for the field:" table under Step 2. The "Add custom fields:" consists of
columns namely, Custom Field Name, Multi-Value and Category. The instructor selects the first
row in the "Add custom fields:" table which consists of the following entries: "AD Site" under
Custom Field Name, "Yes" under Multi-Value and "Built-in" under Category, respectively. The
Custom Field value column of the Step 2 table consists following entries: Branch 1, East, HQ,
North and South. The instructor then adds a custom field in the "Add custom fields:"table and
enters the value "Building" under "Custom Field Name" column, selects the value "Yes" from
the drop-down list under "Multi-Value" column. The value under "Category" column is "User
defined". In the "Custom Field Value" in the "Select a multi-value custom field above and
provide unique values for the field:" table under Step 2, the instructor enters the entries -
WestBuilding and 2. Then the instructor clicks OK, following which a message box saying
"Custom Field Mapping is updated" opens. The instructor clicks OK on this message box. The
IPAM Settings window is displayed again. The instructor closes it and goes back to the table
displayed on selecting IP Address Subnets option from the drop-down list.]

So let's create an actual individual IP address. So if I go to IP addresses, you can see I have got a few
addresses already listed. And I am going to add an IP address and let's use one from my
existing block, so 10.0.3.10, and we will just put in a Medium Access Control, or MAC,
address. Then I indicate who it is going to be managed by, we are going to say IPAM; the
Device type, so I can indicate what type of device this is for, so let's say it is for a Printer. It is
In-Use; Assignment type indicates Static or Dynamic. If I scroll down here, I can include
additional information: who owns it, the Asset tag, Serial number, virtualization information.
Then I have DHCP Reservation Synchronization and this is pretty cool.

So I am going to select this to drop the MAC ID information, the MAC address from the
previous field into this one. And then Reservation server name, so I can pick what server I
want to build a DHCP reservation on so it will automatically create a reservation for me into the
existing scope. Now if I put in an IP address, it does not actually have a scope. So if I create
and add an address that is outside of, kind of, my DHCP scopes, then I will not be able to
select a server. It is smart enough to know what scopes are hosted on what servers.

[The table displayed on selecting IP Address Subnets option from the drop-down list is open in
IPv4 page. The instructor chooses the "IP Addresses" option from the "Current view" drop-
down list. This opens a IP Addresses page which contains a table having columns namely,
"Duplicate", "Expiry Status", "IP Address", "MAC Address" and partially visible column
"Managed by S...". The instructor selects the first row of the table which consists of the following
entries - "Yes" under the "Duplicate" column, "Not expired" under the "Expiry Status" column,
"10.0.3.103" under "IP Address" column and "MS DHCP" under the partially visible column
"Managed by S...". The instructor then selects Add IP Address Block option in the TASKS
drop-down list. This opens the Add IP Address window and various fields under Basic
Configurations are displayed in the window such as - IP address, MAC address, Managed by
service Service instance, Device type, Address state and Assignment type. The instructor
enters the value "10.0.3.10" in the IP address field and the value "aabbccddeeff" in the MAC
address field. In the Managed by service field, the instructor chooses the value "IPAM" from
the drop-down list. Next in the Device type field, the instructor chooses the value "Printer" from
the drop-down list. In the Assignment type field, the instructor chooses
the value "Dynamic" from the drop-down list. Then the instructor scrolls down, and more fields
namely, Expiry date, Description, Owner, Asset tag and Serial number are displayed on the
screen. The instructor scrolls down further and the fields namely, "Client ID", "Reservation
server name", "Reservation scope name", "Reservation scope detail", "Reservation name,
Reservation type", and "Reservation description" are displayed under DHCP Reservation
Synchronization. The instructor selects the "Associate MAC to Client ID" option, as a result of
which the "Client ID" field is auto populated with the value "AABBCCDDEEFF". Next the
instructor selects "DC1.corp.brocadero.com" from the drop-down list in the "Reservation server
name" field, following which the instructor enters the value "prn1" in the "Reservation name"
field.]

So what name do I want to give this? We will call it prn1. What Reservation type? DHCP. I
can apply an additional description here if I want to, and then automatically create the
reservation for this address. Look at this, DNS is also listed here. So we will call it prn1 and we
will put it in the corp.brocadero.com zone, what server, what reverse zone, what
reversed...what server is hosting that reverse zone, and then custom configuration. This is
where I can actually select, there is Building and I can say WestBuilding or whatever, so I
can add those custom fields and I can add additional fields if I need to. So we have got that. I
am going to click OK to this. Now it will create my IP address, give it just a second here,
there we go. So here is my IP address. If I scroll over, you can see its Device Name, it is a
Printer. You can see that the Reservation Exists and that is because of the checkmark that
said automatically create. But I don't actually have a host record yet because I didn't put the
checkmark there that automatically created that. But what I can do is I can right-click, Create
DNS Host Record, and I can actually trigger the creation of those records just with the right
click.

[The table displayed on selecting "IP Addresses" option is open. In the "Reservation
description" field the instructor enters following text "color printer". The instructor scrolls down
again and the "DNS Record Synchronization" section is displayed with the fields "Device
name", "Forward lookup zone", "Forward lookup primary server", "Reverse lookup zone" and
"Reverse lookup primary" and a check box "Automatically create DNS records for this IP
address"- under it. The instructor enters "prn1" in the "Device name" field, selects
"corp.brocadero.com" from the drop-down list in the "Forward lookup zone" field and chooses
"DC1.corp.brocadero.com" from the drop-down list in the "Forward lookup primary server" field.
Next the instructor selects value "3.0.10.in-addr.arpa" from the drop-down list in the "Reverse
lookup zone" field and chooses "DC1.corp.brocadero.com" from the drop-down list in the
"Reverse lookup primary server" field. The instructor scrolls down further and the "Custom
Configurations" section is displayed, displaying the "Custom field" with its corresponding drop-
down list and the "Value" field with its corresponding drop-down list. The instructor selects the
value "Building" from the drop-down list in the "Custom field" and chooses "WestBuilding" from
the drop-down list in the "Defined Configurations" field. This auto populates the columns of the
table under "Defined Configurations" sub section with the entry "Building" in the "Custom Field"
column and the entry "WestBuilding" in the "Value" column. Then the instructor again changes
the values in the "Custom Field" and "Value" field, to "AD Site" and "Branch 1" respectively,
and scrolls down to the bottom of the window, and clicks OK. This opens the "Add IPv4
Address" page in the Add IP Address window, and in the navigation pane, nodes namely,
"Basic Configurations", "Virtualization", "DHCP Reservation", "DNS Record", "Custom
Configuration" and "Summary", are displayed. The "Summary" node is selected. In the view
pane under "Add IPv4 Address", a table with the columns "Task", "Target" and "Status" is
displayed. The entry under "Task" is "Create IPAM IP Address", the entry under "Target" is
"Server Name:IPAM.corp.brocadero.com; IP Address:10.0.3.10" and the entry under "Status"
is "Success". The instructor then navigates back to the "IP Address" page and the table below
it displays the entry "AA-BB-CC-DD-EE-FF" in the MAC Address field. As the instructor scrolls
to the right, more columns namely, "Service instance", "Access Scope", "IP Range",
"Virtualized", "Device Name", "Device Type", "IP Address State", "Assignment Type", "Expiry
Date","DHCP Reservation Sync", "DHCP Host Record Sync" and "DNS PTR Record Sync",
are displayed. The entry under "DHCP Reservation Sync" is "Reservation Exists". The
instructor right clicks the "DNS Host Record Sync" in the table which opens a shortcut menu
with options namely, "Edit IP Address", "Create DHCP Reservation", "Create DNS
Host Record", "Create DNS PTR Record", "Delete DHCP Reservation", "Delete DNS Host
Record", "Delete DNS PTR Record" and "Delete". The instructor clicks "Create DNS Host
Record" option, which opens the Create DNS Host Record window. The "IP Addresses" page
is open again. The entry under "DNS Host Record Sync" is "create Status". Next the instructor
right clicks the "DNS PTR Record Sync" which opens the short cut menu again. The instructor
clicks "Create DNS PTR Record" option from the list which opens the window "Create DNS
PTR Record" window.]

In addition to documenting and managing your IP Address Space, you can also manage and
monitor those servers, those IP Services like DNS and DHCP. So I can click on the DNS and
DHCP server node and I can actually filter and look at the different roles. So Server Type DNS
and DHCP, I can see the status of each of those servers and I can scroll over and look at
additional information. More information is found in the Details View and this includes things like the
number of leases, whether or not I have auditing enabled, and if there are errors detected; a
whole list of different categories and I can, kind of, look at the additional settings here, kind of,
click through these; if I had DHCP Policies, I would see those; here is Event Viewer, so
additional details can be found by scrolling down. I can choose and filter which particular role I
want to examine, like on the DHCP role, here is a list of my DHCP servers and I can change
my View from Server Properties to Scope Properties. And under Scope Properties, I can
scroll over. It shows me the utilization in terms of the scope. You can see there is not a lot of
excitement here because this is a lab environment, but you can look at the percent that your
scopes have been utilized and you can scroll over and see if it has failover relationships.

[In the Server Manager "MONITOR AND MANAGE" node is selected and its sub nodes
namely, "DNS and DHCP Servers" and "DHCP Scopes" are displayed. The view pane displays
"MONITOR AND MANAGE" page. The instructor clicks "DNS and DHCP Servers" which
opens the IPv4 page with "Server Type" field, "View" field and "Tasks" drop-down list box. The
instructor selects "DNS and DHCP" server type in the drop-down list in the Server Type field.
This displays a table with columns "Server Availability", "Duration in Current State", "server
Name" and entries under it. The instructor scrolls to the right and more columns namely,
"Server Role", "Domain Name", "IP Address" and "Access Scope" are displayed. The instructor
scrolls down and in the Details View section, the "Server Properties" tabbed page is open. The
"Options", "Policies" and "Event Catalog" tabs are displayed beside the "Server Properties"
tab. The instructor scrolls back to the IPv4 page and changes the Server Type to "DHCP". In
the "View" field, the instructor selects "Scope Properties" from the drop-down list. A table is
displayed with columns namely, "Utilization", "Scope Status", "Scope Name", "Scope ID",
"Access Scope", "Prefix Length", "Lease Duration", "Percentage Utilized", "Superscope
Name", "Server Name", Server Availability" and "Failover Relationship Name".]

Now there is more we can do here as well. If I click on DHCP Scopes, here is a list of my
scopes, a lot of the same kind of information if I scroll to the right. I can right-click on this and I
can perform different administrative actions. So I can edit the DHCP scope, so this allows me
to come in here and change all kinds of things related to that DHCP scope. So I can do this
through IPAM centrally rather than open up DHCP Manager. So I can come in here and I can
change DNS Dynamic Updates and scope options and additional Advanced Properties. Other
things I can do is I can come in...in here and I can actually create reservations, I can configure
additional DHCP policies, activate, deactivate scope, configure DHCP failover settings or
remove failover configuration; quite a few management tasks that I can do in here. The last
thing I want to show you is DNS Zone Monitoring, so I can also retrieve information about the
status in my DNS zone.
You can see I have got some warnings here. If I click on my corp.brocadero zone, I scroll
down, I can see I have got a warning listed here, click on Authoritative Servers, you can see I
have one server that is reporting some errors and that is generating an alert here in my
monitoring window. So these are some of the things that you can do in IPAM, management as
well as important monitoring and detailed information.

[The "DNS and DHCP" sub node under MONITOR AND MANAGE is selected. The instructor
clicks the "DHCP Scopes" sub node which opens IPv4 page, and a table with columns
"Utilization", "Scope Status", "Scope Name", "Scope ID", "Access Scope", "Prefix Length",
"Lease Duration", "Percentage Utilized", and the instructor right clicks Scope Status. This
opens a short cut menu with a list of options, of which the instructor clicks the "Edit DHCP
Scope" option. The "Edit DHCP Scope" window opens up and the Edit scope page is open in
it. The navigation pane has "General", "DNS Updates", "Options", "Advanced", and "Summary"
nodes. The "General" node is selected in the navigation pane. The instructor clicks on "Show
All". The view pane displays "General Properties" under which different fields namely, "Scope
name", "Description", "Start IP address", "End IP address" and "Subnet mask" are displayed.
Below the field option for "Lease duration for DHCP clients" is displayed. As the instructor
scrolls down, sections corresponding to the "DNS Updates", "Options", "Advanced", and
"Summary" nodes are displayed. The instructor then closes the window and navigates to the
IPv4 page with Scope Properties selected in the drop-down list of Current View field. In the
table in Scope Properties, the instructor right clicks "Scope Status" column, which opens the
shortcut menu. The options namely, "Edit DHCP Scope", "Duplicate DHCP Scope", "Create
DHCP Reservation", "Configure DHCP Policy", "Remove DHCP Failover Configuration", of
which the instructor selects "Remove DHCP Failover Configuration". Next the instructor clicks
"DNS Zone Monitoring" sub node under "MONITOR AND MANAGE" which opens a table in
IPv4, with columns namely "Zone Status", "Duration in Current State", "Zone Name", and
partially visible column "Access Scope". The instructor selects the row with the following entries in the
table: "Warning" under "Zone Status", "8.20:06:52" under "Duration in Current State",
"corp.brocadero.com" under "Zone Name" and "\Global" under "Access Scope". The instructor
selects "corp.brocadero.com" and scrolls down to the "Details View" section, which consists of
tabs "Zone Properties" and "Authoritative Servers". The "Zone Properties" tabbed page is open
and it displays "Zone Name" as "corp.brocadero.com", "Zone Status for All Servers" as
"Warning", "Duration in Current State" as "8.20:06:52" and "Access Scope" as "\Global". The
instructor selects the tab "Authoritative Servers" and this opens the "Authoritative Servers"
tabbed page, which opens the table with columns "Server Name", "Zone Status", "Duration in
Current Status" and a partially visible column "Zone...". The instructor selects the
"RODC2.corp.brocadero.com" entry under "Server Name". The instructor then navigates back
to the "DNS Zone Monitoring" page.]
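
The block, subnet, custom-field and address steps of this demo as one added PowerShell example (not code from the course or from Microsoft's documentation). It assumes the IpamServer module's Add-IpamBlock, Add-IpamSubnet, Add-IpamCustomField, Add-IpamCustomValue, Add-IpamAddress and Get-IpamAddress with the parameter names shown, the "Field=Value" form of -CustomConfiguration, and the demo's lab names (DC1.corp.brocadero.com, corp.brocadero.com, 3.0.10.in-addr.arpa).

```powershell
# Added example: scripted version of the IPAM demo above, run on the IPAM server.
# Assumed: IpamServer module (RSAT-IPAM, Windows Server 2012 R2) and the
# parameter names used below.
Import-Module IpamServer

# 1. Document a private address block. No RIR is given: 192.168.0.0/16 is
#    RFC 1918 space, which is why the GUI would not accept a registry for it.
Add-IpamBlock -NetworkId '192.168.1.0/24' -Owner 'Jason' `
    -Description 'Lab block from the demo (constructed sample)'

# 2. Carve a /25 subnet out of the block and tag it with the built-in AD Site
#    field. The "Field=Value" string form of -CustomConfiguration is assumed.
Add-IpamSubnet -Name 'Building1' -NetworkId '192.168.1.128/25' `
    -CustomConfiguration 'AD Site=HQ'

# 3. Define the user custom field "Building" and one value for it
#    (cmdlet parameter names assumed).
Add-IpamCustomField -Name 'Building'
Add-IpamCustomValue -Name 'Building' -Value 'WestBuilding'

# 4. Add the printer address 10.0.3.10 inside an existing DHCP scope, creating
#    the DHCP reservation on DC1 and the forward/reverse DNS records in one go.
#    The MAC is a constructed sample taken from the demo; the Client ID is the
#    MAC without separators, as the "Associate MAC to Client ID" option did.
$mac = 'AA-BB-CC-DD-EE-FF'
Add-IpamAddress -IpAddress '10.0.3.10' -MacAddress $mac `
    -ManagedByService 'IPAM' -ServiceInstance 'Localhost' `
    -DeviceType 'Printer' -IpAddressState 'In-Use' -AssignmentType 'Dynamic' `
    -ClientId ($mac -replace '-', '') `
    -ReservationServer 'DC1.corp.brocadero.com' -ReservationName 'prn1' `
    -ReservationType 'Dhcp' -ReservationDescription 'color printer' `
    -DeviceName 'prn1' `
    -ForwardLookupZone 'corp.brocadero.com' `
    -ForwardLookupPrimaryServer 'DC1.corp.brocadero.com' `
    -ReverseLookupZone '3.0.10.in-addr.arpa' `
    -ReverseLookupPrimaryServer 'DC1.corp.brocadero.com' `
    -CustomConfiguration 'Building=WestBuilding;AD Site=Branch 1'

# 5. Read the record back, including the reservation and DNS sync state the
#    demo scrolled to in the grid, so the audit trail can be checked by script.
Get-IpamAddress -AddressFamily IPv4 |
    Where-Object { "$($_.IpAddress)" -eq '10.0.3.10' } |
    Format-List *
```

Because IPAM is the source of record here, a scheduled run of step 5 across all addresses is a cheap way to spot entries whose reservation or DNS record no longer exists on the servers.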

Advanced DHCP and DNS Configurations
Learning Objective
After completing this topic, you should be able to
◾ identify DHCP and DNS configuration requirements

1. Advanced DHCP
Now that you have learned about advanced IP management in IP Address Management, or
IPAM, in Windows Server 2012 R2, let's try an exercise and test what you have learned.

You are working as a server administrator for Easy Nomad Travel. You have been asked to
assess the current Dynamic Host Configuration Protocol, or DHCP, configuration so you can
recommend some high-availability functionality.

Question

You need to support multiple logical IP networks on a single physical subnet in a
multinet configuration. Which Dynamic Host Configuration Protocol, or DHCP, feature
enables a multinet configuration?

Options:

1. Superscopes
2. Multicast scopes
3. Dynamic Host Configuration Protocol for IPv6, or DHCPv6
4. DHCP failover

Answer

Option 1: Correct. Superscopes allow a DHCP server to lease addresses from
multiple scopes to clients on the same subnet.

Option 2: Incorrect. Multicast scopes enable servers to allocate multicast addresses
to clients using Multicast Address Dynamic Client Allocation Protocol, or MADCAP.

Option 3: Incorrect. DHCPv6 is used to issue Internet Protocol version 6, or IPv6,
addresses to DHCP clients.

Option 4: Incorrect. DHCP failover involves using multiple DHCP servers for high
availability.

Correct answer(s):

1. Superscopes

Question

You want to utilize a secondary server that doesn't issue IP address leases unless
the primary Dynamic Host Configuration Protocol, or DHCP, server goes offline.
Which DHCP failover mode should you use?

Options:

1. Hot standby
2. Load sharing
3. Split scope
4. Maximum Client Lead Time, or MCLT

Answer

Option 1: Correct. The Hot standby DHCP failover mode requires a replica DHCP
server to be configured that does not issue addresses while the primary is online.

Option 2: Incorrect. Load sharing requires two active Dynamic Host Configuration
Protocol, or DHCP, servers, both actively issuing addresses.

Option 3: Incorrect. Split scope is a DHCP high-availability feature that allows you to
split a DHCP scope between servers so that issuing can continue in the event of a
server failure.

Option 4: Incorrect. The MCLT is an interval in Hot standby failover during which the
standby DHCP server is issuing from a smaller pool of addresses.

Correct answer(s):

1. Hot standby

2. Securing DNS
You now turn your attention to the DNS servers. You are particularly concerned about security.

Question

Which DNS security feature randomizes the source port when issuing DNS queries?

Options:

1. DNS socket pool
2. DNS cache locking
3. DNS Security Extensions, or DNSSEC

Answer

Option 1: Correct. DNS socket pool is a security feature that randomizes the source
port for DNS clients, thus making cache poisoning attacks more difficult.

Option 2: Incorrect. DNS cache locking locks the DNS cache to mitigate cache
poisoning attacks.

Option 3: Incorrect. DNSSEC is a set of extensions to DNS that provide
authentication and data integrity.

Correct answer(s):

1. DNS socket pool

Question

Which DNS security feature enables a zone and all records in the zone to be
cryptographically signed?

Options:

1. DNS socket pool
2. DNS cache locking
3. DNS Security Extensions, or DNSSEC

Answer

Option 1: Incorrect. DNS socket pool randomizes the source port for DNS clients.

Option 2: Incorrect. DNS cache locking locks the DNS cache for a given percentage
of Time to Live, or TTL.

Option 3: Correct. DNSSEC is a set of extensions to DNS that work by
cryptographically signing DNS zones and records.

Correct answer(s):

3. DNS Security Extensions, or DNSSEC
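
The three features these questions cover, socket pool, cache locking and DNSSEC, as an added PowerShell audit (not code from the course or from Microsoft); it assumes the DnsServer module's Get-DnsServerSetting, Get-DnsServerCache, Set-DnsServerSetting, Set-DnsServerCache, Get-DnsServerResourceRecord and Invoke-DnsServerZoneSign, and reuses the demo's lab zone corp.brocadero.com.

```powershell
# Added example: check a Windows Server 2012 R2 DNS server for the three
# hardening features discussed above and return findings for anything weak.
# Assumed: DnsServer module (RSAT-DNS) and the cmdlets/properties used below.
Import-Module DnsServer

function Test-DnsHardening {
    param(
        [string]$ComputerName = 'localhost',
        [string]$ZoneName                      # optional: zone expected to be signed
    )
    $findings = @()

    # 1. Socket pool: SocketPoolSize is how many UDP source ports the server
    #    randomises over. 0 means a fixed port, which makes forged responses
    #    (cache poisoning) far easier; 2500 is the shipped default.
    $setting = Get-DnsServerSetting -ComputerName $ComputerName -All
    if ($setting.SocketPoolSize -lt 2500) {
        $findings += "SocketPoolSize is $($setting.SocketPoolSize); expected 2500 or more"
    }

    # 2. Cache locking: LockingPercent is the share of a record's TTL that must
    #    elapse before a cached entry can be overwritten by a new response.
    #    100 means an entry is never overwritten before its TTL expires.
    $cache = Get-DnsServerCache -ComputerName $ComputerName
    if ($cache.LockingPercent -lt 100) {
        $findings += "Cache LockingPercent is $($cache.LockingPercent); expected 100"
    }

    # 3. DNSSEC: a signed zone publishes DNSKEY records; none means unsigned.
    if ($ZoneName) {
        $dnskey = Get-DnsServerResourceRecord -ComputerName $ComputerName `
            -ZoneName $ZoneName -RRType DnsKey -ErrorAction SilentlyContinue
        if (-not $dnskey) {
            $findings += "Zone $ZoneName has no DNSKEY records; it is not DNSSEC signed"
        }
    }
    return $findings
}

# Weak settings, shown only for comparison with the hardened ones below:
#   $s = Get-DnsServerSetting -All; $s.SocketPoolSize = 0; Set-DnsServerSetting -InputObject $s
#   Set-DnsServerCache -LockingPercent 0
#
# Hardened settings that make Test-DnsHardening return no findings:
#   $s = Get-DnsServerSetting -All; $s.SocketPoolSize = 2500; Set-DnsServerSetting -InputObject $s
#   Set-DnsServerCache -LockingPercent 100
#   Invoke-DnsServerZoneSign -ZoneName 'corp.brocadero.com' -SignWithDefault -Force

# Usage on the lab zone from the demo; an empty result means all three checks passed.
Test-DnsHardening -ZoneName 'corp.brocadero.com'
```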

© 2018 Skillsoft Ireland Limited
