How to Deploy and configure DNS 2016 – (Part2)
In Part 1 we had a chance to explore the zones that were created when Active Directory was set up, so let's take a look at creating our own zones.
Now there are several reasons you may need your own zones. One example is that you have namespaces that have nothing to do with Active Directory and you want to be able to do name resolution for them, such as web servers, SharePoint apps, etc. So let's create one.
I will configure it on my DC01 (which is a domain controller and also my DNS server).
Right-Click on Forward Lookup Zones and select New Zone
The Welcome to the New Zone Wizard page pops up. Click Next.
On the Zone Type page, the first question we have to answer is what kind of zone we want, and this is a very important question. I will create a Primary Zone (when you create a primary zone it is the read/writable copy, which means I can add and delete records in it).
I also want to store this zone in AD. Now what's the primary benefit of Active Directory integrating your zones? It is much more secure: the zone data lives in AD and is replicated with it, and only an AD-integrated zone can be restricted to secure dynamic updates. Click Next.
(I will also show you what happens if I uncheck that, later in this post.)
On the Active Directory Zone Replication Scope page, we need to specify which servers we want this replicated to. I will leave the defaults and click Next.
On the Zone Name page, type in the name and click Next.
On the Dynamic Updates page, we need to decide whether we want dynamic updates and, if so, how we want them done. Again, a client can update its own IP address, which makes our lives much easier because we don't have to do it manually, and with DHCP possibly assigning that client a different address this works out best. But what's the most secure option? That's the first one, Allow only secure dynamic updates, which means the client has to be authenticated in order to do the update. Now, not all of your machines are going to be able to authenticate; some may not be members of the domain, so you may need to set this to Allow both nonsecure and secure dynamic updates. This isn't as secure as the first one, but it might be an option you have to use. It does introduce some vulnerabilities: somebody could be making updates that you aren't aware of. You can also choose Do not allow dynamic updates. We'll take the middle one. I'll click Next.
Now it will create the zone. Click Finish.
And that’s it. Our zone is created.
Let’s create another Primary Zone but this time I will uncheck Store the zone in Active Directory….
Right-Click on Forward Lookup Zones and select New Zone
The Welcome to the New Zone Wizard page pops up. Click Next.
On the Zone Type page, leave Primary Zone but uncheck Store the zone in Active Directory…. Click Next.
On the Zone Name page, type in the name and click Next.
Zone File page: here comes the interesting part. This time we're going to create a file. What this means is that all the information for this zone is going to go into this file, which is located under Windows\System32\dns (we can navigate out there and look at it if we want). This file is on your machine; it's not in Active Directory, it's not going to get replicated, and you don't have any fault tolerance. This is, I don't want to say the old-fashioned way, but if you don't have Active Directory or you don't want the zone integrated, this is the normal way to create a zone. So I'm going to hit Next.
Again, we get the dynamic update options (the default is Do not allow dynamic updates). Notice that we can't select Allow only secure dynamic updates: that option only works if the zone is integrated in AD. I will take the middle one and click Next, then Finish.
It will create the zone, and the zone pretty much looks and works the same way. Only now, if I go into the Properties of this zone, it's not Active Directory Integrated; it's a primary zone and it's running.
If we want to integrate this zone in AD, we can click on Change and select Store the zone in Active Directory….
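The same two zones created with PowerShell instead of the wizard, followed by an audit for zones that still accept nonsecure updates and the conversion that the Change button performs. This is an added example, not code from the original post; it assumes the DnsServer module on DC01 and uses the hypothetical zone names apps.example and legacy.example.

```powershell
# Added example (not from the original post). Assumes the DnsServer module on DC01;
# apps.example and legacy.example are hypothetical zone names.
Import-Module DnsServer

# First wizard run: primary zone, stored in AD, replicated to all DNS servers in the
# domain, accepting only secure (authenticated) dynamic updates.
Add-DnsServerPrimaryZone -Name 'apps.example' -ReplicationScope Domain -DynamicUpdate Secure

# Second wizard run: standard primary kept in a file under %SystemRoot%\System32\dns.
# 'Secure' is not available for a file-backed zone, so this is the "middle" choice.
Add-DnsServerPrimaryZone -Name 'legacy.example' -ZoneFile 'legacy.example.dns' `
    -DynamicUpdate NonsecureAndSecure

# Audit: list every primary zone on the server that accepts unauthenticated dynamic
# updates. Any host on the network can add or overwrite records in such a zone, so each
# hit should either be made AD-integrated and switched to Secure or be a conscious choice.
function Get-WeakDynamicUpdateZone {
    param([string]$ComputerName = $env:COMPUTERNAME)
    Get-DnsServerZone -ComputerName $ComputerName |
        Where-Object { $_.ZoneType -eq 'Primary' -and -not $_.IsAutoCreated -and
                       $_.DynamicUpdate -eq 'NonsecureAndSecure' } |
        Select-Object ZoneName, IsDsIntegrated, DynamicUpdate, ReplicationScope
}
Get-WeakDynamicUpdateZone

# Remediation, equivalent to Change... / Store the zone in Active Directory: move the
# file-backed zone into AD, then tighten its update policy to Secure.
ConvertTo-DnsServerPrimaryZone -Name 'legacy.example' -ReplicationScope Domain -Force
Set-DnsServerPrimaryZone -Name 'legacy.example' -DynamicUpdate Secure
Get-DnsServerZone -Name 'legacy.example' | Format-List ZoneName, IsDsIntegrated, DynamicUpdate
```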
SECONDARY ZONE
We just completed creating primary zones, both Active Directory Integrated and standard primary, and remember that primary zones are the master copies: the read/writable copies that I can edit and add records to. As I was saying, Active Directory Integrated makes our life easier because it replicates the zone to other DNS servers, kind of giving us our own fault tolerance, but if you're not using Active Directory Integrated it's just a file on your local DNS server. In the case of this primary there is no other backup copy. Well, in real life here's how we handle this, and in your environment you may already be doing it: when I have a primary zone that isn't Active Directory Integrated, I want to have another copy of it, both for fault tolerance and to spread the query load, and we can use another DNS server to act as its secondary.
Let's create a secondary zone. Before that, I will add my second DNS server, DC02, which is not a domain controller, to this console.
Right-Click DNS and select Connect to DNS Server
Type in your second DNS server and click OK.
On DC01:
Let's configure the zone transfer first. Right-click on the zone you want to transfer (MEHIC.SE in my case) and select Properties. Switch to the Zone Transfers tab and select Only to servers listed on the Name Servers tab.
Notify: when you click on this button you can configure notifications so that the secondary server knows when records are changed or modified.
Click on it, select Automatically notify (if not already selected) and choose Servers listed on the Name Servers tab.
Switch to the Name Servers tab and add our second DNS server to the list.
Now switch to your second DNS server and right-click on Forward Lookup Zones and select New Zone
The Welcome to the New Zone Wizard page pops up. Click Next.
On the Zone Type page, select Secondary Zone. The Store the zone in Active Directory option is disabled: you can't have secondaries that are integrated with Active Directory, and it tells you right here that this is going to create a copy of that primary. Click Next.
On the Zone Name page, give your zone a name (the same name as the primary zone, MEHIC.SE in my case) and click Next.
On the Master DNS Servers page, put in your primary DNS server's name or IP address; this is where you tell your secondary DNS server where to copy all the DNS information from. When you type in the IP, press Tab to resolve it. Click Next.
Click Next and Finish. Wait a few seconds and that's it.
If you don't see the records on your second DNS server, you can right-click on the zone and select Transfer from Master.
Remember: you cannot make any DNS changes from your secondary DNS server. A secondary zone is read-only; any DNS changes have to be made on the primary.
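The zone transfer restriction, notification and secondary zone from the steps above, done with PowerShell, plus a check that the secondary is actually keeping up with the primary. This is an added example, not code from the original post; it assumes the DnsServer module, the zone MEHIC.SE on DC01, and the hypothetical addresses 192.168.0.10 for DC01 and 192.168.0.11 for DC02.

```powershell
# Added example (not from the original post). Assumes the DnsServer module;
# the IP addresses below are hypothetical.
Import-Module DnsServer
$zone        = 'MEHIC.SE'
$primary     = 'DC01'
$primaryIp   = '192.168.0.10'   # hypothetical
$secondary   = 'DC02'

# --- On DC01 (Zone Transfers tab): allow AXFR/IXFR only to servers that have an NS
# record in the zone, and notify those same servers when the zone changes.
Set-DnsServerPrimaryZone -ComputerName $primary -Name $zone `
    -SecureSecondaries TransferToZoneNameServer -Notify Notify

# --- On DC01 (Name Servers tab): register DC02 as a name server for the zone.
Add-DnsServerResourceRecord -ComputerName $primary -ZoneName $zone -Name '@' -NS `
    -NameServer "$secondary.$zone."

# --- On DC02 (New Zone wizard, Secondary Zone): pull the zone from DC01.
Add-DnsServerSecondaryZone -ComputerName $secondary -Name $zone `
    -ZoneFile "$zone.dns" -MasterServers $primaryIp
Start-DnsServerZoneTransfer -ComputerName $secondary -Name $zone -FullTransfer   # "Transfer from Master"

# Check: a secondary that cannot transfer keeps answering from stale data until the SOA
# expire timer runs out. Compare the SOA serial on both servers; a mismatch after a
# refresh means the transfer is being refused or notifications are not arriving.
function Test-SecondaryInSync {
    param([string]$ZoneName, [string]$Primary, [string]$Secondary)
    $serial = foreach ($srv in $Primary, $Secondary) {
        (Get-DnsServerResourceRecord -ComputerName $srv -ZoneName $ZoneName -RRType Soa).RecordData.SerialNumber
    }
    [pscustomobject]@{
        Zone            = $ZoneName
        PrimarySerial   = $serial[0]
        SecondarySerial = $serial[1]
        InSync          = ($serial[0] -eq $serial[1])
    }
}
Test-SecondaryInSync -ZoneName $zone -Primary $primary -Secondary $secondary
```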
STUB ZONE
As I said, a secondary zone is a read-only copy of a primary zone. Basically, we can use them to offload some of the DNS traffic, such as queries, from areas of our network that are more heavily used. If the primary zone were to become unavailable, the secondary zone could provide name resolution until the primary zone is restored.
A stub zone is also a copy of a zone, but it stores only the name server (NS) and SOA records, plus the glue A records for those name servers. They can be used to minimize network traffic. Stub zones are kept up to date automatically from their master, so a server hosting a parent zone can use one to keep a current list of the authoritative servers for a child zone. We can integrate them in AD so that the zone is available domain- or forest-wide, depending on the replication scope.
Now, it's really, really useful if you've got a relationship with a partner organization: instead of setting up a full secondary of their zone, you can configure a stub zone on your DNS server, and when your clients query your DNS server, they are referred to the most up-to-date location of the name servers for that stub zone.
Let's create a stub zone.
I have one primary zone called StubZone on my second DNS server DC02.
I will create the stub zone on my primary DNS server, DC01, and point it to that one.
On your primary DNS server (DC01 in my case), right-click on Forward Lookup Zones and select New Zone.
The Welcome to the New Zone Wizard page pops up. Click Next.
On the Zone Type page, select Stub Zone. I will store mine in AD. Click Next.
On the Active Directory Zone Replication Scope page, we need to specify which servers we want this replicated to. I will leave the defaults and click Next.
On the Zone Name page, give your zone a name (you can click Browse and browse to the zone on the second DNS server that hosts the zone you want to copy) and click Next.
On the Master DNS Servers page, put in the name or IP address of the DNS server hosting the primary zone (in my case DC02); this is where you tell DC01 where to copy the zone information from. When you type in the IP, press Tab to resolve it. Click Next and Finish.
Notice that we have no records on DC01. If I check on DC02 I will find 2 A records.
If you refresh, or right-click and choose Transfer from Master, nothing happens.
If I try, for example, to ping the host with IP 192.168.0.50 by name from my DC01, it will find the IP.
It found it because of the stub zone on DC01. My DNS server said: look, I should be able to resolve this, so I'm going to go over to DC02, where the records really exist, pick the answer out of there and give it back to the client who asked for it. What this means is that, if I'm that DNS server and those records are being updated frequently, rather than holding a stored copy on my side that might get out of date, this always gets you the latest records. So those are the three primary zone types. Remember: you can have a primary zone that's Active Directory Integrated or not, and a stub zone that's Active Directory Integrated or not; however, a secondary of some other DNS server's primary can't be Active Directory Integrated.
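The stub zone from the steps above created with PowerShell, showing which records it really holds, how DC01 still answers queries for it, and a check that the stub's NS list matches the master. This is an added example, not code from the original post; it assumes the DnsServer module, the zone StubZone on DC02 at the hypothetical address 192.168.0.11, and a hypothetical host record host1.StubZone on DC02.

```powershell
# Added example (not from the original post). Assumes the DnsServer module;
# 192.168.0.11 and host1.StubZone are hypothetical.
Import-Module DnsServer

# Same as the wizard: stub zone on DC01, stored in AD, with DC02 as master.
Add-DnsServerStubZone -ComputerName 'DC01' -Name 'StubZone' -MasterServers '192.168.0.11' `
    -ReplicationScope Domain

# What the stub holds: only SOA, NS and the glue A records of the name servers.
# The host A records on DC02 are never copied, so "Transfer from Master" changes nothing.
Get-DnsServerResourceRecord -ComputerName 'DC01' -ZoneName 'StubZone' |
    Group-Object RecordType | Select-Object Name, Count

# Resolution still works through DC01: the stub tells it which server is authoritative,
# and DC01 fetches the current answer from DC02 on the client's behalf.
Resolve-DnsName -Name 'host1.StubZone' -Type A -Server 'DC01' -DnsOnly

# Check: the stub refreshes its NS list from the master, so the two lists should match.
# A difference means the stub points at a stale or wrong master.
function Test-StubNameServers {
    param([string]$ZoneName, [string]$StubHost, [string]$Master)
    $stubNs   = @((Get-DnsServerResourceRecord -ComputerName $StubHost -ZoneName $ZoneName -RRType Ns).RecordData.NameServer | Sort-Object)
    $masterNs = @((Get-DnsServerResourceRecord -ComputerName $Master   -ZoneName $ZoneName -RRType Ns).RecordData.NameServer | Sort-Object)
    [pscustomobject]@{
        Zone     = $ZoneName
        StubNs   = $stubNs -join ', '
        MasterNs = $masterNs -join ', '
        Match    = -not (Compare-Object $stubNs $masterNs)
    }
}
Test-StubNameServers -ZoneName 'StubZone' -StubHost 'DC01' -Master 'DC02'

# The three zone types side by side: primary (AD-integrated or file-backed),
# secondary (never AD-integrated), stub (AD-integrated here, with a master list).
Get-DnsServerZone -ComputerName 'DC01' | Where-Object { -not $_.IsAutoCreated } |
    Select-Object ZoneName, ZoneType, IsDsIntegrated, MasterServers
```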
REVERSE LOOKUP ZONE
A reverse lookup zone is mostly created and configured if the network is very large, and/or for testing purposes. A reverse lookup zone is a special type of primary or secondary zone that's used to resolve IP addresses to fully qualified domain names, instead of fully qualified domain names to IP addresses. Using Windows Server DNS you can configure either an IPv4 reverse lookup zone or an IPv6 reverse lookup zone.
Reverse lookups are possible because of a special domain called the in-addr.arpa domain, which provides a separate fully qualified domain name for every possible IP address on the Internet.
To create a reverse lookup zone, open DNS Manager; the easiest way is to run PowerShell as administrator and type dnsmgmt.
In DNS Manager, right-click on Reverse Lookup Zones and select New Zone.
The Welcome to the New Zone Wizard page pops up. Click Next.
I will create a Primary Zone and also store it in AD. Click Next.
On the Active Directory Zone Replication Scope page, we need to specify which servers we want this replicated to. I will leave the defaults and click Next.
On the first Reverse Lookup Zone Name page, I will leave the defaults (IPv4 Reverse Lookup Zone) and click Next.
On the next Reverse Lookup Zone Name page, in the Network ID field type the network ID that the current DNS domain uses, 192.168.0 in my case (this becomes the zone 0.168.192.in-addr.arpa), and click Next.
On the Dynamic Update page, leave the default settings and click Next.
On the Completing the New Zone Wizard page, click Finish to finally create the new reverse lookup zone for the selected network.
To enable a reverse lookup for a particular IP address, all you have to do is create a PTR record in a reverse lookup zone (a zone that is authoritative for a portion of the in-addr.arpa domain). The PTR record maps the in-addr.arpa domain name for the address to the host’s actual domain name.
Right-click on an A record in the Forward Lookup Zone and choose Properties.
Tick the Update associated pointer (PTR) record box and click OK.
Switch back to the reverse lookup zone and hit refresh (F5) if you don't see the record.
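The reverse lookup zone and PTR record from the steps above created with PowerShell, followed by a forward/reverse consistency check and an audit for stale PTR records. This is an added example, not code from the original post; it assumes the DnsServer module on DC01, the 192.168.0 network and MEHIC.SE zone from the post, and a hypothetical host web01 at 192.168.0.50.

```powershell
# Added example (not from the original post). Assumes the DnsServer module on DC01;
# web01 and its address 192.168.0.50 are hypothetical.
Import-Module DnsServer

# Same as the wizard: AD-integrated primary reverse zone for network ID 192.168.0
# (the zone 0.168.192.in-addr.arpa), accepting secure dynamic updates only.
Add-DnsServerPrimaryZone -NetworkId '192.168.0.0/24' -ReplicationScope Domain -DynamicUpdate Secure

# The "Update associated pointer (PTR) record" tick box: create the A record and its PTR
# in one step. The PTR's host name inside the reverse zone is the last octet ("50").
Add-DnsServerResourceRecordA -ZoneName 'mehic.se' -Name 'web01' -IPv4Address '192.168.0.50' -CreatePtr

# Check that both directions resolve and agree (forward-confirmed reverse DNS).
function Test-ForwardReverseMatch {
    param([string]$HostName, [string]$Server = 'DC01')
    $fwd = Resolve-DnsName -Name $HostName -Type A -Server $Server -DnsOnly -ErrorAction SilentlyContinue
    foreach ($ip in $fwd.IPAddress) {
        $rev = Resolve-DnsName -Name $ip -Type PTR -Server $Server -DnsOnly -ErrorAction SilentlyContinue
        [pscustomobject]@{ Host = $HostName; IP = $ip; PtrName = $rev.NameHost
                           Match = ($rev.NameHost -eq $HostName) }
    }
}
Test-ForwardReverseMatch -HostName 'web01.mehic.se'

# Audit: PTR records whose forward name no longer resolves to that address. Stale PTRs
# survive re-addressing and mislead any log analysis that relies on reverse lookups.
function Get-StalePtrRecord {
    param([string]$ReverseZone = '0.168.192.in-addr.arpa', [string]$Prefix = '192.168.0', [string]$Server = 'DC01')
    Get-DnsServerResourceRecord -ComputerName $Server -ZoneName $ReverseZone -RRType Ptr | ForEach-Object {
        $ip   = "$Prefix.$($_.HostName)"
        $name = $_.RecordData.PtrDomainName.TrimEnd('.')
        $a    = (Resolve-DnsName -Name $name -Type A -Server $Server -DnsOnly -ErrorAction SilentlyContinue).IPAddress
        [pscustomobject]@{ IP = $ip; PtrName = $name; ForwardOk = ($a -contains $ip) }
    } | Where-Object { -not $_.ForwardOk }
}
Get-StalePtrRecord
```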
What we covered!
- What is Primary Zone
- What is Secondary Zone
- What is Stub Zone
- What is Reverse Lookup Zone
- Difference Between zones
- How can we create those zones