70-411: Administering Windows Server 2012 Chapter 3 Configure Network Services and Access.

70-411: AdministeringWindows Server 2012

Chapter 3Configure Network Services and Access

Objective 3.1: ConfiguringDNS Zones

© 2013 John Wiley & Sons, Inc. 3

Understanding DNS• Domain Name System (DNS) is a

naming service used by TCP/IP networks and is an essential service used by the Internet.

• Translates URLs to IP addresses.• Early TCP/IP networks performed name

resolution using hosts files stored locally on each computer.


Benefits of DNS

Ease of use and simplicity

Scalability

Consistency


Understanding DNS Names and Zones

• Fully qualified domain names (FQDNs) map a host name to an IP address.

• Example:o computer1.sales.microsoft.com represents an

FQDNo computer1 host is located in the sales domain,

which is located in the Microsoft second-level domain, which is located in the .com top-level domain


DNS Hierarchy


DNS Terms• Each node or leaf in the domain name tree is

a resource record (RR), which holds information associated with the domain name.

• Top-level domains consist of generic top-level domains and international country codes.

• Second-level domains are registered to individuals or organizations.

• A host is a specific computer or other network device in a domain.


Address Resolution Mechanism

Using a recursive query to perform DNS forwarding, when needed


Address Resolution Mechanism

Performing an iterative query


Primary and Secondary Zones

• Primary zone: Provides an authoritative, read-write copy of the zone.

• Secondary zone: Provides an authoritative, read-only copy of the primary zone.

• Forward lookup zone: Contains most of the resource records for a domain. Used primarily to resolve host names to IP addresses.

• Reverse lookup zone: Used to resolve IP addresses to host names.


Primary and Secondary Zones

A server can host all primary zones, all secondary zones, or a mix of primary and secondary zones as follows:• Primary name servers: Servers that

host primary zones.• Secondary name servers: Servers that

host secondary zones.


Active Directory-Integrated Zones

• DNS can be stored in and replicated with Active Directory, as an Active Directory-integrated zone.

• By using Active Directory-integrated zones, DNS follows a multi-master model:o Each server enables all DNS servers to have

authoritative read-write copies of the DNS zone.

• A change made on one DNS server replicates to other DNS servers.


Benefits of Using Active Directory to

Store DNS

Fault Tolerance Security

Efficient Replication


Configuring Zone Delegation

• A DNS subdomain is a child domain that is part of a parent domain and has the same domain suffix as the parent domain.

• Subdomains allow you to :o Assign unique names to be used by a particular

department, subsidiary, function, or service within the organization.

o Break up larger domains into smaller, more manageable domains.


Stub Zones• A stub zone:

o Is a copy of a zone that contains only necessary resource records in the master zone and acts as a pointer to the authoritative name server.

oAllows the server to forward queries to the name server that is authoritative for the master zone without going up to the root name servers and working its way down to the server.


Caching-Only Servers• A caching-only server does not host any

zones and is not authoritative for any domain.

• It receives client requests, and as the DNS servers fulfill DNS queries, the server adds the information to its cache.


Configuring Forwarding/ Conditional Forwarding

• When a client contacts a DNS server and the DNS server does not know the answer, it performs an iterative query to find the answer.

• DNS servers can be configured to be forwarded to another DNS server or a conditional forwarder based on the domain name queried.

• A forwarder controls name resolution queries and traffic.o Can improve the efficiency of name resolution on a

network.


Zone TransfersEvents that trigger a zone transfer:• The initial transfer occurs when a

secondary zone is created.• The zone refresh interval expires.• The DNS Server service is started at the

secondary server.• The master server notifies the secondary

server that changes have been made to a zone.


Three Types ofZone Transfers

Full Incremental

DNS Notify

Objective 3.2: Configuring

DNS Records


DNS Records• A DNS zone database is made up of a

collection of resource records, which are used to answer DNS queries.

• Each resource record (RR) specifies information about a particular object.

• Each record has a type, an expiration time limit, and some type-specific data.


DNS RecordsMany of the resource records are automatically created:• Clients or the DHCP servers create the

host and Pointer (PTR) records.• When you install a DNS server, NS records

are usually created.• When you install domain controllers,

Service Location (SRV) records are created.


Creating and Configuring DNS Resource Records

When you create a new zone, two types of records are automatically created:

SOA •Specifies authoritative information about a DNS zone

NS •Specifies an authoritative name server for the host


Most CommonResource Records

• Host (A and AAAA) record: Maps a domain/host name to an IP address.

• Canonical Name (CNAME) record: Sometimes referred to as an Alias, maps an alias DNS domain name to another primary or canonical name.

• Pointer (PTR) record: Maps an IP address to a domain/host name.

• Mail Exchanger (MX) record: Maps a DNS domain name to the name of a computer that exchanges or forwards e-mail for the domain.

• Service Location (SRV) record: Maps a DNS domain name to a specified list of host computers that offer a specific type of service, such as Active Directory domain controllers.


Name Server (NS) Records

• The Name Server (NS) resource record identifies a DNS server that is authoritative for a zone including the primary and secondary copies of the DNS zone.

• Because a zone can be hosted on multiple servers, there is a single record for each DNS server hosting the zone.

• The Windows Server DNS Server service automatically creates the first NS record for a zone when the zone is created.


Host (A and AAAA) Records

• DNS Host records: A and AAAA• The "A" stands for address.• The A record maps a domain/host name to

an IPv4 address.• The AAAA record maps a domain/host

name to an IPv6 address.


Canonical Name (CNAME) Records

• The Canonical Name (CNAME) resource record is an alias for a host name.

• It used to hide the implementation details of your network from the clients that connect to it, particularly if you need to make changes in the future.

• Example:o Instead of creating a Host record for www, you can

create a CNAME that specifies the web server that hosts the www websites for the domain. If you need to change servers, you just point the CNAME to another server’s Host record.


Pointer (PTR) Records• The Pointer records (PTR) resolve host

names from an IP address.• Different from the Host record, the IP

address is written in reverse.• For example, the IP address 192.168.3.41

that points to server1.sales.contoso is:

41.3.168.192.in-addr.arpa. IN PTR server1.sales.contoso.com


Mail Exchanger (MX) Records

• The Mail Exchanger (MX) resource record specifies an organization’s mail server, service, or device that receives mail via Simple Mail Transfer Protocol (SMTP).

• For fault tolerance, you can designate a second mail server.

• Although each external mail server requires an MX record, the primary server is designed with a lower priority number.


Mail Exchanger (MX) Records

• For example, if you have three mail servers that can receive e-mail over the Internet, you would have three MX records for the contoso.com domain:@ IN MX 5 mailserver1.contoso.com.@ IN MX 10 mailserver2.contoso.com.@ IN MX 20 mailserver3.contoso.com.

• The primary mail server is the first one because it has a lower priority number.


Service Location (SRV) Records

• SRV resource records are used to find specific network services.

• The format for an SRV record:Service_Protocol.Name [TTL] Class SRV Priority Weight Port Target


Service Location (SRV) Records

• For example, to log in with Lightweight Directory Access Protocol (LDAP), you could have the following SRV records for two domain controllers:ldap._tcp.contoso.com. IN SRV 0 0 389 dc1.contoso.com.ldap._tcp.contoso.com. IN SRV 10 0 389 dc2.contoso.com.


Configuring Record Options

• The DNS console provides a GUI interface for managing resources for Windows servers.

• Before you can create resource records, you need to first create the appropriate:o Forward lookup zoneso Reverse lookup zones


Configuring Round Robin

• Round robin is a DNS balancing mechanism that distributes network load among multiple servers by rotating resource records retrieved from a DNS server.

• By default, DNS uses round robin to rotate the resource records returned in a DNS query where multiple resource records of the same type exist for a query’s DNS host name.

• Round robin can be enabled or disabled by opening the server properties within the DNS Manager console.


Configuring Secure Dynamic Updates

• DNS supports dynamic updates, where resource records for the clients are automatically created and updated at the host’s primary DNS server.

• For Active Directory-integrated zones, these records are automatically replicated to the other DNS servers.

• Because standard dynamic updates are insecure, Microsoft added secure dynamic updates.


Configuring Secure Dynamic Updates

• Standard dynamic updates are not secure because anyone can update a standard resource record.

• If you enable secure dynamic updates, only updates from the same computer can update a registration for a resource record.


Configuring Zone Scavenging

• By default, Windows updates its own resource record at startup time and every 24 hours after startup.

• As some records become stale and are not removed or updated, the DNS database becomes outdated.

• To help with stale data, you can configure zone scavenging to clean up the stale records.

• Aging in DNS is the process of using timestamps to track the age of dynamically registered resource records.

• Scavenging is the mechanism to remove stale resource records.


Configuring Zone Scavenging

To enable aging and scavenging:• Resource records must either be

dynamically added to zones or manually modified to be used in aging and scavenging operations.

• Scavenging and aging must be enabled both at the DNS server and on the zone.


DNS Troubleshooting Tools

IPConfig command

NSLookup command

DNS Console


IPConfig• ipconfig /all displays the full TCP/IP

configuration for all adapters including host name, DNS servers, and the physical address (or MAC address).

• ipconfig /flushdns flushes and resets the contents of the DNS client resolver cache.

• ipconfig /displaydns displays the contents of the DNS client resolver cache, which includes both entries preloaded from the local hosts file and any recently obtained resource records for name queries resolved by the computer.


IPConfig• ipconfig /registerdns initiates manual

dynamic registration for the DNS names and IP addresses that are configured at a computer.

Objective 3.3: Configuring VPN and

Routing


Routing and Remote Access (RRAS) Terms

• Remote access server (RAS): A server that enables users to connect remotely to a network, even across the Internet, using various protocols and connection types.

• Routing and Remote Access (RRAS): A Microsoft application programming interface that provides remote access.


RRAS Functionality• A virtual private network (VPN) gateway

where clients can connect to an organization’s private network using the Internet.

• Connect two private networks using a VPN connection using the Internet.

• A dial-up remote access server, which enables users to connect to a private network using a modem.


RRAS Functionality• Network address translation (NAT), which

enables multiple users to share a single public network address.

• Provide routing functionality, which can connect subnets and control where packets are forwarded based on the destination address.

• Provide basic firewall functionality and allow or disallow packets based on addresses of source and/or destination and protocols.


Configuring Routing and Remote Access

Options for configuring RRAS:• Remote access (dial-up or VPN)• Network address translation (NAT)• Virtual private network (VPN) access and

NAT• Secure connection between two private

networks• Custom configuration


Configuring RRAS for Dial-Up Remote Access

• Dial-up remote access enables remote computers to connect to a network via a modem.

• Remote computers act as though connected locally.

• Dial-up connections have much slower transfer speeds compared to DSL, cable technology, and other forms of networking.

• To support multiple dial-users that connect simultaneously, you must have a modem bank that supports multiple modem connections over the phone lines.


Virtual Private Networks

• Virtual private networks (VPNs) link two computers or network devices through a wide-area network (WAN) such as the Internet.

• The data sent between the two computers or devices across a VPN is encapsulated and encrypted.


VPN Connections

Encapsulation

Authentication

Data encryption

Data integrity


Tunneling Protocols

Point-to-Point Tunneling Protocol (PPTP)

Layer 2 Tunneling Protocol (L2TP)

IKEv2

Secure Socket Tunneling Protocol (SSTP)


VPN Authentication

User-level

•Uses Point-to-Point Protocol (PPP) authentication.•Is usually username and password

Computer-level

•Uses IKE to exchange certificates or pre-shared key•Is performed only for L2TP/IPsec connections


Windows 8/Server 2012 VPN

Authentication

Password Authentication Protocol (PAP)

Challenge Handshake Authentication Protocol (CHAP)

Microsoft CHAP version 2 (MS-CHAP v2)

Extensible Authentication Protocol (EAP-MS-CHAPv2)


Configuring Split Tunneling

• Can route a client's Internet browsing through a home Internet connection rather than going through the corporate network.

• Disable the Use Default Gateway on Remote Network option.

• Disabling this option is called using a split tunnel.


Troubleshooting Remote Access

Problems

Check connectivity and network name resolution.

Check logs.

Use ipconfig, ping, tracert, and nslookup.


Network Address Translation (NAT)

• Enables a LAN to use one set of IP addresses for internal traffic and a second set of addresses for external traffic.

• As a result, you can:o Provide a type of firewall by hiding internal IP

addresses.o Enable multiple internal computers to share a

single external public IP address.


Network Address Translation (NAT)

The private network addresses as expressed in RFC 1918:• 10.0.0.0–10.255.255.255• 172.16.0.0–172.31.255.255• 192.168.0.0–192.168.255.255


Demand-Dial Routing• Demand-dial routing is a connection to

a remote site that is activated when data is sent to the remote site and disconnected when there is no more data to be sent.

• Can reduce connection costs.


DHCP Relay Agent• DHCP requires a range of IP addresses that

can be distributed.• A scope defines a single physical subnet

on a network to which DHCP services are offered.

• DHCP server has to be physically connected to the subnet, or you have to install a DHCP Relay Agent or DHCP Helper on the subnet that relays the DHCP requests to the DHCP server.

Objective 3.4: Configuring DirectAccess


DirectAccess• Overcomes limitations of VPNs• Automatically establishes a bi-directional

connection from client computers to the network using IPsec and IPv6

• Transition mechanisms for IPv6:o 6to4o Teredoo Intra-Site Automatic Tunnel Addressing

(ISATAP )


DirectAccess Server Requirements

• The server must be part of an Active Directory domain.

• The server must be running Windows Server 2008 R2 or Windows Server 2012.

• If the DirectAccess server is connected to the intranet and published over Microsoft Forefront Threat Management Gateway (TMG) or Microsoft Forefront Unified Access Gateway 2010 (UAG), a single network adapter is required. o If the DirectAccess server is connected as an edge

server, it will need two network adapters (one for the Internet and one for the intranet).



• Implementation of DirectAccess in Windows Server 2012 does not require two consecutive static, public IPv4 addresses as was required with Windows Server 2008 R2. o To achieve two-factor authentication with a

smart card or Operational Data Provider (OTP) deployment, DirectAccess server still needs two public IP addresses.



• You can deploy Windows Server 2012 DirectAccess behind a NAT support, which avoids the need for additional public addresses. o Only IP over HTTPS (IP-HTTPS) is deployed,

allowing a secure IP tunnel to be established using a secure HTTP connection.

• With Windows Server 2012, you can use Network Load Balancing (up to eight nodes) to achieve high availability and scalability for both DirectAccess and RRAS.


Network Infrastructure for

DirectAccess• An Active Directory domain• Group policy• One domain controller• Public Key Infrastructure (PKI)• IPsec policies


Network Infrastructure for

DirectAccess• Internet Control Message Protocol Version

6 (ICMPv6) Echo Request traffic• IPv6 and transition technologies such as

ISATAP, Teredo, or 6to4• (Optional) Network Access Protection

(NAP)


DirectAccess Client Requirements

Operating system• Windows 7 Enterprise

Edition, Windows 7 Ultimate Edition, Windows 8, Windows Server 2008 R2, or Windows Server 2012

Client must be joined to an Active Directory domain


Implementing Client Configuration

DirectAccess Connectivity Assistant (DCA)

• Window 7 and Windows Server 2008 R2

Network Connectivity Assistant (NCA)

• Windows 8


Implementing Infrastructure Servers• DirectAccess clients use the network

location server (NLS) to determine their locations.

• To configure an NLS:o Install IIS on a Windows server.o For a website, bind a name and associate a NLS

DNS name to the IP address.o Make sure the server is highly available.

• Ensure that DirectAccess clients can correctly detect when they are on the Internet.


Configuring DNS for DirectAccess

• DirectAccess requires internal and external DNS.

• DirectAccess requires two external DNS A records:o DirectAccess server, such as

directaccess.contoso.como Certificate Revocation List (CRL), such as

crl.contoso.com

• Internally, DNS needs the DNS records for the NLS server and one for the CRL.


Configuring DNS for DirectAccess

• ISATAP provides a transition between networks that are based on IPv4 to IPv6.

• If you need to use ISATAP, remove ISATAP from the DNS global query block list by executing this command:

dnscmd /config /globalqueryblocklist isatap


Configuring Certificates for DirectAccess

The DirectAccess server requires these certificates:• The IP-HTTPS listener on the DirectAccess

server requires a Web site certificate• The DirectAccess client must be able to

contact the server hosting the CRL for the certificate.

• The DirectAccess server requires a computer server to establish the IPsec connections with the DirectAccess clients.


Troubleshooting DirectAccess

• The DirectAccess client computer must run Windows 8, Windows 7 Ultimate, or Windows 7 Enterprise edition.

• The DirectAccess client computer must be a member of an Active Directory Domain Services (AD DS) domain and its computer account must be a member of one of the security groups configured with the DirectAccess Setup Wizard.

• The DirectAccess client computer must have received computer configuration Group Policy settings for DirectAccess.

• The DirectAccess client must have a global IPv6 address, which should begin with a 2 or 3.



• The DirectAccess client must be able to reach the IPv6 addresses of the DirectAccess server.

• The DirectAccess client on the Internet must correctly determine that it is not on the intranet. You can type the netsh dnsclient show state command to view the network location displayed in the Machine Location field (outside corporate network or inside corporate network).

• Use the netsh namespace show policy command to show the NRPT rules as configured on the group policy.

• Use the netsh namespace show effectivepolicy command to determine the results of network location detection and the IPv6 addresses of the intranet DNS servers.



• The DirectAccess client must not be assigned the domain firewall profile.

• The DirectAccess client must be able to reach the organization’s intranet DNS servers using IPv6. You can use Ping to attempt to reach the IPv6 addresses of intranet servers.

• The DirectAccess client must be able to communicate with intranet servers using application layer protocols. If File and Printer Sharing is enabled on the intranet server, test application layer protocol access by typing net view \\IntranetFQDN.

• Use the DirectAccess Connectivity Assistant on computers running Windows 7 and Network Connectivity Assistant on computers running Windows 8 to determine the intranet connectivity status and to provide diagnostic information.

70-411: Administering Windows Server 2012 Chapter 3 Configure Network Services and Access.

Documents

Transcript of 70-411: Administering Windows Server 2012 Chapter 3 Configure Network Services and Access.