What is the most common use for DNS
Resolving Host Names to an IP
Naming structure in DNS
DNS Namespace
DNS NameSpace is
hierarchical
Internet facing Domain names
Non-internal names that can be seen on the web
What does Internet Corporation for Assigned Names and Numbers (ICANN) do
Register Domain Names
A DNS Server responds to a request for DNS Records that are made by
DNS Resolvers
What is a DNS Resolver
A client that needs to resolve DNS Records
DNS Resolver Cache
When a client saves the answer to a question it has already asked
Command to see DNS Client Cache
Get-DnsClientCache
DNS Zone
The NameSpace that the DNS Server is responsible for
Most common record type
Host Record
What is a host record used for
It is used to resolve a Host Name to an IP Address
When using AD DS the DNS Server contains information relating to
The name of the Domain
Reverse Lookup Zone
Takes an IP and gives a name
Why would you want to use Reverse Lookup Zone
In case an Admin wants to log a certain IP, they may use it to find the name of the computer that has the IP
For best practice with Reverse Lookup Zones you should create them
for all the IP address ranges on your internal network and host them on your internal DNS servers.
What would be the range in Reverse Zone Lookup for 192.168.26.91 255.255.255.0
26.168.192.in-addr.arpa
Reverse Lookup Zones are always based on a ____ of the IP address
full octet
You can only do what in the primary zone
create, edit, or delete resource records
Can you manage the record in the secondary Zone?
NO
You can store DNS Records either
locally or in AD DS
If you store the zone data in AD DS you get
Active Directory Integrated Zone which has additional features, such as secure dynamic updates
Active Directory Integrated Zone is only Available on
Windows Domain Controllers
The purpose of a stub zone would be to
provide a list of name servers that can be used to resolve information for a domain without synchronizing all the records locally.
For a stub server to work the following are synchronized
name server records, their corresponding host records, and the start of authority record
DNS Records are stored where
DNS Zones
DNS Records have the information needed to respond to
DNS Request
A start of authority record for a zone contains
configuration information for the zone, including the name of the primary DNS server and how often secondary servers should be synchronized. There is only one per zone.
Name Server (NS)
record identifies a DNS server for the domain. There is one name server record for each DNS server that has a copy of the zone.
The most common record type created in reverse lookup zones is
Pointer Record (PTR)
A pointer record is used to
Resolve an IP to a Name
Time to Live (TTL)
State how long DNS Responses can be Cached
By default which group can manage all aspects of a DNS server in its home domain
Domain Admins
Which group can manage all of the DNS server within a forest by default
Enterprise Admins
You can also use what to manage DNS servers
IP Address Management (IPAM)
Stale records
A resource record that may be wrong and is taking up valuable space on a DNS Server
Aging is determined by which two variables
No-refresh interval
Refresh interval
no-refresh interval
a period during which the client does not update the DNS record if there are no changes. By default the interval is 7 days
Refresh Interval
The time span after the no-refresh interval in which the client can refresh the record. If it is not updated during this time it becomes eligible for scavenging. If it is updated the no-refresh interval restarts. The default time is 7 days.
How often does a client try to refresh its record
on startup and every 24 hours while the system is running.
To perform aging and scavenging you need to
enable aging on the zone containing the resource records and enable scavenging on a DNS server
Static Records you enter manually are not affected by
Aging and scavenging
Where is the primary zone that is not stored in AD DS file located
%windir%\System32\DNS, with the file name ZoneName.dns (example: YouTube.com.dns)
How to backup an AD integrated zone
dnscmd.exe or the Export-DnsServerZone cmdlet
You must create a DNS Resource Record before it can be resolved within the DNS Infrastructure. How can this be done
Either manually or, the most common way, dynamically
Why is dynamic creation better
Clients will automatically register and update their DNS resource records
Some common ways to trigger Dynamic DNS Registration
When the client starts, and the DHCP client service starts
Every 24 hours while the DHCP client service is running
When an IP address is configured, added, or changed on any network connection
When an administrator executes the Register-DNSClient cmdlet
When an administrator runs the ipconfig /registerdns command
Dynamic updates can only happen when?
When the client talks to the DNS Server that holds the primary zone
Zone file vs AD DS stored zone
One is stored locally on the Server while the other is in AD DS on the domain controllers and on the Server locally
If you choose to put the zone in AD DS you can choose from the following options:
All DNS servers running on domain controllers in this forest.
All DNS servers running on domain controllers in this domain.
All domain controllers in this domain (for Windows 2000 compatibility).
All domain controllers in the scope of this directory partition
How are zone records synchronized from a primary to a secondary
By performing a zone transfer
If you choose to allow zone transfers what are your options
Any Server - allows any server to request a Zone Transfer. Not recommended for security reasons
Only Servers listed - This option is useful if you are already adding the DNS servers hosting secondary zones as name servers for the zone.
Only the following servers - This option allows you to specify a list of servers that are allowed to request zone transfers.
Why would you configure notifications for zone transfers
To let secondary servers know changes are available. Allows for faster synchronization.
Secure dynamic updates ensure that only
the client that owns the name can update its DNS record and not someone else with the same name.
Secure dynamic updates only works if
the zone is AD integrated
DNS forwarding
If a client is looking for a resource and a DNS server can't find it, it will forward the request to another DNS server or on to a public DNS server such as Google's 8.8.8.8
Forwarders
If a DNS server receives a request for a zone for which it is not authoritative, and which is not already cached by the server, the DNS server forwards that request to a ____. A DNS server uses a forwarder for all unknown zones.
Conditional forwarding can be configured for
Individual DNS Domains
Conditional forwarding applies only to
a single DNS domain
Trusted AD DS forests and partner organizations often use what feature
Conditional forwarding
When creating a conditional forwarder you can have it stored in either
AD DS or locally; if stored in AD DS it can be replicated to all DCs in the domain or forest
AD DS is highly dependent on ____ working
DNS
DNS is required to store the ____ records that domain-joined clients use to locate the DCs
SRV
Another name for SRV records
locator records
A domain controller advertises its services by creating
SRV Records in DNS
SRV Records Map
services to host names
SRV Records contain what information
The service name, the port, and the protocol (TCP or UDP)
Lightweight directory access protocol (LDAP) port number
389
Kerberos Port number
88
Kerberos Password (KPASSWD) port number
464
Global catalog services port number
3268
TCP and UDP are
Transport protocols
Microsoft clients only use ____ while UNIX Clients may use ____
TCP and Both
Host (A) record
Host name record
To force a DC to recreate its SRV record you can
restart the NetLogon service or the domain controller
NetLogon service does what
dynamically registers the SRV records
If a DNS Server running AD integrated zone were to go down
Another Domain Controller with integrated zones will keep the DNS for that zone up and running
Any domain controller with a replicated zone can write to
Active Directory integrated zones
An active Directory integrated zone can be replicated by
Attributes, thus avoiding replicating the entire file
Secure dynamic updates can be enforced on
Active Directory Integrated Zones
Active Directory Integrated Zones let you delegate
administration of zones via ACLs
DNS Policies let you
manipulate how DNS servers manage queries based on different factors
Scenarios for using DNS Policies
Application High Availability
Traffic Management
Split - Brain DNS
Filtering
Split - Brain DNS
Client receives a response based on whether they are internal or external
Filtering
DNS queries are blocked if they are from a list of malicious IPs or fully qualified domain names (FQDNs)
Forensics
Malicious DNS clients are redirected to a sinkhole instead of the computer they are trying to reach.
Time of Day Based Redirection
Clients are redirected to datacenters based on the time of the day.
DNS Policy Objects are required to use
DNS Policies
Policy Objects
Client Subnet
Recursion Scope
Zone Scope
Recursion Scope
a list of forwarders and specifies whether recursion is used.
Zone Scopes
DNS zones can have multiple ____, and each ____ can contain its own set of DNS resource records. The same resource record can be present across multiple scopes, with different IP addresses depending on the scope. Additionally, zone transfers can occur at the zone-scope level.
Client Subnet
You create subnets to later define policies that you apply based on the subnet that generates the requests. For example, you might have a split-brain DNS scenario where the name resolution request for www.contoso.com can be answered with an internal IP address to internal clients, and a different IP address to external clients.
Recursion policies only apply when query processing reaches the
recursion path
Domain Name System Security Extensions (DNSSEC) does what
Protects clients that are making DNS queries from accepting false DNS responses
The high-level steps for deploying DNSSEC are:
Sign the DNS zone
Configure the trust anchor distribution
Configure the name resolution policy table (NRPT) on client computers
A trust anchor is an
authoritative entity that is represented by a public key
If DNS is running on a domain controller, where are the trust anchors stored
On DNS servers on DCs in the forest; otherwise they are stored locally in %windir%\system32\dns\TrustAnchors.dns
The Name Resolution Policy Table (NRPT) contains rules that control the
DNS client behavior for sending DNS queries and processing the responses from those queries
Group Policy is the preferred method of configuring the
Name Resolution Policy Table (NRPT)
Host (A) Record
Records used to resolve a name to an IPv4 address