Windows DNS Zone Demonstration

Captions
Welcome to the ITFreeTraining demonstration on how to create zones using Windows DNS. This video will cover how to create primary, secondary and stub zones and reverse lookup zones, and how these zones can replicate changes with each other. After you finish watching this video you will be able to create your own DNS zones in your own company and replicate these with external companies as required.

To do this I will change to my computer running Windows 8. To configure DNS zones I will use DNS Manager, installed as part of the Remote Server Administration Tools on Windows 8. To open DNS Manager, open Charms, type dnsmgmt.msc in the search box and select the DNS icon when it appears. When prompted I will enter the computer name NYDC1, which is my New York domain controller, which is also running DNS Server.

If I expand down through DNS to Forward Lookup Zones, you can see the zone itfreetraining.local that was created automatically when the domain was created. To see what type of zone it is I will right-click on the zone and select Properties. Here you can see that this zone type is an Active Directory integrated zone. This zone will automatically be replicated with the Active Directory database; all domain controllers that have the DNS role installed on them will be able to access the data in this zone using the Active Directory database.

Even though the zone has already been created, it can be changed at any time by pressing the Change button. It is possible to change the zone from a primary to a secondary zone or a stub zone; however, the option that I will deselect in this case is "Store the zone in Active Directory". Once I press OK I will receive a warning message that this will remove the zone from Active Directory. This will essentially remove the zone from Active Directory and store the data in a primary zone file, which in this case is what I want. In a production environment I would most likely leave it in Active Directory, but for the sake of the demonstration I will uncheck this option, which will move the data from Active Directory and store it in a text file on the server.

Notice that once the change is made, Dynamic Updates has been changed to None. Before, it was configured to Secure only. Secure only allowed clients to add their computer name to the zone as a host record. Secure dynamic updates use the secure channel created when the computer is added to the domain; thus secure dynamic updates are only possible for computers that are in the domain. If I select Dynamic Updates, notice that the only options that are available are None and Nonsecure and Secure. By changing the zone type from Active Directory integrated, the effect is to lose the ability to allow only secure updates: if you want to allow dynamic updates you also need to allow non-secure updates. Non-secure updates present a security risk, as a hacker could insert their own records in the DNS zone. In a later video I will look at how DHCP can be integrated with DNS to provide updates for clients that cannot use secure updates. This provides a workaround for situations where you cannot use dynamic updates or the client does not support them, for example clients that cannot be members of the domain.

I have another server on the domain that is a member server that is running DNS. On this server I will add a secondary zone. This server is running Windows; however, you could also create a secondary zone on a non-Microsoft system like Linux. To connect to the other DNS server I will right-click on DNS at the top and select the option Connect to DNS Server. When prompted I will enter the server name SRV1. Now that the second server has been added, I can administer it just like I can with the first DNS server.

To create a secondary zone on this server I will right-click Forward Lookup Zones and select New Zone to start the New Zone Wizard. Once I'm past the welcome screen I will select Secondary zone on the Zone Type screen and move on. The next screen will ask for the zone name. The zone name is basically the DNS name that you want to replicate, so in this case I will enter itfreetraining.local, since this is the zone that I want to replicate. On the next screen I need to enter the name or IP address of the DNS server that this secondary zone will get information from. It should be pointed out here that even though the server that I'm getting this information from holds a primary zone, there is nothing stopping you from getting this information from a DNS server that holds a secondary zone. The point to remember is that if there are multiple secondary zones then there is a chain of replication; this will increase the time taken for a change in the primary zone to reach the last secondary zone.

Notice that when I enter NYDC1 I get an error saying "validation error, please try again later". In this case I know the problem is that the primary zone on NYDC1 has not been configured to allow zone transfers, a problem that I will fix in just a moment. For the present I will ignore this in the wizard, move on to the last screen and press Finish to complete the wizard, and the secondary zone will be created. Notice that when I select the newly created secondary zone, no data is available. In the error message, notice that it states the transfer of zone data from the master server failed.

To configure the primary zone to allow zone transfers, right-click the primary zone on NYDC1 and select Properties. Once the properties are open, select the tab Zone Transfers. To enable zone transfers I need to tick the tick-box Allow zone transfers. By default the option To any server will be selected. This can be a security risk, as it effectively allows anyone who asks for it to receive a full copy of the zone data; this includes a hacker attempting to footprint your network. I will change this to the second option, Only to servers listed on the Name Servers tab. To see which servers are there I will select the tab Name Servers. The DNS servers shown here are all the DNS servers in the zone file that have NS records, or name server records. Since this zone file was Active Directory integrated originally, two name server records have been created for the two domain controllers that exist on my network that have the DNS role installed. These two domain controllers are LADC1 and NYDC1.

To understand how the name server records work, consider this network. On this network there are two DNS servers in the ITFreeTraining network that hold the itfreetraining zone. ITFreeTraining also does some work for another company called HighCostTraining, and thus there is a secondary zone that has been created on the HighCostTraining server. If you have a third party that wanted to obtain the most up-to-date DNS records for ITFreeTraining, which DNS server should the third party contact? In order to determine this, the name server record is used. So the name server records should contain a DNS server that is considered to be an authority for that zone, or, to put it another way, is considered to be the best source of information about that zone. ITFreeTraining has complete control over the DNS servers that are holding the secondary zone and thus can ensure that the DNS records on the server are always up to date. For this reason, even though the DNS zone on the server is a secondary zone, the DNS server is considered to have up-to-date data, and so it would make sense to create a name server record for this DNS server.

If you consider the secondary zone on the HighCostTraining DNS server, would you consider this data to be authoritative data, and thus should a name server record be created for it? The answer in this case is no. Since the secondary zone is stored on a server that is managed by another company, there is no guarantee that the data will be kept up to date. For example, if the company changed a rule in their firewall, this rule may prevent the DNS server from getting updates. I have seen this situation before, where the company only realized there was a problem with DNS replication when a user reported they could not access a resource on the network. Since the DNS server already contains DNS records, the user may be able to access everything they need; it could be months before a problem is reported, if at all.

In this case, if I press Add and add SRV1 as a name server, you will notice that when I add the server I will get a message stating that the server with this IP address is not authoritative for the required zone. This is to be expected: since the server has not been added yet, it is not authoritative; after I add the server it will be, so it is safe to ignore this message and move on. Once the DNS record is created, if I go back to the secondary zone stored on SRV1, notice that there are still no DNS records shown. This is because the zone file has not replicated yet. If I right-click the zone and select the option Transfer from Master, this will force a replication to occur. Once replication has occurred I need to press F5 to force a refresh to see the data. The zone will automatically replicate from the primary zone.

If I go back to the forward lookup zones on NYDC1, I will open the properties of the primary zone. I can see how replication occurs by selecting the Start of Authority tab. In the middle you can see the Refresh interval is set to 15 minutes; under this is the Retry interval of 10 minutes. This means that the secondary zone will attempt to contact the primary zone every 15 minutes to see if there are any changes. If it is not successful, it will attempt again to contact the primary zone every 10 minutes for changes. Notice at the top is the serial number for the zone. Each time a change is made to the zone file this number is incremented. This is how the secondary zone knows if it has the most up-to-date copy of the zone: all the DNS servers need to do is compare the serial number on the primary zone with the serial number on the secondary zone to see if any changes have been made.

It may confuse some viewers, when making changes to zone files, that changes are made to SOA records or NS records using the properties of the zone rather than modifying the record directly. For example, when you have a host record, you can see the information that you are adding and also you can see the physical record appear in the zone file. To show how these particular DNS records are stored in the zone, I will open Windows Explorer and open the hidden administrative share on NYDC1. This is created by default in Windows to help administrators perform maintenance on their servers. If I now go to the directory Windows\System32\dns, you can see the zone file for itfreetraining.local. This contains all the data for the itfreetraining.local zone. You will also notice in the zone file the NS record for SRV1; this was created by the DNS Manager tool. Also above this is the SOA record for the zone. Although you will never see these records in the zone when you are looking in DNS Manager, they are essentially created in the zone file like any other DNS record. If I scroll down the file you will notice all the DNS records that exist in the zone. Essentially what happens is the DNS Manager interface modifies the appropriate DNS records; it essentially provides a user-friendly interface to modify the DNS records. However, regardless of which settings you are configuring, it is essentially making changes to the appropriate DNS record.

If I now go back to DNS Manager, the next zone that I want to look at is the stub zone. To create a stub zone, right-click Forward Lookup Zones and select New Zone. Once past the welcome screen, select Stub zone on the Zone Type screen. A stub zone can be stored in Active Directory, so I will leave the tick box Store the zone in Active Directory ticked and move on. Since the zone is stored in Active Directory, the next screen will ask which domain controllers I want to replicate the zone to. In this case I will change the default option, domain only, to the top option, To all DNS servers running on domain controllers in this forest. On the next screen I need to enter the zone that I want to create the stub zone for, in this case highcosttraining.local. On the next screen I need to enter the IP address of the HighCostTraining DNS server. Notice that I get an error message stating "validation error, please try again later". Essentially what has happened is there is no security configured on the DNS server to allow this DNS server to access any records. As we will see in a moment, no security is required on the DNS server in order to use stub zones; all the DNS server needs access to is the SOA and NS records on the server. These DNS records are generally publicly available on a DNS server, so that should not be a problem.

Once I press Next and then select Finish, the wizard will be completed and the stub zone has been created. You will notice that when I select the stub zone, the required DNS records have been transferred from HighCostTraining. No special permissions were configured on the HighCostTraining DNS server, and in fact they are in a completely different domain, which at this time does not have a trust relationship between ITFreeTraining and HighCostTraining. This essentially means that the DNS server could obtain these DNS records from the HighCostTraining DNS server using only the default security settings configured when the DNS server was installed.

The last zone type that I will look at is the reverse lookup zone. If you have the IP address and you want to find out the host name for that IP address, the reverse lookup zone can be used to find out this information. Reverse lookup zones are not needed for day-to-day activity, but they are useful to have when troubleshooting. To create one, right-click Reverse Lookup Zones and select the option New Zone. The procedure is much the same as creating a forward lookup zone. Once past the welcome screen, like a forward lookup zone you can choose whether the zone is a primary zone, secondary zone or stub zone, and if it is to be stored in Active Directory. In this case I will choose Primary zone and leave the option Store the zone in Active Directory ticked. Once I move to the next screen, on that screen I need to decide which domain controllers to replicate the zone data to; in this case I will select to replicate the data to all domain controllers in the forest. On the next screen I need to decide if the reverse lookup zone is for IPv4 or IPv6. I will go through creating both zones; for this zone I will leave it on the default of IPv4 and move on. On the next screen I need to decide which network ID this reverse lookup zone applies to. For the network ID I can enter something as short as 192; the New Zone Wizard will create the required network mask based on the network ID you enter. In this case I will create a reverse lookup zone for all the New York network, so I will enter the network ID for New York. On the next screen I need to decide which setting to use for dynamic updates. If I had created a primary lookup zone and stored it in Active Directory I would have been given this option; since the zones that I created earlier were not stored in Active Directory, the wizard did not ask for this setting. Once I press Next and then Finish to finish the wizard, the reverse lookup zone will be created. As you can see there are no records in this zone as yet. As new records are created, the administrator will have the option to create the reverse lookup entry also. When DNS records are created using dynamic updates, the associated pointer record will be created and stored in the reverse lookup zone.

I will now create an IPv6 reverse lookup zone following the same procedure I used for the IPv4 zone. Like last time I will create a primary zone and store it in Active Directory, and choose to have the zone replicated to all domain controllers in the forest. So far the wizard has been the same, except for choosing IPv6 reverse lookup zone rather than IPv4. On the next screen I need to enter the address prefix the reverse lookup zone will work on. In this case you need to enter the full address including the number of bits used in the prefix; Windows does not work out the number of bits in the prefix and will not allow you to continue until a complete address is entered. In this case I will enter the address starting with fd, with 64 as the number of bits. The lookup zone will hold all IP addresses for the New York network. On the next screen I need to decide the settings for dynamic updates. I will leave it on the default setting of Allow only secure dynamic updates and then finish the wizard. The reverse lookup zone is now created and ready for use.

That covers it for creating zones in Windows using Microsoft DNS. This is only one of the free videos for DNS and other free courses from ITFreeTraining. I hope you found this video useful, and see you next time.
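The same sequence of zone changes the video performs in DNS Manager, written as an added PowerShell example using the DnsServer module (this is not code from the video or from ITFreeTraining). The server and zone names follow the video (NYDC1, SRV1, itfreetraining.local, highcosttraining.local); all IP addresses and the IPv6 prefix fd00:0:0:1::/64 are assumptions constructed for the example, and the Test-ZoneInSync function is a helper written here, not a DnsServer cmdlet. It also adds the check the transcript describes in words, comparing the SOA serial on the master with the serial on the secondary:

```powershell
# Added example, not from the video. Requires the DnsServer module (RSAT / Windows
# Server 2012 or later) and an account that can administer both DNS servers.
#Requires -Modules DnsServer

$Primary   = 'NYDC1'                  # domain controller holding the primary zone (from the video)
$Secondary = 'SRV1'                   # member server that will hold the secondary zone (from the video)
$Zone      = 'itfreetraining.local'
$PrimaryIp = '192.168.1.10'           # assumed address of NYDC1 (constructed for this example)
$Srv1Ip    = '192.168.1.20'           # assumed address of SRV1 (constructed for this example)
$HctDnsIp  = '192.168.2.10'           # assumed address of the HighCostTraining DNS server (constructed)

# 1. Take the zone out of Active Directory and store it in a file, as the Change button
#    does in the video. A file-backed zone cannot use Secure-only dynamic updates, so the
#    choice is None or NonsecureAndSecure; None is the safer default.
ConvertTo-DnsServerPrimaryZone -ComputerName $Primary -Name $Zone -ZoneFile "$Zone.dns" -Force
Set-DnsServerPrimaryZone -ComputerName $Primary -Name $Zone -DynamicUpdate None

# 2. Restrict zone transfers. Enabling transfers with "To any server" (TransferAnyServer)
#    hands the full zone to anyone who sends an AXFR. Limit it to the hosts that have NS
#    records, then add SRV1 as a name server so it is allowed to pull the zone.
Set-DnsServerPrimaryZone -ComputerName $Primary -Name $Zone -SecureSecondaries TransferToZoneNameServer
Add-DnsServerResourceRecord -ComputerName $Primary -ZoneName $Zone -NS -Name '@' -NameServer "$Secondary.$Zone"
# Tighter alternative: an explicit IP allow-list that does not depend on NS records at all.
# Set-DnsServerPrimaryZone -ComputerName $Primary -Name $Zone `
#     -SecureSecondaries TransferToSecureServers -SecondaryServers $Srv1Ip

# 3. Create the secondary zone on SRV1 and force the first transfer instead of waiting
#    for the refresh interval (the "Transfer from Master" menu item in the video).
Add-DnsServerSecondaryZone -ComputerName $Secondary -Name $Zone -ZoneFile "$Zone.dns" -MasterServers $PrimaryIp
Start-DnsServerZoneTransfer -ComputerName $Secondary -Name $Zone -FullTransfer

# 4. Verify replication the way the SOA tab describes it: a secondary is current when its
#    serial matches the master's. Helper function written for this example.
function Test-ZoneInSync {
    param([string]$ZoneName, [string]$Master, [string]$Slave)
    $soa = foreach ($srv in $Master, $Slave) {
        (Get-DnsServerResourceRecord -ComputerName $srv -ZoneName $ZoneName -RRType Soa).RecordData
    }
    [pscustomobject]@{
        Zone            = $ZoneName
        MasterSerial    = $soa[0].SerialNumber
        SecondarySerial = $soa[1].SerialNumber
        RefreshInterval = $soa[0].RefreshInterval   # 15 minutes in the video
        RetryInterval   = $soa[0].RetryInterval     # 10 minutes in the video
        InSync          = ($soa[0].SerialNumber -eq $soa[1].SerialNumber)
    }
}
Test-ZoneInSync -ZoneName $Zone -Master $Primary -Slave $Secondary

# 5. Stub zone for the partner company. Only SOA, NS and glue records are fetched, which is
#    why no transfer permission or trust is needed on the remote server.
Add-DnsServerStubZone -ComputerName $Primary -Name 'highcosttraining.local' -MasterServers $HctDnsIp -ReplicationScope Forest

# 6. Reverse lookup zones, AD-integrated and replicated to all DNS servers in the forest.
#    For IPv4 the zone name is derived from the network ID. For IPv6 the full prefix length
#    is required; the constructed prefix fd00:0:0:1::/64 reverses to the ip6.arpa name below.
Add-DnsServerPrimaryZone -ComputerName $Primary -NetworkId '192.168.1.0/24' -ReplicationScope Forest -DynamicUpdate Secure
Add-DnsServerPrimaryZone -ComputerName $Primary -Name '1.0.0.0.0.0.0.0.0.0.0.0.0.0.d.f.ip6.arpa' -ReplicationScope Forest -DynamicUpdate Secure

# 7. Review the result: zone type, AD storage, transfer policy and update mode per zone.
Get-DnsServerZone -ComputerName $Primary |
    Where-Object { -not $_.IsAutoCreated } |
    Select-Object ZoneName, ZoneType, IsDsIntegrated, IsReverseLookupZone, SecureSecondaries, DynamicUpdate
```

After step 2, confirm the restriction from a host that is not listed as a name server: an AXFR attempt (for example `dig axfr itfreetraining.local @192.168.1.10` from a Linux box, or `ls -d itfreetraining.local` inside interactive `nslookup` on Windows) should now be refused, whereas with TransferAnyServer it returns the whole zone. Note that TransferToZoneNameServer trusts the addresses that the NS names resolve to, so the NS records and their A records are themselves part of the control; the explicit TransferToSecureServers allow-list is the stricter choice when the set of secondaries is known.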
Info
Channel: itfreetraining
Views: 70,329
Keywords: DNS Zones, ITFreeTraining
Id: f7bmOXCpkrg
Length: 20min 22sec (1222 seconds)
Published: Wed Nov 13 2013