70-411: Administering Windows Server 2012


70-411: Administering Windows Server 2012 Chapter 3 Configure Network Services and Access

Objective 3.1: Configuring DNS Zones

Understanding DNS
Domain Name System (DNS) is a naming service used by TCP/IP networks and is an essential service used by the Internet. It translates names (such as the host name in a URL) to IP addresses. Early TCP/IP networks performed name resolution using hosts files stored locally on each computer.
© 2013 John Wiley & Sons, Inc.

Benefits of DNS
- Ease of use and simplicity
- Scalability
- Consistency

Understanding DNS Names and Zones
Fully qualified domain names (FQDNs) map a host name to an IP address. Example: computer1.sales.microsoft.com is an FQDN. The computer1 host is located in the sales domain, which is located in the microsoft second-level domain, which is located in the .com top-level domain.

DNS Hierarchy

DNS Terms
Each node or leaf in the domain name tree is a resource record (RR), which holds information associated with the domain name. Top-level domains consist of generic top-level domains and international country codes. Second-level domains are registered to individuals or organizations. A host is a specific computer or other network device in a domain.

Address Resolution Mechanism
Using a recursive query to perform DNS forwarding, when needed

Address Resolution Mechanism
Performing an iterative query

Primary and Secondary Zones
- Primary zone: Provides an authoritative, read-write copy of the zone.
- Secondary zone: Provides an authoritative, read-only copy of the primary zone.
- Forward lookup zone: Contains most of the resource records for a domain. Used primarily to resolve host names to IP addresses.
- Reverse lookup zone: Used to resolve IP addresses to host names.

Primary and Secondary Zones
A server can host all primary zones, all secondary zones, or a mix of primary and secondary zones:
- Primary name servers: Servers that host primary zones.
- Secondary name servers: Servers that host secondary zones.

Active Directory-Integrated Zones
DNS zone data can be stored in and replicated with Active Directory as an Active Directory-integrated zone. With Active Directory-integrated zones, DNS follows a multi-master model: every DNS server that hosts the zone has an authoritative read-write copy of it, and a change made on one DNS server replicates to the other DNS servers.

Benefits of Using Active Directory to Store DNS
- Fault tolerance
- Security
- Efficient replication

Configuring Zone Delegation
A DNS subdomain is a child domain that is part of a parent domain and has the same domain suffix as the parent domain. Subdomains allow you to:
- Assign unique names to be used by a particular department, subsidiary, function, or service within the organization.
- Break up larger domains into smaller, more manageable domains.

Stub Zones
A stub zone:
- Is a copy of a zone that contains only the resource records needed to locate the authoritative name servers of the master zone, and acts as a pointer to those servers.
- Allows the server to send queries to the name server that is authoritative for the master zone without going up to the root name servers and working its way down.

Caching-Only Servers
A caching-only server does not host any zones and is not authoritative for any domain. It receives client requests, and as other DNS servers fulfill the queries, the server adds the answers to its cache.

Configuring Forwarding/Conditional Forwarding
When a client contacts a DNS server and the DNS server does not know the answer, it performs an iterative query to find the answer. Instead, a DNS server can be configured to forward unresolved queries to another DNS server (a forwarder), or to a conditional forwarder selected by the domain name being queried. A forwarder controls name resolution queries and traffic, and can improve the efficiency of name resolution on a network.

Zone Transfers
Events that trigger a zone transfer:
- The initial transfer occurs when a secondary zone is created.
- The zone refresh interval expires.
- The DNS Server service is started at the secondary server.
- The master server notifies the secondary server that changes have been made to a zone.

Three Types of Zone Transfers
- Full
- Incremental
- DNS Notify

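The zone layout described in Objective 3.1 (an Active Directory-integrated primary zone with secure updates, a delegated subdomain backed by a stub zone, conditional and general forwarders, and zone transfers locked to a known secondary with DNS Notify) can be built from PowerShell with the DnsServer module that ships with Windows Server 2012. The script below is an added example, not code from the slides or the Wiley courseware; every zone name and address in it (contoso.com, sales.contoso.com, fabrikam.com, the 10.x.x.x and 192.168.3.0/24 addresses) is constructed for illustration.

```powershell
# Added example: zone configuration for a Windows Server 2012 DNS server.
# Assumes the server is a domain member running the DNS Server role.
Import-Module DnsServer

# 1. Active Directory-integrated primary zones (forward and reverse).
#    'Domain' replicates to every DNS server in the domain (multi-master);
#    'Secure' accepts dynamic updates only from authenticated computers.
Add-DnsServerPrimaryZone -Name 'contoso.com' -ReplicationScope 'Domain' -DynamicUpdate 'Secure'
Add-DnsServerPrimaryZone -NetworkId '192.168.3.0/24' -ReplicationScope 'Domain' -DynamicUpdate 'Secure'

# 2. Zone transfers: allow only the listed secondary (10.0.0.6, constructed)
#    and send DNS Notify to it. A zone that transfers to any server lets any
#    host on the network pull the complete record set.
Set-DnsServerPrimaryZone -Name 'contoso.com' `
    -SecureSecondaries 'TransferToSecureServers' -SecondaryServers 10.0.0.6 `
    -Notify 'NotifyServers' -NotifyServers 10.0.0.6

# 3. Delegate the sales subdomain to its own name server (10.0.0.10, constructed)
#    and add a stub zone so this server can query the child's authoritative
#    servers directly instead of walking down from the root.
Add-DnsServerZoneDelegation -Name 'contoso.com' -ChildZoneName 'sales' `
    -NameServer 'ns1.sales.contoso.com' -IPAddress 10.0.0.10
Add-DnsServerStubZone -Name 'sales.contoso.com' -MasterServers 10.0.0.10 -ReplicationScope 'Domain'

# 4. Conditional forwarder for a partner domain; everything else the server
#    cannot answer goes to the general forwarder (10.0.0.1, constructed).
Add-DnsServerConditionalForwarderZone -Name 'fabrikam.com' -MasterServers 10.1.0.5 -ReplicationScope 'Forest'
Add-DnsServerForwarder -IPAddress 10.0.0.1 -PassThru

# 5. Verify: list zone types and confirm the transfer restriction is in effect.
Get-DnsServerZone | Select-Object ZoneName, ZoneType, IsDsIntegrated, SecureSecondaries, Notify
$zone = Get-DnsServerZone -Name 'contoso.com'
if ($zone.SecureSecondaries -ne 'TransferToSecureServers') {
    Write-Warning 'contoso.com still allows zone transfers to unlisted servers'
}
```

Run it in an elevated PowerShell session on the DNS server. The check in step 5 is the one worth keeping in a scheduled compliance script: a zone whose SecureSecondaries value drifts back to TransferAnyServer is the usual way a full zone listing ends up exposed.
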
Objective 3.2: Configuring DNS Records

DNS Records
A DNS zone database is made up of a collection of resource records, which are used to answer DNS queries. Each resource record (RR) specifies information about a particular object. Each record has a type, an expiration time limit, and some type-specific data.

DNS Records
Many of the resource records are created automatically:
- Clients or the DHCP servers create the host and Pointer (PTR) records.
- When you install a DNS server, NS records are usually created.
- When you install domain controllers, Service Location (SRV) records are created.

Creating and Configuring DNS Resource Records
When you create a new zone, two types of records are automatically created:
- SOA: Specifies authoritative information about a DNS zone.
- NS: Specifies an authoritative name server for the zone.

Most Common Resource Records
- Host (A and AAAA) record: Maps a domain/host name to an IP address.
- Canonical Name (CNAME) record: Sometimes referred to as an alias; maps an alias DNS domain name to another primary or canonical name.
- Pointer (PTR) record: Maps an IP address to a domain/host name.
- Mail Exchanger (MX) record: Maps a DNS domain name to the name of a computer that exchanges or forwards e-mail for the domain.
- Service Location (SRV) record: Maps a DNS domain name to a specified list of host computers that offer a specific type of service, such as Active Directory domain controllers.

Name Server (NS) Records
The Name Server (NS) resource record identifies a DNS server that is authoritative for a zone, including the primary and secondary copies of the DNS zone. Because a zone can be hosted on multiple servers, there is one NS record for each DNS server hosting the zone. The Windows Server DNS Server service automatically creates the first NS record for a zone when the zone is created.

Host (A and AAAA) Records
DNS host records are A and AAAA records. The "A" stands for address. The A record maps a domain/host name to an IPv4 address. The AAAA record maps a domain/host name to an IPv6 address.

Canonical Name (CNAME) Records
The Canonical Name (CNAME) resource record is an alias for a host name. It is used to hide the implementation details of your network from the clients that connect to it, particularly if you need to make changes in the future. Example: Instead of creating a Host record for www, you can create a CNAME that specifies the web server that hosts the www websites for the domain. If you need to change servers, you just point the CNAME to another server's Host record.

Pointer (PTR) Records
Pointer (PTR) records resolve host names from an IP address. Unlike the Host record, the IP address is written in reverse. For example, the PTR record for the IP address 192.168.3.41 that points to server1.sales.contoso.com is:
41.3.168.192.in-addr.arpa. IN PTR server1.sales.contoso.com

Mail Exchanger (MX) Records
The Mail Exchanger (MX) resource record specifies an organization's mail server, service, or device that receives mail via Simple Mail Transfer Protocol (SMTP). For fault tolerance, you can designate a second mail server. Although each external mail server requires an MX record, the primary server is designated with a lower priority number.

Mail Exchanger (MX) Records
For example, if you have three mail servers that can receive e-mail over the Internet, you would have three MX records for the contoso.com domain:
@ IN MX 5 mailserver1.contoso.com.
@ IN MX 10 mailserver2.contoso.com.
@ IN MX 20 mailserver3.contoso.com.
The primary mail server is the first one because it has the lowest priority number.

Service Location (SRV) Records
SRV resource records are used to find specific network services. The format for an SRV record:
_Service._Protocol.Name [TTL] Class SRV Priority Weight Port Target

Service Location (SRV) Records
For example, to log in with Lightweight Directory Access Protocol (LDAP), you could have the following SRV records for two domain controllers:
_ldap._tcp.contoso.com. IN SRV 0 0 389 dc1.contoso.com.
_ldap._tcp.contoso.com. IN SRV 10 0 389 dc2.contoso.com.

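The record types covered above (A/AAAA, PTR in the reversed in-addr.arpa form, CNAME, MX with preference values, and SRV with priority/weight/port/target) can all be created with the DnsServer module. The script below is an added example rather than the courseware's own; it reuses the slides' sample names (contoso.com, 192.168.3.41, mailserver1 to mailserver3, dc1 and dc2) and assumes the server already hosts the contoso.com zone and the reverse zone 3.168.192.in-addr.arpa. The host name web1 and the IPv6 address are constructed.

```powershell
# Added example: create and verify the common resource record types.
Import-Module DnsServer
$zone = 'contoso.com'

# Host records: A for IPv4, AAAA for IPv6 (2001:db8::/32 is documentation space).
Add-DnsServerResourceRecordA    -ZoneName $zone -Name 'web1' -IPv4Address '192.168.3.41'
Add-DnsServerResourceRecordAAAA -ZoneName $zone -Name 'web1' -IPv6Address '2001:db8::41'

# PTR record: the reverse zone is the network octets reversed, the record name
# is the host octet, so this produces 41.3.168.192.in-addr.arpa -> web1.contoso.com.
Add-DnsServerResourceRecordPtr -ZoneName '3.168.192.in-addr.arpa' -Name '41' -PtrDomainName 'web1.contoso.com'

# CNAME: clients use www; moving the site later is a one-record change.
Add-DnsServerResourceRecordCName -ZoneName $zone -Name 'www' -HostNameAlias 'web1.contoso.com'

# MX records at the zone apex ('.' means the zone itself); the lowest
# preference value is the primary mail server.
Add-DnsServerResourceRecordMX -ZoneName $zone -Name '.' -MailExchange 'mailserver1.contoso.com' -Preference 5
Add-DnsServerResourceRecordMX -ZoneName $zone -Name '.' -MailExchange 'mailserver2.contoso.com' -Preference 10
Add-DnsServerResourceRecordMX -ZoneName $zone -Name '.' -MailExchange 'mailserver3.contoso.com' -Preference 20

# SRV records: _service._protocol owner name, then priority, weight, port, target.
Add-DnsServerResourceRecord -Srv -ZoneName $zone -Name '_ldap._tcp' -DomainName 'dc1.contoso.com' -Priority 0  -Weight 0 -Port 389
Add-DnsServerResourceRecord -Srv -ZoneName $zone -Name '_ldap._tcp' -DomainName 'dc2.contoso.com' -Priority 10 -Weight 0 -Port 389

# Verify against the local server itself (-Server 127.0.0.1) so a stale
# client cache cannot hide a record that never made it into the zone.
Resolve-DnsName -Server 127.0.0.1 -Name 'www.contoso.com' -Type CNAME
Resolve-DnsName -Server 127.0.0.1 -Name '192.168.3.41' -Type PTR
Get-DnsServerResourceRecord -ZoneName $zone -RRType Mx | Sort-Object { $_.RecordData.Preference }
Get-DnsServerResourceRecord -ZoneName $zone -RRType Srv | Where-Object HostName -eq '_ldap._tcp'
```

The two SRV lines reproduce the priorities from the slide: dc1 (priority 0) is preferred and dc2 (priority 10) is used only when dc1 does not answer, because clients try the lowest priority first and use weight only to split load between records of equal priority.
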
Configuring Record Options
The DNS console provides a GUI for managing resource records on Windows servers. Before you can create resource records, you need to first create the appropriate:
- Forward lookup zones
- Reverse lookup zones

Configuring Round Robin
Round robin is a DNS load-balancing mechanism that distributes network load among multiple servers by rotating the resource records returned by a DNS server. By default, DNS uses round robin to rotate the resource records returned in a DNS query where multiple resource records of the same type exist for the queried host name. Round robin can be enabled or disabled in the server properties within the DNS Manager console.

Configuring Secure Dynamic Updates
DNS supports dynamic updates, where resource records for the clients are automatically created and updated at the host's primary DNS server. For Active Directory-integrated zones, these records are automatically replicated to the other DNS servers. Because standard dynamic updates are insecure, Microsoft added secure dynamic updates.

Configuring Secure Dynamic Updates
Standard dynamic updates are not secure because any host can update any standard resource record. If you enable secure dynamic updates, only the computer that registered a resource record can update that registration.

Configuring Zone Scavenging
By default, Windows updates its own resource record at startup time and every 24 hours after startup. As some records become stale and are not removed or updated, the DNS database becomes outdated. To deal with stale data, you can configure zone scavenging to clean up the stale records. Aging in DNS is the process of using timestamps to track the age of dynamically registered resource records. Scavenging is the mechanism that removes stale resource records.

Configuring Zone Scavenging
To enable aging and scavenging:
- Resource records must either be dynamically added to zones or manually modified to be used in aging and scavenging operations.
- Scavenging and aging must be enabled both at the DNS server and on the zone.

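The three server-side settings discussed above (round robin, secure dynamic updates, and aging/scavenging enabled on both the server and the zone) can be set and audited from PowerShell. This is an added example, not the courseware's own code; contoso.com and the seven-day intervals are constructed values, and the dnscmd call is used for round robin because the slide lists dnscmd and the DNS Manager console as the tools for that setting.

```powershell
# Added example: secure dynamic updates, aging/scavenging and round robin
# on a Windows Server 2012 DNS server (run elevated on the server).
Import-Module DnsServer
$zone = 'contoso.com'

# Secure dynamic updates: only the authenticated computer that registered a
# record may change it. 'NonsecureAndSecure' lets any host overwrite another
# host's record; 'None' disables dynamic registration entirely.
Set-DnsServerPrimaryZone -Name $zone -DynamicUpdate 'Secure'

# Aging/scavenging must be enabled on BOTH the server and the zone, otherwise
# timestamps are written but nothing is ever removed.
$interval = [TimeSpan]::FromDays(7)
Set-DnsServerScavenging -ScavengingState $true -ScavengingInterval $interval `
    -RefreshInterval $interval -NoRefreshInterval $interval
Set-DnsServerZoneAging -Name $zone -Aging $true `
    -RefreshInterval $interval -NoRefreshInterval $interval

# Round robin is a server-wide setting; 1 enables it, 0 disables it.
dnscmd /Config /RoundRobin 1

# Audit: forward primary zones still accepting non-secure updates, and the
# effective scavenging state on the server and on the zone.
Get-DnsServerZone |
    Where-Object { $_.ZoneType -eq 'Primary' -and -not $_.IsReverseLookupZone } |
    Select-Object ZoneName, DynamicUpdate, IsDsIntegrated
Get-DnsServerScavenging
Get-DnsServerZoneAging -Name $zone
```

Secure dynamic updates are only available on Active Directory-integrated zones, so the Set-DnsServerPrimaryZone call fails on a file-backed primary zone; that failure is the check you want, because it tells you the zone cannot be protected without first converting it.
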
DNS Troubleshooting Tools
- IPConfig command
- NSLookup command
- DNS Console

IPConfig
- ipconfig /all displays the full TCP/IP configuration for all adapters, including host name, DNS servers, and the physical address (MAC address).
- ipconfig /flushdns flushes and resets the contents of the DNS client resolver cache.
- ipconfig /displaydns displays the contents of the DNS client resolver cache, which includes both entries preloaded from the local hosts file and any recently obtained resource records for name queries resolved by the computer.

IPConfig
- ipconfig /registerdns initiates manual dynamic registration for the DNS names and IP addresses that are configured at a computer.

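A common troubleshooting step that the ipconfig and nslookup commands above support, but do not automate, is checking that every DNS server configured on the client returns the same answer for a name; a disagreement usually means a secondary that has not received a zone transfer or a server with a different forwarder. The function below is an added example, not from the slides: it flushes the resolver cache (the same effect as ipconfig /flushdns), queries each configured server directly, and reports the answers side by side. The name www.contoso.com is a constructed input.

```powershell
# Added example: compare A-record answers across all configured DNS servers.
function Test-DnsAnswerConsistency {
    param([Parameter(Mandatory)][string]$Name)

    # Equivalent of "ipconfig /flushdns": start from an empty resolver cache.
    Clear-DnsClientCache

    # Collect the distinct IPv4 DNS servers configured on any adapter.
    $servers = Get-DnsClientServerAddress -AddressFamily IPv4 |
        Where-Object { $_.ServerAddresses } |
        ForEach-Object { $_.ServerAddresses } |
        Select-Object -Unique

    $answers = foreach ($server in $servers) {
        try {
            # -DnsOnly skips LLMNR/NetBIOS so only that server's DNS answer counts.
            $ips = Resolve-DnsName -Name $Name -Server $server -Type A -DnsOnly -ErrorAction Stop |
                Where-Object QueryType -eq 'A' |
                ForEach-Object { $_.IPAddress } |
                Sort-Object
            [pscustomobject]@{ Server = $server; Answer = ($ips -join ','); Error = $null }
        } catch {
            [pscustomobject]@{ Server = $server; Answer = $null; Error = $_.Exception.Message }
        }
    }

    $distinct = @($answers | Where-Object Answer | Select-Object -ExpandProperty Answer -Unique)
    if ($distinct.Count -gt 1) {
        Write-Warning "Configured DNS servers disagree about $Name; check zone transfers and forwarders."
    }
    $answers
}

Test-DnsAnswerConsistency -Name 'www.contoso.com' | Format-Table -AutoSize
```

Run it from the affected client. A server that returns an error rather than an answer is reported on its own row instead of aborting the comparison, which is what you want when one of the configured servers is simply unreachable from that network segment.
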
Objective 3.3: Configuring VPN and Routing

Routing and Remote Access (RRAS) Terms
- Remote access server (RAS): A server that enables users to connect remotely to a network, even across the Internet, using various protocols and connection types.
- Routing and Remote Access (RRAS): A Microsoft application programming interface that provides remote access.

RRAS Functionality
- A virtual private network (VPN) gateway, where clients connect to an organization's private network over the Internet.
- Connecting two private networks with a VPN connection over the Internet.
- A dial-up remote access server, which enables users to connect to a private network using a modem.

RRAS Functionality
- Network address translation (NAT), which enables multiple users to share a single public network address.
- Routing functionality, which can connect subnets and control where packets are forwarded based on the destination address.
- Basic firewall functionality, which allows or disallows packets based on source and/or destination addresses and protocols.

Configuring Routing and Remote Access
Options for configuring RRAS:
- Remote access (dial-up or VPN)
- Network address translation (NAT)
- Virtual private network (VPN) access and NAT
- Secure connection between two private networks
- Custom configuration

Configuring RRAS for Dial-Up Remote Access
Dial-up remote access enables remote computers to connect to a network via a modem. Remote computers act as though they were connected locally. Dial-up connections have much slower transfer speeds than DSL, cable, and other forms of networking. To support multiple dial-up users that connect simultaneously, you must have a modem bank that supports multiple modem connections over the phone lines.

Virtual Private Networks
Virtual private networks (VPNs) link two computers or network devices through a wide-area network (WAN) such as the Internet. The data sent between the two computers or devices across a VPN is encapsulated and encrypted.

VPN Connections
- Encapsulation
- Authentication
- Data encryption
- Data integrity

Tunneling Protocols
- Point-to-Point Tunneling Protocol (PPTP)
- Layer 2 Tunneling Protocol (L2TP)
- IKEv2
- Secure Socket Tunneling Protocol (SSTP)

VPN Authentication
- User-level: Uses Point-to-Point Protocol (PPP) authentication; is usually a username and password.
- Computer-level: Uses IKE to exchange certificates or a pre-shared key; is performed only for L2TP/IPsec connections.

Windows 8/Server 2012 VPN Authentication
- Password Authentication Protocol (PAP)
- Challenge Handshake Authentication Protocol (CHAP)
- Microsoft CHAP version 2 (MS-CHAP v2)
- Extensible Authentication Protocol (EAP-MS-CHAPv2)

Configuring Split Tunneling
Split tunneling routes a client's Internet browsing through its own (for example, home) Internet connection rather than through the corporate network. To configure it, disable the Use Default Gateway on Remote Network option on the VPN connection; disabling this option is called using a split tunnel.

Troubleshooting Remote Access Problems
- Check connectivity and network name resolution.
- Check logs.
- Use ipconfig, ping, tracert, and nslookup.

Network Address Translation (NAT)
NAT enables a LAN to use one set of IP addresses for internal traffic and a second set of addresses for external traffic. As a result, you can:
- Provide a type of firewall by hiding internal IP addresses.
- Enable multiple internal computers to share a single external public IP address.

Network Address Translation (NAT)
The private network address ranges, as defined in RFC 1918:
- 10.0.0.0–10.255.255.255
- 172.16.0.0–172.31.255.255
- 192.168.0.0–192.168.255.255

Demand-Dial Routing
Demand-dial routing is a connection to a remote site that is activated when data is sent to the remote site and disconnected when there is no more data to be sent. It can reduce connection costs.

DHCP Relay Agent
DHCP requires a range of IP addresses that can be distributed. A scope defines a single physical subnet on a network to which DHCP services are offered. The DHCP server has to be physically connected to the subnet, or you have to install a DHCP Relay Agent (DHCP Helper) on the subnet that relays the DHCP requests to the DHCP server.
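The authentication and split-tunnel settings above have a PowerShell counterpart on both ends of the connection: the RemoteAccess module on the RRAS server controls which PPP user authentication protocols are accepted, and the VpnClient module on Windows 8 creates the client connection and sets its Use Default Gateway on Remote Network behaviour (the SplitTunneling parameter). The script is an added example, not the courseware's own code; the connection name and server name vpn.contoso.com are constructed.

```powershell
# Added example. Part 1 runs on the RRAS VPN server (Windows Server 2012),
# part 2 on a Windows 8 client. Each part needs its own module.

# --- Part 1: RRAS server -------------------------------------------------
Import-Module RemoteAccess

# Accept only MS-CHAP v2 and EAP for user-level authentication. PAP sends the
# password in clear text and CHAP needs reversibly encrypted passwords in AD,
# so both are removed from the accepted list.
Set-VpnAuthProtocol -UserAuthProtocolAccepted @('MSChapv2', 'Eap') -PassThru

# Verify that the weak protocols are really gone.
$accepted = (Get-VpnAuthProtocol).UserAuthProtocolAccepted
if ($accepted -contains 'Pap' -or $accepted -contains 'Chap') {
    Write-Warning 'PAP or CHAP is still accepted for VPN user authentication'
}

# --- Part 2: Windows 8 client --------------------------------------------
Import-Module VpnClient

# SSTP (TLS on 443) with MS-CHAP v2 and mandatory encryption. SplitTunneling
# $false is the same as leaving "Use default gateway on remote network" on:
# all client traffic, Internet included, goes through the corporate network.
Add-VpnConnection -Name 'Contoso VPN' -ServerAddress 'vpn.contoso.com' `
    -TunnelType Sstp -AuthenticationMethod MSChapv2 -EncryptionLevel Required `
    -SplitTunneling $false -RememberCredential $false

# Switching the same connection to a split tunnel: only traffic for the
# remote network uses the VPN, Internet browsing leaves the local connection.
Set-VpnConnection -Name 'Contoso VPN' -SplitTunneling $true

Get-VpnConnection -Name 'Contoso VPN' |
    Select-Object Name, TunnelType, AuthenticationMethod, EncryptionLevel, SplitTunneling
```

Whether a split tunnel is acceptable is a policy decision: it saves bandwidth on the corporate link, but while it is enabled the client is simultaneously attached to the Internet and the intranet, so corporate web filtering and inspection no longer see the client's Internet traffic.
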

Objective 3.4: Configuring DirectAccess

DirectAccess
- Overcomes limitations of VPNs.
- Automatically establishes a bi-directional connection from client computers to the network using IPsec and IPv6.
- Transition mechanisms for IPv6: 6to4, Teredo, and Intra-Site Automatic Tunnel Addressing Protocol (ISATAP).

DirectAccess Server Requirements
- The server must be part of an Active Directory domain.
- The server must be running Windows Server 2008 R2 or Windows Server 2012.
- If the DirectAccess server is connected to the intranet and published over Microsoft Forefront Threat Management Gateway (TMG) or Microsoft Forefront Unified Access Gateway 2010 (UAG), a single network adapter is required.
- If the DirectAccess server is connected as an edge server, it needs two network adapters (one for the Internet and one for the intranet).

DirectAccess Server Requirements
- Implementation of DirectAccess in Windows Server 2012 does not require two consecutive static, public IPv4 addresses, as was required with Windows Server 2008 R2.
- To achieve two-factor authentication with a smart card or one-time password (OTP) deployment, the DirectAccess server still needs two public IP addresses.

DirectAccess Server Requirements
- You can deploy Windows Server 2012 DirectAccess behind a NAT device, which avoids the need for additional public addresses. In that case only IP over HTTPS (IP-HTTPS) is deployed, allowing a secure IP tunnel to be established over a secure HTTP connection.
- With Windows Server 2012, you can use Network Load Balancing (up to eight nodes) to achieve high availability and scalability for both DirectAccess and RRAS.

Network Infrastructure for DirectAccess
- An Active Directory domain
- Group Policy
- One domain controller
- Public Key Infrastructure (PKI)
- IPsec policies

Network Infrastructure for DirectAccess
- Internet Control Message Protocol Version 6 (ICMPv6) Echo Request traffic
- IPv6 and transition technologies such as ISATAP, Teredo, or 6to4
- (Optional) Network Access Protection (NAP)

DirectAccess Client Requirements
- Operating system: Windows 7 Enterprise Edition, Windows 7 Ultimate Edition, Windows 8, Windows Server 2008 R2, or Windows Server 2012
- The client must be joined to an Active Directory domain

Implementing Client Configuration
- DirectAccess Connectivity Assistant (DCA): Windows 7 and Windows Server 2008 R2
- Network Connectivity Assistant (NCA): Windows 8

Implementing Infrastructure Servers
DirectAccess clients use the network location server (NLS) to determine their location. To configure an NLS:
- Install IIS on a Windows server.
- Create a website, bind a name to it, and associate an NLS DNS name with the server's IP address.
- Make sure the server is highly available.
- Ensure that DirectAccess clients can correctly detect when they are on the Internet.

Configuring DNS for DirectAccess
DirectAccess requires internal and external DNS. DirectAccess requires two external DNS A records:
- DirectAccess server, such as directaccess.contoso.com
- Certificate Revocation List (CRL), such as crl.contoso.com
Internally, DNS needs a record for the NLS server and one for the CRL.

Configuring DNS for DirectAccess
ISATAP provides a transition between networks based on IPv4 and IPv6. By default, a Windows DNS server does not answer queries for the name isatap because it is on the DNS global query block list. If you need to use ISATAP, remove isatap from the block list. The /globalqueryblocklist option replaces the entire list, so you specify the names that should remain blocked (wpad) rather than the name to remove:
dnscmd /config /globalqueryblocklist wpad

Configuring Certificates for DirectAccess
The DirectAccess server requires these certificates:
- The IP-HTTPS listener on the DirectAccess server requires a website certificate, and the DirectAccess client must be able to contact the server hosting the CRL for that certificate.
- The DirectAccess server requires a computer certificate to establish the IPsec connections with the DirectAccess clients.

Troubleshooting DirectAccess
- The DirectAccess client computer must run Windows 8, Windows 7 Ultimate, or Windows 7 Enterprise edition.
- The DirectAccess client computer must be a member of an Active Directory Domain Services (AD DS) domain, and its computer account must be a member of one of the security groups configured with the DirectAccess Setup Wizard.
- The DirectAccess client computer must have received computer configuration Group Policy settings for DirectAccess.
- The DirectAccess client must have a global IPv6 address, which should begin with a 2 or 3.

Troubleshooting DirectAccess
- The DirectAccess client must be able to reach the IPv6 addresses of the DirectAccess server.
- The DirectAccess client on the Internet must correctly determine that it is not on the intranet. Type the netsh dnsclient show state command to view the network location displayed in the Machine Location field (outside corporate network or inside corporate network).
- Use the netsh namespace show policy command to show the NRPT rules as configured in Group Policy.
- Use the netsh namespace show effectivepolicy command to see the results of network location detection and the IPv6 addresses of the intranet DNS servers.

Troubleshooting DirectAccess
- The DirectAccess client must not be assigned the domain firewall profile.
- The DirectAccess client must be able to reach the organization's intranet DNS servers using IPv6. You can use ping to attempt to reach the IPv6 addresses of intranet servers.
- The DirectAccess client must be able to communicate with intranet servers using application layer protocols. If File and Printer Sharing is enabled on the intranet server, test application layer protocol access by typing net view \\IntranetFQDN.
- Use the DirectAccess Connectivity Assistant on computers running Windows 7 and the Network Connectivity Assistant on computers running Windows 8 to determine the intranet connectivity status and to obtain diagnostic information.
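The internal DNS preparation just described (records for the NLS and the CRL, and taking isatap off the global query block list without dropping wpad) can be done with the DnsServer module instead of dnscmd. This is an added example, not part of the courseware; the names nls.contoso.com, crl.contoso.com and isatap.contoso.com and the 10.0.0.x addresses are constructed, and the server is assumed to host the contoso.com zone.

```powershell
# Added example: internal DNS records for DirectAccess and the global query
# block list, run elevated on an internal Windows Server 2012 DNS server.
Import-Module DnsServer
$zone = 'contoso.com'

# Internal A records for the network location server and the CRL host.
Add-DnsServerResourceRecordA -ZoneName $zone -Name 'nls' -IPv4Address '10.0.0.20'
Add-DnsServerResourceRecordA -ZoneName $zone -Name 'crl' -IPv4Address '10.0.0.21'

# The block list ships with 'wpad' and 'isatap'. Setting it REPLACES the list,
# so to stop blocking isatap you set the list to the names you want to keep.
Write-Host 'Block list before:' ((Get-DnsServerGlobalQueryBlockList).List -join ', ')
Set-DnsServerGlobalQueryBlockList -List 'wpad' -PassThru

# Register the ISATAP router (constructed address) now that the name resolves.
Add-DnsServerResourceRecordA -ZoneName $zone -Name 'isatap' -IPv4Address '10.0.0.2'

# Verify: wpad is still blocked, isatap is not, and the new records answer.
$blocked = (Get-DnsServerGlobalQueryBlockList).List
if ($blocked -contains 'isatap') { Write-Warning 'isatap is still on the block list' }
if ($blocked -notcontains 'wpad') { Write-Warning 'wpad was dropped from the block list; clients could be redirected to a rogue proxy' }
Resolve-DnsName -Server 127.0.0.1 -Name "isatap.$zone" -Type A
Resolve-DnsName -Server 127.0.0.1 -Name "nls.$zone" -Type A
Resolve-DnsName -Server 127.0.0.1 -Name "crl.$zone" -Type A
```

The second warning is the reason for being careful with this setting: wpad is on the block list so that a host registering the name wpad through dynamic update cannot become every client's web proxy, and replacing the list with only isatap (the common mistake) silently removes that protection.
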
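
The client checks listed on the three troubleshooting slides can be run in order from one script rather than command by command. The function below is an added example, not the courseware's own; it uses the netsh dnsclient show state and net view commands the slides name, plus the NetTCPIP and DnsClient cmdlets available on Windows 8. The intranet server name fs1.corp.contoso.com is a constructed default; pass your own.

```powershell
# Added example: DirectAccess client-side checks on Windows 8 (run as admin).
function Test-DirectAccessClient {
    param([string]$IntranetServer = 'fs1.corp.contoso.com')

    $results = [ordered]@{}

    # 1. Domain membership and a global IPv6 address (starts with 2 or 3);
    #    fe80: link-local or Teredo/6to4 addresses alone are not enough.
    $results['DomainJoined'] = (Get-WmiObject Win32_ComputerSystem).PartOfDomain
    $global6 = Get-NetIPAddress -AddressFamily IPv6 |
        Where-Object { $_.IPAddress -match '^[23]' -and $_.AddressState -eq 'Preferred' }
    $results['GlobalIPv6'] = ($global6.IPAddress -join ', ')

    # 2. Network location as decided by the NLS probe: a client on the Internet
    #    that reports "Inside corporate network" will never bring up the tunnels.
    $state = netsh dnsclient show state
    $results['MachineLocation'] = ($state | Select-String 'Machine Location' |
        ForEach-Object { $_.Line.Trim() }) -join '; '

    # 3. NRPT rules delivered by the DirectAccess GPO. Zero rules means the
    #    computer configuration Group Policy never applied to this client.
    $nrpt = @(Get-DnsClientNrptPolicy)
    $results['NrptRuleCount'] = $nrpt.Count
    $intranetDns = @($nrpt.NameServers | Select-Object -Unique)
    $results['IntranetDnsServers'] = ($intranetDns -join ', ')

    # 4. Firewall profile: the DirectAccess IPsec rules apply to the public and
    #    private profiles, so the client must not be on the domain profile outside.
    $results['FirewallProfiles'] = ((Get-NetConnectionProfile).NetworkCategory -join ', ')

    # 5. Intranet DNS reachable over IPv6, then an application-layer test (SMB).
    $dns6 = $intranetDns | Where-Object { $_ -like '*:*' } | Select-Object -First 1
    $results['IntranetDnsPing'] = if ($dns6) {
        Test-Connection -ComputerName $dns6 -Count 1 -Quiet
    } else { 'no IPv6 intranet DNS server in NRPT' }
    $results['FileShareView'] = ((net view "\\$IntranetServer" 2>&1) | Out-String).Trim()

    [pscustomobject]$results
}

Test-DirectAccessClient | Format-List
```

Read the output top to bottom: the checks are ordered the way the slides order them, so the first failing row is normally the one to fix, and the later rows (DNS reachability, net view) cannot succeed until the earlier ones (global IPv6 address, NRPT rules, location detection) do.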