
Microsoft Official Course

Module 1: Implementing Advanced Network Services

Module Overview

• Configuring Advanced DHCP Features
• Configuring Advanced DNS Settings
• Implementing IPAM
• Managing IP Address Spaces with IPAM
Lesson 1: Configuring Advanced DHCP Features

• DHCP Components Overview
• Configuring DHCP Interaction With DNS
• Configuring Advanced DHCP Scope Designs
• DHCP Integration With IPv6
• What Is DHCP Name Protection?
• What Is DHCP Failover?
• Demonstration: Configuring DHCP Failover
DHCP components consist of:

Component: Description
DHCP Server service: Distributes IP addresses and other network configuration information to clients that request it.
DHCP scopes: A scope must consist of:
• A name and description
• A range of addresses that can be distributed
• A subnet mask
A scope can also define:
• IP addresses that should be excluded from distribution
• The duration of the IP address lease
• DHCP options
DHCP options: Assign many other network configuration parameters. The most common DHCP options include:
• Default Gateway IP address
• DNS server IP address
• DNS domain suffix
• Windows Internet Name Service (WINS) server IP address
DHCP database: Contains configuration data about the DHCP server, and stores information about the IP addresses that have been distributed.
DHCP console: The main administrative tool for managing all aspects of the DHCP server.
DHCP Components Overview

• When you use DHCP:
• Clients request IP configuration through a broadcast
• IP addresses are leased to clients for a configurable period, and are regularly renewed
• DHCP servers must be authorized in AD DS
Configuring DHCP Interaction With DNS

• The DHCP server creates resource records automatically for DHCP clients in the DNS database.
• However, those records may not be deleted automatically when the client DHCP lease expires.
• You can configure DHCP options to allow the DHCP server to own and fully control the creation and deletion of those DNS resource records.
Configuring DHCP Interaction With DNS

• By default, the DHCP server behaves in the following manner:
• The DHCP server dynamically updates DNS address host (A) resource records and pointer (PTR) resource records only if requested by the DHCP clients. By default, the client requests that the DHCP server register the DNS pointer (PTR) resource record, while the client registers its own DNS host (A) resource record.
• The DHCP server discards the host (A) and pointer (PTR) resource records when the client's lease is deleted.
Configuring DHCP Interaction With DNS

• You can change the Enable DNS dynamic updates according to the settings below option to Always dynamically update DNS records. This instructs the DHCP server to always dynamically update the DNS host (A) and pointer (PTR) resource records, no matter what the client requests.
• In this way, the DHCP server becomes the owner of the resource records, because the DHCP server performed the registration of the resource records.
• Once the DHCP server becomes the owner of the client computer's host (A) and pointer (PTR) resource records, only that DHCP server can update the DNS resource records for the client computer, based on the duration and renewal of the DHCP lease.
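The following added example (not part of the course material) applies the setting described above with the DhcpServer module cmdlets. The server name DHCP1, scope 10.0.1.0 and the credential prompt are assumed values.

```powershell
# Added example: assumed server DHCP1 and scope 10.0.1.0 (constructed values).
$dhcp  = 'DHCP1'
$scope = '10.0.1.0'

# Show the current server-level setting. The default is OnClientRequest:
# the client registers its own A record and the server registers only the PTR.
Get-DhcpServerv4DnsSetting -ComputerName $dhcp

# Make the DHCP server the owner of both A and PTR records regardless of what
# the client asks for in option 081, and remove them when the lease is deleted
# or expires. UpdateDnsRRForOlderClients also covers clients that never send option 081.
Set-DhcpServerv4DnsSetting -ComputerName $dhcp `
    -DynamicUpdates Always `
    -DeleteDnsRRonLeaseExpiry $true `
    -UpdateDnsRRForOlderClients $true

# The same setting can be narrowed to one scope; a scope-level value overrides
# the server-level value for that scope only.
Set-DhcpServerv4DnsSetting -ComputerName $dhcp -ScopeId $scope -DynamicUpdates Always

# Verify the effective values for the scope.
Get-DhcpServerv4DnsSetting -ComputerName $dhcp -ScopeId $scope |
    Select-Object DynamicUpdates, DeleteDnsRRonLeaseExpiry, UpdateDnsRRForOlderClients

# If the zone accepts only secure dynamic updates, register with a dedicated
# low-privilege account (add it to the DnsUpdateProxy group) rather than the
# DHCP server's computer account, so records are not owned by one server's identity.
Set-DhcpServerDnsCredential -ComputerName $dhcp -Credential (Get-Credential 'CONTOSO\svc-dhcp-dns')
```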
Configuring DHCP Interaction With DNS

Configuring option 081 allows the DHCP server to register both A and PTR resource records for the client.

Figure: normal option 081 behavior compared with modified option 081 behavior (DHCP client "HostName", DHCP server, DNS server).
Normal option 081 behavior:
1. IP lease request
2. IP lease acknowledgment
3. DNS dynamic update of host (A) name (by the client)
4. DNS dynamic update of pointer (PTR) name (by the DHCP server)
Modified option 081 behavior:
1. IP lease request
2. IP lease acknowledgment
3. DNS dynamic update of host (A) name (by the DHCP server)
4. DNS dynamic update of pointer (PTR) name (by the DHCP server)
Configuring Advanced DHCP Scope Designs

• Advanced DHCP scope designs include superscopes.
• A superscope is a collection of individual scopes that are grouped together for administrative purposes.
• This allows client computers to receive an IP address from multiple logical subnets even when the clients are located on the same physical subnet.
• A superscope can only be created if there are two or more IP scopes already created in DHCP.
• The New Superscope Wizard can be used to select the scopes that need to be combined to create a superscope.
Multicast Scope

• A multicast scope is a collection of multicast addresses from the class D IP address range of 224.0.0.0 to 239.255.255.255 (224.0.0.0/3).
• It is used when applications need to communicate with numerous clients efficiently and simultaneously.
• It is commonly known as a Multicast Address Dynamic Client Allocation Protocol (MADCAP) scope. Applications that request addresses from these scopes need to support the MADCAP application programming interface (API).
• WDS is an example of an application that supports multicast transmissions.
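As an added example (not the course's own material) covering both the superscope and the multicast scope slides, the following creates two scopes, groups them, and adds a MADCAP scope after checking that the requested range lies within 224.0.0.0 to 239.255.255.255. Server name DHCP1, scope names and address ranges are constructed values.

```powershell
# Added example with constructed values: server DHCP1, two building scopes, one WDS multicast range.
$dhcp = 'DHCP1'

# A superscope needs two or more existing scopes, so create them first.
Add-DhcpServerv4Scope -ComputerName $dhcp -Name 'Building1-A' `
    -StartRange 10.0.1.10 -EndRange 10.0.1.200 -SubnetMask 255.255.255.0
Add-DhcpServerv4Scope -ComputerName $dhcp -Name 'Building1-B' `
    -StartRange 10.0.2.10 -EndRange 10.0.2.200 -SubnetMask 255.255.255.0

# Group them so clients on one physical segment can be served from either logical subnet.
Add-DhcpServerv4Superscope -ComputerName $dhcp -SuperscopeName 'Building1' -ScopeId 10.0.1.0, 10.0.2.0
Get-DhcpServerv4Superscope -ComputerName $dhcp -SuperscopeName 'Building1'

# Guard: a MADCAP scope must hand out class D addresses only (first octet 224 to 239).
function Test-MulticastRange {
    param([string]$Start, [string]$End)
    foreach ($a in $Start, $End) {
        $first = ([ipaddress]$a).GetAddressBytes()[0]
        if ($first -lt 224 -or $first -gt 239) { return $false }
    }
    return $true
}

# 239.0.0.0/8 is the administratively scoped block, the usual choice for site-local multicast.
if (Test-MulticastRange -Start 239.192.0.1 -End 239.192.0.254) {
    Add-DhcpServerv4MulticastScope -ComputerName $dhcp -Name 'WDS-Multicast' `
        -StartRange 239.192.0.1 -EndRange 239.192.0.254 -Ttl 32 -LeaseDuration 30.00:00:00
} else {
    Write-Warning 'Range is outside the class D multicast space; scope not created.'
}
```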
Configuring Advanced DHCP Scope Designs

Figure: one DHCP server serving LAN A and LAN B, shown first with separate Scope A and Scope B and then with Scope A and Scope B combined in a superscope.
DHCP Integration With IPv6

• By using DHCP for IPv6 (DHCPv6), an IPv6 host can obtain subnet prefixes, global addresses, and other IPv6 configuration settings.
• DHCPv6 supports stateful and stateless configurations:
• Stateful configuration. Occurs when the DHCPv6 server assigns the IPv6 address to the client along with additional DHCP data.
• Stateless configuration. Occurs when the subnet router and client agree on an IPv6 address automatically, and the DHCPv6 server only assigns other IPv6 configuration settings. The IPv6 address is built by using the network portion from the router, and the host portion of the address, which is generated by the client.
DHCP Integration With IPv6

• DHCPv6 also supports scopes that you can configure with the following properties:

Property: Use
Name and description: Identifies the scope
Preference: Informs DHCPv6 clients which server to use if you have multiple DHCPv6 servers
Prefix: Defines the network portion of the IP address
Exclusions: Defines single addresses or blocks of addresses that fall within the IPv6 prefix but will not be offered for lease
Valid and Preferred lifetimes: Defines how long leased addresses are valid
DHCP options: Has many available options
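The scope properties in the table above, set with the DhcpServer module as an added example (not the course's own code). Server DHCP1, the documentation prefix 2001:db8:10::/64, the exclusion range and the DNS server address are constructed values.

```powershell
# Added example with constructed values: prefix 2001:db8:10::/64 on DHCP1.
$dhcp   = 'DHCP1'
$prefix = '2001:db8:10::'

# Stateful scope: the server assigns addresses from this prefix. Preference 255 makes
# clients favour this server when more than one DHCPv6 server answers the solicit.
# Preferred lifetime must not exceed valid lifetime.
Add-DhcpServerv6Scope -ComputerName $dhcp -Prefix $prefix -Name 'Building1-v6' `
    -Preference 255 -PreferredLifeTime 8.00:00:00 -ValidLifeTime 12.00:00:00 -State Active

# Exclusion: keep the lowest 255 host addresses for routers and statically configured servers.
Add-DhcpServerv6ExclusionRange -ComputerName $dhcp -Prefix $prefix `
    -StartRange 2001:db8:10::1 -EndRange 2001:db8:10::ff

# DHCP options. In a stateless (router-advertised) deployment the server hands out only these.
Set-DhcpServerv6OptionValue -ComputerName $dhcp -Prefix $prefix `
    -DnsServer 2001:db8:10::53 -DomainSearchList 'contoso.com'

# Verify the scope and its exclusions.
Get-DhcpServerv6Scope -ComputerName $dhcp -Prefix $prefix |
    Select-Object Prefix, Name, Preference, PreferredLifetime, ValidLifetime, State
Get-DhcpServerv6ExclusionRange -ComputerName $dhcp -Prefix $prefix
```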
What Is DHCP Name Protection?

• DHCP Name Protection:
• Prevents Windows operating systems from having their DNS name registrations overwritten by non-Windows operating systems that have the same name
• Name squatting is the term used to describe the conflict that occurs when one client registers a name with DNS but that name is already used by another client
• Uses a DHCID resource record to track the machines that originally requested the DNS names
• Is configurable at the network protocol level and at the scope level
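Enabling name protection and checking the DHCID records it relies on, as an added example that is not part of the course. DHCP1, DNS1, scope 10.0.1.0 and zone contoso.com are assumed values.

```powershell
# Added example: assumed server DHCP1, DNS server DNS1, scope 10.0.1.0 and zone contoso.com.
$dhcp = 'DHCP1'; $dns = 'DNS1'; $scope = '10.0.1.0'; $zone = 'contoso.com'

# Name protection only works when the DHCP server performs the registration,
# so it is enabled together with server-side dynamic updates. Omit -ScopeId to
# set it at the IPv4 protocol level instead of for this one scope.
Set-DhcpServerv4DnsSetting -ComputerName $dhcp -ScopeId $scope `
    -DynamicUpdates Always -NameProtection $true

Get-DhcpServerv4DnsSetting -ComputerName $dhcp -ScopeId $scope |
    Select-Object DynamicUpdates, NameProtection

# Once a client has been leased an address, the zone holds a DHCID record beside
# its A record. The DNS server uses it to refuse a different client that tries to
# register the same name, which is the name-squatting case described above.
Get-DnsServerResourceRecord -ComputerName $dns -ZoneName $zone -RRType DhcId |
    Select-Object HostName, RecordType, Timestamp

# Names with an A record but no DHCID were registered without protection;
# list them so they can be reviewed (comparison on host name only).
$withDhcid = (Get-DnsServerResourceRecord -ComputerName $dns -ZoneName $zone -RRType DhcId).HostName
Get-DnsServerResourceRecord -ComputerName $dns -ZoneName $zone -RRType A |
    Where-Object { $_.HostName -ne '@' -and $_.HostName -notin $withDhcid } |
    Select-Object HostName, @{n='IPv4';e={$_.RecordData.IPv4Address}}
```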
What Is DHCP Failover?

• DHCP failover:
• Enables two DHCP servers to provide IP addresses and optional configurations to the same subnets or scopes
• Requires failover relationships to have unique names
• Supports 2 modes

Mode: Characteristics
Hot standby: One server is the primary server and the other is the secondary server. The primary server actively assigns IP configurations for the scope or subnet. The secondary DHCP server only assumes this role if the primary server becomes unavailable. A DHCP server can simultaneously act as the primary for one scope or subnet, and be the secondary for another.
Load sharing: This is the default mode. In this mode both servers supply IP configuration to clients simultaneously. The server that responds to IP configuration requests depends on how the administrator configures the load distribution ratio. The default ratio is 50:50.
What Is DHCP Failover?

• When you use DHCP failover:
• The MCLT parameter determines when a failover partner assumes control of the subnet or scope
• The Auto State Switchover Interval determines when a failover partner is considered to be down
• Message Authentication can validate the failover messages
• Firewall rules are auto-configured during DHCP installation (DHCP uses TCP port 647 to listen for failover traffic)
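Both failover modes and the parameters named above (MCLT, auto state switchover, message authentication, port 647), configured with the DhcpServer module as an added example that is not course code. DHCP1, DHCP2, the scope IDs and relationship names are constructed values.

```powershell
# Added example with constructed values: DHCP1 is the local server, DHCP2 the partner.
$primary = 'DHCP1'; $partner = 'DHCP2'

# Shared secret enables message authentication between the partners. Prompt for it
# rather than embedding it in the script.
$secure = Read-Host -Prompt 'Failover shared secret' -AsSecureString
$secret = [System.Net.NetworkCredential]::new('', $secure).Password

# Load-sharing relationship (the default mode): 50:50 split, one-hour MCLT, and the
# surviving partner moves to partner-down automatically after one hour without contact.
Add-DhcpServerv4Failover -ComputerName $primary -Name 'DHCP1-DHCP2-LB' `
    -PartnerServer $partner -ScopeId 10.0.1.0, 10.0.2.0 `
    -LoadBalancePercent 50 -MaxClientLeadTime 01:00:00 `
    -AutoStateTransition $true -StateSwitchInterval 01:00:00 `
    -SharedSecret $secret -Force

# Hot-standby relationship for another scope: DHCP1 is active, DHCP2 holds 5 % of the
# addresses in reserve so it can answer new clients while DHCP1 is unreachable.
Add-DhcpServerv4Failover -ComputerName $primary -Name 'DHCP1-DHCP2-HS' `
    -PartnerServer $partner -ScopeId 10.0.3.0 `
    -ServerRole Active -ReservePercent 5 -MaxClientLeadTime 01:00:00 `
    -AutoStateTransition $true -StateSwitchInterval 01:00:00 `
    -SharedSecret $secret -Force

# Verify: both relationships should report State Normal on both partners.
foreach ($s in $primary, $partner) {
    Get-DhcpServerv4Failover -ComputerName $s |
        Select-Object @{n='Server';e={$s}}, Name, Mode, State, PartnerServer, ScopeId
}

# The failover channel is TCP 647; confirm each server is listening on it.
Get-NetTCPConnection -CimSession $primary, $partner -State Listen -LocalPort 647 |
    Select-Object PSComputerName, LocalAddress, LocalPort, State
```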
Lesson 2: Configuring Advanced DNS Settings

• Managing DNS Services
• Optimizing DNS Name Resolution
• What Is the GlobalNames Zone?
• Options for Implementing DNS Security
• How DNSSEC Works
• New DNSSEC Features for Windows Server 2012
• Demonstration: Configuring DNSSEC
Managing DNS Services

1. Delegating DNS administration
• By adding a user or global group as a member of the DNS Admins group
2. Configuring logging for DNS
• DNS maintains a DNS server log in the Event Viewer.
• It records common events such as:
• Starting and stopping the DNS service.
• Background loading and zone signing events.
• Changes to DNS configuration settings.
• Various warnings and error events.
Managing DNS Services

3. Enable DNS debug logging in the DNS server properties
• Debug logging options include the following:
• Direction of packets and contents of packets
• Transport protocol
• Type of request
• Filtering based on IP address
• Specifying the name and location of the log file
• Log file maximum size limit
4. Aging and scavenging
• Stale records are resource records that were added to the DNS database but are not deleted automatically when they are no longer required
• Enable aging and scavenging to remove stale records
Managing DNS Services

5. Backup methods for the DNS database depend on how the database is deployed:
• Back up Active Directory-integrated zones through system state backups, by using dnscmd, or by using Windows PowerShell
• Non-integrated primary zones are single files that you can copy or back up
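The five management tasks above carried out with the DnsServer module, as an added example that is not the course's own code. DNS1, the zone contoso.com, the group DNS-Operators, the filtered client address and the log path are constructed values; "DnsAdmins" is the AD group name behind the console's "DNS Admins".

```powershell
# Added example: assumed DNS server DNS1 and zone contoso.com (constructed values).
$dns = 'DNS1'; $zone = 'contoso.com'

# 1. Delegation: give a group DNS administration rights by membership in DnsAdmins.
Add-ADGroupMember -Identity 'DnsAdmins' -Members 'DNS-Operators'

# 2. Event log: recent DNS Server events (start/stop, zone loads, signing, config changes).
Get-WinEvent -ComputerName $dns -LogName 'DNS Server' -MaxEvents 20 |
    Select-Object TimeCreated, Id, LevelDisplayName, Message

# 3. Debug logging: queries and answers in both directions over UDP and TCP, restricted to
# one client address so the log stays small, written to a file capped at 512 MB.
Set-DnsServerDiagnostics -ComputerName $dns -Queries $true -Answers $true `
    -SendPackets $true -ReceivePackets $true -UdpPackets $true -TcpPackets $true `
    -FilterIPAddressList 10.0.1.25 -LogFilePath 'C:\DnsLogs\dns.log' -MaxMBFileSize 512

# 4. Aging and scavenging: a record becomes stale after the no-refresh interval plus the
# refresh interval (7 + 7 days); the server then scavenges every 7 days. Aging must also
# be switched on for each zone, otherwise nothing is ever removed.
Set-DnsServerScavenging -ComputerName $dns -ScavengingState $true `
    -ScavengingInterval 7.00:00:00 -NoRefreshInterval 7.00:00:00 `
    -RefreshInterval 7.00:00:00 -ApplyOnAllZones
Set-DnsServerZoneAging -ComputerName $dns -Name $zone -Aging $true

# 5. Backup: export an AD-integrated zone to a file in the server's %SystemRoot%\System32\dns
# folder. A file-backed primary zone can simply be copied from that folder instead.
Export-DnsServerZone -ComputerName $dns -Name $zone -FileName "$zone.bak"
```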
Optimizing DNS Name Resolution

Option: Description
Forwarding: Forwards DNS requests that cannot be resolved locally to other specific DNS servers
Conditional forwarding: Forwards queries for specific DNS suffixes to specific DNS servers
Stub zones: A regularly replicated copy of certain resource records that identify authoritative DNS servers for specific DNS domains. It consists of the following:
• The delegated zone's start of authority (SOA) resource record, name server (NS) resource records, and host (A) resource records
• The IP address of one or more master servers that you can use to update the stub zone
Netmask ordering: Responds to DNS queries with addresses of hosts that are close in proximity, based on the IP address information of the client. Addresses of hosts that are on the same subnet as the requesting client will have a higher priority in the DNS response to the client computer.
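The four options in the table above configured on one server, as an added example that is not part of the course. DNS1, the forwarder addresses, partner.example and the delegated child zone branch.contoso.com are constructed values.

```powershell
# Added example with constructed values: server DNS1, internal forwarders, a partner
# organisation's zone, and a delegated child zone of contoso.com.
$dns = 'DNS1'

# Forwarding: anything this server cannot resolve locally goes to these servers;
# disabling root hints keeps the server from querying the internet directly if they fail.
Set-DnsServerForwarder -ComputerName $dns -IPAddress 10.0.0.53, 10.0.0.54 -UseRootHint $false
Get-DnsServerForwarder -ComputerName $dns

# Conditional forwarding: only queries for partner.example are sent to that
# organisation's servers; everything else still follows the general forwarders.
Add-DnsServerConditionalForwarderZone -ComputerName $dns -Name 'partner.example' `
    -MasterServers 192.0.2.10, 192.0.2.11 -ReplicationScope Forest

# Stub zone: this server keeps a replicated copy of the child zone's SOA, NS and glue A
# records pulled from the listed master, so it can find the authoritative servers itself.
Add-DnsServerStubZone -ComputerName $dns -Name 'branch.contoso.com' `
    -MasterServers 10.0.5.53 -ReplicationScope Domain
Get-DnsServerZone -ComputerName $dns -Name 'branch.contoso.com' |
    Select-Object ZoneName, ZoneType, MasterServers

# Netmask ordering is the LocalNetPriority server setting (on by default). Check it and,
# if it has been turned off, re-enable it with dnscmd.
if (-not (Get-DnsServerSetting -ComputerName $dns -All).LocalNetPriority) {
    dnscmd $dns /Config /LocalNetPriority 1
}
```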
What Is the GlobalNames Zone?

The GlobalNames zone allows single label names to be resolved in multiple DNS domain environments.

Figure: a DNS client query (steps 1 to 6) handled by the DNS server, which consults the GlobalNames zone and the forward lookup zone.
Options for Implementing DNS Security

Option: Description
DNS cache locking: Prevents entries in the cache from being overwritten until a percentage of the TTL has expired
DNS socket pool: Randomizes the source port for issuing DNS queries. Enabled by default in Windows Server 2012
DNSSEC: Protects clients that are making DNS queries from accepting false DNS responses. Enables a DNS zone and all records in the zone to be signed cryptographically so that client computers can validate the DNS response
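Checking and restoring the cache-locking and socket-pool settings from the table, as an added example that is not the course's own code. DNS1 is an assumed server name; the baseline values (100 % locking, 2500 ports) are the Windows Server 2012 defaults.

```powershell
# Added example: assumed server DNS1 (constructed value).
$dns = 'DNS1'

# Cache locking: the percentage of a cached record's TTL during which a later response
# cannot overwrite it. 100 means never before expiry. A value of 0 would let an attacker's
# spoofed answer replace a good cached entry at any time.
Get-DnsServerCache -ComputerName $dns | Select-Object LockingPercent, EnablePollutionProtection
Set-DnsServerCache -ComputerName $dns -LockingPercent 100 -PollutionProtection $true

# Socket pool: the number of randomised UDP source ports available for outbound queries.
# A larger pool makes guessing the (port, transaction ID) pair of an in-flight query harder.
(Get-DnsServerSetting -ComputerName $dns -All).SocketPoolSize
dnscmd $dns /Config /SocketPoolSize 2500

# Reusable check: report whether a server meets the baseline, so several servers can be
# audited in one pass (Test-DnsCacheHardening is a name chosen for this example).
function Test-DnsCacheHardening {
    param([string]$Server)
    $cache = Get-DnsServerCache -ComputerName $Server
    $pool  = (Get-DnsServerSetting -ComputerName $Server -All).SocketPoolSize
    [pscustomobject]@{
        Server         = $Server
        LockingPercent = $cache.LockingPercent
        SocketPoolSize = $pool
        Hardened       = ($cache.LockingPercent -ge 100 -and $pool -ge 2500)
    }
}
'DNS1', 'DNS2' | ForEach-Object { Test-DnsCacheHardening -Server $_ } | Format-Table -AutoSize
```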
How DNSSEC Works

DNSSEC functions as follows:
• If a zone has been digitally signed, a query response will contain digital signatures
• DNSSEC uses trust anchors, which are special zones that store public keys associated with digital signatures
• Resolvers use trust anchors to retrieve public keys and build trust chains
• DNSSEC requires trust anchors to be configured on all DNS servers participating in DNSSEC
• DNSSEC uses the Name Resolution Policy Table (NRPT), which contains rules that control the requesting client computer behavior for sending queries and handling responses
New DNSSEC Features for Windows Server 2012

• DNSSEC enhancements for Windows Server 2012 include:
• Simplified DNSSEC implementation
• A DNSSEC Zone Signing Wizard that steps you through the process of signing and configuring signing parameters for zones
• Support for DNS dynamic updates in DNSSEC signed zones
• Automated trust anchor distribution through AD DS
• Windows PowerShell-based command-line interface for management and scripting
• The following new resource records:

Resource record: Purpose
DNSKEY: This record publishes the public key for the zone.
Delegation Signer (DS): A delegation record that contains the hash of the public key of a child zone. This record is signed by the parent zone's private key. If a child zone of a signed parent is also signed, the DS records from the child must be manually added to the parent so that a chain of trust can be created.
Resource Record Signature (RRSIG): This record holds a signature for a set of DNS records. It is used to check the authority of a response.
Next Secure (NSEC): When the DNS response has no data to provide to the client, this record authenticates that the host does not exist.
NSEC3: A hashed version of the NSEC record that prevents "alphabet" attacks, which enumerate the zone by walking from one NSEC record to the next.
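Signing a zone, publishing the DS set, checking the trust anchor and NRPT rule, and observing the RRSIG records in a validated answer, as an added example covering the "How DNSSEC Works" and "New DNSSEC Features" slides (not the course's own code). DNS1, contoso.com, the export folder and the hostname www are constructed values.

```powershell
# Added example: assumed AD-integrated zone contoso.com on DNS1 (constructed values).
$dns = 'DNS1'; $zone = 'contoso.com'

# Sign the zone with the default parameters. This server becomes the key master and
# generates the KSK and ZSK; NSEC3 is the default denial-of-existence record type.
Invoke-DnsServerZoneSign -ComputerName $dns -ZoneName $zone -SignWithDefault -Force

# The signed zone now carries the new record types: DNSKEY, RRSIG, NSEC3.
Get-DnsServerResourceRecord -ComputerName $dns -ZoneName $zone -RRType Dnskey |
    Select-Object HostName, RecordType, TTL
Get-DnsServerResourceRecord -ComputerName $dns -ZoneName $zone -RRType Rrsig |
    Select-Object -First 5 HostName, RecordType

# Chain of trust: export the DS set so the parent zone's operator can publish it.
# Until the parent carries the DS, validating resolvers cannot chain to this zone.
Export-DnsServerDnsSecPublicKey -ComputerName $dns -ZoneName $zone -Path 'C:\DnsSec' -DigestType Sha256

# Trust anchors for AD-integrated zones are distributed through AD DS; confirm this
# server (and, in turn, every other DC running DNS) holds one for the zone.
Get-DnsServerTrustAnchor -ComputerName $dns -Name $zone |
    Select-Object TrustAnchorName, TrustAnchorType, TrustAnchorState

# Client side: an NRPT rule makes resolvers require validated answers for the namespace.
# In production this rule is normally pushed by Group Policy; here it is set locally.
Add-DnsClientNrptRule -Namespace ".$zone" -DnsSecEnable -DnsSecValidationRequired
Get-DnsClientNrptRule | Where-Object Namespace -eq ".$zone" |
    Select-Object Namespace, DnsSecEnabled, DnsSecValidationRequired

# A query with the DO bit set returns the RRSIG alongside the A record; a response
# without it from a signed zone is what a validating client must reject.
$answer = Resolve-DnsName -Server $dns -Name "www.$zone" -Type A -DnssecOk
$answer | Select-Object Name, Type, TTL
if (-not ($answer | Where-Object Type -eq 'RRSIG')) {
    Write-Warning "No RRSIG returned for www.$zone; the zone is not serving signed data."
}
```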
Lesson 3: Implementing IP Address Management (IPAM)

• What Is IPAM?
• IPAM Architecture
• Scenarios for Using IPAM
• Requirements for IPAM Implementation
• Demonstration: Implementing IPAM
• Virtual Address Space Management in IPAM
• IPAM RBAC
What Is IPAM?

IPAM facilitates IP management in organizations with complex networks by enabling administration and monitoring of DHCP and DNS.

IP administration area: Description
Planning: Reduces the time and expense of the planning process when changes occur in the network
Managing: Provides a single point of management and assists in optimizing utilization and capacity planning for DHCP and DNS
Tracking: Enables tracking and forecasting of IP address utilization
Auditing: Assists with compliance requirements and provides reporting for forensics and change management
IPAM Architecture

IPAM architecture consists of 4 main modules:

Module: Description
IPAM discovery: Discovering servers that are running Windows Server and that have DNS, DHCP, or AD DS installed. Adding servers manually.
IP address space management: Viewing, monitoring, and managing the IP address space. Issuing addresses dynamically or assigning them statically. Tracking address utilization and detecting overlapping DHCP scopes.
Multi-server management and monitoring: You can manage and monitor multiple DHCP servers. You can also monitor multiple DNS servers.
Operational auditing and IP address tracking: Tracking potential configuration problems. Collecting, managing, and viewing details of configuration changes from managed DHCP servers. Collecting address lease tracking from DHCP lease logs, and collecting logon event information from NPS and domain controllers.
IPAM Architecture

• IPAM can be deployed in one of three topologies:
1. Distributed: deploy an IPAM server to every site in the forest
2. Centralized: deploy only one IPAM server in the forest
3. Hybrid: deploy a central IPAM server together with a dedicated IPAM server in each site
• IPAM has two main components:
1. IPAM server: Performs the data collection from the managed servers. Manages the Windows Internal Database and provides role-based access control (RBAC).
2. IPAM client: Provides the client computer user interface. Interacts with the IPAM server, and invokes Windows PowerShell to perform DHCP configuration tasks, DNS monitoring, and remote management.
• IPAM provisioning can be done either manually or through GPO
Scenarios for Using IPAM

Figure: IPAM at the centre of three scenarios:
• Virtualized Network Automation (manage the IP addresses for a hybrid cloud solution)
• Granular RBAC Administration (manage the specified areas)
• Infrastructure Server Management (DNS and DHCP servers)
Requirements for IPAM Implementation

Prerequisites:
• IPAM server must belong to the domain
• IPAM server cannot be a domain controller
• IPv6 must be enabled in order to manage IPv6
• Log on with a domain account
• You must be in the correct IPAM local security group
• Logging account logon events must be enabled for IP address tracking and auditing

Hardware and software requirements:
• CPU: dual-core 2.0 GHz or higher
• Windows Server 2012, 4 GB of RAM
• 80 GB free disk space
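A pre-flight check that tests a candidate server against the prerequisites and hardware requirements listed above, as an added example that is not part of the course. The function name is chosen for this example; the audit check reads the local "Account Logon" policy with auditpol, which in a real deployment is the policy that must be on at the domain controllers and NPS servers that feed IPAM.

```powershell
# Added example: run on the server you intend to make the IPAM server.
# Test-IpamPrerequisites is a name chosen for this example, not an IPAM cmdlet.
function Test-IpamPrerequisites {
    $cs   = Get-CimInstance Win32_ComputerSystem
    $cpu  = Get-CimInstance Win32_Processor | Measure-Object -Property NumberOfCores -Sum
    $disk = Get-CimInstance Win32_LogicalDisk -Filter "DeviceID='$env:SystemDrive'"
    $v6   = Get-NetAdapterBinding -ComponentID ms_tcpip6 | Where-Object Enabled

    # auditpol prints each Account Logon subcategory with its setting; any enabled
    # subcategory shows "Success" in the output.
    $audit = auditpol /get /category:"Account Logon" 2>$null

    # DomainRole 4 and 5 are backup and primary domain controllers.
    $checks = [ordered]@{
        'Joined to a domain'           = $cs.PartOfDomain
        'Not a domain controller'      = $cs.DomainRole -lt 4
        'Dual-core CPU or better'      = $cpu.Sum -ge 2
        'At least 4 GB RAM'            = $cs.TotalPhysicalMemory -ge 4GB
        'At least 80 GB free disk'     = $disk.FreeSpace -ge 80GB
        'IPv6 bound on an adapter'     = [bool]$v6
        'Account Logon events audited' = [bool]($audit -match 'Success')
    }
    foreach ($c in $checks.GetEnumerator()) {
        [pscustomobject]@{ Check = $c.Key; Passed = [bool]$c.Value }
    }
}

$result = Test-IpamPrerequisites
$result | Format-Table -AutoSize
if ($result.Passed -contains $false) {
    Write-Warning 'One or more IPAM prerequisites are not met; fix them before provisioning.'
}
```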
Lesson 4: Managing IP Address Spaces with IPAM

• Using IPAM to Manage IP Addressing
• Adding Address Spaces to IPAM
• Importing and Updating Address Spaces
• Finding, Allocating, and Reclaiming IP Addresses
• Maintaining IP Address Inventory in IPAM
• Demonstration: Using IPAM to Manage IP Addressing
• IPAM Monitoring
• Demonstration: Using IPAM Monitoring
Using IPAM to Manage IP Addressing

• You can view and manage the IP address space using the following
views:
• IP address blocks
• IP address ranges
• IP addresses
• IP inventory: Viewing a list of all IP addresses in the enterprise along with their
device names and type.
• IP address range groups: organizing IP address ranges into logical groups

• You can monitor the IP address space using the following views:
• DNS and DHCP servers
• DHCP scopes
• DNS zone monitoring
• Server groups
Importing and Updating Address Spaces
• Use a text file to import individual IP addresses
• The mandatory fields for IP address import are:
• IP Address
• Managed by Service
• Service Instance
• Device Type
• IP Address State
• Assignment Type
• Use a text file to import or update IP address ranges
• The mandatory fields for IP address block import are:
• Network
• Start IP address
• End IP address
• Regional Internet Registry (RIR)
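Building an address import file with the mandatory fields listed above, validating it before import, and loading it with the IpamServer module, as an added example that is not the course's own code. The file path, the two sample rows and the column headers are constructed (the headers are assumed to match IPAM's import format; an Export-IpamAddress file from your own server shows the exact names).

```powershell
# Added example with constructed values: two static addresses imported into IPAM.
$path = 'C:\Ipam\addresses.csv'
$rows = @(
    [pscustomobject]@{ 'IP Address' = '10.0.1.20'; 'Managed by Service' = 'IPAM'; 'Service Instance' = 'Localhost'
                       'Device Type' = 'Host';     'IP Address State' = 'In-Use';  'Assignment Type'  = 'Static' }
    [pscustomobject]@{ 'IP Address' = '10.0.1.21'; 'Managed by Service' = 'IPAM'; 'Service Instance' = 'Localhost'
                       'Device Type' = 'Printer';  'IP Address State' = 'In-Use';  'Assignment Type'  = 'Static' }
)
$rows | Export-Csv -Path $path -NoTypeInformation

# Every row must carry all six mandatory fields and a parseable address; reject the
# file up front so one malformed row does not fail the whole import.
$mandatory = 'IP Address', 'Managed by Service', 'Service Instance',
             'Device Type', 'IP Address State', 'Assignment Type'
function Test-IpamImportRow {   # name chosen for this example
    param([pscustomobject]$Row)
    foreach ($f in $mandatory) {
        if ([string]::IsNullOrWhiteSpace($Row.$f)) { return $false }
    }
    return [bool]($Row.'IP Address' -as [ipaddress])
}
$bad = Import-Csv -Path $path | Where-Object { -not (Test-IpamImportRow -Row $_) }
if ($bad) {
    $bad | Format-Table -AutoSize
    throw 'Fix the rows above before importing.'
}

# Import. Rows that IPAM itself rejects are written to the error path for review.
Import-IpamAddress -Path $path -ErrorPath 'C:\Ipam\Errors' -AddressFamily IPv4 -Force

# Confirm the addresses are now in the inventory.
Get-IpamAddress -AddressFamily IPv4 |
    Where-Object { $_.IpAddress.ToString() -in '10.0.1.20', '10.0.1.21' } |
    Select-Object IpAddress, DeviceType, IpAddressState, AssignmentType
```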
IPAM Monitoring

With IPAM, you can:
• Monitor IP address space utilization
• Monitor DNS and DHCP health
• Configure many DHCP properties and values from the IPAM console
• Use the event catalog to view a centralized repository for all configuration changes