Microsoft Azure AZ-800 — Section 14: Implement on-premises and hybrid name resolution Part 2

110. Create and manage zones and records

It's now time to take a look at how we create zones and records in DNS. You've already seen me draw this out on the whiteboard.

If you skipped over that drawing, you probably should go back and watch it. I'm going to go to Start and open Server Manager. We already have DNS installed, so from Server Manager I'll go to Tools and open the DNS console, the graphical tool for managing DNS. The first thing you'll notice underneath your server is a couple of folders: one called Forward Lookup Zones, the other called Reverse Lookup Zones.

Forward lookup zones are databases built for forward lookups.

So what is a forward lookup? A forward lookup is when a machine queries DNS to turn a name into an IP address, whereas a reverse lookup is IP address to name.

Generally speaking, the majority of what happens in DNS is forward lookups.

When somebody issues a forward query, they know the name of what they're looking for, but they need the IP address that goes with it. A reverse lookup is the opposite: you know the IP address of something, but you need the name that goes with it.

Most importantly, for Active Directory you absolutely must have a forward lookup zone; a reverse lookup zone is optional. You can live without reverse lookups, but forward lookups are mandatory. And of course the zone here that is named after my domain is the one Active Directory depends on.

As I showed in my drawing earlier, I can right-click Forward Lookup Zones and create other zones. In the drawing I showed you that you can have what's called an Active Directory-integrated primary. If you choose that, you pick the first option, Primary zone, and the checkbox at the bottom, "Store the zone in Active Directory", must be selected. That's what makes it an Active Directory-integrated primary. If you uncheck the box, it becomes what we call a standard primary.

You can only have one standard primary for a zone; every other copy has to be a secondary or a stub. An Active Directory-integrated primary also requires the server to be a domain controller. My server is a domain controller, which is why that checkbox is available; if this were not a domain controller it would be greyed out, just like it is if I click Secondary, because there is no such thing as an Active Directory-integrated secondary. Secondaries are read-only, no ifs, ands or buts about it. You can never make updates on a secondary; updates happen on the primary and replicate to the secondary. And you would choose Stub if you're going to set up a stub zone.

Here I'm going to go with Primary. In a previous video I showed setting up an AD-integrated primary, so let's look at setting up a standard primary this time.

I'll click Next, and I'm going to name this standard primary demodnsname.com. Click Next, and it's going to create a zone file for DNS.

This is the interesting part: when you create an AD-integrated zone, the zone data is stored in Active Directory and replicated that way. But when you create a standard zone, a standard primary or a standard secondary, it's stored in a file.

That file lives on the local disk. If I open File Explorer and go to C:\Windows\System32, I can show you where it's stored: there's a folder called dns, and that's where the zone file is kept.

If you see a file for my examlabpractice.com zone in here, that's just a leftover copy; that zone is actually stored in Active Directory, and that's how it gets replicated. With standard zones it really is just a text file with a .dns extension. We'll click Next, and now it's going to ask whether we want to allow dynamic updates.

In the previous video I explained a little about this. Dynamic updates means that client computers can register their own names automatically. Only AD-integrated zones allow the first option, "Allow only secure dynamic updates", which means a computer has to authenticate before it can register or change a record; that's the best way to go. The second option, "Allow both nonsecure and secure dynamic updates", means any computer can register a name. The downside is that an attacker on the network could put false records into the zone and redirect traffic. You can also choose "Do not allow dynamic updates", which is the default for a standard zone. If we want everything to be static, that's what we choose. If this zone were going to identify something like a public web server, that's the way you'd go.

So I'm going to choose "Do not allow dynamic updates", click Finish, and I've now officially created my zone.
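The same two zone types, created with the DnsServer PowerShell module instead of the New Zone wizard. This is an added example, not code from the course; it assumes the course's lab domain examlabpractice.com and the demo zone demodnsname.com, and the AD-integrated zone name corp.examlabpractice.com is made up for illustration.

```powershell
# Added example (not from the course). Run elevated on the DNS server (NYC-DC1).
# Assumed names: demodnsname.com (the course's demo zone) and corp.examlabpractice.com
# (a made-up AD-integrated zone name used only to show the second zone type).
Import-Module DnsServer

# 1. Active Directory-integrated primary: stored in AD, replicated by AD, and able to use
#    secure-only dynamic updates (only authenticated domain computers can register or overwrite
#    names). Requires that this server be a domain controller.
if (-not (Get-DnsServerZone -Name 'corp.examlabpractice.com' -ErrorAction SilentlyContinue)) {
    Add-DnsServerPrimaryZone -Name 'corp.examlabpractice.com' `
        -ReplicationScope 'Domain' `
        -DynamicUpdate 'Secure'
}

# 2. Standard primary: stored as a text file under %SystemRoot%\System32\dns, no AD
#    replication, so 'Secure' is not available. Choose None for a hand-maintained zone
#    (e.g. public-facing web names); avoid NonsecureAndSecure, which lets any host on the
#    network write records.
if (-not (Get-DnsServerZone -Name 'demodnsname.com' -ErrorAction SilentlyContinue)) {
    Add-DnsServerPrimaryZone -Name 'demodnsname.com' `
        -ZoneFile 'demodnsname.com.dns' `
        -DynamicUpdate 'None'
}

# Verify: zone type, whether it is AD-integrated, and the dynamic update setting for each zone.
Get-DnsServerZone |
    Where-Object { -not $_.IsAutoCreated } |
    Select-Object ZoneName, ZoneType, IsDsIntegrated, DynamicUpdate, ZoneFile |
    Format-Table -AutoSize

# The standard zone's file now exists on disk; the AD-integrated zone has none.
Test-Path (Join-Path $env:SystemRoot 'System32\dns\demodnsname.com.dns')

# Audit: flag any zone that accepts unauthenticated dynamic updates.
Get-DnsServerZone |
    Where-Object { $_.DynamicUpdate -eq 'NonsecureAndSecure' } |
    ForEach-Object { Write-Warning "Zone $($_.ZoneName) accepts nonsecure dynamic updates" }
```

The audit loop at the end is the check worth keeping: a zone that was created with "Allow both nonsecure and secure dynamic updates" looks identical in the console tree to a secure one, and only the zone's properties (or `DynamicUpdate` here) show the difference.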

OK.

Inside that zone there are already a couple of records. All DNS zones contain records, and records are the information people query for. A couple of record types are created right out of the gate when you create a zone. The first is the Start of Authority record, or SOA. That is the only one of that record type you'll ever have in a zone. This record is what gets loaded when the zone comes online.

So when a DNS server boots up, it loads that record first. It's a configuration record, and it holds information like the serial number. The serial number is how replication is decided.

For example, say you have two servers, a primary and a secondary. Any time a change occurs on the primary, the serial number gets incremented.

So if five new changes occurred on my zone right now, the serial number would go up by five, say from one to six. The secondary copy on the other DNS server would still have a serial number of one, and that mismatch lets the other server know it needs to pull the changes.

That's what the serial number does: it's what lets your zones know they need to pull changes. The primary server field names the server that is in charge of the zone, which of course is this server. The responsible person isn't really anything functional; you can put an email address there and people can query for who is responsible for a zone, but it doesn't give anybody any power. Then these intervals are for replication.

The secondary checks in with the primary every 15 minutes by default (the refresh interval). If it can't contact the primary, it retries every 10 minutes (the retry interval). Eventually, if it still can't reach the primary, the zone will expire on the secondary.

If the zone expires because the secondary couldn't talk to the primary, after a day by default (the expire interval), the secondary stops serving that zone to its clients. Of course you can change those intervals. Then there's the TTL, the time to live, which is the caching rule.

When computers query DNS, by default they are allowed to remember the answer they get for an hour.

You can set that here for all records, and by default it's an hour.

Now, the "TTL for this record" field on the SOA tab is just for this one record.

Each record has its own TTL, and then there is a minimum (default) TTL on the SOA. The default TTL is how long computers can cache the information for records that don't set their own, but you can change the interval for just one record, and you can do that with other records as well: give them a different TTL if you will. That's what the Start of Authority record is. Then you've got the name server (NS) record. An NS record identifies a DNS server for the zone, so all of your DNS servers for a zone will be identified using NS records.
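Reading and changing the SOA intervals, watching the serial move, and giving one record its own TTL, as an added example rather than anything from the course. It assumes the standard primary demodnsname.com created above exists on this server; the record names temp and moving and their addresses are made up.

```powershell
# Added example (not from the course): SOA and TTL handling on the standard primary
# demodnsname.com. Assumed: the zone exists on this server; 'temp' and 'moving' are made-up records.
Import-Module DnsServer
$zone = 'demodnsname.com'

# The SOA record: only one per zone; loaded first when the zone comes online.
$soa = Get-DnsServerResourceRecord -ZoneName $zone -RRType Soa
$soa.RecordData | Select-Object PrimaryServer, ResponsiblePerson, SerialNumber,
    RefreshInterval, RetryDelay, ExpireLimit, MinimumTimeToLive

# Windows defaults: refresh 15 min, retry 10 min, expire 1 day, minimum (default) TTL 1 hour.
# Tighten refresh/retry so secondaries notice changes sooner; extend expire so a secondary keeps
# answering for longer if the primary is unreachable.
$new = $soa.Clone()
$new.RecordData.RefreshInterval   = [TimeSpan]::FromMinutes(5)
$new.RecordData.RetryDelay        = [TimeSpan]::FromMinutes(2)
$new.RecordData.ExpireLimit       = [TimeSpan]::FromDays(7)
$new.RecordData.MinimumTimeToLive = [TimeSpan]::FromMinutes(30)   # default TTL for records without one
Set-DnsServerResourceRecord -ZoneName $zone -OldInputObject $soa -NewInputObject $new

# Any change to the zone bumps the serial; secondaries compare serials to decide whether to pull.
$before = (Get-DnsServerResourceRecord -ZoneName $zone -RRType Soa).RecordData.SerialNumber
Add-DnsServerResourceRecordA -ZoneName $zone -Name 'temp' -IPv4Address '192.168.1.250'
$after  = (Get-DnsServerResourceRecord -ZoneName $zone -RRType Soa).RecordData.SerialNumber
"Serial {0} -> {1}" -f $before, $after

# Per-record TTL: short for a record you expect to move (e.g. during a migration), so clients
# stop caching the old address quickly.
Add-DnsServerResourceRecordA -ZoneName $zone -Name 'moving' -IPv4Address '192.168.1.251' `
    -TimeToLive (New-TimeSpan -Minutes 5)

Get-DnsServerResourceRecord -ZoneName $zone -RRType A |
    Select-Object HostName, TimeToLive, @{ n = 'IP'; e = { $_.RecordData.IPv4Address } }
```

The clone-then-replace pattern (`-OldInputObject`/`-NewInputObject`) is how `Set-DnsServerResourceRecord` works for every record type, not just the SOA.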

That's how they identify each other. I've only got one DNS server in here right now.

Now I could jump over to my NYC-SVR1 server and make it a secondary for this zone if I want.

If I want my other server to be able to communicate with, and maybe even replicate, this zone, I create an NS record that points to that other server.

So why don't we do that? We're currently sitting on NYC-DC1. Let's say we want NYC-SVR1 to be able to replicate this new zone I created.

To do that, I jump over to NYC-SVR1. As you can see, I don't have DNS installed there, so I'm going to go to Manage > Add Roles and Features, Next, Next, Next, and install the DNS Server role. By the way, if you have DNS installed from a previous lesson, you might want to uninstall it and reinstall it.

To do that, go back up to Manage, remove the role, and reboot the computer. Because of the things we've installed and uninstalled in earlier lessons, it's good to start with a fresh DNS install.

The other thing I want you to look at while that's installing is what the IP address of this machine is. In my case I'm not using static addresses, I'm using dynamic addresses, because I'm sometimes on different networks when I'm doing these videos. I can run ipconfig and see the address there. I also want to make sure this computer is pointing to NYC-DC1 as its DNS server, so I run ipconfig /all. It's a little sluggish because I'm installing something and this virtual machine doesn't have a lot of memory, but you can see that my DNS server is 192.168.1.186.

You can ignore all the IPv6 stuff; it doesn't matter here. As long as I'm pointing to NYC-DC1, I'm good. If you're not, point your machine at it and reboot before you continue.

Now DNS is installing on that machine. I'll jump back over to NYC-DC1 and create a new NS record. We do that by right-clicking the zone, going to Properties, and then the Name Servers tab. Click Add, and the name is nyc-svr1.examlabpractice.com. I click Resolve, and it can't find an IP address for it yet.

So we'll just plug in the address of NYC-SVR1, which in my lab is 192.168.1.187 (the domain controller is .186).

It checks that it has connectivity to it, which it does, we click OK, and we've now added the NS record.

That sets the groundwork for allowing the second server to replicate; without that NS record the server is not going to replicate. In fact, I can control that: if I right-click the zone, go to Properties and then the Zone Transfers tab, I can choose who I'll replicate with: any server, only servers listed on the Name Servers tab (the ones that have an NS record), or only specific addresses.

In other words, only these servers, or only the IPs I list.

I can choose whichever of those I want. Obviously if I pick "To any server", I'm saying I'll transfer the whole zone to anybody who asks, which also means anyone who can reach the server can pull a full copy of my records for reconnaissance, so in production you want one of the restricted options. I'll click OK, jump back over to the other server, and it looks like the install is done.

We go to Tools > DNS. I'll expand the server and Forward Lookup Zones. As you can see, there are no zones, so we right-click, choose New Zone, Next, and we can choose either Secondary or Stub. Notice it's not letting me choose "Store the zone in Active Directory". That's because in an earlier lesson I uninstalled Active Directory from this machine.

You might remember that this machine was a domain controller earlier; it isn't anymore, so the AD-integrated option is greyed out.

OK.

If I wanted to create a stub, just for the fun of it, here's how I'd do that. Click Next, specify the zone name, and if we go back over to the other server we can see the zone is called demodnsname.com.

So we type demodnsname.com and click Next.

It's going to create its own zone file; click Next. Then it asks for the master DNS server, which is nyc-dc1.examlabpractice.com.

If it's not able to resolve that name, it's because of the odd network I'm on right now, so I can put in the IP address instead, 192.168.1.186. I typed 185 at first, then double-checked on the other server: it's 186.

So let's correct that to 186.

It found the server, so we select it, delete the wrong entries, click Next and then Finish. This may take a moment. Right now it says "Zone Not Loaded by DNS Server: the DNS server encountered an error while attempting to load the zone; the transfer of zone data from the master server failed."

That will sometimes take just a moment; refresh it in a minute and it will transfer.

Sometimes you'll get this error the instant you click it.

So I refresh and it's working. One thing I forgot to mention: if you've been following the previous lessons, I've had a lot of IP changes, and what we want is to make sure the DNS server only listens on the IP address we want it to use. We can manage that by right-clicking the NYC-SVR1 server, going to Properties, and on the Interfaces tab choosing "Only the following IP addresses". The domain controller NYC-DC1 is 192.168.1.186; this server should listen on 192.168.1.187.

That makes DNS listen only on that one address, which is also good hygiene on any multi-homed server. At that point I can refresh, my data has been transferred, and I now have a stub zone showing up.

Now I can do the same thing with a secondary. If I want the whole zone to replicate, I create a secondary.

Let me show you how to create a secondary real quick. Right-click, New Zone, Next, choose Secondary, Next.

Zone name demodnsname.com, master server 192.168.1.186.

Next and Finish. There's a little error we may get; give it a moment to transfer from the master. Let me open DNS back up here.

OK, the DNS console is back. Let's also try closing it and reopening it; sometimes that speeds it up. We're still waiting on it to replicate, but it should replicate here in just a moment. The zone is demodnsname.com, which is what we named it over on the other server. While that's happening, I want to come back over to NYC-DC1 and show you some other records. If I right-click the zone I have various records to choose from. For example, I can create a new Host (A) record. An A record is a host record that maps the name of a machine to its address; if you're going to have a www record for a website, you'd start here too. I'll create a new host record called webserver and give it an IP address of 192.168.1.200. Let's say that's our web server.
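The two halves of the replication setup from this lesson done in PowerShell, as an added example that is not part of the course. Part 1 runs on NYC-DC1 (192.168.1.186), which holds the primary; part 2 runs on NYC-SVR1 (192.168.1.187). It assumes NYC-SVR1's name in the lab domain is nyc-svr1.examlabpractice.com, and that "." as the record name means the zone apex, as in the DnsServer module's documented MX example.

```powershell
# Added example (not from the course). Part 1: run on NYC-DC1. Part 2: run on NYC-SVR1.
# Assumed: NYC-SVR1 = nyc-svr1.examlabpractice.com at 192.168.1.187; NYC-DC1 at 192.168.1.186.
Import-Module DnsServer
$zone = 'demodnsname.com'
$dc1  = '192.168.1.186'
$svr1 = '192.168.1.187'

# ---------- Part 1: on NYC-DC1 (holds the primary) ----------
# NS record for the second server (Name Servers tab in the GUI). '.' = zone apex.
Add-DnsServerResourceRecord -ZoneName $zone -NS -Name '.' -NameServer 'nyc-svr1.examlabpractice.com'

# Zone transfers (Zone Transfers tab). "To any server" lets anyone AXFR the whole zone, which is
# a reconnaissance gift; restrict to an explicit list and notify it when the serial changes.
Set-DnsServerPrimaryZone -Name $zone `
    -SecureSecondaries 'TransferToSecureServers' -SecondaryServers $svr1 `
    -Notify 'NotifyServers' -NotifyServers $svr1

Get-DnsServerZone -Name $zone | Select-Object ZoneName, SecureSecondaries, SecondaryServers, Notify

# ---------- Part 2: on NYC-SVR1 ----------
# Install the role (Manage > Add Roles and Features in the GUI).
Install-WindowsFeature -Name DNS -IncludeManagementTools

# Make the DNS server listen only on the lab address (Interfaces tab in server properties).
$settings = Get-DnsServerSetting -All
$settings.ListeningIPAddress = @($svr1)
Set-DnsServerSetting -InputObject $settings

# A secondary (full read-only copy) or a stub (SOA + NS + glue only) of the zone on DC1.
# This box is not a DC, so there is no AD-integrated option; both types are file-backed.
Add-DnsServerSecondaryZone -Name $zone -ZoneFile "$zone.dns" -MasterServers $dc1
# Add-DnsServerStubZone -Name $zone -ZoneFile "$zone.dns" -MasterServers $dc1   # alternative

# Force the first transfer instead of waiting for the refresh interval, then verify.
Start-DnsServerZoneTransfer -Name $zone -FullTransfer
Get-DnsServerZone -Name $zone | Select-Object ZoneName, ZoneType, MasterServers, IsDsIntegrated
Get-DnsServerResourceRecord -ZoneName $zone -RRType Soa |
    ForEach-Object { "Serial on secondary: $($_.RecordData.SerialNumber)" }
```

If the secondary still shows the "Zone Not Loaded" error after `Start-DnsServerZoneTransfer`, check the order of operations: the NS record and the transfer restriction on the primary have to be in place before the secondary's first request, and the primary must be reachable on TCP 53 from the secondary's listening address.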

Now let's say the web server is called webserver, but you also want to associate other names with it. Maybe the web server is also an FTP server, a web server and an email server, and you want multiple names that correspond to this one record. You can do that; that's known as aliasing. Aliasing is where you have a bunch of names associated to a single record, and you do it by creating what's called a CNAME record, which stands for canonical name.

So watch this: I'll create a CNAME called www and point it to webserver. I'll create another one called ftp, if this were an FTP server as well, and point it to webserver.

If it was also your email server, you could call it email if you want, though a lot of people just use the word mail, and identify it that way.

Now I've got three different names. The great thing about this is that if the IP address ever changes, you only have to change the one host record, and all these alias records will still reflect whatever the new address is.

That's a really cool feature. Let me just close out of all of that. This also means I can go to a command prompt and I should be able to resolve those names.

So let's go to the command prompt.

If I ping www.demodnsname.com, look what it says: it's pinging 192.168.1.200. The same thing would happen if I pinged ftp or mail. I would also like to point out that if you were actually setting up an email server you'd want to consider another record, called an MX record. MX records point to SMTP servers for email relay. Remember that email servers query DNS to locate other email servers, so I'd want to go up there and create one as well. When I create a Mail Exchanger (MX) record, you usually leave the first field (host or child domain) blank unless this is for a child domain; in my case it's the parent name. Then you put the mail server's fully qualified name, for example mail.demodnsname.com, and a priority. (One caveat: the name an MX points at should have its own host record rather than being a CNAME alias.) The priority works like a weight: if you have multiple email servers, you could have one that's primary and one that's secondary. If the first mail server's priority is 10 and the second is 20, the lower number has the higher priority. If you put two mail servers with the same priority on the record, mail just gets load balanced between them.

Some mail goes to one, some goes to the other, back and forth.

So that's an MX record. Those are your main records in DNS. There are obviously other types of records I'm not getting into here that you can create as well. Active Directory also uses service location (SRV) records in its zone to identify services in Active Directory: an SRV record identifies the name of a service, the port number it uses and the host that offers it.

That's what a service record is used for.
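The host, alias, mail-exchanger and service records discussed above, created on NYC-DC1 in demodnsname.com and then resolved, as an added example that is not from the course. The webserver address 192.168.1.200 is the course's; the second mail host mail2 and its address 192.168.1.201 are made up to show MX preference ordering, and the mail name is created as a host record rather than an alias because an MX target must not be a CNAME.

```powershell
# Added example (not from the course): records from this lesson in demodnsname.com on NYC-DC1.
# Assumed: zone exists; mail2 / 192.168.1.201 are made up for the MX preference demonstration.
Import-Module DnsServer
$zone = 'demodnsname.com'

# A (host) records: name -> IPv4.
Add-DnsServerResourceRecordA -ZoneName $zone -Name 'webserver' -IPv4Address '192.168.1.200'
Add-DnsServerResourceRecordA -ZoneName $zone -Name 'mail'      -IPv4Address '192.168.1.200'
Add-DnsServerResourceRecordA -ZoneName $zone -Name 'mail2'     -IPv4Address '192.168.1.201'

# CNAME (alias) records all point at the single host record, so only one A record changes
# when the address moves.
foreach ($alias in 'www', 'ftp') {
    Add-DnsServerResourceRecordCName -ZoneName $zone -Name $alias -HostNameAlias "webserver.$zone"
}

# MX records at the zone apex ('.'): lower preference is tried first; equal preference
# load-balances. Targets are host (A) records, not aliases.
Add-DnsServerResourceRecordMX -ZoneName $zone -Name '.' -MailExchange "mail.$zone"  -Preference 10
Add-DnsServerResourceRecordMX -ZoneName $zone -Name '.' -MailExchange "mail2.$zone" -Preference 20

# Resolve the alias against this server: the answer shows the CNAME followed by the A record.
Resolve-DnsName -Name "www.$zone" -Server 127.0.0.1 -Type A |
    Select-Object Name, Type, NameHost, IPAddress

# Mail routing lookup, sorted the way an SMTP server would try the exchangers.
Resolve-DnsName -Name $zone -Server 127.0.0.1 -Type MX |
    Where-Object Type -eq 'MX' | Sort-Object Preference | Select-Object NameExchange, Preference

# SRV records Active Directory publishes for itself in the domain zone: service and protocol
# in the name, then priority, weight, port and the host offering the service.
Resolve-DnsName -Name '_ldap._tcp.dc._msdcs.examlabpractice.com' -Server 127.0.0.1 -Type SRV |
    Where-Object Type -eq 'SRV' | Select-Object Name, NameTarget, Port, Priority, Weight
```

`Resolve-DnsName -Server 127.0.0.1` asks this server directly and bypasses the client cache, which is what you want when checking a record you just created; plain `ping` goes through the resolver cache and can show a stale answer until its TTL runs out.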

So let's jump back over and look at NYC-SVR1 now.

Back on NYC-SVR1, we refreshed and you can see that the zone is there, and all the records I created over on NYC-DC1 are there too. As a side note, I could have saved myself some trouble jumping between computers by right-clicking DNS in the console and choosing "Connect to DNS Server". That lets you manage the other server from this console and have both of them in one place.

That makes life a little easier when it comes to controlling multiple servers at the same time. But all in all, that is how we create zones, connect the different servers together and make them communicate.

111. Configure DNS forwarding/conditional forwarding

Let's talk now about a DNS feature known as forwarding. There are two ways you can use forwarding: regular forwarding, or what's called conditional forwarding. Forwarding is used whenever somebody queries DNS and the DNS server does not know the answer. The DNS server can send that query on to another DNS server.

For example, say NYC-DC1 is our main DNS server for a site and we want our people to be able to resolve names on the internet. Your clients point to your DNS server, which is an internal DNS server, but they need to resolve things that are on the internet. If you go to Tools > DNS, your DNS server supports something called root hints, which means it knows about the root DNS servers on the internet and can send requests to them and walk the tree itself. However, doing its own recursive queries against the internet is extra work for your DNS server.

So what a lot of companies do is right-click the server, go to Properties, click the Forwarders tab, and forward to an outside DNS server that can handle the processing load of external name resolution. As you can see here, in my case I did that with Google's public DNS server; you could also point to your ISP's DNS server if you know what that is. In this example I clicked Edit and put in 8.8.8.8, which is Google Public DNS, so I'm forwarding all external name queries to Google.

Now here's the other thing: what if you want to forward to some other company's DNS server for certain names only? I talked about stub zones in an earlier lesson and how I could use a stub zone for that. Stub zones, though, require zone transfers of the NS records and all that. What if you just want to forward to another company's DNS server? Let's say we have a relationship with another company's domain, and for lack of a better name it's othercompany.com. What I can do is expand my server, go down to Conditional Forwarders, right-click it, click New Conditional Forwarder, and put in the name othercompany.com. Then you put in the IP address of that other company's DNS server.

Whatever that address is, a public address or a private address, you put in the address of that other server. Of course I don't really have another company's server, so I'm just going to pretend I do and put in a placeholder address. I click OK, and I've now set up a conditional forwarder.

So the main difference: regular forwarding sends every query your DNS server cannot answer itself to the forwarder. A conditional forwarder only sends the query to that other server if somebody is asking for a name under this particular domain.

So the order is this: whenever a query comes in, DNS always checks its own forward lookup zones and reverse lookup zones (and its cache) first; that's the highest priority. If that doesn't answer it, it looks for a matching conditional forwarder. If none applies, it uses the regular forwarders, and if those are unavailable and the "Use root hints if no forwarders are available" option is checked, it falls back to root hints. That is how forwarders work in Microsoft DNS.
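The forwarder and conditional forwarder setup from this section as PowerShell on NYC-DC1, added here as an example and not taken from the course. The other company's server address 203.0.113.5 is a placeholder from the documentation range standing in for the real address the course leaves unspecified; www.microsoft.com and app.othercompany.com are just names to query.

```powershell
# Added example (not from the course). Run on NYC-DC1.
# Assumed: 203.0.113.5 is a placeholder for the partner's DNS server; query names are examples.
Import-Module DnsServer

# Regular forwarder (Forwarders tab): every query this server cannot answer from its own zones,
# its cache or a conditional forwarder goes here. 8.8.8.8 is Google Public DNS.
Add-DnsServerForwarder -IPAddress '8.8.8.8' -PassThru

# Turn off the fallback to root hints so internet lookups never bypass the forwarder if it is
# down (you get a failure instead of silent recursion straight to the internet).
Set-DnsServerForwarder -UseRootHint $false -Timeout 5

# Conditional forwarder: only names under othercompany.com go to that company's server.
Add-DnsServerConditionalForwarderZone -Name 'othercompany.com' -MasterServers '203.0.113.5'

# Review the resulting resolution order on this server:
#   1. authoritative zones (primary/secondary/stub) and cache
#   2. conditional forwarders (ZoneType 'Forwarder' below)
#   3. forwarders
#   4. root hints, only if UseRootHint is still enabled
Get-DnsServerZone |
    Where-Object { -not $_.IsAutoCreated } |
    Select-Object ZoneName, ZoneType, MasterServers |
    Format-Table -AutoSize
Get-DnsServerForwarder | Select-Object IPAddress, UseRootHint, Timeout

# Verify: an external name goes out via the forwarder, the partner name via the conditional one.
Resolve-DnsName -Name 'www.microsoft.com' -Server 127.0.0.1 -Type A |
    Select-Object Name, IPAddress
Resolve-DnsName -Name 'app.othercompany.com' -Server 127.0.0.1 -Type A -ErrorAction SilentlyContinue
```

The `Get-DnsServerZone` listing is the quickest way to spot a forgotten conditional forwarder: it shows up as a zone of type Forwarder with the partner's address in MasterServers, and a stale one quietly keeps sending queries for that domain to whatever address it was given.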