Microsoft Azure AZ-800 — Section 14: Implement on-premises and hybrid name resolution

108. Visualizing DNS with AD DS

I’d like to talk to you about the concept of how DNS and Active Directory Domain Services relate to each other. You’re probably aware of DNS, the Domain Name System. It is the naming service we use to associate names with IP addresses, so that we don’t have to type in IP addresses when we want to connect to things. DNS plays a major role in the functionality of Active Directory, because your domain controllers require DNS to be around to name all the different services and computers in your environment.

So, if you think about this for a moment: here is a domain, this triangle being my domain, and I’ve got domain controllers in my domain that are hosting Active Directory. These domain controllers have to register with DNS based on the name of the domain.

So, in my case, let me just move this up here. I’ve named my domain examlabpractice.com.

OK, then I have to have a DNS server that can handle that naming.

OK, that DNS server hosts what’s called a zone database. This little cylinder-looking thing is going to represent my DNS zone database.

OK. And I’m just going to color-code it to indicate that the name matches.

So, we’ll make this the color red, and we will put that around this folder here, just to indicate that the name matches that database.

OK, so that database would be called the same thing, examlabpractice.com. And then all of your client computers, all of your servers, all the different services that are in your environment…

OK, these being my client computers, and maybe I’ve got some servers over here, like a file server. They are all going to register their names dynamically into DNS. This is why DNS is sometimes referred to as dynamic DNS. And then, when computers want to communicate with each other, they query DNS and ask what the IP address is for the name.

So, when a user types in the name of a computer, that’s how they locate the IP address automatically. When a client computer wants to authenticate to the domain, it’ll do the same thing: it’ll query DNS and say, hey, DNS, what is the address of a domain controller? And DNS returns a list of domain controllers, ordered so that the closest one to you, based on your IP address and site, comes first. Then the user gets authenticated with that domain controller using Kerberos. And so that is the general, common way this occurs.

OK, now let’s look at how DNS would work in a multiple-location, multiple-site environment. You can probably imagine that you’re going to have more than one DNS server. In fact, another question people look at is whether or not your DNS server should also be a domain controller. And to be honest with you, the answer to that question is usually yes, you do want your DNS servers to be domain controllers. You may not necessarily make every domain controller run DNS, but you definitely want your DNS servers to be domain controllers, for a special reason that I’m going to explain here in just a moment.

So, I’m just going to go down here a little bit. We’re going to create some locations and we’ll talk about how all this is going to work. All right.

So let’s create some sites. These ovals are going to represent sites, sites being the geographic locations of your company. Maybe this is going to be New York, this is going to be Dallas, Texas, and this is going to be our Birmingham, Alabama location. All right.

So maybe you’ve got connections that link these sites together, leased lines or whatever, and maybe New York is our corporate headquarters. And so, when we think about DNS, we’ll bring DNS in here. Let’s say we’ve got one DNS server here in New York, and of course we’ve got computers in all of our locations.

So, we’ve got computers in New York, computers in Dallas, computers in Birmingham. We might even have some servers in each one of these locations. And your clients need to be able to authenticate with Active Directory. You’ve also got the question of where your domain controllers are. You may have domain controllers in each one of your locations, and these computers have to authenticate. Now, there’s a problem in this diagram, and the problem is that there’s only one DNS server right now.

So, in order for your computers to log on, they have to locate a domain controller. That’s no problem for New York, because they’ve got a DNS server right there: they can query DNS and then go authenticate to the DC. But in Dallas, they’ve got a perfectly good domain controller right here, yet their queries are going to have to travel up to New York just to learn what the IP address of the domain controller in Dallas is. Same thing for Birmingham.

So that’s a concern. Most of the time, what you want to do is make sure that there is a DNS server in each one of your locations. That’s probably the most common way to do it. The next question that comes up, when you have multiple DNS servers, is what type of database you use. There are different types of databases. You’ve got what is called an Active Directory integrated primary. All right, that’s the first common type. You’ve got what is called a standard primary.

OK, you’ve got what’s called a standard secondary, usually just called a secondary, and then you’ve got what is called a stub, which can actually be AD integrated or standard. I’ll get into what a stub is in a bit, but with Active Directory the preferred database type is this one right here, the Active Directory integrated primary. In a perfect world, you want all of your databases, these guys here, to be Active Directory integrated primaries. The reason is that if you choose this option, Active Directory will handle replicating your databases for you. It’ll also encrypt everything, and it bases its replication on the same schedule that Active Directory handles everything else on. This has been recommended since the year 2000, when Active Directory came out. However, you can go with the older format, standard primary and what are called secondaries, which I’ll explain in a few minutes.

So, if we make every one of these an AD integrated primary, there’s a rule.

OK, the rule is that you can only have an AD integrated primary if your DNS servers are also domain controllers, so that basically means that each one of these would also have to be a DC.

So, when the question comes up, should I make my DNS servers domain controllers? The answer to that question is usually yes. And the reason it’s usually yes is that if your DNS servers are not domain controllers, you cannot use this option here, which is the preferred one.

OK, now what if you don’t want to do that? Or what if you don’t want to make every DNS server in every location a domain controller? Could you use the standard method? You could. The standard primary and secondary method has been around since the beginning of DNS; it’s the original type of database. With standard primary, though, you can only have one primary if you go that route, and that is one of the complaints about it. If you do a standard primary, you only get one primary. Everything else must be a standard secondary, or what’s called a stub. Hang on, I wanted to copy this, actually. All right.

So let’s paste this right here, and then the same thing here, if we make this a secondary. All right, so if we go that route, here’s the problem with that: only New York is writable at that point, because you can only write to a primary. Primaries are writable; secondaries are not.

So that means that whenever something changes, like if this DC changes something, it’s got to be written up here, and then that’s got to be replicated down here.

So, when things get changed, you can’t write them here; this is read-only. Everything that changes must happen on the primary, and then it has to replicate.

So that means there can be a delay. If the IP address of this DC changes, it’s got to send the change up here, and then this guy has got to send it down here, just so these clients are going to know about it.

So that’s one of the main reasons why using the standard method is not good. Do you want to know a real reason why some people use it? It might be because they host their DNS entirely on Linux or Unix, so they’re not using Microsoft servers for their DNS, and so they’re using standard zones. That’s how you get away with it if you need to. But to be honest with you, almost no company does that. I’ve been working with Active Directory since it came out, actually since before it went live, since the beta days in the 90s, and I’ve never seen a company really ever go that route. It’s generally always going to be an AD integrated primary. That’s where most companies go with it, at least in my experience.

OK, now the last type of database, let me switch these back real quick, is called a stub. You’re not usually going to use a stub within the same domain. Stub zones are generally used in situations where you have multiple domains.

So, for example, let me just draw another, smaller triangle over here, and we’ll call this otherdomain.com, just for lack of a better name. Maybe we’ve got a trust relationship or something between the two domains.

OK, they’ve got domain controllers hosting it, just like we do, and they’ve got a DNS server over there, which we’re going to paint blue.

OK, I put a little blue border around it here. All right, and at that point, they’ve got their own clients and their own servers, and let’s say that our clients occasionally have to connect to servers that are over in that other domain.

So this file server here, we’ll call it fs2.otherdomain.com. That’s going to be the name of that file server.

OK, so the problem right now is that if a client sits down here in our domain and types in fs2.otherdomain.com, it’s going to query our DNS server, and our DNS server is going to reply back with a message saying, sorry, I can’t help you, I don’t know the address of that.

So how do we deal with that? All right. One option is something called conditional forwarding. Conditional forwarding means we add the name otherdomain.com here and say, just send everything for that name over to the IP address of this DNS server.

So, I could put that over here and forward anything involving that name from here to there. But if this address ever changes, then this server is not going to know what the new address is.

So the best way to handle that is to do something called a stub zone.

OK. Let me make my DNS server a little bit bigger here. And now what we’re going to do is copy and paste this here and there, and then we’ll copy this in there. All right.

Now, when we do this, we could do a full-blown secondary, and they would replicate with each other. But you’d be replicating the whole database, and you don’t really need the whole database. What you can do instead is a stub.

So this right here would be an AD integrated primary.

OK. But this guy here would be a stub. All right. With a stub, all it does is replicate information about what that DNS server’s address is. If that server’s IP address ever changes, it’s always going to let the stub know.

So now what would happen is this computer could say, I need to go to fs2.otherdomain.com. The stub would know the other DNS server’s address and reply back. As long as there’s connectivity, the lookup can then go over to that DNS server and ask, hey, what’s the IP address of fs2.otherdomain.com? That server would reply back, and at that point the client would know the address of that file server.

So that’s what the stub is going to be.

So a stub is a partial copy of that other zone’s database.

So there’s not a full copy, it’s just a partial copy. It is used so that if you’ve got multiple domains in the mix, it allows one domain to find the other domain’s information. And you can do the same thing over here: I can create a stub of this database over there. I’m not going to draw that out, but you could if you want to. All right, so hopefully that now gives you a decent visualization of how Microsoft DNS corresponds across a single domain with multiple sites, as well as the concept of having multiple domains.
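To put the two cross-domain options side by side, here is an added example (not from the course) that creates a conditional forwarder for otherdomain.com, replaces it with a stub zone, and checks what the stub actually holds. It assumes you run it on a domain controller that has the DNS Server role, and 10.0.2.10 is a constructed placeholder for the other domain’s DNS server.

```powershell
# Added example, not part of the course. Assumes the DnsServer module is present
# (DNS Server role installed) and that 10.0.2.10 is the other domain's DNS server.
$partner    = 'otherdomain.com'
$partnerDns = '10.0.2.10'   # constructed placeholder address

# Option 1: conditional forwarder. This is a static pointer: if $partnerDns ever
# changes, the entry goes stale and every lookup for $partner starts failing.
Add-DnsServerConditionalForwarderZone -Name $partner -MasterServers $partnerDns -ReplicationScope 'Forest'

# Option 2 (the one the course prefers): stub zone. Only the partner's SOA, NS and
# glue records are copied, and the stub refreshes them from the master, so a new
# DNS server address in the other domain is learned automatically.
# A zone name can exist only once on a server, so drop the forwarder first.
Remove-DnsServerZone -Name $partner -Force
Add-DnsServerStubZone -Name $partner -MasterServers $partnerDns -ReplicationScope 'Forest'

# What the stub holds: name-server records and their addresses, not the whole database
Get-DnsServerResourceRecord -ZoneName $partner |
    Select-Object HostName, RecordType, RecordData

# Verify from the client's point of view: the local DNS server can now resolve a host
# in the other domain (given network connectivity to the partner DNS server).
Resolve-DnsName -Name "fs2.$partner" -Type A -Server 127.0.0.1

# Zone inventory: ZoneType separates Primary / Secondary / Stub / Forwarder, and
# IsDsIntegrated shows which zones are stored and replicated by Active Directory.
Get-DnsServerZone | Where-Object { -not $_.IsAutoCreated } |
    Format-Table ZoneName, ZoneType, IsDsIntegrated, DynamicUpdate, ReplicationScope -AutoSize
```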

109. Integrate DNS with AD DS

So here I am on my DC1, this is my domain controller, and I want to make sure that I have DNS set up. Now, when you install Active Directory, which I’ve already done, Active Directory asks if you would like to go ahead and have DNS installed as well, and have the database created for Active Directory to store its information. What I want to show you right now is: what if we didn’t allow Active Directory to do that when we installed it? How would we integrate DNS with Active Directory if we had not gone through that process? So the first thing we’d have to do is install DNS on a domain controller.

So, we would do that by going into Server Manager, Manage, Add Roles and Features, clicking Next, Next, Next, and installing the DNS Server role.

So that’s how you install it. The next thing you would do is go to Server Manager, Tools, and open DNS. And you would create a database, a zone, named after your domain. I’ve already got it, so if I were going to do this myself, I would right-click and say Configure.

Sorry, I would right-click Forward Lookup Zones and click New Zone. I would click Next. This would be a primary zone, and checking "Store the zone in Active Directory" makes it an Active Directory integrated primary zone, so I would click Next. All right. Then it asks how you want to replicate. Do you want to replicate to all DNS servers in the entire forest? To DNS servers that are domain controllers in this domain? Or to all domain controllers in the domain, regardless of whether or not they have DNS, which is an old option for Windows 2000 compatibility? You could also create something called an application directory partition and pick and choose which DNS servers it’s going to replicate to. That option is grayed out because you have to use the command prompt to create one of these partitions, which I’m not getting into right now. I’m going to choose this option here, click Next, and then give the zone a name.

So examlabpractice.com, which I’ve already got, so I can’t actually put that name in. Instead, I’ll put .net on the end, just for the heck of it. We’ll click Next, and it asks whether you want to allow dynamic updates.

So dynamic updates here means it’s going to work through Active Directory. If you had multiple DNS servers, if you’ve got this database installed on other domain controllers, it’s going to replicate with Active Directory, and that’s what an Active Directory integrated primary does. With the secure-only option, whenever a computer dynamically registers with the database, that computer must authenticate.

Now, if you choose "allow both nonsecure and secure", it means that computers that are not part of the domain, that don’t authenticate to the domain, can also add their names into the database, which essentially means that if there are hackers in your network, they could technically register false information in there. But you may have to do that if you’ve got Linux machines and things like that that need to register their names. "Do not allow dynamic updates" just turns off dynamic DNS altogether. Now, in a Microsoft Active Directory environment, if this database is going to be used for Active Directory purposes, you cannot do that. You need to have this turned on. Active Directory requires dynamic DNS, so dynamic updates are going to be a requirement.

So, we’re going to click Next there and click Finish, and we’ve now officially created that database. The next thing we would do, if we were really doing this manually without the help of Active Directory (and remember, Active Directory created that database for us when we installed Active Directory earlier, but we’re pretending it didn’t and that we created it ourselves), is to make sure that your domain controller is pointing to itself for DNS, and then reboot.

OK, I can show you that. I go to Local Server here, open my network adapter’s IP address settings, go to Properties, and I basically need to point to myself, which I’m going to do by putting in 127.0.0.1, meaning I’m pointing at myself. That’s the loopback address.

OK? And then I hit Close. The next thing you want to do: you can either reboot the domain controller, which is one way to do it, or you can stop and restart the Netlogon service. So I can right-click Start, go to Computer Management, pull up my Services, and restart the Netlogon service. If records are missing, the Netlogon service is going to create any records that are missing.

OK. And at that point, it’s restarting. You could reboot and it does the same thing, but it’s a slower process; just restarting the Netlogon service is going to fix any DNS issues at that point. Then you would go in here to DNS, go to the database, and look for these little folders right here with underscores in their names. Those are going to hold the service records, the SRV records, that are needed for Active Directory. Active Directory will handle those itself; you don’t have to manage them. And that’s how you’re going to tell that Active Directory’s DNS database is working correctly. In my case, the one I created is kind of a dummy zone, but we’re just pretending: if Active Directory had not created this database, that’s how we would have done it.

So, all right. And so that is the process for getting all that working. The only other thing I will mention here is that any other servers you’ve got, like NYC-Server1, if this is the only DNS server, you need to make sure that NYC-Server1 is pointing to this server’s IP address as its DNS server. You do not want it pointing to 127.0.0.1.

OK. You’d want it to point to whatever this server’s IP address is. In my case I’m using DHCP, whereas in the real world a server would normally have a static address, but I use DHCP here. I would want to make sure that my other server is pointing to this address for its DNS. Then I could reboot that server, and everything should communicate properly with DNS. All right.

So at that point, we’ve now learned how we can set up the initial DNS. Again, normally you wouldn’t have to go through the process I just showed you, if you let Active Directory handle it when you installed Active Directory. But sometimes people make the mistake of telling it no when they go through the install, and then all of a sudden Active Directory is incredibly slow and things don’t work right.

So that should now help you with getting everything integrated.
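The same integration steps done from PowerShell on the domain controller, as an added example that is not from the course. It assumes the DC’s network adapter is named 'Ethernet', the domain is examlabpractice.com, and 10.0.1.5 is a constructed placeholder for the DC’s own address; it creates the real domain zone only if it is missing rather than the dummy .net zone used in the video.

```powershell
# Added example, not part of the course. Assumes: adapter alias 'Ethernet',
# domain examlabpractice.com, DC address 10.0.1.5 (constructed placeholder).
$domain = 'examlabpractice.com'

# 1. Install the DNS Server role on the domain controller, with the console and module
Install-WindowsFeature -Name DNS -IncludeManagementTools

# 2. Create the zone named after the domain as an AD-integrated primary.
#    ReplicationScope matches the wizard's choices: 'Forest' (all DNS servers in the
#    forest), 'Domain' (DNS servers that are DCs in this domain), 'Legacy' (all DCs,
#    the Windows 2000 option). DynamicUpdate 'Secure' = "allow only secure dynamic
#    updates": a machine must authenticate to the domain before it can add or
#    overwrite a record. 'NonsecureAndSecure' would also accept registrations from
#    unauthenticated hosts, so any machine on the network could register a name.
if (-not (Get-DnsServerZone -Name $domain -ErrorAction SilentlyContinue)) {
    Add-DnsServerPrimaryZone -Name $domain -ReplicationScope 'Domain' -DynamicUpdate 'Secure'
}

# 3. Point the domain controller at itself for DNS (loopback, as in the video).
#    Other servers must use the DC's real address, never 127.0.0.1.
Set-DnsClientServerAddress -InterfaceAlias 'Ethernet' -ServerAddresses 127.0.0.1

# 4. Restart Netlogon instead of rebooting: it re-registers the DC's own records
#    (the list kept in %SystemRoot%\System32\config\netlogon.dns).
Restart-Service -Name Netlogon

# 5. Verify: the _msdcs SRV records Active Directory depends on should now answer.
#    These are the records behind the underscore folders in the DNS console.
Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$domain" -Type SRV -Server 127.0.0.1
Resolve-DnsName -Name "_kerberos._tcp.dc._msdcs.$domain" -Type SRV -Server 127.0.0.1
# Site-specific record used by clients to find the closest DC (default site name shown)
Resolve-DnsName -Name "_ldap._tcp.Default-First-Site-Name._sites.dc._msdcs.$domain" -Type SRV -Server 127.0.0.1

# 6. Confirm the zone is stored in AD and accepts only secure updates
Get-DnsServerZone -Name $domain |
    Format-List ZoneName, ZoneType, IsDsIntegrated, DynamicUpdate, ReplicationScope

# 7. On a member server such as NYC-Server1, point at the DC's address, not loopback:
#    Set-DnsClientServerAddress -InterfaceAlias 'Ethernet' -ServerAddresses 10.0.1.5
```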