In this demonstration, let's take a look at some select Windows Server DNS features. Now, full disclosure, this Windows Server 2022 machine that we're on right now, it's a domain controller named dc10.contoso.com, is in fact running in Azure. But we can just disregard that at this point while we take a look at what's going on.

Now of course I've installed the DNS server role on this machine. And you might wonder, well, what do you do in terms of DNS for the server itself? I'm going to open up good old ncpa.cpl, and I'm sure you're well familiar with this routine of modifying the TCP/IP configuration of your server. So looking at the properties of our Ethernet connection, now again I'm in Azure, so I'm not setting a hard-coded static IP here, nor am I doing hard-coded DNS, but on-prem, of course, you want to make sure that your DNS server addresses start with the IP of the local server. Again, things change in Azure because, as I always recommend, you should do your TCP/IP configuration from Azure, not within the guest OS of the Azure virtual machine.

Now, what do we need to review in terms of DNS management in Windows Server for our AZ-800 exam? Well, there are a couple of things.
As you can see, I have dc10 and dc11 loaded in here. These are both domain controllers in the same domain. And speaking of which, we've got our forward and reverse lookup zones. And if we create a new zone, let's just take a look at this for a moment, some of the options: we can do primary, secondary. This is old-school DNS where we're not integrating or replicating our zone with Active Directory, where you've got a primary/secondary relationship between replicated servers. Note that you can combine primary and secondary with Azure AD integration, but normally with domain controllers we want to be authoritative for the zone. Secondaries are not authoritative. Stub is just a way to create a shortcut name resolution path. This is relevant, for example, when you have a complicated multidomain tree hierarchy in your forest and you want to create stub zones for some of those remote domains just to shorten the name resolution iteration. And again, here's the Active Directory integration. And then we choose our replication scope.
Notice that the options are To all DNS servers that are domain controllers in the forest, all DNS servers that are domain controllers in the domain, and then if you've created custom application directory partitions, you can specify that as a last option. We give the zone a name, and then we can choose our dynamic updates. And if you're doing AD integrated, as I mentioned, you want to allow only secure dynamic updates so that your client devices need to be domain members in order to register, modify, and unregister the resource records in the zone.

So, just wanted to review that. In my contoso.com zone I have just the standard issue records, start of authority. Let's take a look. If we go to zone properties, we can browse some of those things. For example, on the General tab we can change the replication scope. This is that same dialog we saw before. We have our Dynamic updates setting here: None, Nonsecure and Secure, or Secure only. We have our Start of Authority that gives you your authoritative primary server, your refresh; these are just your metadata, your client metadata. Here's our authoritative Name Servers list. And then I think that's all we need to worry about for that.
In terms of creating a new resource record, we can right-click and create any of those records. I'm going to create an alias called app that actually maps to, I can browse the zone file, dc10.contoso.com. Let me select that record. And this is going to allow me to contact dc10 using the hostname app, or I could just do app.contoso.com. That's just an example of that.

Let's take a quick look at the server properties. If we right-click the server itself, we can modify cache, aging, and scavenging of orphaned or old records. If we go to Properties, this has some important options actually, particularly we can make sure that the interface IPs that we want associated with that zone are enabled. I have my private IPv4 and IPv6 addresses. Forwarders, this is critical in Azure particularly, so I don't want to say too much about it now, but because this machine is an Azure VM, notice that I have the Azure wire server endpoint, 168.63.129.16, as my forwarder. This is critical because I want the server to be able to resolve IPs from outside contoso.com, my private zone. I still can use the root hints if no forwarders are available, and you can even customize the root hints as such. All right.
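The same configuration the demonstration walks through in the DNS Manager console (an AD-integrated zone with secure-only dynamic updates, the app alias pointing at dc10.contoso.com, and the 168.63.129.16 forwarder with root-hint fallback) can be reproduced and audited with the DnsServer PowerShell module. The block below is an added example, not code from the course; it assumes the DnsServer module is available (it ships with the DNS Server role and RSAT), that it is run against dc10.contoso.com from the demo, and it uses a constructed zone name, lab.contoso.com, for the new zone.

```powershell
# Added example (not from the course). Reproduces the demo's zone, record and
# forwarder settings with the DnsServer module, then audits the setting that
# matters most for security: whether AD-integrated zones still accept
# non-secure dynamic updates.
# Assumption: DnsServer module present; $Server is the DC from the demo.
$Server = 'dc10.contoso.com'

# 1. AD-integrated forward zone, replicated to every DNS server that is a DC in
#    the forest, accepting only secure dynamic updates (the demo's recommendation).
#    'lab.contoso.com' is a constructed zone name for this example.
Add-DnsServerPrimaryZone -Name 'lab.contoso.com' `
    -ReplicationScope Forest `
    -DynamicUpdate Secure `
    -ComputerName $Server

# 2. The alias created in the demo: app.contoso.com -> dc10.contoso.com
Add-DnsServerResourceRecordCName -ZoneName 'contoso.com' `
    -Name 'app' `
    -HostNameAlias 'dc10.contoso.com' `
    -ComputerName $Server

# 3. Forwarder as shown in the demo (Azure wire server endpoint), keeping
#    root hints as the fallback when no forwarder answers.
Set-DnsServerForwarder -IPAddress 168.63.129.16 -UseRootHint $true -ComputerName $Server

# 4. Audit: list every non-auto-created primary zone and warn about any
#    AD-integrated zone whose DynamicUpdate is not 'Secure', since
#    'NonsecureAndSecure' lets any host on the network overwrite records
#    without authenticating.
$zones = Get-DnsServerZone -ComputerName $Server |
    Where-Object { $_.ZoneType -eq 'Primary' -and -not $_.IsAutoCreated }

foreach ($z in $zones) {
    if ($z.IsDsIntegrated -and $z.DynamicUpdate -ne 'Secure') {
        Write-Warning ("Zone {0} allows {1} dynamic updates; set it to Secure." -f $z.ZoneName, $z.DynamicUpdate)
    }
}
$zones | Select-Object ZoneName, IsDsIntegrated, ReplicationScope, DynamicUpdate | Format-Table -AutoSize

# 5. Confirm the forwarder list and that root hints remain enabled as fallback.
Get-DnsServerForwarder -ComputerName $Server | Select-Object IPAddress, UseRootHint
```

Run it in an elevated PowerShell session on a domain controller or from a workstation with RSAT; steps 1 to 3 change configuration, so in a production forest run only the audit in steps 4 and 5 first and remediate any zone it flags with `Set-DnsServerPrimaryZone -Name <zone> -DynamicUpdate Secure`.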