Microsoft Official Course
Module 1
Implementing Advanced Network Services
Module Overview
• Configuring Advanced DHCP Features
• Configuring Advanced DNS Settings
• Implementing IPAM
Lesson 1: Configuring Advanced DHCP Features
• Overview of DHCP Components
• Configuring DHCP Interaction With DNS
• Configuring Advanced DHCP Scope Designs
• DHCP Integration With IPv6
• What Is DHCP Name Protection?
• What Is DHCP Failover?
• Demonstration: Configuring DHCP Failover
Overview of DHCP Components
DHCP components consist of:
• The DHCP server service
• DHCP options
• DHCP console
• DHCP scopes
• DHCP database
When you use DHCP:
• Clients request IP configuration through a broadcast
• IP addresses are leased to clients for a configurable period, and are
regularly renewed
• DHCP servers must be authorized in AD DS
Configuring DHCP Interaction With DNS
Configuring option 081 allows the DHCP server
to register both A and PTR resource records for
the client
[Figure: normal option 081 behavior compared with modified option 081 behavior]
Configuring Advanced DHCP Scope Designs
[Figure: two diagrams of a DHCP server connected to LAN A and LAN B; the first is labelled "Scope A and Scope B", the second is labelled "Scope A" and "Scope B"]
DHCP Integration With IPv6
DHCPv6 supports stateful and stateless configurations
DHCPv6 also supports scopes that you can configure
with the following properties:
• Name and description
• Preference
• Valid and Preferred lifetimes
• Prefix
• Exclusions
• DHCP options
What Is DHCP Name Protection?
DHCP Name Protection:
• Prevents Windows operating systems from having their
DNS name registrations overwritten by non-Windows
operating systems that have the same name
• Uses a DHCID resource record to track the machines
that originally requested the DNS names
• Is configurable at the network adapter level and at the
scope level
What Is DHCP Failover?
DHCP failover:
• Enables two DHCP servers to provide IP addresses and
optional configurations to the same subnets or scopes
• Requires failover relationships to have unique names
• Supports the Hot Standby mode and the Load Sharing mode
When you use DHCP failover:
• The MCLT determines when a failover partner assumes
control of the subnet or scope
• The auto state switchover interval determines when a failover
partner is considered to be down
• Message authentication can validate the failover messages
• Firewall rules are autoconfigured during DHCP installation
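The Name Protection and failover settings from the two slides above, as an added example that is not part of the course material. The server names, scope ID and relationship name are placeholders (assumptions). The script enables Name Protection on the scope, creates a Hot Standby relationship with message authentication, and then reports any relationship or scope still missing those protections.

```powershell
# Added example, not course material. Server names, scope ID and relationship
# name are placeholders (assumptions); run from a host with the DhcpServer module.
Import-Module DhcpServer

$primary = 'dhcp1.contoso.example'
$partner = 'dhcp2.contoso.example'
$scopeId = '10.0.10.0'
$relName = 'LAN-A-HotStandby'        # failover relationship names must be unique

# Name Protection at the scope level (DHCID-based ownership of DNS names).
# Set before the relationship is created so the scope settings replicate with it.
Set-DhcpServerv4DnsSetting -ComputerName $primary -ScopeId $scopeId -NameProtection $true

# Shared secret used for failover message authentication; prompted, not hardcoded.
$secret = Read-Host -Prompt 'Failover shared secret'

# Hot Standby relationship: MCLT of 1 hour, automatic switchover after
# 45 minutes without contact from the partner.
Add-DhcpServerv4Failover -ComputerName $primary -PartnerServer $partner `
    -Name $relName -ScopeId $scopeId `
    -ServerRole Active -ReservePercent 5 `
    -MaxClientLeadTime 01:00:00 `
    -AutoStateTransition $true -StateSwitchInterval 00:45:00 `
    -SharedSecret $secret

# Check 1: any failover relationship running without message authentication.
$noAuth = Get-DhcpServerv4Failover -ComputerName $primary |
    Where-Object { -not $_.EnableAuth }

# Check 2: any IPv4 scope where Name Protection is still off.
$noProtection = Get-DhcpServerv4Scope -ComputerName $primary | ForEach-Object {
    $dns = Get-DhcpServerv4DnsSetting -ComputerName $primary -ScopeId $_.ScopeId
    if (-not $dns.NameProtection) { $_.ScopeId }
}

[pscustomobject]@{
    FailoverWithoutAuth        = @($noAuth).Name
    ScopesWithoutNameProtection = @($noProtection)
}
```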
Lesson 2: Configuring Advanced DNS Settings
• Managing DNS Services
• Optimizing DNS Name Resolution
• What Is the GlobalNames Zone?
• Options for Implementing DNS Security
• How DNSSEC Works
• New DNSSEC Features for Windows Server 2012
• Demonstration: Configuring DNSSEC
Managing DNS Services
To manage DNS services:
• Delegate DNS administration through membership in
the DNS Admins group
• View DNS logs in Event Viewer
• Enable DNS debug logging in the DNS server properties
• Enable aging and scavenging to remove stale records
Backup methods for the DNS database depend on how
the database is deployed:
• Back up Active Directory-integrated zones through
system state backups, by using dnscmd, or by using
Windows PowerShell
• Nonintegrated primary zones are single files that you can
copy or back up
Optimizing DNS Name Resolution
Option: Description
• Forwarding: Forwards DNS requests that cannot be resolved locally to other specific DNS servers
• Conditional forwarding: Forwards queries for specific DNS suffixes to specific DNS servers
• Stub zones: A regularly replicated copy of certain resource records that identify authoritative DNS servers for specific DNS domains
• Netmask ordering: Responds to DNS queries with addresses of hosts that are close in proximity, based on IP address information of the client
What Is the GlobalNames Zone?
The GlobalNames zone allows single label names
to be resolved in multiple DNS domain
environments
[Figure: numbered steps 1 to 6 between a DNS client and a DNS server that hosts the GlobalNames zone and a forward lookup zone]
Options for Implementing DNS Security
Option: Description
• DNS cache locking: Prevents entries in the cache from being overwritten until a percentage of the TTL has expired
• DNS socket pool: Randomizes the source port for issuing DNS queries. Enabled by default in Windows Server 2012
• DNSSEC: Enables cryptographically signing DNS records so that client computers can validate responses
How DNSSEC Works
DNSSEC functions as follows:
• If a zone has been digitally signed, a query response will
contain digital signatures
• DNSSEC uses trust anchors, which are special zones that
store public keys associated with digital signatures
• Resolvers use trust anchors to retrieve public keys and
build trust chains
• DNSSEC requires trust anchors to be configured on all
DNS servers participating in DNSSEC
• DNSSEC uses the NRPT, which contains rules that
control the requesting client computer behavior for
sending queries and handling responses
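One way to check the three DNS security options and the DNSSEC pieces described above on a Windows DNS server, as an added example that is not part of the course material. The function name Get-DnsHardeningReport and the default server and zone names are hypothetical placeholders.

```powershell
# Added example, not course material. Get-DnsHardeningReport, the server name
# and the zone name are placeholders (assumptions).
Import-Module DnsServer

function Get-DnsHardeningReport {
    param(
        [string]$Server = 'dns1.contoso.example',
        [string]$Zone   = 'contoso.example'
    )

    # DNS cache locking: percent of the TTL during which cached records
    # cannot be overwritten.
    $cache = Get-DnsServerCache -ComputerName $Server

    # DNS socket pool: number of source ports available for randomization.
    $pool = (Get-DnsServerSetting -ComputerName $Server -All).SocketPoolSize

    # DNSSEC: is the zone signed, and is a trust anchor configured for it
    # on this server?
    $zoneInfo = Get-DnsServerZone -ComputerName $Server -Name $Zone
    $anchors  = @(Get-DnsServerTrustAnchor -ComputerName $Server -Name $Zone `
                    -ErrorAction SilentlyContinue)

    # Query with the DNSSEC OK bit set; a signed zone returns RRSIG records
    # alongside the DNSKEY records.
    $answer = Resolve-DnsName -Name $Zone -Type DNSKEY -Server $Server `
                -DnssecOk -ErrorAction SilentlyContinue
    $rrsig  = @($answer | Where-Object { $_.Type -eq 'RRSIG' }).Count

    $findings = @()
    if ($cache.LockingPercent -lt 100) { $findings += 'Cache locking below the default of 100 percent' }
    if (-not $zoneInfo.IsSigned)       { $findings += "Zone $Zone is not signed" }
    if ($anchors.Count -eq 0)          { $findings += "No trust anchor for $Zone on $Server" }
    if ($zoneInfo.IsSigned -and $rrsig -eq 0) { $findings += 'Signed zone returned no RRSIG records' }

    [pscustomobject]@{
        Server           = $Server
        CacheLockingPct  = $cache.LockingPercent
        SocketPoolSize   = $pool
        ZoneSigned       = [bool]$zoneInfo.IsSigned
        TrustAnchorCount = $anchors.Count
        RrsigInResponse  = $rrsig
        Findings         = $findings
    }
}

Get-DnsHardeningReport | Format-List
```

On client computers, Get-DnsClientNrptPolicy shows the NRPT rules that decide whether DNSSEC validation is required for a namespace.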
New DNSSEC Features for Windows Server 2012
DNSSEC enhancements for Windows Server 2012 include:
• Simplified DNSSEC implementation
• A DNSSEC Zone Signing Wizard that steps you through
the process of signing and configuring signing
parameters for zones
• The following new resource records:
  • DNSKEY
  • DS
  • RRSIG
  • NSEC
Lesson 3: Implementing IPAM
• What Is IPAM?
• IPAM Architecture
• Requirements for IPAM Implementation
• Managing IP Addressing Using IPAM
• Demonstration: Installing and Configuring IPAM
• IPAM Management and Monitoring
• Considerations for Implementing IPAM
What Is IPAM?
IPAM facilitates IP management in organizations with complex
networks by enabling administration and monitoring of DHCP
and DNS
IP administration area: Description
• Planning: Reduces the time and expense of the planning process when changes occur in the network
• Managing: Provides a single point of management and assists in optimizing utilization and capacity planning for DHCP and DNS
• Tracking: Enables tracking and forecasting of IP address utilization
• Auditing: Assists with compliance requirements and provides reporting for forensics and change management
IPAM Architecture
IPAM architecture consists of:
• Four main modules
  • IPAM discovery
  • IPAM address space management
  • Multiserver management and monitoring
  • Operational auditing and IP address tracking
• A server component and a client component
You can deploy IPAM in the following topologies:
• Distributed
• Centralized
• Hybrid
Requirements for IPAM Implementation
Prerequisites:
• IPAM server must belong to the domain
• IPAM server cannot be a domain controller
• IPv6 must be enabled in order to manage IPv6
• Log on with a domain account
• You must be in the correct IPAM local security group
• Logging account logon events must be enabled for IP address tracking and auditing
Hardware and software requirements:
• CPU – dual core 2.0 GHz or higher
• Windows Server 2012
• 4 GB of RAM
• 80 GB free disk space
Managing IP Addressing Using IPAM
You can view and manage the IP address space using the
following views:
• IP address blocks
• IP address ranges
• IP addresses
• IP inventory
• IP address range groups
You can monitor the IP address space using the following views:
• DNS and DHCP servers
• DHCP scopes
• DNS zone monitoring
• Server groups
IPAM Management and Monitoring
With IPAM, you can:
• Monitor IP address space utilization
• Monitor DNS and DHCP health
• Configure many DHCP properties and values from
the IPAM console
• Use the event catalog to view a centralized
repository for all configuration changes
Considerations for Implementing IPAM
Considerations for IPAM implementation include:
• Installation considerations
• Functional considerations
• Administrative considerations
• Migrating existing IP data into IPAM