Implementing DNS


Module 7: Implementing DNS

Contents:
Module Overview
Lesson 1: Name Resolution for Windows Clients and Servers
Lesson 2: Installing a DNS Server
Lesson 3: Managing DNS Zones
Lab: Implementing DNS
Module Review and Takeaways

Module Overview

Name resolution is the process by which software translates between names that users can read and understand, and the numerical IP addresses that TCP/IP communication requires. Because of this, name resolution is one of the most important concepts of every network infrastructure. You can think of DNS as being like the Internet's phone book for computers. Client computers use the name resolution process when locating hosts on the Internet and when locating other hosts and services in an internal network. Domain Name System (DNS) is one of the most common technologies for name resolution. Active Directory Domain Services (AD DS) depends heavily on DNS, as does Internet traffic. This module discusses some basic name resolution concepts, and installing and configuring a DNS Server service and its components.

Objectives

After completing this module, you will be able to:


Describe name resolution for Windows operating system clients and W
Install and manage a DNS Server.
Manage DNS zones.

Lesson 1: Name Resolution for Windows Clients and Servers

You can configure a computer to communicate over a network by using a name in place of an IP address. The computer then uses name resolution to find an IP address that corresponds to a name, such as a host name. This lesson focuses on different types of computer names, the methods used to resolve them, and how to troubleshoot problems with name resolution.

Lesson Objectives

After completing this lesson, you will be able to:


Describe computer names.
Describe DNS.
Describe DNS zones and records.
Describe how Internet DNS names are resolved.
Describe split DNS.
Describe Link-local Multicast Name Resolution.
Describe how a client resolves a name.
Troubleshoot name resolution.

What Are the Computer Names Assigned to Computers?

The TCP/IP set of protocols identifies source and destination computers by their IP addresses. However, computer users are much better at using and remembering names than numbers. Because of this, administrators usually assign names to computers. Administrators then link these names to computer IP addresses in a name resolution system such as DNS. These names are either in host name format, for example dc1.contoso.com, which is recognized by DNS, or in NetBIOS name format, for example DC1, which is recognized by Windows Internet Name Service (WINS).

Name Type

The type of name that an app uses, either host name or NetBIOS name, is determined by the application developer. If the application developer designs an application to request network services through Windows sockets, host names are used. If, on the other hand, the application developer designs an application to request services through NetBIOS, a NetBIOS name is used. Most current apps, including Internet apps, use Windows sockets and thus use host names to access network services.

Host Names

A host name is a user-friendly name that is associated with a computer's IP address to identify it as a TCP/IP host. The host name can be up to 255 characters long, and can contain alphabetic and numeric characters, periods, and hyphens.
You can use host names in various forms. The two most common forms are:
An alias
A fully qualified domain name (FQDN)
An alias is a single name that is associated with an IP address, such as payroll. You can combine an alias with a domain name to create an FQDN. An FQDN is structured for use on the Internet, and includes periods as separators. An example of an FQDN is payroll.contoso.com.

Creating Host Names

When you select host names, you should create host names that are intuitive and relatively easy to remember, yet still unique. The following lists some best practices to implement when creating host names:
Select computer names that are easy for users to remember.
Identify the owner of a computer in the computer name. For example, jo
Select names that describe the purpose of the computer. For example, a
erver stores information related to past accounts.
Do not use character case to convey the owner or purpose of a compute
Match the Active Directory domain name to the primary DNS suffix of the
Use unique names for all computers in your organization. Do not assign t
DNS domains.

What Is DNS?

DNS is a service that resolves FQDNs and other host names to IP addresses. All Windows Server operating systems include a DNS Server service.
When you use DNS, users on your network can locate network resources by typing in user-friendly names (for example, www.microsoft.com), which the computer then resolves to an IP address. The benefit is that IPv4 addresses may be difficult to remember (for example, 131.107.0.32), while a domain name typically is easier to remember. In addition, you can use host names that do not change while the underlying IP addresses can be changed to suit your organizational needs.
DNS uses a database of names and IP addresses, stored in a file or in AD DS, to provide this service. DNS client software performs queries on and updates to the DNS database. For example, within an organization, a user who is trying to locate a print server can use the DNS name printserver.contoso.com, and the DNS client software resolves the name to a printer's IP address, such as 172.16.23.55. Even if the printer's IP address changes, the user-friendly name can remain the same.
Originally, there was one file on the Internet that contained a list of all domain names and their corresponding IP addresses. This list quickly became too long to manage and distribute. DNS was developed to solve the problems associated with using a single Internet file. With the adoption of IPv6, DNS becomes even more important, because IPv6 addresses are even more complex than IPv4 addresses (for example, 2001:db8:4136:e38c:384f:3764:b59c:3d97).
DNS groups information about network resources into a hierarchical structure of domains. The hierarchical structure of domains is an inverted tree structure beginning with a root domain at its apex, descending into separate branches with common levels of parent domains, and descending downward even further into individual child domains.
As the Internet has grown, so has the number of domains from different countries. All countries in DNS have top-level country codes. The governing bodies in these countries can further create second-level domains that reflect categories such as .com, .org, and .net. For example, the United Kingdom (UK) has a top-level domain named .uk, and has further broken this down to the second level for various activities. A commercial company in the UK may therefore have an FQDN of companyname.com.uk. This domain would not be the same as companyname.com, which is at an entirely different level.
The representation of the entire hierarchical domain structure as shown in the following illustration is known as a DNS namespace.

FIGURE 7.1: DNS NAMESPACE


The Internet uses a single DNS namespace with multiple root servers. To participate in the Internet DNS namespace, a domain name must be registered with a DNS registrar. This ensures that no two organizations attempt to use the same domain name.
If hosts that are located on the Internet do not need to resolve names in your domain, you can host a domain internally, without registering it. However, you must still ensure that the domain name is unique from Internet domain names, or connectivity to Internet resources might be affected. A common way to ensure uniqueness is to create an internal domain in the .local domain. The .local domain is reserved for internal use in much the same way that private IP addresses are reserved for internal use.
In addition to resolving host names to IP addresses, DNS can be used to:
Locate domain controllers and global catalog servers. This is used when
Resolve IP addresses to host names. This is useful when a log file contain
Locate a mail server for email delivery. This is used for the delivery of all

DNS Zones and Records

A DNS zone is the specific portion of a DNS namespace (such as adatum.com) that contains DNS records. A DNS zone is hosted on a DNS server that is responsible for responding to queries for records in a specific domain. For example, the DNS server that is responsible for resolving www.contoso.com to an IP address would contain the contoso.com zone.
You can store DNS zone content in a file or in the AD DS database. When the DNS server stores the zone in a file, that file is located in a local folder on the server. When the zone is not stored in AD DS, only one copy of the zone is a writable copy, and all the other copies are read-only.
The most commonly used types of zones in Windows Server DNS are forward lookup zones and reverse lookup zones.

Forward Lookup Zones

Forward lookup zones resolve host names to IP addresses and host common resource records, including:
Host (A) records
Alias (CNAME) records
Service (SRV) records
Mail exchanger (MX) records
Start of authority (SOA) records
Name server (NS) records
The most common record type is the host (A) resource record.

Reverse Lookup Zones

Reverse lookup zones resolve IP addresses to domain names. A reverse lookup zone functions in the same manner as a forward lookup zone, but the IP address is part of the query and the host name is the returned information. Reverse lookup zones are not always configured, but you should configure them to reduce warning and error messages. Reverse lookup zones host SOA, NS, and pointer (PTR) resource records.

PTR Records

When you create host records in the DNS console, you also have the option to make a PTR record at the same time, if an appropriate reverse lookup zone exists. PTR records can be created automatically and added to a reverse lookup zone when an A record is created in a forward lookup zone. These PTR records are automatically deleted if the corresponding A resource record is deleted. You only need to manually create a PTR record once. Since it is not tied to an A resource record, it is not deleted if the A resource record is deleted. Client computers can create their PTR records when they dynamically update. A PTR record is in the format of IP address, type of record (PTR), and host name.
Many standard Internet protocols rely on reverse lookup zone data to validate forward lookup zone information. For example, if the forward lookup indicates that training.contoso.com resolves to 192.168.2.45, you can use a reverse lookup to confirm that 192.168.2.45 is associated with training.contoso.com.
Note: In Windows Server 2008 R2 and Windows Server 2012, you can also use DNSSEC technology to perform a similar type of verification. There are new enhancements to DNSSEC in Windows Server 2012 R2 in encryption key management; however, these enhancements are beyond the scope of this lesson.
Many email servers use a reverse lookup as one way of reducing spam. By performing a reverse lookup, email servers try to detect open Simple Mail Transfer Protocol (SMTP) servers (open relays).

Having a reverse lookup zone is important if you have apps that rely on looking up hosts by their IP addresses. Many apps record this information in security or event logs. If you see suspicious activity from a particular IP address, you can look up the host name using the reverse lookup zone information.
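As an added example (not part of the course material), the following PowerShell creates a host record together with its PTR on a Windows DNS server, then applies the forward-confirmed reverse check described above to addresses taken from a log. The zone names, host name and addresses are constructed sample values; it assumes the DnsServer module on the DNS server and the DnsClient module on the machine running the check.

```powershell
# Added example, not from the course. Sample values throughout; the record creation
# needs the DnsServer module (run on the DNS server), the lookups need DnsClient.
Import-Module DnsServer
Import-Module DnsClient

$forwardZone = 'contoso.com'
$network     = '192.168.2.0/24'            # subnet the reverse zone covers
$reverseZone = '2.168.192.in-addr.arpa'
$hostName    = 'training'
$ipAddress   = '192.168.2.45'

# -CreatePtr can only add the PTR if a matching reverse lookup zone already exists,
# so create the zone first (AD DS-integrated, secure dynamic updates only).
if (-not (Get-DnsServerZone -Name $reverseZone -ErrorAction SilentlyContinue)) {
    Add-DnsServerPrimaryZone -NetworkId $network -ReplicationScope 'Domain' -DynamicUpdate 'Secure'
}

# Creates training.contoso.com -> 192.168.2.45 and, in the same operation,
# 45.2.168.192.in-addr.arpa -> training.contoso.com.
Add-DnsServerResourceRecordA -ZoneName $forwardZone -Name $hostName -IPv4Address $ipAddress -CreatePtr

# Forward-confirmed reverse DNS: the PTR answer is trusted only if the name it gives
# resolves (A record) back to the same address. Whoever controls a reverse zone can put
# any name in a PTR, but cannot add an A record to a forward zone they do not own.
function Test-ForwardConfirmedReverse {
    param([Parameter(Mandatory)][string]$IPAddress)

    $ptr = Resolve-DnsName -Name $IPAddress -Type PTR -DnsOnly -ErrorAction SilentlyContinue |
           Where-Object { $_.Type -eq 'PTR' } | Select-Object -First 1
    if (-not $ptr) {
        return [pscustomobject]@{ IPAddress = $IPAddress; HostName = $null; Confirmed = $false; Reason = 'no PTR record' }
    }

    $name    = $ptr.NameHost.TrimEnd('.')
    $forward = @(Resolve-DnsName -Name $name -Type A -DnsOnly -ErrorAction SilentlyContinue |
                 Where-Object { $_.Type -eq 'A' } | ForEach-Object { $_.IPAddress })

    $confirmed = $forward -contains $IPAddress
    $reason = if ($confirmed) { 'A record matches PTR' }
              else { "PTR names $name but its A record(s) are: $($forward -join ', ')" }

    [pscustomobject]@{ IPAddress = $IPAddress; HostName = $name; Confirmed = $confirmed; Reason = $reason }
}

# Constructed sample: two source addresses copied from a security log. The first was
# just registered with a matching PTR; the second has no record at all.
'192.168.2.45', '192.168.2.99' |
    ForEach-Object { Test-ForwardConfirmedReverse -IPAddress $_ } |
    Format-Table -AutoSize
```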

Resource Records

The DNS zone file stores resource records. Resource records specify a resource type and the IP address to locate the resource. The most common resource record is a host (A) resource record. This is a simple record that resolves a host name to an IP address. The host can be a workstation, server, or another network device, such as a router.
Resource records also help find resources for a particular domain. For instance, when a Microsoft Exchange Server needs to find the server that is responsible for delivering mail for another domain, it requests the mail exchanger (MX) resource record for that domain. This record points to the host (A) resource record of the host that is running the SMTP mail service.
Resource records also can contain custom attributes. MX records, for instance, have a Preference attribute, which is useful if an organization has multiple mail servers. The MX record tells the sending server which mail server the receiving organization prefers. SRV records also contain information about the port the service is listening on, and the protocol that you should use to communicate with the service.

How Internet DNS Names Are Resolved

When resolving DNS names on the Internet, an entire system of computers is used rather than just a single server. There are hundreds of servers on the Internet, called root servers, which manage the overall practice of DNS resolution. These servers are represented by 13 FQDNs. A list of these 13 servers is preloaded on each DNS server. When you register a domain name on the Internet, you are paying to become part of this system.
To see how these servers work together to resolve a DNS name, look at the following name resolution process for the name www.microsoft.com:
1. A workstation queries the local DNS server for the IP address www.micr
2. If the local DNS server does not have the information, it queries a root
3. The local DNS server queries a .com DNS server for the location of the
4. The local DNS server queries the microsoft.com DNS server for the IP a
5. The IP address of www.microsoft.com is returned to the workstation.
The name resolution process can be modified by caching or forwarding:
Caching. After a local DNS server resolves a DNS name, it caches the resu
(TTL) value in the SOA record for the DNS zone. The default TTL is one hou
ve DNS server that resolved the name from its zone. When the TTL expires
Forwarding. Instead of querying root servers, you can configure a DNS ser
der (ISP).
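The five-step walk above, carried out by hand with Resolve-DnsName, as an added example that is not part of the course. It goes one step further than the list: when a zone answers with an alias (CNAME) instead of an address, which is how www.microsoft.com is published today, the walk restarts from the root for the alias target. The root server address is the public a.root-servers.net, the name is the lesson's example, and outbound DNS to the Internet is required.

```powershell
# Added example, not from the course. Each hop is a separate, non-recursive query, so
# the server asked may only return what it holds itself: an answer, an alias, or a
# referral to the next zone down. A caching or forwarding server would skip hops it
# already knows; this walk deliberately shows all of them.
function Resolve-Iteratively {
    param(
        [Parameter(Mandatory)][string]$Name,
        [string]$RootServer = '198.41.0.4'   # a.root-servers.net, one of the 13 root hints
    )

    $server = $RootServer
    $zone   = '<root>'
    for ($hop = 1; $hop -le 16; $hop++) {
        # Steps 2 to 4: ask the current server for the A record, recursion not allowed.
        $reply = Resolve-DnsName -Name $Name -Type A -Server $server -NoRecursion -DnsOnly -ErrorAction Stop

        # Step 5: an A record for the name itself is the final answer.
        $answer = @($reply | Where-Object { $_.Type -eq 'A' -and $_.Name -eq $Name })
        if ($answer.Count -gt 0) {
            Write-Host "hop $hop : $zone ($server) answered with an address"
            return $answer | Select-Object Name, IPAddress
        }

        # An alias: the zone owner points the name at another name, often in a different
        # domain (a CDN, for instance). Resolve the target with a fresh walk from the root.
        $cname = $reply | Where-Object { $_.Type -eq 'CNAME' -and $_.Name -eq $Name } | Select-Object -First 1
        if ($cname) {
            Write-Host "hop $hop : $zone ($server) says $Name is an alias for $($cname.NameHost); restarting from the root"
            $Name = $cname.NameHost; $server = $RootServer; $zone = '<root>'
            continue
        }

        # Otherwise the reply is a referral: NS records for the next zone (com, then
        # microsoft.com), normally with glue A records for those name servers.
        $ns = $reply | Where-Object { $_.Type -eq 'NS' } | Select-Object -First 1
        if (-not $ns) { throw "$zone ($server) returned neither an answer nor a referral for $Name" }

        $glue = $reply | Where-Object { $_.Type -eq 'A' -and $_.Name -eq $ns.NameHost } | Select-Object -First 1
        if ($glue) { $next = $glue.IPAddress } else {
            # No glue: the name server lives in another domain, so look it up normally.
            $next = (Resolve-DnsName -Name $ns.NameHost -Type A -DnsOnly -ErrorAction Stop |
                     Where-Object { $_.Type -eq 'A' })[0].IPAddress
        }

        Write-Host "hop $hop : $zone ($server) referred $Name to zone $($ns.Name) via $($ns.NameHost) ($next)"
        $zone   = $ns.Name
        $server = $next
    }
    throw "Gave up after 16 hops while resolving $Name"
}

Resolve-Iteratively -Name 'www.microsoft.com'
```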

What Is Split DNS?

In Microsoft operating systems, DNS has two major functions: to resolve IP addresses to names (and vice versa), and to facilitate domain-level communications and authentication for AD DS. The ability to store service locator (SRV) records allows domain-joined clients to find domain controllers (DCs) for domain authentication and security while load balancing access to the various DCs using DNS round-robin functionality.
However, Internet-level untrusted users from outside the firewall should never be able to access the SRV records and other sensitive AD DS information from the internal DNS servers. That data must remain separate and inaccessible from outside the firewall. At the same time, DNS records of servers and services hosting Internet-level resources, such as web, mail, and proxy servers, must remain accessible.
Split DNS, also known as split-brain DNS, uses the same DNS domain name for both Internet and internal, domain-joined resources. However, the DNS server role is assigned to separate servers: one or more servers for the Internet, and the other server(s) for the AD DS domain. Deploying DNS in this manner requires extra steps to ensure the separation of sensitive information found on the AD DS domain side from the Internet side, and to ensure that access from outside the firewall only goes to the DNS server deployed on the Internet side.
Because DNS is such a vital function for AD DS, the DNS server role is usually included with domain controllers when they are deployed. This role can be integrated into AD DS so that DNS records are stored as Active Directory objects and attributes. The DNS zone type in this instance is referred to as Active Directory Integrated (ADI). ADI zones replace DNS zone transfers with AD DS replication and can ensure secure dynamic updates of client records to the zone. In a domain, using ADI DNS is considered a best practice.
With split DNS, internal clients are only configured with the IP addresses of the ADI DNS servers, which are domain controllers. All client DNS dynamic updates are written to these servers. All DNS queries from internal clients go only to these DNS servers. If any resolutions for names are needed beyond the internal domain, such as for Internet web servers, the ADI DNS servers forward these requests to the Internet-facing DNS server. The Internet-facing DNS servers are normally deployed in the perimeter network between the firewalls. Although they have the same domain name as the ADI DNS servers, the Internet-facing DNS servers do not store the same data. All records in the Internet-facing DNS server zone are created manually. Normally the Internet-facing DNS server zone only contains records for itself and other servers that are located in the perimeter network and need to be accessed from the Internet.
When a query to the Internet-facing DNS server comes in from the Internet requesting a resolution of any domain-level resource, such as an SRV record, the Internet-facing DNS server rejects the query because it does not have any of the SRV records; these are only stored in the domain ADI DNS servers. Because it considers itself authoritative for the zone, the Internet-facing DNS server does not make an iterative query to the ADI DNS servers.
To further enhance security, you can set a firewall rule on the inside firewall, that is, the firewall between the internal and perimeter networks, to reject all DNS (UDP port 53) queries from the perimeter to the internal network, while still allowing DNS replies.
Note: When using DirectAccess for portable clients, be aware that when the client is deployed outside of the internal network it uses the Name Resolution Policy Table (NRPT) for continued access to internal resources. This sends DNS name queries for internal resources to the ADI DNS servers. With split DNS and DirectAccess clients, you need to add the fully qualified domain names (FQDNs) of any Internet-level web servers kept in the perimeter network to the NRPT as a firewall exception rule.
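The two halves of such a deployment, expressed with the DnsServer cmdlets, as an added example that is not from the course. The internal block runs on a domain controller and the perimeter block on the Internet-facing server; contoso.com, the 203.0.113.0/24 addresses and the perimeter server address are placeholders, and the closing check assumes the standard domain controller locator SRV name that AD DS registers.

```powershell
# Added example, not from the course. Same zone name on both sides, different data,
# different servers. Addresses and names are placeholders.
Import-Module DnsServer
$domain = 'contoso.com'

# --- Internal side: AD DS-integrated zone on a domain controller --------------------
# Replication happens through AD DS (no zone transfers) and only Secure dynamic
# updates are accepted, so only authenticated domain members can register records.
Add-DnsServerPrimaryZone -Name $domain -ReplicationScope 'Forest' -DynamicUpdate 'Secure'

# Anything outside the internal domain is forwarded to the perimeter server only.
# Root hints are switched off so no internal server ever talks to the Internet itself.
Set-DnsServerForwarder -IPAddress '203.0.113.53' -UseRootHint $false   # placeholder: perimeter DNS

# --- Perimeter side: file-backed zone on the Internet-facing server -----------------
# Standalone zone file, dynamic updates disabled: every record is created by hand and
# nothing learned from AD DS can ever appear here.
Add-DnsServerPrimaryZone -Name $domain -ZoneFile "$domain.dns" -DynamicUpdate 'None'
Add-DnsServerResourceRecordA  -ZoneName $domain -Name 'www'  -IPv4Address '203.0.113.10'
Add-DnsServerResourceRecordA  -ZoneName $domain -Name 'mail' -IPv4Address '203.0.113.25'
Add-DnsServerResourceRecordMX -ZoneName $domain -Name '.' -MailExchange "mail.$domain" -Preference 10

# Authoritative answers only: with recursion off the server cannot be used as an open
# resolver and never queries the internal servers on behalf of an Internet client.
Set-DnsServerRecursion -Enable $false

# Zone transfers are not needed for a hand-maintained zone; refuse them explicitly
# instead of relying on whatever the default happens to be.
Set-DnsServerPrimaryZone -Name $domain -SecureSecondaries 'NoTransfer'

# --- Verification: the case the lesson describes ------------------------------------
# The domain controller locator record must be answerable only on the inside.
function Test-SrvExposure {
    param([Parameter(Mandatory)][string]$Server, [Parameter(Mandatory)][string]$Domain)
    $query = "_ldap._tcp.dc._msdcs.$Domain"
    $srv = @(Resolve-DnsName -Name $query -Type SRV -Server $Server -DnsOnly -ErrorAction SilentlyContinue |
             Where-Object { $_.Type -eq 'SRV' })
    [pscustomobject]@{ Server = $Server; Query = $query; SrvRecords = $srv.Count; Exposed = ($srv.Count -gt 0) }
}

Test-SrvExposure -Server '203.0.113.53' -Domain $domain   # perimeter: Exposed should be False
Test-SrvExposure -Server '10.0.0.10'    -Domain $domain   # placeholder internal DC: Exposed True
```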

What Is Link-local Multicast Name Resolution?

In Windows Server 2012, a new method for resolving names to IP addresses is Link-local Multicast Name Resolution (LLMNR). Because of various limitations that are beyond the scope of this lesson, LLMNR typically is used only on localized networks. Although LLMNR is able to resolve IPv4 addresses, it has been designed specifically for IPv6; therefore, if you want to use it, you must have IPv6 supported and enabled on your hosts.
LLMNR is commonly used in networks where:
There are no DNS or NetBIOS services for name resolution.
Implementation of these services is not practical for any reason.
These services are not available.
For example, you might want to set up a temporary network for testing purposes without a server infrastructure.
LLMNR is supported on Windows Vista, Windows Server 2008, and all newer Windows operating systems. It uses a simple system of request and reply messages to resolve computer names to IPv6 or IPv4 addresses. For a node to respond to an LLMNR request, Network Discovery must be enabled, but Network Discovery is not needed just to make a request for name resolution.
To use LLMNR, you need to turn on the Network Discovery feature for all nodes on the local subnet. This feature is available in the Network and Sharing Center. Be aware that Network Discovery is usually disabled for any network that you designate as Public.
If you want to control the use of LLMNR on your network, you can configure it via Group Policy. To disable LLMNR via Group Policy, set the following Group Policy value:
Group Policy = Computer Configuration\Administrative Templates\Network\DNS Client\Turn off Multicast Name Resolution.
Set this value to Enabled if you do not want to use LLMNR, or to Disabled if you want to use LLMNR.
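As an added example (not from the course), the following script checks on a single host whether that Group Policy setting has actually taken effect and applies it locally if not. It relies on the registry value the policy writes, EnableMulticast under the DNSClient policy key (0 = LLMNR off); the Group Policy object remains the place to manage the setting fleet-wide, and the lookup name at the end is constructed.

```powershell
# Added example, not from the course. LLMNR answers are unauthenticated and any host on
# the link can reply to a multicast query, so where DNS is available the usual posture
# is to turn it off. This checks the policy-backed registry value and sets it if needed.
$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient'

function Get-LlmnrPolicyState {
    # Reports the state implied by the "Turn off Multicast Name Resolution" policy value.
    $item  = Get-ItemProperty -Path $policyKey -Name 'EnableMulticast' -ErrorAction SilentlyContinue
    $value = if ($item) { [int]$item.EnableMulticast } else { $null }
    if ($null -eq $value) { return 'Enabled (no policy configured; LLMNR is on by default)' }
    if ($value -eq 0)     { return 'Disabled by policy' }
    if ($value -eq 1)     { return 'Enabled by policy' }
    return "Unexpected value $value"
}

function Disable-LlmnrByPolicy {
    # Same effect on this one host as setting the policy to Enabled.
    if (-not (Test-Path $policyKey)) { New-Item -Path $policyKey -Force | Out-Null }
    Set-ItemProperty -Path $policyKey -Name 'EnableMulticast' -Value 0 -Type DWord
}

"Before: $(Get-LlmnrPolicyState)"
Disable-LlmnrByPolicy
"After:  $(Get-LlmnrPolicyState)"

# Runtime confirmation: a lookup restricted to LLMNR must now return nothing, even for a
# name that is not in DNS (constructed name).
$r = @(Resolve-DnsName -Name 'some-lab-pc' -LlmnrOnly -ErrorAction SilentlyContinue)
"LLMNR-only lookup returned $($r.Count) record(s)"
```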

How a Client Resolves a Name

Windows operating systems support a number of different methods for resolving computer names, such as DNS, WINS, and the host name resolution process.

DNS

As previously discussed, DNS is the Microsoft standard for resolving host names to IP addresses. For more information on DNS, refer back to the second topic of this lesson, What Is DNS?

WINS

WINS provides a centralized database for registering dynamic mappings of a network's NetBIOS names. Windows operating systems retain support for WINS to provide backward compatibility.
You can resolve NetBIOS names by using:
Broadcast messages. Broadcast messages, however, do not work well on l
Lmhosts file on all computers. Using an Lmhosts file for NetBIOS name res
Hosts file on all computers. Similar to an Lmhosts file, you can also use a h
ames to IP addresses, on local network segment.
Note: The DNS server role in Windows Server 2008 R2 and Windows Serv
that are unique across an entire forest. This eliminates the need to use the

Host Name Resolution Process

When an app specifies a host name and uses Windows sockets, TCP/IP uses the DNS resolver cache and DNS when attempting to resolve the host name. The hosts file is loaded into the DNS resolver cache. If NetBIOS over TCP/IP is enabled, TCP/IP also uses NetBIOS name resolution methods when resolving host names.
Windows operating systems resolve host names by performing the following tasks in this specific order:
1. Checks whether the host name is the same as the local host name.
2. Searches the DNS resolver cache. In the DNS client resolver cache, entrie
3. Sends a DNS request to its configured DNS servers.
4. Searches the network using LLMNR, if it is enabled.
5. Converts the host name to a NetBIOS name and checks the local NetBIO
6. Contacts the host's configured WINS servers.
7. Broadcasts as many as three NetBIOS name query request messages on
8. Searches the Lmhosts file.
Note: You can control the order used to resolve names. For example, if yo
nges the order in which the NetBIOS name resolution methods are attemp
Additional Reading: To learn more about LLMNR, please see http://go.microsoft.com/fwlink/?LinkID=331077.

Troubleshooting Name Resolution

Like most other technologies, name resolution sometimes requires troubleshooting. Issues can occur when the DNS server, its zones, and its resource records are not configured properly.
When resource records are causing issues, it can sometimes be difficult to identify the issue because configuration problems are not always obvious.

Windows Server 2012 R2 Cmdlets

Additionally, Windows Server 2012 R2 provides the following functionality:
Step-DnsServerSigningKeyRollover. This cmdlet forces a Key Signing
(DS) update. If a server that is hosting a securely-delegated zone is unable
you to force a rollover. The server expects the DS record to be manually u
Add-DnsServerTrustAnchor -Root. The Root parameter set enables you
of the DNS server. This cmdlet has the following alias: Retrieve-DnsServ
RootTrustAnchorsURL. The Get-DnsServerSetting and Set-DnsServe
Windows PowerShell has extended functionality in Windows Server 2012 R2 with enhanced zone-level statistics that are accessible through the Get-DnsServerStatistics cmdlet.
Additional Reading: For more information on the parameters for the Get-DnsServerStatistics cmdlet, go to http://go.microsoft.com/fwlink/?LinkID=331076.
The following table details the ZoneTransferStatistics property of the Get-DnsServerStatistics output, which returns information about full and incremental zone transfers.

Functionality       Returns information about zone transfer requests:
RequestReceived     Received when the DNS server is a primary server for a zone
RequestSent         Sent when the DNS server is a secondary server for a zone
ResponseReceived    Received when the DNS server is a secondary server for a zone
SuccessReceived     Successful and received when the DNS server is a secondary server for
SuccessSent         Successful and received when the DNS server is a primary server for a z

The following table details the ZoneUpdateStatistics property.

Functionality            Dynamic update information:
DynamicUpdateReceived    Dynamic update requests that are received by the DNS server
DynamicUpdateRejected    Dynamic updates that are rejected by the DNS server

To get zone-level statistics, type the following at an elevated Windows PowerShell prompt:

PS C:\> $statistics = Get-DnsServerStatistics -ZoneName Adatum.com
PS C:\> $statistics.ZoneQueryStatistics
PS C:\> $statistics.ZoneTransferStatistics
PS C:\> $statistics.ZoneUpdateStatistics
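As an added example (not course code), the following script snapshots those counters for one zone twice and reports the deltas, flagging the two that matter most on an AD DS-integrated zone: rejected dynamic updates, and zone transfer requests arriving at a server that should be replicating through AD DS instead. The zone name, interval and thresholds are sample values; it assumes the DnsServer module on the server and uses only the counter names documented above.

```powershell
# Added example, not from the course. Counters are cumulative since the DNS Server
# service started, so two snapshots are needed to see what happened in a window.
Import-Module DnsServer

# The counters this module documents, grouped by the property that carries them.
$counters = @(
    @{ Group = 'ZoneUpdateStatistics';   Name = 'DynamicUpdateReceived' },
    @{ Group = 'ZoneUpdateStatistics';   Name = 'DynamicUpdateRejected' },
    @{ Group = 'ZoneTransferStatistics'; Name = 'RequestReceived' },
    @{ Group = 'ZoneTransferStatistics'; Name = 'SuccessSent' }
)

function Get-ZoneCounterSnapshot {
    param([Parameter(Mandatory)][string]$ZoneName)
    $stats = Get-DnsServerStatistics -ZoneName $ZoneName
    $snap  = [ordered]@{ ZoneName = $ZoneName; Taken = Get-Date }
    foreach ($c in $counters) { $snap[$c.Name] = [int64]$stats.($c.Group).($c.Name) }
    [pscustomobject]$snap
}

function Compare-ZoneCounterSnapshot {
    param(
        [Parameter(Mandatory)]$Before,
        [Parameter(Mandatory)]$After,
        [int]$MaxRejectedUpdates  = 10,   # sample threshold; tune to the zone's normal churn
        [int]$MaxTransferRequests = 0     # an ADI zone replicates via AD DS: expect none
    )
    $delta = [ordered]@{
        ZoneName = $Before.ZoneName
        Minutes  = [math]::Round(($After.Taken - $Before.Taken).TotalMinutes, 1)
    }
    foreach ($c in $counters) { $delta[$c.Name] = $After.($c.Name) - $Before.($c.Name) }

    $findings = @()
    if ($delta.DynamicUpdateRejected -gt $MaxRejectedUpdates) {
        # Secure-update zones reject updates from clients that cannot authenticate or that
        # try to change a record owned by another account: worth a look either way.
        $findings += "$($delta.DynamicUpdateRejected) dynamic updates rejected in the window"
    }
    if ($delta.RequestReceived -gt $MaxTransferRequests) {
        $findings += "$($delta.RequestReceived) zone transfer request(s) received as primary (SuccessSent=$($delta.SuccessSent))"
    }
    $delta.Findings = if ($findings.Count -gt 0) { $findings -join '; ' } else { 'none' }
    [pscustomobject]$delta
}

$before = Get-ZoneCounterSnapshot -ZoneName 'adatum.com'
Start-Sleep -Seconds 600                     # sample window: ten minutes
$after  = Get-ZoneCounterSnapshot -ZoneName 'adatum.com'
Compare-ZoneCounterSnapshot -Before $before -After $after | Format-List
```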
Command-Line Tools and Commands for Troubleshooting

The command-line tools and commands that you use to troubleshoot these and other configuration issues are as follows:
Nslookup. Use this tool to query DNS information. The tool is flexible and
n test zone transfers, security options, and MX record resolution.
DNSCmd. Use this command-line tool to manage the DNS server role. Thi
ervers on your network.
Dnslint. Use this tool to diagnose common DNS issues. This tool diagnose
Reference Links: The Dnslint command can be downloaded from http://
Ipconfig. Use this command to view and modify IP configuration details th
cal DNS cache using the command ipconfig /displaydns, and you can cle
Monitoring on DNS server. Perform simple local queries and recursive quer
he DNS server Monitoring tab is available only in Windows Server 2008 and
In Windows Server 2012, there is a new set of Windows PowerShell cmdlets that you can use for DNS client and server management. Some of the most commonly used cmdlets are as follows:
Clear-DNSClientCache. This cmdlet clears the client cache, similar to i
Get-DNSClient. This cmdlet displays the details of the network interface
Get-DNSClientCache. This cmdlet displays the content of the local DNS
Register-DNSClient. This cmdlet registers all of the IP addresses on the
Resolve-DNSName. This cmdlet performs a DNS name resolution for a
Set-DNSClient. This cmdlet sets the interface-specific DNS client config
Test-DNSServer. This cmdlet tests that a specified computer is a functio

The Troubleshooting Process

When you troubleshoot name resolution, you must understand what name resolution methods the computer is using, and in what order the computer uses them. Be sure to clear the DNS resolver cache between resolution attempts.
If you cannot connect to a remote host and suspect a name resolution problem, you can troubleshoot the name resolution by performing the following steps:
1. Open an elevated command prompt, and then clear the DNS resolver cac
ipconfig /flushdns
Alternatively, you can open Windows PowerShell and type the equivalent
Clear-DNSClientCache
2. Attempt to ping the remote host by its IP address. This helps identify whe
esolution.
3. Attempt to ping the remote host by using its host name. For accuracy, us
Ping LON-dc1.contoso.com
4. If the ping is successful, the problem is probably not related to name reso
ce, in the previous Contoso, Ltd. example, you would add the following lin
10.10.0.10 LON-dc1.contoso.com
5. Perform the ping-by-host-name test once more. Name resolution should n
type the following, or use the equivalent Windows PowerShell cmdlet:
Ipconfig /displaydns
6. Remove the entry that you added to the hosts file, and then clear the res
7. At the command prompt, type the following command:
Nslookup.exe -d LON-dc1.contoso.com. > filename.txt
Examine the contents of the filename.txt file to identify the failed stage in
Note: You should also know how to interpret the DNS resolver cache output so that you can identify whether the name resolution problem is with the client computer's configuration, the name server, or the configuration of records within the name server zone database. Interpreting the DNS resolver cache output is beyond the scope of this lesson.
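The procedure above as one PowerShell script, added here and not part of the course. It keeps the order of the steps (flush, reach by address, reach by name, inspect the cache, capture an nslookup trace) but replaces the hosts-file edit of steps 4 to 6 with direct queries to each configured DNS server, which isolates the failing stage without changing the client. Test-Connection stands in for ping, the host name and address are the lesson's Contoso values, and nslookup's -debug option is used for the trace.

```powershell
# Added example, not from the course. Run from an elevated PowerShell prompt on the
# client that cannot reach the host. Sample values from the lesson.
param(
    [string]$HostName  = 'LON-dc1.contoso.com',
    [string]$IPAddress = '10.10.0.10',
    [string]$DebugLog  = "$env:TEMP\nslookup-debug.txt"
)

function Write-Stage {
    param([string]$Stage, [bool]$Ok)
    '{0,-44} {1}' -f $Stage, $(if ($Ok) { 'OK' } else { 'FAIL' })
}

# Step 1: clear the resolver cache so an old cached answer cannot mask a live problem.
Clear-DnsClientCache

# Step 2: reach the host by IP address. If this fails, the problem is not name resolution.
$byIp = Test-Connection -ComputerName $IPAddress -Count 2 -Quiet
Write-Stage 'Reachable by IP address' $byIp
if (-not $byIp) { Write-Warning 'Fix connectivity to the address first; DNS is not the issue yet.'; return }

# Step 3: reach the host by its FQDN; success here means resolution works end to end.
$byName = Test-Connection -ComputerName $HostName -Count 2 -Quiet
Write-Stage 'Reachable by host name' $byName
if ($byName) { "Name resolution for $HostName works; the fault lies elsewhere."; return }

# In place of steps 4 to 6: show what the resolver cache holds for the name (the hosts
# file is loaded into this same cache) and which servers the client is configured to ask.
Get-DnsClientCache -Name $HostName -ErrorAction SilentlyContinue |
    Format-Table Entry, RecordType, Data, Status -AutoSize
$servers = Get-DnsClientServerAddress -AddressFamily IPv4 |
    Where-Object { $_.ServerAddresses.Count -gt 0 } |
    ForEach-Object { $_.ServerAddresses } | Select-Object -Unique
"Configured DNS servers: $($servers -join ', ')"

# Ask each configured server directly, bypassing cache and hosts file, so the failing
# stage is pinned to a server (no answer) or to its data (wrong address).
foreach ($s in $servers) {
    $a = @(Resolve-DnsName -Name $HostName -Type A -Server $s -DnsOnly -ErrorAction SilentlyContinue |
           Where-Object { $_.Type -eq 'A' })
    Write-Stage "Server $s answers A for $HostName" ($a.Count -gt 0)
    if ($a.Count -gt 0 -and ($a.IPAddress -notcontains $IPAddress)) {
        Write-Warning "Server $s returns $($a.IPAddress -join ', '), not $IPAddress: stale or wrong record"
    }
}

# Step 7: capture a debug trace of the full lookup for offline examination.
& nslookup.exe -debug "$HostName." 2>&1 | Out-File -FilePath $DebugLog -Encoding ascii
"Debug trace written to $DebugLog; look for the stage that reports a failure."
```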

Demonstration: Troubleshooting Name Resolution

In this demonstration, you will see how to use Windows PowerShell cmdlets and command-line tools to troubleshoot DNS.

Demonstration Steps

Use Windows PowerShell cmdlets to troubleshoot DNS
1. Sign in to LON-DC1 and LON-CL1 as Adatum\Administrator with a pa
2. On LON-CL1, open Windows PowerShell, run the following cmdlet, an
Get-DnsClientServerAddress
3. In the Network and Sharing Center, record the static TCP/IP addre
omatic.
4. Switch back to Windows PowerShell and run the following cmdlet, an
Get-DnsClientServerAddress
Clear-DnsClientCache
5. Write the Interface Index value of the Ethernet interface's IPv4 row, he
6. Run the following cmdlet:
Resolve-DnsName lon-dc1
7. Note that the cmdlet issues the following error message: A DNS s
8. Run the following cmdlets, where X is the Interface Index value that yo
Set-DnsClientServerAddress -InterfaceIndex X -ServerAddress 172.16.0
dc1
The error does not report back, and an address is returned.
9. Switch back to the Network and Sharing Center and enter the stati
In Windows PowerShell, use the following cmdlets:
Get-DnsClientCache
Clear-DnsClientCache
Get-DnsClientCache
Get-D
10. Close both the Windows PowerShell and the Network and Sharing

Use command-line tools to troubleshoot DNS
1. Run an elevated Command Prompt as Administrator and run ipcon
2. Run the nslookup command, and then search for the LON-CL1 addres
3. Switch to LON-DC1 and open an elevated Command Prompt as Adm
4. Run the dnscmd /? command, and note the options.
5. Run ipconfig /displaydns and note the output values displayed.
6. Run the command ipconfig /flushdns and then run ipconfig /display
7. Run the ping command on LON-CL1.
8. Use the ipconfig /displaydns command to display the host record for
Although the request packets are ignored, note that the command retu
successful.
9. Close all open windows and then sign out from LON-CL1 and LON-DC1.

Lesson 2: Installing a DNS Server

To use a DNS Server, you must first install it. Installing the DNS Server service on a DNS server is a simple procedure. To manage your DNS Server service, it is important that you understand the DNS server components and their purpose. In this lesson, you will learn about DNS components and how to install and manage the DNS Server role.

Lesson Objectives
After completing this lesson, you will be able to:
Describe the components of a DNS solution.
Describe root hints.
Describe DNS queries.
Describe forwarding.
Explain how DNS server caching works.
Explain how to install the DNS server role.

What Are the Components of a DNS Solution?

The components of a DNS solution include DNS servers, DNS servers on the Internet, and DNS resolvers (or DNS clients).

DNS Server

A DNS server answers recursive and iterative DNS queries. DNS servers also can host one or more zones of a particular domain. Zones contain different resource records. DNS servers also can cache lookups to save time for common queries.

DNS Servers on the Internet

DNS servers on the Internet are accessible publicly. These servers host information about public domains, such as common top-level domains (TLDs), for example, .com, .net, and .edu.

DNS Resolver

The DNS resolver generates and sends iterative or recursive queries to the DNS server. A DNS resolver can be any computer that is performing a DNS lookup that requires interaction with the DNS server. DNS servers also can issue DNS requests to other DNS servers.

What Are Root Hints?

Root hints are a list of the 13 FQDNs on the Internet that your DNS server uses if it cannot resolve a DNS query by using its own zone data, a DNS forwarder, or its own cache. The root hints list the highest servers in the DNS hierarchy, and can provide the necessary information for a DNS server to perform an iterative query to the next lowest layer of the DNS namespace.
Root servers are installed automatically when you install the DNS role. They are copied from the cache.dns file that is included in the DNS role setup files. You also can add root hints to a DNS server to support lookups for non-contiguous domains within a forest.
When a DNS server communicates with a root hint server, it uses only an iterative query. To configure a server to use only recursive queries to a forwarder, configure the forwarder in the DNS server properties. If you want to disable all iterative queries, deselect the Use root hints if no forwarders are available check box on the Forwarders tab. If you configure the server to use only a forwarder, and you disable root hints, it attempts to send a recursive query to its forwarding server; if the forwarding server does not answer this query, the first server responds that the host could not be found.
It is important to understand that recursion on a DNS server and recursive queries are not the same thing. Recursion on a DNS server means that the server uses its root hints to try to resolve a DNS query, whereas a recursive query is a query that is made to a DNS server in which the requester asks the server to assume the responsibility for providing a complete answer to the query.

What Are DNS Queries?

A DNS query is a name resolution query that is sent to a DNS server. The DNS server then provides either an authoritative or a non-authoritative response to the client query.

Note: It is important to note that DNS servers also can act as DNS resolvers, and send DNS queries to other DNS servers.

Authoritative or Non-Authoritative Responses

The two types of responses are:
Authoritative. An authoritative response is one in which the server returns
e when it hosts a primary or secondary copy of a DNS zone.
Non-authoritative. A non-authoritative response is one where the DNS serv
urate (because only the authoritative DNS server for the given domain can

If the DNS server is authoritative for the query's namespace, the DNS server checks the zone and then does one of the following:
Returns the requested address.
Returns an authoritative "No, that name does not exist."
Note: An authoritative answer can be given only by the server with direc

If the local DNS server is non-authoritative for the query's namespace, the DNS server does one of the following:
Checks its cache and returns a cached response.
Forwards the unresolvable query to a specific server, called a forwarder.
Uses well-known addresses of multiple root servers to find an authoritativ
nts.

Recursive Queries

In a recursive query, the requester asks the DNS server to obtain a fully resolved IP address of the requested resource before returning the answer to the requester. The DNS server may have to perform several queries to other DNS servers before it finds the answer. Recursive queries are generally made by a DNS client to a DNS server, or by a DNS server that is configured to pass unresolved queries to another DNS server, in the case of a DNS server configured to use a forwarder.

A recursive query has two possible results:
The DNS server returns the IP address of the host requested.
The DNS server cannot resolve an IP address.

For security reasons, it sometimes is necessary to disable recursion on a DNS server so that it does not try to resolve names outside its own zones on behalf of clients, whether through a forwarder or through root hints. A server that hosts only authoritative data, especially one that is reachable from the Internet, should not recurse at all: an open recursive resolver can be abused as a reflector for amplification attacks and gives an attacker a cache to poison. Disabling recursion also disables forwarding on that server, so do this only on a server that is not meant to resolve names for clients.

Iterative Queries

Iterative queries access domain name information that resides across the DNS system. You can use iterative queries to resolve names across many servers quickly and efficiently. When a DNS server receives a request that it cannot answer using its local information or its cached lookups, it makes the same request to another DNS server by using an iterative query. When a DNS server receives an iterative query, it might answer with either the IP address for the domain name (if known), or with a referral to the DNS servers that are responsible for the domain being queried. The DNS server continues this process until it locates a DNS server that is authoritative for the queried name, or until an error or time-out condition is met.

What Is Forwarding?

A forwarder is a network DNS server that forwards queries for external names to DNS servers outside of its network. You also can create and use conditional forwarders to forward queries according to specific domain names.

Once you designate a network DNS server as a forwarder, other DNS servers in the network forward the queries that they cannot resolve locally to that server. By using a forwarder, you can manage name resolution for names outside of your network, such as names on the Internet. This improves the efficiency of name resolution for your network's computers, because one server builds up a cache of external names on behalf of all of them.

The forwarder must be able to communicate with the DNS servers that are located on the Internet. This means either you configure it to forward requests to another DNS server, or you configure it to use root hints to communicate.

Best Practice: Use a central forwarding DNS server for Internet name resolution. This can improve security because you can isolate the forwarding DNS server in a perimeter network, which ensures that no server within the network is communicating directly to the Internet. Only the forwarder then needs outbound DNS (UDP and TCP port 53) through the firewall, and because it is the one server that receives responses from the Internet, it should accept recursive queries only from your internal DNS servers.

Conditional Forwarder

A conditional forwarder is a DNS server on a network that forwards DNS queries according to the query's DNS domain name. For example, you can configure a DNS server to forward all queries that it receives for names ending with corp.contoso.com to the IP address of a specific DNS server, or to the IP addresses of multiple DNS servers. This is useful when you have multiple DNS namespaces in a forest.

Conditional Forwarding in Windows Server 2008 R2 and Windows Server 2012

In Windows Server 2008 R2 and Windows Server 2012, the conditional forwarder configuration is in a node in the DNS console. You can replicate this information to other DNS servers through Active Directory-integrated DNS.

Best Practice: Use conditional forwarders if you have multiple internal namespaces. This results in faster name resolution.
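As an added example (not part of the course text), the following Windows PowerShell session ties together the root hints, recursion and forwarding settings from the preceding sections on a single DNS server. It assumes the DnsServer module on Windows Server 2012, that 172.16.0.10 is the organization's central forwarder, and that corp.contoso.com with its name server 10.0.0.53 stands in for a partner namespace; all three values are placeholders chosen for this example.

```powershell
# Added example, not from the course text. Run in an elevated Windows PowerShell
# session on the DNS server (DnsServer module, Windows Server 2012).
# Placeholders: 172.16.0.10 = central forwarder; corp.contoso.com / 10.0.0.53 =
# a partner namespace and its authoritative server.
Import-Module DnsServer

# 1. What the server does today: root hints, forwarders, recursion settings.
Get-DnsServerRootHint | Format-Table -AutoSize
Get-DnsServerForwarder
Get-DnsServerRecursion

# 2. Send everything the server is not authoritative for to the internal
#    forwarder and do NOT fall back to root hints (the "Use root hints if no
#    forwarders are available" check box). Only the forwarder then talks to
#    the Internet. -IPAddress replaces the whole forwarder list;
#    Add-DnsServerForwarder appends to it.
Set-DnsServerForwarder -IPAddress 172.16.0.10 -UseRootHint $false -Timeout 3 -PassThru

# 3. Conditional forwarder: queries ending in corp.contoso.com go straight to
#    the partner's servers instead of to the general-purpose forwarder.
#    -ReplicationScope stores it in AD DS so every DNS server that is a DC in
#    the forest gets it; omit that parameter on a server that is not a DC.
Add-DnsServerConditionalForwarderZone -Name 'corp.contoso.com' -MasterServers 10.0.0.53 -ReplicationScope 'Forest' -PassThru

# 4. Authoritative-only server (for example, one reachable from the Internet):
#    turn recursion off so it cannot be used as an open resolver. This also
#    disables forwarding on that server, so never do it on a server that
#    resolves names for clients. Shown commented out for that reason.
#    Set-DnsServerRecursion -Enable $false

# 5. Verify. -DnsOnly bypasses the hosts file and the client resolver cache.
#    The first call is a recursive query to this server; the second clears the
#    recursion-desired bit, so the server answers only from its own zones or
#    cache and returns nothing (or an error) for a name it has not cached yet.
Resolve-DnsName -Name 'www.contoso.com' -Server 127.0.0.1 -DnsOnly
Resolve-DnsName -Name 'www.contoso.com' -Server 127.0.0.1 -DnsOnly -NoRecursion

# The same switch is exposed by dnscmd:  dnscmd /Config /NoRecursion 1
```

Steps 2 and 4 are mutually exclusive on one server: a forwarder only does anything while recursion is enabled. Run Get-DnsServerRecursion before and after any change so the effective state is recorded, not assumed.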

How DNS Server Caching Works

DNS caching increases the performance of the organization's DNS system by decreasing the time it takes to provide DNS lookups.

When a DNS server resolves a DNS name successfully, it adds the name to its cache. Over time, this builds a cache of domain names and their associated IP addresses for most of the domains that the organization uses or accesses.

Each cached record is kept for its time to live (TTL), which the zone owner sets on the record itself or, as the default for the zone, in the SOA record of the appropriate DNS zone; for a Windows DNS zone the default is one hour. A caching server additionally caps every entry at its own maximum cache TTL setting.

A caching-only server is the ideal type of DNS server to use as a forwarder. It does not host any DNS zone data; it only answers lookup requests for DNS clients.

In Windows Server 2012, you can access the content of the DNS server cache by selecting the Advanced view in the DNS Manager console. In this view, cached content is displayed as a node in DNS Manager. You can also delete single entries (or the entire cache) from the DNS server cache. Alternatively, you can use the Windows PowerShell Show-DnsServerCache cmdlet to view the cache content and Clear-DnsServerCache to empty it (Get-DnsServerCache returns the cache settings, not its contents).

The DNS client cache is stored on the local computer by the DNS Client service. To view client-side caching, at a command prompt run the ipconfig /displaydns command, or in Windows PowerShell use the Get-DnsClientCache cmdlet. If you need to clear the local cache, use the Clear-DnsClientCache cmdlet or the ipconfig /flushdns command.

To prevent entries in the DNS server cache from being overwritten before they expire, use the DNS cache locking feature available in Windows Server 2008 R2 and Windows Server 2012. When enabled, cached records cannot be overwritten for a configurable percentage of their time-to-live (TTL) value (100 percent by default). Cache locking provides improved security against cache poisoning attacks. This type of attack occurs when a false name resolution is provided by an attacker's DNS server, or by a forged response that reaches the server before the legitimate one. The false data is kept in the cache for as long as the attacker has set the TTL value for that record, and therefore falsifies, or poisons, the cache. Cache locking stops an attacker from replacing an entry that is still valid; it does not protect a name that is not yet in the cache.
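The cache-locking setting described above, as an added example (not course text) that checks and enforces it from Windows PowerShell on the DNS server. The DnsServer module on Windows Server 2012 is assumed; the 12-hour maximum cache TTL and 15-minute negative TTL are values chosen for this example, not Microsoft defaults.

```powershell
# Added example, not from the course text. Elevated Windows PowerShell on the
# DNS server (DnsServer module, Windows Server 2012).
Import-Module DnsServer

# Current cache policy. LockingPercent is the share of a cached record's TTL
# during which it cannot be overwritten. EnablePollutionProtection drops
# records in a response that belong to a different domain than the query
# (the classic poisoning vector: an answer for contoso.com that also carries
# a forged www.adatum.com record).
Get-DnsServerCache | Select-Object LockingPercent, EnablePollutionProtection, MaxTtl, MaxNegativeTtl

# Enforce full cache locking and pollution protection. 100 is the default on
# Windows Server 2008 R2 and 2012, but verify rather than assume: a lower
# value lets an unsolicited answer replace a still-valid entry.
Set-DnsServerCache -LockingPercent 100 -PollutionProtection $true -PassThru

# Cap how long any record may stay cached (example values). A poisoned entry
# that does get in then lives at most 12 hours regardless of the TTL the
# attacker put on it.
Set-DnsServerCache -MaxTtl (New-TimeSpan -Hours 12) -MaxNegativeTtl (New-TimeSpan -Minutes 15) -PassThru

# Read the settings back and fail loudly if they did not stick, so this block
# can run as a compliance check from a scheduled script.
$cache = Get-DnsServerCache
if ($cache.LockingPercent -lt 100 -or -not $cache.EnablePollutionProtection) {
    throw "DNS server cache is not hardened: LockingPercent=$($cache.LockingPercent), PollutionProtection=$($cache.EnablePollutionProtection)"
}

# Equivalent dnscmd settings:  dnscmd /Config /CacheLockingPercent 100
#                              dnscmd /Config /SecureResponses 1
```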

How to Install the DNS Server Role

The DNS server role is not installed on Windows Server 2012 by default. Instead, you must add it in a role-based manner when you configure the server to perform the role. You install the DNS server role by using the Add Roles and Features Wizard in Server Manager, or with the Install-WindowsFeature DNS cmdlet in Windows PowerShell.

You can also add the DNS server role when you promote your server to a domain controller. You do this from the Domain Controller Options page of the Active Directory Domain Services Configuration Wizard.

Once you install the DNS server role, the DNS Manager snap-in becomes available to add to your administrative consoles. The snap-in is added automatically to the Server Manager console and to the DNS Manager console. You can run DNS Manager from the Start screen by typing dnsmgmt.msc.

When you install the DNS server role, the dnscmd.exe command-line tool is also added. You can use the DNSCmd tool to script and automate DNS configuration. For help with this tool, at a command prompt, type dnscmd.exe /?

In Windows Server 2012, another method you can use to manage a DNS server is Windows PowerShell (the DnsServer module). It is recommended that you use Windows PowerShell cmdlets for command-line-based management of the DNS server. In addition, you can use the command-line tools Nslookup, DNSCmd, Dnslint, and Ipconfig in the Windows PowerShell environment.

To administer a remote DNS server, add the Remote Server Administration Tools to your administrative workstation, which must be running a Windows Vista Service Pack 1 (SP1) or newer Windows operating system.

Demonstration: Installing the DNS Server Role

Many organizations now have or will want more than one DNS server on their network. You can install additional DNS servers by using the Server Manager console. If you want to enable your DNS server to resolve Internet names, you will most likely want to enable forwarding.

In this demonstration, you will see how to:
Install a second DNS server.
Create a forward lookup zone by using Windows PowerShell.
Configure forwarding.

Demonstration Steps

Install a second DNS server
1. Sign in to LON-DC1 and LON-SVR1 as Adatum\Administrator with the password Pa$$w0rd.
2. On LON-SVR1, open Server Manager.
3. Start the Add Roles and Features Wizard.
4. Add the DNS Server role.

Create a forward lookup zone by using Windows PowerShell
1. In Windows PowerShell, run the following cmdlet:
Add-DnsServerPrimaryZone -Name fabrikam.com -DynamicUpdate Sec
2. Go to the DNS console and verify that the fabrikam.com forward lookup zone is present.

Configure forwarding
Configure the DNS server with a forwarder on IP address 172.16.0.10.

Note: Leave all virtual machines in their current state for the next demonstration.
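The three demonstration steps above as one Windows PowerShell script, added here and not part of the course text. It assumes an elevated session on LON-SVR1, uses the demonstration's zone name fabrikam.com and forwarder address 172.16.0.10, and supplies its own choices where the course line is truncated: the zone file name fabrikam.com.dns, -DynamicUpdate None for the file-backed zone, and a test address of 172.16.0.50 for a www record.

```powershell
# Added example, not from the course text. Run on LON-SVR1 as Adatum\Administrator
# in an elevated Windows PowerShell session (Windows Server 2012).

# Install the role with its management tools (DNS Manager, dnscmd, DnsServer module).
Install-WindowsFeature -Name DNS -IncludeManagementTools
Import-Module DnsServer

# Standard, file-backed primary zone. LON-SVR1 is not a domain controller at
# this point, so the zone cannot be AD-integrated and needs a zone file
# (file name chosen for this example). Dynamic updates stay off: a file-backed
# zone cannot use secure updates, and nonsecure updates would let any host on
# the network rewrite records in it.
Add-DnsServerPrimaryZone -Name 'fabrikam.com' -ZoneFile 'fabrikam.com.dns' -DynamicUpdate None -PassThru

# One record in the demo zone so there is something to resolve (example address).
Add-DnsServerResourceRecordA -ZoneName 'fabrikam.com' -Name 'www' -IPv4Address 172.16.0.50

# Forward everything this server is not authoritative for to the head-office
# DNS server (172.16.0.10 in the demonstration).
Set-DnsServerForwarder -IPAddress 172.16.0.10 -PassThru

# Verify from the server itself: the local zone, the forwarder list, one name
# answered from the local zone and one that must go through the forwarder.
Get-DnsServerZone -Name 'fabrikam.com' | Format-List ZoneName, ZoneType, IsDsIntegrated, DynamicUpdate, ZoneFile
Get-DnsServerForwarder
Resolve-DnsName -Name 'www.fabrikam.com' -Server 127.0.0.1 -DnsOnly
Resolve-DnsName -Name 'www.contoso.com'  -Server 127.0.0.1 -DnsOnly
```

The second Resolve-DnsName call succeeds only if 172.16.0.10 can answer for contoso.com; a failure there points at the forwarder rather than at the local server.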

Lesson 3: Managing DNS Zones

The DNS server hosts zone data in an Active Directory database or in the zone file. Also, the DNS server can host several types of zones. In this lesson, you will learn about DNS zone types and about Active Directory-integrated DNS zones.

Lesson Objectives

After completing this lesson, you will be able to:
Describe DNS zone types.
Describe dynamic updates.
Describe Active Directory-integrated zones.
Explain how to create an Active Directory-integrated zone.

What Are DNS Zone Types?

There are four DNS zone types:
Primary
Secondary
Stub
Active Directory-integrated

Primary Zone

When the DNS server is both the host and the primary source for information about a zone, the zone is a primary zone. In addition, the DNS server stores the master copy of the zone data either in a local file or in AD DS. When the DNS server stores the zone data in a file, the primary zone file by default is named zone_name.dns, and is located on the server in the %windir%\System32\Dns folder. When the zone is not stored in AD DS, the primary zone server is the only DNS server that has a writable copy of the database.

Secondary Zone

When the DNS server is the host, but is the secondary source for zone information, the zone is a secondary zone. The zone information at this server must be obtained, by zone transfer, from another DNS server that also hosts the zone. This DNS server must have network access to that master DNS server to receive updated zone information.

Because a secondary zone is a copy of a primary zone that another server hosts, the secondary zone cannot be stored in AD DS. Secondary zones can be useful if you are replicating data from non-Windows DNS zones. Because a zone transfer hands the requester a complete list of the names in the zone, restrict transfers on the primary server to the IP addresses of your own secondary servers.

Stub Zone

A stub zone is a replicated copy of a zone that contains only those resource records that are necessary to identify that zone's authoritative DNS servers. A stub zone resolves names between separate DNS namespaces, which might be necessary when a corporate merger requires that the DNS servers for two separate DNS namespaces resolve names for clients in both namespaces.

A stub zone consists of the following:
The delegated zone's SOA resource record, NS resource records, and A resource records.
The IP address of one or more master servers used to update the stub zone.

The master servers for a stub zone are one or more DNS servers that are authoritative for the child zone. Usually this is the DNS server that is hosting the primary zone for the delegated domain name.

Active Directory-Integrated Zone

If AD DS stores the zone data, DNS can use the multimaster replication model to replicate the primary zone data. This enables you to simultaneously edit zone data on more than one DNS server.
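An added example (not from the course text) that creates one zone of each type from Windows PowerShell and, for the standard primary zone, restricts zone transfers the way the Secondary Zone section above recommends. It assumes the DnsServer module on a Windows Server 2012 domain controller; the zone names legacy.contoso.com and partner.example, and the addresses 172.16.0.10 (primary), 172.16.0.11 (our secondary, LON-SVR1) and 10.0.0.53 (the partner's authoritative server), are placeholders for this example. The Active Directory-integrated zone created in step 1 is the same kind of zone the demonstration later in this lesson builds in DNS Manager.

```powershell
# Added example, not from the course text. Elevated Windows PowerShell on a
# domain controller running the DNS role (DnsServer module, Windows Server 2012).
# Placeholder names/addresses: legacy.contoso.com, partner.example,
# 172.16.0.10 (primary), 172.16.0.11 (secondary, LON-SVR1), 10.0.0.53 (partner master).
Import-Module DnsServer

# 1. Active Directory-integrated primary zone: stored in AD DS, replicated to
#    every DNS server that is a DC in the forest, multimaster, secure updates.
Add-DnsServerPrimaryZone -Name 'contoso.com' -ReplicationScope 'Forest' -DynamicUpdate 'Secure' -PassThru

# 2. Standard (file-backed) primary zone, then lock down zone transfers.
#    TransferAnyServer would let anyone who can reach TCP port 53 pull the
#    whole zone (AXFR) and enumerate every host in it; allow only our secondary
#    and notify it of changes so IXFR picks them up promptly.
Add-DnsServerPrimaryZone -Name 'legacy.contoso.com' -ZoneFile 'legacy.contoso.com.dns' -DynamicUpdate 'None'
Set-DnsServerPrimaryZone -Name 'legacy.contoso.com' `
    -SecureSecondaries 'TransferToSecureServers' -SecondaryServers 172.16.0.11 `
    -Notify 'NotifyServers' -NotifyServers 172.16.0.11 -PassThru

# 3. Secondary zone on the other server (LON-SVR1): a read-only copy pulled by
#    zone transfer from the primary. A secondary zone is always file-backed;
#    it cannot be stored in AD DS.
Add-DnsServerSecondaryZone -Name 'legacy.contoso.com' -ZoneFile 'legacy.contoso.com.dns' `
    -MasterServers 172.16.0.10 -ComputerName 'LON-SVR1'

# 4. Stub zone for a partner namespace: only the SOA, NS and glue A records,
#    refreshed from the partner's master, so the delegation stays current
#    without copying the partner's zone.
Add-DnsServerStubZone -Name 'partner.example' -MasterServers 10.0.0.53 -ReplicationScope 'Forest' -PassThru

# 5. Review what is hosted where. IsDsIntegrated shows which zones live in
#    AD DS; SecureSecondaries shows the transfer policy of each primary zone.
Get-DnsServerZone | Where-Object { -not $_.IsAutoCreated } |
    Format-Table ZoneName, ZoneType, IsDsIntegrated, DynamicUpdate, SecureSecondaries -AutoSize
```

For an Active Directory-integrated zone the transfer policy matters less, because other DCs receive the data through AD DS replication, but it still applies to any non-DC secondary you allow; the default there is to permit transfers only to the servers listed in the zone's NS records.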

What Are Dynamic Updates?

A dynamic update is an update to DNS in real time. Dynamic updates are important for DNS clients that change locations, because they can dynamically register and update their resource records without manual intervention.

The Dynamic Host Configuration Protocol (DHCP) Client service performs the registration, regardless of whether the client's IP address is obtained from a DHCP server, or is fixed. The registration occurs during the following events:
When the client starts and the DHCP Client service is started
When an IP address is configured, added, or changed on any network connection
When an administrator runs the Windows PowerShell cmdlet Register-DnsClient, or the ipconfig /registerdns command at a command prompt

The process of dynamic updates is as follows:
1. The client identifies a name server and sends an update. If the name serv
e. If the zone is not an Active Directory-integrated zone, the client may h
2. If the zone supports dynamic updates, the client eventually reaches a DN
a. The primary server for a standard, file-based zone
b. Any domain controller that is a name server for an Active Directory-integrated zone, because it is writable
3. If the zone is configured for secure dynamic updates, the DNS server refu

In some configurations, you may not want clients to update their records even in a dynamic update zone. In this case, you can configure the DHCP server to register the records on the clients' behalf. By default, a client registers its A (host/address) record, and the DHCP server registers the PTR (pointer/reverse lookup) record.

By default, Windows operating systems attempt to register their records with their DNS server. You can modify this behavior in the client IP configuration, or through Group Policy. Domain controllers also register their SRV records (and their host records) in DNS. SRV records are registered automatically each time the Netlogon service starts.
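An added example (not course text) of the server-side and client-side halves of dynamic registration described above. It assumes the lab's names (zone adatum.com, Active Directory-integrated on a Windows Server 2012 domain controller; client LON-CL1 with an adapter named Ethernet) and the DnsServer and DnsClient modules; the aging and scavenging intervals are values chosen for this example.

```powershell
# Added example, not from the course text. Assumes the lab's adatum.com zone
# (Active Directory-integrated, Windows Server 2012 DC) and the client LON-CL1.

# --- On the DNS server (domain controller) ---
Import-Module DnsServer

# Secure dynamic updates only: the client must authenticate (Kerberos via
# GSS-TSIG) and a record can then be changed only by the principal that
# created it. 'NonsecureAndSecure' would let any host on the network overwrite
# any name, including www or a domain controller's own A record.
Set-DnsServerPrimaryZone -Name 'adatum.com' -DynamicUpdate 'Secure' -PassThru

# Dynamically registered records carry a timestamp; aging plus scavenging
# removes entries whose owners stopped refreshing them, so a stale name cannot
# be inherited by whatever host later receives the old address. (Example intervals.)
Set-DnsServerZoneAging -Name 'adatum.com' -Aging $true -RefreshInterval 7.00:00:00 -NoRefreshInterval 7.00:00:00
Set-DnsServerScavenging -ScavengingState $true -ScavengingInterval 7.00:00:00

# --- On the client (LON-CL1) ---
Import-Module DnsClient

# Registration is controlled per adapter; this is the setting the client IP
# configuration and Group Policy toggle. Then force a registration now, which
# is the same as running ipconfig /registerdns.
Get-DnsClient | Format-Table InterfaceAlias, RegisterThisConnectionsAddress, UseSuffixWhenRegistering -AutoSize
Set-DnsClient -InterfaceAlias 'Ethernet' -RegisterThisConnectionsAddress $true
Register-DnsClient

# --- Back on the DNS server: confirm the registration and its timestamp ---
Get-DnsServerResourceRecord -ZoneName 'adatum.com' -Name 'LON-CL1' -RRType A |
    Select-Object HostName, Timestamp, @{ n = 'IPv4'; e = { $_.RecordData.IPv4Address } }
# Timestamp is set only on dynamically registered records. A static record
# created by an administrator has no timestamp and is never scavenged.
```

When the DHCP server registers on clients' behalf, it (not the client) becomes the owner of the records it creates; add the DHCP servers to the DnsUpdateProxy group only with name protection in mind, since any member of that group can overwrite records that other members registered.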

What Are Active Directory-Integrated Zones?

A DNS server can store zone data in the AD DS database provided that the DNS server is an AD DS domain controller. When the DNS server stores zone data in this way, this creates an Active Directory-integrated zone.

The benefits of an Active Directory-integrated zone are significant:
Multimaster updates. Unlike standard primary zones, which can only be m
replicated. This builds redundancy into the DNS infrastructure. In addition,
can update their DNS records without having to connect to a potentially ge
Replication of DNS zone data by using AD DS replication. One of the chara
us avoid replicating the entire zone file as in traditional DNS zone transfer
Secure dynamic updates. An Active Directory-integrated zone can enforce
Granular security. As with other Active Directory objects, an Active Directo

Question: Can you think of any disadvantages to storing DNS information

Demonstration: Creating an Active Directory-Integrated Zone

To create an Active Directory-integrated zone, you must install a DNS server on a domain controller. All changes in an Active Directory-integrated zone replicate to the other DNS servers that are on domain controllers through the AD DS multimaster replication model.

In this demonstration, you will see how to:
Promote a server as a domain controller.
Create an Active Directory-integrated zone.
Create a record.
Verify replication to a second DNS server.

Demonstration Steps

Promote a server as a domain controller
1. Install the AD DS server role on LON-SVR1.
2. Start the Active Directory Domain Services Configuration Wizard.
3. Install the DNS Server service.

Create an Active Directory-integrated zone
1. On LON-DC1, open the DNS Manager console.
2. Start the New Zone Wizard.
3. Create a new Active Directory-integrated forward lookup zone named Contoso.com.
4. Review the records in the Contoso.com zone.

Create a record
Create a New Host record in the Contoso.com zone named www, and have

Verify replication to a second DNS server
Verify that the new record is replicating to the LON-SVR1 DNS server.

Lab: Implementing DNS

Scenario
Your manager has asked you to configure the domain controller in the branch office as a DNS server. You have also been asked to create some new host records to support a new app that is being installed. Finally, you need to configure forwarding on the DNS server in the branch office to support Internet name resolution.

Objectives
After completing this lab, you should be able to:
Install and configure DNS.
Create host records in DNS.
Manage the DNS server cache.

Lab Setup
Estimated Time: 40 minutes
Virtual machines: 20410C-LON-DC1, 20410C-LON-SVR1, 20410C-LON-CL1
User name: Adatum\Administrator
Password: Pa$$w0rd

For this lab, you will use the available virtual machine environment. Before beginning the lab, you must complete the following steps:
1. On the host computer, click Start, point to Administrative Tools, and then click Hyper-V Manager.
2. In Hyper-V Manager, click 20410C-LON-DC1, and in the Actions pane, click Start.
3. In the Actions pane, click Connect. Wait until the virtual machine starts.
4. Sign in using the following credentials:
o User name: Administrator
o Password: Pa$$w0rd
o Domain: Adatum
5. Repeat steps 2 to 4 for 20410C-LON-SVR1 and 20410C-LON-CL1.

Exercise 1: Installing and Configuring DNS

Scenario
Contoso is a partner organization working closely with users in the new branch office. In order to support name resolution between A. Datum's branch office and Contoso, you decide to enable DNS forwarding between the two DNS domains.

As part of configuring the infrastructure for the new branch office, you must configure a DNS server that provides name resolution for the branch office. This includes the forwarding for Contoso.com. The DNS server in the branch office will be a domain controller. The Active Directory-integrated zones required to support logons will be replicated automatically to the branch office.

The main tasks for this exercise are as follows:
1. Configure LON-SVR1 as a domain controller without installing the Domain Name System (DNS) server role.
2. Create and configure the Contoso.com zone on LON-DC1.
3. Review configuration settings on the existing DNS server to confirm root hints.
4. Add the DNS server role for the branch office on the domain controller.
5. Verify replication of the Adatum.com Active Directory-integrated zone.
6. Use Windows PowerShell commands to test non-local resolution.
7. Configure Internet name resolution to forward to the head office.
8. Use Windows PowerShell to confirm name resolution.

Task 1: Configure LON-SVR1 as a domain controller without installing the Domain Name System (DNS) server role
1. Use Add Roles and Features in Server Manager to add the Active Directory Domain Services role.
2. Start the Active Directory Domain Services Configuration Wizard to promote LON-SVR1 to a domain controller.
3. Choose to add LON-SVR1 as an additional domain controller in the Adatum.com domain.
4. Do not install the DNS server.

Task 2: Create and configure the Contoso.com zone on LON-DC1
1. On the LON-DC1 virtual machine, open the DNS Manager console.
2. Create a new Forward Lookup Zone with the following parameters:
o Zone name: contoso.com
o Zone type: Primary Zone
o Store the zone in Active Directory: No

Task 3: Review configuration settings on the existing DNS server to confirm root hints
1. In DNS Manager on LON-DC1, open the Properties dialog box for LON-DC1.
2. Review the root hints and forwarder configuration.

Task 4: Add the DNS server role for the branch office on the domain controller
Use Server Manager to add the DNS Server role to LON-SVR1.

Task 5: Verify replication of the Adatum.com Active Directory-integrated zone
1. On LON-SVR1, open the DNS Manager console.
2. Expand Forward Lookup Zones and verify that both the Adatum.co
3. If you do not see these zones, open Active Directory Sites and Services, force replication, and then repeat steps 1 and 2.

Task 6: Use Windows PowerShell commands to test non-local resolution
1. On LON-SVR1, make 127.0.0.1 the preferred DNS server for LON-SVR1 by running the following cmdlet, where X is the interface index number, which you can find in the output of Get-DnsClient:
Set-DnsClientServerAddress -InterfaceIndex X -ServerAddresses 127.0.0.1
2. Open a Windows PowerShell window on LON-SVR1, and try to resolve www.contoso.com by using the Resolve-DnsName cmdlet.
You receive a negative reply (this is expected): LON-SVR1 is not authoritative for contoso.com and has no forwarder yet.

Task 7: Configure Internet name resolution to forward to the head office
1. Type the following cmdlet, and then press Enter:
Set-DnsServerForwarder -IPAddress '172.16.0.10' -PassThru
2. Type the following cmdlet, and then press Enter:
Restart-Computer

Task 8: Use Windows PowerShell to confirm name resolution
1. Sign in to LON-SVR1 as Adatum\Administrator with the password Pa$$w0rd.
2. In Windows PowerShell, type the following command, and then press Enter:
nslookup www.contoso.com
You should get a reply and an IP address.

Results: After completing this exercise, you should have installed and configured DNS on 20410C-LON-SVR1.

Exercise 2: Creating Host Records in DNS

Scenario
Several new web-based apps are being implemented in the A. Datum head office. Each app requires that you configure a host record in DNS. You have been asked to create the new host records for these apps.

The main tasks for this exercise are as follows:
1. Configure a client to use LON-SVR1 as a DNS server.
2. Create several host records for web apps in the Adatum.com domain.
3. Verify replication of new records to LON-SVR1.
4. Use the ping command to locate new records from LON-CL1.

Task 1: Configure a client to use LON-SVR1 as a DNS server
1. Sign in to LON-CL1 as Adatum\Administrator using the password Pa$$w0rd.
2. Open Control Panel.
3. Open the Properties dialog box for the Ethernet adapter.
4. Configure the preferred DNS server to be 172.16.0.11.

Task 2: Create several host records for web apps in the Adatum.com domain
1. On LON-DC1, open DNS Manager.
2. Navigate to the Adatum.com forward lookup zone.
3. Create a new record named www with the IP address 172.16.0.200.
4. Create a new record named ftp with the IP address 172.16.0.201.

Task 3: Verify replication of new records to LON-SVR1
1. On LON-SVR1, open DNS Manager.
2. Navigate to the Adatum.com forward lookup zone.
3. Ensure that the records www and ftp display.
Note: If the www and ftp resource records do not display within several minutes, force AD DS replication and then refresh DNS Manager.

Task 4: Use the ping command to locate new records from LON-CL1
1. On LON-CL1, open a Command Prompt window.
2. Ping www.adatum.com. Ensure that ping resolves this name to 172.16.0.200.
3. Ping ftp.adatum.com and ensure that it resolves to 172.16.0.201.

Results: After completing this exercise, you should have configured DNS records.

Exercise 3: Managing the DNS Server Cache

Scenario
After you changed some host records in zones configured on LON-DC1, you noticed that clients that use LON-SVR1 as their DNS server were still receiving old IP addresses during the name resolution process. You want to determine which component is caching this data.

The main tasks for this exercise are as follows:
1. Use the ping command to locate an Internet record from LON-CL1.
2. Update an Internet record to point to the LON-DC1 IP address.
3. Examine the content of the DNS cache.
4. Clear the cache, and retry the ping command.

Task 1: Use the ping command to locate an Internet record from LON-CL1
1. On LON-CL1, in the Command Prompt window, use ping to locate www.contoso.com.
2. Ensure that the name resolves to an IP address, and then document the IP address.

Task 2: Update an Internet record to point to the LON-DC1 IP address
1. On LON-DC1, open the DNS Manager console.
2. Navigate to the contoso.com forward lookup zone.
3. Change the IP address for the record www to 172.16.0.10.
4. From LON-CL1, ping www.contoso.com.
Note that this record is still resolved with the old IP address.

Task 3: Examine the content of the DNS cache
1. On LON-SVR1, in the DNS Manager console, enable Advanced View.
2. Browse the content of the Cached Lookups container for the com namespace.
3. On LON-CL1, at a command prompt, type ipconfig /displaydns.
4. Examine the cached content and notice the IP address for the www record.

Task 4: Clear the cache, and retry the ping command
1. Clear the cache on the LON-SVR1 DNS server by using the Clear-DnsServerCache cmdlet.
2. Retry the ping to www.contoso.com on LON-CL1.
The result still returns the old IP address, because the client's own resolver cache has not been cleared yet.
3. Clear the client resolver cache on LON-CL1 by typing ipconfig /flushdns.
4. On LON-CL1, retry the ping to www.contoso.com. (The result should now return the new IP address.)

Results: After completing this exercise, you should have examined the DNS server cache.
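Exercises 2 and 3 as one Windows PowerShell script, added here and not part of the lab text. It uses the lab's machine names and addresses (LON-DC1 at 172.16.0.10, LON-SVR1 at 172.16.0.11, LON-CL1) and assumes it runs on LON-DC1 with Windows PowerShell remoting to LON-CL1 working; the DnsServer and DnsClient modules are assumed.

```powershell
# Added example, not from the lab text. Run on LON-DC1 as Adatum\Administrator in
# an elevated Windows PowerShell session; the LON-CL1 steps use PowerShell remoting.
Import-Module DnsServer

# ---- Exercise 2: create host records on the authoritative server ... ----
Add-DnsServerResourceRecordA -ZoneName 'adatum.com' -Name 'www' -IPv4Address 172.16.0.200
Add-DnsServerResourceRecordA -ZoneName 'adatum.com' -Name 'ftp' -IPv4Address 172.16.0.201

# ... and confirm they replicated through AD DS to the branch-office DC/DNS server.
Get-DnsServerResourceRecord -ZoneName 'adatum.com' -RRType A -ComputerName 'LON-SVR1' |
    Where-Object { $_.HostName -in 'www', 'ftp' } |
    Format-Table HostName, @{ n = 'IPv4'; e = { $_.RecordData.IPv4Address } }

# ---- Exercise 3: which component is caching the old answer? ----
# Prime both caches: the client asks LON-SVR1, which resolves www.contoso.com
# through LON-DC1 and caches the answer; the client's resolver caches it too.
Invoke-Command -ComputerName 'LON-CL1' { Resolve-DnsName -Name 'www.contoso.com' }

# Change the record on the authoritative server (contoso.com lives on LON-DC1).
$old = Get-DnsServerResourceRecord -ZoneName 'contoso.com' -Name 'www' -RRType A
$new = $old.Clone()
$new.RecordData.IPv4Address = [System.Net.IPAddress]'172.16.0.10'
Set-DnsServerResourceRecord -ZoneName 'contoso.com' -OldInputObject $old -NewInputObject $new -PassThru

# The server cache on LON-SVR1 still holds the old answer until its TTL expires.
Show-DnsServerCache -ComputerName 'LON-SVR1' | Where-Object { $_.HostName -like '*contoso.com*' }
Clear-DnsServerCache -ComputerName 'LON-SVR1' -Force

# The client's resolver cache is a second, independent cache: clearing the
# server cache alone still yields the old address on the client.
Invoke-Command -ComputerName 'LON-CL1' {
    Get-DnsClientCache -Entry 'www.contoso.com' | Format-Table Entry, Data, TimeToLive
    Clear-DnsClientCache                      # same as ipconfig /flushdns
    Resolve-DnsName -Name 'www.contoso.com'   # now answered with 172.16.0.10
}
```

The order matters when troubleshooting: flushing the client first would re-populate it from the still-stale server cache, which is why the lab clears the server cache before the client cache.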
Prepare for the next module
After you finish the lab, revert the virtual machines to their initial state.
1. On the host computer, start Hyper-V Manager.
2. In the Virtual Machines list, right-click 20410C-LON-DC1, and then click Revert.
3. In the Revert Virtual Machine dialog box, click Revert.
4. Repeat steps 2 and 3 for 20410C-LON-SVR1 and 20410C-LON-CL1.

Lab Review Questions
Question: Can you install the DNS server role on a server that is not a domain controller? If yes, are there any limitations?
Question: What is the most common way to carry out Internet name resolution on a local DNS server?
Question: How can you browse the content of the DNS resolver cache on a DNS server?

Module Review and Takeaways

Module Review Questions
Question: You are troubleshooting DNS name resolution from a client computer. What must you remember to do before each test?
Question: You are deploying DNS servers into an Active Directory domain, and your customer requires that the infrastructure is resistant to single points of failure. What must you consider when planning the DNS configuration?
Question: What benefits do you realize by using forwarders?

Best Practices
When implementing DNS, use the following best practices:
Always use host names instead of NetBIOS names.
Use forwarders rather than root hints.
Be aware of potential caching issues when troubleshooting name resolution.
Use Active Directory-integrated zones instead of standard primary and secondary zones.

Common Issues and Troubleshooting Tips

Common Issue: Clients sometimes cache invalid DNS records.
Common Issue: DNS Server performs slowly.

Tools
Tool: DNS Manager console. Use: Manage the DNS server role.
Tool: Nslookup. Use: Troubleshoot DNS.
Tool: Ipconfig. Use: Troubleshoot DNS.
Tool: Windows PowerShell cmdlets. Use: Manage and troubleshoot DNS.