
WS-011 Windows Server 2019 Administration

Uploaded by

Albert Jeremy

WS-011 Windows Server 2019 Administration

© Copyright Microsoft Corporation. All rights reserved.


Module 3: Network infrastructure services in Windows Server
Module overview

Lessons:
 Deploying and managing DHCP
 Deploying and managing DNS services
 Deploying and managing IPAM
Lesson 1: Deploying and managing DHCP
Lesson 1 overview

Topics:
 Overview of the DHCP role
 Install and configure the DHCP role
 Configure DHCP options
 Demonstration: Configure the DHCP role
 Configure DHCP scopes
 Demonstration: Create and configure a DHCP scope
 DHCP AD DS authorization
 High availability options for DHCP
 DHCP Failover
Overview of the DHCP role

DHCP simplifies management of IP configuration on clients
DHCP lease renewal is attempted at:
 50% of lease time
 87.5% of lease time
DHCP for IPv6 can be stateful or stateless
Message exchange between DHCP client and DHCP server:
1. DHCPDISCOVER
2. DHCPOFFER
3. DHCPREQUEST
4. DHCPACK
Diagram labels: DHCP, VLAN1, VLAN2, VLAN3
Install and configure the DHCP role

To install the DHCP role:


 Windows Admin Center > Roles and Features
 Server Manager
 Add-WindowsFeature DHCP -IncludeManagementTools
To manage a DHCP server by using Windows Admin Center, you must install the DHCP PowerShell tools
DHCP local security groups:
 DHCP Administrators
 DHCP Users
To create the DHCP local security groups:
 Server Manager > Post-Install Configuration Wizard
 Add-DhcpServerSecurityGroup -ComputerName DhcpServerName
Configure DHCP options

A DHCP lease can include options such as:

Option code Name


1 Subnet mask
3 Router
6 DNS servers
15 DNS domain name

DHCP options are applied in order:


1. Server level
2. Scope level
3. Class level
4. Reserved client level
Demonstration: Configure the DHCP role
 Install the DHCP Server role
 Install the DHCP PowerShell tools
 Configure a DHCP server option
Configure DHCP scopes

Properties of a DHCP scope:
 Name (mandatory)
 Description
 IP address range (mandatory)
 Subnet mask (mandatory)
 Exclusions
 Delay
 Lease duration
 Options
 Activation
DHCP PowerShell cmdlets:
 Add-DhcpServerv4Scope
 Get-DhcpServerv4Scope
 Get-DhcpServerv4ScopeStatistics
 Set-DhcpServerv4Scope
Properties of a DHCP reservation:
 Reservation name
 IP address
 MAC address
 Description
Demonstration: Create and configure a DHCP scope
 Create a DHCP scope
 Create a DHCP reservation
DHCP AD DS authorization

A DHCP server on Windows Server must be authorized in AD DS to lease IP addresses:


 To authorize a DHCP server by using Windows PowerShell, run:
Add-DHCPServerinDC <name or IP address of DHCP server>
A standalone server with DHCP will not lease IP addresses if an authorized DHCP server is detected
Non-Windows DHCP servers function regardless of authorization
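The scope, reservation and authorization steps from the preceding slides, put together as an added example that is not part of the course material. The server name, addresses, MAC address and expected-server list are constructed placeholders.

```powershell
# Added example; server name, addresses and MAC are constructed placeholders.
$dhcp    = 'dhcp1.contoso.com'
$scopeId = '192.168.10.0'

# Create the scope inactive so nothing is leased until it is fully configured.
Add-DhcpServerv4Scope -ComputerName $dhcp -Name 'Branch-Clients' `
    -StartRange 192.168.10.1 -EndRange 192.168.10.254 `
    -SubnetMask 255.255.255.0 -LeaseDuration (New-TimeSpan -Days 8) -State InActive

# Exclude the addresses held by statically configured infrastructure.
Add-DhcpServerv4ExclusionRange -ComputerName $dhcp -ScopeId $scopeId `
    -StartRange 192.168.10.1 -EndRange 192.168.10.20

# Scope-level options 3 (router), 6 (DNS servers) and 15 (DNS domain name).
Set-DhcpServerv4OptionValue -ComputerName $dhcp -ScopeId $scopeId `
    -Router 192.168.10.1 -DnsServer 192.168.10.10 -DnsDomain 'contoso.com'

# Reservation: name, IP address and MAC address (ClientId) identify the client.
Add-DhcpServerv4Reservation -ComputerName $dhcp -ScopeId $scopeId `
    -IPAddress 192.168.10.50 -ClientId '00-15-5D-00-00-01' `
    -Name 'print01' -Description 'Constructed sample reservation'

# Authorize the server in AD DS, then activate the scope.
Add-DhcpServerInDC -DnsName $dhcp -IPAddress 192.168.10.5
Set-DhcpServerv4Scope -ComputerName $dhcp -ScopeId $scopeId -State Active

# Audit: list any authorized DHCP server that is not on the expected list.
$expected = @('dhcp1.contoso.com')
Get-DhcpServerInDC | Where-Object { $_.DnsName -notin $expected }
```

Because non-Windows DHCP servers ignore authorization, the final check only covers servers registered in AD DS; it does not detect an unauthorized non-Windows server on the network.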
High availability options for DHCP (slide 1 of 2)

DHCP Failover:
 Newer method for high availability
 Strongly preferred to implement high availability for DHCP
DHCP clustering:
 Is configured to run in a failover cluster
 Install the DHCP Server role on cluster nodes
 DHCP configuration information is stored on shared storage
Split scopes:
 Involve two DHCP servers that are configured with non-overlapping scopes
 Control the primary server by configuring delay
High availability options for DHCP (slide 2 of 2)

Diagram: DHCP cluster and DHCP split scope
DHCP cluster: DHCP cluster member 1 and DHCP cluster member 2, with DHCP configuration information on shared storage
DHCP split scope: DHCP server A (192.168.0.1 – 192.168.0.150) and DHCP server B (192.168.0.151 – 192.168.0.254)
DHCP Failover

Creates a partnership between two DHCP servers


Lease information is replicated between the partners
Configuration modes:
 Load balance
 Hot standby
Other configuration options:
 MCLT
 Auto state switchover interval
 Message authentication
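A failover relationship that sets each option listed above, followed by a check that message authentication is enabled on every relationship. This is an added example, not from the course material; the server names, relationship name, scope ID and timer values are assumptions.

```powershell
# Added example; server names, scope and timers are constructed placeholders.
$primary = 'dhcp1.contoso.com'
$partner = 'dhcp2.contoso.com'

# -SharedSecret takes a plain string, so prompt for it instead of storing it
# in the script. The user name in the prompt is ignored.
$secret = (Get-Credential -UserName 'dhcp-failover' `
    -Message 'Enter the failover shared secret').GetNetworkCredential().Password

# Load balance mode: both partners answer clients, split 50/50.
# For hot standby, replace -LoadBalancePercent with
# -ServerRole Active -ReservePercent 5.
Add-DhcpServerv4Failover -ComputerName $primary -Name 'DHCP1-DHCP2' `
    -PartnerServer $partner -ScopeId 192.168.10.0 `
    -LoadBalancePercent 50 `
    -MaxClientLeadTime (New-TimeSpan -Hours 1) `
    -AutoStateTransition $true `
    -StateSwitchInterval (New-TimeSpan -Minutes 60) `
    -SharedSecret $secret

# Review the negotiated settings of every relationship on the server.
$relationships = Get-DhcpServerv4Failover -ComputerName $primary
$relationships | Select-Object Name, PartnerServer, Mode, State,
    MaxClientLeadTime, AutoStateTransition, StateSwitchInterval, EnableAuth

# Flag relationships whose failover messages are not authenticated.
$relationships | Where-Object { -not $_.EnableAuth } |
    ForEach-Object { Write-Warning "Failover '$($_.Name)' has no message authentication" }
```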
Lesson 1: Test your knowledge

Refer to the Student Guide for lesson-review questions


Lesson 2: Deploying and managing DNS services
Lesson 2 overview

Topics:
 DNS components
 What are DNS zones?
 What are DNS records?
 Demonstration: Install and configure the DNS role
 Manage DNS services
 Create records in DNS
 Configure DNS zones
 DNS forwarding
 DNS integration in AD DS
 Overview of DNS policies
 Overview of DNSSEC
DNS components

DNS domain names:


 Are a portion of DNS namespace
 Can be public or private
DNS servers:
 Respond to requests from DNS resolvers
 Can access DNS information from a local database or other DNS servers
DNS zones and resource records:
 A zone is a local copy of a DNS namespace on a DNS server
 Resource records are created and stored in a zone
DNS resolvers:
 Request DNS information from DNS servers
 Cache results
What are DNS zones? (slide 1 of 2)

A DNS zone is the portion of a DNS namespace hosted on a DNS server:


 Forward lookup zones:
o Resolve names to IP addresses
o Can contain many other record types
 Reverse lookup zones:
o Resolve IP addresses to names
o Are in the in-addr.arpa namespace
 Primary zones:
o Are authoritative for a portion of a DNS namespace
o Are where resource records are created
 Secondary zones are read-only copies of primary zones
 Stub zones contain only the records required to locate and communicate with name servers
What are DNS zones? (slide 2 of 2)

Diagram: DNS server authorized for training, answering a DNS client
Forward lookup zone - training:
client1 192.168.2.45
client2 192.168.2.46
client3 192.168.2.47
Reverse lookup zone – 2.168.192.in-addr.arpa:
192.168.2.45 client1
192.168.2.46 client2
192.168.2.47 client3
DNS client query: client2 IP is ?
DNS server response: client2 IP is 192.168.2.46
What are DNS records?

Forward lookup and reverse lookup zones have these records:


 Start of authority (SOA)
 Name server (NS)
Forward lookup zones include:
 Host (A)
 Host (AAAA)
 Alias (CNAME)
 Service location (SRV)
Reverse lookup zones include pointer (PTR) records
Records are configured with a time to live (TTL)
Demonstration: Install and configure the DNS role
 Install the DNS Server role
 Install the DNS PowerShell tools and create a DNS zone
 Create and verify a host record
Manage DNS services

Delegate administration by using the DNS Admins group


DNS logging:
 DNS server event log
 Debug logging to text file
 Analytic logging to event log
Aging and scavenging:
 Needs to be enabled on the zone and one DNS server
 Only applies to dynamic DNS records
To back up a DNS zone:
 Export-DnsServerZone -Name <zone name> -Filename <zone backup file>
 Dnscmd.exe /ZoneExport <zone name> <zone backup file>
Create records in DNS

Manual creation methods:


 Windows Admin Center
 DNS manager
 Windows PowerShell
Dynamic creation:
 Clients register name and IP address in a zone
 DHCP Client service performs registration
 Requires communication with a primary zone
 DHCP server can register for clients that don’t support dynamic DNS
Configure DNS zones (slide 1 of 2)

Active Directory-integrated zones can be replicated to:


 All DNS servers running on domain controllers in the forest
 All DNS servers running on domain controllers in the domain
 All domain controllers in the domain
 All domain controllers in a custom scope of an application partition
You can allow zone transfers:
 To any server
 Only to servers listed as name servers
 Only to specific servers
Secure dynamic updates ensure that only the owner of a DNS record can update it
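An audit of the zone transfer and dynamic update settings described above, with the tightening calls for zones that use the most permissive values. This is an added example, not from the course material; the server name is a placeholder and the remediation choices (no transfers for Active Directory-integrated zones, name servers only for file-backed zones) are assumptions to adapt.

```powershell
# Added example; the DNS server name is a constructed placeholder.
$dns = 'dc1.contoso.com'

# Primary zones only: secondary and stub zones do not accept updates.
$zones = Get-DnsServerZone -ComputerName $dns |
    Where-Object { $_.ZoneType -eq 'Primary' -and -not $_.IsAutoCreated }

# Current posture of each zone.
$zones | Select-Object ZoneName, IsDsIntegrated, SecureSecondaries, DynamicUpdate

foreach ($z in $zones) {
    # "To any server" exposes the whole zone to anyone who asks for it.
    if ($z.SecureSecondaries -eq 'TransferAnyServer') {
        Write-Warning "$($z.ZoneName): zone transfers allowed to any server"
        if ($z.IsDsIntegrated) {
            # AD DS replication carries the zone, so transfers are not needed.
            Set-DnsServerPrimaryZone -ComputerName $dns -Name $z.ZoneName `
                -SecureSecondaries NoTransfer
        } else {
            # File-backed zone: transfer only to servers listed as name servers.
            Set-DnsServerPrimaryZone -ComputerName $dns -Name $z.ZoneName `
                -SecureSecondaries TransferToZoneNameServer
        }
    }

    # Nonsecure updates let any client overwrite any record in the zone.
    if ($z.DynamicUpdate -eq 'NonsecureAndSecure') {
        Write-Warning "$($z.ZoneName): nonsecure dynamic updates allowed"
        if ($z.IsDsIntegrated) {
            # Secure updates are only available on AD-integrated zones.
            Set-DnsServerPrimaryZone -ComputerName $dns -Name $z.ZoneName `
                -DynamicUpdate Secure
        } else {
            Set-DnsServerPrimaryZone -ComputerName $dns -Name $z.ZoneName `
                -DynamicUpdate None
        }
    }
}
```

Add `-WhatIf` to the `Set-DnsServerPrimaryZone` calls to preview the changes before applying them.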
Configure DNS zones (slide 2 of 2)

Diagram: Active Directory-integrated zones use replication; traditional DNS zones use zone transfer from a primary zone to a secondary zone

DNS forwarding

Forwarders:
 Receive DNS requests, and forward requests for zones for which they are not authoritative
 Are common for external name resolution
Conditional forwarders:
 Forward requests for a specific namespace
 Typical between partners and trusted organizations
Stub zones:
 Have a similar role to conditional forwarders
 Are useful when you expect name servers to be updated
 Are less useful when firewalls restrict communication
DNS integration in AD DS

SRV records:
 Are created in DNS by the NetLogon service running on domain controllers
 Are used by clients to find AD DS services
 Contain service information:
o Service name and port
o Protocol
o Host name
Benefits of Active Directory-integrated zones:
 Multi-master updates
 Replication managed by AD DS
 Secure dynamic updates
 Detailed security
Overview of DNS policies (slide 1 of 2)

Use DNS policies to manipulate how a DNS server handles queries based on different factors:
 Application high availability
 Traffic management
 Split-brain DNS
 Filtering
 Forensics
 Time-of-day based redirection
Identify elements with DNS policy objects:
 Client subnet
 Recursion scope
 Zone scope
Overview of DNS policies (slide 2 of 2)

Steps to resolve a host record differently for a user from a specific IP address range:
1. Create a DNS server client subnet for the IP address range
2. Create a DNS server zone scope for the zone containing the host record
3. Add a host record to the zone that is specific to the zone scope
4. Add a DNS server query resolution policy that allows the DNS server client subnet to query the zone scope for the zone
You can configure the DNS policy by using Windows PowerShell
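The four steps above in Windows PowerShell, as an added example that is not part of the course material. The server, zone, subnet, scope and policy names and all addresses are constructed placeholders.

```powershell
# Added example; all names and addresses are constructed placeholders.
$dns  = 'dc1.contoso.com'
$zone = 'contoso.com'

# 1. Client subnet object for the IP address range.
Add-DnsServerClientSubnet -ComputerName $dns -Name 'BranchSubnet' `
    -IPv4Subnet '10.10.0.0/16'

# 2. Zone scope inside the zone that holds the host record.
Add-DnsServerZoneScope -ComputerName $dns -ZoneName $zone -Name 'BranchScope'

# 3. Host record that exists only in that zone scope. The default scope
#    keeps its own "www" record for every other client.
Add-DnsServerResourceRecord -ComputerName $dns -ZoneName $zone -A `
    -Name 'www' -IPv4Address '10.10.1.20' -ZoneScope 'BranchScope'

# 4. Query resolution policy: clients in the subnet are answered from the
#    zone scope. "EQ" means the client subnet must match; ",1" is the weight.
Add-DnsServerQueryResolutionPolicy -ComputerName $dns -Name 'BranchPolicy' `
    -Action ALLOW -ClientSubnet 'EQ,BranchSubnet' `
    -ZoneScope 'BranchScope,1' -ZoneName $zone

# Verify what was created.
Get-DnsServerQueryResolutionPolicy -ComputerName $dns -ZoneName $zone
Get-DnsServerResourceRecord -ComputerName $dns -ZoneName $zone `
    -Name 'www' -ZoneScope 'BranchScope'

# Run from a client inside and outside 10.10.0.0/16; the answers should differ.
Resolve-DnsName -Name "www.$zone" -Type A -Server $dns
```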
Overview of DNSSEC

DNSSEC secures responses to DNS requests by using digital signatures


• Signature allows clients to verify that DNS responses are legitimate
To deploy DNSSEC:
1. Sign the DNS zone

2. Configure the trust anchor distribution

3. Configure the name resolution policy table (NRPT) on client computers (typically via Group Policy)

DNSSEC resource record    Purpose
RRSIG                     Signature for a set of records
DNSKEY                    Publishes the public key for a zone
NSEC                      Authenticates a non-response
NSEC3                     Hash of the NSEC record
DS                        Supports delegation to a child zone
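The three deployment steps in Windows PowerShell, followed by checks that the signing records are being served. This is an added example, not from the course material; the zone, server and GPO names are placeholders, and the GPO is assumed to exist already.

```powershell
# Added example; zone, server and GPO names are constructed placeholders.
$dns  = 'dc1.contoso.com'
$zone = 'contoso.com'

# 1. Sign the zone with the default signing parameters.
Invoke-DnsServerZoneSign -ComputerName $dns -ZoneName $zone `
    -SignWithDefault -Force

# 2. Distribute the zone's DNSKEY trust anchor through Active Directory.
Set-DnsServerDnsSecZoneSetting -ComputerName $dns -ZoneName $zone `
    -DistributeTrustAnchor DnsKey

# 3. NRPT rule in an existing GPO: clients must request DNSSEC data for the
#    namespace and reject responses that were not validated.
Add-DnsClientNrptRule -GpoName 'DNSSEC-NRPT' -Namespace $zone `
    -DnsSecEnable -DnsSecValidationRequired

# Verify on the server: the zone publishes DNSKEY records and the
# trust anchor is present.
Get-DnsServerResourceRecord -ComputerName $dns -ZoneName $zone -RRType DnsKey
Get-DnsServerTrustAnchor -ComputerName $dns -Name $zone

# Verify from a client: the answer should include an RRSIG record
# alongside the A record.
Resolve-DnsName -Name "dc1.$zone" -Type A -Server $dns -DnssecOk

# Verify on a client after Group Policy refresh: the rule is in effect.
Get-DnsClientNrptPolicy -Effective
```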
Lesson 2: Test your knowledge

Refer to the Student Guide for lesson-review questions


Lesson 3: Deploying and managing IPAM
Lesson 3 overview

Topics:
 What is IPAM?
 IPAM deployment requirements
 Process for deploying IPAM
 Demonstration: Install the IPAM role
 Administer IPAM
 Configure IPAM options
 Manage DNS zones with IPAM
 Configure DHCP servers with IPAM
 Use IPAM to manage IP addressing
What is IPAM?

Use IPAM to:


 Discover, audit, and manage IP address space
 Monitor and administer DHCP
 Monitor and administer DNS
 Collect sign-in statistics from domain controllers and network policy servers
Data can be stored in:
 Windows Internal Database
 Microsoft SQL Server database
IPAM deployment requirements

The IPAM server:


 Performs data collection
 Hosts the data collection database
The IPAM client:
 Provides a user interface for management
IPAM topology can be centralized, distributed, or hybrid
IPAM server requirements include:
 Must be a domain member
 Should be a single-purpose server
 Must have sufficient data storage
Process for deploying IPAM

To install and configure IPAM servers after selecting a deployment topology:


1. Install the IPAM Server feature
2. Provision the IPAM servers
3. Configure and run server discovery
4. Choose and manage the discovered servers
Install the IPAM client from Remote Server Administration Tools
Demonstration: Install the IPAM role
 Install the IPAM Server feature
 Install the IPAM Client feature
 Provision the IPAM server
 Create the IPAM GPOs
 Add the server to IPAM and view IPAM data
Administer IPAM

IPAM uses role-based management composed of roles, access scopes, and access policies:

IPAM security group                      Description
IPAM Administrators                      View all IPAM data and manage all IPAM tasks
IPAM MSM Administrators                  Manage DNS and DHCP servers
IPAM DNS Administrators                  Manage DNS servers, zones, and resource records
IPAM Record Administrators               Manage DNS resource records
IPAM ASM Administrators                  Manage IP address spaces
IPAM Address Record Administrators       Manage individual IP address records
IPAM DHCP Administrators                 Manage DHCP servers and scopes
IPAM DHCP Scope Administrators           Manage DHCP scopes
IPAM DHCP Reservations Administrators    Manage DHCP reservations
Configure IPAM options

GPO provisioning simplifies the configuration of managed servers and uses these GPOs:
 <Prefix>_DHCP
 <Prefix>_DNS
 <Prefix>_DC_NPS
To create the GPOs, run the following command:
Invoke-IpamGpoProvisioning -Domain <domain> -GpoPrefixName <prefix> -IpamServerFqdn <IPAMServer>
Adding a managed server modifies security filtering on the GPOs
Manage DNS zones with IPAM

Use IPAM to:


 View DNS servers and zones
 Create new zones
 Create DNS records
 Manage conditional forwarders
 Open the DNS console for a managed server
Configure DHCP servers with IPAM

Use IPAM to configure DHCP servers by:


 Editing server properties such as logging and MAC address filtering
 Configuring server options
 Configuring and activating DHCP policies
 Launching the DHCP Management Console
Use IPAM to configure DHCP scope details by:
 Editing scope properties
 Duplicating a scope
 Creating and managing reservations
 Configuring DHCP Failover
Use IPAM to manage IP addressing

Customize how you view and manage the IP address space by using any of the following views:

View                       Description
IP address blocks          IP subnets that you can use to allocate addresses to DHCP
IP address ranges          Subcomponents of an IP address block that typically correlate with a DHCP scope
IP addresses               Information about IP addresses from DHCP and DNS servers
IP address inventory       A list of all IP addresses in the enterprise
IP address range groups    Organizes IP address ranges into logical groups that you define
Lesson 3: Test your knowledge

Refer to the Student Guide for lesson-review questions


Instructor-led labs: Implementing and configuring network infrastructure services in Windows Server
 Deploying and configuring DHCP
 Deploying and configuring DNS
Lab: Implementing and configuring network infrastructure services in Windows Server
Exercise 1: Deploying and configuring DHCP
Exercise 2: Deploying and configuring DNS
Sign-in information for the exercises:
 Virtual machines:
o WS-011T00A-SEA-DC1

o WS-011T00A-SEA-ADM1

o WS-011T00A-SEA-SVR1

o WS-011T00A-SEA-CL1

 Username: Contoso\Administrator
 Password: Pa55w.rd
Lab scenario

Contoso, Ltd. is a large organization with complex requirements for network services. To help meet these
requirements, you will deploy and configure DHCP so that it is highly available to ensure service availability.
You will also set up DNS so that Trey Research, a department within Contoso, can have its own DNS server
in the testing area.
Module-review questions (slide 1 of 4)

1. Which network infrastructure service in Windows Server allows you to monitor and manage IP address
ranges for the entire organization?
a. Domain Name System (DNS)
b. NPS
c. IP Address Management (IPAM)
d. Remote access services
2. Which of the following are true about DHCP Failover? (Select two.)
a. IP address ranges must split 80:20 between servers.
b. A failover relationship can have up to four partners.
c. A failover relationship can have only two partners.
d. Load balance mode configures one server as primary to service all requests.
e. The necessary firewall rules are configured automatically when the DHCP role is installed.
Module-review questions (slide 2 of 4)

3. Which of the following options are required when configuring a DHCP reservation? (Select three.)
a. MAC address
b. Description
c. IP address
d. Reservation name
e. Computer name
4. Which type of DNS zone automatically replicates to all domain controllers in a domain that have the
DNS role installed?
a. Primary
b. Secondary
c. Stub
d. Active Directory–integrated
Module-review questions (slide 3 of 4)

5. Which service running on domain controllers creates the SRV records used by clients to locate the
domain controller?
a. Netlogon
b. DNS client
c. Workstation
d. DHCP Client
6. Which feature of DNS can you use to resolve a host record to different IP addresses depending on user
location?
a. DNSSEC
b. Stub zone
c. Conditional forwarder
d. DNS policies
Module-review questions (slide 4 of 4)

7. How do you create the Group Policy Objects (GPOs) used to configure a server that is managed by
IPAM?
a. Run the Install-WindowsFeature cmdlet
b. Run the Invoke-IpamGpoProvisioning cmdlet
c. Select Group Policy provisioning in the configuration wizard
d. Run the New-GPO cmdlet
Module-review answers (slide 1 of 2)

1. Which network infrastructure service in Windows Server allows you to monitor and manage IP address
ranges for the entire organization?
c. IP Address Management (IPAM)
2. Which of the following are true about DHCP Failover? (Select two.)
c. A failover relationship can have only two partners.
e. The necessary firewall rules are configured automatically when the DHCP role is installed.
3. Which of the following options are required when configuring a DHCP reservation? (Select three.)
a. MAC address
c. IP address
d. Reservation name
4. Which type of DNS zone automatically replicates to all domain controllers in a domain that has the DNS
role installed?
d. Active Directory–integrated
Module-review answers (slide 2 of 2)

5. Which service running on domain controllers creates the SRV records used by clients to locate the
domain controller?
a. Netlogon
6. Which feature of DNS can you use to resolve a host record to different IP addresses
depending on user location?
d. DNS policies
7. How do you create the Group Policy Objects (GPOs) used to configure a server that is
managed by IPAM?
b. Run the Invoke-IpamGpoProvisioning cmdlet
Thank you
