Designing name resolution strategy

You need to keep several things in mind when designing a complex name resolution strategy at the enterprise level. These include prioritizing security while at the same time providing a reliable and robust infrastructure for the organization. Several features of Windows Server 2012 can be used to create this robust and reliable design.
In addition to the features you can use to create a robust and reliable design, you should also be intimately familiar with DNS for the exam. This includes being familiar with the DNS protocol as well as the tools and concepts surrounding implementation of DNS in an enterprise.
Many of these tools and concepts have existed for quite some time and aren’t directly called out as objectives on the exam. As an enterprise administrator, you are expected to have the prerequisite knowledge of a primary protocol such as DNS.


---------------------------------


Note: ADDITIONAL REFERENCES
Table 2-2 provides links to additional reference information for these concepts, but you’re encouraged to pursue supplemental DNS information beyond that which is listed here and on the exam objectives.


----------------------------------





Design a name resolution solution strategy

Name resolution typically involves Domain Name System (DNS) but can also include Windows Internet Name Service (WINS). This objective concentrates on design of the solution rather than its implementation.


The following points summarize this lesson:


- The DNS service supports configurations to enhance security including DNSSEC, DNS socket pool, and cache locking.
- DNS socket pool randomizes the source port for DNS queries, and cache locking prevents cached entries from being overwritten for a certain percentage of their Time to Live (TTL) value.
- Microsoft’s DNS implementation supports disjoint namespaces, in which the DNS name suffix varies from the Active Directory Domain Services (AD DS) domain name suffix.
- Zone delegation enables a different server to be authoritative for a given zone. This, coupled with zone hierarchy and application partitions, enables complex name service architectures for an organization.
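As an added example (not from the book), the following PowerShell audits the two cache-hardening settings listed above on a Windows Server 2012 DNS server, cache locking and socket pool size, and raises them where they fall below a chosen baseline. The server name and the baseline values are assumptions; the cmdlets are from the DnsServer module that ships with the role.

```powershell
# Added example: audit and harden DNS cache locking and the DNS socket pool.
# Requires the DnsServer module. Server name and target values are assumptions.
Import-Module DnsServer

$DnsServer     = 'DNS01'   # hypothetical server name
$WantLocking   = 100       # 100 = a cached record cannot be overwritten until its TTL expires
$MinSocketPool = 2500      # Windows Server 2012 default pool size; larger = more source-port entropy

# Cache locking: the percentage of a record's TTL during which the cached entry
# cannot be replaced by an unsolicited answer. 100 locks it for the whole TTL.
$cache = Get-DnsServerCache -ComputerName $DnsServer
if ($cache.LockingPercent -lt $WantLocking) {
    Write-Warning "$DnsServer cache locking is $($cache.LockingPercent)%; raising to $WantLocking%"
    Set-DnsServerCache -ComputerName $DnsServer -LockingPercent $WantLocking
} else {
    Write-Output "$DnsServer cache locking OK ($($cache.LockingPercent)%)"
}

# Socket pool: the set of randomized UDP source ports the server issues queries from.
# A pool of 0 means every outbound query leaves from one predictable port.
$settings = Get-DnsServerSetting -ComputerName $DnsServer -All
if ($settings.SocketPoolSize -lt $MinSocketPool) {
    Write-Warning "$DnsServer socket pool is $($settings.SocketPoolSize); raising to $MinSocketPool"
    $settings.SocketPoolSize = $MinSocketPool
    Set-DnsServerSetting -ComputerName $DnsServer -InputObject $settings
} else {
    Write-Output "$DnsServer socket pool OK ($($settings.SocketPoolSize) ports)"
}
```

A change to the socket pool size takes effect only after the DNS Server service restarts; the cache locking change applies to entries cached from that point on.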



Maintaining a DHCP database

Maintenance of a DHCP database involves backing up and restoring the database. The location of the database and its backup location can be configured at the server level within its Properties sheet, as shown in Figure 2-8.




FIGURE 2-8 Configuring the location of the DHCP database, as well as its backup location.


You can back up and restore the DHCP database through Actions at the server level in DHCP Manager. The automated backup runs every 60 minutes by default; to change that interval, set the BackupInterval value in the registry at HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DHCPServer\Parameters.


At times you may need to reconcile the database due to inconsistencies in client addressing between summary and detailed information. To do so, select Reconcile All Scopes from the address level (IPv4 or IPv6) or at the scope level by clicking Reconcile.

Implementing and configuring a DHCP Management Pack

The DHCP Management Pack, part of the Operations Manager component of Microsoft System Center 2012, enables advanced logging and monitoring of the DHCP environment. For example, the DHCP Management Pack enables monitoring of the availability of the DHCP service, the filtering status, and the status of scopes to help prevent scope exhaustion.
Implementing a DHCP Management Pack requires Microsoft System Center 2012. The DHCP Management Pack is imported into Operations Manager. Creating a new management pack is recommended to incorporate any changes to the DHCP Management Pack without affecting the original configuration.
Table 2-1 outlines several scenarios for monitoring a DHCP infrastructure.




Implementing DHCP filtering

DHCP filtering, sometimes called link-layer filtering, enables you to configure how the DHCP server responds to requests for address and network information. DHCP filtering enables the DHCP server to send information only to known clients or deny information to specific clients.
This is especially important in a data-center scenario in which you likely want to control the devices allowed on the network.
DHCP filtering works with Media Access Control (MAC) addresses, which are sent by the DHCP client along with a DHCP request. Windows Server 2012 has two types of filters: Allow and Deny. An Allow filter sends network information only to those clients listed in the filter. A Deny filter excludes specific clients from obtaining information from the DHCP server.
In an Allow scenario, each authorized MAC address needs to be specifically entered into the filter; otherwise, the client can’t obtain information from the DHCP server. Of course, this isn’t an issue if the client is using an address that’s statically assigned on the client itself.
Windows Server 2012 enables filtering with the full MAC address or by using wildcards. For example, these are all valid filters:
- 00-11-09-7c-ef-57
- 00-11-09-7c-ef-*
- 00-11-09-*-*-*
- 0011097cef57
Using wildcards enables you to configure a group of the same devices or devices from the same manufacturer as being allowed or denied. This saves the effort of entering each MAC address individually if a group of devices share the same MAC prefix.
DHCP filtering is configured with the DHCP MMC snap-in. Adding a filtered address is accomplished by right-clicking either Allow or Deny (depending on which type you want to set up) and then entering the MAC address details, as shown in Figure 2-7.




FIGURE 2-7 Creating a DHCP filter.
You also need to enable filters at the overall filter (Allow or Deny) level rather than at the individual MAC address level. To enable the Allow or Deny filter, right-click Allow or Deny in the DHCP MMC snap-in and select Enable. You can also enable filters at the scope level.
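The same Allow-filter setup done from PowerShell rather than the MMC snap-in, as an added example that is not from the book: it loads known MAC addresses into the Allow list, enables the list (the step that actually enforces it), and reads the result back. The server name and device inventory are constructed; the cmdlets are from the DhcpServer module.

```powershell
# Added example: build and enable a DHCP Allow filter from a known-device inventory.
# Requires the DhcpServer module. Server name and MAC inventory are constructed.
Import-Module DhcpServer

$DhcpServer = 'DHCP01'   # hypothetical server name

# Constructed inventory of devices that are permitted to obtain a lease.
$Known = @(
    @{ Mac = '00-11-09-7c-ef-57'; Desc = 'rack1-node01' },
    @{ Mac = '00-11-09-7c-ef-58'; Desc = 'rack1-node02' }
)

foreach ($dev in $Known) {
    # Skip entries that already exist so the script is safe to re-run.
    $exists = Get-DhcpServerv4Filter -ComputerName $DhcpServer -List Allow |
              Where-Object { $_.MacAddress -eq $dev.Mac }
    if (-not $exists) {
        Add-DhcpServerv4Filter -ComputerName $DhcpServer -List Allow `
            -MacAddress $dev.Mac -Description $dev.Desc
    }
}

# Entries in the list are inert until the Allow list itself is enabled.
Set-DhcpServerv4FilterList -ComputerName $DhcpServer -Allow $true

# Verify both the enforcement state and the enforced entries.
Get-DhcpServerv4FilterList -ComputerName $DhcpServer
Get-DhcpServerv4Filter -ComputerName $DhcpServer -List Allow |
    Format-Table MacAddress, Description -AutoSize
```

An Allow list keeps unlisted devices from being leased an address; because the MAC address is supplied by the client, it is an inventory control rather than an authentication control.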

Configuring Hash Publication

You configure Hash Publication in the Group Policy Object Editor, within the Computer Configuration | Administrative Templates | Network | Lanman Server hierarchy.
Double-clicking Hash Publication For BranchCache in the details pane opens the Hash Publication for BranchCache dialog box, as shown in Figure 5-9.


FIGURE 5-9 Configuring Hash Publication For BranchCache.
Select Enabled to choose one of three settings:
- 0 = Allow hash publication only for shared folders on which BranchCache is enabled
- 1 = Disallow hash publication for all shared folders
- 2 = Allow hash publication for all shared folders

Configuring Password Replication Policy

The Password Replication Policy can be configured when the AD DS role is being configured or afterward through Active Directory Users and Computers, within the Password Replication Policy tab of the RODC’s Properties sheet, shown in Figure 5-6.




FIGURE 5-6 The Password Replication Policy tab in an RODC’s Properties sheet.


You can add accounts to be cached by clicking Add. You can allow the accounts to have their credentials cached by clicking Allow Passwords For The Account To Replicate To This RODC or deny by clicking Deny Passwords For The Account From Replicating To This RODC, as shown in Figure 5-7.




FIGURE 5-7 Adding a security principal to the Password Replication Policy.


Clicking Advanced in the Properties sheet brings up the Advanced Password Replication Policy dialog box, as shown in Figure 5-8.




FIGURE 5-8 Advanced properties for Password Replication Policy.


The accounts shown in Figure 5-8 are stored on the RODC. You can clear this list with the following command, run as a Domain Admin:
repadmin /prp delete <server> auth2 /all


The Resultant Policy tab shows whether an account is allowed to cache its password at the RODC.


------------------


NOTE: WORKAROUND FOR PASSWORD CACHING
If the Allowed list contains more than 1,500 accounts (users, computers, or groups), the RODC stops caching passwords for all security principals. To work around this, add the security principals to a group and then add that group to the Allowed List.


------------------


A best practice related to RODCs is to create a separate group for each RODC, grant each group the right to cache passwords only on that RODC, and then prepopulate the RODC with the appropriate accounts.
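The per-RODC group pattern above, carried out with the ActiveDirectory module and repadmin, as an added example that is not from the book: it creates one group for the RODC, grants only that group caching rights, checks the Allowed list against the 1,500-entry limit noted earlier, prepopulates the RODC, and reports what it holds. The RODC, group, OU and account names are hypothetical.

```powershell
# Added example: one Allowed group per RODC, limit check, and prepopulation.
# Requires the ActiveDirectory module and repadmin. All names are hypothetical.
Import-Module ActiveDirectory

$Rodc      = 'RODC01'                                # hypothetical RODC
$GroupName = "PRP-Allowed-$Rodc"                     # one group per RODC
$GroupOU   = 'OU=RODC Groups,DC=contoso,DC=com'      # hypothetical OU
$Members   = @('branch.user1', 'branch.user2')       # constructed accounts to cache

# 1. Create the group (idempotent) and add the branch accounts to it.
if (-not (Get-ADGroup -Filter "Name -eq '$GroupName'")) {
    New-ADGroup -Name $GroupName -GroupScope Global -GroupCategory Security -Path $GroupOU
}
Add-ADGroupMember -Identity $GroupName -Members $Members

# 2. Grant only this group the right to have passwords cached on this RODC.
Add-ADDomainControllerPasswordReplicationPolicy -Identity $Rodc -AllowedList $GroupName

# 3. Guard the caching limit: more than 1,500 Allowed entries stops caching
#    entirely, so the list should hold a few groups rather than individual users.
$allowed = @(Get-ADDomainControllerPasswordReplicationPolicy -Identity $Rodc -Allowed)
if ($allowed.Count -gt 1500) {
    Write-Warning "$Rodc has $($allowed.Count) Allowed entries; caching stops above 1,500"
}

# 4. Prepopulate: replicate each member's secrets from a writable DC now, so the
#    first branch logon succeeds even if the WAN link to the hub is down.
$SourceDc = (Get-ADDomainController -Discover -Writable).HostName
foreach ($m in $Members) {
    $dn = (Get-ADUser -Identity $m).DistinguishedName
    repadmin /rodcpwdrepl $Rodc $SourceDc $dn
}

# 5. Report the accounts whose secrets the RODC now holds (the list in Figure 5-8).
Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $Rodc -RevealedAccounts |
    Select-Object Name, ObjectClass
```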