You're reading from Mastering Active Directory, Third Edition

Published in Nov 2021 by Packt, ISBN-13 9781801070393
Author: Dishan Francis

Dishan Francis is an IT professional with over 15 years of experience. He was a six-time Microsoft MVP in enterprise mobility before he joined Microsoft UK as a security consultant. He has maintained the RebelAdmin technology blog over the years, with lots of useful articles that focus on on-premises Active Directory services and Azure Active Directory. He has also written for other Microsoft-managed blogs such as canitpro and ITopsTalk. When it comes to managing innovative identity infrastructure solutions to improve system stability, efficiency, and security, his level of knowledge and experience places him among the very best in the field.

Active Directory Domain Name System

We can't talk about Active Directory Domain Services (AD DS) without mentioning the Domain Name System (DNS). Since Windows Server 2003, DNS has become the primary name resolution service. Before that, Windows was using NetBIOS and the Windows Internet Name Service (WINS) for name resolution.

WINS and DNS are both TCP/IP network name resolution services. There are legacy systems that still use WINS instead of DNS.

DNS helps to locate resources on the internet and intranet. It can be a computer, server, service, or application. DNS can run as an independent server role on the intranet, perimeter network, or public network. There are different vendors who provide DNS solutions other than Microsoft; Linux/Unix Berkeley Internet Name Domain (BIND) is a good example of that. There are mainly two categories of DNS infrastructure. One category is organizations that host their own DNS servers to facilitate name resolution requirements for their...

What is DNS?

On mobile phones, we have phone books. If we need to save someone's phone number, how do we do that? Do we just enter the number and save it? No. We save the number with the person's name or something we can remember, so the next time we open the contact list, we can easily find it. The same applies when you are dealing with IP addresses. I remember a few of the most commonly used IP addresses in my clients' infrastructure, but I do not remember most others. I remember lots of servers by their hostnames rather than their IP addresses. This is because hostnames are more user-friendly and easier to remember than IP addresses. This is exactly what DNS does: it maps IP addresses to domain names or common terms that are user-friendly.

As I stated, there can be no functioning AD domain infrastructure without DNS. There are two main reasons why AD DS needs DNS:

  • Maintaining hierarchical infrastructure design: In the previous chapters, I talked about...

Hierarchical naming structures

In Chapter 1, Active Directory Fundamentals, we looked into domain trees and explored how they can be used to organize the domain structure in the hierarchical method. DNS allows us to translate this logical structure into the domain namespace. Similar to a tree, it starts from the root and is spread into different layers, such as branches and leaves. In the domain tree, the root is represented by a dot (.). A typical tree branch contains many leaves. In the domain tree, a branch represents a collection of named resources, and a leaf in a branch represents a single named entry. In a tree, branches and leaves depend on each other. Branches and leaves are part of one system until everything is attached together. When we describe a leaf or a branch, we explain it with the relationship to the tree. For example, if I need to show someone a leaf of an apple tree, I will call it an apple leaf. Then, the person knows it's a part of an apple tree.

In...

How DNS works

A few days ago, I posted a birthday card to my mother who lives in Sri Lanka. I posted it from the local post office in Kingston upon Thames, England. Once I put it inside the post box, the delivery process started, and now it was the postal service's responsibility to deliver it to the correct person. So, when the local post office worker picked up my letter, did they know my parents' exact house location? No, they didn't. But at the end of my address, it said the country was Sri Lanka. They then knew that if this letter goes to Sri Lanka, then the postal service there will be able to deliver it. So, the next stop of the mail was Sri Lanka. Once the card reached the main postal sorting facility in Sri Lanka, would the worker who picked up the letter know the exact address location? Maybe not, but if they didn't, they could look for the city that it should be delivered to. Then, the post office in that city would know what to do. Once the letter reached...

DNS infrastructure design

In the first chapter, I mentioned how AD domains and forests represent the logical structure of an AD setup. We also need to design the DNS infrastructure to support that AD logical structure.

AD DS requires integration with DNS. Otherwise, clients will not be able to locate domain controllers. The DNS infrastructure design mainly has two models:

  1. The organization already has an existing DNS infrastructure and would like to keep it. If that is the case, we need to integrate the existing DNS infrastructure with the AD namespace. This involves deploying new DNS servers and DNS delegation.
  2. The organization doesn't have DNS infrastructure at all. In such a situation, it's easier to implement new DNS infrastructure along with the new AD setup process. It simplifies the maintenance and administration process.

From these two models, integration with existing DNS infrastructure can be challenging. Let's go ahead and...

DNS essentials

In a Windows Server environment, the DNS service can be run as an individual service or as an AD-integrated service. Either way, core DNS components, technology, and terms will be the same for both scenarios.

DNS records

The DNS database holds various types of resource records. In an AD-integrated DNS setup, most of these records will be created automatically when adding resources to the domain, changing settings in resources, or promoting/demoting domain controllers (SRV records, A records, and AAAA records). However, in an infrastructure, some resource records may still need to be created manually in DNS servers (static).

Start of authority record

Each DNS zone must have a start of authority (SOA) record, and it is created when a zone is created for the first time. This record provides lots of general information for the DNS zones, such as:

  • Primary server: The best DNS source for the zone.
  • Responsible person: The email address of the...
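As an added example (not from the book), the following PowerShell reads the SOA record of a zone and then confirms that the automatically registered domain controller locator records exist. The zone name rebeladmin.com and the server name are assumptions; the cmdlets are the standard DnsServer and DnsClient modules shipped with Windows Server.

```powershell
# Added example: inspect the SOA record and the auto-registered DC locator
# records of an AD-integrated zone. Zone/server names are assumptions.
$zoneName  = 'rebeladmin.com'
$dnsServer = 'dc01.rebeladmin.com'

# Each zone has exactly one SOA record; its fields mirror the list above
# (primary server, responsible person, serial number, timers).
$soa = Get-DnsServerResourceRecord -ZoneName $zoneName -RRType Soa -ComputerName $dnsServer
$soa.RecordData | Select-Object PrimaryServer, ResponsiblePerson, SerialNumber,
    RefreshInterval, RetryDelay, ExpireLimit, MinimumTimeToLive

# Domain-joined clients find a domain controller through this SRV record,
# which the Netlogon service registers dynamically when a DC is promoted.
$srv = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$zoneName" -Type SRV -Server $dnsServer
if (-not $srv) {
    Write-Warning "No DC locator SRV records found for $zoneName - clients cannot locate a DC."
}
$srv | Select-Object NameTarget, Port, Priority, Weight

# Every SRV target should also have a matching A record (static or dynamic).
foreach ($target in $srv.NameTarget) {
    $a = Resolve-DnsName -Name $target -Type A -Server $dnsServer -ErrorAction SilentlyContinue
    if (-not $a) { Write-Warning "SRV target $target has no A record" }
}
```

A missing or stale SRV/A pair is one of the first things to check when clients report that they cannot find a logon server, because the records are created by dynamic registration rather than by the administrator.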

Conditional forwarders

In DNS servers, we use DNS "forwarders" to forward DNS queries to external DNS servers when they can't be resolved internally. Usually these will be the ISP's public DNS servers. We can also use public DNS servers from a third party such as Google as a forwarder:

Figure 4.9: DNS forwarders

If the forwarders are not responding, the DNS server will use "Root Hints" to resolve the query.

Forwarders and Root Hints are used to resolve external DNS queries in general. But if we need to point DNS queries for a specific domain to a specific DNS server (or servers), we can do that using "conditional forwarders." As an example, there is a partner company with the rebeladmin.net domain name. Their DNS server is 10.0.0.5. These two organizations are connected together via a VPN connection. So if any user in the rebeladmin.com domain tries to resolve a hostname in rebeladmin.net, the query should be forwarded to 10.0.0.5. To do that we can...
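The scenario above, carried out with the DnsServer PowerShell module, as an added example that is not part of the book. The partner domain rebeladmin.net and the address 10.0.0.5 come from the text; the test hostname is an assumption.

```powershell
# Added example: general forwarders with root-hint fallback, plus a
# conditional forwarder for the partner domain reached over the VPN.

# 1. General forwarders: all queries that are not authoritative locally go
#    here first; if they do not answer, the server falls back to root hints.
Set-DnsServerForwarder -IPAddress 8.8.8.8, 8.8.4.4 -UseRootHint $true
Get-DnsServerForwarder | Select-Object IPAddress, UseRootHint, Timeout

# 2. Conditional forwarder: only queries for rebeladmin.net go to the
#    partner's DNS server. Storing it in AD replicates the setting to every
#    DNS server in the forest, so each DC behaves the same way.
Add-DnsServerConditionalForwarderZone -Name 'rebeladmin.net' `
    -MasterServers 10.0.0.5 -ReplicationScope 'Forest'

# 3. Verify: the zone shows up with type "Forwarder", and a lookup for a
#    partner host (assumed name) is answered via 10.0.0.5.
Get-DnsServerZone -Name 'rebeladmin.net' | Select-Object ZoneName, ZoneType, MasterServers
Resolve-DnsName -Name 'app01.rebeladmin.net' -Server localhost
```

Because the conditional forwarder only covers rebeladmin.net, general internet queries continue to use the forwarders (or root hints) and are never sent across the VPN to the partner.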

DNS policies

DNS policies were first introduced with Windows Server 2016 and are also available on Windows Server 2022. DNS policies mainly have the following capabilities:

  1. Geo-location based traffic routing – Let's assume Rebeladmin Inc. uses two web servers to host its website rebeladmin.com. One of the web servers is located in Canada and the other one is located in the UK. Most of the website visitors are coming from these two regions and by maintaining the local datacenter, Rebeladmin Inc. is expecting to improve the user experience. By using a DNS policy, Rebeladmin Inc. can point USA/Canada clients to the Canada web server and Europe users to the UK web server.

    We can also do this using Azure Traffic Manager. More details about its configuration are available at https://bit.ly/30QoPr8.

  2. Application load balancing – The rebeladmin.com website has four web servers in four different datacenters in Canada. Each server...
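The geo-location scenario from item 1 above, implemented with the DNS policy cmdlets in Windows Server 2016 and later, as an added example that is not from the book. The zone name rebeladmin.com and the server names come from the text; the client subnets and the web server addresses are assumptions.

```powershell
# Added example: route rebeladmin.com clients to the nearest web server with a
# DNS query resolution policy. Subnets and IPs are assumptions.
$zone = 'rebeladmin.com'

# 1. Define client subnets (the source networks the policy will match on).
Add-DnsServerClientSubnet -Name 'CanadaSubnet' -IPv4Subnet '198.51.100.0/24'
Add-DnsServerClientSubnet -Name 'UKSubnet'     -IPv4Subnet '203.0.113.0/24'

# 2. Create a zone scope per region; each scope holds its own copy of "www".
Add-DnsServerZoneScope -ZoneName $zone -Name 'CanadaScope'
Add-DnsServerZoneScope -ZoneName $zone -Name 'UKScope'

Add-DnsServerResourceRecord -ZoneName $zone -A -Name 'www' `
    -IPv4Address '198.51.100.10' -ZoneScope 'CanadaScope'
Add-DnsServerResourceRecord -ZoneName $zone -A -Name 'www' `
    -IPv4Address '203.0.113.10'  -ZoneScope 'UKScope'

# 3. Policies: answer from the matching scope when the client subnet matches.
Add-DnsServerQueryResolutionPolicy -Name 'CanadaPolicy' -Action ALLOW `
    -ClientSubnet 'eq,CanadaSubnet' -ZoneScope 'CanadaScope,1' -ZoneName $zone
Add-DnsServerQueryResolutionPolicy -Name 'UKPolicy' -Action ALLOW `
    -ClientSubnet 'eq,UKSubnet' -ZoneScope 'UKScope,1' -ZoneName $zone

# Clients outside both subnets fall through to the default scope of the zone,
# so keep a "www" record there as well.
Get-DnsServerQueryResolutionPolicy -ZoneName $zone | Select-Object Name, ProcessingOrder, IsEnabled
```

The policies are evaluated in processing order, so review the output of the last command after adding further policies (for example the load-balancing ones from item 2) to make sure a broader rule does not shadow a more specific one.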

Secure DNS client over HTTPS (DoH)

DNS queries between a DNS client and a DNS server are normally sent in plain text. But starting from Windows Server 2022, DNS queries can pass through secure HTTP (HTTPS) connections. This prevents someone from modifying or reading DNS data in transit. Please note this setting is only for DNS clients. Windows DNS Server does not support DoH queries. Therefore, you should not enable DoH on domain-joined computers. If there is DNS traffic between a domain-joined computer and the AD domain server, we need to consider securing it with IPsec. At the moment, Google and Cloudflare DNS servers support DoH queries.
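An added example (not from the book) that applies the caveat above: it only configures DoH on the client when the computer is not domain-joined, and otherwise reports any DoH entries that are already present so they can be reviewed. The Cloudflare resolver address and template are public values; the decision logic is the assumption here.

```powershell
# Added example: enable DoH on stand-alone Windows Server 2022 / Windows 11
# clients only. Domain-joined machines must keep plain DNS to the DCs, since
# Windows DNS Server does not answer DoH.
$isDomainJoined = (Get-CimInstance -ClassName Win32_ComputerSystem).PartOfDomain

if ($isDomainJoined) {
    # Report, do not change: DoH entries here would break DC name resolution.
    $doh = Get-DnsClientDohServerAddress
    if ($doh) {
        Write-Warning 'Domain-joined computer has DoH server entries configured:'
        $doh | Select-Object ServerAddress, DohTemplate, AllowFallbackToUdp, AutoUpgrade
    } else {
        'Domain-joined computer: no DoH entries (expected).'
    }
} else {
    # Stand-alone client: encrypt queries to a public resolver that supports DoH.
    # AllowFallbackToUdp $false refuses to fall back to plaintext DNS;
    # AutoUpgrade $true upgrades any adapter using 1.1.1.1 to the DoH template.
    Add-DnsClientDohServerAddress -ServerAddress '1.1.1.1' `
        -DohTemplate 'https://cloudflare-dns.com/dns-query' `
        -AllowFallbackToUdp $false -AutoUpgrade $true
    Get-DnsClientDohServerAddress | Select-Object ServerAddress, DohTemplate, AutoUpgrade
}
```

The DoH entry only takes effect for network adapters whose configured DNS server matches the address given, so the adapter must point at 1.1.1.1 for the upgrade to happen.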

DNS server operation modes

There are three types of DNS server operation modes. These modes are not something we can choose during the setup process. They are listed based on their characteristics:

  • Dynamic: AD DS directory-integrated DNS uses Dynamic DNS by default. Dynamic DNS allows hosts and users to register, update, and remove DNS records from DNS servers. Let's assume we have an AD environment with 200 computers. It uses Dynamic Host Configuration Protocol (DHCP) to maintain the IP assignment; so every three days, each device will renew its IP allocation. Some may have the same IP address, but some may receive a new one. But if the system uses static DNS every three days, administrators will need to update the DNS list to match IP allocations. Also, AD will not be able to find the devices to establish authentication or handle resource access requests. However, thanks to Dynamic DNS, this is no longer manual work, and it allows the environment to maintain up-to...
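An added example (not from the book) that audits which zones accept dynamic updates and which accept them from unauthenticated hosts. With "Secure" updates, only the computer account that registered a record (or an explicitly permitted principal) can change it, which is the setting an AD-integrated zone should normally have. The zone name rebeladmin.com is an assumption.

```powershell
# Added example: audit and correct the dynamic update mode of DNS zones.
# Possible values: None, NonsecureAndSecure, Secure. Secure requires the zone
# to be AD-integrated (IsDsIntegrated = True).
$zones = Get-DnsServerZone |
    Where-Object { $_.ZoneType -eq 'Primary' -and -not $_.IsAutoCreated }

$zones | Select-Object ZoneName, IsDsIntegrated, DynamicUpdate |
    Format-Table -AutoSize

# Zones that accept unauthenticated updates let any host on the network
# overwrite someone else's record; tighten them to Secure where possible.
foreach ($z in $zones) {
    if ($z.DynamicUpdate -eq 'NonsecureAndSecure') {
        if ($z.IsDsIntegrated) {
            Set-DnsServerPrimaryZone -Name $z.ZoneName -DynamicUpdate 'Secure'
            "Set $($z.ZoneName) to Secure dynamic updates."
        } else {
            Write-Warning "$($z.ZoneName) is file-backed; convert it to AD-integrated before using Secure updates."
        }
    }
}

# On a client, force re-registration of its A/PTR records after the change.
# (Run on the client, not the server.)
# Register-DnsClient
```

The `Register-DnsClient` cmdlet is the PowerShell equivalent of `ipconfig /registerdns`; running it on one test client after the change is a quick way to confirm that secure registration still works.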

Zone transfers

Healthy DNS replication is a key requirement for service and infrastructure integrity. In the previous section, I explained the different zones. I also mentioned how to set the zone transfer permissions. Now, it is time to look into DNS replications.

There are two types of zone file replications:

  • Asynchronous Full Transfer Zone (AXFR): When setting up a new secondary zone, the system will replicate a full copy of the zone file from the master server. It is not just for the secondary zone; it's applicable to other zones, too. In the event of DNS replication issues, the administrator may need to request a full zone transfer (aka complete zone transfer) from its master server from time to time.
  • Incremental Zone Transfer (IXFR): After the initial full zone transfer, the system will only replicate the records that have been modified. It reduces the replication traffic as well as providing faster replication.

When there is a change in the...
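An added example (not from the book) of restricting zone transfers to a known secondary and of requesting the full (AXFR) and incremental (IXFR) transfers described above. The zone name and the secondary server address 10.0.0.6 are assumptions.

```powershell
# Added example: limit who may pull a copy of the zone, then trigger transfers.
$zone      = 'rebeladmin.com'
$secondary = '10.0.0.6'   # assumed address of the secondary DNS server

# --- On the primary/master server ---
# SecureSecondaries options: NoTransfer, TransferAnyServer,
# TransferToZoneNameServer, TransferToSecureServers.
# "TransferAnyServer" lets any host download the whole zone, so restrict it.
Set-DnsServerPrimaryZone -Name $zone `
    -SecureSecondaries 'TransferToSecureServers' -SecondaryServers $secondary `
    -Notify 'NotifyServers' -NotifyServers $secondary

Get-DnsServerZone -Name $zone |
    Select-Object ZoneName, SecureSecondaries, SecondaryServers, Notify, NotifyServers

# --- On the secondary server ---
# Normal operation: an incremental transfer (IXFR) picks up only changed
# records after the primary's SOA serial number has increased.
# Start-DnsServerZoneTransfer -Name $zone

# Recovery: request a complete copy of the zone (AXFR) when replication
# has broken or the secondary's copy is suspected to be inconsistent.
# Start-DnsServerZoneTransfer -Name $zone -FullTransfer
```

The secondary can only pull what the primary's transfer list allows, so after changing `SecureSecondaries` confirm that the secondary's address is in `SecondaryServers`; otherwise its next IXFR request is refused and the zone eventually expires on that server.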

DNS delegation

In the previous chapter, when we were looking at the AD DS design, I explained child domain controllers and how they can be used to organize the company's AD hierarchy. When you create a child domain in a forest, it also creates its own DNS namespace. In a DNS infrastructure, sometimes, it is required that you divide the DNS namespace to create additional zones for better management. DNS delegation allows organizations to achieve this without the need to change the domain structure.

In AD-integrated DNS, you are allowed to create any DNS zone, and it will be replicated to other domain controllers. But there are situations where this can lead to administrative overhead. Rebeladmin Corp. uses rebeladmin.com as its AD DS domain name. They have a software development department that develops web-based applications.

In order to test their applications, they have to use a web URL. Every time they need to test something, they open a support ticket and the IT team...
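An added example (not from the book) of the delegation itself: the parent zone rebeladmin.com hands a sub-namespace to a separate DNS server that the development team manages, so they can create test records without a ticket to the IT team. The child zone name "dev", the name server and its address are assumptions.

```powershell
# Added example: delegate dev.rebeladmin.com to a team-managed DNS server.
$parentZone = 'rebeladmin.com'
$childLabel = 'dev'                      # assumed child zone label
$childNS    = 'ns1.dev.rebeladmin.com'   # assumed name server for the child zone
$childNSIP  = '10.0.0.20'                # assumed address of that name server

# 1. On the parent DNS server: add NS (and glue A) records pointing at the
#    child's name server. Queries for *.dev.rebeladmin.com now get referred.
Add-DnsServerZoneDelegation -Name $parentZone -ChildZoneName $childLabel `
    -NameServer $childNS -IPAddress $childNSIP

Get-DnsServerZoneDelegation -Name $parentZone |
    Select-Object ChildZoneName, NameServer

# 2. On the child DNS server (ns1.dev...): host the zone as a primary. If it
#    is a member of the forest it can be AD-integrated; otherwise file-backed.
# Add-DnsServerPrimaryZone -Name "$childLabel.$parentZone" -ReplicationScope 'Forest'

# 3. Verify from any client: the lookup should be answered by the child server.
Resolve-DnsName -Name "app01.$childLabel.$parentZone" -Type A -Server $parentZone
```

Delegation only changes who answers for the sub-namespace; the AD domain structure is untouched, which is the point made in the text.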

DNS service providers

In this chapter, we mainly talked about how DNS works in AD environments. However, this is not the only way to use DNS. If we need to manage DNS for external URLs such as websites, we need to configure DNS servers in a different way. This type of DNS server mainly works with public IP addresses. In order to set up an external-facing DNS server, first we need to register NS records. Then, via a domain registrar, we need to point the domain's DNS to those name servers. After that, we can set up the required DNS records for the domain using our own DNS servers. As with any other server role, DNS also requires maintenance from time to time. Also, we need to maintain the high availability of the DNS servers. Instead of all this additional maintenance overhead, we can also use a DNS service provider to do the same thing. Azure DNS, GoDaddy, Dotster, 1&1, and DynDNS are some of the most well-known DNS service providers. All we need is a valid subscription and within minutes, we...
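The hosted-provider path described above, shown with Azure DNS (one of the providers named) through the Az.Dns PowerShell module, as an added example that is not from the book. The resource group, zone and record values are assumptions; the name servers printed in step 1 are what you give to the registrar.

```powershell
# Added example: host the public zone for rebeladmin.com in Azure DNS.
# Requires the Az module and an authenticated session (Connect-AzAccount).
$rg   = 'rg-dns'           # assumed resource group
$zone = 'rebeladmin.com'

# 1. Create the public zone. Azure assigns four name servers to it; these are
#    the NS values to register at the domain registrar.
$z = New-AzDnsZone -Name $zone -ResourceGroupName $rg
$z.NameServers

# 2. Add the records the website needs (addresses are assumptions).
New-AzDnsRecordSet -Name 'www' -RecordType A -ZoneName $zone -ResourceGroupName $rg `
    -Ttl 3600 -DnsRecords (New-AzDnsRecordConfig -IPv4Address '203.0.113.10')

New-AzDnsRecordSet -Name '@' -RecordType MX -ZoneName $zone -ResourceGroupName $rg `
    -Ttl 3600 -DnsRecords (New-AzDnsRecordConfig -Exchange 'mail.rebeladmin.com' -Preference 10)

# 3. Verify directly against the provider's name server before changing the
#    registrar, so a mistake does not take the public site offline.
Resolve-DnsName -Name "www.$zone" -Type A -Server $z.NameServers[0]
```

High availability and patching of the name servers is the provider's responsibility here, which is the maintenance overhead the text says the hosted option removes.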

Summary

In an infrastructure, we can't talk about AD DS without mentioning DNS. In this chapter, we covered the basics of DNS and you learned why it's important. Then, we moved on to the hierarchical naming structure and saw how it helps translate an organization's logical structure to the domain namespace. We also learned exactly how DNS works behind the scenes. Then, we looked at DNS records and DNS zones. This also included some explanation of how to create different zones. We also learned about DNS policies, which were first introduced with Windows Server 2016. At the end of the chapter, you learned about different DNS operation modes and replications. I hope this information helps you understand the importance of DNS in an infrastructure and how to use it properly.

In the next chapter, we will look at the AD FSMO roles and explore how to place them correctly in an infrastructure.
