- Install Ansible on Windows - Thu, Jul 20 2023
- Use Azure Bastion as a jump host for RDP and SSH - Tue, Apr 18 2023
- Azure Virtual Desktop: Getting started - Fri, Apr 14 2023
The screenshot below shows the relevant section from the 70-640 exam blueprint on configuring DNS zone transfers and delegation.
What we will do here is cover each of the aforementioned bullet points by providing (a) very brief definitions of each technology; and (b) links to relevant Microsoft resources to foster your certification study.
Microsoft Exam 70-640 - Configuring DNS zone transfers and replication
DNS replication scope
One of many benefits of storing DNS zone data in Active Directory is that we can leverage application directory partitions to control the scope of Active Directory and DNS zone replication. For instance, we may not want every domain controller in a domain to host a copy of our zone data. The zone replication scope options in Windows Server 2008 are (1) All DNS servers in the forest; (2) All DNS servers in the domain; (3) All domain controllers in the domain; and (4) All domain controllers in a specified application directory partition.
DNS Zone Replication Scope
Relevant Links:
Incremental zone transfer
With standard DNS, incremental zone transfers save network bandwidth and reduce load on your DNS servers. Incremental zone transfer involves a secondary DNS server sending incremental zone transfer (IXFR) queries to its configured primary server instead of full zone transfer (AXFR) queries. Thus, only delta (or changed) resource record data is replicated from the primary to the secondary DNS server.
Relevant Links:
DNS Notify
DNS Notify, formally defined in Request for Comments (RFC) 1996, is a technology whereby primary DNS servers can proactively, well, notify any configured secondary DNS servers of zone changes. The secondary DNS server then “gets the message,” so to speak, and initiates a full or incremental zone transfer from its configured primary.
Relevant Links:
Secure zone transfer
Because an attacker can fingerprint your entire network by capturing DNS zone data, Windows Server 2008 DNS enables administrators to apply confidentiality and integrity to DNS zone transfer data streams by using the industry standard IPsec protocols. Note that this option pertains to standard DNS zone transfers and not AD-integrated zone transfers.
Relevant Links:
Configuring name servers
The actual installation of the DNS Server server role is pretty easy: we can use The Server Manager graphical utility or Windows PowerShell 2.0. Managing a DNS server can be performed with the DNS Server console, with PowerShell, or with a variety of DNS-related command-line tools.
Relevant Links:
Application directory partitions
As previously mentioned, application directory partitions are “compartments” within Active Directory that enterprise applications and services can use for data replication among selected or all domain controllers. For instance, we can store DNS zone data in an application directory partition to tightly control which forest DNS servers receive that zone information.
Relevant Links:
Conclusion
If you studied all of the material in 70-640 domain 1, then you should be pretty cognitively “tight” regarding DNS in Windows Server 2008. Microsoft has, for good reason I think, placed a lot of emphasis on DNS in all of their IT pro certification exams. In my next post in this series I will discuss the DNS zone transfers and replication sample practice question.
