Understand DNS and Microsoft’s DNS implementation.
- Domain Name System (DNS)
- • A TCP/IP application protocol (UDP and TCP port 53) that enables a DNS server to resolve (translate):
- ○ Domain and computer names to IP addresses
- ○ IP addresses to domain and computer names
- DNS servers provide the DNS namespace for an enterprise
- One of the requirements for using Active Directory on a Windows Server 2008 network is to have a DNS server on the network
What is Dynamic DNS?
- Microsoft DNS supports dynamic update, often called Dynamic DNS (DDNS)
- ○ Lets client computers and DHCP servers register and refresh their own name and address records automatically, instead of an administrator typing each record by hand
- DNS dynamic update protocol (RFC 2136)
- ○ Enables information in a DNS server to be automatically updated in coordination with DHCP
- ○ Security caveat: with nonsecure updates any host on the network can add or overwrite a record, including another machine's; Active Directory-integrated zones can be set to accept secure (Kerberos-authenticated) updates only, which is the recommended setting
What are DNS Zones?
- DNS name resolution is enabled through the use of tables of information
- ○ That link computer names and IP addresses
- The tables are associated with partitions in a DNS server that are called zones
- ○ Contain resource records
- Forward lookup zone
- ○ The zone that links computer names to IP addresses
- ○ Holds host name records called address records
- In IP version 4, a host record is called a host address (A) resource record
- An IPv6 record is called an IPv6 host address (AAAA) resource record
- Reverse lookup zone
- ○ The zone that links IP addresses back to names, using pointer (PTR) resource records
- When you install DNS on a domain controller (DC) in a domain
- ○ A forward lookup zone is automatically created for the domain with the DNS server’s address record already entered
What are resource records (don’t need to memorize them).
- Found in zones; each record maps a name to one kind of data
- Ex. Records that link a computer name to an IP address
- • In IP version 4, a host record is called a host address (A) resource record
- • An IPv6 record is called an IPv6 host address (AAAA) resource record
What is DNS replication?
- Primary DNS server
- ○ The DNS server that holds the writable (master) copy of a zone and is therefore where the zone is administered; it is authoritative for that zone
- Secondary DNS server
- ○ Holds a read-only copy of the primary DNS server’s zone database; it answers queries for the zone authoritatively but is not used for administration (changes are made on the primary)
- ○ Obtains and refreshes that copy through a zone transfer (AXFR or IXFR) over the network; configure the primary to allow transfers only to its listed secondaries, because an unrestricted zone transfer hands anyone who asks a complete list of the hosts in the zone
- Vital services performed by secondary DNS servers:
- ○ To make sure that there is a copy of the primary DNS server’s data
- ○ To enable DNS load balancing among a primary DNS server and its secondary servers
- ○ To reduce congestion in one part of the network
- If you use Active Directory and have two or more DCs
- ○ Plan to set up Microsoft DNS services on at least two of the DCs
- ○ Active Directory-integrated zones are replicated by Active Directory itself (every DC that hosts DNS holds a writable copy), so no zone transfer configuration is needed between them
- The advantage of replicating DNS information is that if one DC that hosts DNS services fails, another DC is available to provide uninterrupted DNS services for the network. This is especially critical on a network that provides Internet access and Web-based e-mail services.
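The update mode and zone transfer list above are the two settings most often left open on a DNS server. The following is an added example (not from the course notes or from Microsoft's documentation) that sets both with dnscmd.exe, the command-line tool installed with the Windows Server 2008 DNS role. The server name, zone name and secondary address are assumed placeholders; run it in an elevated PowerShell session on the DNS server or on a machine with the DNS administration tools.

```powershell
# Added example, not from the course notes: lock down a Windows Server 2008 DNS zone
# with dnscmd.exe. Server, zone and secondary addresses are placeholders (assumed).
param(
    [string]$DnsServer     = 'dc1.example.local',  # assumed DNS server to configure
    [string]$Zone          = 'example.local',      # assumed zone name
    [string[]]$Secondaries = @('10.0.0.12')        # assumed secondary server address(es); empty = no transfers
)

function Invoke-DnsCmd {
    # Wrapper so a failed dnscmd call stops the script instead of being scrolled past.
    param([string[]]$Arguments)
    $out = & dnscmd.exe $DnsServer @Arguments 2>&1
    if ($LASTEXITCODE -ne 0) {
        throw "dnscmd $($Arguments -join ' ') failed (exit $LASTEXITCODE): $($out -join ' ')"
    }
    $out
}

# 1. Dynamic updates. 0 = none, 1 = nonsecure and secure (any host can add or overwrite
#    records), 2 = secure only (Kerberos-authenticated; valid for AD-integrated zones only).
Invoke-DnsCmd -Arguments @('/Config', $Zone, '/AllowUpdate', '2')

# 2. Zone transfers. /SecureList restricts AXFR/IXFR to the listed secondaries and
#    /NotifyList tells only those servers when the zone changes. /NoXfr disables transfers,
#    the right setting when every DNS server is a DC and AD replication carries the zone.
if ($Secondaries.Count -gt 0) {
    Invoke-DnsCmd -Arguments (@('/ZoneResetSecondaries', $Zone, '/SecureList') + $Secondaries +
                              @('/NotifyList') + $Secondaries)
} else {
    Invoke-DnsCmd -Arguments @('/ZoneResetSecondaries', $Zone, '/NoXfr', '/NoNotify')
}

# 3. Read the zone settings back to confirm the update and transfer modes took effect.
Invoke-DnsCmd -Arguments @('/ZoneInfo', $Zone)
```

Setting /AllowUpdate to 2 on a standard (file-backed) primary zone is rejected, because secure updates need the zone's access control list in Active Directory; for such a zone the choice is 0 or 1, and 1 should be paired with a transfer list and a network that does not let untrusted hosts reach the server.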
What is a DNS forwarder?
- Designate one DNS server as a forwarder to reduce traffic
- For instance, when there are multiple sites (see Chapter 4) or when there is Internet connectivity, it is common to designate one DNS server to forward name resolution requests to a specific remote DNS server
- When one DNS server is set up as the forwarder, all other DNS servers that have queries to send to an off-site DNS server send those queries to the single DNS forwarder server. By designating only one DNS forwarder server, you ensure that only one server sends queries over a site link, instead of having multiple servers sending queries and creating extra traffic over the site link.
- DNS forwarding can be set up so that if the DNS server that receives the forwarded request cannot resolve the name, the server that originally forwarded the request attempts to resolve it itself (recursing from its root hints). This is called nonexclusive forwarding. When DNS forwarding is set so that only the DNS server receiving the request attempts resolution (and not the server that forwarded the request), this is called exclusive forwarding. In exclusive forwarding, the DNS server that initially forwards the request is called a slave DNS server; because it never contacts outside servers directly, exclusive forwarding is the natural choice when only the forwarder is allowed through the firewall.
- *A forwarder is a Domain Name System (DNS) server on a network used to forward DNS queries for external DNS names to DNS servers outside of that network. You can also forward queries according to specific domain names using conditional forwarders.
- A DNS server on a network is designated as a forwarder by having the other DNS servers in the network forward the queries they cannot resolve locally to that DNS server. By using a forwarder, you can manage name resolution for names outside of your network, such as names on the Internet, and improve the efficiency of name resolution for the computers in your network.
Stub zone has only the bare necessities for DNS functions, which are copies of the following:
- • The zone’s start of authority (SOA) record
- • Name server (NS) records to identify the authoritative servers
- • A (glue) records for the name servers that are authoritative
- One common use for a stub zone is to help quickly resolve computer names
- • Between two different namespaces (for example, a parent zone keeping track of the authoritative servers for a delegated child zone)
- A stub zone is a copy of a zone that contains only those resource records necessary to identify the authoritative DNS servers for that zone; the stub server refreshes that list from the zone’s master servers, so it stays correct when the other zone’s name servers change
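Forwarders, conditional forwarders and stub zones are all set with dnscmd /ResetForwarders and dnscmd /ZoneAdd. As an added example (not from the course notes), the script below configures a branch-office DNS server to send all off-site queries to a single hub forwarder in exclusive (slave) mode, adds a conditional forwarder for a partner's namespace, and creates a stub zone for a delegated child zone. Every server name, zone name and address is an assumed placeholder.

```powershell
# Added example, not from the course notes: configure where a Windows Server 2008 DNS
# server sends queries it cannot answer itself. All names and addresses are assumed.
$BranchDns    = 'dns-branch.example.local'     # server being configured
$HubForwarder = '10.0.0.10'                    # the one server allowed to send queries over the site link
$PartnerZone  = 'corp.partner.example'         # assumed partner namespace
$PartnerDns   = @('192.0.2.53', '192.0.2.54')  # assumed partner DNS servers (documentation address range)
$ChildZone    = 'lab.example.local'            # assumed delegated child zone
$ChildMasters = @('10.0.1.53')                 # assumed authoritative servers for the child zone

function Invoke-DnsCmd {
    param([string]$Server, [string[]]$Arguments)
    $out = & dnscmd.exe $Server @Arguments 2>&1
    if ($LASTEXITCODE -ne 0) { throw "dnscmd $($Arguments -join ' ') failed: $($out -join ' ')" }
    $out
}

# Server-wide forwarder. /Slave = exclusive forwarding: if the hub cannot resolve a name this
# server returns failure instead of recursing through root hints on its own. /NoSlave would
# give nonexclusive forwarding. /TimeOut is the seconds to wait for the forwarder.
Invoke-DnsCmd -Server $BranchDns -Arguments @('/ResetForwarders', $HubForwarder, '/TimeOut', '5', '/Slave')

# Conditional forwarder: only queries for $PartnerZone go to the partner's servers;
# everything else still follows the server-wide forwarder above.
Invoke-DnsCmd -Server $BranchDns -Arguments (@('/ZoneAdd', $PartnerZone, '/Forwarder') + $PartnerDns + @('/TimeOut', '5', '/Slave'))

# Stub zone: keeps only the SOA, NS and glue A records of $ChildZone, refreshed from its
# masters, so this server always knows the current authoritative servers for the child zone.
Invoke-DnsCmd -Server $BranchDns -Arguments (@('/ZoneAdd', $ChildZone, '/Stub') + $ChildMasters)

# Verify: /Info prints the server configuration (including forwarders and the slave flag);
# /EnumZones lists every zone with its type (Primary, Secondary, Stub, Forwarder).
Invoke-DnsCmd -Server $BranchDns -Arguments @('/Info')
Invoke-DnsCmd -Server $BranchDns -Arguments @('/EnumZones')
```

The hub server itself is the only machine that needs outbound DNS allowed through the site firewall; with /Slave set on the branch servers, a forwarder outage shows up as resolution failures at the branch rather than as branch servers silently starting to query the Internet directly.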
Be familiar with DNS Implementation Plan.
- Creating a DNS Implementation Plan
- • Recommendations
- ○ Implement Windows Server 2008 DNS servers instead of other versions of DNS, and use Active Directory (so zones can be AD-integrated and accept secure dynamic updates only)
- ○ Plan to locate a DNS server on each side of most site links, so routine queries do not cross the link
- ○ Create two or more DNS servers to take advantage of load balancing and fault tolerance
- ○ Designate one DNS server as a forwarder to reduce traffic
- ○ The number of DNS servers that you set up depends on your analysis of the organization (number of sites, clients per site, and expected query load)
What is DHCP?
- Dynamic Host Configuration Protocol (DHCP)
- ○ Enables a Windows Server 2008 server running DHCP services to answer a client that broadcasts for an address when it joins the network
- ○ Lease an IP address (with options such as subnet mask, default gateway, and DNS servers) to that client for a set period
- • The DHCP server has a pre-assigned range of IP addresses (a scope) that it can give to new clients
- • Microsoft DHCP server can support the following:
- ○ Dynamic configuration of DNS server forward and reverse lookup zone records
- ○ Up to 1000 different scopes
- ○ Up to 10,000 DHCP clients
- • A Windows Server 2008 server can be configured in the role of a DHCP server using Microsoft DHCP services
- • The DHCP server automatically updates the DNS server at the time it assigns an IP address
- ○ Using dynamic DNS updates can significantly save time in creating DNS lookup zone records
- • A Microsoft DHCP server can also:
- ○ Reserve an IP address for a specific computer
- ○ Update all computers on a network for a particular change in DHCP settings
- ○ Provide DHCP services to multiple subnetworks
- ○ Omit certain IP addresses from a scope
How can DHCP be integrated with Dynamic DNS?
- The DHCP server automatically updates the DNS server at the time it assigns an IP address
- ○ Using dynamic DNS updates can significantly save time in creating DNS lookup zone records
- ○ Give the DHCP server a dedicated, unprivileged domain account for these updates; otherwise the records it registers are owned by the server’s own computer account (on a DC, an account that can overwrite any record in the zone)
- The DNS dynamic update protocol enables information in a DNS server to be automatically updated in coordination with DHCP.
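The scope features listed above (address range, exclusions, reservations, options) and the DNS update account are all settable from netsh.exe, which is what an administrator would script on Windows Server 2008. The following is an added example, not from the course notes; every subnet, address, MAC and account name in it is an assumed placeholder.

```powershell
# Added example, not from the course notes: create a DHCP scope with netsh.exe and set the
# account the DHCP server uses for dynamic DNS registrations. All values are assumed.
# Run elevated on the Windows Server 2008 DHCP server.
$Subnet     = '10.0.5.0'
$Mask       = '255.255.255.0'
$ScopeName  = 'Floor5'
$RangeStart = '10.0.5.20'
$RangeEnd   = '10.0.5.250'
$ExclStart  = '10.0.5.200'      # addresses kept out of the pool for statically configured devices
$ExclEnd    = '10.0.5.220'
$Gateway    = '10.0.5.1'
$DnsServer  = '10.0.0.10'
$PrinterIp  = '10.0.5.50'       # reservation: always hand this address to this MAC
$PrinterMac = '001122334455'

function Invoke-Netsh {
    param([string[]]$Arguments)
    $out = & netsh.exe @Arguments 2>&1
    if ($LASTEXITCODE -ne 0) { throw "netsh $($Arguments -join ' ') failed: $($out -join ' ')" }
    $out
}

Invoke-Netsh @('dhcp', 'server', 'add', 'scope', $Subnet, $Mask, $ScopeName, 'Fifth floor workstations')
Invoke-Netsh @('dhcp', 'server', 'scope', $Subnet, 'add', 'iprange', $RangeStart, $RangeEnd)
Invoke-Netsh @('dhcp', 'server', 'scope', $Subnet, 'add', 'excluderange', $ExclStart, $ExclEnd)
Invoke-Netsh @('dhcp', 'server', 'scope', $Subnet, 'add', 'reservedip', $PrinterIp, $PrinterMac, 'prn-floor5', 'Floor 5 printer')
Invoke-Netsh @('dhcp', 'server', 'scope', $Subnet, 'set', 'optionvalue', '003', 'IPADDRESS', $Gateway)    # option 3: router
Invoke-Netsh @('dhcp', 'server', 'scope', $Subnet, 'set', 'optionvalue', '006', 'IPADDRESS', $DnsServer)  # option 6: DNS servers
Invoke-Netsh @('dhcp', 'server', 'scope', $Subnet, 'set', 'state', '1')                                    # activate the scope

# Dynamic DNS integration. Without explicit credentials the DHCP server registers client
# records under its own computer account; on a domain controller that account can overwrite
# any record in the zone. A dedicated ordinary domain user (assumed name below) limits what
# a compromised or misconfigured DHCP server can change in DNS.
$nc = (Get-Credential 'EXAMPLE\svc-dhcpdns').GetNetworkCredential()
Invoke-Netsh @('dhcp', 'server', 'set', 'dnscredentials', $nc.UserName, $nc.Domain, $nc.Password)
Invoke-Netsh @('dhcp', 'server', 'show', 'dnscredentials')
Invoke-Netsh @('dhcp', 'server', 'scope', $Subnet, 'show', 'clients')
```

The exclusion range lives inside the distributed range on purpose: the DHCP server never leases those addresses, so devices configured by hand in that range cannot collide with leases.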
What is IIS?
- Microsoft Internet Information Services (IIS)
- ○ Software included with Windows Server 2008 that enables you to offer a complete Web site
What are some additional components that can be installed with IIS?
- The Internet Information Services (IIS) Manager tool enables you to manage IIS components including the following:
- ○ Application pools
- ○ Sites
- ○ SMTP e-mail
- ○ Certificates
- • Application pools group Web applications so that each pool runs in its own worker process, isolated from applications in other pools; a crash or compromise in one pool does not directly affect the others
- • The Sites node is used to manage the multiple Web sites hosted on one IIS server
- • The SMTP E-mail feature configures how Web applications send e-mail (SMTP server, port, and credentials)
- ○ Applications send mail through the System.Net.Mail application programming interface
- • Through the Server Certificates feature, you can request, import, and bind the certificates used for HTTPS on the server’s Web sites
What is a Virtual Directory?
- • Virtual directory
- ○ A directory name (alias) in a Web site’s URL space that maps to a physical folder, which may be on the local server or on a network share (UNC path), or to a redirection Uniform Resource Locator (URL)
- § So that the folder’s content can be accessed over the Internet, an intranet, or VPN without having to live under the site’s root folder
- • The reason for creating a virtual directory is to provide a shortcut path to specific IIS server content
- • When you set up a virtual directory, you give it an alias
- ○ A name to identify it to a Web browser (http://server/alias/)
- • After a virtual directory is created, you can modify its properties in IIS Manager
- • You can set up the virtual directory to be shared
- ○ So that users who need access to add contents to the directory can do this over the network; grant write permission only to those content authors, and leave the anonymous Web user identity with read access only
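Creating the virtual directory, confirming the alias IIS actually registered, and setting the folder permissions the notes describe (authors write, anonymous users read) can all be done from the command line with appcmd.exe and icacls.exe. The following is an added example, not from the course notes; the site name, alias, folder path and the EXAMPLE\WebAuthors group are assumed placeholders.

```powershell
# Added example, not from the course notes: create an IIS 7 virtual directory with appcmd.exe,
# disable directory browsing on it, and set NTFS permissions. Paths and names are assumed.
$AppCmd   = "$env:windir\System32\inetsrv\appcmd.exe"
$Site     = 'Default Web Site'
$Alias    = 'docs'                   # what the browser sees: http://server/docs/
$Physical = 'D:\Content\PublicDocs'  # folder outside the site root that the alias points to
$Authors  = 'EXAMPLE\WebAuthors'     # assumed group that may add content

function Invoke-AppCmd {
    param([string[]]$Arguments)
    $out = & $AppCmd @Arguments 2>&1
    if ($LASTEXITCODE -ne 0) { throw "appcmd $($Arguments -join ' ') failed: $($out -join ' ')" }
    $out
}

if (-not (Test-Path $Physical)) { New-Item -ItemType Directory -Path $Physical | Out-Null }

# Create the virtual directory under the site's root application ("Default Web Site/").
Invoke-AppCmd @('add', 'vdir', "/app.name:$Site/", "/path:/$Alias", "/physicalPath:$Physical")

# No auto-generated file listing when a request hits the alias without a default document.
Invoke-AppCmd @('set', 'config', "$Site/$Alias", '/section:system.webServer/directoryBrowse', '/enabled:false')

# NTFS: replace inherited ACEs so the folder carries only what the Web site needs.
#   IUSR      = IIS 7 anonymous user (read/execute only)
#   IIS_IUSRS = application pool identities (read/execute only)
#   authors   = Modify, so they can add content over the network share
& icacls.exe $Physical /inheritance:r `
    /grant:r 'NT AUTHORITY\SYSTEM:(OI)(CI)F' 'BUILTIN\Administrators:(OI)(CI)F' `
             "${Authors}:(OI)(CI)M" 'IUSR:(OI)(CI)RX' 'BUILTIN\IIS_IUSRS:(OI)(CI)RX' | Out-Null
if ($LASTEXITCODE -ne 0) { throw "icacls failed on $Physical" }

# Read back what IIS now believes about the alias.
Invoke-AppCmd @('list', 'vdir', "$Site/$Alias")
Invoke-AppCmd @('list', 'config', "$Site/$Alias", '/section:system.webServer/directoryBrowse')
```

If the physical path is a UNC share rather than a local folder, the application pool identity (not IUSR) must have read access on that share, or IIS will return 500-series errors for the alias.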
What is RAS?
- • Routing and Remote Access Services (RRAS)
- ○ Enable routing and remote access through virtual private networking and dialup networking
RAS in VPN general overview.
- • Virtual private network (VPN)
- ○ Tunnel through a larger (public) network that is restricted to designated, authenticated member clients only
- • Implementing a Virtual Private Network
- • VPN
- ○ Uses tunneling protocols to carry LAN traffic; Windows Server 2008 RRAS supports PPTP, L2TP/IPsec, and SSTP
- ○ Encapsulates and encrypts data as it is sent across a public network
- • Benefits of using a VPN
- ○ Users can connect through a local ISP to the organization’s network
- ○ Data sent across a public network is protected from eavesdropping and tampering
- ○ Encrypted tunnel; prefer L2TP/IPsec or SSTP over PPTP, whose MS-CHAP v2 authentication is known to be weak
RAS in Dial-up general overview.
- • Dial-up networking
- ○ Using a telecommunications line and a modem to dial into a network or specific computers on a network
- • RRAS turns the server into a dial-up Remote Access Services (RAS) server capable of handling hundreds of simultaneous connections
What is Terminal Services
Enables clients to run services and software applications on Windows Server 2008 instead of at the client
Terminal Services' advantages?
- • Enables thin clients to offload most CPU-intensive operations to the server
- • Centralizes control of how programs are installed, patched, and used (one copy on the server instead of one per client)
Group Policy overview.
What are group policies?
- • Group policy in Windows Server 2008
- ○ Enables you to standardize the working environment of clients and servers by setting policies in Active Directory
- • Defining characteristics of group policy:
- ○ Group policy can be set for a site, domain, OU, or local computer
- ○ Group policy cannot be set for non-OU folder containers (such as the built-in Users and Computers containers)
- ○ Group policy settings are stored in group policy objects (GPOs)
- ○ GPOs can be local and nonlocal (Active Directory based)
- ○ Group policy can be set up to affect user accounts and computers
- ○ When group policy is updated, clients pick up the changed or removed settings at their next refresh (at startup and logon, then periodically; every 90 minutes with a random offset by default, every 5 minutes on domain controllers)
What is the difference between computer local policy and Active-Directory GPO?
- An Active Directory GPO is linked to a site, domain, or OU and applies to all user and computer accounts in that container (and, through inheritance, in its child containers)
- A computer’s local policy applies only to that one computer and the users who log on to it, and it is overridden by any Active Directory GPO that sets the same setting
What can GPOs accomplish,
A GPO is an Active Directory object that contains group policy settings (a set of group policies) for a site, domain, OU, or local computer. Each GPO has a unique name and globally unique identifier (GUID). Every Windows Server 2008 server has one local GPO; once joined to a domain, the server is also governed by the Active Directory GPOs linked to its site, domain, and OUs.
what are GPOs' advantages?
- One GPO applies the same settings, including security settings such as password and lockout policy, to every account in a container, so configuration is centralized and consistent instead of being set on each computer
- A change is made once in the GPO and delivered automatically to every affected user and computer
What are 2 main sections within each GPO?
- Computer Configuration (settings applied to the computer at startup, regardless of who logs on)
- User Configuration (settings applied to the user at logon, regardless of which computer)
- (Each GPO is also identified by a unique name and a globally unique identifier, GUID.)
Understand how GPOs are applied.
Every Windows Server 2008 server has a local GPO. A domain member is additionally governed by the Active Directory GPOs linked to its site, domain, and OUs: computer settings are applied when the computer starts, user settings when the user logs on, and both are refreshed periodically. Settings from all applicable GPOs are merged, and where two GPOs set the same setting the one processed last wins.
What is the default order of application (L-S-D-OU)
- Local GPO, then site GPOs, then domain GPOs, then OU GPOs (parent OU before child OU). The Default Domain Controllers Policy is simply a GPO linked to the Domain Controllers OU.
- Within one container that has several GPOs linked, the GPO with the highest link order number is processed first and the one with link order 1 is processed last, so link order 1 prevails on conflicts.
Enforce policy in GPO
- Make sure the settings in this GPO are not overwritten by GPOs processed later (lower in the hierarchy)
- Enforced links prevail over blocked inheritance
What happens when there’s a conflicting setting in multiple GPOs?
- The GPO applied last wins: an OU GPO overrides a domain GPO, which overrides a site GPO, which overrides the local GPO; an Enforced GPO is the exception and wins regardless of where it is linked
What is the default policy inheritance?
- By default a container inherits the GPOs linked to its parent (domain settings flow to every OU, parent OU settings to child OUs). An administrator can set Block Inheritance on a domain or OU to stop that, except for GPOs that are Enforced.
Security related policy settings: min/max password length,
- • Minimum password length
- Some organizations require that all passwords have a minimum length, such as seven characters (for a “strong password” Microsoft recommends a minimum of seven characters; the Windows Server 2008 Default Domain Policy uses seven). A longer minimum makes passwords harder to guess or brute-force. There is no separate maximum length policy setting.
Security related policy settings: password complexity,
- Passwords must meet complexity requirements
- When enabled, a new password must not contain the user’s account name, must be at least six characters long, and must contain characters from three of the four categories (uppercase letters, lowercase letters, digits, non-alphabetic symbols); stricter custom rules require a password filter DLL installed on the domain controllers
Security related policy settings: password history,
- One option is to set a password expiration period, requiring users to change passwords at regular intervals
- • Enforce password history (how many previous passwords are remembered)
- • Maximum password age (how long a password may be used before it must be changed)
- • Minimum password age (how long a password must be kept before it may be changed again; without this, a user can cycle through the whole history in minutes and return to the old password)
- Another option is to have the operating system “remember” passwords that have been used previously. For example, the system might be set to recall the last five passwords, preventing a user from repeating one of these. Password history forces the user to change to a different password instead of reusing the same one.
Security related policy settings: settings related to account lockout.
- • The operating system can employ account lockout
- ○ To bar access to an account (including the true account owner) after a number of unsuccessful tries
- • The lockout can be set to release after a specified period of time
- ○ Or by intervention from the server administrator
- • A common policy is to have lockout go into effect after five to 10 unsuccessful logon attempts
- ○ Caveat: lockout stops online password guessing, but it also lets an attacker deliberately lock users out (a denial of service); pick a threshold and duration that limit guessing without making that too easy
- • Account lockout parameters
- ○ Account lockout duration (minutes; 0 means locked until an administrator unlocks the account)
- ○ Account lockout threshold (number of failed attempts; 0 means never lock out)
- ○ Reset account lockout count after (minutes before the failed-attempt counter returns to zero)
- • Kerberos security
- ○ Involves the use of tickets that are exchanged between the client who requests logon and network services access
- § And the server or Active Directory that grants access
- • Enhancements on Windows Server 2008 and Windows Vista
- ○ The use of Advanced Encryption Standard (AES) encryption for Kerberos tickets
- ○ When Active Directory is installed, the account policies in the Default Domain Policy include the Kerberos policy (ticket lifetimes and the allowed clock skew)
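The password and lockout settings described in the sections above can be read back from a server with secedit.exe, which exports the effective security policy as an INF file. The following is an added example, not from the course notes: it parses the [System Access] section of that export and compares each setting against a baseline. The baseline values are this example's own assumptions drawn from the figures in the notes (seven characters, five to ten attempts, five remembered passwords), not a Microsoft mandate. Run it elevated; on a domain controller the export reflects the domain account policy, on a member server it reflects the policy for local accounts.

```powershell
# Added example, not from the course notes: export the effective account policy with
# secedit.exe and check it against an assumed baseline. Run in an elevated session.

function Get-AccountPolicy {
    # Returns the [System Access] section of a secedit export as a hashtable name -> [int].
    $inf = Join-Path $env:TEMP ('secpol-{0}.inf' -f [guid]::NewGuid())
    & secedit.exe /export /cfg $inf /areas SECURITYPOLICY /quiet | Out-Null
    if (-not (Test-Path $inf)) { throw 'secedit export failed (is the session elevated?)' }
    $policy = @{}
    $inSection = $false
    foreach ($line in Get-Content $inf) {
        if ($line -match '^\[(.+)\]$') { $inSection = ($Matches[1] -eq 'System Access'); continue }
        if ($inSection -and $line -match '^\s*(\w+)\s*=\s*(-?\d+)') {
            $policy[$Matches[1]] = [int]$Matches[2]
        }
    }
    Remove-Item $inf -Force
    return $policy
}

function Test-AccountPolicy {
    param([hashtable]$Policy)
    # secedit writes -1 for "never"/"until administrator unlocks"; lockout duration and reset
    # count are absent entirely when the lockout threshold is 0 (reported below as MISSING).
    $checks = @(
        @{ Name = 'MinimumPasswordLength'; Ok = { $args[0] -ge 7 };                      Why = 'at least 7 characters' },
        @{ Name = 'PasswordComplexity';    Ok = { $args[0] -eq 1 };                      Why = 'complexity enabled' },
        @{ Name = 'PasswordHistorySize';   Ok = { $args[0] -ge 5 };                      Why = 'remember at least 5 passwords' },
        @{ Name = 'MaximumPasswordAge';    Ok = { $args[0] -gt 0 -and $args[0] -le 90 }; Why = 'expire within 90 days' },
        @{ Name = 'MinimumPasswordAge';    Ok = { $args[0] -ge 1 };                      Why = 'no same-day cycling through history' },
        @{ Name = 'LockoutBadCount';       Ok = { $args[0] -ge 5 -and $args[0] -le 10 }; Why = 'lock after 5-10 failures' },
        @{ Name = 'LockoutDuration';       Ok = { $args[0] -ge 15 -or $args[0] -eq -1 }; Why = '15+ minutes or admin unlock' },
        @{ Name = 'ResetLockoutCount';     Ok = { $args[0] -ge 15 };                     Why = 'counter resets after 15+ minutes' },
        @{ Name = 'ClearTextPassword';     Ok = { $args[0] -eq 0 };                      Why = 'no reversible encryption' }
    )
    foreach ($c in $checks) {
        $value  = $Policy[$c.Name]
        $status = if ($null -eq $value) { 'MISSING' } elseif (& $c.Ok $value) { 'ok' } else { 'FAIL' }
        '{0,-8} {1,-22} = {2,-4} ({3})' -f $status, $c.Name, $value, $c.Why
    }
}

Test-AccountPolicy -Policy (Get-AccountPolicy)
```

A MISSING LockoutDuration together with LockoutBadCount = 0 means lockout is simply off, which is the state to look for first when reviewing a server that was promoted from default settings.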
What are user rights?
• User rights enable an account or group to perform predefined tasks
What are the 2 types of user rights?
- • Logon rights: the most basic right is the ability to access a server, for example Allow log on locally or Access this computer from the network
- • Privileges: more advanced rights that allow tasks such as creating accounts, backing up files, taking ownership, or managing server functions
What is server monitoring?
- Establishes benchmarks or baselines to help identify areas that need improvement and to identify problem areas.
- • To become familiar with the server’s performance and typical behavior
- • Prevent problems before they occur (for example, running out of disk space or memory)
- • Diagnose existing problems or resource shortages
What is a baseline?
- • Normal server characteristics/patterns to diagnose problems and identify components to be upgraded
- • Acquired by generating statistics about the system during no user activity periods and during normal activity periods, as well as during slow, average and peak periods
- • Gather benchmarks, and then frequently monitor server performance
- • Provide a basis for comparing data collected during problem situations with data showing normal performance conditions
How is baseline collected?
Acquired by generating statistics about the system during no user activity periods and during normal activity periods, as well as during slow, average and peak periods
What are Server Services?
- • Accessing Server Services
- • You can access server services through Server Manager or the Computer Management tool
- • Check the status of running services
- • Start, stop, pause and restart services
- • Check service dependencies
- Servers are always running a number of services. The exact number of services depends on the number and types of components you have installed.
How can you use Services tool for troubleshooting?
- • A service that fails to start often depends on another service that is not running; the Dependencies tab shows what must be running first
- • Check the service’s startup type (Automatic, Manual, Disabled) and the account it logs on as; a changed password on that account is a common cause of a start failure
- • Stop and restart a hung service, then read the System log in Event Viewer for the error the service reported
What are Task Manager functions?
- • To monitor processes/applications
- • To view CPU/memory/networking stats
- • To view logged on users
Performance Monitor functionality, objects,
A Performance Monitor object may be memory, the processor, or another part of the computer. Other objects are added as you install services and applications.
Performance Monitor functionality, instances,
An instance exists when there are different elements to monitor, such as individual processes when you use the Process object, or when a process contains multiple threads or runs subprocesses under it for the Thread object. Other examples are when it is possible to monitor two or more disks or multiple processors. In many cases, each instance is identified by a unique number for ease of monitoring.
Performance Monitor functionality, counters,
- A counter is an indicator of a quantity of the object that can be measured in some unit, such as percentage, rate per second, or peak value, depending on what is appropriate to the object. For example, the % Processor Time counter for the Processor object measures the percentage of elapsed time that the processor spends executing nonidle threads.
Performance Monitor functionality, data collector sets
- A data collector set is a collection of diagnostic and performance information in the form of a report or log. There are three basic types of data collection tools and formats:
- • Performance counters and performance counter reports
- • Traces and trace reports
- • System configuration data
Performance Monitor functionality, reports.
- Three reporting formats, matching the three collection types:
- Performance counter reports
- Trace reports
- System configuration reports
Be familiar with Reliability Monitor.
Reliability Monitor tracks the combined hardware and software reliability of a system from the time the system was installed. Using the Reliability Monitor helps you to judge the overall system reliability while taking into account multiple factors. It presents a running System Stability Chart that enables you to view the overall reliability over the last month to many months at a glance.
Know the main counters mentioned in the book/lecture notes.
- Memory Pages/sec
- Paging File % Usage and %Usage Peak
- Page Faults/sec
- Processor % Processor Time
- PhysicalDisk %Disk Time
- Physical Disk Current Disk Queue Length
- LogicalDisk %Free Space
Memory Pages/sec
indicates the number of 4K pages read from or written to disk per second to resolve hard page faults (pages in the paging file or in memory-mapped files). A value consistently higher than 2-3 (the book’s rule of thumb) indicates a shortage of physical RAM.
Paging File % Usage and %Usage Peak
show how much of the page file is currently occupied, and the peak since startup. Neither should frequently exceed 99%, but look at this info in relation to Memory Pages/sec. If the values are frequently over 99%, increase the page file size or, better, add RAM.
Page Faults/sec
a page fault occurs when a program references a page that is not in its working set; a hard page fault means the page must be read from disk. If there are frequently over 5 hard page faults/sec, this is another strong indication of a memory bottleneck. Increase RAM. (This counter also includes cheap soft faults, so read it together with Pages/sec.)
Processor % Processor Time
indicates the percentage of elapsed time the processor spends executing nonidle threads, that is, how busy it is at present.
PhysicalDisk %Disk Time
shows the percentage of elapsed time the disk was busy servicing read or write requests
Physical Disk Current Disk Queue Length
shows the number of requests waiting to access the disk.
LogicalDisk %Free Space
indicates what percentage of space on the logical drive is still available. A low or rapidly decreasing number indicates a problem; add more space.
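The counters above can be sampled without opening Performance Monitor by using Get-Counter (PowerShell 2.0 and later, which is standard on Windows Server 2008 R2 and an optional install on Windows Server 2008). The following is an added example, not from the course notes: it shows how an object, its counters and its instances relate, then averages several samples of the listed counters and flags the ones that cross a threshold. The thresholds for Pages/sec, paging file usage and page faults are the notes' rules of thumb; those for processor, disk time, queue length and free space are this example's own assumptions, as is the C: instance name.

```powershell
# Added example, not from the course notes: sample the counters from the notes with
# Get-Counter and flag values over assumed thresholds. Counter names are the English ones.

# Object -> counters -> instances, as Performance Monitor organises them.
(Get-Counter -ListSet PhysicalDisk).Counter              # counter paths for the object
(Get-Counter -ListSet PhysicalDisk).PathsWithInstances   # one path per disk instance

$Counters = @(
    '\Memory\Pages/sec',
    '\Paging File(_Total)\% Usage',
    '\Paging File(_Total)\% Usage Peak',
    '\Memory\Page Faults/sec',
    '\Processor(_Total)\% Processor Time',
    '\PhysicalDisk(_Total)\% Disk Time',
    '\PhysicalDisk(_Total)\Current Disk Queue Length',
    '\LogicalDisk(C:)\% Free Space'                       # assumed system drive
)

# Predicate per counter: $true when the average is worth investigating.
# PowerShell hashtable literals are case-insensitive, which matters because
# Get-Counter reports paths in lowercase.
$Rules = @{
    '\Memory\Pages/sec'                               = { $args[0] -gt 3 }    # notes: >2-3 = short on RAM
    '\Paging File(_Total)\% Usage'                    = { $args[0] -gt 99 }   # notes
    '\Paging File(_Total)\% Usage Peak'               = { $args[0] -gt 99 }   # notes
    '\Memory\Page Faults/sec'                         = { $args[0] -gt 5 }    # notes (includes soft faults; hint only)
    '\Processor(_Total)\% Processor Time'             = { $args[0] -gt 85 }   # assumed
    '\PhysicalDisk(_Total)\% Disk Time'               = { $args[0] -gt 90 }   # assumed
    '\PhysicalDisk(_Total)\Current Disk Queue Length' = { $args[0] -gt 2 }    # assumed
    '\LogicalDisk(C:)\% Free Space'                   = { $args[0] -lt 15 }   # assumed
}

function Get-CounterAverages {
    # Takes $Samples readings $IntervalSeconds apart and averages each counter.
    param([int]$Samples = 10, [int]$IntervalSeconds = 2)
    $sets = Get-Counter -Counter $Counters -SampleInterval $IntervalSeconds -MaxSamples $Samples -ErrorAction SilentlyContinue
    $values = @{}
    foreach ($set in $sets) {
        foreach ($s in $set.CounterSamples) {
            # Sample paths are fully qualified (\\HOST\memory\pages/sec); drop the host part.
            $path = $s.Path -replace '^\\\\[^\\]+', ''
            if (-not $values.ContainsKey($path)) { $values[$path] = New-Object System.Collections.ArrayList }
            [void]$values[$path].Add($s.CookedValue)
        }
    }
    $avg = @{}
    foreach ($p in $values.Keys) { $avg[$p] = ($values[$p] | Measure-Object -Average).Average }
    return $avg
}

$avg = Get-CounterAverages
foreach ($c in $Counters) {
    $v = $avg[$c]
    $flag = if ($null -ne $v -and (& $Rules[$c] $v)) { 'CHECK' } else { 'ok' }
    '{0,-6} {1,-50} avg = {2,10:N2}' -f $flag, $c, $v
}
```

Run this once during a quiet period and once at peak to get the two ends of the baseline the notes describe; a counter that only reads CHECK under load is a capacity question, one that reads CHECK when idle is a fault.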
What is SNMP Service?
- Implementing the SNMP Service
- • Used for network management on TCP/IP-based networks
- • Provides administrators with a way of centrally managing workstations, servers, hubs, and routers from a central computer running management software
- • SNMP can be used for the following:
- ○ Configuring network devices
- ○ Monitoring the performance of a network
- ○ Locating network problems
- ○ Monitoring network usage
- • SNMP provides network management services through agents and management systems
- • SNMP management system (a computer running management software)
- ○ Sends requests for information (and configuration changes) to an SNMP agent, and receives the traps the agent sends on its own
- • SNMP agent (any computer or network device running SNMP agent software)
- ○ Responds to the management system’s requests for information
- • The Windows SNMP service speaks SNMP v1 and v2c: the community string is the only credential and travels in cleartext, so give each community the least rights it needs (read-only where possible), never leave the default “public”, and configure the agent to accept packets only from the management station(s)
- • Microsoft operating systems and components compatible with SNMP:
- ○ Windows Server 2008
- ○ Windows Server 2003
- ○ Windows 2000 Server
- ○ Windows 2000, XP, and Vista
- ○ WINS servers
- ○ DHCP servers
- ○ Internet Information Services servers
- ○ Microsoft RAS and IAS servers
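The Windows SNMP service keeps its community strings, their rights and the list of permitted managers in the registry, so the two settings that matter for an agent's exposure can be audited from PowerShell. The following is an added example, not from the course notes; it reads the service's own configuration and flags guessable or write-capable communities and an empty permitted-manager list. The registry locations and rights values are those of the Windows SNMP service; the "weak" criteria are this example's assumptions.

```powershell
# Added example, not from the course notes: audit the Windows SNMP service configuration.
# Communities are the only credential in SNMP v1/v2c, so check what they are and what they allow.
$Base = 'HKLM:\SYSTEM\CurrentControlSet\Services\SNMP\Parameters'

# Rights values stored per community under ValidCommunities.
$RightNames = @{ 1 = 'NONE'; 2 = 'NOTIFY'; 4 = 'READ ONLY'; 8 = 'READ WRITE'; 16 = 'READ CREATE' }
$GuessableNames = @('public', 'private')   # assumed list of community names worth flagging

function Get-SnmpCommunities {
    $key = Get-Item "$Base\ValidCommunities" -ErrorAction SilentlyContinue
    if (-not $key) { return @() }
    foreach ($name in $key.GetValueNames()) {
        $rights = [int]$key.GetValue($name)
        $rightsName = if ($RightNames.ContainsKey($rights)) { $RightNames[$rights] } else { "unknown($rights)" }
        New-Object PSObject -Property @{
            Community = $name
            Rights    = $rightsName
            # Weak if the name is guessable or the community may change the configuration.
            Weak      = ($GuessableNames -contains $name.ToLower()) -or ($rights -ge 8)
        }
    }
}

function Get-SnmpPermittedManagers {
    # PermittedManagers holds numbered string values ("1", "2", ...) naming the allowed hosts.
    $key = Get-Item "$Base\PermittedManagers" -ErrorAction SilentlyContinue
    if (-not $key) { return @() }
    foreach ($name in $key.GetValueNames()) { [string]$key.GetValue($name) }
}

$svc = Get-Service -Name SNMP -ErrorAction SilentlyContinue
if (-not $svc) { 'SNMP service is not installed on this server'; return }
"SNMP service: $($svc.Status)"

Get-SnmpCommunities | Format-Table Community, Rights, Weak -AutoSize

$managers = @(Get-SnmpPermittedManagers)
if ($managers.Count -eq 0) {
    'Agent accepts SNMP packets from ANY host (no permitted managers configured); restrict to the management station(s).'
} else {
    "Agent accepts SNMP packets only from: $($managers -join ', ')"
}
```

The same two settings are on the Security tab of the SNMP Service properties in the Services console; the script is only a faster way to review them across many servers, for example by wrapping it in Invoke-Command.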