BlueCat acquires Men&Mice to boost its industry-leading DNS, DHCP, and IP address management (DDI) platform





Windows DNS and DNSSEC Hands-on Training

A private training course designed for administrators working in Microsoft and Windows-exclusive network environments.

General description

This 3 day training with lab exercises dives deep into the DNS protocol and prepares an Administrator who works with Microsoft DNS in the Internet or internal networks with the required knowledge to bring the DNS infrastructure into the future. The training explains the new DNS features of Windows 2012/2016, as well gives recommendations for future proof DNS designs. The training is based on Men&Mice 18 year experience with Microsoft DNS and Active Directory deployments.


—  Laptop with Windows 7/8/10 (can be virtualized)

—  Ethernet network card

—  basic knowledge of Windows Server Administration

Prerequisites (recommended)

The labs require working on the command-line in a Linux/Unix shell. Without familiarity with basics such as cd, ls, cp, cat, and using a text editor, a participant will face difficulties. While experience is strongly recommended, advanced command-line skills are not needed. For text editing, the labs offer a variety of text editors: nano, joe pico emacs mg and vi/vim are available.


—  History of Name services (HOSTS.TXT, NetBIOS, WINS)

—  DNS Glossary: Domain, Domain-Name, Label

—  DNS Hierarchy: delegation

—  DNS replication (full zone-transfer, incremental zone transfer, active directory replication)

—  DNS troubleshooting tools (nslookup, dig, drill, PowerShell)

—  DNS record types and how they work: A/AAAA, SOA, NS, MX, SRV, TXT

—  The SOA configuration values and the Time-To-Live value

—  Reading DNS zone files

—  The DNS protocol on the wire

—  The purpose of DNS caching

—  The two functions of DNS Server: hosting zones (authoritative) and looking up names (recursive)

—  Windows DNS Clients (XP, Vista, Windows 7, Windows 8)

—  Concepts: DNS suffix, search list, resolving DNS server

—  GUI configuration

—  Configuration from the commandline (ipconfig, netsh, PowerShell)

—  Windows server installation (Server Core and full GUI)

—  Creating and managing static zones

—  Creating and managing dynamic zones

—  Aging and Scavenging on DNS records in dynamic Zones

—  How to Monitor a Windows DNS server

—  Windows DNS Server maintenance

—  “Hidden Primary Master” setups

—  Separation of resolving and authoritative functions

—  DNS forwarding explained

—  How to use stub zones to augment the DNS namespace with private data

—  DNS server redundancy – the way to 100% service uptime

—  DNS server load balancing, Round-Trip-Time measurements

—  The SRV Records, and how Active Directory services are found using DNS

—  Dynamic auto-registration of DNS records in Active Directory

—  Naming a Domain – DNS and Active Directory best practices

—  Troubleshooting Active Directory issues in DNS

—  RFC standard DNS updates, how does it work?

—  DNS and DHCP interaction

—  The FQDN DHCP option

—  Registering the address records

—  Registering the pointer records (reverse resolution)

—  Dynamic update security (TSIG and GSS-TSIG)

—  The dangers to DNS: cache poisoning, denial-of-service attack, untrusted resolvers, unauthorized DNS changes

—  Common DNS misconfigurations

—  The DNS Security Extensions (DNSSEC)

—  How DNSSEC secures DNS data by signing resource record

—  Choose the correct DNSSEC signing parameters (Algorithm, Key-Length, Key-Rollover-Policies, NSEC/NSEC3)

—  Sign a DNS Zone using the Windows DNS server

—  Registering the delegation signer (DS) record in the parent zone

—  Performing a DNSSEC key rollover

—  DNS operator switch with DNSSEC signed zones

—  DNSSEC validation – how does it work

—  Enable DNSSEC validation on Windows DNS server

—  Making an Enterprise Windows client DNSSEC aware

—  Troubleshooting DNSSEC validation

—  DNSSEC application support

—  Securing TLS/SSL certificates with DNS

—  Use DNSSEC to secure Active Directory (private DNSSEC)

—  IPv6 based name resolution on Windows operating systems (DNS, LLMNR, PNRP)

—  The “” domain and literal IPv6 addresses in legacy applications

—  Windows DNS Server and IPv6 best practice

—  DNS64 and NAT64 in an Microsoft environment

Hands-on exercises

—  Installing the Windows DNS server on Windows server (core or full gui)

—  Basic configuration of a caching DNS Server

—  Creating a static zone

—  Troubleshooting delegation issues

—  Replicate a DNS zone to a offside DNS server

—  Creating a delegated child zone

—  Creating a dynamic zone, working with dynamic updates

—  Creating a stub zone for private data

—  Dynamic updates from the client machine

—  Enabling DNSSEC validation using the Internet root trust-anchor

—  Signing a DNS zone with DNSSEC

—  DNSSEC validation using a private trust anchor

—  Troubleshooting DNSSEC validation issues

—  Creating self-signed TLS certificates and secure them with DNSSEC