In Windows Server 2016, management of DNS properties have been significantly enhanced IP Address Management (IPAM) feature. In 2012 R2, IPAM was limited to the discovery and display of DNS zone information and monitoring the availability of DNS zones. In the new version however, administrators can now manage DNS zones, conditional forwarders and resource records across multiple DNS servers using IPAM.
The following is a brief overview of new IPAM 2016 capabilities.
DNS Data Collection
IPAM runs a periodic task to collect DNS data every 6 hours from the domain joined Microsoft DNS servers that IPAM is managing. It fetches the properties of DNS zone and DNS conditional forwarders from these servers. It also fetches the resource records belonging to the zones. Since the same zone can be hosted on multiple DNS servers, it chooses one of the authoritative servers as the ‘preferred DNS server’ from which to collect resource records from the zone. Both the collection frequency and ‘preferred DNS server’ for the zones are configurable.
DNS Zone Management
IPAM now allows administrators to perform CRUD (Create, Read, Update, Delete) operations on DNS zones hosted on the DNS servers being managed by IPAM. It supports both file based and Active Directory integrated DNS zones and allows the management of both forward and reverse lookup zones. IPAM users are also able to create primary, secondary and stub zones.
The IPAM UI provides a hierarchal view of zones hosted on managed DNS servers. From this view IPAM users are able to view a zones resource records, as well as the DNS servers the zone is hosted on.
Figure 1: DNS Zone View
From this view IPAM users can set DNS zone properties like dynamic update settings, scavenging properties, zone transfer properties and notify settings as well as perform other operations such as:
- Zone reload
- Pause/Resume DNS zones
- Zone transfer
DNS Resource Record Management
Another new feature in IPAM 2016 is DNS resource record management. IPAM now allows CRUD operations on the DNS resource records. It supports the following types of resource records:
- AFS database
- ATM Address
- Host A or AAAA
- Host Information
- Name Servers
- Pointer (PTR)
- Responsible person
- Route Through
- Service Location
- Well Known Services
The IPAM UI provides a consolidated view of resource records of all the types for a particular DNS zone. Users can filter these resource records based on name, type, IP address etc.
Figure 2: Resource Records View
DNS Conditional Forwarder Management
IPAM now supports management of DNS conditional forwarders. Both file based and AD integrated conditional forwarders are supported.
Figure 3: DNS Conditional Forwarder
Role Based Access Control (RBAC) for DNS
IPAM’s role based access control feature enables administrators to delegate specific operations on specific objects to other users. New IPAM DNS operations have been added to this features for the Windows Server 2016 version. Administrators can choose to delegate operations using several in-box roles, or created granular sets of roles to suit specific needs. An example of the available operations includes the creating/editing of a DNS zone, the creation of resource records and more.
Figure 4: Role Based Control
Administrators can also set access scopes at both the DNS zone and resource record level. This means that they can now delegate permissions to users on specific DNS zones and resource records. A few potential scenarios include:
- Users can edit only specific DNS resource records
- Users can edit DNS resource records of a specific type, such as PTR or MX. For example, IPAM administrator can delegate a mail server administrator permissions to change only MX resource records.
- Users can edit DNS resource records for specific zones
In summary, the Windows Server 2016 version of IPAM adds some very compelling administration capabilities, so go download the latest public TP version and give it a test run!