Windows Server Networking: DNS, DHCP, VPN, and Advanced Services
Introduction
Windows Server provides enterprise networking services for infrastructure management. This guide covers DNS Server configuration with zones and DNSSEC, DHCP Server with scopes and failover, VPN and DirectAccess for remote access, Network Policy Server for authentication, Software-Defined Networking, and performance tuning.
DNS Server Configuration
Installing DNS Server
# Install DNS Server role
Install-WindowsFeature -Name DNS -IncludeManagementTools
# Import DNS module
Import-Module DnsServer
# Verify DNS service
Get-Service DNS
Start-Service DNS
Set-Service DNS -StartupType Automatic
# View DNS server settings
Get-DnsServerSetting -All
Creating DNS Zones
# Create primary zone
Add-DnsServerPrimaryZone -Name "contoso.com" -ReplicationScope "Forest" -PassThru
# Create reverse lookup zone
Add-DnsServerPrimaryZone -NetworkId "192.168.1.0/24" -ReplicationScope "Forest"
# Create secondary zone. The master must allow zone transfers to this server
# (on the master: Set-DnsServerPrimaryZone -SecureSecondaries TransferToSecureServers -SecondaryServers <this server>);
# leaving transfers open to any host hands out the whole zone to anyone who asks
Add-DnsServerSecondaryZone -Name "partner.com" -ZoneFile "partner.com.dns" -MasterServers "10.20.30.40"
# Create stub zone. The master servers must be authoritative for the zone so the
# stub can pull its SOA/NS records; a public recursive resolver such as 8.8.8.8 will not serve them
Add-DnsServerStubZone -Name "external.com" -MasterServers "10.20.30.40" -ReplicationScope "Domain"
# List all zones
Get-DnsServerZone | Select-Object ZoneName, ZoneType, IsDsIntegrated
Managing DNS Records
# Add A record
Add-DnsServerResourceRecordA -Name "web01" -ZoneName "contoso.com" -IPv4Address "192.168.1.10"
# Add AAAA record (IPv6)
Add-DnsServerResourceRecordAAAA -Name "web02" -ZoneName "contoso.com" -IPv6Address "2001:db8::1"
# Add CNAME record
Add-DnsServerResourceRecordCName -Name "www" -ZoneName "contoso.com" -HostNameAlias "web01.contoso.com"
# Add MX record
Add-DnsServerResourceRecordMX -Name "." -ZoneName "contoso.com" -MailExchange "mail.contoso.com" -Preference 10
# Add PTR record (reverse lookup)
Add-DnsServerResourceRecordPtr -Name "10" -ZoneName "1.168.192.in-addr.arpa" -PtrDomainName "web01.contoso.com"
# Add SRV record
Add-DnsServerResourceRecord -ZoneName "contoso.com" -SRV -Name "_ldap._tcp" `
-DomainName "dc01.contoso.com" -Port 389 -Priority 0 -Weight 100
# View all records in zone
Get-DnsServerResourceRecord -ZoneName "contoso.com"
# Remove record
Remove-DnsServerResourceRecord -ZoneName "contoso.com" -Name "oldserver" -RRType "A" -Force
Configuring DNS Forwarders
# Add forwarders. Every query for a name this server is not authoritative for is
# sent here, so choose resolvers you trust with that query log
Set-DnsServerForwarder -IPAddress "8.8.8.8", "8.8.4.4"
# View forwarders
Get-DnsServerForwarder
# Add conditional forwarder
Add-DnsServerConditionalForwarderZone -Name "partner.com" -MasterServers "10.20.30.40"
# Remove forwarder
Remove-DnsServerForwarder -IPAddress "8.8.8.8" -Force
DNS Scavenging
# Enable scavenging on server. A dynamic record becomes eligible for deletion once
# it is older than NoRefreshInterval + RefreshInterval (14 days here); static
# records (no timestamp) are never scavenged. Enable scavenging on one DNS server
# per zone only, so a single clock governs deletions
Set-DnsServerScavenging -ScavengingState $true -ScavengingInterval 7.00:00:00 -RefreshInterval 7.00:00:00 -NoRefreshInterval 7.00:00:00
# Enable aging on the zone (scavenging only touches zones with aging enabled)
Set-DnsServerZoneAging -Name "contoso.com" -Aging $true -RefreshInterval 7.00:00:00 -NoRefreshInterval 7.00:00:00
# Start immediate scavenging (this deletes stale records; review them first)
Start-DnsServerScavenging -Force
# View scavenging settings
Get-DnsServerScavenging
Get-DnsServerZoneAging -Name "contoso.com"
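The record-management and scavenging commands above are easier to trust with an audit that shows what is actually in the zone: aliases whose targets no longer resolve (the foothold for subdomain takeover), hosts with no reverse record, and the dynamic records that the next scavenging pass will delete. The following is an added example, not code from the original guide; it assumes the DnsServer module on a server hosting the forward and reverse zones named in this section, and the 14-day staleness window is just the 7 + 7 days configured above.

```powershell
# Added example, not part of the original guide. Assumes the DnsServer module on
# a server hosting the forward and reverse zones named below; zone names and the
# staleness window are illustrative.
Import-Module DnsServer

function Get-DnsZoneAudit {
    param(
        [Parameter(Mandatory)][string]$ZoneName,
        [string]$ReverseZone = "1.168.192.in-addr.arpa",
        [int]$StaleAfterDays = 14      # NoRefreshInterval + RefreshInterval (7 + 7 days above)
    )
    $records  = Get-DnsServerResourceRecord -ZoneName $ZoneName
    $findings = New-Object System.Collections.Generic.List[object]

    # 1. Dangling CNAMEs. An alias whose target no longer resolves is the
    #    classic subdomain-takeover foothold (someone else registers the target).
    foreach ($r in ($records | Where-Object RecordType -eq 'CNAME')) {
        $target = $r.RecordData.HostNameAlias.TrimEnd('.')
        if (-not (Resolve-DnsName -Name $target -Type A -DnsOnly -ErrorAction SilentlyContinue)) {
            $findings.Add([pscustomobject]@{
                Check  = 'DanglingCNAME'; Record = "$($r.HostName).$ZoneName"
                Detail = "target $target does not resolve" })
        }
    }

    # 2. A records with no PTR in the reverse zone. Reverse lookups feed log
    #    enrichment and some ACLs, so an unregistered host is invisible there.
    $ptrs = @{}
    Get-DnsServerResourceRecord -ZoneName $ReverseZone -RRType Ptr -ErrorAction SilentlyContinue |
        ForEach-Object { $ptrs[$_.RecordData.PtrDomainName.TrimEnd('.').ToLower()] = $true }
    foreach ($r in ($records | Where-Object { $_.RecordType -eq 'A' -and $_.HostName -ne '@' })) {
        $fqdn = "$($r.HostName).$ZoneName".ToLower()
        if (-not $ptrs.ContainsKey($fqdn)) {
            $findings.Add([pscustomobject]@{
                Check  = 'MissingPTR'; Record = $fqdn
                Detail = "no PTR for $($r.RecordData.IPv4Address)" })
        }
    }

    # 3. Stale dynamic records. Timestamp is empty for static records, which
    #    scavenging never touches; dynamic records older than the aging window
    #    are exactly what Start-DnsServerScavenging will delete, so preview them.
    $cutoff = (Get-Date).AddDays(-$StaleAfterDays)
    foreach ($r in ($records | Where-Object { $_.Timestamp -and $_.Timestamp -lt $cutoff })) {
        $findings.Add([pscustomobject]@{
            Check  = 'StaleDynamic'; Record = "$($r.HostName).$ZoneName ($($r.RecordType))"
            Detail = "last refreshed $($r.Timestamp)" })
    }
    return $findings
}

Get-DnsZoneAudit -ZoneName "contoso.com" | Format-Table -AutoSize
```

Run it before enabling scavenging and again after the first pass: the StaleDynamic list is the set of names that will disappear, and any name on it that a service still depends on should be converted to a static record (or its owner fixed so it re-registers) before the pass runs.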
DNSSEC Configuration
# Enable DNSSEC on zone: create a key signing key and a zone signing key
Add-DnsServerSigningKey -ZoneName "contoso.com" -Type "KeySigningKey" -CryptoAlgorithm "RsaSha256"
Add-DnsServerSigningKey -ZoneName "contoso.com" -Type "ZoneSigningKey" -CryptoAlgorithm "RsaSha256"
# Sign zone. Signing is only half of DNSSEC: validating resolvers also need a
# trust path, either the DS record published in the parent zone or a trust
# anchor (Add-DnsServerTrustAnchor) on resolvers that are not authoritative for it
Invoke-DnsServerZoneSign -ZoneName "contoso.com" -Force
# View DNSSEC settings
Get-DnsServerDnsSecZoneSetting -ZoneName "contoso.com"
# Verify DNSSEC
Resolve-DnsName -Name "contoso.com" -DnssecOk
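The sequence above signs the zone but leaves the parts that bite in production to defaults: no rollover schedule, NSEC (which lets anyone enumerate the zone by walking the chain), no exported trust material, and nothing on the client side that actually requires validation. The following is an added example, not code from the original guide; it assumes the DnsServer module on the primary for the AD-integrated contoso.com zone and the DnsClient module on a Windows client, and the key sizes, rollover periods and export path are illustrative choices.

```powershell
# Added example, not part of the original guide. Assumes the DnsServer module on
# the primary for the AD-integrated "contoso.com" zone and the DnsClient module
# on the client; key sizes, rollover periods and the export path are illustrative.
Import-Module DnsServer
$zone = "contoso.com"

# --- On the zone's primary server ---
# Keys with explicit rollover periods. A zone whose signatures are allowed to
# expire fails validation everywhere at once, so automate rollover from day one.
Add-DnsServerSigningKey -ZoneName $zone -Type KeySigningKey -CryptoAlgorithm RsaSha256 `
    -KeyLength 2048 -RolloverPeriod (New-TimeSpan -Days 365)
Add-DnsServerSigningKey -ZoneName $zone -Type ZoneSigningKey -CryptoAlgorithm RsaSha256 `
    -KeyLength 2048 -RolloverPeriod (New-TimeSpan -Days 90)

# NSEC3 instead of NSEC, so the signed zone cannot be walked record by record.
Set-DnsServerDnsSecZoneSetting -ZoneName $zone -DenialOfExistence NSec3 `
    -NSec3Iterations 10 -NSec3RandomSaltLength 8
Invoke-DnsServerZoneSign -ZoneName $zone -Force

# Trust material for the parent (DS) or for resolvers that need a trust anchor;
# writes keyset-/dsset- files into the path, which must already exist.
New-Item -ItemType Directory -Path "C:\DNSSEC" -Force | Out-Null
Export-DnsServerDnsSecPublicKey -ZoneName $zone -Path "C:\DNSSEC" -DigestType Sha256 -Force
Get-DnsServerSigningKey -ZoneName $zone |
    Format-List KeyType, CryptoAlgorithm, KeyLength, RolloverPeriod, NextRolloverAction

# --- On a validating client ---
# Require validation for the namespace rather than merely requesting it.
# Normally delivered through Group Policy; applied locally here.
Add-DnsClientNrptRule -Namespace ".$zone" -DnsSecEnable -DnsSecValidationRequired `
    -Comment "DNSSEC validation mandatory for contoso.com"

function Test-ZoneSignature {
    # Query with the DO bit and count RRSIGs; an unsigned (or expired) answer has none.
    param([Parameter(Mandatory)][string]$Name, [string]$Server)
    $p = @{ Name = $Name; Type = 'A'; DnssecOk = $true; DnsOnly = $true; ErrorAction = 'Stop' }
    if ($Server) { $p.Server = $Server }
    $answer = Resolve-DnsName @p
    $rrsigs = @($answer | Where-Object Type -eq 'RRSIG')
    [pscustomobject]@{
        Name    = $Name
        Answers = @($answer | Where-Object Type -eq 'A').Count
        RRSIGs  = $rrsigs.Count
        Signed  = ($rrsigs.Count -gt 0)
    }
}
Test-ZoneSignature -Name "web01.$zone"
```

Because the zone is AD-integrated with forest-wide replication, every Windows DNS server in the forest is authoritative for it and serves the signed data directly; only resolvers outside that set need the exported DS or key set as a trust anchor. Put Test-ZoneSignature in a scheduled check: a zone that returns answers but zero RRSIGs after a failed rollover is exactly the failure mode that makes NRPT-enforced clients stop resolving the domain.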
DHCP Server Configuration
Installing DHCP Server
# Install DHCP Server role
Install-WindowsFeature -Name DHCP -IncludeManagementTools
# Authorize DHCP server in Active Directory
Add-DhcpServerInDC -DnsName "dhcp01.contoso.com" -IPAddress "192.168.1.5"
# Verify authorization
Get-DhcpServerInDC
# Complete post-install configuration: create the DHCP Administrators and DHCP Users
# local groups (Add-DhcpServerSecurityGroup, then restart the DHCPServer service)
# and clear the "configuration pending" flag that Server Manager displays
Set-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\ServerManager\Roles\12" -Name "ConfigurationState" -Value 2
Creating DHCP Scopes
# Add DHCP scope
Add-DhcpServerv4Scope -Name "Main Office" `
-StartRange "192.168.1.100" `
-EndRange "192.168.1.200" `
-SubnetMask "255.255.255.0" `
-State Active `
-LeaseDuration 8.00:00:00
# Set scope options (gateway, DNS)
Set-DhcpServerv4OptionValue -ScopeId "192.168.1.0" `
-Router "192.168.1.1" `
-DnsServer "192.168.1.5", "192.168.1.6" `
-DnsDomain "contoso.com"
# Add exclusion range. Exclusions must lie inside the scope's start-end range;
# this one reserves a block within the pool for statically addressed hosts
Add-DhcpServerv4ExclusionRange -ScopeId "192.168.1.0" `
-StartRange "192.168.1.100" `
-EndRange "192.168.1.110"
# View scope
Get-DhcpServerv4Scope
Get-DhcpServerv4ScopeStatistics
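A scope that hands out addresses is not yet a safe one: by default the DHCP server registers client names in DNS under its own computer account, lets any client claim any name, serves any MAC address, and may not be logging. The following is an added example, not code from the original guide; it assumes the DhcpServer module on a DHCP server in contoso.com with the scope created above, prompts for the account used for DNS updates, and the deny-listed MAC address and audit-log path are illustrative.

```powershell
# Added example, not part of the original guide. Assumes the DhcpServer module
# on a DHCP server in contoso.com with the scope above; the DNS-registration
# account is prompted for, and the MAC address and paths are illustrative.
Import-Module DhcpServer
$scopeId = "192.168.1.0"

# 1. Register DNS records with a dedicated, unprivileged account instead of the
#    DHCP server's computer account. This matters most when DHCP runs on a domain
#    controller, whose computer account can overwrite any record in the zone.
$dnsCred = Get-Credential -Message "Account used only for DHCP-originated DNS updates"
Set-DhcpServerDnsCredential -Credential $dnsCred
Restart-Service DHCPServer

# 2. Name protection: DHCP writes a DHCID record next to each name it registers
#    and refuses to overwrite a name that belongs to a different client, so a
#    rogue device cannot register itself as "fileserver" and receive its traffic.
Set-DhcpServerv4DnsSetting -ScopeId $scopeId `
    -DynamicUpdates Always `
    -NameProtection $true `
    -DeleteDnsRROnLeaseExpiry $true `
    -UpdateDnsRRForOlderClients $true

# 3. Link-layer filtering: a deny list for known-bad MACs, or an allow list where
#    the scope should only ever serve inventoried devices. MACs are spoofable,
#    so treat this as hygiene, not as access control.
Add-DhcpServerv4Filter -List Deny -MacAddress "00-15-5D-01-02-04" -Description "Retired printer NIC (example)"
Set-DhcpServerv4FilterList -Deny $true -Allow $false

# 4. Audit log: every lease, renewal and NAK with the client MAC, for correlation
#    with DNS and authentication logs in the SIEM.
Set-DhcpServerAuditLog -Enable $true -Path "C:\Windows\System32\dhcp" -MaxMBFileSize 70

function Get-DhcpHardeningState {
    param([string]$ScopeId = $scopeId)
    $dns  = Get-DhcpServerv4DnsSetting -ScopeId $ScopeId
    $flt  = Get-DhcpServerv4FilterList
    $cred = Get-DhcpServerDnsCredential
    [pscustomobject]@{
        DnsUpdateAccount  = if ($cred.UserName) { "$($cred.DomainName)\$($cred.UserName)" } else { "(computer account)" }
        NameProtection    = $dns.NameProtection
        DeleteRROnExpiry  = $dns.DeleteDnsRROnLeaseExpiry
        DenyFilterActive  = $flt.Deny
        AllowFilterActive = $flt.Allow
        AuditLogEnabled   = (Get-DhcpServerAuditLog).Enable
    }
}
Get-DhcpHardeningState
```

The DNS-update account needs only the right to create and modify records in the zones DHCP registers into (membership in DnsUpdateProxy is the usual way to arrange that); give it nothing else, since the DHCP server will use it unattended.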
DHCP Reservations
# Add reservation
Add-DhcpServerv4Reservation -ScopeId "192.168.1.0" `
-IPAddress "192.168.1.150" `
-ClientId "00-15-5D-01-02-03" `
-Name "Printer01" `
-Description "HP LaserJet 4050"
# View reservations
Get-DhcpServerv4Reservation -ScopeId "192.168.1.0"
# Remove reservation
Remove-DhcpServerv4Reservation -ScopeId "192.168.1.0" -IPAddress "192.168.1.150"
DHCP Failover Configuration
# Configure DHCP failover (load balance mode). The shared secret authenticates the
# failover messages exchanged between partners on TCP 647; use a long random value
# read from a secure prompt rather than a literal in a script
Add-DhcpServerv4Failover -ComputerName "DHCP01" `
-PartnerServer "DHCP02" `
-Name "DHCP-Failover" `
-ScopeId "192.168.1.0" `
-LoadBalancePercent 50 `
-MaxClientLeadTime 1:00:00 `
-AutoStateTransition $true `
-StateSwitchInterval 1:00:00 `
-SharedSecret "P@ssw0rd123!"
# Configure DHCP failover (hot standby mode). Add -SharedSecret here as well;
# without it this relationship's messages are unauthenticated
Add-DhcpServerv4Failover -ComputerName "DHCP01" `
-PartnerServer "DHCP02" `
-Name "DHCP-Failover-HS" `
-ScopeId "192.168.2.0" `
-ServerRole Active `
-ReservePercent 10 `
-MaxClientLeadTime 1:00:00 `
-AutoStateTransition $true `
-StateSwitchInterval 1:00:00
# View failover status
Get-DhcpServerv4Failover
Get-DhcpServerv4ScopeStatistics | Select-Object ScopeId, AddressesFree, AddressesInUse, PercentageInUse
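Failover is only useful if someone notices when it degrades, and the two partners can disagree about the relationship state (the usual causes are clock skew or a firewall blocking TCP 647), so the check has to be run against both. The following is an added example, not code from the original guide; it assumes the DhcpServer module and RPC access to the DHCP01 and DHCP02 used above, and the 80 % utilisation threshold is an illustrative choice.

```powershell
# Added example, not part of the original guide. Assumes the DhcpServer module
# and RPC access to both failover partners; names and the threshold are illustrative.
Import-Module DhcpServer

function Get-DhcpFailoverHealth {
    param(
        [string[]]$Servers = @("DHCP01", "DHCP02"),
        [int]$WarnPercentInUse = 80
    )
    foreach ($srv in $Servers) {
        # Relationship state as seen from this partner. Anything but Normal
        # (CommunicationInterrupted, PartnerDown, ...) needs attention, and the
        # two partners reporting different states is itself a finding.
        foreach ($fo in (Get-DhcpServerv4Failover -ComputerName $srv)) {
            [pscustomobject]@{
                Server = $srv; Check = 'Failover'; Object = $fo.Name
                Status = if ($fo.State -eq 'Normal') { 'OK' } else { 'WARN' }
                Detail = "mode=$($fo.Mode) partner=$($fo.PartnerServer) state=$($fo.State)"
            }
        }
        # Per-scope utilisation. In load-balance mode each partner owns half of
        # the free pool, so a scope that looks 80% full here is nearly exhausted.
        foreach ($s in (Get-DhcpServerv4ScopeStatistics -ComputerName $srv)) {
            [pscustomobject]@{
                Server = $srv; Check = 'ScopeUsage'; Object = $s.ScopeId.ToString()
                Status = if ($s.PercentageInUse -ge $WarnPercentInUse) { 'WARN' } else { 'OK' }
                Detail = "inuse=$($s.AddressesInUse) free=$($s.AddressesFree) pct=$([math]::Round($s.PercentageInUse, 1))"
            }
        }
    }
}

# Only the problems, suitable for a scheduled task that mails or pages on output
Get-DhcpFailoverHealth | Where-Object Status -ne 'OK' | Format-Table -AutoSize
```

Scope exhaustion is worth alerting on for more than availability: a scope that suddenly fills up is also what a DHCP starvation attack from a single port looks like, and the audit log from that scope is where the flood of distinct client MACs will show.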
Monitoring DHCP
# View active leases
Get-DhcpServerv4Lease -ScopeId "192.168.1.0"
# View scope statistics
Get-DhcpServerv4ScopeStatistics -ScopeId "192.168.1.0" | Format-List
# View server statistics
Get-DhcpServerv4Statistics
# Export DHCP configuration
Export-DhcpServer -File "C:\Backup\DHCP-Backup.xml" -Leases
# Import DHCP configuration
Import-DhcpServer -File "C:\Backup\DHCP-Backup.xml" -BackupPath "C:\Backup\DHCP" -Leases
VPN Configuration
Installing VPN Server
# Install Remote Access role with VPN
Install-WindowsFeature -Name Routing, DirectAccess-VPN, RSAT-RemoteAccess -IncludeManagementTools
# Configure as a remote-access (client) VPN server. VpnS2S is site-to-site only;
# remote users need -VpnType Vpn
Install-RemoteAccess -VpnType Vpn
Configuring VPN Settings
# Set VPN properties. Offer only IKEv2 and SSTP (PPTP's MS-CHAPv2/MPPE protection
# is broken). SSTP always listens on TCP 443; the *Ports values are the number of
# concurrent connections of each type, not a TCP port number
Set-VpnServerConfiguration -TunnelType Ikev2, Sstp `
-Ikev2Ports 128 `
-SstpPorts 128 `
-IdleDisconnectSeconds 300
# Configure VPN authentication. MS-CHAPv2 is kept here only for legacy clients:
# a captured MS-CHAPv2 exchange can be cracked offline, so prefer EAP
# (EAP-TLS or PEAP) and drop MSChapv2 as soon as the clients allow it
Set-VpnAuthProtocol -UserAuthProtocolAccepted EAP, MSChapv2 `
-PassThru
# Set VPN IP address range (the parameter takes the start and end address as a pair)
Set-VpnIPAddressAssignment -IPAssignmentMethod StaticPool `
-IPAddressRange "192.168.10.1", "192.168.10.100"
# View VPN configuration
Get-VpnServerConfiguration
Get-RemoteAccessConnectionStatistics
Creating VPN Client Profiles
# Add VPN connection on client. -SplitTunneling and -RememberCredential are switch
# parameters on Add-VpnConnection (no $true); with machine-certificate
# authentication there is no user credential to remember
Add-VpnConnection -Name "Contoso VPN" `
-ServerAddress "vpn.contoso.com" `
-TunnelType IKEv2 `
-AuthenticationMethod MachineCertificate `
-SplitTunneling `
-PassThru
# Configure VPN connection properties (Set-VpnConnection takes booleans;
# UseWinlogonCredential only applies to user-authenticated profiles)
Set-VpnConnection -Name "Contoso VPN" `
-SplitTunneling $true `
-UseWinlogonCredential $true `
-IdleDisconnectSeconds 600
# Connect to VPN. Machine-certificate authentication needs no credentials. If a
# profile does use user credentials, do not put the password on the command line
# (it is visible in the process list and the console history); use "*" so rasdial
# prompts for it: rasdial "Contoso VPN" username *
rasdial "Contoso VPN"
# Disconnect from VPN
rasdial "Contoso VPN" /disconnect
# View VPN connection status
Get-VpnConnection -Name "Contoso VPN"
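The server and client settings above leave the IKEv2 cryptography at the defaults, and the Windows default proposal set still includes 3DES, SHA-1 and 1024-bit DH group 2. A split-tunnel profile also routes nothing through the tunnel until the client is told which prefixes are internal. The following is an added example, not code from the original guide, covering both the server configuration and the client profile from this section; it assumes the RemoteAccess module on the RRAS server and the VpnClient module on a Windows client, reuses the "Contoso VPN", vpn.contoso.com and 192.168.1.0/24 values from this page, and the port counts and SA lifetime are illustrative.

```powershell
# Added example, not part of the original guide. Server part runs on the RRAS
# server (RemoteAccess module); client part runs on a Windows client (VpnClient
# module). Names and prefixes are from this guide; port counts and SA lifetime
# are illustrative.

# --- Server side: IKEv2 and SSTP only, with an explicit IPsec proposal ---
Import-Module RemoteAccess
Set-VpnServerConfiguration -TunnelType Ikev2, Sstp -Ikev2Ports 256 -SstpPorts 256 `
    -IdleDisconnectSeconds 300
# Replace the default proposal set (3DES / SHA-1 / DH group 2 are still in it)
# with AES-256, SHA-256 and 2048-bit groups for both IKE and ESP, with PFS.
Set-VpnServerIPsecConfiguration -CustomPolicy `
    -EncryptionMethod AES256 -IntegrityCheckMethod SHA256 -DHGroup Group14 `
    -CipherTransformConstants AES256 -AuthenticationTransformConstants SHA256128 `
    -PfsGroup PFS2048 -SALifeTimeSeconds 28800
# Certificate-based user authentication only; no MS-CHAPv2 fallback to downgrade to.
Set-VpnAuthProtocol -UserAuthProtocolAccepted Eap -PassThru
Restart-Service RemoteAccess

# --- Client side: matching profile, same proposal, explicit split-tunnel routes ---
Import-Module VpnClient
Add-VpnConnection -Name "Contoso VPN" -ServerAddress "vpn.contoso.com" -TunnelType Ikev2 `
    -AuthenticationMethod MachineCertificate -EncryptionLevel Required -SplitTunneling -Force
Set-VpnConnectionIPsecConfiguration -ConnectionName "Contoso VPN" `
    -EncryptionMethod AES256 -IntegrityCheckMethod SHA256 -DHGroup Group14 `
    -CipherTransformConstants AES256 -AuthenticationTransformConstants SHA256128 `
    -PfsGroup PFS2048 -Force
# With split tunnelling only listed prefixes go through the tunnel; everything
# else leaves the client directly. Add each internal network explicitly.
Add-VpnConnectionRoute -ConnectionName "Contoso VPN" -DestinationPrefix "192.168.1.0/24"
Get-VpnConnection -Name "Contoso VPN" |
    Select-Object Name, TunnelType, AuthenticationMethod, EncryptionLevel, SplitTunneling
```

Both sides must offer an overlapping proposal or the IKE_SA_INIT exchange fails with a policy-mismatch error, so roll the client profile out before tightening the server. Split tunnelling is a deliberate trade: it keeps Internet traffic off the corporate egress, but it also means the client's browser and the tunnel share one network stack, so pair it with host firewall rules on the client rather than relying on the tunnel for isolation.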
DirectAccess Configuration
Deploying DirectAccess
# Install DirectAccess prerequisites
Install-WindowsFeature -Name DirectAccess-VPN, Routing -IncludeManagementTools
# Configure DirectAccess using the Remote Access wizard or PowerShell
# Requirements (edge topology; a single NIC behind NAT works with IP-HTTPS only):
# - Two consecutive public IPv4 addresses (needed for Teredo)
# - PKI certificate for IP-HTTPS whose subject matches the public name clients connect to
# - Network Location Server certificate. The NLS URL must not be reachable from the
#   Internet: a client that can reach it assumes it is on the intranet and never
#   brings up the tunnels
# Basic DirectAccess setup. -DAInstallType Full deploys the full configuration;
# -ConnectToAddress is the public IP-HTTPS name. (Install-RemoteAccess has no
# -DirectAccess switch, and -VpnType VpnS2S is site-to-site VPN, not DirectAccess.)
Install-RemoteAccess -DAInstallType Full -ConnectToAddress "vpn.contoso.com"
# Configure DirectAccess client settings. The client GPO targets the listed
# security group; -OnlyRemoteComputers Enabled adds a WMI filter so that only
# mobile computers in that group receive it
Set-DAClient -SecurityGroupNameList "contoso.com\Laptops" `
-OnlyRemoteComputers Enabled `
-Downlevel Enabled `
-ForceTunneling Disabled
# Configure DirectAccess server
Set-DAServer -InternalIPv6Prefix "fd00::/64" `
-InternetInterface "Ethernet" `
-InternalInterface "Ethernet 2"
# View DirectAccess status (Get-DAConnectionStatus runs on a client;
# Get-RemoteAccessHealth on the server)
Get-DAConnectionStatus
Get-RemoteAccessHealth
Network Policy Server (RADIUS)
Installing NPS
# Install Network Policy Server
Install-WindowsFeature -Name NPAS -IncludeManagementTools
# Import NPS module
Import-Module NPS
Configuring RADIUS Clients
# Add RADIUS client. Use a long random shared secret unique to each device, and
# require the Message-Authenticator attribute so NPS drops Access-Requests that
# are not HMAC-protected with that secret (the secret below is a placeholder)
New-NpsRadiusClient -Name "Wireless-AP-01" `
-Address "192.168.1.50" `
-SharedSecret "RadiusSecret123!" `
-VendorName "Standard" `
-AuthAttributeRequired $true
# View RADIUS clients
Get-NpsRadiusClient
# Remove RADIUS client
Remove-NpsRadiusClient -Name "Wireless-AP-01"
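Creating RADIUS clients one at a time with a typed-in secret is where weak and shared secrets come from. The following is an added example, not code from the original guide; it assumes the NPS module on the NPS server, the three-device inventory is constructed for the example, and the per-device secrets are generated from the OS CSPRNG so that losing one access point does not let an attacker impersonate every other NAS.

```powershell
# Added example, not part of the original guide. Assumes the NPS module on the
# NPS server; the client inventory below is constructed for the example.
Import-Module NPS

# Constructed inventory; in practice this comes from the network CMDB.
$radiusClients = @(
    @{ Name = "Wireless-AP-01"; Address = "192.168.1.50" },
    @{ Name = "Wireless-AP-02"; Address = "192.168.1.51" },
    @{ Name = "Core-Switch-01"; Address = "192.168.1.2"  }
)

function New-RadiusSharedSecret {
    # 32 characters from a 62-symbol alphabet (about 190 bits) drawn from the OS
    # CSPRNG with rejection sampling, so there is no modulo bias toward the first symbols.
    param([int]$Length = 32)
    $alphabet = [char[]]'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789'
    $rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $buf = New-Object byte[] 1
    $sb  = New-Object System.Text.StringBuilder
    while ($sb.Length -lt $Length) {
        $rng.GetBytes($buf)
        if ($buf[0] -lt 248) { [void]$sb.Append($alphabet[$buf[0] % 62]) }   # 248 = 4 * 62
    }
    $sb.ToString()
}

# One secret per device. -AuthAttributeRequired makes NPS discard Access-Requests
# that lack a valid Message-Authenticator HMAC, so a request spoofed from the
# client's IP address by someone without the secret is dropped.
$handoff = foreach ($c in $radiusClients) {
    $secret = New-RadiusSharedSecret
    New-NpsRadiusClient -Name $c.Name -Address $c.Address -SharedSecret $secret `
        -VendorName "Standard" -AuthAttributeRequired $true | Out-Null
    [pscustomobject]@{ Name = $c.Name; Address = $c.Address; SharedSecret = $secret }
}
# $handoff holds the secrets for pushing to each device's own configuration
# channel; do not log or export it.

function Get-NpsRadiusClientFindings {
    # Clients that still accept unauthenticated requests, or that are enabled
    # for an address no longer in the inventory (a retired device's entry).
    param([string[]]$KnownAddresses = $radiusClients.Address)
    Get-NpsRadiusClient | ForEach-Object {
        $issues = @()
        if (-not $_.AuthAttributeRequired) { $issues += 'MessageAuthenticatorNotRequired' }
        if ($_.Enabled -and $_.Address -notin $KnownAddresses) { $issues += 'NotInInventory' }
        if ($issues) {
            [pscustomobject]@{ Name = $_.Name; Address = $_.Address; Issues = ($issues -join ',') }
        }
    }
}
Get-NpsRadiusClientFindings | Format-Table -AutoSize
```

The shared secret only protects the RADIUS transport; user credentials are still only as safe as the EAP method negotiated inside it, which is why the network policy should be restricted to EAP-TLS or PEAP with server-certificate validation rather than PAP or plain MS-CHAPv2.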
Creating Network Policies
# Export NPS configuration. The XML contains every RADIUS shared secret in clear
# text: write it only to an ACL-restricted location and delete it after import
Export-NpsConfiguration -Path "C:\Backup\NPS-Config.xml"
# Import NPS configuration
Import-NpsConfiguration -Path "C:\Backup\NPS-Config.xml"
# Example: Configure 802.1X authentication policy
# Connection request and network policies have no PowerShell cmdlets; use the
# NPS console (nps.msc) or netsh nps to:
# 1. Create a Connection Request Policy
# 2. Create a Network Policy with conditions (Windows Groups, NAS Port Type, Authentication Method)
# 3. Set constraints (EAP types, e.g. EAP-TLS or PEAP with server-certificate validation; encryption)
# 4. Configure settings (VLAN assignment via the Tunnel-* attributes, bandwidth limits)
Software-Defined Networking (SDN)
Network Controller Deployment
# SDN requires:
# - Windows Server Datacenter edition
# - Hyper-V hosts
# - Service Fabric cluster
# Install Network Controller feature
Install-WindowsFeature -Name NetworkController -IncludeManagementTools
# Configure Network Controller
# Note: Full SDN deployment requires multiple servers and complex configuration
# Example: Create Network Controller cluster (one node shown; production clusters use three or more)
$nodes = @(
New-NetworkControllerNodeObject -Name "NC01" `
-Server "NC01.contoso.com" `
-FaultDomain "fd:/rack1" `
-RestInterface "Ethernet"
)
Install-NetworkControllerCluster -Node $nodes `
-ClusterAuthentication Kerberos `
-ManagementSecurityGroup "CONTOSO\Network Admins" `
-LogLocation "\\fileserver\NCLogs"
# -ServerCertificate is mandatory: an X509Certificate2 from Cert:\LocalMachine\My
# whose subject matches the REST name; clients use it to authenticate the REST
# endpoint. -ClientSecurityGroup is the only group allowed to call that API, and
# REST callers can reprogram every virtual network the controller manages, so keep it small
Install-NetworkController -Node $nodes `
-ClientAuthentication Kerberos `
-ClientSecurityGroup "CONTOSO\Network Users" `
-ServerCertificate $restCert `
-RestIPAddress "192.168.100.10/24"
Software Load Balancer
# Build a load balancer resource for the Software Load Balancer. A rule does
# nothing on its own; it has to be attached to the load balancer's properties
$lbProps = New-Object Microsoft.Windows.NetworkController.LoadBalancerProperties
# Add load balancing rule
$rule = New-Object Microsoft.Windows.NetworkController.LoadBalancingRule
$rule.ResourceId = "web-tcp-80"
$rule.Properties = New-Object Microsoft.Windows.NetworkController.LoadBalancingRuleProperties
$rule.Properties.Protocol = "TCP"
$rule.Properties.FrontendPort = 80
$rule.Properties.BackendPort = 80
$lbProps.LoadBalancingRules = @($rule)
# Apply via the Network Controller REST API. $lbProps also needs a frontend IP
# configuration and a backend address pool (referenced from the rule) before the
# controller accepts it; the URI is the REST endpoint configured above
New-NetworkControllerLoadBalancer -ConnectionUri "https://NC01.contoso.com" `
-ResourceId "lb-web" `
-Properties $lbProps
Network Performance Tuning
Receive Side Scaling (RSS)
# View current RSS settings
Get-NetAdapterRss
# Enable RSS
Enable-NetAdapterRss -Name "Ethernet"
# Set RSS parameters
Set-NetAdapterRss -Name "Ethernet" `
-NumberOfReceiveQueues 4 `
-Profile Closest
# View RSS processor affinity
Get-NetAdapterRss -Name "Ethernet" | Select-Object -ExpandProperty IndirectionTable
Network Adapter Optimization
# Enable Jumbo Frames (for storage networks)
Set-NetAdapterAdvancedProperty -Name "Ethernet" `
-DisplayName "Jumbo Packet" `
-DisplayValue "9014"
# Remove bindings you do not use. Microsoft does not recommend disabling IPv6, and
# DirectAccess depends on it end to end, so only do this on adapters where nothing
# uses IPv6 (never on a DirectAccess server or a domain controller)
Disable-NetAdapterBinding -Name "Ethernet" -ComponentID ms_tcpip6
# Set network adapter power settings: keep the NIC awake on link loss. Magic
# packets are unauthenticated, so enable wake-on-LAN only on networks you trust
Set-NetAdapterPowerManagement -Name "Ethernet" `
-DeviceSleepOnDisconnect Disabled `
-WakeOnMagicPacket Enabled
# View adapter statistics
Get-NetAdapterStatistics -Name "Ethernet"
TCP/IP Optimization
# Optimize TCP settings for high-bandwidth networks. Only options that still exist
# on Windows Server 2016 and later are shown: TCP Chimney offload, NetDMA and DCA
# were removed (chimney=, netdma= and dca= no longer apply); RSS and the adapter's
# own offloads took their place
netsh int tcp set global autotuninglevel=normal
netsh int tcp set global ecncapability=enabled
netsh int tcp set global timestamps=enabled
# Set TCP window scaling
Set-NetTCPSetting -SettingName InternetCustom `
-AutoTuningLevelLocal Normal `
-ScalingHeuristics Enabled `
-Timestamps Enabled
# View TCP statistics
Get-NetTCPConnection | Group-Object State | Select-Object Count, Name
Get-NetTCPSetting
Network Monitoring
# Monitor network performance: save a refreshing dashboard script. A single-quoted
# here-string keeps the $ and ` characters intact, so nothing inside needs escaping
$networkMonitor = @'
while ($true) {
    Clear-Host
    Write-Host '========================================' -ForegroundColor Cyan
    Write-Host 'Network Performance Monitor' -ForegroundColor Cyan
    Write-Host "========================================`n" -ForegroundColor Cyan
    # Network adapter statistics
    Get-NetAdapterStatistics | Format-Table Name, ReceivedBytes, SentBytes, ReceivedUnicastPackets, SentUnicastPackets
    # TCP connections by state
    Write-Host "`nTCP Connections:" -ForegroundColor Yellow
    Get-NetTCPConnection | Group-Object State | Select-Object Name, Count | Format-Table
    # Processes with the most TCP connections (a connection count, not bandwidth)
    Write-Host "`nTop Processes by Connection Count:" -ForegroundColor Yellow
    Get-NetTCPConnection | Group-Object OwningProcess | ForEach-Object {
        [PSCustomObject]@{
            PID         = $_.Name
            ProcessName = (Get-Process -Id $_.Name -ErrorAction SilentlyContinue).ProcessName
            Connections = $_.Count
        }
    } | Sort-Object Connections -Descending | Select-Object -First 10 | Format-Table
    Start-Sleep -Seconds 5
}
'@
New-Item -ItemType Directory -Path "C:\Scripts" -Force | Out-Null
$networkMonitor | Out-File "C:\Scripts\NetworkMonitor.ps1"
Key Takeaways
- DNS provides name resolution with zones, records, and DNSSEC
- DHCP automates IP address assignment with scopes and failover
- VPN enables secure remote access with multiple protocols
- DirectAccess provides always-on, IPsec-based connectivity for domain-joined computers (Microsoft now steers new deployments to Always On VPN)
- Network Policy Server delivers RADIUS authentication and 802.1X
- Software-Defined Networking offers programmatic network control
- Network performance tuning improves throughput and latency
- Monitoring tools track network health and troubleshoot issues
Next Steps
- Deploy DNS with DNSSEC for secure resolution
- Configure DHCP failover for high availability
- Set up VPN for remote users
- Implement DirectAccess for seamless connectivity
- Configure NPS for wireless authentication
- Optimize network adapter settings
- Monitor network performance regularly