Validating role transfer windows domain controller
The configuration, including IP addresses and all other configuration parameters, is designed only to work on a separate test lab network.
For information and detailed procedures to deploy DNSSEC in a production environment, see DNSSEC in Windows Server 2012.
In most cases they can be left alone, but there are times when they need to be moved, such as when a DC has failed.
It is a good idea to be familiar with where the roles are installed in your AD environment; you never know when a disaster will hit.
Both of these types of attacks can be prevented with DNSSEC by requiring that DNS responses are validated as authentic. DNSSEC uses digital signatures and cryptographic keys to validate that DNS responses are authentic.
The following topics briefly discuss how these signatures are managed and validation is performed.
A successful spoofing attack will insert a fake DNS response into the DNS server’s cache, a process known as cache poisoning.
A spoofed DNS server has no way of verifying that DNS data is authentic, and will reply from its cache using the fake information.
With DNSSEC, non-authoritative DNS servers are able to validate the responses they receive when they query other DNS servers.
The DNS protocol is vulnerable to attack due to an inherent lack of authentication and integrity checking of data that is exchanged between DNS servers or provided to DNS clients.