Types of DNS Zones in Windows Server 2003
When you plan a DNS installation, be sure that you choose the most suitable type of zone. For instance, if your goal is to install a Windows Server 2003 domain, then investigate Active Directory Integrated Zones. Also decide how many zones to configure, it is easy to focus on the forward lookup zone, but overlook the reverse lookup zone.
Topics for DNS Zones in Windows 2003
One of the coincidence with DNS is how many of the components come in pairs. I find this provides a natural fork for decision making (and troubleshooting).
- Active Directory-Integrated v Primary Zone
This pairing could be called Windows 200x v NT 4.0.
- Scopes of DNS Zones
- Secure and Non Secure Dynamic Updates
- Forward and Reverse Lookup Zones
- DNS Level – Main Zone or Subzone
- Summary of DNS Types
If the situation is that you are about to install Active Directory and have complete charge of DNS (no Unix DNS in the background) then aim for Active Directory-Integrated Zones. The big advantage is efficient DNS record replication. Efficient in the sense of less network traffic, fewer errors and easier configuration with low maintenance.
In a sense, Active Directory Integrated Zones are a special case of Primary Zones, where the all servers are required to be Domain Controllers.
This is the NT 4.0 DNS model, with Windows 200x improved incremental replication (IXFR). Naturally there are also Secondary Zones, which hold read only copies of the Primary Zones. There are two uses for this Primary / Secondary model :
1) The domain’s main records are held on a Unix server
2) If your DNS servers are not Domain Controllers.
(There are many ways of analyzing DNS zones, however, the advantage of looking at DNS from different angles is that you get a sense of perspective. Only by viewing the multiple sides of DNS will you be able to you judge how to configure your servers. Be sure to research thoroughly, plan carefully and test to destruction before you implement a production DNS network.)
Primary Zone – Holds Read and Write copies of all resource records (A, NS, _SRV). See more on resource records
Secondary Zone – Read only copies of records, gets updates from the primary server by zone transfer.
Stub Zone – New in Windows 2003, a tiny zone with just pointers to another domain. For example NS and SOA and A record of the main server in that Stub domain. Think of Stub Domains like secondary zones, but with only 3 records. See more on Stub Zones here.
(Store the zone in Active Directory is available for Primary Zone)
SolarWinds’ Network Performance Monitor will help you discover what’s happening on your network. This utility will also guide you through troubleshooting; the dashboard will indicate whether the root cause is a broken link, faulty equipment or resource overload.
Perhaps the NPM’s best feature is the way it suggests solutions to network problems. Its second best feature is the ability to monitor the health of individual VMware virtual machines. If you are interested in troubleshooting, and creating network maps, then I recommend that you give this Network Performance Monitor a try.
Starting with Windows 2000, DNS became Dynamic. This is a huge advantage over the old model where you had to update records manually. Secure Updates means that only machines with computer records in Active Directory can add or update their Host (A) records with DNS servers. With secure updates you avoid lots of rogue records cluttering your DNS records. This can happen if you get a visiting laptop which picks up an IP address from DHCP but does not release it because they do not disconnect gracefully from the network.
The default and recommended setting for Active Directory-Integrated is Secure only.
When you configure a DNS remember that there are 2 directions of DNS Zone. In particular, remember the reverse lookup otherwise utilities such as NSLookup or DNSLint fail.
Forward Lookup – You know the hostname, DNS tells you the IP address. Forward Lookup zones supply the main DNS mechanism for finding Hosts (A), Name Servers (NS) or Service (_gc).
Reverse Lookup – You know the IP, DNS gives you the hostname. I think of Reverse Lookup as a hackers tool, they can PING a server’s IP address and then they use a Reverse Lookup query to discover the hostname. In truth, Reverse Lookup is required by NSLookup, DNSLint and other utilities.
Let us end this section with a reminder that DNS is hierarchical, moreover you should check which level or levels you need to create zones. Take as an example a company that has bought the domain name guybay.com from InterNIC. The first point to note is that they bought a .com rather than .net or .org. When it comes to configuring DNS servers, their DNS zone will be – guybay.com. Later they could have subzones such as, customers.guybay.com. The company server where guybay.com is installed will be a name server, and it will have authority to answer queries for host records in the guybay.com zone.
Remember that DNS is hierarchical. Here is an example of the levels.
- ‘ . ‘ ……………. Root Zone
- com …………… Top Level Domain (TLD)
- guybay.com …. Guy’s main zone
- customers.guybay.com auctions.guybay.com (2 subzones)
There are many ways of implementing DNS zones, but through looking at DNS from different angles you get a sense of perspective. Only by investigating forward, reverse and Active Directory zones will you be able to you judge how to configure your servers. Be sure to research thoroughly, plan carefully and test to destruction before you implement a production DNS network.
If you like this page then please share it with your friends
Related DNS Server topics
- New Features for DNS in Windows Server 2003
- DNS – Names & Namespace
- Types of DNS Zone
- Conditional Forwarding
- Installing DNS Server
- DNS Queries
- Root Hints
- Resource Records
- DNS Naming Rules
- Basic DNS Server Troubleshooting
- Advanced DNS Troubleshooting
- Debug Logging for DNS in Windows Server 2003
- DNSLint – Utility