Configuring DNS Zones, Subdomains, Forwarders, and Zone Transfers

Windows Server 2003 supports primary, secondary, Active Directory–integrated, and stub zones, each of which can be created to support either forward lookups or reverse lookups. Forward lookup queries allow a client to resolve a host name to an IP address. Reverse lookups allow a client to resolve an IP address to a host name. At times you might also need to configure subdomains, forwarders, and zone transfers. All of these topics are discussed in this section.

Creating Forward Lookup Zones

To create the initial forward lookup zone or additional forward lookup zones on a server, follow these steps:

  1. In the DNS console, expand the node for the server you want to work with. Right-click the Forward Lookup Zone entry, and then choose New Zone. Afterward, in the New Zone Wizard, click Next.

  2. Select the zone type. Choose one of the following options, and then click Next:

    • Primary Zone—Use this option to create a primary zone and designate this server to be authoritative for the zone. Ensure that Store The Zone In Active Directory is selected if you want to integrate DNS with Active Directory. Otherwise, clear this option so that a standard primary zone is created.

    • Secondary Zone—Use this option to create a secondary zone. This means the server will have a read-only copy of the zone and will need to use zone transfers to get updates.

    • Stub Zone—Use this option to create a stub zone. This creates only the necessary glue records for the zone. Optionally, specify that this zone should be integrated with Active Directory. This means the zone will be stored in Active Directory and be updated using Active Directory replication.

  3. If you created an Active Directory–integrated zone, specify the replication scope, and then click Next. You have the following options:

    • To All DNS Servers In The Active Directory Forest—Enables replication of the zone information to all domains in the Active Directory forest. Each DNS server in the forest will receive a copy of the zone information and get updates through replication.

    • To All DNS Servers In The Active Directory Domain—Enables replication of the zone information in the current domain. Each DNS server in the domain will receive a copy of the zone information and get updates through replication.

    • To All Domain Controllers In The Active Directory Domain—Replicates zone information to all domain controllers in the Active Directory domain. As with a Windows 2000 domain, all domain controllers will get a copy of the zone information and get updates through replication regardless of whether they are also running the DNS Server service.

    • To All Domain Controllers Specified In The Scope Of The Following Application Partition—If you've configured application partitions, you can limit the scope of replication to a designated application partition. Any domain controllers configured with the application partition will get a copy of the zone information and get updates through replication regardless of whether they are also running the DNS Server service.

  4. In the Zone Name page, type the full DNS name for the zone. The zone name should help determine how the zone fits into the DNS domain hierarchy. For example, if you're creating the primary server for the cpandl.com domain, you should type cpandl.com as the zone name. Click Next.

  5. If you're creating a standard primary zone, you see the Zone File page. This page allows you to create a new zone file or use an existing zone file. In most cases, you'll simply accept the default name and allow the wizard to create the file for you in the %SystemRoot%\System32\Dns folder. If you are migrating from a BIND DNS server or have a preexisting zone file, you can select Use This Existing File and then type the name of the file that you've copied to the %SystemRoot%\System32\Dns folder. Click Next when you are ready to continue.

  6. If you're creating a secondary zone, you see the Master DNS Servers page. Type the IP address of the primary DNS server that's maintaining the zone, and then click Add. Repeat this step to specify additional name servers. Zone transfers will be configured to copy the zone information from these DNS servers.

  7. On the Dynamic Update page, choose how you want to configure dynamic updates, and then click Next. You can use one of these options:

    • Allow Only Secure Dynamic Updates—This option is available only on domain controllers and when Active Directory is deployed. It provides for the best security possible by restricting which clients can perform dynamic updates.

    • Allow Both Nonsecure and Secure Dynamic Updates—This option allows any client to update resource records in DNS. Although it allows both secure and non-secure updates, it doesn't validate updates, which means dynamic updates are accepted from any client.

    • Do Not Allow Dynamic Updates—Choosing this option disables dynamic updates in DNS. You should use this option only when the zone isn't integrated with Active Directory.

  8. Click Next and then click Finish to complete the configuration and exit the wizard.

Creating Reverse Lookup Zones

To create the initial reverse lookup zone or additional reverse lookup zones on a server, follow these steps:

  1. In the DNS console, expand the node for the server you want to work with. Right-click the Reverse Lookup Zone entry, and choose New Zone. Afterward, in the New Zone Wizard, click Next.

  2. On the Zone Type page, you can select the zone type. The options available are the same as for forward lookup zones. Click Next after making a selection.

  3. If you created an Active Directory–integrated zone, specify the replication scope, and then click Next.

  4. In the Reverse Lookup Zone Name page, type the network ID for the reverse lookup zone, and then click Next. If you have multiple subnets on the same network, such as 192.168.1, 192.168.2, and 192.168.3, you should enter only the network portion for the zone name, such as 192.168, rather than the complete network ID. The DNS Server service will then fill in the necessary subnet zones as you use IP addresses on a particular subnet.

  5. If you're creating a standard secondary zone, you see the Zone File page. This page allows you to create a new zone file or use an existing zone file.

  6. On the Dynamic Update page, choose how you want to configure dynamic updates, and then click Next.

  7. Click Next and then click Finish to complete the configuration and exit the wizard.
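The wizard hides what it does with the network ID you type in step 4: it reverses the octets and appends in-addr.arpa, and PTR records for each subnet then sit under that parent. The following Python helpers are an added illustration of that naming (not code from the chapter); the function and zone names are constructed for the example.

```python
import ipaddress
from typing import Optional

ARPA_SUFFIX = "in-addr.arpa"


def reverse_zone_name(network_id: str) -> str:
    """Turn a network ID as typed in the wizard ("192.168" or "192.168.1")
    into the reverse lookup zone's DNS name. The octets are reversed because
    the in-addr.arpa tree is rooted at the most significant octet."""
    octets = network_id.strip(".").split(".")
    if not 1 <= len(octets) <= 3:
        raise ValueError("network ID must have 1 to 3 octets")
    for octet in octets:
        if not octet.isdigit() or not 0 <= int(octet) <= 255:
            raise ValueError(f"bad octet {octet!r}")
    return ".".join(reversed(octets)) + "." + ARPA_SUFFIX


def ptr_owner_name(ip: str) -> str:
    """Owner name of the PTR record for one IPv4 address."""
    addr = ipaddress.IPv4Address(ip)   # raises on an invalid address
    return addr.reverse_pointer        # e.g. 10.1.168.192.in-addr.arpa


def subnet_zone_for(parent_network_id: str, ip: str) -> Optional[str]:
    """Name of the /24 subnet zone the server fills in under the parent
    zone (e.g. 192.168 -> 2.168.192.in-addr.arpa for 192.168.2.25), or
    None when the address is outside the parent zone."""
    parent_octets = parent_network_id.strip(".").split(".")
    ip_octets = str(ipaddress.IPv4Address(ip)).split(".")
    if ip_octets[: len(parent_octets)] != parent_octets:
        return None
    # Everything but the host octet is the subnet's network ID.
    return reverse_zone_name(".".join(ip_octets[:3]))


def zone_covers(zone_name: str, ip: str) -> bool:
    """True when the PTR record for ip belongs somewhere under zone_name."""
    return ptr_owner_name(ip).endswith("." + zone_name)
```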

Configuring Forwarders and Conditional Forwarding

In a normal configuration, if a DNS name server can't resolve a request, it forwards the request for resolution. A server to which DNS queries are forwarded is referred to as a forwarder. You can specifically designate forwarders that should be used by your internal DNS servers. For example, if you designate your ISP's primary and secondary name servers as forwarders, queries that your internal name servers can't resolve will be forwarded to these servers. Forwarding still takes place, however, even if you don't specifically designate forwarders. The reason for this is that the root hints file specifies the root name servers for the public Internet.

Any time forwarders are not specified or available, requests are forwarded to the root name servers. The root name servers then forward the request to the appropriate top-level domain name server, which forwards it to the next-level domain server, and so on. This process is referred to as recursion, and, as you can see, it involves a number of forwarding actions.

Another forwarding option is to configure what is called a conditional forwarder. When using conditional forwarding, you can tell your DNS name servers that if they see a request for domain XYZ, they should not forward it to the public DNS name servers for resolution. Instead, the name servers should forward the request directly to the authoritative name server for the XYZ domain.

You can configure these forwarding options in the DNS console. In the DNS console, right-click the server you want to work with, and select Properties. In the Properties dialog box, select the Forwarders tab, as shown in Figure 27-11.

Figure 27-11. The Forwarders tab.

You can now do one of the following:

  • Configure a forwarder—To forward queries that internal servers can't resolve to another server, select All Other DNS Domains, type the IP address for this server, and click Add. You can optionally include the IP address for a second forwarder as well.

  • Configure a conditional forwarder—To forward queries conditionally for a specific domain, click New to the right of the DNS domain boxes. In the New Forwarder dialog box, type the DNS domain name for which conditional forwarding should be configured, such as thephone-company.com, and click OK. With the conditional domain selected under DNS Domain, type the IP address for the primary server in the conditional domain, and then click Add. You can optionally include the IP address for a second forwarder in the conditional domain as well.

  • Set forwarder query timeout—Use the Number Of Seconds Before Forward Queries Time Out box to set a timeout for queries in seconds. By default, a DNS server will continue to attempt to contact and use a listed forwarder for 5 seconds. When the timeout expires, the server moves to the next forwarder on the list and does the same. When there are no additional forwarders, the server uses the root hints to locate a root server to which the query can be forwarded.

  • Disable recursion—To disable recursion, select Do Not Use Recursion For This Domain. If this option is selected and no forwarders are configured, a query automatically fails. If this option is selected and forwarders don't respond in the timeout interval, a query automatically fails. Clients configured with another DNS server would then try to resolve the query on this server.

Note

A DNS server configured to use forwarders and to not use recursion is called a subordinate name server. The reason for this is that the server can forward queries only to designated servers and isn't free to try to resolve the query using the root hints.
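The order in which the Forwarders tab settings are consulted (conditional forwarder first, then the All Other DNS Domains list, then root hints unless recursion is disabled) is easy to get wrong when troubleshooting. The following Python model is an added example, not code from the chapter or from the DNS Server service; it assumes, as the text describes, that an unanswered conditional forwarder falls through to the root hints rather than to the general forwarder list, and the `responding` set stands in for forwarders that answer within the timeout.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple


@dataclass
class ForwarderConfig:
    # "All Other DNS Domains" entry on the Forwarders tab, tried in order.
    default_forwarders: List[str] = field(default_factory=list)
    # Conditional forwarders: DNS domain -> forwarder IPs for that domain.
    conditional: Dict[str, List[str]] = field(default_factory=dict)
    # "Number Of Seconds Before Forward Queries Time Out" (default 5).
    timeout_seconds: int = 5
    # "Do Not Use Recursion For This Domain": no fallback to root hints.
    no_recursion: bool = False


def matching_conditional(cfg: ForwarderConfig, qname: str) -> Optional[str]:
    """Longest-suffix match, so a query for host.ny.cpandl.com prefers a
    conditional entry for ny.cpandl.com over one for cpandl.com."""
    labels = qname.rstrip(".").lower().split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in cfg.conditional:
            return candidate
    return None


def plan_forwarding(cfg: ForwarderConfig, qname: str,
                    responding: Set[str]) -> List[Tuple[str, str]]:
    """Steps the server takes for a query it can't answer itself.
    Each step is (target, outcome); the list ends with the final outcome."""
    steps: List[Tuple[str, str]] = []
    domain = matching_conditional(cfg, qname)
    if domain is not None:
        targets, kind = cfg.conditional[domain], f"conditional:{domain}"
    else:
        targets, kind = cfg.default_forwarders, "forwarder"
    for ip in targets:
        if ip in responding:
            steps.append((f"{kind}:{ip}", "answered"))
            return steps
        # Timed out: move to the next forwarder on the list.
        steps.append((f"{kind}:{ip}", f"timeout after {cfg.timeout_seconds}s"))
    if cfg.no_recursion:
        # Subordinate name server: no forwarder answered, so the query fails.
        steps.append(("query", "FAILED: recursion disabled"))
    else:
        steps.append(("root-hints", "recursive resolution via root name servers"))
    return steps
```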

Configuring Subdomains and Delegating Authority

Your organization's domain structure is separate from its zone configuration. If you create subdomains of a parent domain, you can add these subdomains to the parent domain's zone or create separate zones for the subdomains. When you create separate zones, you must tell DNS about the other servers that have authority over a particular subdomain. You do this by telling the primary name server for the parent domain that you've delegated authority for a subdomain.

When you add subdomains of a parent domain to the same zone as the parent domain, you have a single large namespace hosted by primary servers. This gives you a single unit to manage, which is good when you want central control over DNS in the domain. The disadvantage is that as the number of subdomains in the zone grows, there's more and more to manage, and at some point, the DNS server can become overburdened, especially if dynamic updates are allowed and there are hundreds or thousands of host records.

When you create a separate zone for a subdomain, you have an additional unit of management that can be placed on the same DNS server or on a different DNS server. This means that you can delegate control over the zone to someone else, which would allow branch offices or other departments within the organization to manage their own DNS services. If the zone is on another DNS server, you shift the load associated with that zone to another server. The disadvantage is that you lose central control over DNS.

Note

It isn't possible to combine domains from different branches of the namespace and place them in a single zone. As a result, domains that are part of the same Active Directory forest but on different trees must be in separate zones. Thus, you would need separate zones for cohowinery.com and cohovineyards.com.

To create subdomains in separate zones on the same server as the parent domain, complete the following steps:

  1. Create the necessary forward and reverse lookup zones for the subdomains as described earlier in this chapter in the sections "Creating Forward Lookup Zones" and "Creating Reverse Lookup Zones," respectively.

  2. You don't need to delegate authority because these subdomains are on the primary name server for the parent domain. This server automatically has control over the zones.

To create subdomains in separate zones and on separate servers, complete the following steps:

  1. Install a DNS server in each subdomain, and then create the necessary forward and reverse lookup zones for the subdomains as described earlier in this chapter in the sections "Creating Forward Lookup Zones" and "Creating Reverse Lookup Zones," respectively.

  2. On the primary DNS server for the parent domain, you must delegate authority to each subdomain. In the DNS console, expand the node for the server on which the parent domain is located, and then expand the related Forward Lookup Zones folder.

  3. Right-click the parent domain entry, and then select New Delegation. This starts the New Delegation Wizard. Click Next.

  4. As shown in Figure 27-12, type the name of the subdomain, such as ny. Check the fully qualified domain name (FQDN) to ensure that it is correct, and then click Next.

    Figure 27-12. Specify the subdomain name.

  5. In the Name Servers page, click Add. As shown in Figure 27-13, the New Resource Record dialog box is displayed.

    Figure 27-13. Specify the server name and IP address.

  6. In the Server Fully Qualified Domain Name (FQDN) box, type the fully qualified host name of a DNS server for the subdomain, such as ns1.ny.cpandl.com, and then click Resolve. If the IP address of the name server is filled in for you, click Add, and then add other IP addresses for this name server as necessary.

    Note

    You must specify the server name and at least one IP address. The order of the entries determines which IP address is used first. You can change the order as necessary using the Up and Down buttons.

  7. Click OK to close the New Resource Record dialog box. Repeat steps 5 and 6 to specify other authoritative DNS servers for the subdomain.

  8. Click Next, and then click Finish.

Configuring Zone Transfers

Zone transfers are used to send a read-only copy of zone information to secondary DNS servers, which can be located in the same domain or in other domains. Windows Server 2003 supports three zone transfer methods:

  • Standard zone transfers in which a secondary server requests a full copy of a zone from a primary server.

  • Incremental zone transfers in which a secondary server requests only the changes that it needs to synchronize its copy of the zone information with the primary server's copy.

  • Active Directory zone transfers in which changes to zones are replicated to all domain controllers in the domain (or a subset if application partitions are configured) using Active Directory replication.

Active Directory zone transfers are automatically used and configured when you use Active Directory–integrated zones. If you have secondary name servers, these name servers can't automatically request standard or incremental zone transfers. To allow this, you must first enable zone transfers on the primary name server. Zone transfers are disabled by default to enhance DNS server security. Speaking of security, although you can allow zone transfers to any DNS server, this opens the server to possible attack. It is better to designate specific name servers that are permitted to request zone transfers.

Zone transfers can be enabled for domains and subdomains in forward lookup zones and subnets in reverse lookup zones. You enable zone transfers on primary name servers. If a server is a secondary name server, it is already configured to perform zone transfers with the primary name server in the zone.

Using the DNS console, you can enable zone transfers on a primary name server and restrict the secondary name servers that can request zone transfers. In the DNS console, expand the node for the primary name server, and then expand the related Forward Lookup Zones or Reverse Lookup Zones folder as appropriate. Right-click the domain or subnet you want to configure, and then choose Properties. In the Properties dialog box, select the Zone Transfers tab, as shown in Figure 27-14.

Figure 27-14. Configure zone transfers for a domain or subnet.

Select Allow Zone Transfers. You have three zone transfer options:

  • To Any Server—Select To Any Server to allow any DNS server to request zone transfers.

  • Only To Servers Listed On The Name Servers Tab—Select Only To Servers Listed On The Name Servers Tab to restrict transfers to name servers listed in the Name Servers tab, and then click the Name Servers tab. Then complete these steps:

    1. The Name Servers list shows the DNS servers currently configured to be authoritative for the zone and includes DNS servers that host secondary zones. If a secondary server isn't listed and you want to authorize the server to request zone transfers, click Add. This displays the New Resource Record dialog box.

    2. In the Server Fully Qualified Domain Name (FQDN) field, type the fully qualified host name of a secondary server for the domain, and then click Resolve. If the IP address of the name server is filled in for you, click Add, and then add other IP addresses for this name server as necessary.

    3. Click OK to close the New Resource Record dialog box. Repeat this process to specify other secondary DNS servers for the domain or subnet.

  • Only The Following Servers—Select Only The Following Servers to restrict transfers to a list of approved servers. Then complete these steps:

    1. Type the IP address of a secondary server that should receive zone transfers, and then click Add.

    2. Repeat this process to specify other secondary DNS servers for the domain or subnet.

When you are finished, click OK to close the Properties dialog box.

Configuring Secondary Notification

When changes are made to a zone on the primary server, secondary servers can be automatically notified of the changes. This allows the secondary servers to request zone transfers. You can configure automatic notification of secondary servers using the DNS console.

In the DNS console, expand the node for the primary name server, and then expand the related Forward Lookup Zones or Reverse Lookup Zones folder as appropriate. Right-click the domain or subnet you want to configure, and then choose Properties. In the Properties dialog box, select the Zone Transfers tab. Click Notify in the lower-right corner of the Zone Transfers tab. This displays the Notify dialog box, as shown in Figure 27-15.

Figure 27-15. Configure secondary notification.

Select Automatically Notify. You have two notification options:

  • Servers Listed On The Name Servers Tab—Select Servers Listed On The Name Servers Tab to notify name servers listed in the Name Servers tab.

  • The Following Servers—Select The Following Servers to specify the name servers that should be notified. Then complete these steps:

    1. Type the IP address of a secondary server that should receive notification, and then click Add.

    2. Repeat this process to notify other secondary DNS servers for the domain or subnet.

When you are finished, click OK twice.
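The Zone Transfers tab and the Notify dialog box are two views of one policy, and a mismatch between them (a secondary that is notified but can never pull the zone, or transfers left open to any server) is the thing to check after configuring both. The Python model below is an added example for the "Configuring Zone Transfers" and "Configuring Secondary Notification" sections, not code from the chapter or from Windows; it assumes the Name Servers tab resolves to the IPs of the NS records (a constructed `ns_records` map here) and that the primary's own addresses are skipped when that tab is used.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Set


@dataclass
class ZoneTransferPolicy:
    """Settings from the Zone Transfers tab and its Notify dialog box.
    allow:  "none" (default, transfers disabled) | "any" | "ns_tab" | "list"
    notify: "none" | "ns_tab" | "list"
    """
    allow: str = "none"
    secure_list: List[str] = field(default_factory=list)   # Only The Following Servers
    notify: str = "none"
    notify_list: List[str] = field(default_factory=list)   # The Following Servers


def name_server_tab_ips(ns_records: Dict[str, List[str]], primary_ips: Set[str]) -> Set[str]:
    """IPs of every server on the Name Servers tab, minus the primary itself
    (assumption: the primary never needs to pull or be told about its own zone)."""
    return {ip for addrs in ns_records.values() for ip in addrs} - primary_ips


def transfer_allowed(policy: ZoneTransferPolicy, ns_records: Dict[str, List[str]],
                     primary_ips: Set[str], requester_ip: str) -> bool:
    """Would a zone transfer request from requester_ip be honoured?"""
    if policy.allow == "none":
        return False
    if policy.allow == "any":
        return True
    if policy.allow == "ns_tab":
        return requester_ip in name_server_tab_ips(ns_records, primary_ips)
    if policy.allow == "list":
        return requester_ip in set(policy.secure_list)
    raise ValueError(f"unknown allow setting {policy.allow!r}")


def notify_targets(policy: ZoneTransferPolicy, ns_records: Dict[str, List[str]],
                   primary_ips: Set[str]) -> Set[str]:
    """Servers that receive a change notification under the Notify settings."""
    if policy.notify == "none":
        return set()
    if policy.notify == "ns_tab":
        return name_server_tab_ips(ns_records, primary_ips)
    if policy.notify == "list":
        return set(policy.notify_list)
    raise ValueError(f"unknown notify setting {policy.notify!r}")


def audit(policy: ZoneTransferPolicy, ns_records: Dict[str, List[str]],
          primary_ips: Set[str]) -> List[str]:
    """Findings to fix: open transfers, and secondaries notified of changes
    that the transfer policy would then refuse to serve."""
    findings = []
    if policy.allow == "any":
        findings.append("zone transfers allowed to any server: any host can copy the whole zone")
    for ip in sorted(notify_targets(policy, ns_records, primary_ips)):
        if not transfer_allowed(policy, ns_records, primary_ips, ip):
            findings.append(f"{ip} is notified of changes but is not allowed to transfer the zone")
    return findings
```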
