Configuring Windows Server 2008 DNS Zones

Simply put, a zone is the namespace allocated for a particular server. Each “level” of the DNS hierarchy represents a particular zone within DNS. For the actual DNS database, a zone is a contiguous portion of the domain tree that is administered as a single separate entity by a DNS server. The zone contains resource records for all of the names within the zone. If Active Directory–integrated zones are not being used, some zone files will contain the DNS database resource records required to define the zone. If DNS data is Active Directory–integrated, the data is stored in Active Directory, not in zone files.

• Primary Zone. With a primary zone, the server hosting this zone is authoritative for the domain name. It stores the master copy of the domain information locally. When the zone is created, a file with the suffix .dns is created in the %windir%\System32\dns subdirectory of the DNS server.

• Secondary Zone. This is a secondary source—essentially a copy—of the primary DNS zone, with read-only capabilities.

• Stub Zone. Only stores information about the authoritative name servers for a particular zone.

Primary and secondary zones are standard (that is, non-Active Directory–integrated) forward lookup zones. The principal difference between the two is the ability to add records. A standard primary zone is hosted on the master servers in a zone replication scheme. Primary zones are the only zones that can be edited, whereas secondary zones are read-only and are updated only through zone transfer. DNS master servers replicate a copy of their zones to one or more servers that host secondary zones, thereby providing fault tolerance for your DNS servers. DNS standard zones are the types of zones you should use if you do not plan on integrating Active Directory with your DNS servers.

An Active Directory–integrated zone is basically an enhanced primary DNS zone stored in Active Directory and thus can, unlike all other zone types, use multimaster replication and Active Directory security features. It is an authoritative primary zone in which all of the zone data is stored in Active Directory. As mentioned previously, zone files are not used nor necessary. Integrating DNS with Active Directory produces the following additional benefits:

• Speed. Directory replication is much faster when DNS and Active Directory are integrated. This is because Active Directory replication is performed on a per-property basis, meaning that only changes that apply to particular zones are replicated. Because only the relevant information is to be replicated, the time required to transfer data between zones is greatly reduced. On top of this, a separate DNS replication topology is eliminated because Active Directory replication topology is used for both ADI zones and AD itself.

• Reduced Administrative Overhead. Any time you can reduce the number of management consoles you have to work with, you can reduce the amount of time needed to manage information. Without the advantage of consolidating the management of DNS and Active Directory in the same console, you would have to manage your Active Directory domains and DNS namespaces separately. Moreover, your DNS domain structure mirrors your Active Directory domains. Any deviation between Active Directory and DNS makes management more time-consuming and creates more opportunity for mistakes. As your network continues to grow and become more complex, managing two separate entities becomes more involved. Integrating Active Directory and DNS provides you with the ability to view and manage them as a single entity.

• Automatic Synchronization. When a new domain controller is brought online, networks that have integrated DNS and Active Directory have the advantage of automatic synchronization. Even if a domain controller will not be used to host the DNS service, the ADI zones will still be replicated, synchronized, and stored on the new domain controllers.

• Secure Dynamic. DNS Additional features have been added that enhance the security of secure dynamic updates.

A reverse lookup zone is an authoritative DNS zone that is used primarily to resolve IP addresses to network resource names. This zone type can be primary, secondary or Active Directory–integrated. Reverse lookups traverse the DNS hierarchy in exactly the same way as the more common forward lookups.

Stub zones are a new feature introduced in Windows Server 2008. They contain a partial copy of a zone that can be hosted by a DNS server and used to resolve recursive or iterative queries. A recursive query is a request from a host to a resolver to find data on other name servers. An s query is a request, usually made by a resolver, for any information a server already has in memory for a certain domain name. Stub zones contain the Start of Authority (SOA) resource records of the zone, the DNS resource records that list the zone’s authoritative servers, and the glue address (A) resource records that are required for contacting the zone’s authoritative servers. Stub zones are useful for reducing the number of DNS queries on a network, and consequently the resource consumption on the primary DNS servers for that particular namespace. Basically, stub zones are used to find other zones and can be created in the middle of a large DNS hierarchy to prevent a query for a distant zone within the same namespace from having to ascend, traverse, and return over a multitude of zones.

Windows Server 2008 also allows for a special type of Primary Zone—known as an AD integrated zone—which basically means that the data is stored within Active Directory Domain Services, and is replicated to other DNS servers during normal AD replication periods. AD-integrated zones offer a number of benefits, including:

• Secure Dynamic. Updates Systems that are authenticated by Active Directory can update their DNS records. This allows name resolution for clients and servers while eliminating DNS poisoning by rogue systems that create DNS records.

• Automatic Synchronization Zones are created and synchronized to new domain controllers (with DNS installed) automatically.

• Efficient Replication Less data is replicated since only relevant changes are propagated.

Source of Information : Syngress The Best Damn Windows Server 2008 Book Period 2nd Edition

No comments:

Cloud storage is for blocks too, not just files

One of the misconceptions about cloud storage is that it is only useful for storing files. This assumption comes from the popularity of file...