Windows Server 2008 DNS Zone Transfer

Zone transfer is the process of copying the contents of the zone file on a primary DNS server to a secondary DNS server. Using zone transfer provides fault tolerance by synchronizing the zone file in a primary DNS server with the zone file in a secondary DNS server. The secondary DNS server can continue performing name resolution if the primary DNS server fails. Furthermore, secondary DNS servers can transfer to other secondary DNS servers in the same hierarchical fashion, which makes the higher-level secondary DNS server a master to other secondary servers. Three transfer modes are used in a Windows Server 2008 DNS configuration:

• Full Transfer. When you bring a new DNS server online and configure it to be a secondary server for an existing zone in your environment, it will perform a full transfer of all the zone information in order to replicate all the existing resource records for that zone. Older implementations of the DNS service also used full transfers whenever updates to a DNS database needed to be propagated. Full zone transfers can be very time-consuming and resource-intensive, especially in situations where there isn’t sufficient bandwidth between primary and secondary DNS servers. For this reason, incremental DNS transfers were developed.

• Incremental Transfer. When using incremental zone transfers, the secondary server retrieves only resource records that have changed within a zone, so that it remains synchronized with the primary DNS server. When incremental transfers are used, the databases on the primary server and the secondary server are compared to see if any differences exist. If the zones are identified as the same (based on the serial number of the Start of Authority resource record), no zone transfer is performed. If, however, the serial number on the primary server database is higher than the serial number on the secondary server, a transfer of the delta resource records commences. Because of this configuration, incremental zone transfers require much less bandwidth and create less network traffic, allowing them to finish faster. Incremental zone transfers are often ideal for DNS servers that must communicate over low-bandwidth connections.

• DNS Notify. The third method for transferring DNS zone records isn’t actually a transfer method at all. To avoid the constant polling of primary DNS servers from secondary DNS servers, DNS Notify was developed as a networking standard (RFC 1996) and has since been implemented into the Windows operating system. DNS Notify allows a primary DNS server to utilize a “push” mechanism for notifying secondary servers that it has been updated with records that need to be replicated. Servers that are notified can then initiate a zone transfer (either full or incremental) to “pull” zone changes from their primary servers as they normally would. In a DNS Notify configuration, the IP addresses for all secondary DNS servers in a DNS configuration must be entered into the notify list of the primary DNS server to pull, or request, zone updates.

Each of the three methods has its own purpose and functionality. How you handle zone transfers between your DNS servers depends on your individual circumstances. The full and incremental transfers actually move zone data between the DNS servers, whereas DNS Notify is not a mechanism for transferring zone data at all. It is used in conjunction with AXFR (Full Transfer) and IXFR (Incremental Transfer) to notify a secondary server that new records are available for transfer.
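The decision logic described above (serial comparison, delta versus full transfer, and Notify-driven pulls) as a small simulation. This is an added example, not code from the book or from the Windows DNS service; the PrimaryZone class, its change journal and the sample serials and addresses are constructed for illustration. It also shows the fallback a practitioner should expect: when the primary's change history no longer reaches back to the secondary's serial, an incremental transfer is impossible and a full transfer is performed instead.

```python
from dataclasses import dataclass, field

@dataclass
class PrimaryZone:
    """Constructed model of a primary zone with a change journal (needed for IXFR)."""
    serial: int
    records: dict                                   # name -> rdata, current zone contents
    journal: list = field(default_factory=list)     # (old_serial, new_serial, changes)
    notify_list: set = field(default_factory=set)   # IPs of secondaries to notify

    def apply_update(self, changes, new_serial=None):
        """Apply changes (rdata None = delete) and raise the SOA serial."""
        new_serial = new_serial if new_serial is not None else self.serial + 1
        self.journal.append((self.serial, new_serial, dict(changes)))
        for name, rdata in changes.items():
            if rdata is None:
                self.records.pop(name, None)
            else:
                self.records[name] = rdata
        self.serial = new_serial

def plan_transfer(primary, secondary_serial):
    """Return (mode, payload): what a secondary holding secondary_serial must pull."""
    if secondary_serial is None or secondary_serial > primary.serial:
        # No zone data yet, or a serial the master never issued: full transfer (AXFR).
        return "axfr", dict(primary.records)
    if secondary_serial == primary.serial:
        return "none", {}                           # serials match, nothing to do
    delta, cur = {}, secondary_serial
    for old, new, changes in primary.journal:      # walk the journal chain forward
        if old == cur:
            delta.update(changes)
            cur = new
    if cur != primary.serial:
        # Journal no longer reaches the secondary's serial: IXFR impossible, fall back to AXFR.
        return "axfr", dict(primary.records)
    return "ixfr", delta

def notify(primary, secondaries):
    """DNS Notify: only hosts on the notify list are pushed a notification; each then
    pulls as usual. secondaries maps IP -> the serial that secondary currently holds."""
    return {ip: plan_transfer(primary, serial)[0]
            for ip, serial in secondaries.items() if ip in primary.notify_list}

if __name__ == "__main__":
    z = PrimaryZone(serial=2024010101, records={"www": "192.0.2.10"}, notify_list={"192.0.2.2"})
    z.apply_update({"mail": "192.0.2.20"})
    z.apply_update({"www": "192.0.2.11", "old": None})
    print(plan_transfer(z, 2024010101))             # ('ixfr', {...both changes...})
    print(notify(z, {"192.0.2.2": 2024010102, "192.0.2.3": None}))  # {'192.0.2.2': 'ixfr'}
```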


How to create a new DNS zone:
1. Choose Start > Administrative Tools > DNS.

2. In the console tree, double-click your server, and then click Forward Lookup Zones.

3. Right-click Forward Lookup Zones, and then select New Zone.

4. The New Zone Wizard appears. Click Next.

5. On the Zone Type page, click Primary zone and then click Next.

6. On the Active Directory Zone Replication Scope page, click Next.

7. On the Zone Name page, in the Name field, type a name for a test zone, and then click Next.

8. On the Zone File page, click Next.

9. On the Dynamic Update page, choose Allow Both Nonsecure And Secure Dynamic Updates and click Next.
Normally, when configuring Dynamic Updates, you should choose the Secure Only option. For lab purposes in this book, however, you can choose Allow Both Nonsecure And Secure Dynamic Updates.

10. On the Completing The New Zone Wizard page, click Finish.

Source of information: Syngress, The Best Damn Windows Server 2008 Book Period, 2nd Edition
