As mentioned earlier in this chapter, a DNS zone is a portion of the DNS namespace over which a specific DNS server has authority. Within a given DNS zone, there are resource records that define the hosts and other types of information that make up the database for the zone. You can choose from several different zone types. Understanding the characteristics of each will help you choose which is right for your organization.
The DNS zones discussed in this book are all Microsoft Windows Server 2022 zones. Non-Windows (for example, Unix) systems set up their DNS zones differently.
In the following sections, I will discuss the different zone types and their characteristics.
Understanding Primary Zones
When you’re learning about zone types, things can get a bit confusing. But it’s really not difficult to understand how they work and why you would want to choose one type of zone over another. Zones are databases that store records. By choosing one zone type over another, you are basically just choosing how the database works and how it will be stored on the server.
The primary zone is responsible for maintaining all of the records for the DNS zone. It contains the primary copy of the DNS database. All record updates occur on the primary zone. You will want to create and add primary zones whenever you create a new DNS domain.
There are two types of primary zones:
■ Primary zone
■ Primary zone with Active Directory Integration (Active Directory DNS)
From this point forward, I refer to a primary zone with Active Directory Integration as an Active Directory DNS. When I use the term primary zone, Active Directory is not included.
To install DNS as a primary zone, first you must install DNS using the Server Manager MMC. Once DNS is installed and running, you create a new zone and specify it as a primary zone.
The process of installing DNS and its zones will be discussed later in this chapter. In addition, there will be step-by-step exercises to walk you through how to install these components.
Primary zones have advantages and disadvantages. Knowing the characteristics of a primary zone will help you decide when you need the zone and when it fits into your organization.
Local Database
Primary DNS zones are stored locally in a text file (named after the zone, with the suffix .dns, under %SystemRoot%\System32\dns) on the server. Because the zone does not depend on Active Directory, you can host a primary zone on a domain controller or on a member server. Loading DNS onto a member server can help a small organization conserve resources when it cannot afford to put DNS on an Active Directory domain controller.
Unfortunately, the local database has many disadvantages:
Lack of Fault Tolerance Think of a primary zone as a contact list on your smartphone. All of the contacts in the list are the records in your database. The problem is that if you lose your phone or the phone breaks, you lose your contact list. Until your phone gets fixed or you move your SIM card to another phone, the contacts are unavailable.
It works the same way with a primary zone. If the server goes down or you lose the hard drive, the DNS records on that machine are unreachable and, because the primary is the only writable copy, no records can be added or changed anywhere. You can install a secondary zone (explained in the next section) to keep answering queries, but that is only temporary fault tolerance: a secondary that cannot reach its primary keeps serving its copy only until the expire interval in the zone's SOA record runs out (one day by default on Windows DNS), after which it stops answering for the zone.
Additional Network Traffic Let’s imagine that you are looking for a contact number for John Smith. John Smith is not listed in your cell phone directory, but he is listed in your partner’s cell phone. You have to contact your partner to get the listing. You cannot directly access your partner’s cell contacts.
When a resolver asks a DNS server for the TCP/IP address of Jsmith (in this case Jsmith is a computer name) and that server is not authoritative for the name and has no cached answer, it cannot read another server's zone database directly. It has to forward the request to another DNS server (or recurse on the resolver's behalf). Separately, every secondary copy of a file-backed primary zone must be kept current by zone transfers (full AXFR or incremental IXFR), and that replication is additional network traffic of its own.
No Security Staying with the cell phone example, let’s say that you call your partner looking for John Smith’s phone number. When your partner gives you the phone number over your wireless phone, someone with a scanner can pick up your conversation. Unfortunately, wireless telephone calls are not very secure.
Now a resolver asks a primary zone for the Jsmith TCP/IP address. Standard DNS queries and responses travel in clear text, so anyone on the network path with a packet sniffer can read the information in the DNS packets. The packets are not protected unless you implement some additional form of security; note that DNSSEC signs zone data so a client can detect tampering, but it does not encrypt anything and so does not stop eavesdropping. The dynamic update side is weaker too. A file-backed primary zone can be set either to refuse dynamic updates or to accept them from any client on the network; the secure-only setting, which requires the client to authenticate before it can add or change a record, is available only for Active Directory DNS zones.
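The following PowerShell session is an added example, not code from the book, showing the two primary zone types side by side: a file-backed primary zone (the local .dns database described above) and an Active Directory-integrated one, together with the dynamic update setting each type allows. It assumes the DNS Server role is already installed on a Windows Server 2022 domain controller for stormwind.com; the zone names lab.stormwind.com and corp.stormwind.com are illustrative assumptions.

```powershell
# Added example (not from the book). Assumes the DNS Server role is installed on
# this Windows Server 2022 host, which is also a domain controller for
# stormwind.com. Zone names and file names are assumptions for illustration.

Import-Module DnsServer

# 1. A standard (file-backed) primary zone. The database is a text file under
#    %SystemRoot%\System32\dns. Nothing replicates it, so the zone exists only
#    on this server.
Add-DnsServerPrimaryZone -Name 'lab.stormwind.com' `
                         -ZoneFile 'lab.stormwind.com.dns' `
                         -DynamicUpdate None      # safest default: no dynamic updates at all

Get-Item "$env:SystemRoot\System32\dns\lab.stormwind.com.dns"

# A file-backed zone offers only two update modes: None or NonsecureAndSecure.
# Asking for secure-only updates is expected to be rejected, because there is
# no directory ACL to authenticate clients against.
try {
    Set-DnsServerPrimaryZone -Name 'lab.stormwind.com' -DynamicUpdate Secure -ErrorAction Stop
} catch {
    Write-Warning "Secure-only updates refused on a file-backed zone: $($_.Exception.Message)"
}

# 2. An Active Directory-integrated primary zone. The database lives in AD,
#    replicates to every DNS-enabled domain controller in the domain, and can
#    be limited to secure (authenticated) dynamic updates.
Add-DnsServerPrimaryZone -Name 'corp.stormwind.com' `
                         -ReplicationScope Domain `
                         -DynamicUpdate Secure

# 3. Verify the difference. IsDsIntegrated and DynamicUpdate are the two
#    properties behind the trade-offs discussed in this section.
Get-DnsServerZone -Name 'lab.stormwind.com', 'corp.stormwind.com' |
    Format-Table ZoneName, ZoneType, IsDsIntegrated, DynamicUpdate, ZoneFile -AutoSize
```

Run it in an elevated PowerShell session on the DNS server. The first zone shows IsDsIntegrated = False and a ZoneFile name; the second shows IsDsIntegrated = True, no zone file, and DynamicUpdate = Secure, which is the setting a file-backed zone cannot take.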
Understanding Secondary Zones
In Windows Server 2022 DNS, you have the ability to use secondary DNS zones. Secondary zones are read-only copies of the DNS database. You use them for load balancing (also referred to as load sharing), which is a way of managing network overloads on a single server. A secondary zone copies its database from a master server (normally the primary zone server) by zone transfer and refreshes that copy on the schedule set in the zone's SOA record.
A secondary zone contains a database with all of the same information as the primary zone, and it can be used to resolve DNS requests. Secondary zones have the following advantages:
■ A secondary zone provides fault tolerance, so if the primary zone server becomes unavailable, name resolution can still occur using the secondary zone server.
■ Secondary DNS servers can also increase network performance by offloading some of the traffic that would otherwise go to the primary server.
Secondary servers are often placed in parts of an organization that would otherwise reach the primary server only over slow WAN connections, so that DNS queries do not have to cross those links. For example, if there are two remote offices within the stormwind.com organization, you may want to place a secondary DNS server in each remote office. This way, when clients require name resolution, they contact the nearest server for this IP address information, preventing unnecessary WAN traffic.
Having too many secondary zone servers can actually cause an increase in network traffic because of replication (especially if DNS changes are fairly frequent). Therefore, you should always weigh the benefits and drawbacks and properly plan for secondary zone servers.
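The following PowerShell session is an added example, not code from the book, that builds the primary/secondary pair described above and adds the checks a practitioner wants: the primary is restricted to transferring the zone only to the named secondary, the secondary is notified of changes, the SOA timers that bound how long the secondary can serve without its primary are inspected, and both servers are queried to confirm they answer alike. It assumes two servers, DNS1 at 10.0.0.10 hosting the file-backed primary zone stormwind.com and DNS2 at 10.0.0.20 for the secondary; the names, addresses and the jsmith record are illustrative assumptions.

```powershell
# Added example (not from the book). Two servers are assumed: DNS1 (10.0.0.10)
# hosts the file-backed primary zone stormwind.com; DNS2 (10.0.0.20) will hold
# a secondary copy. All names and addresses are illustrative assumptions.

Import-Module DnsServer

# --- On DNS1 (the primary) ---------------------------------------------------
# By default a Windows primary zone transfers only to servers listed in its NS
# records. Lock it down explicitly: transfer only to DNS2, and notify DNS2 as
# soon as the zone changes so the copy is refreshed without waiting for the
# SOA refresh interval.
Set-DnsServerPrimaryZone -ComputerName 'DNS1' -Name 'stormwind.com' `
    -SecureSecondaries TransferToSecureServers -SecondaryServers 10.0.0.20 `
    -Notify NotifyServers -NotifyServers 10.0.0.20

# The SOA record governs how long DNS2 may keep serving the copy if DNS1 is
# unreachable (ExpireLimit, one day by default on Windows DNS).
$soa = Get-DnsServerResourceRecord -ComputerName 'DNS1' -ZoneName 'stormwind.com' -RRType Soa
$soa.RecordData | Format-List RefreshInterval, RetryDelay, ExpireLimit, SerialNumber

# --- On DNS2 (the secondary) -------------------------------------------------
# The copy is read-only; all edits still happen on DNS1.
Add-DnsServerSecondaryZone -ComputerName 'DNS2' -Name 'stormwind.com' `
    -ZoneFile 'stormwind.com.dns' -MasterServers 10.0.0.10

# Force an initial full transfer (AXFR) instead of waiting for the refresh timer.
Start-DnsServerZoneTransfer -ComputerName 'DNS2' -Name 'stormwind.com' -FullTransfer

# --- Check: a change on the primary shows up on the secondary -----------------
Add-DnsServerResourceRecordA -ComputerName 'DNS1' -ZoneName 'stormwind.com' `
    -Name 'jsmith' -IPv4Address 10.0.0.50
Start-Sleep -Seconds 5     # give the NOTIFY-triggered transfer time to complete
foreach ($srv in '10.0.0.10', '10.0.0.20') {
    Resolve-DnsName -Name 'jsmith.stormwind.com' -Server $srv -Type A |
        Select-Object @{ n = 'Server'; e = { $srv } }, Name, IPAddress
}

# --- Check: nobody else can pull the whole zone -------------------------------
# From any host other than 10.0.0.20, a zone transfer request should be refused.
# nslookup's "ls" command is the quickest way to try it from a Windows client:
#   nslookup - 10.0.0.10
#   > ls -d stormwind.com
# Expected result: the listing is refused rather than dumping every record.
```

Restricting transfers matters beyond replication traffic: an unrestricted zone transfer hands an attacker a complete inventory of your hosts in one query, so the TransferToSecureServers setting with an explicit list is the one to use wherever you deploy secondaries.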
Configure Zone Delegation
One advantage of DNS is the ability to divide a namespace into one or more zones. Each zone can then be hosted on its own set of servers and replicated independently of the others. As an administrator, you must decide when you want to break your DNS into multiple zones. When considering this option, there are a few things to think about:
■ You want the management of your DNS namespace to be delegated by another location or department in your organization.
■ You want to load-balance your traffic among multiple servers by turning a large zone into many smaller zones. This will help improve performance and create redundancy among your DNS servers.
■ You have remote offices opening up, and you want to expand your DNS namespace.
To create a new zone delegation, complete the following steps:
- Open the DNS console.
- In the console tree, right-click the zone (or the subdomain within it) that will contain the delegation, and then click New Delegation.
- Follow the instructions provided in the New Delegation Wizard to finish creating the newly delegated domain.
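The same delegation can be created from PowerShell, which also makes it easy to verify. The following is an added example, not code from the book: it creates a child zone sales.stormwind.com on its own server, delegates that subdomain from the parent zone, and then queries both servers to show the parent referring and the child answering. It assumes the parent zone stormwind.com is hosted on DNS1 at 10.0.0.10 and that a separate server NS1 at 10.0.1.10 will own the subdomain; all names and addresses are illustrative assumptions.

```powershell
# Added example (not from the book). Assumes the parent zone stormwind.com is
# hosted on DNS1 (10.0.0.10) and a separate server NS1 (10.0.1.10) will be
# authoritative for the delegated subdomain sales.stormwind.com.
# Names and addresses are illustrative assumptions.

Import-Module DnsServer

# --- On NS1: create the child zone that will own the subdomain ---------------
Add-DnsServerPrimaryZone -ComputerName 'NS1' -Name 'sales.stormwind.com' `
    -ZoneFile 'sales.stormwind.com.dns' -DynamicUpdate None
Add-DnsServerResourceRecordA -ComputerName 'NS1' -ZoneName 'sales.stormwind.com' `
    -Name 'ns1' -IPv4Address 10.0.1.10
Add-DnsServerResourceRecordA -ComputerName 'NS1' -ZoneName 'sales.stormwind.com' `
    -Name 'web' -IPv4Address 10.0.1.80

# --- On DNS1: delegate the subdomain to NS1 ----------------------------------
# This is what the New Delegation Wizard creates: an NS record for
# sales.stormwind.com pointing at ns1.sales.stormwind.com, plus a glue A record
# for ns1 so resolvers can reach NS1 without a circular lookup (the name server's
# own name lies inside the zone being delegated).
Add-DnsServerZoneDelegation -ComputerName 'DNS1' -Name 'stormwind.com' `
    -ChildZoneName 'sales' -NameServer 'ns1.sales.stormwind.com' -IPAddress 10.0.1.10

Get-DnsServerZoneDelegation -ComputerName 'DNS1' -Name 'stormwind.com' |
    Format-Table ChildZoneName, NameServer -AutoSize

# --- Check: the parent refers the query, the child answers it ----------------
# Ask DNS1 without recursion. It is not authoritative for sales, so it returns
# the delegation (NS and glue records) rather than the A record.
Resolve-DnsName -Name 'web.sales.stormwind.com' -Server 10.0.0.10 -Type A -NoRecursion

# Ask NS1 directly. It owns the zone and returns web's A record.
Resolve-DnsName -Name 'web.sales.stormwind.com' -Server 10.0.1.10 -Type A
```

If the non-recursive query to DNS1 returns the A record instead of a referral, DNS1 still holds a sales subdomain of its own inside stormwind.com, which masks the delegation; remove those records from the parent so that only the NS and glue records remain.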