Planning DNS Zone Replication

Understanding DNS Zone Types and Zone Transfer Methods

A DNS zone is the contiguous portion of the DNS domain name space over which a DNS server has authority, or is authoritative. DNS zones contain either domains or subdomains. The DNS namespace can be divided into multiple zones. You can even host all your zones on a single DNS server. The Windows Server 2003 DNS Server can host up to 20,000 DNS zones.

A DNS zone contains a zone database that contains resource records for all the domains within the zone. Zone files are used if DNS is not integrated with Active Directory. The zone files contain the DNS database resource records which define the zone. If DNS and Active Directory are integrated, then zone data is stored in Active Directory.

The different types of zones which you can configure in Windows Server 2003 DNS are:

Primary zone: This is the only zone type that can be edited or updated because the data in the zone is the original source of the data for all domains in the zone. Updates made to the primary zone are made by the DNS server that is authoritative for the specific primary zone. You can also back up data from a primary zone to a secondary zone.
Secondary zone: A secondary zone is a read-only copy of the zone that was copied from the master server during zone transfer.
Active Directory-integrated zone: An Active Directory-integrated zone is a zone that stores its zone data in Active Directory. DNS zone files are not used to store data for these zones. An Active Directory-integrated zone is an authoritative primary zone. Zone data of an Active Directory-integrated zone is replicated during the Active Directory replication process. This is the only DNS zone type that can use multi-master replication and the security features of Active Directory
Reverse lookup zone: Reverse lookup zones are are mainly used to resolve IP addresses to resource names on the network. Forward lookup zones contain name to IP address mappings, while reverse lookup zones contain IP address to name mappings.
Stub zone: A stub zone is a new Windows Server 2003 feature. Stub zones only contain those resource records necessary to identify the authoritative DNS servers for the master zone. Stub zones contain the following:

Start Of Authority (SOA) resource record for the zone.
Name Server (NS) resource record for the zone.
Host (A) resource records that identify the authoritative servers for the specific zone.

Zone transfer is the process that copies the resource records of a zone file on the primary DNS server to the secondary DNS servers. A secondary DNS server can also transfer its zone data to other secondary DNS servers, who are beneath it in the DNS hierarchy. In this case, the secondary DNS server is regarded as the master DNS server to the other secondary servers.

The zone transfer methods which you can configure are:

Full transfer: When you configure a secondary DNS server for a zone, and start the secondary DNS server, the secondary DNS server requests a full copy of the zone from the primary DNS server. A full transfer is performed of all the zone information. Full zone transfers tend to be resource intensive. This disadvantage of full transfers has led to the development of incremental zone transfers.
Incremental zone transfer: With an incremental zone transfer, only those resource records that have since changed in a zone are transferred to the secondary DNS servers. During zone transfer, the DNS databases on the primary DNS server and the secondary DNS server are compared to determine whether there are differences in the DNS data. If the DNS data of the primary and secondary DNS servers are the same, zone transfer does not take place. If the DNS data of the two servers are different, transfer of the delta resource records starts. This occurs when the serial number on the primary DNS server database is higher than that of secondary DNS server's serial number. For incremental zone transfer to occur, the primary DNS server has to record incremental changes to its DNS database. Incremental zone transfers require less bandwidth than full zone transfers.
Active Directory transfers: These zone transfers occur when Active Directory-integrated zones are replicated to the domain controllers in a domain. Replication occurs through Active Directory replication.
DNS Notify is a mechanism that enables a primary DNS server to inform secondary DNS servers when its database has been updated. DNS Notify informs the secondary DNS servers when they need to initiate a zone transfer so that the updates of the primary DNS server can be replicated to them. When a secondary DNS server receives the notification from the primary DNS server, it can start an incremental zone transfer or a full zone transfer to pull zone changes from the primary DNS servers.

Determining DNS Resource Record (RR) Requirements

The commonly used resource records (RR) are:

Start of Authority (SOA): The SOA record is the first record in the DNS database file. The SOA record includes information on zone properties, such as the primary DNS server for the zone, and the version number of the database.
Name Server (NS): The Name Server (NS) resource record provides a list of the authoritative DNS servers for a domain, as well authoritative DNS server for any delegated subdomains.
Host (A): The host (A) resource record contains the IP address of a specific host, and maps the FQDN to this 32-bit IPv4 addresses. Host (A) resource records basically associates the domain names of computers (FQDNs) or hosts names to their IP addresses.
Alias (CNAME): Alias (CNAME) resource records ties an alias name to its associated domain name. Alias (CNAME) resource records are referred to as canonical names. By using canonical names, you can hide network information from the clients who connect to your network.
Mail exchanger (MX): The mail exchanger (MX) resource record provides routing for messages to mail servers and backup servers. The MX resource record provides information on which mail servers processes e-mail for the particular domain name.
Pointer (PTR): The pointer (PTR) resource record is used for reverse lookups to point to A resource records. Reverse lookups resolve IP addresses to host names or FQDNs.
Service location (SRV): Service (SRV) resource records are typically used by Active directory to locate domain controllers, LDAP servers, and global catalog servers.

The main resource records that identify hosts on a DNS network are:

Start of Authority (SOA)
Address records: A and AAAA records
Canonical Name (CNAME) or Alias record

For Active Directory to operate, your DNS servers which host Active Directory-integrated zones must support the (SRV) resource records defined in RFC 2052: DNS RR for specifying the location of services (DNS SRV). This is due to clients and domain controllers querying DNS for SRV records when they need to locate a domain controller's IP addresses.

Determining Zone Requirements

When determining how to break up the DNS namespace into zones, keep the following factors in mind:

Transferring zone files between zones increases DNS zone transfer traffic, and Active Directory replication traffic.
You need to determine the traffic patterns that exist between clients and the DNS server. Pay careful attention to queries which are being passed over WAN connection. The System Monitor tool can be used to obtain DNS server statistics.
Consider the network links between your DNS servers, and the speed of these links.
Determine whether full DNS servers or caching-only DNS servers are required for your different locations.

Primary Zones versus Active Directory-integrated zones

When deciding on whether to implement primary DNS zones or Active Directory-integrated DNS zones, remember to include the DNS design requirements of your environment. Primary zones and secondary zones are standard DNS zones that use zone files. An Active Directory-integrated zone stores its zone data in Active Directory, and can therefore use multi-master replication and the security features of Active Directory.

If you are going to be implementing Active Directory-integrated zones, you can choose between the following zone replication scope options:

To All DNS Servers In The Active Directory Forest option: Zone data is replicated to all DNS servers running on domain controllers in the Active Directory forest.
To All DNS Servers In The Active Directory Domain option: Zone data is replicated to all DNS servers running on domain controllers in the Active Directory domain.
To All Domain Controllers In The Active Directory Domain option: Zone data is replicated to all domain controllers in the Active Directory domain.
To All Domain Controllers Specified In The Scope Of The Following Application Directory Partition option: Zone data is replicated based on the replication scope of the particular application directory partition.

The main advantages that Active Directory-integrated zones have over standard primary DNS zones are:

Active Directory replication is faster, which means that the time needed to transfer zone data between zones is far less.
The Active Directory replication topology is used for Active Directory replication, and for Active Directory-integrated zone replication. There is no longer a need for DNS replication when DNS and Active Directory are integrated.
Active Directory-integrated zones can enjoy the security features of Active Directory.
The need to manage your Active Directory domains and DNS namespaces as separate entities is eliminated. This in turn reduces administrative overhead.
When DNS and Active Directory are integrated; the Active Directory-integrated zones are replicated, and stored on any new domain controllers automatically. Synchronization takes place automatically when new domain controllers are deployed.

Determining Zone Placement

The process that DNS uses to forward a query that one DNS server cannot resolve, to another DNS server is called DNS forwarding. DNS forwarders are the DNS servers used to forward DNS queries for different DNS namespace to those DNS servers who can answer the query. Creating DNS forwarders can improve name resolution efficiency.
Windows Server 2003 DNS introduces a feature called conditional forwarding. With conditional forwarding, you create conditional forwarders within your environment that will forward DNS queries based on the specific domain names being requested in the query. This differs from DNS forwarders where the standard DNS resolution path to the root was used to resolve the query. A conditional forwarder can only forward queries for domains that are defined in the particular conditional forwarders list. The query is passed to the default DNS forwarder if there are no entries in the forwarders list for the specific domain queried.

When planning your DNS environment and it is evident that you need to implement forwarders or conditional forwarders, consider the recommendations for planning forwarders which are summarized below:

Use forwarders to limit the number of DNS servers which have to communicate between each other over firewalls. This strategy enhances DNS security.
You can also enhance fault tolerance by configuring multiple forwarders, and then enabling recursion for those queries which cannot be forwarded to your specified forwarders.
You should only implement the number of DNS forwarders that are necessary for your environment. You should refrain from creating loads of forwarders for your internal DNS servers.
You should avoid chaining your DNS servers together in a forwarding configuration.
To avoid the DNS forwarder turning into a bottleneck, do not configure one external DNS forwarder for all your internal DNS servers.

Recommendations for Determining Zone Replication

A number of recommendations for planning for zone replication are noted below:

You should limit the number of zones of authority within your DNS environment. The more zones of authority you have, the greater the administrative effort required to manage your DNS environment.
Transferring zone files between zones increases DNS zone transfer traffic, and Active Directory replication traffic.
If you need to minimize zone transfer traffic, and your DNS servers exist on Windows Server 2003 domain controllers and you are using Active Directory-integrated zones, consider using the application directory partition for storing zone data.
If you are using standard DNS zone transfers, it is beneficial to implement the following:

Incremental zone transfers
Fast zone transfers

If you need to reduce the bandwidth used by standard DNS zone transfers, consider changing the schedule for zone transfers to your secondary DNS zones.
Consider implementing stub zones to minimize DNS traffic.
You should use Active Directory-integrated zones so that you can specify that only secure updates to your zones are allowed
To secure zone data of the standard zone types, consider implementing the following:

Limit the number of hosts that are allowed to receive zone transfers.
Encrypt zone transfer data by using VPN tunnels or IPSec.

How to create a DNS zone

Click Start, Administrative Tools, and then click DNS to open the DNS console.
Expand the Forward Lookup Zones folder
Select the Forward Lookup Zones folder.
From the Action menu, select New Zone.
The New Zone Wizard initiates.
On the initial page of the Wizard, click Next.
On the Zone Type page, ensure that the Primary Zone. Creates A Copy Of A Zone That Can Be Updated Directly On This Server option is selected. This option is by default selected.
Uncheck the Store The Zone In Active Directory (Available Only If DNS Server Is A Domain Controller) checkbox. Click Next.
On the Zone Name page, enter the correct name for the zone in the Zone Name textbox. Click Next.
On the Zone File page, ensure that the default option, Create A New File With This File Name is selected. Click Next.
On the Dynamic Update page, ensure that the Do Not Allow Dynamic Updates. Dynamic Updates Of Resource Records Are Not Accepted By This Zone. You Must Update These Records Manually option is selected. Click Next.
The Completing The New Zone Wizard page is displayed next.
Click Finish to create the new zone.