Lesson 2: Understanding and Configuring Zones
The DNS service allows a DNS namespace to be divided up into zones that
store name information about one or more DNS domains. A zone is the
authoritative source of information for every DNS domain name it contains. This lesson introduces you to DNS zones and how they are configured.
After this lesson, you will be able to
Identify zone types
List the benefits of Active Directory integrated zones
Explain zone delegation
Configure zones
Configure Dynamic Domain Name Service (DDNS) for a zone
Estimated lesson time: 30 minutes
Zones
The DNS service provides the option of dividing up the namespace into one or more zones, which can then be stored, distributed, and replicated to other DNS servers. The DNS namespace represents the logical structure of your network
resources, and DNS zones provide physical storage for these resources.
Zone Planning
When deciding whether to divide your DNS namespace into additional zones, ask the following questions:
Is there a need to delegate management of part of your DNS namespace to another location or department within your organization?
Is there a need to divide one large zone into smaller zones to distribute traffic loads among multiple servers, improve DNS name resolution performance, or create a more fault-tolerant DNS environment?
Is there a need to extend the namespace by adding numerous subdomains at once, such as to accommodate the opening of a new branch or site?
If you can answer "yes" to one of these questions, it may be useful to add or
restructure your namespace into additional zones. When choosing how to structure zones, you should use a plan that meets the needs of your organization.
There are two zone lookup types: forward lookup zones and reverse lookup zones.
Forward Lookup Zones
A forward lookup zone enables forward lookup queries (name to IP address). A name server answers authoritatively only for the zones it hosts, so to serve your own namespace you must configure at least one forward lookup zone; a server with no zones still runs, but only as a caching-only server that resolves queries for other servers' data. When you install Active Directory using the Active Directory Installation Wizard and allow the wizard to install and configure your DNS server, the wizard automatically creates a forward lookup zone based on the DNS name you specified for the new domain.
To create a new forward lookup zone
Click Start, point to Programs, point to Administrative Tools, and then click DNS.
Expand the DNS server.
Right-click the Forward Lookup Zone folder and click New Zone. The New Zone Wizard guides you through the process of setting up a forward lookup zone. The wizard presents the following configuration options: Zone Type, Zone Name, Zone File, and Master DNS Servers.
Zone Type
There are three types of zones that you can configure:
Active Directory-integrated. An Active Directory-integrated zone is a master copy of the zone whose data is stored in the Active Directory database rather than in a zone file and is replicated to other domain controllers by Active Directory replication. It can be hosted only on a domain controller.
Standard primary. A standard primary zone is the master copy of a new zone stored in a standard text file. You administer and maintain a primary zone on the computer on which you create the zone.
Standard secondary. A standard secondary zone is a read-only replica of an existing zone, stored in a standard text file. A primary zone must already exist before you can create a secondary zone for it. When creating a secondary zone, you specify the DNS server, called the master server, that transfers the zone data to the name server holding the secondary zone. You create a secondary zone to provide redundancy and to reduce the load on the name server holding the primary zone database file. Because a zone transfer hands over the whole zone, restrict transfers on the master (Zone Transfers tab in the zone's properties) to the IP addresses of your own secondaries; a server that answers zone transfer requests from anyone gives a complete inventory of your hosts to any machine that can reach port 53.
Benefits of Active Directory-Integrated Zones
For networks deploying DNS to support Active Directory, directory-integrated primary zones are strongly recommended and provide the following benefits:
Multimaster update and enhanced security based on the capabilities of Active Directory.
In a standard zone storage model, DNS updates are conducted based on a single-master update model. In this model, a single authoritative DNS server for a zone is designated as the primary source for the zone. This server maintains the master copy of the zone in a local file. With this model, the primary server for the zone represents a single fixed point of failure. If this server is not available, update
requests from DNS clients are not processed for the zone.
With directory-integrated storage, dynamic updates to DNS are conducted based on a multimaster update model. In this model, every domain controller running the DNS service is a primary for the zone. Because the master copy of the zone is maintained in the
Active Directory database, which is fully replicated to all domain controllers, the zone can be updated by the DNS service at any domain controller in the domain. With the multimaster update model of Active Directory, any of the primary servers for the directory-integrated zone can process requests from DNS clients to
update the zone as long as a domain controller is available and reachable on the network.
Also, with directory-integrated zones you can edit the access control list (ACL) to grant fine-grained access to the zone as a whole or to an individual resource record in it. For example, the ACL on a specific name in the zone can be set so that only specified DNS clients may update it dynamically, or so that only a trusted group such as Domain Admins may change the zone's or the record's properties. This security feature is not available with standard primary zones.
Directory-integrated zones are replicated to every domain controller in the domain automatically, including domain controllers added later, without any zone transfer configuration.
Because directory-integrated zones are stored on every domain controller anyway, hosting them costs no additional storage or management, even though the DNS service itself can be removed from individual domain controllers. Also, the methods used to synchronize directory-stored information perform better than a standard zone transfer, which can require transfer of the entire zone.
By integrating storage of your DNS namespace in Active Directory, you simplify planning and administration for both DNS and Active Directory.
When namespaces are stored and replicated separately (for example, one for DNS storage and replication and another for Active Directory), an additional
administrative complexity is added to planning and designing your network and allowing for its eventual growth. By integrating DNS storage, you can unify managing of storage and replication for both DNS and Active Directory information as a single administrative entity.
Directory replication is faster and more efficient than standard DNS replication.
Because Active Directory replicates on a per-attribute basis, only the changed values are propagated, so far less data is transmitted for directory-stored zones.
Zone Name
Typically, a zone is named after the highest domain in the hierarchy that the zone encompasses—that is, the root domain for the zone. For example, for a zone that encompasses both microsoft.com and sales.microsoft.com, the zone name would be microsoft.com. For further information on zone naming, see Chapter 2, "Introduction to Active Directory."
Zone File
For the standard primary forward lookup zone type you must specify a zone file. The zone file is the zone database file name, which defaults to the zone name with a .dns extension. For example, if your zone name is microsoft.com, the default zone database file name is MICROSOFT.COM.DNS.
When migrating a zone from another server, you can import the existing zone file. You must place the existing file in the systemroot\System32\DNS directory on the target computer before creating the new zone, where systemroot indicates the Windows 2000 installation folder, typically C:\Winnt.
Master DNS Servers
For the standard secondary forward lookup zone type you must specify the DNS server(s) from which you want to copy the zone. You must enter the IP address of one or more DNS servers.
Reverse Lookup Zones
A reverse lookup zone enables reverse lookup queries (IP address to name). Reverse lookup zones are not required for name resolution. However, troubleshooting tools such as NSLOOKUP perform a reverse lookup of the DNS server's address when they start and report an error if it fails, and Internet Information Services (IIS) can record a client's name instead of its IP address in its log files only if the address has a PTR record. Treat a name obtained by reverse lookup as information, not as proof of identity: the PTR record is controlled by whoever administers the reverse zone for that address range, so it must not be used on its own to authorize access.
To create a new reverse lookup zone
Click Start, point to Programs, point to Administrative Tools, and then click DNS.
Expand the DNS server.
Right-click the Reverse Lookup Zone folder and click New Zone. The New Zone Wizard guides you through the process of setting up a reverse lookup zone. The wizard presents the following configuration options: Zone Type, Reverse Lookup Zone, Zone File, and Master DNS Servers.
Zone Type
For the zone type, select Active Directory-integrated, Standard Primary, or
Standard Secondary, as defined previously.
Reverse Lookup Zone
To identify the reverse lookup zone, type the network ID (the leading one, two or three octets of the addresses the zone covers) or the name of the zone. For example, for addresses such as 169.254.16.200 on a class B network, the network ID is 169.254, and all reverse lookup queries for addresses that begin with 169.254 are resolved in this new zone.
Zone File
For the standard primary reverse lookup zone type, you must also specify a zone file. The network ID determines the default zone name and file name: DNS reverses the order of the octets, adds the in-addr.arpa suffix, and appends the .dns extension. For example, the reverse lookup zone for the 169.254 network is named 254.169.in-addr.arpa and its default zone file is 254.169.in-addr.arpa.dns.
When migrating a zone from another server, you can import the existing zone file. You must place the existing file in the systemroot\System32\DNS directory on the target computer before creating the new zone.
Master DNS Servers
For the standard secondary reverse lookup zone type you must specify the DNS server(s) from which you want to copy the zone. You must enter the IP address of one or more DNS servers.
Resource Records
Resource records are entries in the zone database file that associate DNS domain names to related data for a given network resource, such as an IP address. There are many different types of resource records. When a zone is created, DNS automatically adds two resource records: the Start of Authority (SOA) and the Name Server (NS) records. Table 5.1 describes these resource record types, along with the most frequently used resource records.
Table 5.1 Frequently Used Resource Record Types
Resource Record Type | Description |
---|---|
Host (A) | Lists the host name-to-IP-address mappings for a forward lookup zone. |
Alias (CNAME) | Creates an alias, or alternate name, for the specified host name. You can use a Canonical Name (CNAME) record to use more than one name to point to a single IP address. For example, you can host a File Transfer Protocol (FTP) server, such as ftp.microsoft.com, and a Web server, such as www.microsoft.com, on the same computer. |
Host Information (HINFO) | Identifies the CPU and operating system used by the host. The record is a low-cost inventory tool, but anyone who can query the zone can read it, so it also tells an attacker exactly which platform to target; do not publish HINFO records in a zone reachable from untrusted networks. |
Mail Exchanger (MX) | Identifies which mail exchanger to contact for a specified domain and in what order to use each mail host. |
Name Server (NS) | Lists the name servers that are assigned to a particular domain. |
Pointer (PTR) | Maps an IP address back to a host name. PTR records live in reverse lookup zones, where the owner name is the reversed octets of the address under in-addr.arpa. |
Service (SRV) | Identifies which servers are hosting a particular service. For example, if a client needs to find a server to validate logon requests, the client can send a query to the DNS server to obtain a list of domain controllers and their associated IP addresses. |
Start of Authority (SOA) | Identifies which name server is the authoritative source of information for data within this domain. The first record in the zone database file must be the SOA record. |
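The following Python script is an added example for this lesson, not code from the training kit or from Microsoft. It ties together the zone naming rules above (zone file name, reverse zone name derived from a network ID, PTR owner names) and the resource record table: it renders a standard forward zone and its reverse zone in the BIND-style text that a Windows 2000 .dns file uses, and runs the checks an administrator wants before loading such a file (one SOA at the apex and first in the file, an NS at the apex, no records beside a CNAME, no NS or MX pointing at a CNAME). The zone names, host names and addresses are constructed sample data.

```python
"""Zone naming and a standard (text-file) zone rendered and sanity-checked.

Added example for this lesson; it is not part of the training kit and not
Microsoft code.  Standard library only.  Zone names, host names and addresses
below are constructed sample data, not records from the original page.
"""
from collections import defaultdict

RECORD_ORDER = {"SOA": 0, "NS": 1, "A": 2, "CNAME": 3, "MX": 4, "SRV": 5, "PTR": 6, "HINFO": 7}


def reverse_zone_name(network_id: str) -> str:
    """'169.254' -> '254.169.in-addr.arpa': reverse the octets, add the suffix.
    The New Zone Wizard accepts one to three leading octets; the zone then
    covers every address that starts with them."""
    octets = network_id.strip(".").split(".")
    if not 1 <= len(octets) <= 3 or any(not o.isdigit() or int(o) > 255 for o in octets):
        raise ValueError(f"network ID must be one to three octets: {network_id!r}")
    return ".".join(reversed(octets)) + ".in-addr.arpa"


def default_zone_file(zone_name: str) -> str:
    """Windows 2000 default zone file name: the zone name plus '.dns'."""
    return zone_name + ".dns"


def ptr_owner(ip: str, reverse_zone: str) -> str:
    """Owner name of the PTR record for ip, relative to its reverse zone:
    10.10.1.1 in 1.10.10.in-addr.arpa -> '1'; 169.254.16.200 in
    254.169.in-addr.arpa -> '200.16'."""
    full = ".".join(reversed(ip.split("."))) + ".in-addr.arpa"
    suffix = "." + reverse_zone
    if not full.endswith(suffix):
        raise ValueError(f"{ip} is not inside {reverse_zone}")
    return full[: -len(suffix)]


def render_zone(zone: str, records, ttl: int = 3600) -> str:
    """Render (owner, type, rdata) tuples as BIND-style text, the format of a
    Windows 2000 *.dns file.  '@' is the zone apex; other owners are relative
    to $ORIGIN unless they end with a dot.  SOA is written first."""
    lines = [f"$ORIGIN {zone}.", f"$TTL {ttl}"]
    for owner, rtype, rdata in sorted(records, key=lambda r: RECORD_ORDER.get(r[1], 99)):
        lines.append(f"{owner:<24} IN {rtype:<6} {rdata}")
    return "\n".join(lines) + "\n"


def validate_zone(records) -> list:
    """Return the problems found; an empty list means the checks pass.
    NS and MX targets are compared against owners as written, so keep both
    relative (or both absolute) within one zone."""
    problems = []
    types_at = defaultdict(set)
    for owner, rtype, _ in records:
        types_at[owner].add(rtype)
    soa = [r for r in records if r[1] == "SOA"]
    if len(soa) != 1 or soa[0][0] != "@":
        problems.append("exactly one SOA record is required, at the apex (@)")
    if records and records[0][1] != "SOA":
        problems.append("the SOA record must be the first record in the zone file")
    if "NS" not in types_at["@"]:
        problems.append("the apex needs at least one NS record")
    for owner, types in types_at.items():
        if "CNAME" in types and len(types) > 1:
            problems.append(f"{owner}: a CNAME owner may carry no other records (RFC 1034)")
    for owner, rtype, rdata in records:
        if rtype in ("NS", "MX"):
            target = rdata.split()[-1]          # MX rdata is 'preference target'
            if "CNAME" in types_at.get(target, ()):
                problems.append(f"{owner} {rtype}: target {target} is a CNAME (RFC 2181 10.3)")
    return problems


# Constructed sample zones for the lesson's training.microsoft.com example.
FORWARD_ZONE = "training.microsoft.com"
FORWARD_RECORDS = [
    ("@", "SOA", "server1 hostmaster 2001 900 600 86400 3600"),
    ("@", "NS", "server1"),
    ("server1", "A", "10.10.1.1"),
    ("www", "CNAME", "server1"),      # one host, two names
    ("ftp", "CNAME", "server1"),
    ("@", "MX", "10 server1"),
]
REVERSE_ZONE = reverse_zone_name("10.10.1")                 # 1.10.10.in-addr.arpa
REVERSE_RECORDS = [
    ("@", "SOA", "server1.training.microsoft.com. hostmaster.training.microsoft.com. 2001 900 600 86400 3600"),
    ("@", "NS", "server1.training.microsoft.com."),
    (ptr_owner("10.10.1.1", REVERSE_ZONE), "PTR", "server1.training.microsoft.com."),
]

if __name__ == "__main__":
    print(render_zone(FORWARD_ZONE, FORWARD_RECORDS))
    print(render_zone(REVERSE_ZONE, REVERSE_RECORDS))
    print("forward zone problems:", validate_zone(FORWARD_RECORDS))
    # Pointing MX at a CNAME owner is a common mistake the checks catch.
    print("with bad MX:", validate_zone(FORWARD_RECORDS + [("@", "MX", "10 www")]))
```

Run it to see both zone files and the check results; the SOA-first and CNAME rules are the ones the DNS console enforces for you but a hand-edited or imported .dns file may violate.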
NOTE
For more information on resource records, use your Web browser to search for RFC 1035, RFC 1183, RFC 1886, and RFC 2052 to retrieve the
contents of these Requests for Comment (RFCs). (RFC 2052, which defined the SRV record, has since been superseded by RFC 2782, and RFC 1886 by RFC 3596.)
To view a resource record
In the DNS console tree, click the zone for which you want to view a resource record.
In the details pane, click the record you want to view.
On the Action menu, click Properties.
On the Properties dialog box, view the properties specific to the record you selected.
When you have finished viewing the record, click OK.
To add a resource record
Right-click the zone to which you want to add the record, then select the type of record that you want to add, for example New Host or New Mail Exchanger.
Delegating Zones
A zone starts as a storage database for a single DNS domain name. If other
domains are added below the domain used to create the zone, these domains can either be part of the same zone or part of another zone. Once a subdomain is added, it can then be
Managed and included as part of the original zone records
Delegated away to another zone created to support the subdomain
For example, Figure 5.4 shows the microsoft.com domain, which contains
domain names for Microsoft. When the microsoft.com domain is first created
at a single server, it is configured as a single zone for all of the Microsoft DNS namespace. If, however, the microsoft.com domain needs to use subdomains, those subdomains must be included in the zone or delegated away to another zone. In Figure 5.4, the example subdomain was added to the microsoft.com
domain. The example.microsoft.com zone was created to support the example.microsoft.com subdomain.
Figure 5.4 Delegating a new subdomain to a new zone
When you delegate part of a namespace to a new zone, you create Name Server (NS) resource records in the parent zone that name the DNS servers authoritative for the delegated subdomain. If one of those servers has a name inside the delegated subdomain, the parent zone must also carry its Host (A) record, called a glue record, because a resolver cannot otherwise find the server's address. The SOA record for the new zone is created in the new zone itself, not in the parent. These records are what transfer authority and give other DNS servers and clients a correct referral to the servers that are authoritative for the new zone. The New Delegation Wizard is available to assist in delegation of zones.
To create a zone delegation
In the DNS console tree, click the subdomain for which you want to create a zone delegation.
On the Action menu, click New Delegation.
On the New Delegation Wizard welcome page, click Next.
On the Delegated Domain Name page, specify the name of the domain you want to create, then click Next.
On the Name Servers page, specify the servers to host the delegated zone, then click Next.
Review your settings on the Completing The New Delegation Wizard page, then click Finish.
NOTE
All domains (or subdomains) that appear as part of the applicable zone delegation must be created in the current zone prior to performing delegation.
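The Python script below is an added example for this lesson, not code from the training kit or from Microsoft. It checks the delegation of Figure 5.4 (microsoft.com delegating example.microsoft.com) the way an administrator would verify it after running the New Delegation Wizard: the parent must hold NS records for the subdomain, an NS host inside the subdomain must have a glue A record in the parent, the child zone must have its own SOA, the child's NS set must match what the parent publishes, and the parent must hold nothing else at or below the delegation point. The records, host names and addresses are constructed sample data.

```python
"""Check a zone delegation (parent NS + glue, child SOA + NS) for mistakes.

Added example for this lesson; it is not part of the training kit and not
Microsoft code.  Records are (owner, type, rdata) tuples with absolute names;
the zones, hosts and addresses are constructed sample data.
"""


def norm(name: str) -> str:
    return name.rstrip(".").lower()


def rrset(records, owner, rtype):
    """Set of rdata for one owner/type; NS targets are normalised for comparison."""
    return {norm(rd) if t == "NS" else rd
            for o, t, rd in records if norm(o) == norm(owner) and t == rtype}


def check_delegation(parent_zone, parent_records, child_zone, child_records):
    """Return a list of problems; an empty list means the delegation is consistent.

    Checks: the parent holds NS records for the child name (that is the
    delegation); every NS host that lies inside the child zone has a glue A
    record in the parent (otherwise resolvers cannot reach it); the child zone
    has an SOA at its apex; the child's apex NS set matches what the parent
    publishes (a mismatch sends referrals to servers that are not
    authoritative, a lame delegation); and the parent carries nothing else at
    or below the cut, since such records are occluded once the delegation exists."""
    problems = []
    child = norm(child_zone)
    parent_ns = rrset(parent_records, child, "NS")
    if not parent_ns:
        problems.append(f"{parent_zone}: no NS records for {child}; nothing is delegated")
    for ns in parent_ns:
        if ns.endswith("." + child) and not rrset(parent_records, ns, "A"):
            problems.append(f"{parent_zone}: NS {ns} lies inside {child} but has no glue A record")
    if not rrset(child_records, child, "SOA"):
        problems.append(f"{child}: no SOA record at the zone apex")
    child_ns = rrset(child_records, child, "NS")
    if parent_ns and child_ns != parent_ns:
        problems.append(f"NS sets differ: parent {sorted(parent_ns)}, child {sorted(child_ns)}")
    for o, t, _ in parent_records:
        o = norm(o)
        if o != child and not o.endswith("." + child):
            continue
        if (o == child and t == "NS") or (t == "A" and o in parent_ns):
            continue                                   # the delegation itself, or glue
        problems.append(f"{parent_zone}: {o} {t} is below the delegation point and is occluded")
    return problems


# Constructed sample: microsoft.com delegates example.microsoft.com (Figure 5.4).
PARENT_ZONE, CHILD_ZONE = "microsoft.com", "example.microsoft.com"
PARENT_RECORDS = [
    ("microsoft.com", "SOA", "dns1.microsoft.com. hostmaster.microsoft.com. 2001 900 600 86400 3600"),
    ("microsoft.com", "NS", "dns1.microsoft.com."),
    ("dns1.microsoft.com", "A", "10.10.1.1"),
    ("example.microsoft.com", "NS", "ns1.example.microsoft.com."),   # delegation
    ("ns1.example.microsoft.com", "A", "10.10.2.1"),                  # glue
]
CHILD_RECORDS = [
    ("example.microsoft.com", "SOA", "ns1.example.microsoft.com. hostmaster.example.microsoft.com. 1 900 600 86400 3600"),
    ("example.microsoft.com", "NS", "ns1.example.microsoft.com."),
    ("ns1.example.microsoft.com", "A", "10.10.2.1"),
    ("www.example.microsoft.com", "A", "10.10.2.20"),
]

if __name__ == "__main__":
    print("good:", check_delegation(PARENT_ZONE, PARENT_RECORDS, CHILD_ZONE, CHILD_RECORDS))
    # Forgetting the glue record is the classic failure.
    print("no glue:", check_delegation(PARENT_ZONE, PARENT_RECORDS[:-1], CHILD_ZONE, CHILD_RECORDS))
```

The occlusion check is the one that catches the mistake of leaving an SOA or host records for the subdomain in the parent zone after delegating it: those records are never returned once the NS records exist, so stale data there silently disappears from resolution.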
Configuring Dynamic DNS
The DNS service includes a dynamic update capability, called Dynamic DNS (DDNS). Without dynamic update, whenever hosts in a domain change you must edit the zone database file on the primary name server by hand. With DDNS, DNS clients and the servers that register on their behalf send update requests, and the name server modifies the zone automatically, as shown in Figure 5.5.
Figure 5.5 DDNS updates the zone database when IP addresses change
Dynamic Updates
Dynamic updates can come from DNS clients registering their own names and from servers that register on behalf of clients, such as domain controllers registering their SRV records and servers running the Dynamic Host Configuration Protocol (DHCP) service. Whether a sender is authorized depends on the zone's dynamic update setting (described below): a standard primary zone that allows dynamic updates has no way to authenticate the sender and accepts an update from any host that can reach the server, whereas an Active Directory-integrated zone set to accept only secure updates checks the requester's identity and permissions before changing anything.
DDNS and DHCP
DDNS interacts with the DHCP service to keep name-to-IP mappings for network hosts synchronized. By default, the Windows 2000 DHCP service lets clients register their own A (Host) records and registers the PTR record on their behalf; it can also register both records for clients that cannot do so themselves. When the lease expires, the DHCP service removes the A and PTR records it registered. In a zone that allows only secure updates, a record belongs to the account that created it, so records registered by a DHCP server belong to that server's account; plan for this (Windows 2000 provides the DnsUpdateProxy group for DHCP servers) so that a client that later registers for itself is not blocked from updating its own record.
IMPORTANT
To send dynamic updates, you must configure the DHCP server to point to the appropriate DNS servers. Configuring DHCP is beyond the scope of this course; refer to MCSE Training Kit—Microsoft Windows 2000 Network
Infrastructure Administration for more information on this topic.
To configure a zone for DDNS
From the DNS console, right-click the forward or reverse lookup zone that you want to configure, and then click Properties.
On the General tab, in the Allow Dynamic Updates? list, choose one of the following options:
No. Does not allow dynamic updates for this zone.
Yes. Accepts every dynamic update request for this zone, from any host, with no authentication. Any computer that can reach the server can then add, change, or delete any record in the zone, including records that belong to other hosts, so use this setting only where every host on the network is trusted.
Only Secure Updates. Accepts only updates whose sender has been authenticated (Windows 2000 uses Kerberos through the GSS-TSIG mechanism) and is permitted by the access control list on the zone or record. This is the preferred option.
The Only Secure Updates option appears only if the zone type is Active Directory-integrated, because the permissions are stored on the zone and record objects in Active Directory. With this option, the requester's right to update a record is checked against that object's ACL: by default, authenticated domain members can create new records, and an existing record can afterwards be changed only by the account that created it or by an administrator.
NOTE
For more information on DDNS, use your Web browser to search for
RFC 2136 and RFC 2137. (RFC 2137 has since been obsoleted by RFC 3007.)
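To make concrete what a dynamic update request is, and why the Yes setting is dangerous, the Python script below is an added example for this lesson, not code from the training kit or from Microsoft. It builds the RFC 2136 UPDATE message a client sends when it re-registers its address (delete the existing A records for the name, add the new one) and decodes it again. Notice that nothing in the message identifies or authenticates the sender: with Yes, the server acts on it from whoever sends it; with Only Secure Updates, the server rejects it unless a TSIG record (negotiated with Kerberos) follows in the additional section. The zone, host name, address, and transaction ID are constructed sample values, and the script only builds bytes; it does not send anything.

```python
"""Build and decode a DNS UPDATE message (RFC 2136) with the standard library.

Added example for this lesson; not part of the training kit and not Microsoft's
implementation.  It constructs and parses bytes and sends nothing.  The zone,
host name, address and transaction ID are constructed sample values.
"""
import struct

OPCODE_UPDATE = 5
TYPE_A, TYPE_SOA, TYPE_ANY = 1, 6, 255
CLASS_IN, CLASS_NONE, CLASS_ANY = 1, 254, 255


def encode_name(name: str) -> bytes:
    """Wire-format a domain name as length-prefixed labels (no compression)."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 1 <= len(raw) <= 63:
            raise ValueError(f"bad label in {name!r}")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def encode_rr(name, rtype, rclass, ttl, rdata: bytes) -> bytes:
    return encode_name(name) + struct.pack("!HHIH", rtype, rclass, ttl, len(rdata)) + rdata


# RFC 2136 section 2.5: update-section RRs whose CLASS and TTL carry the meaning.
def add_a(name, ip, ttl=1200):
    return encode_rr(name, TYPE_A, CLASS_IN, ttl, bytes(int(o) for o in ip.split(".")))


def delete_rrset(name, rtype):
    return encode_rr(name, rtype, CLASS_ANY, 0, b"")          # 2.5.2: all RRs of one type


def build_update(zone, prereqs=(), updates=(), txid=0x1234) -> bytes:
    """Header with QR=0 and OPCODE=5; the counts are ZOCOUNT, PRCOUNT, UPCOUNT,
    ADCOUNT.  The zone section is one entry naming the zone with type SOA."""
    flags = OPCODE_UPDATE << 11
    header = struct.pack("!HHHHHH", txid, flags, 1, len(prereqs), len(updates), 0)
    zone_section = encode_name(zone) + struct.pack("!HH", TYPE_SOA, CLASS_IN)
    return header + zone_section + b"".join(prereqs) + b"".join(updates)


def decode_name(msg: bytes, offset: int):
    """Return (name, offset after the name); follows compression pointers."""
    labels, end = [], None
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:                   # pointer: 11xxxxxx xxxxxxxx
            end = end if end is not None else offset + 2
            offset = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            continue
        offset += 1
        if length == 0:
            break
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels) + ".", (offset if end is None else end)


def decode_rr(msg, offset):
    name, offset = decode_name(msg, offset)
    rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", msg[offset:offset + 10])
    offset += 10
    return (name, rtype, rclass, ttl, msg[offset:offset + rdlen]), offset + rdlen


def parse_update(msg: bytes) -> dict:
    """Split an UPDATE message into its zone, prerequisite, update and additional
    sections.  A TSIG record, when present, is the last RR of 'additional'."""
    txid, flags, zo, pr, up, ad = struct.unpack("!HHHHHH", msg[:12])
    if (flags >> 11) & 0xF != OPCODE_UPDATE:
        raise ValueError("not an UPDATE message")
    zone, offset = decode_name(msg, 12)
    ztype, zclass = struct.unpack("!HH", msg[offset:offset + 4])
    offset += 4
    if zo != 1 or ztype != TYPE_SOA or zclass != CLASS_IN:
        raise ValueError("malformed zone section")
    result = {"id": txid, "zone": zone}
    for key, count in (("prerequisite", pr), ("update", up), ("additional", ad)):
        rrs = []
        for _ in range(count):
            rr, offset = decode_rr(msg, offset)
            rrs.append(rr)
        result[key] = rrs
    return result


def describe(rr) -> str:
    """Plain-language meaning of one update-section RR (RFC 2136 section 2.5)."""
    name, rtype, rclass, ttl, rdata = rr
    if rclass == CLASS_ANY and not rdata:
        return f"delete all RRs at {name}" if rtype == TYPE_ANY else f"delete all type-{rtype} RRs at {name}"
    if rclass == CLASS_NONE:
        return f"delete one type-{rtype} RR at {name}"
    if rtype == TYPE_A:
        return f"add {name} A {'.'.join(map(str, rdata))} ttl {ttl}"
    return f"add type-{rtype} RR at {name}"


# A client re-registration on the wire: replace server1's A record.
SAMPLE_UPDATE = build_update(
    "training.microsoft.com",
    updates=[delete_rrset("server1.training.microsoft.com", TYPE_A),
             add_a("server1.training.microsoft.com", "10.10.1.99")],
)

if __name__ == "__main__":
    parsed = parse_update(SAMPLE_UPDATE)
    print("zone:", parsed["zone"], "additional RRs:", len(parsed["additional"]))
    for rr in parsed["update"]:
        print(" ", describe(rr))
```

Change the name in SAMPLE_UPDATE to a domain controller's name and the point becomes obvious: the message is just as well-formed, and a zone set to Yes has no basis on which to refuse it.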
Practice: Configuring Zones
In this practice, you configure zones. In Exercise 1 you create a forward and a reverse lookup zone for the DNS service. In Exercise 2 you configure the zones you created in Exercise 1 for DDNS. In Exercise 3 you add a PTR resource record for a reverse lookup zone.
Exercise 1: Creating Zones
In this exercise, you create a forward lookup zone and a reverse lookup zone.
To create a forward lookup zone
Click Start, point to Programs, point to Administrative Tools, and then click DNS.
The DNS console window appears.
Double-click SERVER1 (or the name of your computer).
The Forward Lookup Zones and Reverse Lookup Zones folders appear.
Right-click SERVER1, then click New Zone.
The New Zone Wizard appears.
Click Next to continue.
The Zone Type page appears.
Ensure that Standard Primary is selected, and then click Next.
The Forward or Reverse Lookup Zone page appears.
Ensure that Forward Lookup Zone is selected, and then click Next.
The Zone Name page appears.
Type training.microsoft.com and click Next. (If you are on a network, check with your network administrator to make sure it is OK to use this as your DNS domain name.)
The Zone File page appears.
Ensure that Create A New File With This File Name is selected and that the name of the file to be created is TRAINING.MICROSOFT.COM.DNS. (If you did not use training.microsoft.com as the domain name in Step 7, this will be the domain name you typed in Step 7 with a .dns extension.)
Click Next.
The Completing the New Zone Wizard page appears.
Click Finish.
To create a reverse lookup zone
Right-click SERVER1, and then click New Zone.
The New Zone Wizard appears.
Click Next to continue.
The Zone Type page appears.
Ensure that Standard Primary is selected, and then click Next.
The Forward or Reverse Lookup Zone page appears.
Ensure that Reverse Lookup Zone is selected, and then click Next.
The Reverse Lookup Zone page appears.
Ensure that Network ID is selected, and type 10.10.1 in the Network ID box. (If you are on a network and did not use 10.10.1.1 as your static IP address, type in the octets identifying your network ID.)
NOTE
In the Name box at the bottom of the screen, notice that the in-addr.arpa name is typed in and is 1.10.10.in-addr.arpa. If you did not use 10.10.1.1, your name will match the IP address that you are using.
Click Next.
The Zone File page appears.
Ensure that Create A New File With This File Name is selected and that the name of the file to be created is 1.10.10.in-addr.arpa.dns. (If you did not use 10.10.1 as your Network ID in Step 5, the file name will match the IP address that you used.)
Click Next.
The Completing the New Zone Wizard page appears.
Review the information on the Completing the New Zone Wizard page, then click Finish.
Exercise 2: Configuring DDNS Service
In this exercise, you configure the DNS service to allow dynamic updates for
forward and reverse lookup zones.
To configure DDNS
In the DNS console tree, double-click SERVER1 (or the name of your server).
Double-click Forward Lookup Zones, and then double-click training.microsoft.com. (If you did not use training.microsoft.com as your DNS domain name, double-click your DNS domain name.)
Right-click training.microsoft.com (or your DNS domain name), and then click Properties.
The training.microsoft.com Properties dialog box appears. (If you did not use training.microsoft.com as your DNS domain name, the name of the dialog box will reflect your DNS domain name.)
In the Allow Dynamic Updates? list on the General tab, select Yes, and click OK.
This configures DDNS for the forward lookup zone.
Double-click Reverse Lookup Zones, then click 10.10.1.x Subnet or the reverse lookup zone you created in Exercise 1.
Right-click 10.10.1.x Subnet, then click Properties.
The 10.10.1.x Subnet Properties dialog box appears.
In the Allow Dynamic Updates? list on the General tab, select Yes, then click OK.
This configures DDNS for the reverse lookup zone.
Exercise 3: Adding a Resource Record
In this exercise, you practice adding a PTR resource record for a zone.
To add a PTR resource record for a zone
In the console tree, click Reverse Lookup Zones.
Click 10.10.1.x Subnet. (If you did not use 10.10.1.1 as the static IP address for your server name, click the appropriate subnet.)
What types of resource records exist in the reverse lookup zone?
In the console tree, right-click 10.10.1.x Subnet (if you did not use 10.10.1.1 as the static IP address for your server name, click the appropriate subnet), then click New Pointer.
In the Host IP Number box, type 1 in the highlighted octet of your IP address (if you did not use 10.10.1.1 as the static IP address for your server name, then enter the appropriate octet value from the IP address that you used).
In the Host Name box, type the fully qualified domain name of your computer, followed by a period. For example, if your computer name is SERVER1, type server1.microsoft.com. Remember to include the trailing period.
You can also browse through the existing DNS records by clicking Browse.
Click OK.
A Pointer record appears in the details pane.
Close the DNS console.
Answers
The reverse lookup zone contains a Start of Authority (SOA) record and a Name Server (NS) record; the DNS service creates both automatically when the zone is created.
Lesson Summary
In this lesson you learned that the DNS service provides the option of dividing up the namespace into one or more zones, which can then be stored, distributed, and replicated to other DNS servers. The DNS namespace represents the logical structure of your network resources, and DNS zones provide physical storage for these resources.
You also learned how to configure forward and reverse lookup zones and that
directory-integrated primary zones are strongly recommended and provide the following benefits: multimaster update and enhanced security, automatic zone replication when new domain controllers are added, simplified administration with integrated namespace storage, and faster replication.
You learned how to add resource records and delegate zones when new subdomains are added. You also learned that the DNS service includes a dynamic update capability called DDNS, by which name servers and clients within a network automatically update the zone database files.
In the practice portion of this lesson, you created a forward and a reverse lookup zone for the DNS service, configured the zones for DDNS, and added a PTR
resource record for a reverse lookup zone.