DNS Zone Storage

Your DNS zone information is stored in one of two places: in a text file or in Active Directory. When you create a primary or stub zone, you can choose where to store the zone file. Secondary zone files are stored only as text files.

Storing Your Zone Information in a Text File

When you choose to store zone information in a text file, it is stored by default in %systemroot%\system32\dns. The filename can be whatever you want; typically it is [zone name].DNS (for example, microsoft.com.dns). Normally, you edit your zone file through the Microsoft Management Console (MMC) snap-in for DNS, but if you stop the DNS service, you can edit the text zone file directly. If a record spans more than one line, the portion that continues across the line breaks must be enclosed in parentheses. Comments in the DNS zone file are preceded by a semicolon (;). Figure 8-10 shows an example DNS zone file.

Figure 8-10: DNS zone file

The records contained in a DNS zone file are described here.

SOA Record The first record in a DNS zone file should be the Start of Authority (SOA) record. The SOA record consists of the following fields:

IN SOA <source machine> <contact email> <serial number> <refresh time> <retry time> <expiration time> <minimum time to live>

Source Machine This references the host on which this file was created.

Contact Email The e-mail address of the person responsible for this zone file. The @ in the e-mail address should be replaced with a period (.).

Serial Number The serial number of this version of the zone file database, which is used for version control.

Refresh Time The time, in seconds, for which this information is considered current. This informs a secondary server how long to wait before downloading a new copy of the zone file.

Retry Time In the case of a failed zone transfer, this informs a secondary server how long to wait before attempting to retry. This field is also in seconds.

Expiration Time The time, in seconds, for which this information is considered valid. This informs a secondary server how long to wait before discarding the data altogether. This counter is reset if a successful zone transfer occurs. So, as long as the secondary server can see the primary server, the data will not be discarded.

Minimum Time to Live The minimum Time to Live (TTL) is returned with each answer to a name resolution request. It is the minimum time, in seconds, for which a requester should cache a name-to-IP mapping. The default minimum TTL is 1 hour. A value of 0 tells the requester not to cache the data.

Other Records The other records in the DNS zone file inherit the TTL from the SOA Resource Record (RR), but you can override that in individual records. Let’s break down the individual records. The syntax is <name> <class> <type> <data>.

  • Name The host or record name you are resolving.

  • Class Contains the standard text indicating the class of the resource record. IN indicates that the resource record belongs to the Internet class. This is the only class Windows DNS supports.

  • Type This field indicates the resource record type. For example, A indicates that the resource record stores host address information.

  • Data This field contains the record-specific data. The format of this record varies, depending on which record it is used for.
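The following parser, added here as an example and not taken from the book, reads a zone file in the layout just described: semicolon comments are stripped, a record whose fields continue across line breaks inside parentheses is joined back into one logical record, the SOA is required to come first, and every other record inherits the SOA minimum TTL unless it carries its own. It also applies the refresh/retry/expire rules from the SOA field descriptions to show when a secondary polls again and when it stops serving the zone. The sample zone text, the example.com names and addresses, and the timer sanity thresholds in check_soa_timers are constructed for this example; the file layout mirrors what the chapter shows in Figure 8-10.

```python
"""Parse a Windows-style DNS zone text file and evaluate its SOA timers (added example)."""
from dataclasses import dataclass

# Constructed sample in the layout the DNS service writes under %systemroot%\system32\dns.
SAMPLE_ZONE = """\
;  Database file example.com.dns for example.com zone (constructed sample).
;      Zone version:  2024010501
@                       IN  SOA ns1.example.com. hostmaster.example.com. (
                        2024010501   ; serial number
                        900          ; refresh
                        600          ; retry
                        86400        ; expire
                        3600       ) ; minimum TTL
@                       IN  NS   ns1.example.com.
ns1                     IN  A    192.0.2.1
www                     IN  A    192.0.2.10
mail              600   IN  A    192.0.2.25
@                       IN  MX   10 mail.example.com.
"""

SOA_FIELDS = ("serial", "refresh", "retry", "expire", "minimum")


@dataclass
class Record:
    name: str
    ttl: int
    rclass: str
    rtype: str
    data: str


def _logical_lines(text):
    """Strip ';' comments and join a parenthesised multi-line record into one line."""
    buf, depth = [], 0
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].rstrip()
        if not line.strip() and depth == 0:
            continue                      # comment-only or blank line
        # Keep leading whitespace of the first physical line: a blank owner
        # column means "same name as the previous record".
        buf.append(line if not buf else line.strip())
        depth += line.count("(") - line.count(")")
        if depth == 0:
            yield " ".join(buf).replace("(", " ").replace(")", " ")
            buf = []
    if depth != 0:
        raise ValueError("unbalanced parentheses in zone file")


def parse_zone(text):
    """Return (soa_dict, records) for a zone file; records inherit the SOA minimum TTL."""
    soa, records, last_name, default_ttl = None, [], None, None
    for line in _logical_lines(text):
        tokens = line.split()
        name = last_name if line[0].isspace() else tokens.pop(0)
        last_name = name
        ttl = int(tokens.pop(0)) if tokens and tokens[0].isdigit() else None
        rclass = tokens.pop(0).upper() if tokens and tokens[0].upper() == "IN" else "IN"
        rtype = tokens.pop(0).upper()
        if rtype == "SOA":
            if soa is not None or records:
                raise ValueError("SOA must be the first record in the zone file")
            nums = [int(x) for x in tokens[2:7]]
            soa = {"mname": tokens[0], "rname": tokens[1], **dict(zip(SOA_FIELDS, nums))}
            default_ttl = soa["minimum"]
        elif soa is None:
            raise ValueError("SOA must be the first record in the zone file")
        records.append(Record(name, default_ttl if ttl is None else ttl, rclass, rtype, " ".join(tokens)))
    return soa, records


def contact_email(rname):
    """Undo the zone-file encoding: the first '.' stands for '@', trailing dot dropped."""
    return rname.rstrip(".").replace(".", "@", 1)


def check_soa_timers(soa):
    """Sanity checks on the timers (thresholds are this example's assumptions)."""
    warnings = []
    if soa["retry"] >= soa["refresh"]:
        warnings.append("retry should be shorter than refresh")
    if soa["expire"] <= soa["refresh"] + soa["retry"]:
        warnings.append("expire should exceed refresh + retry, or one missed window drops the zone")
    if soa["minimum"] == 0:
        warnings.append("minimum TTL 0 tells resolvers not to cache")
    return warnings


def secondary_serves(soa, last_success, now):
    """A secondary keeps answering until `expire` seconds pass since its last good transfer."""
    return now - last_success < soa["expire"]


def next_poll(soa, last_attempt, succeeded):
    """Next contact with the primary: after refresh on success, after retry on failure."""
    return last_attempt + (soa["refresh"] if succeeded else soa["retry"])


if __name__ == "__main__":
    soa, records = parse_zone(SAMPLE_ZONE)
    print("SOA:", soa, "contact:", contact_email(soa["rname"]))
    for r in records:
        print(f"{r.name:6} {r.ttl:6} {r.rclass} {r.rtype:4} {r.data}")
    print("warnings:", check_soa_timers(soa))
```

Running the block prints the parsed SOA, each record with its effective TTL (www gets the inherited 3600, mail keeps its explicit 600), and any timer warnings. The parser deliberately raises on an unbalanced parenthesis and on a zone whose first record is not the SOA, since both are the errors you are most likely to introduce when editing the file by hand with the DNS service stopped.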

Storing Zone Information in Active Directory

Active Directory–integrated zones are stored as a container in the Active Directory tree under the domain object container. The Active Directory database is an Extensible Storage Engine (ESE) database file named ntds.dit, which is created when you promote a server to a domain controller. The container object is named after the zone name you chose when creating the zone.

Benefits of Active Directory Integration

Storing your DNS zones in Active Directory is the preferred method for WS03 servers because it provides the following benefits:

Fault Tolerance Storing DNS in Active Directory provides fault tolerance for your DNS zones, because DNS zone information is stored on every domain controller in your domain. Even though a certain domain controller may not have the DNS service running on it, it still has a copy of the database, since the Active Directory database is replicated to each domain controller. This prevents loss of the DNS database if the DNS server is lost.

Multi-Master Update WS03 Active Directory allows for multi-master update, which means that several copies of the DNS database exist, and any one of them can be updated. Since Active Directory–integrated DNS zones are stored in the Active Directory database, each domain controller holds a copy of the zone. When a new domain controller is added, the DNS database is replicated to that domain controller. Any WS03 domain controller running the DNS Server service can update the master copy of the DNS zone.

This is a significant enhancement to the DNS system, which typically has a single point of failure, with the master copy of the database being in a local file on one server. Using a standard DNS server, if the primary server is not available, DNS updates cannot be made.

Security Active Directory–integrated zones allow for the use of Access Control Lists (ACLs) to restrict access to zones or records in a zone. For example, you can restrict a zone so that only specific users or computers are allowed to update records in that zone. This is known as secure dynamic update, and it is the default for Active Directory–integrated zones.

Better Performance Standard DNS zones require that the entire zone be replicated to the secondary servers when a record is changed. Active Directory–integrated zones replicate only deltas, or changes. This greatly reduces the amount of replication traffic and streamlines database replication on the network. The DNS changes are replicated using Active Directory replication, so you don’t have to worry about planning for DNS zone replication. This also reduces administrative overhead.


IIS 6: The Complete Reference
ISBN: 0072224959
Year: 2005
Pages: 193