Designing DNS Zones

Previous page
Table of content
Next page

Each zone type that is available in Windows Server 2003 DNS has a specific purpose. The DNS designer in your organization selects the type of zones to deploy based on the practical purpose of each zone. The DNS administrators in your organization manage and maintain your DNS zones. Figure 3.8 shows the process for designing DNS zones.

click to expand
Figure 3.8: Designing DNS Zones

Choosing a Zone Type

Design zones to correspond to your network administration infrastructure. If a site in your network is administered locally, deploy a zone for the subdomain. If a department has a subdomain, but no administrator, keep the subdomain in the parent zone. Decide whether or not to store your zones in Active Directory. Active Directory distributes data using a multimaster replication model that provides more security than standard DNS. With the exception of secondary zones, you can store all zone types in Active Directory because all other zones are considered primary zones. When designing DNS zones, host each zone on more than one DNS server.

Decide which type of zone to use, based on your domain structure. For each zone type, with the exception of secondary zones, decide whether to deploy file-based zones or Active Directory-integrated zones.

Primary Zones

Deploy primary zones that correspond to your planned DNS domain names. You cannot store both an Active Directory-integrated and a file-based primary copy of the same zone on the same DNS server.

Secondary Zones

Add secondary zones if you do not have an Active Directory infrastructure. If you do have an Active Directory infrastructure, use secondary zones on DNS servers that are not serving as domain controllers. A secondary zone contains a complete copy of a zone. Therefore, use secondary zones to improve zone availability at remote sites if you do not want zone data propagated across a WAN link by means of Active Directory replication.

Stub Zones

A stub zone is a copy of a zone that contains only the original zone's start of authority (SOA) resource record, the name server (NS) resource records listing the authoritative servers for the zone, and the glue address (A) resource records that are needed to identify these authoritative servers.

A DNS server that is hosting a stub zone is configured with the IP address of the authoritative server from which it loads. DNS servers can use stub zones for both iterative and recursive queries. When a DNS server hosting a stub zone receives a recursive query for a computer name in the zone to which the stub zone refers, the DNS server uses the IP address to query the authoritative server, or, if the query is iterative, returns a referral to the DNS servers listed in the stub zone.

Stub zones are updated at regular intervals, determined by the refresh interval of the SOA resource record for the stub zone. When a DNS server loads a stub zone, it queries the zone's primary servers for SOA resource records, NS resource records at the zone's root, and glue address (A) resource records. The DNS server attempts to update its resource records at the end of the SOA resource record's refresh interval. To update its records, the DNS server queries the primary servers for the resource records listed earlier.

You can use stub zones to ensure that the DNS server that is authoritative for a parent zone automatically receives updates about the DNS servers that are authoritative for a child zone. To do this, add the stub zone to the server that is hosting the parent zone. Stub zones can be either file-based or Active Directory-integrated. If you use Active Directory-integrated stub zones, you can configure them on one computer and let Active Directory replication propagate them to other DNS servers running on domain controllers.

Although conditional forwarding is the recommended method for making your servers aware of other namespaces, you can also use stub zones for this. For more information about using stub zones, see Help and Support Center for Windows Server 2003.

Note

Only DNS servers running Windows Server 2003 and BIND 9 support stub zones.

Stub Zones and Conditional Forwarding

Stub zones and conditional forwarding are Windows Server 2003 DNS features that enable you to control the routing of DNS traffic over a network. These features enable a DNS server to respond to a query by doing one of the following:

  • Providing a referral to another DNS server.

  • Forwarding the query to another DNS server.

A stub zone enables a DNS server that is hosting a parent zone to be aware of the names and IP addresses of DNS servers that are authoritative for a child zone, even if the DNS server does not have a complete copy of the child zone. In addition, when a stub zone is used, the DNS server does not have to send queries to the DNS root servers. If the stub zone for a child zone is hosted on the same DNS server as the parent zone, the DNS server that is hosting the stub zone receives a list of all new authoritative DNS servers for the child zone when it requests an update from the stub zone's primary server. In this way, the DNS server that is hosting the parent zone maintains a current list of the authoritative DNS servers for the child zone as the authoritative DNS servers are added and removed.

Use conditional forwarding if you want DNS servers in one network to perform name resolution for DNS clients in another network. You can configure DNS servers in separate networks to forward queries to each other without querying DNS servers on the Internet. If DNS servers in separate networks forward DNS client names to each other, the DNS servers cache this information. This enables you to create a direct point of contact between DNS servers in each network and reduces the need for recursion.

If you are using a stub zone and you have a firewall between DNS servers in the networks, then DNS servers on the query/resolution path must have port 53 open. However, if you are using conditional forwarding and you have a firewall between DNS servers in each of the networks, the requirement to have port 53 open only applies to the two DNS servers on either side of the firewall.

Active Directory-Integrated Zones

If your DNS topology includes Active Directory, use Active Directory-integrated zones. Active Directory-integrated zones enable you to store zone data in the Active Directory database. Zone information on any primary DNS server within an Active Directory-integrated zone is always replicated.

Because DNS replication is single-master, a primary DNS server in a standard primary DNS zone can be a single point of failure. In an Active Directory-integrated zone, a primary DNS server cannot be a single point of failure because Active Directory uses multimaster replication. Updates that are made to any domain controller are replicated to all domain controllers and the zone information on any primary DNS server within an Active Directory-integrated zone is always replicated. Active Directory-integrated zones:

  • Enable you to secure zones by using secure dynamic update.

  • Provide increased fault tolerance. Every Active Directory-integrated zone can be replicated to all domain controllers within the Active Directory domain or forest. All DNS servers running on these domain controllers can act as primary servers for the zone and accept dynamic updates.

  • Enable replication that propagates changed data only, compresses replicated data, and reduces network traffic.

If you have an Active Directory infrastructure, you can only use Active Directory-integrated zones on Active Directory domain controllers. If you are using Active Directory-integrated zones, you must decide whether or not to store Active Directory-integrated zones in the application directory partition.

You can combine Active Directory-integrated zones and file-based zones in the same design. For example, if the DNS server that is authoritative for the private root zone is running on an operating system other than Windows Server 2003 or Windows 2000, it cannot act as an Active Directory domain controller. Therefore, you must use file-based zones on that server. However, you can delegate this zone to any domain controller running either Windows Server 2003 or Windows 2000.

Storing Active Directory-Integrated Zones in Application Directory Partitions

Windows Server 2003 Active Directory enables you to configure an application directory partition that limits the scope of replication. Data stored in an application directory partition is replicated to a subset of domain controllers. This subset is determined by the replication scope of the data. In the default configuration of Windows Server 2003 Active Directory, DNS application directory partitions are present only on the domain controllers that run the DNS Server service. By storing Active Directory-integrated zones in an application directory partition, you can reduce the number of objects that are stored in the global catalog, and you can reduce the amount of replication traffic within a domain.

In contrast, Active Directory-integrated zones that are stored in domain directory partitions are replicated to all domain controllers in the domain. Storing Active Directory-integrated zones in an application directory partition allows replication of DNS data to domain controllers anywhere in the same Active Directory forest.

When you are setting up your Active Directory environment and installing the first Windows Server 2003 domain controller in the forest, if you install DNS, two Windows Server 2003 DNS application directory partitions are created by default. A forest-wide DNS application directory partition called ForestDNSZones will be created, and for each domain in the forest, a domain-wide DNS application directory partition called DomainDNS Zones will be created.

Choosing a Propagation Method

After you decide which zone each DNS server hosts, decide how to propagate the zones among the servers. Propagated zones provide higher availability, improve query response time, and reduce network traffic produced by name queries. However, propagated zones require storage space and increase network traffic. If your network is distributed and managed at different sites, use subdomains for these sites. If you do not have a distributed network, avoid using subdomains when possible.

In Windows Server 2003, zones are propagated by means of file-based zone transfer or Active Directory replication. If you use file-based zones, file-based zone transfer is the method of propagation. If you have Windows Server 2003 and Windows 2000 Active Directory-integrated zones, use Active Directory replication.

File-Based Zone Transfer

Windows Server 2003 and Windows 2000 DNS support both incremental and full zone transfer of file-based zones. Incremental zone transfer is the default method, but if this method is not supported by a third-party DNS server that is involved in the transfer, DNS servers running Windows Server 2003 and Windows 2000 transfer the full zone.

Incremental zone transfer, described in RFC 1995:Incremental Zone Transfer in DNS, provides better use of available network bandwidth. Rather than sending the entire contents of the zone file, the primary server only transfers the incremental changes in the zone. This reduces the impact of DNS zone transfers on network traffic. Without incremental zone transfers, the primary server transfers the entire zone file to the secondary server every time a DNS zone is updated.

Windows Server 2003 DNS uses full zone transfer when zones must be transferred to DNS servers that do not support incremental zone transfer, such as DNS servers running on Windows NT 4.0 or earlier versions of BIND 8.

Active Directory Replication

Active Directory replication propagates zone changes between domain controllers. Replication processing differs from DNS full zone transfers, in which the DNS server transfers the entire zone. Replication processing also differs from incremental zone transfers, in which the server transfers all changes made since the last change.

Active Directory zone replication provides the following additional benefits:

  • Network traffic is reduced because the domain controllers only send the final result of all changes.

  • When a zone is stored in Active Directory, replication occurs automatically. No additional configuration is required.

  • When Active Directory zone replication occurs between sites, zone data that is greater than the default transfer size is automatically compressed before it is transferred. This compression decreases the network traffic load.

After careful analysis, you can partition and delegate your DNS zones based on what is required for providing efficient and fault-tolerant name service to each location or site.

If you are using Active Directory-integrated zones in a Windows Server 2003 domain, you must select an Active Directory-integrated zone replication scope. When selecting a replication scope, note that network traffic increases as you broaden the replication scope. For example, if you choose to replicate Active Directory-integrated DNS zone data to all DNS servers in the forest, this produces greater network traffic than replicating the DNS zone data to all DNS servers in a single Active Directory domain in that forest. Balance your need to minimize replication traffic against your need to minimize zone query traffic. The DNS administrators in your organization are responsible for managing zone replication.

Table 3.8 lists the replication options for Active Directory-integrated zone data.

Table 3.8: Replication Options for Active Directory-Integrated Zone Data

Option

Description

When to Use

All DNS servers in the Active Directory forest

The zone data replicates to all the DNS servers running on Windows Server 2003-based domain controllers in all domains of the Active Directory forest.

You want the broadest scope of replication. This option generally produces the most zone replication traffic. Note that you can choose this option only if all DNS servers hosting an Active Directory-integrated copy of this zone run Windows Server 2003.

All DNS servers in a specified Active Directory domain

The zone data replicates to all DNS servers running on Windows Server 2003-based domain controllers in the specified Active Directory domain. This option is the default setting for Active Directory-integrated DNS zone replication.

(The specified Active Directory domain is the domain hosted by the domain controller on which the DNS server hosting the zone is running.)

You do not need the zone to be replicated throughout the forest and you want to limit zone replication traffic. This option produces less zone replication traffic than replicating the zone to all DNS servers in the forest or to all domain controllers in the domain. If you choose this option, the zone data does not replicate to DNS servers running on Windows 2000-based domain controllers.

All domain controllers in the Active Directory domain

The zone data replicates to all domain controllers in the specified Active Directory domain, whether or not the DNS Server service runs on the domain controllers in the domain.

You host an Active Directory-integrated copy of this zone on a DNS server running on a Windows 2000-based domain controller.

All domain controllers specified in the replication scope of a DNS application directory partition

The zone data replicates to all the domain controllers specified in the replication scope of the DNS application directory partition.

You want to customize zone replication scope for your organization. With this option, you can minimize zone replication traffic while maximizing functionality. However, this option requires more administrative overhead. You can choose this option only if all DNS servers hosting an Active Directory-integrated copy of this zone run Windows Server 2003.

Migrating Zones to Windows Server 2003 DNS Servers

You can migrate zones to DNS servers running Windows Server 2003 in one of two ways:

  • By using zone transfer.

  • By copying the zone files.

If you copy the zone files, you must manually verify the integrity of the zones. Regardless of the method that you use to migrate zones, you must decide whether to take the original DNS server offline, or to use it as a secondary server. If you determine that the original third-party DNS server causes interoperability problems on your network, or if you need to use that server hardware for another purpose, take the server offline. Otherwise, keep the server on you network to provide backup for your primary DNS server running Windows Server 2003.

For more information about using zone transfer, see "Initiate a zone transfer at a secondary server" in Help and Support Center for Windows Server 2003.



Previous page
Table of content
Next page
Microsoft Corporation Microsoft Windows Server 2003 Deployment Kit(c) Deploying Network Services 2003
Microsoft Corporation Microsoft Windows Server 2003 Deployment Kit(c) Deploying Network Services 2003
ISBN: N/A
EAN: N/A
Year: 2004
Pages: 146
BUY ON AMAZON
Absolute Beginner[ap]s Guide to Project Management
CISSP Exam Cram 2
SQL Tips & Techniques (Miscellaneous)
A+ Fast Pass
Quartz Job Scheduling Framework: Building Open Source Enterprise Applications
Digital Character Animation 3 (No. 3)
flylib.com © 2008-2017.
If you may any questions please contact us: flylib@qtcs.net
Privacy policy