Configuring and Managing DNS Zones


Configuring DNS zones includes setting zone options, enabling secure dynamic updates, and configuring AD-integrated zones.

Now that you have forward and reverse lookup zones created on your Windows Server 2003 DNS server, let's explore the DNS zone options next.

Configuring Zone Options

In the DNS Console, right-click the forward or reverse lookup zone and choose Properties. Your zone's General tab displays as shown in Figure 6.7.

Figure 6.7. Forward Lookup Zone Properties, General tab.


The zone properties dialog box on Windows Server 2003 is very similar to the zone properties dialog box on Windows 2000 Server. One difference is the General tab on Windows 2003 DNS Server. Added beneath Status and Type is Replication along with a Change button. Click the Change button to change the replication scope for an AD zone. The Active Directory Zone Replication Scope dialog box opens. This dialog box previously appeared under the heading Create a Forward Lookup Zone (step 5 in the list that described how to install forward and reverse lookup zones).

If you have installed AD on your Windows Server 2003, your zone type by default is Active Directory (AD) Integrated. AD-integrated zones store their zone information in Active Directory's database. To change the zone type to primary, secondary, or stub zone (discussed later), click the Change button. You can also change zone types using the dnscmd command-line tool.

Note

If you select the secondary or stub zone type, you must specify the source or primary DNS server IP address that is used for obtaining updated zone information.
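The same zone-type and replication-scope changes driven from the command line with dnscmd, as an added example that is not from the book. The server name, zone names and IP addresses are constructed placeholders, and the stub zone shown is assumed to already exist on the server:

```batch
@echo off
REM Added example (not from the book): inspect and change a zone's type and
REM AD replication scope with dnscmd. Names and addresses are placeholders.
setlocal
set DNSSERVER=dc1.corp.example
set ZONE=corp.example

REM Show the current zone type, whether it is DS (AD) integrated, and the
REM dynamic update mode before changing anything.
dnscmd %DNSSERVER% /ZoneInfo %ZONE%

REM Convert a file-backed primary zone to AD-integrated (/DsPrimary); the
REM zone data moves from the zone file into the directory.
dnscmd %DNSSERVER% /ZoneResetType %ZONE% /DsPrimary
if errorlevel 1 goto :fail

REM Replicate to every DNS server in the domain (the Change button beside
REM Replication on the General tab). Other choices: /forest (all DNS servers
REM in the forest) and /legacy (all domain controllers in the domain).
dnscmd %DNSSERVER% /ZoneChangeDirectoryPartition %ZONE% /domain
if errorlevel 1 goto :fail

REM A secondary or stub zone must be given the IP address of the master it
REM loads from; here an existing zone for a child domain (placeholder name)
REM is made a stub zone sourced from that domain's DNS server.
dnscmd %DNSSERVER% /ZoneResetType child.corp.example /Stub 192.0.2.20
if errorlevel 1 goto :fail

endlocal
exit /b 0

:fail
echo dnscmd failed; check the message above and confirm you are a member of DnsAdmins or Domain Admins.
endlocal
exit /b 1
```

Run the script from a command prompt on the DNS server (or a workstation with the Windows Server 2003 Support Tools installed) as a member of DnsAdmins or Domain Admins; re-run `dnscmd /ZoneInfo` afterwards to confirm the type and update mode that the GUI's General tab will now show.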


The zone property tabs and their descriptions are listed in Table 6.1.

Table 6.1. Zone Property Tabs

General: View status; view or change zone type; view or change replication scope; view or change dynamic updates; set aging and scavenging properties.

Start of Authority (SOA): Information on the primary server; refresh and retry intervals; expire and TTL settings.

Name Servers: The fully qualified domain names (FQDNs) of the zone's name servers, with options to add, edit, and remove name servers.

WINS: Option to enable WINS forward lookup for down-level clients.

Zone Transfers: Allows zone transfers to any server, only to the servers listed in the Name Servers tab, or only to specific servers. Click the Notify button to choose which secondary servers are notified of changes.

Security: Configure permissions for AD-integrated zones.

Active Directory-Integrated Zones and Secure Dynamic Updates

AD-integrated zones store and replicate DNS information as part of the AD database replication. AD-integrated zones are created on domain controllers hosting DNS. Each DC contains a read-write copy of the zone information stored in AD. In the Dynamic Updates section on the General properties tab, Secure Only is selected by default. Secure dynamic updates are supported only for AD-integrated zones. Clients using secure dynamic updates automatically register and update their own resource records with the DNS server.

Using secure dynamic updates eases DNS administration and reduces the need to manually add and update resource records. Properly configured DHCP servers can dynamically register records for down-level clients such as Windows NT and Windows 98 computers. As a good security practice, you should not change the default dynamic update setting unless you have a valid reason. For example, a Unix DNS server on your network that does not support the latest version of BIND is a good reason to choose the medium-security dynamic update option, Nonsecure and Secure.

Note

In an AD domain, you should always try to use secure dynamic updates for maximum security. Larger companies with mixed Windows clients, such as NT workstations and Windows 98 clients, should deploy a DHCP server and, on the DNS tab of the DHCP server options, select Always Update DNS and check Enable Updates for DNS Clients That Do Not Support Dynamic Update. Down-level, non-DNS-aware clients then use DHCP to dynamically register their DNS records.


Zone Transfers and Security

Secondary DNS servers receive their zone information from the master DNS server. The Zone Transfers tab has options to send zone transfers To Any Server, Only to Servers Listed on the Name Servers Tab, or Only to the Following Servers. For the last option, you add DNS servers by typing their IP addresses and clicking the Add button.

Windows 2000 and Windows Server 2003 both support incremental zone transfers. Early implementations of DNS supported only full zone transfers. With incremental zone transfers, only the zone changes that occur on the primary DNS server are transferred and synchronized with the secondary DNS server, reducing DNS network traffic. The primary server can be configured to notify selected secondary servers as soon as a change is made; otherwise, the secondary servers query the primary at each Refresh Interval. The Notify button is located on the Zone Transfers tab of the zone's Properties page. After clicking the Notify button, you can specify the secondary servers to be automatically notified when the zone changes. You use this list to restrict zone transfer notification and access to specific servers.
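The secure dynamic update setting from the previous section and the zone transfer restrictions described here, applied together from the command line with dnscmd, as an added example that is not from the book. The server name, zone name and secondary server addresses are constructed placeholders; the AllowUpdate values follow the zone's update setting (0 none, 1 nonsecure and secure, 2 secure only):

```batch
@echo off
REM Added example (not from the book): lock down dynamic updates and zone
REM transfers on one zone with dnscmd. Server, zone and IPs are placeholders.
setlocal
set DNSSERVER=dc1.corp.example
set ZONE=corp.example
REM Secondary servers allowed to pull the zone and to be notified of changes
set SECONDARIES=192.0.2.10 192.0.2.11

REM 1. Dynamic updates: 0 = none, 1 = nonsecure and secure, 2 = secure only.
REM    Secure-only is available only for an AD-integrated zone.
dnscmd %DNSSERVER% /Config %ZONE% /AllowUpdate 2
if errorlevel 1 goto :fail

REM 2. Zone transfers: allow only the listed secondaries (the GUI's "Only to
REM    the Following Servers") and notify only those same servers, so a
REM    host that is not on the list can neither pull the zone nor be told
REM    when it changes. /SecureNs would instead allow the servers on the
REM    Name Servers tab; /NonSecure allows any server.
dnscmd %DNSSERVER% /ZoneResetSecondaries %ZONE% /SecureList %SECONDARIES% /NotifyList %SECONDARIES%
if errorlevel 1 goto :fail

REM 3. Read back the effective settings to confirm both changes took effect.
dnscmd %DNSSERVER% /ZoneInfo %ZONE%

endlocal
exit /b 0

:fail
echo dnscmd reported an error configuring %ZONE% on %DNSSERVER%.
endlocal
exit /b 1
```

The read-back step matters in practice: a zone left at "To Any Server" lets any host on the network pull the whole zone, so after scripting the change, verify the secondaries list and the update mode on each primary rather than trusting the script's exit code alone.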

Exam Alert

To perform these procedures, you must be a member of the Domain Admins or DnsAdmins group in AD, or you must be delegated the appropriate authority. Microsoft likes to test your knowledge of group memberships for various activities.


Another method used for assigning DNS administration tasks is to delegate control. Delegations are used to separate servers in the same domain so that certain individuals or groups can manage one server and others can manage other servers. To create a zone delegation, right-click the domain to which you want to delegate control and choose New Delegation. The New Delegation Wizard guides you through the process.



MCSA/MCSE Managing and Maintaining a Windows Server 2003 Environment Exam Cram 2 (Exam Cram 70-292)
ISBN: 0789730111
Year: 2006
Pages: 132
