Recipe 13.8. Creating a Stub Zone

Stub zones are a new feature in Windows Server 2003, so this recipe will not work on Windows 2000.


Problem

You want to create a stub zone to improve the efficiency of name resolution, avoid creating secondaries in some situations, or keep delegated zone information current without manual intervention.

Solution

Using a graphical user interface

  1. Open the DNS snap-in (dnsmgmt.msc).

  2. Connect to the DNS Server you want to modify. In the left pane, right-click on DNS and select Connect to DNS Server. Select The following computer and enter the target server name. Click OK.

  3. Expand the server in the left pane and click on Forward Lookup Zones.

  4. Right-click on Forward Lookup Zones and select New Zone.

  5. Click Next.

  6. Select the option beside Stub Zone and click Next.

  7. Enter the zone name and click Next.

  8. Fill out the information for the remaining screens, which vary depending on whether you are creating a file-based or Active Directory-integrated zone.

Using a command-line interface

To create a file-based stub zone, use the following command:

> dnscmd <ServerName> /zoneadd <ZoneName> /stub <ServerList> /file <FileName>

<ZoneName> should be the name of the zone you want to create the stub for; <ServerList> should be a space-separated list of IP addresses of servers that are authoritative for the stub; and the /file <FileName> parameter is optional for file-based stub zones only and should specify the filename where the zone information is stored.

Here is an example:

> dnscmd /zoneadd rallencorp.com /stub 6.10.6.24 17.7.16.18

To create an Active Directory-integrated stub zone, replace the /stub option with /dsstub and do not include a /file option. For example:

> dnscmd /zoneadd rallencorp.com /dsstub 6.10.6.24 17.7.16.18

Using VBScript
' This code creates a file-based stub zone
' ------ SCRIPT CONFIGURATION ------
strServer = "<ServerName>"   ' e.g., dns01
strNewZone = "<ZoneName>"    ' e.g., rallencorp.com
strFileName = "<FileName>"   ' e.g., rallencorpstubzone.dns (THIS IS OPTIONAL)
arrMasterIPs = Array("<IP1>","<IP2>") ' replace <IP1,2> with IPs of master server
' ------ END CONFIGURATION ---------
on error resume next
set objDNS = GetObject("winMgmts:\\" & strServer & "\root\MicrosoftDNS")
set objDNSZone = objDNS.Get("MicrosoftDNS_Zone")
' CreateZone arguments in order: zone name, zone type (2 = stub),
' DS-integrated flag, data file name, master server IPs
strNull = objDNSZone.CreateZone(strNewZone,2,false,strFileName,arrMasterIPs)
if Err then
   WScript.Echo "Error occurred creating zone: " & Err.Description
else
   WScript.Echo "Zone created."
end if

' This code creates an Active Directory-integrated stub zone
' ------ SCRIPT CONFIGURATION ------
strServer = "<ServerName>"   ' e.g., dns01
strNewZone = "<ZoneName>"    ' e.g., rallencorp.com
arrMasterIPs = Array("<IP1>","<IP2>") ' replace <IP1,2> with IPs of master server
' ------ END CONFIGURATION ---------
on error resume next
set objDNS = GetObject("winMgmts:\\" & strServer & "\root\MicrosoftDNS")
set objDNSZone = objDNS.Get("MicrosoftDNS_Zone")
' The data file name argument is omitted because the zone is stored in Active Directory
strNull = objDNSZone.CreateZone(strNewZone,2,true,,arrMasterIPs)
if Err then
   WScript.Echo "Error occurred creating zone: " & Err.Description
else
   WScript.Echo "Zone created."
end if

Discussion

Stub zones are a new kind of zone supported in Windows Server 2003 that let you create a more efficient and automated name resolution topology. Consider the following scenario. You are preparing to deploy Active Directory and you plan on creating a subdomain called ad.rallencorp.com to be the root of your AD forest. You create the delegation on your root DNS servers (by creating NS records) for ad.rallencorp.com that points at one of the domain controllers the AD team is using to host the AD DNS namespace. Your root DNS servers will be authoritative for rallencorp.com and the domain controllers using Active Directory-integrated DNS will be authoritative for ad.rallencorp.com. There is nothing unusual here, but there is some support overhead in maintaining the delegation relationship between the root DNS servers and the AD DNS servers (i.e., maintaining the list of NS records). Normally, you wouldn't want to delegate to just one server because that is a single point of failure. And the AD team may enable DNS on several domain controllers. With Microsoft DNS on Windows 2000, your only option would be to manually create NS records for each domain controller on your root servers. With Windows Server 2003, you can actually automate the process by creating a stub zone.

In this example, you'd create a stub zone on your root DNS server for ad.rallencorp.com. You then specify a couple of "master" server IPs (i.e., pick a couple of the domain controllers running DNS) and you are done. Periodically the root servers will go out to the master IPs and refresh their list of NS records for the stub zone automatically. In fact, you can't modify the contents of a stub zone because it is maintained through this automatic process. Changes must be made in the source zone before they'll show up in the stub zone.

There are three resource record types you'll see in a stub zone:


Start of Authority (SOA)

This record contains various zone properties such as the primary nameserver(s), administrative contact, default time to live, etc.


Name Server (NS)

There will be one NS record for each authoritative name server for the source zone of the stub zone.


Glue Address (A)

There will be at least one A record for every name server that has an NS record. These glue records are necessary so that clients can determine the IP address of a host defined in an NS record (which only contains host names).
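
The three record types listed above can be turned into a check. The PowerShell function below is an added example, not code from the book: it tests a record listing for exactly one SOA, at least one NS, and A records only as glue for NS hosts. The function name, the host names dc1, dc2 and www, the 10.0.0.x addresses and the simplified one-record-per-line input format are assumptions made for the illustration.

```powershell
# Added example. $sample is constructed data in a simplified "owner type data"
# form (one record per line); it is not output captured from a real server.
$sample = @'
@    SOA  dc1.ad.rallencorp.com. hostmaster.ad.rallencorp.com. 42 900 600 86400 3600
@    NS   dc1.ad.rallencorp.com.
@    NS   dc2.ad.rallencorp.com.
dc1  A    10.0.0.11
www  A    10.0.0.80   ; not a name server, so not glue
'@

# Test-StubZoneContent is a hypothetical helper name, not a built-in cmdlet.
# NS targets are expected to be fully qualified (trailing dot optional).
function Test-StubZoneContent {
    param([string]$ZoneName, [string]$Text)
    $zone = $ZoneName.TrimEnd('.').ToLower()
    $findings = @(); $nsHosts = @(); $glue = @{}; $soaCount = 0
    foreach ($raw in ($Text -split "`r?`n")) {
        $line = ($raw -replace ';.*$', '').Trim()          # strip comments
        if (-not $line) { continue }
        $owner, $type, $data = $line -split '\s+', 3
        if (-not $data) { $findings += "unparsed line: $line"; continue }
        # Expand the owner to a fully qualified, lower-case name.
        if ($owner -eq '@') { $fqdn = $zone }
        elseif ($owner.EndsWith('.')) { $fqdn = $owner.TrimEnd('.').ToLower() }
        else { $fqdn = "$owner.$zone".ToLower() }
        switch ($type) {                                   # matching is case-insensitive
            'SOA'   { $soaCount++ }
            'NS'    { $nsHosts += $data.TrimEnd('.').ToLower() }
            'A'     { $glue[$fqdn] = $true }
            default { $findings += "unexpected $type record at $fqdn" }
        }
    }
    if ($soaCount -ne 1) { $findings += "expected 1 SOA record, found $soaCount" }
    if ($nsHosts.Count -eq 0) { $findings += 'no NS records' }
    foreach ($ns in $nsHosts) {
        if (-not $glue.ContainsKey($ns)) { $findings += "NS $ns has no glue A record" }
    }
    foreach ($name in $glue.Keys) {
        if ($nsHosts -notcontains $name) { $findings += "A record $name is not glue for any NS" }
    }
    $findings
}

Test-StubZoneContent -ZoneName 'ad.rallencorp.com' -Text $sample
```

The function returns one string per finding; an empty result means the listing matches the three record types described above.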

Stub zones aren't for everyone and they generally won't have a place in organizations that don't have subdomains or a discontiguous namespace.


See Also

Recipe 13.9 and MS KB 811118 (Support WebCast: Microsoft Windows Server 2003 DNS: Stub Zones and Conditional Forwarding)



Windows Server Cookbook
Windows Server Cookbook for Windows Server 2003 and Windows 2000
ISBN: 0596006330
EAN: 2147483647
Year: 2006
Pages: 380
Authors: Robbie Allen
