Lesson 4: Working with Zones

Servers refer to their zones (also called DNS database files or db files) to resolve names. The zones contain resource records that comprise the resource information associated with the DNS domain. For example, some resource records map friendly names to Internet Protocol (IP) addresses, and others map IP addresses to friendly names. Some resource records not only include information about servers in the DNS domain, they serve to define the domain by specifying which servers are authoritative for which zones. In this lesson, you learn how to configure DNS zones in Windows 2000.


After this lesson, you will be able to

  • Implement a delegated zone for DNS
  • Configure zones for dynamic updates

Estimated lesson time: 20 minutes


Delegating Zones

A DNS database can be partitioned into multiple zones. A zone is a portion of the DNS database that contains the resource records with the owner names that belong to the contiguous portion of the DNS name space. Zone files are maintained on DNS servers. A single DNS server can be configured to host zero, one, or multiple zones. Each zone is anchored at a specific domain name referred to as the zone's root domain. A zone contains information about all names that end with the zone's root domain name. A DNS server is considered authoritative for a name if it loads the zone containing that name. The first record in any zone file is a start of authority (SOA) resource record. The SOA resource record identifies a primary DNS name server for the zone as the best source of information for the data within that zone and as an entity processing the updates for the zone.

Names within a zone can also be delegated to other zones. Delegation is a process of assigning responsibility for a portion of a DNS name space to a separate entity. This separate entity could be another organization, department, or workgroup within your company. In technical terms, delegating means assigning authority over portions of your DNS name space to other zones. The name server record that specifies the delegated zone and the DNS name of the server authoritative for that zone represents such delegation. Delegating across multiple zones was part of the original design goal of DNS. The following are the main reasons for the delegation of a DNS name space:

  • To delegate management of a DNS domain to a number of organizations or departments within an organization
  • To distribute the load of maintaining one large DNS database among multiple name servers to improve the name resolution performance as well as create a DNS fault-tolerant environment
  • To allow for hosts' organizational affiliations by including them in appropriate domains

Name server (NS) resource records facilitate delegation by identifying the DNS servers for each zone. They appear in all forward and reverse lookup zones. Whenever a DNS server needs to cross a delegation, it refers to the NS resource records for the DNS servers in the target zone. In Figure 10.11, the management of the microsoft.com domain is delegated across two zones: microsoft.com and mydomain.microsoft.com.

Figure 10.11 The microsoft.com domain delegated across two zones

Understanding DNS Zones and Domains

Domain name servers store information about part of the domain name space called a zone. The name server is authoritative for a particular zone. A single name server can be authoritative for many zones. Understanding the difference between a zone and a domain is sometimes confusing.

A zone is simply a portion of a domain. For example, the domain microsoft.com may contain all of the data for microsoft.com, marketing.microsoft.com, and development.microsoft.com. However, the zone microsoft.com contains only information for microsoft.com and references to the authoritative name servers for the subdomains. The zone microsoft.com can contain the data for subdomains of microsoft.com if they have not been delegated to another server. For example, marketing.microsoft.com may manage its own delegated zone, while the parent, microsoft.com, manages development.microsoft.com. If there are no subdomains, then the zone and the domain are essentially the same; in this case the zone contains all data for the domain.
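As an added example (not code from the training kit), the following model shows how a server holding the microsoft.com zone decides whether it answers a query from its own data or hands back a referral across the delegation to mydomain.microsoft.com, and includes the glue check a practitioner would want when setting up a delegation. All owner names and addresses are constructed from the lesson's figure.

```python
# Added example: zone data, delegation lookup and referral for microsoft.com.
# Names and addresses are constructed for illustration.
ZONE_ROOT = "microsoft.com."

# (owner, type) -> list of rdata. The NS RRset at mydomain.microsoft.com. is the
# delegation; the A record for ns1.mydomain.microsoft.com. is its glue.
ZONE = {
    (ZONE_ROOT, "SOA"): ["ns1.microsoft.com. hostmaster.microsoft.com. 2004010101 3600 900 604800 86400"],
    (ZONE_ROOT, "NS"): ["ns1.microsoft.com."],
    ("ns1.microsoft.com.", "A"): ["10.0.0.1"],
    ("www.microsoft.com.", "A"): ["10.0.0.10"],
    ("mydomain.microsoft.com.", "NS"): ["ns1.mydomain.microsoft.com."],
    ("ns1.mydomain.microsoft.com.", "A"): ["10.0.1.1"],
}

def in_zone(name):
    """A zone covers every name that ends with its root domain name."""
    return name == ZONE_ROOT or name.endswith("." + ZONE_ROOT)

def delegation_point(name):
    """Closest delegated subzone enclosing name, or None if this zone answers itself.
    Checks suffixes from just below the apex down to the full name."""
    labels = name.rstrip(".").split(".")
    apex_len = len(ZONE_ROOT.rstrip(".").split("."))
    for i in range(len(labels) - apex_len - 1, -1, -1):
        cut = ".".join(labels[i:]) + "."
        if cut != ZONE_ROOT and (cut, "NS") in ZONE:
            return cut
    return None

def missing_glue(cut):
    """Name servers inside the delegated zone whose addresses the parent does not hold."""
    return [ns for ns in ZONE[(cut, "NS")] if ns.endswith("." + cut) and (ns, "A") not in ZONE]

def resolve(name, rtype):
    """Answer from zone data, hand back a referral, or report the negative result."""
    if not in_zone(name):
        return {"status": "REFUSED"}  # not authoritative; a real server recurses or forwards
    cut = delegation_point(name)
    if cut:
        ns = ZONE[(cut, "NS")]
        glue = {n: ZONE[(n, "A")] for n in ns if n.endswith("." + cut) and (n, "A") in ZONE}
        return {"status": "REFERRAL", "zone": cut, "ns": ns, "glue": glue}
    if (name, rtype) in ZONE:
        return {"status": "NOERROR", "answer": ZONE[(name, rtype)]}
    exists = any(owner == name for owner, _ in ZONE)
    return {"status": "NODATA" if exists else "NXDOMAIN"}
```

A delegation whose in-zone name servers have no glue at the parent cannot be followed, which is why missing_glue is worth running after adding NS records in the wizard.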

NOTE

All domains (or subdomains) that appear as part of the applicable zone delegation must be created in the current zone prior to performing a zone delegation as described next. As necessary, use the DNS console to first add domains to the zone before completing the procedure that follows.

Follow these steps to create a zone delegation:

  1. Click Start, point to Programs, point to Administrative Tools, then click DNS.
  2. In the console tree, right-click your subdomain and then click New Delegation, as illustrated in Figure 10.12.

    The New Delegation wizard appears.

    Figure 10.12 Adding a new delegation server

  3. Click Next.
  4. In the Delegated Domain Name dialog box, type a delegated domain name, then click Next.
  5. In the Name Servers dialog box, click Add to specify names and IP addresses of DNS servers you want to have host the delegated zone.

    The New Resource Record dialog box appears, allowing you to specify DNS servers.

  6. Type the DNS server name, click Add, and then click OK.
  7. In the Name Servers dialog box, click Next.
  8. Click Finish to close the New Delegation wizard.

Configuring Zones for Dynamic Update

DNS was originally designed to support only static changes to a zone database. Because of the design limitations of static DNS, adding, removing, or modifying resource records could only be done manually by a DNS system administrator. For example, a DNS system administrator would edit records on a zone's primary server and the revised zone database would then be propagated to secondary servers during zone transfer. This design is workable when the number of changes is small and updates occur infrequently, but is otherwise quite inefficient.

Windows 2000 provides client and server support for the use of dynamic updates. Dynamic updates enable DNS client computers to register and dynamically update their resource records with a DNS server whenever changes occur. This reduces the need for manual administration of zone records, especially for clients that frequently move or change locations and use DHCP to obtain an IP address.

By default, computers that run Windows 2000 and are statically configured for TCP/IP attempt to dynamically register host and pointer resource records for IP addresses that are configured and used by their installed network connections. Dynamic updates can be sent for any of the following reasons or events:

  • An IP address is added, removed, or modified in the TCP/IP properties configuration for any one of the installed network connections.
  • An IP address lease changes or renews with the DHCP server for any one of the installed network connections; for example, when the computer is started or if the ipconfig /renew command is used.
  • The ipconfig /registerdns command is used to manually force a refresh of the client name registration in DNS.
  • The computer is turned on.

Dynamic Update Requirements

For DNS servers, the DNS service allows dynamic update to be enabled or disabled on a per-zone basis at each server configured to load either a standard primary or directory-integrated zone. By default, client computers running any version of Windows 2000 dynamically update their host resource records in DNS when configured for TCP/IP. When DNS zones are stored in the Active Directory database, DNS is configured by default to accept dynamic updates.

NOTE

Windows 2000 DNS servers support dynamic updates. The DNS server provided with Windows NT Server 4.0 does not.

For a request for a dynamic update to be performed, several prerequisite conditions can be configured. Each prerequisite must be satisfied for an update to occur. After all prerequisites are met, the zone's primary server can proceed with an update of its local zones. Some examples of prerequisites that can be set are:

  • A required resource record or resource record set already exists or is in use prior to an update.
  • A required resource record or resource record set does not exist or is not in use prior to an update.
  • A requester is permitted to initiate an update of a specified resource record or resource record set.
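As an added example (not code from the training kit), the following shows how a zone's primary server evaluates the three kinds of prerequisite listed above before touching its zone data, and applies the update only when all of them hold. The zone content, requester names and the UPDATE_ACL policy are constructed assumptions; the prerequisite kinds and response codes follow RFC 2136, the dynamic update standard Windows 2000 DNS implements.

```python
# Added example: prerequisite checks for a dynamic update, RFC 2136 style.
# Zone content, requester names and UPDATE_ACL are constructed for illustration.
import copy

APEX = "microsoft.com."
ZONE = {  # (owner, type) -> list of rdata strings
    (APEX, "SOA"): ["ns1.microsoft.com. hostmaster.microsoft.com. 2004010101 3600 900 604800 86400"],
    (APEX, "NS"): ["ns1.microsoft.com."],
    ("pc1.microsoft.com.", "A"): ["10.0.0.50"],
}
# Which requester may change which owner name (the "requester is permitted" prerequisite).
UPDATE_ACL = {"pc1.microsoft.com.": {"pc1$"}, "pc2.microsoft.com.": {"pc2$", "dhcpsrv$"}}

def check_prerequisites(zone, prereqs, requester):
    """Evaluate every prerequisite in order; the first failure yields its RFC 2136 rcode."""
    for kind, name, rtype in prereqs:
        name_used = any(owner == name for owner, _ in zone)
        if kind == "rrset_exists" and (name, rtype) not in zone:
            return "NXRRSET"
        if kind == "rrset_absent" and (name, rtype) in zone:
            return "YXRRSET"
        if kind == "name_in_use" and not name_used:
            return "NXDOMAIN"
        if kind == "name_not_in_use" and name_used:
            return "YXDOMAIN"
        if kind == "may_update" and requester not in UPDATE_ACL.get(name, set()):
            return "REFUSED"
    return "NOERROR"

def apply_update(zone, prereqs, updates, requester):
    """Return (rcode, zone). A new zone is produced only when all prerequisites hold."""
    rcode = check_prerequisites(zone, prereqs, requester)
    if rcode != "NOERROR":
        return rcode, zone  # the primary leaves its zone untouched
    new = copy.deepcopy(zone)
    for op, name, rtype, rdata in updates:
        if op == "add":
            rrset = new.setdefault((name, rtype), [])
            if rdata not in rrset:
                rrset.append(rdata)
        elif op == "delete_rrset":
            new.pop((name, rtype), None)
    # Bump the SOA serial so secondaries pick up the change at the next zone transfer.
    soa = new[(APEX, "SOA")][0].split()
    soa[2] = str(int(soa[2]) + 1)
    new[(APEX, "SOA")] = [" ".join(soa)]
    return "NOERROR", new
```

A client re-registering after a DHCP renewal would send a delete of its old A RRset plus an add of the new address, guarded by a may_update prerequisite; a second client trying to claim an owner name that is already in use is turned away with YXDOMAIN before any record changes.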

For client computers to be registered and updated dynamically with a DNS server, you must do one of the following:

  • Install or upgrade client computers to Windows 2000.
  • Install and use a Windows 2000 DHCP server on your network to lease IP addresses to client computers.

Practice: Enabling Dynamic Updates

In this practice, you make it possible for DNS client computers to register and dynamically update their resource records with a DNS server whenever changes occur by enabling dynamic updates for a DNS zone.

Exercise 1: Allowing Dynamic Updates

  1. Click Start, point to Programs, point to Administrative Tools, and then click DNS.

    The DNS administrative console appears.

  2. In the console tree, right-click your zone, and then click Properties.

    The Zone Properties dialog box appears, as illustrated in Figure 10.13.

    Figure 10.13 Zone Properties dialog box

  3. In the Allow Dynamic Updates list box, click Yes.
  4. Click OK to close the Zone Properties dialog box.
  5. Close the DNS administrative console.

Lesson Summary

Delegation is a process of assigning responsibility for a portion of a DNS name space to a separate entity. Name server (NS) resource records facilitate delegation by identifying the DNS servers for each zone. They appear in all forward and reverse lookup zones. Windows 2000 provides client and server support for the use of dynamic updates. Dynamic updates enable DNS client computers to register and dynamically update their resource records with a DNS server whenever changes occur.



MCSE Training Kit(c) Microsoft Windows 2000 Accelerated 2000
Year: 2004
Pages: 244
