Configuring Zones

All operations on managing Microsoft DNS Server can be performed by using a GUI tool — the DNS snap-in, or from the command prompt — with the DnsCmd.exe utility. This utility is standard in Windows .NET, and has been included in the Windows 2000 Support Tools pack. The Windows .NET version of the utility has many new commands, since it allows users to work with application directory partitions. (However, you need to use the NTDSutil.exe tool to manage the partition replicas.)


The DNS snap-in allows you to manage a local as well as one or more remote DNS servers.

Let us consider some aspects of managing zones on a Windows .NET DNS Server. Most of the issues discussed are also applicable to Windows 2000 DNS server.

Fig. 4.1 shows the main window of the DNS snap-in that contains authoritative zones (and their subdomains, or nodes) created by default for a sample forest. Let us discuss these zones in more detail.

A primary updatable reverse zone 192.168.1.x (with the real name has been created manually and requires no comments.

There are two authoritative zones for the forest root domain (net.dom): net.dom and (called the domain system zone). The former zone is stored in the DomainDnsZones application partition, whereas the latter one is stored in the ForestDnsZones application partition. As you can see, the corresponding DNS subdomains for these zones have been created within the main authoritative zone. In a similar way, any application partition with the net.dom suffix will have appropriate subdomains within that zone.

An authoritative zone for the domain has been automatically created within the main net.dom zone after the first domain controller for the child domain has been created and rebooted. As you might notice, this zone is also stored in the DomainDnsZones application partition and, therefore, will be replicated to all DNS servers in the net.dom domain. If such default behavior does not meet your requirements, you can rebuild it at any moment or create all necessary zones manually from scratch (after the first domain controller's installation).

Fig. 4.2 illustrates the same DNS configuration that is shown in Fig. 4.1, i.e., the clients performing DNS queries will not notice any differences in these configurations. However, in fact, there are many important distinctions that concern the child domain zones. Two independent zones — and — have been created. Since these are authoritative zones, you can manage their storage method as well as their replication scope. You may use built-in application partitions or create your own partition scheme that will store DNS information for the entire forest.

click to expand
Fig. 4.2: An example of manually created zones

It is possible to safely change DNS configuration (the zones themselves as well as their properties) at any time. However, you must be sure that all necessary resource records have been re-registered after any changes have been made and all clients will be able to resolve DNS queries without interruption.

In Fig. 4.3, you can see a zone property window. (Note that the Security tab appears for Active Directory-integrated zones only.) Let us discuss a few important zone property features that have been added to Windows .NET DNS Server. These features can be selected when a zone is created as well as changed for an existing zone.

click to expand
Fig. 4.3: Properties of a DNS zone on a Windows .NET DNS Server

As you might notice in Fig. 4.4, Windows .NET DNS Server supports a new zone type — stub zone. Stub zones allow the root DNS server (that holds the forest authoritative zone, e.g., net.dom) to remain aware of the DNS servers authoritative for a delegated child zone (e.g.,

click to expand
Fig. 4.4: Zone types

In Fig. 4.5, you can see all zone replication scopes supported by Windows .NET DNS Server. To change the replication scope for a zone, it is also possible to use the DnsCmd command-line utility. To view the contents of an application partition, use the ADSI Edit snap-in or the dnscmd /ZonePrint command. The following sample command allows you to quickly view all replicas of an application partition:

click to expand
Fig. 4.5: Zone replication scopes

     C:\>dnscmd /DirectoryPartitionInfo     Directory partition info:       DNS root:       Flags: 0x19 Enlisted Auto Forest       State: 0       Zone count: 4       DP head: DC=ForestDnsZones,DC=net,DC=dom       Crossref: CN=4579c777-4ff0-46ec-9ef5-b825de36f677,CN=Partitions,CN=Con...    Replicas: 2      CN=NTDS Settings,CN=NETDC2,CN=Servers,CN=NET-Site,CN=Sites,CN=Configur...      CN=NTDS Settings,CN=NETDC1,CN=Servers,CN=NET-Site,CN=Sites,CN=Configur... Command completed successfully. 

The first scope option corresponds to the DomainDnsZones application partition. To change the scope, or to move a zone to a new partition, you can use the command:

     C:\>dnscmd /ZoneChangeDirectoryPartition net.dom /domain     DNS Server moved zone net.dom to new directory partition     Command completed successfully. 

The DNS server name ( is not required if the command is run on the DNS server. As you might notice, one can only move the entire zone, not a subdomain of a zone.

The second scope option corresponds to the ForestDnsZones application partition. To move a zone to the forest new partition, use the command:

     C:\>dnscmd /ZoneChangeDirectoryPartition net.dom /forest 

The third scope option enables the zone to be stored in the domain partition (in the System/MicrosoftDNS container). This is a storage method supported for Active Directory-integrated zones in Windows 2000. The following command is used in this case:

    C:\>dnscmd /ZoneChangeDirectoryPartition net.dom /legacy 

The last option allows you to store the zone in a user-created application directory partition that can be replicated between DNS servers running on any domain controllers that belong to any domains. Remember that you are fully responsible for managing such partitions and should create application replicas to provide DNS fault tolerance and distribute workload on DNS servers. To move a zone to a user created partition, use the command:

     C:\>dnscmd /ZoneChangeDirectoryPartition     $ net.dom, 

where is the DNS name of the application partition.

Windows  .NET Domains & Active Directory
Windows .NET Server 2003 Domains & Active Directory
ISBN: 1931769001
EAN: 2147483647
Year: 2002
Pages: 154 © 2008-2017.
If you may any questions please contact us: