Stands for Zero Administration Kit, a collection of tools, methodologies, and guidelines developed for Microsoft Windows 95, Windows 98, and Windows NT 4 that network administrators can use to implement policy-based management of Windows NT-based networks.
See Also Zero Administration Kit (ZAK)
A collection of tools, methodologies, and guidelines developed for Microsoft Windows 95, Windows 98, and Windows NT 4 that network administrators can use to implement policy-based management of Windows NT-based networks.
Overview
Microsoft Corporation developed the Zero Administration Kit (ZAK) as part of its Zero Administration Initiative for Microsoft Windows (ZAW), a multifaceted approach designed to reduce the cost and effort of installing, configuring, and managing desktop workstations. ZAW was intended to provide tools and procedures that would simplify the administration of logons, security, applications, and other functions. The ZAK was the first result of the ZAW initiative, and it enabled administrators of Windows 95-, Windows 98-, and Windows NT 4-based networks to
Manage the configuration of users' desktops from a central location without having to visit each computer. For example, you can specify exactly which applications the user can run, the appearance of the desktop, and where user data might be saved.
Restrict local access to users' desktops. For example, you could lock down the desktops to prevent users from performing actions that might result in costly help desk calls, such as installing unapproved applications or modifying critical system files.
Configure applications and data to be stored on network servers. This facilitated upgrading of applications, enabled centralized backup, and provided improved security by enabling administrators to download applications from the network and use local hard drives for caching.
Implementation
The ZAK relied on NTFS file system permissions together with Windows NT system policies and user profiles. Administrators could use the predefined set of system policies to override default local settings and use standard user profiles to configure and manage users' desktops from a central location. The ZAK included two preconfigured modes of operation, though advanced administrators could also create their own custom network configurations. The default modes were:
TaskStation Mode: A desktop configuration designed for a "task-oriented" user such as a bank teller or a data entry clerk. This mode was ideal for users who required access to only one line-of-business application. TaskStation Mode completely locked down users' desktops and booted directly into Microsoft Internet Explorer or some other specified application. The user had no access to the Microsoft Windows Start button, taskbar, Task Manager, Control Panel, file system, or context menus in this mode of operation.
AppStation Mode: A desktop configuration that is designed for typical "knowledge workers" who might use three or four business applications every day but may lack the knowledge and experience to configure or troubleshoot the system or install other applications. This mode provided users with a constrained Windows interface that allowed them access to only those applications they needed in order to perform their jobs. The user had no access to Task Manager, Control Panel, the file system, or context menus in this mode.
Notes
The Windows NT 4 ZAK has now been superseded by the IntelliMirror and Group Policy features in Windows 2000, Windows XP, and Windows .NET Server. These features provide greater management and control of user desktops and applications than the ZAK provided.
For More Information
You can find ZAK at www.microsoft.com/windows/zak.
See Also Group Policy, IntelliMirror
In AppleTalk networking, a logical grouping of computers on a network.
Overview
A zone is to legacy AppleTalk networks of Apple Macintosh computers what a virtual LAN (VLAN) is to Ethernet networks. In other words, a zone is a logical way of grouping computers together on a network regardless of the physical network segment they each reside upon. For example, a single zone may span several network segments, and multiple zones can be assigned to the same physical network.
Information concerning which zone a particular computer is in is propagated throughout an AppleTalk network using a protocol called the Zone Information Protocol (ZIP). Each computer maintains information about the zones other machines reside in using a local zone information table (ZIT). Administrators can configure which zone a computer belongs to by using the Chooser utility on that machine.
Computers that belong to the same zone have access to the same set of shared resources on the network. If a user moves to a different physical network, the user can still belong to the same zone provided the router interface in the user's new location belongs to that zone.
Notes
The term zone is also used to refer to a zone of authority, a portion of the Domain Name System (DNS) namespace that is managed by a particular name server.
See Also AppleTalk
A file on a name server that contains information about a zone in which the name server is authoritative.
Overview
A zone file is a text file consisting of a series of resource records that form the Domain Name System (DNS) database of the name server. These records identify the domain and subdomains that the name server is responsible for managing, Internet Protocol (IP) address to host name mappings for hosts within these domains and subdomains, timing parameters for zone transfers between primary and secondary name servers, and other data.
A name server typically has at least three zone files:
<root_domain>.dns: The forward lookup zone file that is used to resolve host names into IP addresses for Transmission Control Protocol/Internet Protocol (TCP/IP) hosts over which the name server has authority. In the example that follows, the root domain is microsoft.com, and therefore the zone file is microsoft.com.dns.
z.y.x.w.in-addr.arpa.dns: The reverse lookup zone file for the forward lookup zone, which is used to resolve IP addresses into host names for TCP/IP hosts over which the name server has authority. Here z.y.x.w is the network ID with its octets written in reverse order. In the following example, the network ID is 192.250.100.0, so the reverse lookup zone file is 100.250.192.in-addr.arpa.dns.
cache.dns: A standard file that exists on all name servers and that contains the host names and IP addresses of name servers on the Internet that maintain the root domain of the entire DNS namespace.
Examples
A typical zone file might look like this:
; Database file microsoft.com.dns for microsoft.com. zone.
@         IN  SOA    dns1.microsoft.com. admin.microsoft.com. (
              12       ; serial number
              3600     ; refresh
              600      ; retry
              86400    ; expire
              3600 )   ; minimum TTL
; Zone NS records
@         IN  NS     dns1
@         IN  NS     dns2
; Zone A records
dns1      IN  A      192.250.100.10
dns2      IN  A      192.250.100.11
proxy1    IN  A      192.250.100.101
fred      IN  A      192.250.100.102
wilma     IN  A      192.250.100.103
localhost IN  A      127.0.0.1
www       IN  CNAME  fred
ftp       IN  CNAME  wilma
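The following is an added example and is not part of the encyclopedia entry: a small parser for the master-file format used above, with helpers that read the SOA serial, resolve a name through CNAME records, and derive the matching reverse-lookup (in-addr.arpa) zone name and PTR records for the 192.250.100.0 network described in the zone file list. The embedded zone text repeats the example records; every function and helper name is an assumption made for this illustration.

```python
# Added example, not from the encyclopedia entry; sample data and helper
# names are constructed for illustration.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed sample: the microsoft.com.dns records above, with the SOA in
# the parenthesised multi-line form of the RFC 1035 master-file format.
SAMPLE_ZONE = """\
; Database file microsoft.com.dns for microsoft.com. zone.
@       IN  SOA dns1.microsoft.com. admin.microsoft.com. (
            12      ; serial number
            3600    ; refresh
            600     ; retry
            86400   ; expire
            3600 )  ; minimum TTL
; Zone NS records
@       IN  NS  dns1
@       IN  NS  dns2
; Zone A records
dns1    IN  A   192.250.100.10
dns2    IN  A   192.250.100.11
proxy1  IN  A   192.250.100.101
fred    IN  A   192.250.100.102
wilma   IN  A   192.250.100.103
localhost IN A  127.0.0.1
www     IN  CNAME fred
ftp     IN  CNAME wilma
"""
NAME_RDATA = {"NS", "CNAME", "PTR", "SOA"}   # types whose rdata begins with names

@dataclass
class Record:
    name: str     # owner name, fully qualified with trailing dot
    rtype: str    # A, NS, CNAME, SOA, PTR ...
    rdata: list   # rdata tokens, with names qualified

def qualify(name, origin):
    """Expand '@' and relative names against the zone origin."""
    if name == "@":
        return origin
    return name if name.endswith(".") else f"{name}.{origin}"

def parse_zone(text, origin):
    """Parse master-file text into Records: ';' comments, '@', relative
    names, an optional TTL field and parenthesised multi-line rdata."""
    origin = origin if origin.endswith(".") else origin + "."
    records, pending, depth = [], [], 0
    for raw in text.splitlines():
        toks = raw.split(";", 1)[0].split()            # strip comments
        if not toks and depth == 0:
            continue
        pending.extend(toks)
        depth += sum(t.count("(") - t.count(")") for t in toks)
        if depth > 0:                                   # inside ( ... )
            continue
        toks, pending = [t for t in (p.strip("()") for p in pending) if t], []
        owner, rest = qualify(toks[0], origin), toks[1:]
        if rest[0].isdigit():                           # optional TTL
            rest = rest[1:]
        if rest[0].upper() == "IN":                     # class
            rest = rest[1:]
        rtype, rdata = rest[0].upper(), rest[1:]
        if rtype in NAME_RDATA:
            n = 2 if rtype == "SOA" else 1              # SOA: MNAME, RNAME
            rdata = [qualify(x, origin) for x in rdata[:n]] + rdata[n:]
        records.append(Record(owner, rtype, rdata))
    return records

def soa_serial(records):
    """Serial from the SOA record: the value a secondary compares on refresh."""
    return int(next(r for r in records if r.rtype == "SOA").rdata[2])

def resolve(records, name, max_hops=8):
    """Address for `name` within the zone, following CNAME chains."""
    for _ in range(max_hops):
        by_type = {r.rtype: r for r in records if r.name == name}
        if "A" in by_type:
            return by_type["A"].rdata[0]
        if "CNAME" not in by_type:
            return None
        name = by_type["CNAME"].rdata[0]
    raise ValueError("CNAME chain too long")

def reverse_zone_name(network):
    """Reverse-lookup zone for an octet-aligned IPv4 network,
    e.g. 192.250.100.0/24 -> 100.250.192.in-addr.arpa."""
    net = ip_network(network)
    octets = str(net.network_address).split(".")[: net.prefixlen // 8]
    return ".".join(reversed(octets)) + ".in-addr.arpa"

def reverse_records(records, network):
    """PTR records for every A record whose address lies inside `network`."""
    net = ip_network(network)
    return [Record(ip_address(r.rdata[0]).reverse_pointer + ".", "PTR", [r.name])
            for r in records if r.rtype == "A" and ip_address(r.rdata[0]) in net]
```

Running parse_zone(SAMPLE_ZONE, "microsoft.com") yields the nine records of the example; reverse_records then produces five PTR records, since the localhost entry (127.0.0.1) lies outside 192.250.100.0/24 and so has no place in the 100.250.192.in-addr.arpa zone.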
Notes
Microsoft Windows 2000 gives you the option of integrating DNS with Active Directory directory service. This results in zone information being stored in Active Directory, which has several advantages over traditional implementations of DNS such as Berkeley Internet Name Domain (BIND), in which zone data is stored in text files:
It provides a more efficient mechanism for zone transfers through the domain replication process of Active Directory. This eliminates the chore of manually configuring zone transfers between primary and secondary DNS servers.
It provides additional fault tolerance for the DNS information because all Active Directory integrated zones are primary zones and therefore contain a copy of the zone data.
See Also Active Directory, Berkeley Internet Name Domain (BIND), Domain Name System (DNS), IP address, name server, resource record (RR)
A portion of the Domain Name System (DNS) namespace that is managed by a particular name server.
Overview
A zone of authority (often simply called a zone) is an administrative unit of DNS namespace and can consist of a single DNS domain or a domain combined with some of its subdomains. An example of a domain might be microsoft.com, which might contain the subdomains sales.microsoft.com, support.microsoft.com, and tech.microsoft.com. The name server that administers the microsoft.com domain is said to be authoritative for that domain. The zone of authority for such a name server might be, for example:
Microsoft.com and all three of its subdomains: The name server contains information about all the hosts in Microsoft.com and in each of its three subdomains. This is not a particularly efficient approach, as it concentrates name resolution within a single name server and may place an undue burden upon the DNS administrator of the zone.
Microsoft.com and the two subdomains sales.microsoft.com and support.microsoft.com: Authority for the subdomain tech.microsoft.com would be delegated to a different name server. This approach is useful if the tech.microsoft.com subdomain needs to be managed as a separate entity from the rest of microsoft.com.
Microsoft.com only, with none of its subdomains: Authority for the subdomains is delegated to one or more name servers, and the name server for microsoft.com contains only delegation information about the other name servers and about hosts in the microsoft.com domain. This approach reduces the burden of administering hosts in the microsoft.com domain by distributing it to administrators in one or more delegated zones.
Note that the concepts of a zone and a domain are related: each zone is anchored in a specific domain known as the zone's root domain. However, not all of the subdomains of the domain necessarily belong to that same zone; those that have been delegated belong to different zones. Another way of saying this is that zones are bounded from one another by delegation; that is, each act of delegation creates a new zone.
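As an added illustration of how delegation bounds zones (this is not part of the encyclopedia entry), the code below takes the second arrangement listed above, in which microsoft.com keeps sales and support but delegates tech.microsoft.com, and shows two things: which zone is authoritative for a given name (the nearest enclosing zone apex, because each delegation cuts the parent zone there), and the NS and glue A records the parent must hold to delegate a child. The server names and addresses are constructed, and all function names are assumptions made for this example.

```python
# Added example, not from the encyclopedia entry. Zone layout, server names
# and addresses are constructed for illustration.

# Constructed layout: microsoft.com keeps sales and support; tech is delegated.
ZONES = {
    "microsoft.com.": ["dns1.microsoft.com.", "dns2.microsoft.com."],
    "tech.microsoft.com.": ["ns1.tech.microsoft.com.", "dns2.microsoft.com."],
}

def labels(name):
    """Labels of a domain name, case-folded, without the trailing root dot."""
    return name.rstrip(".").lower().split(".")

def within(name, apex):
    """True if `name` equals `apex` or lies below it in the namespace."""
    n, a = labels(name), labels(apex)
    return len(n) >= len(a) and n[-len(a):] == a

def authoritative_zone(name, zones):
    """Longest-suffix match over zone apexes: a delegation creates a new
    zone, so the nearest apex above the name wins over its parent."""
    enclosing = [apex for apex in zones if within(name, apex)]
    return max(enclosing, key=lambda apex: len(labels(apex)), default=None)

def delegation_records(parent, child, child_ns):
    """Records the parent zone must carry to delegate `child`: one NS per
    child name server, plus a glue A record for any server whose own name
    lies inside the child zone (without glue the referral cannot be followed).
    `child_ns` maps server name -> address, or None for an out-of-zone server."""
    if child == parent or not within(child, parent):
        raise ValueError(f"{child} is not a subdomain of {parent}")
    recs = []
    for ns, addr in child_ns.items():
        recs.append((child, "NS", ns))
        if within(ns, child):
            if addr is None:
                raise ValueError(f"glue address required for in-zone server {ns}")
            recs.append((ns, "A", addr))
    return recs
```

With this layout, www.sales.microsoft.com. resolves to the microsoft.com. zone while host.tech.microsoft.com. belongs to tech.microsoft.com.; a name such as notmicrosoft.com. matches neither apex, because the comparison is label by label rather than by string suffix.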
Each name server must either
Have its own local zone file, which contains the mappings between Internet Protocol (IP) addresses and host names for hosts found in that zone. A primary name server is one that has its own locally stored zone file called a primary zone file, which is implemented on Berkeley Internet Name Domain (BIND) name servers as a text file called a zone file.
or
Download its zone file from another name server using a process known as zone transfer. A secondary name server has no local zone file but downloads it from the primary name server authoritative over the particular zone. This secondary zone file is a read-only file that can only be modified in its original version on the primary name server from which it has been downloaded. Secondary name servers are used in the DNS system mainly to provide redundancy.
Zone of authority. Examples of zones delegated on the domain name system (DNS) namespace.
A single name server can manage one or more zones, depending on how it is configured. For example, a name server might have one zone for the domain microsoft.com and another zone for the domain adventure.expedia.com.
In networks that use Microsoft Windows 2000 and Windows .NET Server, a zone can take yet a third form, called an Active Directory directory-integrated zone. In this type of zone, the zone information is stored in Active Directory directory service instead of in a text file, and it is replicated across the network using the standard directory replication method employed by domain controllers. Windows 2000 DNS also supports dynamic DNS (DDNS) to ease the administrative burden of manually maintaining zone files.
Notes
Do not confuse DNS zones with AppleTalk zones, discussed in the article "zone" elsewhere in this chapter.
See Also Active Directory, Berkeley Internet Name Domain (BIND), domain (DNS), Domain Name System (DNS), dynamic DNS (DDNS), IP address, name server
The process of transferring zone information from a primary name server to a secondary name server.
Overview
Zone transfers are an essential part of the operation of the Domain Name System (DNS). Primary name servers maintain the master copy of the zone information for a particular DNS zone of authority, usually in the form of a text file called a zone file. Secondary name servers then download this information from the primary name server authoritative over their zone using the method of zone transfer. The advantages of this approach are that:
If the primary name server goes down, the secondary name server has a complete, up-to-date copy of the zone file and can handle name resolution requests by DNS clients on the network.
If a large number of DNS clients on the local network are making name resolution requests from a particular zone, these requests can be load balanced between the primary and secondary name servers for that zone.
If the primary name server is located on the remote side of a slow wide area network (WAN) link, placing a secondary name server on the local side reduces bandwidth usage for the WAN link by allowing name resolution requests to be handled locally. In this scenario the only network traffic created by DNS is the occasional zone transfers that take place over the link.
Implementation
Zone transfers generally occur in three circumstances:
When a secondary name server is rebooted.
When the refresh interval for a secondary name server expires. This interval is defined in the start of authority (SOA) record at the beginning of the zone file on the primary name server.
When changes have been made to the zone file on the primary name server and a notify list has been configured on the primary name server. A notify list is a list of Internet Protocol (IP) addresses that specify which secondary name servers are allowed to access zone information on the primary name server for purposes of zone transfer. The primary name server immediately notifies the secondary name server that the zone file has been modified and instructs it to initiate a zone transfer without waiting for the refresh interval to expire.
The secondary name server always initiates a zone transfer. Typically, the secondary name server periodically contacts the primary name server to determine whether any changes have been made to the primary name server's zone file. If so, it initiates a request for a zone transfer. Specifically, when the refresh interval expires on the secondary name server, the following occurs:
The secondary name server requests and receives the SOA record from the primary name server.
The secondary name server compares the serial number in the primary name server's SOA record with the serial number of its own copy of the zone. If they differ, the secondary name server requests a zone transfer from the primary name server.
In standard DNS operation, the entire zone file is then transferred during this process.
Zone transfer. How a typical zone transfer works.
Notes
DNS as implemented on the Microsoft Windows 2000 and Windows .NET Server platforms allows zone information to be transferred incrementally using updates. In other words, the entire contents of the zone file are not sent when a small change is made to a resource record in the zone file. This method is called incremental zone transfer and is defined in RFC 1995.
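The following is an added example, not part of the encyclopedia entry, that simulates the refresh procedure described under Implementation and the incremental transfer mentioned in this note. The secondary fetches the primary's SOA serial, compares it with its own, and only then requests a transfer; the primary answers with a full transfer (AXFR) or, when it still holds every intermediate change the requester needs, an incremental one (IXFR, RFC 1995), and it refuses requests from addresses outside its list of permitted secondaries, in the spirit of the notify list described above. The serial comparison uses the modular serial-number arithmetic of RFC 1982, which goes beyond the plain "differ" test in the entry so that a serial that wraps past 4294967295 is still seen as newer. Class names, method names, sample records and addresses are all constructed for this illustration.

```python
# Added example, not from the encyclopedia entry. Names, records and
# addresses are constructed for illustration.
from dataclasses import dataclass, field

SERIAL_SPACE = 2 ** 32

def serial_newer(candidate, current):
    """RFC 1982 serial-number arithmetic: True if `candidate` is later than
    `current` modulo 2^32, so wrap-around is handled (a plain > is not)."""
    diff = (candidate - current) % SERIAL_SPACE
    return 0 < diff < 2 ** 31

@dataclass
class Primary:
    serial: int
    records: set                      # (owner, type, rdata) tuples
    allowed_secondaries: set          # addresses permitted to transfer the zone
    history: dict = field(default_factory=dict)   # serial -> (deleted, added)

    def soa_serial(self):
        return self.serial

    def update(self, delete=(), add=()):
        """Apply a change, bump the serial, and remember the delta for IXFR."""
        self.history[self.serial] = (set(delete), set(add))
        self.records = (self.records - set(delete)) | set(add)
        self.serial = (self.serial + 1) % SERIAL_SPACE

    def _check(self, requester):
        if requester not in self.allowed_secondaries:
            raise PermissionError(f"zone transfer refused for {requester}")

    def axfr(self, requester):
        """Full transfer: the whole zone at the current serial."""
        self._check(requester)
        return self.serial, set(self.records)

    def ixfr(self, requester, since):
        """Incremental transfer from serial `since`; falls back to AXFR when
        the primary no longer holds every intermediate delta."""
        self._check(requester)
        deltas, s = [], since
        while s != self.serial:
            if s not in self.history:
                return "AXFR", self.axfr(requester)
            deltas.append(self.history[s])
            s = (s + 1) % SERIAL_SPACE
        return "IXFR", (self.serial, deltas)

@dataclass
class Secondary:
    address: str
    serial: int = 0
    records: set = field(default_factory=set)
    last_action: str = "none"

    def refresh(self, primary):
        """The steps from the entry: fetch the SOA, compare serials, transfer."""
        if not serial_newer(primary.soa_serial(), self.serial):
            self.last_action = "up-to-date"
            return self.last_action
        kind, payload = primary.ixfr(self.address, self.serial)
        if kind == "AXFR":
            self.serial, self.records = payload
        else:
            new_serial, deltas = payload
            for deleted, added in deltas:
                self.records = (self.records - deleted) | added
            self.serial = new_serial
        self.last_action = kind
        return kind

def notify(primary, secondaries):
    """After a change the primary prompts its listed secondaries, which then
    run the normal refresh check without waiting for the refresh interval."""
    return {s.address: s.refresh(primary)
            for s in secondaries if s.address in primary.allowed_secondaries}
```

A fresh secondary (serial 0) has no history on the primary and therefore receives a full AXFR; after one update on the primary, the same secondary's next refresh is served as an IXFR carrying only the single delta, while a secondary whose address is not on the allowed list is refused before any zone data leaves the primary.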
An advantage of using directory-integrated DNS zones on Windows 2000 and Windows .NET Server is that the dnsZone object container in Active Directory can be secured using Windows 2000 access control lists (ACLs) for greater security.
See Also Domain Name System (DNS), incremental zone transfer, name server