Section 3.6: Name Servers
You can configure DNS name servers in different name server roles, affecting how the DNS name server stores and maintains its database. A Windows Server 2003 DNS server can be either a primary or secondary DNS server. You need both a primary and a secondary DNS server to provide database redundancy, a degree of fault tolerance and to serve each zone.
• A Primary Name Server is a DNS server that gets the data for its zones from the local DNS database files. When a change is made to the zone data, such as delegating a portion of the zone to another DNS server or adding hosts in the zone, the change must be made on the primary DNS server so that the new information is entered in the local zone file.
• A Secondary Name Server gets its zone data file from the primary DNS server that is authoritative for that zone. The primary DNS server sends a copy of the zone file to the secondary DNS server in a process referred to as a zone transfer. The deployment of a secondary name server within a zone provides three advantages:
• Redundancy - you should implement at least one primary and one secondary name server for each zone. These computers should be as independent as possible and should be located on different subnets to provide continual support for DNS name queries if one subnet should go down.
• Faster access for remote locations - secondary name servers prevents clients in remote locations from communicating across slow links for name resolution.
• Reduction of load - secondary name servers reduce the load on the primary server.
Because information for each zone is stored in separate files, this primary or secondary designation is defined at a zone level. This means that a particular name server may be a primary name server for certain zones and a secondary name server for other zones.
• A Master Name Server must be designated when you define a zone on a DNS name server as a secondary zone. This serves as the source from which zone information is obtained. The source of zone information for a secondary name server in a DNS hierarchy is referred to as a master name server. A master name server can be either a primary or secondary name server for the requested zone. When a secondary name server starts up, it contacts its master name server and initiates a zone transfer with that server.
• A Caching-only Server performs name resolution on behalf of clients and then cache the results. They are not configured to be authoritative for a zone, so they do not store standard primary or standard secondary zones instead the cache is populated with the most frequently requested names. These names and their associated IP addresses are available from the cache for answering subsequent client queries. Caching-only DNS servers help to reduce traffic across a WAN links as they do not maintain zone files, as do a primary DNS server, nor do they hold a copy of a zone file, as do a secondary DNS server. Therefore, they do not generate zone transfer traffic. You can configuring a Caching-Only DNS Server by installing the DNS Server service on a Windows Server 2003 computer, without configuring any forward or reverse lookup zones.
3.6.2: Zone Transfers
Zone transfer is the process of replicating a zone file to another multiple name server, and is achieved by copying the zone file information from the master server to the secondary server. Zone transfers occur when names and IP address mappings change in your domain. When this happens, the changes to the zone are copied from a master server to its secondary servers. The master server is the source of the zone information, and can be either a primary or secondary server.
In Windows Server 2003, zone information is updated by incremental zone transfer (IXFR), which replicates only changes to the zone file and not the entire zone file. DNS servers that do not support IXFR request the entire contents of a zone file when they initiate a zone transfer. However, Windows NT 4.0, zone information is updated by full zone transfer (AXFR) only. AXFR replicates the entire zone file.
In Windows Server 2003, zone transfers occur when:
• A master server sends a notification of a change in the zone to one or more secondary servers. When the secondary server receives the notification, it queries the master server for the changes.
• A secondary server queries a master server for changes to the zone file. This occurs when the DNS Server service on the secondary server starts, or when the refresh interval on the secondary server expires.
You can configure the frequency of a zone transfer by modifying the Start of Authority (SOA) resource record. The SOA resource record specifies the domains for which the zone is authoritative, and the parameters for how zone transfers occur. It also contains administrative information about the zone.
A secondary server queries its primary server for updates to a zone file and uses the serial number in the SOA resource record to determine whether changes have been made to the zone. If the serial number has changed, a zone transfer occurs to update the records on the secondary server. If a secondary server does not receive updates from its master server, you can use the Nsiookup utility to compare the serial numbers in each server's SOA resource record.
3.6.3: Zone Transfer Security
You can also specify the servers that are authorized to receive zone transfers for the zone by selecting one of the options on the Zone Transfers tab of the Properties dialog box for the zone. These options are:
• To any server, which enables zone information to replicate to any server.
• Only to servers listed on the Name Servers tab, which enables zone information to replicate only to the servers that are listed on the Name Servers tab of the Properties dialog box for the zone. The Name Servers tab contains a list of servers that are in the same domain as the zone.
• Only to the following servers, which specifies whether you want to allow zone transfers only to the servers that you list under IP address on the Zone Transfers tab of the Properties dialog box for the zone.
3.6.4: Active Directory Integrated Zones
Active Directory integrated zone data is stored as an Active Directory object and is replicated as part of domain replication. This provides the following advantages:
• No single point of failure. With Active Directory integrated zones, changes made by using the dynamic update protocol can be made to any server that hosts the Active Directory integrated zone, rather than to a single server.
• Fault tolerance. All Active Directory integrated zones are primary zones. Therefore, each domain controller that hosts an Active Directory integrated zone maintains the zone information. Only domain controllers that reside in the Active Directory domain in which the zone data is stored can host the zone.
• Single replication topology. Zone transfers occur automatically as part of Active Directory replication, eliminating the need to configure replication for DNS and Active Directory separately.
• Secure dynamic updates. With Active Directory integrated zones, you can set permissions on zones and records in those zones. Also, updates that use the dynamic update protocol can come from only authorized computers. You can create Active Directory integrated zones only on servers that are configured as domain controllers and that have the DNS Server service installed on them..