Windows Server DNS Zones Explained

In this guide, I’ll provide a quick overview of the different DNS Zone types for Windows Server and Active Directory.

This will help you better understand and manage DNS and Active Directory.

DNS Zones store DNS resource record information. Some common DNS records include:

  • A Record: Name to IP address mapping
  • CNAME: Maps an alias to the canonical name
  • MX Record: Used to identify mail servers
  • NS Record: Identifies the name servers for a particular zone
  • SOA: Start of Authority records
  • TXT: Allows any text to be inserted into a DNS record

There are many more record types, and without these records, everything would be accessed by an IP address.

DNS Zones provide us with a way to maintain these records on one or more servers.

List of Active Directory DNS Zone Types

Below are the zone types supported by Active Directory.

Active Directory Integrated Zones

Active Directory Integrated Zones store their zone data in Active Directory. Integrated zones can be replicated to all domain controllers in the domain and forest. They use multi-master replication, which means any domain controller running the DNS server service can write updates to the zones for which it is authoritative.

Advantages of Active Directory integrated Zones

  • Replication is faster, more secure, and more efficient
  • Better redundancy due to zone data being copied to all Domain Controllers
  • Improved security if secure dynamic update is enabled
  • No need to schedule or manage zone transfers

Primary Zone

This is the main zone and has a read/write copy of the zone data. All changes to the zone are made in the primary zone and are replicated to the secondary zones.

The zone data is stored in a text file in the folder c:\windows\system32\DNS on the Windows server running DNS.

Secondary Zone

A secondary zone is a read-only copy of the primary zone. This zone cannot process updates and can only retrieve updates from the primary zone. It can answer DNS name resolution queries from client nodes, which helps reduce the workload on the primary zone. Secondary zones cannot be Active Directory integrated.

Stub Zone

Stub zones are like secondary zones but only store partial zone data. These zones are useful to help reduce zone transfers by passing the requests to authoritative servers. These zones only contain the SOA, NS, and A records.

Forward Lookup Zone

A forward lookup zone provides hostname to IP address resolution.

When you access a system or website by its hostname such as DNS checks the forward lookup zone for the IP information related to the hostname.

Reverse Lookup Zone

Reverse lookup zones resolve IP addresses into hostnames.

For example, when you look up the IP it resolves to A reverse DNS record had to be created for the IP to resolve to the hostname.

Reverse lookup zones are not as common as forward lookup zones and in most cases are not needed.

Zone Transfers

Zone transfers take place when zones are not integrated with Active Directory. A zone transfer is where the master DNS server transfers zone data to the secondary.

Zone transfers can occur during any of the following:

  • When the refresh interval expires
  • When a master server sends notification that a change has occurred
  • When the server has rebooted or DNS service has restarted
  • A manual transfer has occurred from the DNS console
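
The sketch below ties together the secure dynamic update advantage listed for Active Directory integrated zones and the zone transfer behaviour described in this section by flagging zones whose settings weaken either one. It is an added example, not part of the original guide: the function name Test-DnsZoneConfig and the sample zones are hypothetical, while the property names and values are those returned by Get-DnsServerZone from the DnsServer module.

```powershell
# Added example: audit zone objects for weak dynamic update and transfer settings.
function Test-DnsZoneConfig {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [object]$Zone
    )
    process {
        # Skip the zones the DNS service creates on its own (0, 127, 255 in-addr.arpa).
        if ($Zone.IsAutoCreated) { return }

        $findings = @()

        # 'NonsecureAndSecure' lets any client register or overwrite records.
        if ("$($Zone.DynamicUpdate)" -eq 'NonsecureAndSecure') {
            $findings += 'accepts nonsecure dynamic updates'
        }
        # Secure dynamic update is only available on AD-integrated zones.
        if ("$($Zone.ZoneType)" -eq 'Primary' -and -not $Zone.IsDsIntegrated) {
            $findings += 'file-backed primary (no secure dynamic update available)'
        }
        # 'TransferAnyServer' hands the full zone to whoever asks for it.
        if ("$($Zone.SecureSecondaries)" -eq 'TransferAnyServer') {
            $findings += 'zone transfer allowed to any server'
        }

        [pscustomobject]@{
            ZoneName     = $Zone.ZoneName
            ZoneType     = $Zone.ZoneType
            ADIntegrated = [bool]$Zone.IsDsIntegrated
            Findings     = if ($findings.Count -gt 0) { $findings -join '; ' } else { 'none' }
        }
    }
}

# Constructed sample zones so the function can be tried without a DNS server.
$sample = @(
    [pscustomobject]@{ ZoneName = 'corp.example'; ZoneType = 'Primary'; IsDsIntegrated = $true
        IsAutoCreated = $false; DynamicUpdate = 'Secure'; SecureSecondaries = 'NoTransfer' }
    [pscustomobject]@{ ZoneName = 'lab.example'; ZoneType = 'Primary'; IsDsIntegrated = $false
        IsAutoCreated = $false; DynamicUpdate = 'NonsecureAndSecure'; SecureSecondaries = 'TransferAnyServer' }
    [pscustomobject]@{ ZoneName = 'partner.example'; ZoneType = 'Secondary'; IsDsIntegrated = $false
        IsAutoCreated = $false; DynamicUpdate = 'None'; SecureSecondaries = 'NoTransfer' }
)
$sample | Test-DnsZoneConfig | Format-Table -AutoSize -Wrap

# On a Windows DNS server, feed it the real zones instead:
#   Get-DnsServerZone | Test-DnsZoneConfig
```

With the constructed data, only lab.example is reported with findings; the other two zones show 'none'.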


16 thoughts on “Windows Server DNS Zones Explained”

  1. Why not AD Integrated using a multi-master replication?
    Answer: Different operating systems needing to use the same Domain Name Service (DNS).
    Specifically, all the different flavors of UNIX cannot take advantage of AD DS Integrated multi-master replication.

  2. @Robert Allen, You have explained DNS Zones very well and you are using the simple language which really helps us.

    I have bookmarked these notes.


  3. This was very simple and helpful. I like how you structured the explanation so succinctly. I am wondering though, why would anyone make a ‘New Zone’ if Active Directory does everything automatically. Is it to limit the DNS to a specific domain? I am always frustrated (not with you) with instruction that doesn’t explain the purpose of things. Most of the schooling I’ve gotten explains how things work and how to do stuff with computers/servers/networks/etc., but they don’t explain the why of it. The how it is used in real life.

    • James good question.

      You would create a new zone so you can resolve a new namespace. For example, I have the zone but I may need to resolve hostnames for a completely different domain such as or With a new zone you can now create resource records and resolve to those names internally by the FQDN name (such as while you're in another domain.

      Hope that helps.

  4. This document is really helpful for beginners to understand the basic concepts and also for experienced people who just need to brush up the concepts. Thank you very much for the document

