Windows Server DNS Zones Explained

In this guide, I’ll provide a quick overview of the different DNS Zone types for Windows Server and Active Directory.

This will help you better understand and manage DNS and Active Directory.

DNS Zones store DNS resource record information. Some common DNS records include:

  • A Record: Name to IP address mapping
  • CNAME: Maps an alias to the canonical name
  • MX Record: Used to identify mail servers
  • NS Record: Identifies the name servers for a particular zone
  • SOA: Start of Authority records
  • TXT: Allows any text to be inserted into a DNS record

There are many more record types, and without these records, everything would be accessed by an IP address.

DNS Zones provide us a way to maintain these records on one or more servers.

Let’s take a look at the different zone types.

Active Directory Integrated Zones

Active Directory Integrated Zones stores its zone data in Active Directory. Integrated zones can be replicated to all domain controllers in the domain and forest. Active Directory integrated zones use multi-master replication, this means any domain controller running the DNS server service can write updates to the zone for which they are authoritative.

Advantages of Active Directory integrated Zones

  • Replication is faster, more secure and efficient.
  • Better redundancy due to zone data being copied to all Domain Controllers
  • Improved Security if secure dynamic update is enabled
  • No need to schedule or manage zone transfers

Primary Zone

This is the main zone and has a read/write copy of the zone data. All changes to the zone are made in the primary zone and are replicated to the secondary zones.

The zone data is stored in a text file located in this folder c:\windows\system32\DNS on the Windows server running DNS.

Secondary Zone

A secondary Zone is a read-only copy of the primary zone. This zone cannot process updates and can only retrieve updates from the primary zone.  This zone can answer DNS name resolution queries from clients nodes, this helps reduce the workload on the primary zone. Secondary zones cannot be active directory integrated.

Stub Zone

Stub zones are like a secondary zone but only stores partial zone data. These zones are useful to help reduce zone transfers by passing the requests to authoritative servers. These zones only contain the SOA, NS and A records.

Forward Lookup Zone

A forward lookup zone provides hostname to IP address resolution.

When you access a system or website by its hostname such as mcirosoft.com DNS checks the forward lookup zone for the IP information related to the hostname.

Reverse Lookup Zone

Reverse lookup zones resolve IP addresses into hostnames.

For example, when you look up the IP 8.8.8.8 it resolves to google-public-dns-a.google.com. A reverse DNS record had to be created for the IP to resolve to the hostname.

Reverse lookup zones are not as common as forwarding lookups and in most cases are not needed.

Zone Transfers

Zone transfers take place when they are not integrated with Active Directory. A Zone transfer is where the master DNS servers transfer zone data from the master to secondary.

Zone transfers can occur during any of the following

  • When the refresh interval expires
  • When a master server notifies a change has occurred
  • When the server has rebooted or DNS service has restarted
  • A manual transfer has occured from the DNS console

Related: How to Use NSLookup to Check DNS Records

Recommended Tool: SolarWinds Server & Application Monitor (SAM)

This utility was designed to Monitor Active Directory and other critical applications. It will quickly spot domain controller issues, prevent replication failures, track failed logon attempts and much more.

What I like best about SAM is it’s easy to use dashboard and alerting features. It also has the ability to monitor virtual machines and storage.

Download Your Free Trial of SolarWinds Server & Application Monitor. 

Leave a Comment