A DNS zone is a is a collection of DNS records. A client may choose between two ways to query a DNS zone, and that is through forward lookup zones or reverse lookup zones.
Forward Lookup Zones
forward lookup zone converts a domain name to an IP address. You can ask a DNS server for the IP address of the host name “ITFDC01” and the DNS server will respond with the IP address of that DNS host name.
An example would be typing the command “nslookup ITFDC01”. This would be a forward lookup.
Reverse Lookup Zones
A reverse lookup zone converts an IP address to a domain name. For example, you can ask a DNS server what host name uses the IP address of 10.0.2.6 and the reverse lookup zone will provide the DNS host name.
A primary zone is a DNS zone that this DNS server is the primary source of information. By default, the data for this zone is stored in a local file named zone_name.dns and is located in the %windir%\System32\Dns directory. The file may also be stored in Active Directory if this DNS server is also a write-able Domain Controller.
There are several benefits and reasons why you would want to store a primary zone in Active Directory. Since the zone is stored in AD, the zone can be replicated using AD replication process and AD’s security features.
It is also worth mentioning that a primary zone is the only zone type that can be directly edited or updated.
A secondary zone is a read-only replica of a primary DNS zone that is hosted on another remote DNS server. This obviously means that your DNS server must have network access to the remote DNS server in order to gather the information. This DNS zone is not stored in AD DS because it is a mere read-only copy of the DNS zone.
If you try to make a change in a secondary DNS zone, the change request will be passed on to the server which holds the primary zone. If the server is available, the change will be made. If the server is offline, the change will not be made.
The purpose of a secondary DNS zone comes down to redundancy. If the server hosting the primary copy is unavailable, this server will be available for use by clients in its place. One of the issues with a secondary DNS zone is that each record held within this zone must be replicated from another server. On large networks that have frequent DNS server changes this can be somewhat resource intensive.
A stub zone is similar to a secondary zone in that it is a read-only zone that obtains its information from other DNS servers. The main difference between a stub zone and a secondary zone, is that while a secondary zone contains an exact replica (including all resource records) of a primary zone, a stub zone only contains information about authoritative name servers.
So inside a stub zone you will not find records for computer host names, but instead records for other DNS servers. The purpose of this zone is to allow hosts on one network to obtain information from a DNS server on another network, without this DNS server needing to replicate all of the data inside of the other DNS server.
You can think of stub zones as being a less resource intensive version of a secondary zone.
Creating a Zone
Now that you understand DNS zones, let’s hop onto our Windows Server and create a zone. In Server Manager, select Tools > DNS
To create a new DNS zone, right click on either Forward Lookup Zones or Reverse Lookup Zones and select New Zone. Choose Next and then either select Primary, Secondary, or Stub Zone. If you are creating a Primary or Stub Zone you may choose to store the zone in Active Directory. If you select this checkbox this zone will be considered an Active Directory Integrated Zone.
On the next screen, if you chose to store the zone in Active Directory you will be able to choose how you want it to be replicated.
The first option allows you to replicate the zone across all domain controllers that have the DNS server role in the forest. This means that the zone can be replicated across multiple domains. This is the broadest replication scope you can choose.
The second option will replicate the zone to all domain controllers with the DNS role installed on this current domain.
The third option option allows you to replicate the DNS zone to all domain controllers in the current domain. Choose this option if you are working with Windows 2000 domain controllers.
The final option is grayed out because this server has not been enlisted in a DNS Application Directory Partition. With DNS directory partitions you fine tune exactly which domain controllers you want this zone to be replicated to.
I am going to leave the default option checked, and click next.
The next screen will prompt you to enter your zone name. I am going to enter “mytestzone,” and click next.
If you do not choose to integrate with Active Directory, you will now be asked to create a DNS file.
Since I choose to integrate with Active Directory, I am not brought to the Dynamic Update screen.
You can either choose secure, non-secure or no dynamic updates. I strongly recommend you choose the first option unless you have some specific need to do otherwise. Allowing non-secure dynamic updates imposes a great unnecessary security vulnerability to your DNS server, and disabling dynamic updates will require you to manually create and maintain the DNS resource records in the zone.
If you did not choose to integrate this zone with Active Directory, you will only be able to choose between allowing both nonsecure and secure or not allowing dynamic updates. In this scenario your best option is to not allow dynamic updates as you will be unable to use active directories secure dynamic updates. Since I choose to integrate this DNS zone with Active Directory, I am going to leave the Allow only secure dynamic updates, and click next.
You will now be presented with the finish screen. I am going to click Finish.
I now have created my new Forward Lookup Zone. I can see it has the two required records which are the SOA and NS records.