Los Angeles Network Consulting providing professional services to the Los Angeles Area

Windows 2003 Interoperability with unix DNS Servers


 

Stub zones are a new feature of DNS in Windows Server 2003 that can be used to streamline name resolution, especially in a split namespace scenario. They also help reduce the amount of DNS traffic on your network, making DNS more efficient especially over slow WAN links. This article will look in detail at what stub zones are, how they work, and when to use them. I'll also walk you through the process of creating a stub zone to facilitate name lookups between two separate forests. But first, a little background on DNS zones is necessary to see where stub zones fit into the overall picture.

Types of DNS Zones

A zone is a contiguous portion of DNS namespace managed by one or more name servers. Zones contain resource records that specify the name of the DNS server authoritative for the zone (SOA record), the names and IP addresses of all name servers in the zone (NS records), the names and IP addresses of other hosts (A records), aliases for hosts (CNAME records), and so on.

In the original implementation of DNS found in RFCs 1034 and 1035, two different types of zones were defined:  

  • Primary zones, which store their zone information in a writable text file on the name server.
  • Secondary zones, which store their zone information in a read-only text file on the name server.

In the implementation of DNS on Windows NT, these two types of zones were referred to as standard zones.  A typical scenario for a company that had a single Windows NT domain deployed would involve setting up two name servers on the network, one containing the standard primary zone (the primary name server for the domain) and the other containing the standard secondary zone (the secondary name server). Whenever a new host (for example, a file server) was added to the network, both these name servers had to be updated so clients could find the new host using DNS. To do this, the administrator would create a new A record on the primary name server since the only the primary zone could be modified. The primary name server would then notify the secondary that its records had changed, and the secondary would pull the updated zone information from the primary until it had an identical copy of the primary zone. From the perspective of the secondary name server, the primary name server represents the master name server for this zone.

The main problem with this arrangement was that if the primary name server went down, no changes could be made to the resource records since secondary name servers contained read-only zone information. Also, it meant that all the changes you made to DNS had to be performed on a single name server (the primary), which could be an inconvenience if the company spanned several locations. 

Windows 2000 provided a solution to these issues by introducing Active Directory Integrated zones, which stored their zone information within Active Directory instead of text files. The advantages of this new type of zone included using Active Directory replication for zone transfers and allowing resource records to be added or modified on any domain controller running DNS. In other words, all Active Directory Integrated zones are always primary zones as they contain writable copies of the zone database.  

Active Directory Integrated zones work well for most Windows 2000-based networks, but they do have some issues. One limitation is if you are dealing with two separate forests (disjointed namespace), a common scenario when companies are merging or form part of a conglomerate. For example, say Company A has close business ties with Company B and employees in Company A need access to resources on Company B's internal network. The usual way of providing them this access would be for the DNS administrator of Company A to add a standard secondary zone on each of Company A's name servers. These secondary zones would then point to name servers on Company B's network as their master name servers, and would obtain their resource records by zone transfers with Company B's name servers. While that works, it's overkill for several reasons. First, it generates a lot of zone transfer traffic between name servers in Company A and Company B, which can pose a problem if the companies are linked together by a slow WAN connection. Second, if Company B decides to decommission one of its name servers without telling the administrator of Company A, some of the secondary zones on Company A's name servers could suddenly find themselves without a master, and once their records expire the Company A clients that use them will no longer be able to access resources in Company B.  

What Stub Zones Do

Enter stub zones to the rescue. A stub zone is like a secondary zone in that it obtains its resource records from other name servers (one or more master name servers). A stub zone is also read-only like a secondary zone, so administrators can't manually add, remove, or modify resource records on it. But the differences end here, as stub zones are quite different from secondary zones in a couple of significant ways.  

First, while secondary zones contain copies of all the resource records in the corresponding zone on the master name server, stub zones contain only three kinds of resource records: 

  • A copy of the SOA record for the zone.
  • Copies of NS records for all name servers authoritative for the zone.
  • Copies of A records for all name servers authoritative for the zone.

That's it--no CNAME records, MX records, SRV records, or A records for other hosts in the zone. So while a secondary zone can be quite large for a big company's network, a stub zone is always very small, just a few records. This means replicating zone information from master to stub zone adds almost nil DNS traffic to your network as the records for name servers rarely change unless you decommission an old name server or deploy a new one. And to make replication even more efficient, stub zones don't use UDP as traditional DNS zone transfers do. Instead, stub zones use TCP, which supports much larger packet sizes than UDP. So while a typical zone transfer might involve many UDP packets flooding the network, stub zone transfer only involves a few packets at most. Also, while most DNS servers can be configured to prevent zone transfers to secondary zones from occurring, stub zones request only SOA, NS, and A records for name servers, all of which are provided without restriction by any name server since these records are essential for name resolution to function properly. Finally, since stub zones can be integrated within Active Directory (secondary zones can't), they can make use of Active Directory replication to propagate their information to all domain controllers on your network.  

In our previous scenario, stub zones can be used instead of secondary zones to reduce the amount of zone transfer traffic over the WAN link connecting the two companies. To do this, the administrator for Company A would simply log on to one of the domain controllers, open the DNS console, and create a new stub zone that uses one or more of Company B's name servers as master name servers. By making this stub zone an Active Directory Integrated zone, the stub zone will then be automatically replicated to all other domain controllers on Company A's network. Now when a client on Company A's network wants to connect to a resource on Company B's network, the client issues a DNS query to the nearest Company A domain controller, which then forwards the query to one of Company B's name servers to resolve.  

How to Create a Stub Zone

Let's see how it works in practice. In my lab I have two forests set up, one for Company A running Windows 2003 Server and named test2003.local, and the other for Company B running Windows 2000 and named test2000.local. The domain controller for the root domain of Company A is named SRV220 while the domain controllers for the root domain of Company B are named SRV210, SRV211 and SRV212. Sally is an employee of Company A and her desktop computer is named DESK231, and she needs to access a share named CATALOG located on SRV210 in Company B. To do this she clicks Start, selects Run, and types \\srv210.test2000.local\catalog and the result is an error:

This is because her command issues a DNS query against her name server SRV220 which has no information in its DNS database about test2000.local, the root domain of Company B:

To allow users in Company A to access resources in Company B, the administrator of Company A decides to create a stub zone for Company B's domain. To do this, right-click on Forward Lookup Zones in the figure above and select New Zone. This starts the New Zone Wizard:

Clicking Next brings up the Zone Type screen, and we'll choose Stub Zone here and select the checkbox to create an Active Directory Integrated stub zone:

Click Next and the Active Directory Zone Replication Scope screen is displayed, which we'll leave at its default setting for automatic replication of stub zone information to all domain controllers in the test2003.local domain.

Clicking Next displays the Zone Name screen, and here we type test2000.local as the name of the stub zone since this is the name of the target domain on Company B's network:

Clicking Next displays the Master DNS Servers screen, and we enter the IP address 172.16.11.210 for one of the name servers on Company B's network:

Clicking Next and then Finish runs the wizard and creates the new stub zone, which here is highlighted in the DNS console connected to SRV220 on Company A's network:

Note in the above figure that as expected the stub zone contains only an SOA record, an NS record for each name server in the domain, and an A record for each name server in the domain. Now when Sally clicks Start, selects Run, and types \\srv210.test2000.local\catalog a window opens up displaying the contents of the CATALOG share on SRV210 in the remote forest:

Summary

Stub zones are easy to create and can make name resolution between forests more efficient, but they have other uses as well. For example, stub zones can enable name servers to perform recursion without needing to query the Internet root name servers or internal corporate root servers, thus decreasing the number of hops between name servers and making name resolution more efficient. Another use of stub zones is to keep delegated zone information up to date and prevent lame delegations from wrecking name resolution within a forest, and that would make a good topic for a future article. Both of these are good topics for future articles, so stay tuned for more on stub zones later.

 

Los Angeles Computer Services Microsoft Certified Los Angeles | IT Outsourcing Los Angeles | Los Angeles Computer Consultant | Exchange Server Migration  |  Los Angeles Network Consultant | GroupWise To Exchange | Law Firm Marketing | MAS90 | Microsoft Windows Clustering spam | anti spam | spam blocker | spam email | spam exchange | spam filter | free spam software tools | spam outlook | spam software | free spam tools |

 

Exchange with us

 

 

 

 

 

 

 

 

 

 

 

 

Linux Cluster

Linux Cluster

Linux Cluster

Los-Angeles-Linux-Consultant

Los-Angeles-Linux-Support

Windows 2003 Interoperability with unix DNS Servers

Windows 2003 Interoperability with unix DNS Servers