Secondary Zone

    Question

  • Studying for exam 70-642 (Network Infrastructure), and working in a small company, I am having
    difficulty understanding the secondary zone (DNS).

    I understand that, for example, on a server with only the DNS role installed, I can create a secondary zone from another server
    that stores the primary zone; I did that and understood it.

    However, this does not make sense (the exercise is from a training kit), because a DNS server with only the secondary zone
    does not solve anything if the main server fails.

    Studying on the Internet, I saw that the best case would be two servers, each with its own domain, namely domain A and domain B, on separate networks.
    In this case I saw the point of the secondary zone: in domain A I can create a secondary zone of domain B, and in domain B a secondary zone of domain A,
    for name resolution.

    However, trying to do this in virtual machines, I came across the following problem:

    Before I created the secondary zone in domain A, I was already able to ping all the machines in domain B, and also reach them by UNC path. So if I can already ping a station,
    why create a secondary zone then?

    This is my doubt.

    Thanks
    Wednesday, July 20, 2011 12:02 AM

Answers

  • Thank you for your patience.

    Just to clarify these questions and conclude: what I meant was that a server hosting a secondary DNS zone is not a guarantee of high availability, because if the DC server goes down there will be no name resolution just the same.

    So what I realized is that the secondary zone will only give me high availability in the case where just the DNS Server service on the DC fails.

    And in another scenario it serves to improve name resolution when there are different companies with different domains, and one company wants to resolve names of the other company.


    For the most part, that is a good summary.

    However, not to distract from your studies or understanding, the "high availability" part, that is, if the DNS server that the client has configured as the first entry on the NIC goes down, actually leads into another topic. This is solely due to the way the client-side resolver service algorithm works.

    If the Master DNS server (the DNS server that hosts the Primary zone) that is specified in a Secondary zone goes down, as pointed out, the Secondary can still be used to resolve data in the zone, but the problem comes down to the client side. The CSEs (client-side extensions) and the client-side resolver service that initially resolved AD zone data while logging on or at startup will be "glued" to whatever DC was resolved at logon or startup. The easy way to alleviate this is to log the client off and on again, or restart the client. In Windows 2008 and newer this was changed a bit to address the issue, but it is not 100% fool-proof, and it doesn't address other applications or services that rely heavily on AD services, such as Exchange's and Outlook's heavy reliance on a GC.

    More info on this topic:

    This article discusses:
    WINS NetBIOS, Browser Service, Disabling NetBIOS, & Direct Hosted SMB (DirectSMB).
    The DNS Client Side Resolver algorithm.
    If one DC or DNS goes down, does a client logon to another DC?
    DNS Forwarders Algorithm (if you've configured more than one forwarders)
    Published by Ace Fekay, MCT, MVP DS on Nov 29, 2009 at 10:28 PM
    http://msmvps.com/blogs/acefekay/archive/2009/11/29/dns-wins-netbios-amp-the-client-side-resolver-browser-service-disabling-netbios-direct-hosted-smb-directsmb-if-one-dc-is-down-does-a-client-logon-to-another-dc-and-dns-forwarders-algorithm.aspx

    DNS Client side resolver service
    http://technet.microsoft.com/en-us/library/cc779517.aspx 

    The DNS Client Service Does Not Revert to Using the First Server in the List in Windows XP
    http://support.microsoft.com/kb/320760

     

    Also, if the Master goes down, the client can't register its resource record into the zone. This is because the DHCP Client Service will send a query for the "MNAME" to the Secondary to get the SOA of the zone. Then the Secondary will return the SOA resource record, and the client will send the registration request to the SOA. If it's down, then it can't register.

    Some of these points above may or may not be in the exam, but it's good to understand them.

     

    Basically you'll want to remember, and this is extrapolating/adding to JM's and James' info already provided:

    • A Secondary is a read-only copy.
    • A Secondary zone stores its data in a text file (by default in the system32\dns folder).
    • A Secondary gets a copy of the zone data from the Primary.
    • A Primary is the writeable copy.
    • A Primary stores its zone data in a text file (by default in the system32\dns folder).
    • There can be only one Primary, but as many Secondaries as you want.
    • You must allow zone transfer capabilities from the Primary zone if you want to create a Secondary.

    Active Directory Integrated Zones change this a bit:

    • The "only one Primary" rule is changed by introducing the Multi-Master Primary feature. This is because the data is not stored as a text file; rather, it is stored in the actual, physical AD database (in one of 3 different logical locations, or what we call the Replication Scope), and any DC that has DNS installed (based on the replication scope) will have a writeable copy.
    • The zone data is replicated to other DCs in the replication scope where the data is stored (based on one of the 3 logical locations).
    • Each DC in the replication scope that has DNS installed will automatically make the zone data available in DNS.
    • Each DC that hosts the zone can "write" to the zone, and the changes get replicated to the other DCs in the replication scope of the zone.
    • The DC that makes a change becomes the SOA at that point in time, until another DC makes a change to the zone; then it becomes the SOA.
    • An AD Integrated zone can be configured to allow zone transfers to a Secondary, but the Secondary CANNOT be a DC in the same replication scope as the zone you are trying to create as a Secondary; otherwise the DC you are attempting to create the Secondary on will automatically change it to AD integrated, since it "sees" it in the AD database. In some cases, if this is forced or done incorrectly, it can lead to duplicate zones in the AD database, which is problematic until fixed.

    I hope that wasn't too confusing!

    Ace

    Ace Fekay
    MVP, MCT, MCITP EA, MCTS Windows 2008 & Exchange 2007 & Exchange 2010, Exchange 2010 Enterprise Administrator, MCSE & MCSA 2003/2000, MCSA Messaging 2003
    Microsoft Certified Trainer
    Microsoft MVP - Directory Services
    Complete List of Technical Blogs: http://www.delawarecountycomputerconsulting.com/technicalblogs.php

    This posting is provided AS-IS with no warranties or guarantees and confers no rights.


    Wednesday, July 20, 2011 6:35 PM
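As an added example that is not part of Ace's answer or the original thread, here are the checks a practitioner would run to see the two failure modes Ace describes: the resolver order the client stays glued to, and dynamic registration being sent to the SOA MNAME rather than to the secondary that answered the query. It uses the DnsClient and DnsServer PowerShell modules (Windows 8 / Server 2012 and later; on the 2008 R2 of the thread the same steps are ipconfig /all, nslookup and dnscmd). The host names, addresses and zone name are hypothetical.

```powershell
# Added example, not from the original thread. Hypothetical lab:
#   DC01  10.0.1.10  domain controller, master (Primary) for corp.example
#   DNS02 10.0.1.11  member server with only the DNS role, Secondary for corp.example
# Needs the DnsClient module (client side) and DnsServer module (DC side).

# --- on a client ---

# 1. The resolver list the DNS Client service walks in order; it stays with the first
#    server that answered, which is the "glued to a DC" behaviour Ace describes.
Get-DnsClientServerAddress -AddressFamily IPv4 |
    Where-Object { $_.ServerAddresses } |
    Select-Object InterfaceAlias, ServerAddresses

# 2. While DC01 is down, the secondary still answers queries for the zone ...
Resolve-DnsName -Name 'fs01.corp.example' -Type A -Server '10.0.1.11' -DnsOnly

# 3. ... but a dynamic registration is sent to the server named in the SOA MNAME field,
#    not to whichever server answered. Read MNAME through the secondary and probe it.
function Get-DynamicUpdateTarget {
    param([string]$Zone, [string]$Resolver)
    $soa = Resolve-DnsName -Name $Zone -Type SOA -Server $Resolver -DnsOnly |
           Where-Object { $_.Type -eq 'SOA' } | Select-Object -First 1
    $master   = $soa.PrimaryServer                           # SOA MNAME
    $masterIp = (Resolve-DnsName -Name $master -Type A -Server $Resolver -DnsOnly |
                 Where-Object { $_.Type -eq 'A' } | Select-Object -First 1).IPAddress
    $reachable = Test-NetConnection -ComputerName $masterIp -Port 53 `
                    -InformationLevel Quiet -WarningAction SilentlyContinue
    [pscustomobject]@{
        Zone         = $Zone
        UpdateTarget = $master        # where the client's A/PTR registration will go
        Address      = $masterIp
        Reachable    = $reachable     # $false while the master is down: registration cannot succeed
    }
}
Get-DynamicUpdateTarget -Zone 'corp.example' -Resolver '10.0.1.11'

# 4. Force a re-registration attempt (same as ipconfig /registerdns). With Reachable = $false
#    above it fails, no matter that the secondary answered the query in step 2.
Register-DnsClient

# --- on DC01: the alternative Ace lists ---

# 5. Store the zone in AD instead of a text file. Every DC in the replication scope that runs
#    DNS then holds a writeable copy and AD replication carries the changes, so there is no
#    single master to lose. Secure dynamic update limits changes to a record to the account
#    that created it; a file-backed primary cannot offer that.
Set-DnsServerPrimaryZone -Name 'corp.example' -ReplicationScope Domain
Set-DnsServerPrimaryZone -Name 'corp.example' -DynamicUpdate Secure
Get-DnsServerZone -Name 'corp.example' |
    Select-Object ZoneName, ZoneType, IsDsIntegrated, ReplicationScope, DynamicUpdate
```

Step 3 is the one to keep: the Reachable column tells you, before you touch a client, whether registrations will fail, and step 5's output should show IsDsIntegrated True and ReplicationScope Domain on every DC in the scope.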

All replies

  • The purpose of a secondary zone is simply to host the same zone on a secondary DNS server so that you can provide a highly available, fault-tolerant DNS solution.

    Updates to the zone are made on the primary zone.  These updates are then transferred over to the DNS server(s) hosting the secondary zone.  More than one DNS server can host a secondary zone.   In a simple example, if your clients are configured to use more than one DNS server and one server fails, the client can simply query the other DNS server, which is also hosting a copy of the same zone.  Therefore, name resolution will continue even though one DNS server is offline.

    As you mentioned, a DNS server can host a primary and a secondary zone at the same time.  If you have two domains, Domain A & B, and you have two DNS servers, you can host PRI-A and SEC-B on DNS server #1, then PRI-B and SEC-A on DNS server #2.  Again, this is just a simple example.

    Hope this has cleared up your confusion with regard to DNS secondary zones.

    Visit anITKB.com, an IT Knowledge Base.
    Wednesday, July 20, 2011 2:19 AM
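The two-server layout JM describes (PRI-A and SEC-B on DNS server #1, PRI-B and SEC-A on DNS server #2), as an added example that is not part of the original reply. It uses the DnsServer PowerShell module (Windows Server 2012 and later; on the 2008 R2 of the thread the same steps are dnscmd /ZoneAdd and dnscmd /ZoneResetSecondaries). The security point the thread only implies: a zone transfer hands out a complete copy of the zone, so the primary must list exactly which secondaries may request one. Server addresses, zone names and records are hypothetical.

```powershell
# Added example, not from the original thread. Hypothetical lab:
#   DNS1 10.0.1.10  Primary for corp-a.example, Secondary for corp-b.example
#   DNS2 10.0.2.10  Primary for corp-b.example, Secondary for corp-a.example
$Dns1 = '10.0.1.10'
$Dns2 = '10.0.2.10'

# --- run on DNS1 ---
# A file-backed primary cannot do secure dynamic update (that needs an AD-integrated zone),
# so keep it static and add records by hand.
Add-DnsServerPrimaryZone -Name 'corp-a.example' -ZoneFile 'corp-a.example.dns' -DynamicUpdate None
Add-DnsServerResourceRecordA -ZoneName 'corp-a.example' -Name 'fs01' -IPv4Address '10.0.1.20'

# Zone transfer ACL. The weak setting is TransferAnyServer: anyone who can reach TCP 53 gets
# the whole zone with one AXFR. Restrict it to the named secondary and let NOTIFY push changes.
Set-DnsServerPrimaryZone -Name 'corp-a.example' `
    -SecureSecondaries TransferToSecureServers -SecondaryServers $Dns2 `
    -Notify NotifyServers -NotifyServers $Dns2

# Read-only copy of the other company's zone, pulled from its master.
Add-DnsServerSecondaryZone -Name 'corp-b.example' -ZoneFile 'corp-b.example.dns' -MasterServers $Dns2

# --- run on DNS2 (mirror image) ---
Add-DnsServerPrimaryZone -Name 'corp-b.example' -ZoneFile 'corp-b.example.dns' -DynamicUpdate None
Set-DnsServerPrimaryZone -Name 'corp-b.example' `
    -SecureSecondaries TransferToSecureServers -SecondaryServers $Dns1 `
    -Notify NotifyServers -NotifyServers $Dns1
Add-DnsServerSecondaryZone -Name 'corp-a.example' -ZoneFile 'corp-a.example.dns' -MasterServers $Dns1

# --- checks ---
# 1. The secondary is current when its SOA serial matches the primary's.
function Test-ZoneInSync {
    param([string]$Zone, [string]$Primary, [string]$Secondary)
    $p = (Resolve-DnsName -Name $Zone -Type SOA -Server $Primary -DnsOnly |
          Where-Object { $_.Type -eq 'SOA' } | Select-Object -First 1).SerialNumber
    $s = (Resolve-DnsName -Name $Zone -Type SOA -Server $Secondary -DnsOnly |
          Where-Object { $_.Type -eq 'SOA' } | Select-Object -First 1).SerialNumber
    [pscustomobject]@{ Zone = $Zone; PrimarySerial = $p; SecondarySerial = $s; InSync = ($p -eq $s) }
}
Test-ZoneInSync -Zone 'corp-a.example' -Primary $Dns1 -Secondary $Dns2
Test-ZoneInSync -Zone 'corp-b.example' -Primary $Dns2 -Secondary $Dns1

# 2. Audit on each server: any primary zone whose transfer ACL is wider than a named list.
Get-DnsServerZone |
    Where-Object { $_.ZoneType -eq 'Primary' -and $_.SecureSecondaries -ne 'TransferToSecureServers' } |
    Select-Object ZoneName, SecureSecondaries, SecondaryServers

# 3. From a host that is NOT in the list, a transfer must be refused. Windows nslookup's
#    interactive "ls -d" subcommand requests a full zone transfer:
#      nslookup - 10.0.1.10
#      > ls -d corp-a.example
#    A correctly restricted primary answers with a "Query refused" error instead of listing records.
```

Check 2 is worth scheduling: it is the one-line audit that catches a zone someone later switched to TransferAnyServer, and it is also the check to run before adding a secondary, since the new secondary's address has to appear in SecondaryServers or its first transfer will be refused.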
  • Hi,

    Thank you for your post.

    Just as [JM] said, secondary servers can be used to offload DNS query traffic in areas of the network where a zone is heavily queried. In addition, if a primary server is unavailable, a secondary server can provide some name resolution in the zone until the primary server is available.

    When a zone that this DNS server hosts is a secondary zone, this DNS server is a secondary source for information about this zone. The zone at this server must be obtained from another remote DNS server computer that also hosts the zone. This DNS server must have network access to the remote DNS server that supplies it with updated information about the zone, because a secondary zone is merely a copy of a primary zone that is hosted on another server.

    Best Regards,

    James

    Wednesday, July 20, 2011 6:22 AM
    Moderator
  • Hello,

    Thanks for the replies; however, I still have a doubt.
    When you say that if the server hosting the primary zone fails, name resolution can continue because the zone is hosted on another server as a secondary zone, I kept thinking the following: in that case, would it not be better to install a second domain controller on the other side? It is unlikely that only the DNS service would be paralyzed; in that case the entire server may stop, and then the secondary zone is of no use.

    If I install the domain controller on Server A (the server does not have the DNS role), I go to Server B to install the DNS service for name resolution of the domain controller (Server A), and on Server C I install the secondary zone of Server B.
    What I mean by that is that I would have the domain controller role on Server A, the DNS role on Server B, and the secondary zone on Server C. Is that it?

    Sorry for the questions; however, I am deepening my studies and always seek to understand better in order to be a good professional.

    Thanks

    Wednesday, July 20, 2011 12:16 PM
  • I am not following your question very well.

    You have now introduced the concept of a DC.  So when it comes to DNS and DCs, the recommendation is to not use primary & secondary zones, but rather to use Active Directory Integrated zones.  So if you had one DC, yes, you would definitely want at least a second DC, both running DNS.

    If you have a DC running DNS and you want to bring a new server online that is NOT a DC, but you do want to run DNS services on the second server, your DC can run the zone as AD Integrated and the second server running only DNS can still host the secondary zone, which is transferred from the AD Integrated zone.

    Here are some DNS design options...

    DNS Server hosting Primary --- Transfer ---> DNS Server hosting Secondary

    AD/DNS Server hosting Primary --- Transfer ---> AD/DNS server hosting Secondary

    AD/DNS Server hosting AD Integrated --- AD Replication ---> AD/DNS hosting AD Integrated

    AD/DNS Server hosting AD Integrated --- Transfer ---> AD/DNS hosting Secondary

    I hope this clarifies it for you.

    Wednesday, July 20, 2011 2:54 PM
  • Thank you for your patience.

    Just to clarify these questions and conclude: what I meant was that a server hosting a secondary DNS zone is not a guarantee of high availability, because if the DC server goes down there will be no name resolution just the same.

    So what I realized is that the secondary zone will only give me high availability in the case where just the DNS Server service on the DC fails.

    And in another scenario it serves to improve name resolution when there are different companies with different domains, and one company wants to resolve names of the other company.
    Wednesday, July 20, 2011 3:38 PM
  • Master, now I understand.

    Studying on my own, I saw that name resolution only stopped working when the DNS service on the local workstation was stopped, or rather terminated, and also when the DNS server was down.

    Strange, as I had always learned about DNS resolution (the DC, let's say), but now I understand this article.

    Thank you very much

    I did not find a better explanation in Brazil or in the other forums I searched.

    Congratulations
    Wednesday, July 20, 2011 7:02 PM
  • Ace, you are definitely a master of DNS!

    Wednesday, July 20, 2011 7:30 PM
  • Thanks JM and Danilo! :-)

    Cheers!

    Wednesday, July 20, 2011 10:21 PM