MCSE Training Kit(c) Microsoft Windows 2000 Accelerated 2000

This lesson introduces zone replication and transfer. Zone transfer is the process by which DNS servers interact to maintain and synchronize authoritative name data.


After this lesson, you will be able to

Estimated lesson time: 10 minutes

Zone Replication and Zone Transfers

Because of the important role that zones play in DNS, it is intended that they be available from more than one DNS server on the network to provide availability and fault tolerance when resolving name queries. Otherwise, if a single server is used and that server is not responding, queries for names in the zone can fail. For additional servers to host a zone, zone transfers are required to replicate and synchronize all copies of the zone used at each server configured to host the zone.

When structuring your zones, there are several good reasons to use additional DNS servers for zone replication:

When a new DNS server is added to the network and is configured as a new secondary server for an existing zone, it performs a full zone transfer (AXFR) to obtain and replicate a full copy of resource records for the zone. For earlier DNS server implementations, this same method of full transfer for a zone is also used when the zone requires updating after changes are made to the zone. For Windows 2000 Server, the DNS service supports incremental zone transfer (IXFR), a revised DNS zone transfer process for intermediate changes.

Incremental Zone Transfers

IXFR is described in RFC 1995 as an additional DNS standard for replicating DNS zones. IXFRs provide a more efficient method of propagating zone changes and updates.

In earlier DNS implementations, any request for an update of zone data required a full transfer of the entire zone database using an AXFR query. With incremental transfer, an IXFR query is used instead. IXFR allows the secondary server to pull only those zone changes it needs to synchronize its copy of the zone with its source, either a primary or secondary copy of the zone maintained by another DNS server.

With IXFR zone transfers, differences between the source and replicated versions of the zone are first determined. If the zones are identified to be the same version—as indicated by the serial number field in the SOA resource record of each zone—no transfer is made.

If the serial number for the zone at the source is greater than at the requesting secondary server, a transfer is made of only those changes to resource records for each incremental version of the zone. For an IXFR query to succeed and changes to be sent, the source DNS server for the zone must keep a history of incremental zone changes to use when answering these queries. The incremental transfer process requires substantially less traffic on a network, and zone transfers are completed much faster.

Example of a Zone Transfer

In addition to a manual initiation, a zone transfer occurs during any of the following scenarios:

Zone transfers are always initiated by the secondary server for a zone and sent to the DNS server configured as its source for the zone. This DNS server can be any other DNS server that loads the zone, either a primary or another secondary server. When the source server receives the request for the zone, it can reply with either a partial or full transfer of the zone.

As shown in Figure 18.2, zone transfers between servers follow an ordered process. This process varies depending on whether a zone has been previously replicated or if initial replication of a new zone is being performed.

Figure 18.2 Zone transfer process

In this example, the following sequence of steps is performed for a requesting secondary server—the destination server—for a zone and its source server, another DNS server that hosts the zone.

  1. During new configuration, the destination server sends an initial (AXFR) transfer request for the zone to the DNS server configured as its source for the zone.
  2. The source server responds and fully transfers the zone to the destination server.

    The zone is delivered to the server requesting the transfer with its version established by use of a serial number field in the properties for the SOA resource record. The SOA record also contains a stated refresh interval in seconds (by default, 15 minutes) to indicate when the destination server should next request renewal of the zone with the source server.

  3. When the refresh interval expires, the destination server requests renewal of the zone from the source server with an SOA query.
  4. The source server answers the query for its SOA record.

    This response contains the serial number for the zone in its current state at the source server.

  5. The destination server checks the serial number of the SOA record in the response and determines how to renew the zone.

    If the value of the serial number in the SOA response is equal to its current local serial number, it concludes the zone is the same at both servers and a zone transfer is not needed. The destination server then renews the zone by resetting its refresh interval to the refresh value carried in the SOA response from its source server.

    If the value of the serial number in the SOA response is higher than its current local serial number, it concludes that the zone has been updated and a transfer is needed.

  6. If the destination server concludes the zone has changed, it sends an IXFR query to the source server containing its current local value for the serial number in the SOA record for the zone.
  7. The source server responds with either an incremental or full transfer of the zone.

    If the source server supports incremental transfer by maintaining a history of recent and incremental zone changes for modified resource records, it can answer with an incremental (IXFR) transfer of the zone.

    If the source server does not support incremental transfer or does not have a history of zone changes, it can, alternatively, answer with a full (AXFR) transfer of the zone instead.
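The seven steps above, as an added example that is not part of the original lesson or Microsoft's DNS code: a small Python simulation of a source server and a secondary, with hypothetical class names and a deliberately simplified zone (a name-to-rdata dictionary). It shows the serial-number comparison, the IXFR answer when the source keeps a change history, and the fallback to AXFR when the history does not reach back to the secondary's serial or the source does not support IXFR at all.

```python
# Added example, not Microsoft DNS code: steps 1-7 above as a simulation (names hypothetical).
def apply_changes(records, changes):
    # Apply {name: rdata, or None to delete} to a record dict in place.
    for name, rdata in changes.items():
        if rdata is None:
            records.pop(name, None)
        else:
            records[name] = rdata

class SourceServer:
    def __init__(self, serial, records, keep_history=True):
        self.serial = serial              # SOA serial of the local zone version
        self.records = dict(records)      # name -> rdata (deliberately simplified zone)
        self.keep_history = keep_history  # False models a server without IXFR support
        self.history = []                 # (old_serial, new_serial, changes) per update
    def update(self, changes):
        # A local change: record the delta (if IXFR is supported) and bump the serial.
        apply_changes(self.records, changes)
        if self.keep_history:
            self.history.append((self.serial, self.serial + 1, dict(changes)))
        self.serial += 1
    def soa_query(self):
        return self.serial                # step 4: the SOA answer carries the serial
    def transfer(self, kind, client_serial):
        # Step 7: answer IXFR incrementally only if the history is contiguous from
        # client_serial; otherwise, or for an AXFR request, send the whole zone.
        steps = [h for h in self.history if h[0] >= client_serial]
        if kind == "IXFR" and steps and steps[0][0] == client_serial:
            merged = {}
            for _, _, changes in steps:   # fold per-version deltas into one change set
                merged.update(changes)
            return "IXFR", self.serial, merged
        return "AXFR", self.serial, dict(self.records)

class SecondaryServer:
    def __init__(self, source):
        # Steps 1-2: a newly configured secondary starts with a full AXFR.
        _, self.serial, self.records = source.transfer("AXFR", 0)
    def refresh(self, source):
        # Steps 3-6: SOA query, serial comparison, then an IXFR request if newer.
        if source.soa_query() <= self.serial:
            return "none"                 # step 5: same version, only the timer is reset
        kind, self.serial, payload = source.transfer("IXFR", self.serial)
        if kind == "AXFR":
            self.records = payload        # a full copy replaces the local zone
        else:
            apply_changes(self.records, payload)
        return kind
```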

NOTE

Incremental zone transfer through IXFR query is supported in Windows 2000 Server. For earlier versions of the DNS service running in Windows NT Server 4.0, and for many other DNS server implementations, incremental zone transfer is not available and only full-zone (AXFR) queries and transfers are used to replicate zones.

Zone Transfer Security

The DNS console permits you to specify the servers allowed to participate in zone transfers. This can help prevent an undesired attempt by an unknown or unapproved DNS server to pull, or request, zone updates.

Follow these steps to specify servers allowed to participate in zone transfers:

  1. Click Start, point to Programs, point to Administrative Tools, and then click DNS.
  2. In the DNS console tree, right-click the zone for which you want to set up zone transfers, and then click Properties.
  3. Select the Zone Transfers tab (see Figure 18.3).

    Figure 18.3 The Zone Transfers tab

  4. Specify the servers for which you want to allow zone transfers, and then click OK.

DNS Notification

The DNS service supports DNS notification, which is an updated revision to the DNS standard specification (RFC 1996). DNS notification implements a push mechanism for notifying a select set of secondary servers for a zone when a zone is updated. The notified servers can then initiate the zone transfer process and pull changes from the notifying server to update the zone.

Use DNS notification only to notify DNS servers that are operating as secondary servers for a zone. For replication of directory-integrated zones, DNS notification is not needed. This is because any DNS servers that load a zone from Active Directory automatically poll the directory approximately once every 15 minutes (depending on the SOA refresh interval setting) to update and refresh the zone. In these cases, configuring a notification list can actually degrade system performance by causing unnecessary additional transfer requests for the updated zone.

Follow these steps to specify servers to be notified:

  1. Click Start, point to Programs, point to Administrative Tools, and then click DNS.
  2. In the DNS console tree, right-click the zone for which you want to set up zone transfers, and then click Properties.
  3. Select the Zone Transfers tab, and then click Notify.
  4. In the Notify dialog box (see Figure 18.4), specify the secondary servers to be notified when the zone changes, and then click OK.

    Figure 18.4 The Notify dialog box

The DNS Notify Process

The following is a brief summary of the typical DNS Notify process:

  1. The local zone on a DNS server acting as a source for the zone to other servers is updated. When the zone is updated at the source, the serial number field in the SOA record also updates, indicating a new local version of the zone.
  2. The source server sends a notify message to other servers specified on the Notify screen.
  3. All secondary servers that receive the notification message can then respond by initiating a zone transfer request back to the notifying server. The normal zone transfer process can then continue as described in the previous section.
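The Notify process above, combined with the zone transfer allow-list from the Zone Transfer Security section, as an added example that is not part of the original lesson or Microsoft's DNS code (all names are hypothetical, and the transfer itself is reduced to copying the serial). It shows that a notify message is only a trigger for the normal SOA check and pull, and that the notify list and the list of servers allowed to request transfers are separate settings: a server that is notified but not allowed is still refused when it asks for the zone.

```python
# Added example, not Microsoft DNS code: the Notify process above together with the
# zone transfer allow-list from Zone Transfer Security (all names hypothetical).
class NotifyingSource:
    def __init__(self, zone, serial, allowed_secondaries, notify_list):
        self.zone, self.serial = zone, serial
        self.allowed = set(allowed_secondaries)  # servers permitted to pull the zone
        self.notify_list = list(notify_list)     # servers pushed a NOTIFY on change
        self.refused = []                        # (requester, kind) audit trail
    def update_zone(self):
        # Steps 1-2: a local change bumps the SOA serial and a NOTIFY goes to each
        # listed server. The message names the zone and new serial, not the zone data.
        self.serial += 1
        return [("NOTIFY", self.zone, self.serial, t) for t in self.notify_list]
    def handle_request(self, requester, kind):
        # SOA is an ordinary query; AXFR/IXFR are answered only for allowed servers.
        if kind == "SOA":
            return "SOA", self.serial
        if requester not in self.allowed:
            self.refused.append((requester, kind))
            return "REFUSED", None
        return kind, self.serial                 # transfer abstracted to the serial

class NotifiedSecondary:
    def __init__(self, address, serial):
        self.address, self.serial = address, serial
    def on_notify(self, msg, source):
        # Step 3: NOTIFY only triggers the usual SOA check and pull; it carries no data.
        _, zone, _, target = msg
        if target != self.address or zone != source.zone:
            return "ignored"
        _, soa_serial = source.handle_request(self.address, "SOA")
        if soa_serial <= self.serial:
            return "none"
        kind, new_serial = source.handle_request(self.address, "IXFR")
        if kind == "REFUSED":
            return "refused"                     # listed for NOTIFY but not allowed to pull
        self.serial = new_serial
        return kind
```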

Lesson Summary

In this lesson you learned how zone transfers are required to replicate and synchronize all copies of the zone used at each server configured to host the zone. For earlier DNS server implementations, when a new DNS server is added to the network and is configured as a new secondary server for an existing zone, it performs a full initial transfer of the zone to obtain and replicate a full copy of resource records for the zone. For Windows 2000 Server, the DNS service supports incremental zone transfer, a revised, more efficient DNS zone transfer process for intermediate changes.

You also learned how the DNS console permits you to specify the servers allowed to participate in zone transfers. Finally, you learned how DNS notification implements a push mechanism for notifying a select set of secondary servers for a zone when a zone is updated. The notified servers can then initiate the zone transfer process and pull changes from the notifying server to update the zone. The DNS console allows you to specify the secondary servers for notification; for replication of directory-integrated zones, DNS notification is not needed.
