
7. If you’re configuring a primary zone that isn’t integrated with Active Directory, you need to set the zone file name. A default name for the zone’s DNS database file should be filled in for you. You can use this name or enter a new file name. Tap or click Next.

8. Specify whether dynamic updates are allowed. You have three options:

■ Allow Only Secure Dynamic Updates When the zone is integrated with Active Directory, you can use access control lists (ACLs) to restrict which clients can perform dynamic updates. With this option selected, only clients with authorized computer accounts and approved ACLs can dynamically update their resource records in DNS when changes occur.

■ Allow Both Nonsecure And Secure Dynamic Updates Choose this option to allow any client to update its resource records in DNS when changes occur. Clients can be secure or nonsecure.

■ Do Not Allow Dynamic Updates Choose this option to disable dynamic updates in DNS. You should use this option only when the zone isn’t integrated with Active Directory.

9. Tap or click Next, and then tap or click Finish to complete the process. The new zone is added to the server, and basic DNS records are created automatically.

10. A single DNS server can provide services for multiple domains. If you have multiple parent domains, such as microsoft.com and msn.com, you can repeat this process to configure other forward lookup zones. You also need to configure reverse lookup zones. Follow the steps listed in “Configuring reverse lookups” later in this chapter.

11. You need to create additional records for any computers you want to make accessible to other DNS domains. To do this, follow the steps listed in “Managing DNS records” later in this chapter.

REAL WORLD Most organizations have private and public areas of their network. The public network areas might be where web and external email servers reside. Your organization’s public network areas shouldn’t allow unrestricted access. Instead, public network areas should be configured as part of perimeter networks. (Perimeter networks are also known as DMZs, demilitarized zones, and screened subnets. These are areas protected by your organization’s firewall that have restricted external access and no access to the internal network.) Otherwise, public network areas should be in a completely separate and firewall-protected area.

■ The private network areas are where the organization’s internal servers and workstations reside. On the public network areas, your DNS settings are in the public Internet space. Here, you might use a .com, .org, or .net DNS name that you’ve registered with an Internet registrar and public IP addresses that you’ve purchased or leased. On the private network areas, your DNS settings are in the private network space. Here, you might use adatum.com as your organization’s DNS name and private IP addresses, as discussed in Chapter 7.

Configuring a secondary DNS server

Secondary servers provide backup DNS services on the network. If you’re using full Active Directory integration, you don’t really need to configure secondaries. Instead, you should configure multiple domain controllers to handle DNS services. Active Directory replication will then handle replicating DNS information to your domain controllers. On the other hand, if you’re using partial integration, you might want to configure secondaries to lessen the load on the primary server. On a small or medium-size network, you might be able to use the name servers of your Internet service provider (ISP) as secondaries. In this case, you should contact your ISP to configure secondary DNS services for you. Alternatively, you can put your public DNS records on a dedicated, external DNS service while hosting your private DNS records entirely on your internal DNS servers.

Because secondary servers use forward lookup zones for most types of queries, you might not need reverse lookup zones. But reverse lookup zone files are essential for primary servers, and you must configure them for proper domain name resolution.

If you want to set up your own secondaries for backup services and load balancing, follow these steps:

1. Start the DNS Manager console. If the server you want to configure isn’t listed, connect to it as described previously.

2. Press and hold or right-click the server entry, and then tap or click New Zone to start the New Zone Wizard. Tap or click Next.

3. For Zone Type, select Secondary Zone. Tap or click Next.

4. Secondary servers can use both forward and reverse lookup zone files. You create the forward lookup zone first, so select Forward Lookup Zone, and then tap or click Next.

5. Enter the full DNS name for the zone, and then tap or click Next.

6. Tap or click in the Master Servers list, enter the IP address of the primary server for the zone, and then press Enter. The wizard then attempts to validate the server. If an error occurs, be sure the server is connected to the network and that you’ve entered the correct IP address. Also ensure that you’ve enabled zone transfers on the primary. If you want to copy zone data from other servers in case the first server isn’t available, repeat this step.

7. Tap or click Next, and then tap or click Finish. On a busy or large network, you might need to configure reverse lookup zones on secondaries. If so, follow the steps listed in the next section.
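The same primary and secondary zone setup, done from the DnsServer PowerShell module rather than the New Zone Wizard, as an added example that is not from the book. The server names and addresses (dns1.adatum.com, 192.168.10.5, 192.168.10.6) are assumptions. It shows the weak "Allow Both Nonsecure And Secure" dynamic-update setting beside the secure one, and limits zone transfers to the named secondary so step 6 above succeeds without exposing the zone to any host that asks for it.

```powershell
# Added example (not from the book). Names and addresses are constructed.
$Primary   = 'dns1.adatum.com'   # domain controller that will host the primary zones
$PrimaryIP = '192.168.10.5'
$Secondary = '192.168.10.6'      # stand-alone server that will host the secondary zones

# --- Primary forward lookup zone, stored in Active Directory ------------------
# Weak: any host can overwrite records ("Allow Both Nonsecure And Secure"):
#   ... -DynamicUpdate NonsecureAndSecure
# Preferred: only authenticated computer accounts can update their own records
# ("Allow Only Secure Dynamic Updates"). 'None' disables dynamic updates entirely.
Add-DnsServerPrimaryZone -ComputerName $Primary -Name 'adatum.com' `
    -ReplicationScope Forest -DynamicUpdate Secure

# Step 6 of the secondary-server procedure fails until the primary permits
# transfers; allow them only to the listed secondary rather than to any server.
Set-DnsServerPrimaryZone -ComputerName $Primary -Name 'adatum.com' `
    -SecureSecondaries TransferToSecureServers -SecondaryServers $Secondary

# Reverse lookup zone for the 192.168.10.0/24 segment; the cmdlet derives the
# 10.168.192.in-addr.arpa name from -NetworkId.
Add-DnsServerPrimaryZone -ComputerName $Primary -NetworkId '192.168.10.0/24' `
    -ReplicationScope Forest -DynamicUpdate Secure

# Creating the host record and its PTR together keeps both zones in sync.
Add-DnsServerResourceRecordA -ComputerName $Primary -ZoneName 'adatum.com' `
    -Name 'web1' -IPv4Address '192.168.10.20' -CreatePtr

# --- Secondary copies on the backup server (steps 3 to 7 above) ---------------
Add-DnsServerSecondaryZone -ComputerName $Secondary -Name 'adatum.com' `
    -ZoneFile 'adatum.com.dns' -MasterServers $PrimaryIP
Add-DnsServerSecondaryZone -ComputerName $Secondary -Name '10.168.192.in-addr.arpa' `
    -ZoneFile '10.168.192.in-addr.arpa.dns' -MasterServers $PrimaryIP

# Pull the zone now instead of waiting for the refresh interval, then confirm
# the zone types and the update/transfer settings on both servers.
Start-DnsServerZoneTransfer -ComputerName $Secondary -Name 'adatum.com' -FullTransfer
foreach ($srv in $Primary, $Secondary) {
    Get-DnsServerZone -ComputerName $srv |
        Where-Object { $_.ZoneName -in 'adatum.com', '10.168.192.in-addr.arpa' } |
        Format-Table ZoneName, ZoneType, IsDsIntegrated, DynamicUpdate, SecureSecondaries
}
```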

Configuring reverse lookups

Forward lookups are used to resolve domain names to IP addresses. Reverse lookups are used to resolve IP addresses to domain names. Each segment on your network should have a reverse lookup zone. For example, if you have the subnets 192.168.10.0, 192.168.11.0, and 192.168.12.0, you should have three reverse lookup zones.

The standard naming convention for reverse lookup zones is to enter the network ID in reverse order and then use the suffix in-addr.arpa. With the previous example, you’d have reverse lookup zones named 10.168.192.in-addr.arpa, 11.168.192.in-addr.arpa, and 12.168.192.in-addr.arpa. Records in the reverse lookup zone must be in sync with the forward lookup zone. If the zones get out of sync, authentication might fail for the domain.
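One way to check that a forward zone and its reverse zones are in sync, as an added example that is not from the book: the function below walks every A record in the forward zone, resolves the address to a PTR, and reports hosts whose PTR is missing or names a different host. The zone name and server name are assumptions.

```powershell
# Added example (not from the book). Zone and server names are constructed.
function Test-ReverseLookupSync {
    param(
        [string]$ZoneName = 'adatum.com',
        [string]$Server   = 'dns1.adatum.com'
    )
    Get-DnsServerResourceRecord -ComputerName $Server -ZoneName $ZoneName -RRType A |
        ForEach-Object {
            # '@' is the zone apex; everything else is host.zone
            $fqdn = if ($_.HostName -eq '@') { $ZoneName } else { "$($_.HostName).$ZoneName" }
            $ip   = $_.RecordData.IPv4Address.IPAddressToString
            # Resolve-DnsName accepts a dotted address and queries the
            # matching x.x.x.in-addr.arpa name when -Type PTR is given.
            $ptr  = Resolve-DnsName -Name $ip -Type PTR -Server $Server `
                        -ErrorAction SilentlyContinue
            $status = if (-not $ptr)                               { 'MissingPTR' }
                      elseif (@($ptr.NameHost) -notcontains $fqdn) { 'Mismatch' }
                      else                                         { 'OK' }
            [pscustomobject]@{
                Host   = $fqdn
                IP     = $ip
                PTR    = ($ptr.NameHost -join ', ')
                Status = $status
            }
        }
}

# List only the records that need attention.
Test-ReverseLookupSync | Where-Object Status -ne 'OK' | Format-Table -AutoSize
```

A host with several A records in different subnets legitimately shows one PTR per subnet zone; rows marked MissingPTR usually mean the reverse zone for that segment was never created.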

You create reverse lookup zones by following these steps:

1. Start the DNS Manager console. If the server you want to configure isn’t listed, connect to it as described previously.

2. Press and hold or right-click the server entry, and then tap or click New Zone to start the New Zone Wizard. Tap or click Next.

3. If you’re configuring a primary server integrated with Active Directory (a domain controller), select Primary Zone and be sure that Store The Zone In Active Directory is selected. If you don’t want to integrate DNS with Active Directory, select Primary Zone, and then clear the Store The Zone In Active Directory check box. Tap or click Next.

4. If you’re configuring a reverse lookup zone for a secondary server, select Secondary Zone, and then tap or click Next.

5. If you’re integrating the zone with Active Directory, choose one of the following replication strategies:

■ To All DNS Servers Running On Domain Controllers In This Forest Choose this strategy if you want the widest replication strategy. Remember, the Active Directory forest includes all domain trees that share the directory data with the current domain.