When adding a DNS zone, there is an option to create secondary zone. A secondary zone is basically a replica of zone from another existing DNS server in the network. The other server which is being replicated is called the Master. Any changes on the Master applies to the secondary zone as well, but not vice versa as we cannot perform changes directly on a secondary zone. In this article we’re going to show you how and why we would Configure Secondary Zone in Windows DNS Server.
How to Configure Secondary Zone in Windows DNS Server
Before configure secondary zone in Windows DNS Server, we have to create a new server and install DNS role in it. Then in the next step we will create a secondary zone by referring to a Master server. In this example, we have our server AS-DCO001 as the Master server and AS-DNS001 in which we will create the secondary zone. Both DNS server role installed on Windows Server 2012 R2. The zone name that we will replicate is mustbegeek.com. Below are the step-by-steps:
Using DNS Manager
First, open up DNS Manager in AS-DNS001 (the server where we will create a secondary zone) by going to Server Manager and select Tools > DNS.
In the DNS Manager, expand the server name. You’ll see a few items with icon similar to a folder, including Forward Lookup Zones and Reverse Lookup Zones.
Right click on either Forward Lookup Zones or Reverse Lookup Zones, depending on the types of the zone you would like to replicate. Since the zone mustbegeek.com is a forward lookup zone, we’re going to right click on Forward Lookup Zones and select New Zone.
Click Next button to skip the welcome screen.
On the zone type selection, choose Secondary Zone and click Next to proceed.
In the zone name field, type in the zone name carefully. In our case it is mustbegeek.com. Click Next to continue to the next screen.
In this section, type in the Master server FQDN or IP address then press Enter on the keyboard. Valid entry will have green checklist icon as shown in the picture below. You can add more than one Master server. To reorder the Master priority use the Up/Down button. In our case we only have one Master server which is AS-DCO001. When you’re done, click Next button to continue.
Now in the final screen, review if everything’s good then you can click Finish to complete the process.
Now if you browse to the secondary zone you just created, you may see this error message:
To avoid this from happening, we have to ensure that the Master has allowed zone transfer to this server. To configure zone transfer, go to the zone Properties in the Master server.
Then on the Zone Transfer tab, tick on the Allow zone transfer options. You can then select either “To any server”, “Only to servers listed on the Name Servers tab”, or “Only to the following servers”. If you choose the second or third option, you may need to specify the server name where secondary zone will be created. In this example, for the sake of simplicity we’re going to use the first option which is allowing any server to replicate the mustbegeek.com zone.
Now go back to AS-DNS001 and refresh the DNS Manager, you should be able to see all records in mustbegeek.com zone. Or, you can expedite the process by right clicking on the secondary zone name and select Transfer from Master.
With this, we have successfully configured a secondary zone.
Did you know that you can also perform the above steps by using PowerShell cmdlets? Using PowerShell to configure secondary zone in Windows DNS server is very easy and can save you a lot of time.
Below is the PowerShell command to create DNS secondary zone:
Add-DnsServerSecondaryZone -Name “ZONE_NAME” —ZoneFile “ZONE_FILENAME” -MasterServers “MASTER_IP”
You only need to replace ZONE_NAME with the name of the actual zone, ZONE_FILENAME with the zone file name (usually the same with zone name, just append “.dns” at the end) and MASTER_IP with the Master server IP address.
Additionally, you can also run this command below on the Master server if the zone transfer is not yet configured.
Set-DnsServerPrimaryZone -Name “ZONE_NAME” -SecureSecondaries TRANSFER_LIST
Again, replace ZONE_NAME with the name of the same zone. Also replace TRANSFER_LIST with either one of the values below depending of your needs:
- TransferAnyServer = Allow zone transfer to any server.
- TransferToZoneNameServer = Allow zone transfer only to servers listed as the Name Servers.
- TransferToSecureServers = Allow zone transfer only to servers listed explicitly on the command. Additional keyword “-SecondaryServers” must be included after this command followed by list IP address of the secondary servers.
Below is the command that we use in AS-DNS001 to create the secondary zone:
And below is the command that we use in AS-DCO001 to allow zone transfer:
The result is exactly the same as we previously configure in the GUI. Just remember to run PowerShell as administrator when executing both commands.
Working with Secondary Zone in Windows DNS Server
There are many reasons to configure secondary zone in Windows DNS server. One of the example is to provide redundancy in DNS infrastructure. When you have a DNS server with secondary zone in the network, it can act as the backup when the Master server failed because secondary zone can still run with records stored in its local cache.
The other good reason to use secondary zone is that because you can configure DNS load balance. You can distribute DNS query redirection to the Master and all the secondaries, therefore reducing the workload on each server. This is a very good option if you have a high intensity network.
With all of these benefits, there is no reason why you shouldn’t learn to configure secondary zone in Windows DNS server.