How to configure a DNS Secondary Zone in Windows Server 2008 & 2012

    Secondary Zones are a DNS feature that allows the entire DNS database for a zone to be transferred from a Master DNS server to a Secondary DNS server.  A Secondary Zone allows an organization to provide fault tolerance and load balancing for internal names.  It also lets a DNS server resolve names in a private namespace, or speed up name resolution for a public namespace, without the use of Conditional Forwarders or Stub Zones.

    When a Secondary DNS server is configured it requests a zone transfer from the DNS server maintaining the Master database for the zone.  If the Master has been configured to allow zone transfers to the Secondary, the entire database is transferred.  Once the Secondary has received the database from the Master it answers all name resolution requests for that namespace locally. If a client query is not part of the authoritative namespace, the server starts the normal name resolution process, beginning with a root name server, and continues until the name is resolved.  The Secondary database is kept up to date via zone transfers from the Master.

    Two organizations, USSHQ and Dulce Base, need to be able to share resources.  A trust relationship between the two organizations' Active Directory Domain Services is desired, but neither organization's namespace can be resolved through public name resolution.  Before the trust relationship can be configured, name resolution between the two namespaces needs to be configured.  One option for name resolution is to use a DNS Secondary Zone.  A DNS Secondary Zone in each domain will be configured so that the other organization's namespace can be resolved. All other names needing to be resolved will use the default name resolution method.

    If a computer from Dulce Base attempts to contact a computer in USSHQ it is unable to resolve the name.  See the figure below; the same result occurs in the other direction.


    Configuring the source DNS server to allow zone transfers (these steps are performed on both DNS servers).

    1. Launch the DNS console, right-click the Forward Lookup Zone on which you want to configure Zone Transfers, and click Properties.
    2. Select the Zone Transfers tab.

      1. To allow zone transfers, select the Allow zone transfers check box. Then choose one of the following:
        1. To allow zone transfers to any server, click To any server.
        2. To allow zone transfers only to the DNS servers listed on the Name Servers tab, click Only to servers listed on the Name Servers tab. Use this setting if you have configured Authoritative Name Servers for this zone on the Name Servers tab.
        3. To allow zone transfers only to specific DNS servers, click Only to the following servers, and then add the IP address of one or more DNS servers.  Use this setting if you have not configured Authoritative Name Servers for this zone on the Name Servers tab, or if you want to allow zone transfers to servers that are not Name Servers.
    3. In this demonstration we will be using the last option, click Only to the following servers.
    4. Click Edit, enter the IP Address of the Name Server that will be requesting the zone transfer, and press Enter.  After the FQDN has resolved, click OK.
    5. Click OK on the zone Properties sheet. DNS is now configured to allow zone transfers to the Dulce Base DNS server.

    Configuring a Secondary Zone (the same steps are performed on both DNS servers).

    1. Launch the DNS Console.
    2. Expand Forward Lookup Zones, right-click Forward Lookup Zones and choose New Zone. On the Welcome to the New Zone Wizard page, click Next.
    3. On the Zone Type page, click Secondary Zone, then click Next.
    4. On the Zone Name page, enter the name of the zone to transfer from, then click Next.
    5. Click Next on the Zone File page.
    6. On the Master DNS Servers page, enter the IP Address of the master DNS server to transfer from and press Enter to resolve it, then click Next.
    7. On the Completing the New Zone Wizard page, click Finish.
    8. Refresh the zone; a transfer should have occurred.

    Note:  The zone transfer may take a few minutes to occur, keep refreshing the screen and be patient.
    Name resolution will now succeed from DulceBase.Local to USSHQ.Local.  Once the DNS administrator completes the configuration on the USSHQ.Local DNS server, name resolution will also succeed from USSHQ.Local to DulceBase.local.
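    The two procedures above (allowing transfers on the Master, then creating the Secondary Zone), written as PowerShell for the DnsServer module that ships with Windows Server 2012. This is an added example, not code from the original post; the IP addresses, zone file name and host name are constructed, and on Windows Server 2008 the console or dnscmd.exe would be used instead.

```powershell
# Added example (not from the original post). Assumes the DnsServer module
# (Windows Server 2012). All IP addresses and names below are constructed.

# --- On the Dulce Base DNS server: allow transfers of its own zone ----------
$ZoneName  = 'DulceBase.local'
$Secondary = '10.1.1.10'   # assumed address of the USSHQ DNS server

# Weak setting, equivalent of "To any server": any host that can reach TCP 53
# can pull the entire zone and learn every internal host name.
# Set-DnsServerPrimaryZone -Name $ZoneName -SecureSecondaries TransferAnyServer

# Corrected setting, equivalent of "Only to the following servers":
Set-DnsServerPrimaryZone -Name $ZoneName `
    -SecureSecondaries TransferToSecureServers `
    -SecondaryServers  $Secondary `
    -Notify NotifyServers -NotifyServers $Secondary   # push change notices to it

# --- On the USSHQ DNS server: create the Secondary Zone ---------------------
$RemoteZone = 'DulceBase.local'
$MasterIP   = '10.2.2.10'   # assumed address of the Dulce Base DNS server

Add-DnsServerSecondaryZone -Name $RemoteZone `
    -ZoneFile "$RemoteZone.dns" `
    -MasterServers $MasterIP

# Request a full transfer now instead of waiting for the SOA refresh interval
Start-DnsServerZoneTransfer -Name $RemoteZone -FullTransfer

# --- Checks -------------------------------------------------------------------
# 1. Did the transfer happen? A zone that has not transferred yet reports
#    IsShutdown = True and carries no records beyond SOA/NS.
Get-DnsServerZone -Name $RemoteZone |
    Format-List ZoneName, ZoneType, IsShutdown, MasterServers
Get-DnsServerResourceRecord -ZoneName $RemoteZone -RRType A |
    Select-Object HostName, RecordData

# 2. Does this server now answer for the other organization's namespace?
Resolve-DnsName -Name "dc1.$RemoteZone" -Server 'localhost' -Type A

# 3. Audit: list every primary zone on this server that still allows
#    transfers to any server (the setting to tighten).
Get-DnsServerZone |
    Where-Object { $_.ZoneType -eq 'Primary' -and
                   $_.SecureSecondaries -eq 'TransferAnyServer' } |
    Select-Object ZoneName, SecureSecondaries
```

    The transfer itself uses TCP 53 between the two servers, so the check in step 1 will keep showing IsShutdown = True until that port is reachable from the Secondary to the Master.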

    As you can see, configuring a Secondary Zone is a simple fix for resolving names in a private network when public name resolution fails.  It does, however, require the administrator of the Master Zone to allow zone transfers to your organization before the zone will actually transfer.

    Until next time, RIDE SAFE!

    Rick Trader
    Windows Server Instructor – Interface Technical Training
    Phoenix, AZ

    See what people are saying...

    1. Lawrence Knowlton

      Can’t seem to get these steps to work. I’m trying to create a domain trust between a 2k3 and 2012, but can’t get them to see each other. I can ping, but names do not resolve. I see records for the 2012 in the 2k3 primary zone, but no records are showing up in the 2012 primary. Any help would be greatly appreciated!
      Thank you!

    2. Allan James

      Hello All,

      I’ve configured the above, however my secondary DNS server does not fully update. I can see (A) records in my primary that are not in the slave forward lookup Zone.

      Please help!

    3. Shiva Shanker Bhandari

      Please check whether Zone Transfer is enabled on the Master Server. I was facing the same issue, and when I enabled the Zone transfer the issue got resolved.

    4. Vijay

      Hi, nice article. I am facing a few issues here; if you can help me out it would be great!!
      I have created Conditional Forwarding and have created stub zones. I am not able to ping the DCs with the IP address but not with the FQDN. Is it necessary to create a secondary zone also? I am not able to create one; can you please help me on this.

    5. Shawn Morrissey

      Thanks for this post Rick!! I’ve been struggling to create a trust between 2k3 and 2k12 domains with forwarders only, but changed to secondary zones like you explained and it works great!!
