In this blog post we continue our study overview of the Microsoft 70-640 Active Directory Configuration certification exam. Today’s subject is Windows Server 2008 DNS zone transfers and replication.
Latest posts by Timothy Warner

The screenshot below shows the relevant section from the 70-640 exam blueprint on configuring DNS zone transfers and delegation.

We will cover each of the bullet points above by providing (a) a very brief definition of each technology and (b) links to relevant Microsoft resources to support your certification study.

Microsoft Exam 70-640 - Configuring DNS zone transfers and replication


DNS replication scope

One of many benefits of storing DNS zone data in Active Directory is that we can leverage application directory partitions to control the scope of Active Directory and DNS zone replication. For instance, we may not want every domain controller in a domain to host a copy of our zone data. The zone replication scope options in Windows Server 2008 are (1) All DNS servers in the forest; (2) All DNS servers in the domain; (3) All domain controllers in the domain; and (4) All domain controllers in a specified application directory partition.

DNS Zone Replication Scope


Relevant Links:

Incremental zone transfer

With standard (file-based) zones, incremental zone transfers save network bandwidth and reduce load on your DNS servers. An incremental zone transfer involves a secondary DNS server sending incremental zone transfer (IXFR) queries to its configured primary server instead of full zone transfer (AXFR) queries. Thus, only the delta (the changed resource record data) is replicated from the primary to the secondary DNS server.

Relevant Links:

DNS Notify

DNS Notify, formally defined in Request for Comments (RFC) 1996, is a technology whereby primary DNS servers can proactively, well, notify any configured secondary DNS servers of zone changes. The secondary DNS server then “gets the message,” so to speak, and initiates a full or incremental zone transfer from its configured primary.

Relevant Links:

Secure zone transfer

Because an attacker who captures DNS zone data can fingerprint your entire network, Windows Server 2008 DNS enables administrators to apply confidentiality and integrity to DNS zone transfer data streams by using the industry-standard IPsec protocols. Note that this option pertains to standard DNS zone transfers and not to AD-integrated zone replication.

Relevant Links:

Configuring name servers

The actual installation of the DNS Server role is pretty easy: we can use the Server Manager graphical utility or Windows PowerShell 2.0. Managing a DNS server can be performed with the DNS Server console, with PowerShell, or with a variety of DNS-related command-line tools.
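As an added example that is not part of the original post, the following PowerShell 2.0-compatible function audits the zone transfer and notify settings discussed in the two sections above by querying the MicrosoftDNS WMI provider that ships with the Windows Server 2008 DNS Server role; the function name, output labels and the FAIL/OK wording are my own.

```powershell
# Added example, not code from the original post: audit DNS zone transfer and
# notify settings through the MicrosoftDNS WMI provider (root\MicrosoftDNS),
# which is present on Windows Server 2008 and works with PowerShell 2.0.
# Run on the DNS server itself, or pass -ComputerName for a remote server.
function Get-DnsZoneTransferAudit {
    param(
        [string]$ComputerName = $env:COMPUTERNAME
    )

    # Meaning of the numeric SecureSecondaries and Notify values the provider exposes.
    $transferMode = @{ 0 = 'Any server (unrestricted)'
                       1 = 'Name servers listed in the zone only'
                       2 = 'Servers on the transfer list only'
                       3 = 'Zone transfers disabled' }
    $notifyMode   = @{ 0 = 'No notify'
                       1 = 'Notify name servers listed in the zone'
                       2 = 'Notify servers on the notify list' }

    $zones = Get-WmiObject -Namespace 'root\MicrosoftDNS' -Class 'MicrosoftDNS_Zone' `
                           -ComputerName $ComputerName

    foreach ($zone in $zones) {
        # ZoneType 1 = primary, 2 = secondary; both can answer AXFR/IXFR requests.
        if ($zone.ZoneType -ne 1 -and $zone.ZoneType -ne 2) { continue }

        # An unrestricted transfer policy hands the whole zone to any client that asks.
        $finding = 'OK'
        if ($zone.SecureSecondaries -eq 0) { $finding = 'FAIL: AXFR permitted to any host' }

        # Cast to [int] so the uint32 provider values match the hashtable keys above.
        New-Object PSObject -Property @{
            Zone           = $zone.Name
            ADIntegrated   = [bool]$zone.DsIntegrated
            TransferPolicy = $transferMode[[int]$zone.SecureSecondaries]
            Secondaries    = ($zone.SecondaryServers -join ', ')
            NotifyPolicy   = $notifyMode[[int]$zone.Notify]
            NotifyTargets  = ($zone.NotifyServers -join ', ')
            Finding        = $finding
        }
    }
}

Get-DnsZoneTransferAudit |
    Format-Table Zone, ADIntegrated, TransferPolicy, Secondaries, NotifyPolicy, Finding -AutoSize
```

The IPsec protection described in the previous section is configured as IPsec policy on the servers rather than on the zone object, so it does not appear in this output.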

Relevant Links:

Application directory partitions

As previously mentioned, application directory partitions are “compartments” within Active Directory that enterprise applications and services can use for data replication among selected or all domain controllers. For instance, we can store DNS zone data in an application directory partition to tightly control which forest DNS servers receive that zone information.

Relevant Links:


If you studied all of the material in 70-640 domain 1, then you should be pretty cognitively “tight” regarding DNS in Windows Server 2008. Microsoft has, for good reason I think, placed a lot of emphasis on DNS in all of their IT pro certification exams. In my next post in this series I will discuss the DNS zone transfers and replication sample practice question.




© 4sysops 2006 - 2023

