Secondary zone

A secondary zone keeps a read-only copy of a primary zone. It refreshes the zone data by contacting the primary zone hosted on another server, so maintaining a secondary zone depends on network connectivity to that server and on zone transfer permissions. Secondary zones cannot be stored in AD DS.

I have an AD-integrated primary zone running. I also have a standalone DNS server and, because of an application requirement, I need to set up a secondary zone on it.

Before the secondary zone setup, I need to adjust the permission for zone transfer. By default, zone transfer is not allowed in AD DS-integrated zones:

Set-DnsServerPrimaryZone -Name "rebeladmin.net" -SecureSecondaries TransferToSecureServers -SecondaryServers 192.168.0.106

In the preceding command, rebeladmin.net is my zone and TransferToSecureServers defines that the transfer will be allowed only for the listed secondary server 192.168.0.106.

If needed, the -SecureSecondaries value can be changed to TransferAnyServer to allow transfer to any server, or to TransferToZoneNameServer to allow transfer only to nameservers.

Now I can set up a secondary zone from the server 192.168.0.106.

In the following command, -MasterServers defines the IP address of the master server. The -ZoneFile parameter is there only for file-backed DNS servers:

Add-DnsServerSecondaryZone -Name "rebeladmin.net" -ZoneFile "rebeladmin.net.dns" -MasterServers 192.168.0.105
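The following audit is an added example, not code from the book: run on the primary server, it reports the zone transfer policy of every primary zone and flags zones that allow transfer to any server or list a secondary outside an approved set. The $ApprovedSecondaries allow-list is an assumption for illustration, seeded with the secondary 192.168.0.106 used above.

```powershell
# Added example: run on the primary DNS server (DnsServer module required).
# $ApprovedSecondaries is an assumed allow-list; 192.168.0.106 is the
# secondary server used in this walkthrough.
$ApprovedSecondaries = @('192.168.0.106')

$zones = Get-DnsServerZone |
    Where-Object { $_.ZoneType -eq 'Primary' -and -not $_.IsAutoCreated }

$report = foreach ($z in $zones) {
    # Query by name so the transfer-related properties are returned.
    $zone   = Get-DnsServerZone -Name $z.ZoneName
    $policy = [string]$zone.SecureSecondaries
    # Normalise the secondary list to strings; skip the empty case.
    $listed = @($zone.SecondaryServers | Where-Object { $_ } |
                ForEach-Object { [string]$_ })

    switch ($policy) {
        'TransferAnyServer' {
            $finding = 'Any host can request a full copy of the zone'
        }
        'TransferToZoneNameServer' {
            $finding = 'Transfer follows the NS records; review who can edit them'
        }
        'TransferToSecureServers' {
            $extra = @($listed | Where-Object { $_ -notin $ApprovedSecondaries })
            if ($extra.Count) { $finding = "Unapproved secondaries: $($extra -join ', ')" }
            else              { $finding = 'OK' }
        }
        'NoTransfer' { $finding = 'OK' }
        default      { $finding = "Unrecognised policy value: $policy" }
    }

    [pscustomobject]@{
        Zone         = $zone.ZoneName
        DsIntegrated = $zone.IsDsIntegrated
        Policy       = $policy
        Secondaries  = $listed -join ', '
        Finding      = $finding
    }
}

# Zones with something to review sort ahead of the 'OK' rows.
$report | Sort-Object { $_.Finding -eq 'OK' }, Zone | Format-Table -AutoSize
```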

The following figure shows Forward Lookup Zones:
