Hello friends. I hope you are all well and having a great time. Today we will discuss Active Directory-integrated zones. I assume you already know the basics of DNS and zones, so let's quickly review the different zone types.
Windows Server supports four types of Zones:
- Standard Primary – Holds the read/write copy of the zone data. All changes to the zone are made on the primary and are then replicated to the secondary zones. The zone is stored as a writable text file ending in the .dns extension; the default location is %SystemRoot%\System32\Dns, although this can be changed. If the domain name is gcs.com, the file is named gcs.com.dns. You can open this file in Notepad and inspect the records.
- Standard Secondary – Holds a read-only copy of the zone data and is used for redundancy and load balancing. Changes are made on the primary zone and copied to the secondary zones by zone transfer (AXFR/IXFR). The secondary also stores its read-only copy as a text file.
- Stub Zone – Stores only a partial copy of the zone: the SOA record, the NS records and the glue A records of the zone's name servers, which is just enough to identify the servers that are authoritative for the zone. A stub zone does not have the full list of hosts in the zone, but because it knows the authoritative name servers, the DNS server hosting it can send queries for names in that zone straight to those servers.
- Active Directory-Integrated zone– Let’s discuss it in detail.
AD-integrated zones store their data in the Active Directory database as container objects. A container of class dnsZone is created for each DNS zone. The dnsZone object contains one dnsNode object for every unique name within that zone, and each dnsNode carries several attributes; the resource records themselves are packed into the multi-valued binary attribute dnsRecord.
Although AD-integrated zones were first introduced in Windows 2000, since Windows Server 2003 application partitions have been used for their replication. Two application partitions are created automatically when DNS is installed on a domain controller: DomainDnsZones and ForestDnsZones. Zone data stored in DomainDnsZones is replicated to every DNS server (domain controller running DNS) in the domain; zone data stored in ForestDnsZones is replicated to every DNS server in the forest. Windows 2000-style zones that live in the domain partition itself (under CN=MicrosoftDNS,CN=System) are still supported, and replicate to every domain controller in the domain whether or not it runs DNS. You can also create an application partition manually with dnscmd /CreateDirectoryPartition or ntdsutil; only the DNS servers enlisted in that partition will replicate it among themselves.
To check the contents of DomainDnsZones and ForestDnsZones, the steps are as under (these steps are for Windows Server 2012; other versions may differ slightly):
- Open ADSI Edit from the Tools menu in Server Manager.
- Right-click ADSI Edit and click Connect to.
- In the Connection Settings dialog, under Connection Point, choose "Select or type a Distinguished Name or Naming Context".
- Type DC=DomainDnsZones,DC=<domainname>,DC=com (to check ForestDnsZones, type DC=ForestDnsZones in place of DC=DomainDnsZones, using the distinguished name of the forest root domain).
- Expand CN=MicrosoftDNS and browse. Each dnsZone object appears as DC=<zonename>, and the dnsNode objects underneath it hold the records.
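The same browsing can be done from PowerShell, which is handier on many domain controllers than clicking through ADSI Edit. The following is an added example and not code from the original post; it assumes the RSAT ActiveDirectory module is installed and that the account running it can read the two partitions. The ForestDnsZones partition is looked up under the forest root domain's DN, which matters when you run this from a child domain.

```powershell
# Added example (not from the original post): list every dnsZone object in the
# DomainDnsZones and ForestDnsZones partitions, and count the dnsNode objects
# in each zone, using the ActiveDirectory module instead of ADSI Edit.
Import-Module ActiveDirectory

$domainDn = (Get-ADDomain).DistinguishedName                               # e.g. DC=gcs,DC=com
$forestDn = (Get-ADDomain (Get-ADForest).RootDomain).DistinguishedName     # forest root DN

$partitions = @{
    DomainDnsZones = "DC=DomainDnsZones,$domainDn"
    ForestDnsZones = "DC=ForestDnsZones,$forestDn"
}

foreach ($name in $partitions.Keys) {
    $container = "CN=MicrosoftDNS,$($partitions[$name])"
    Write-Host "== $name ($container) =="

    # Each zone is a dnsZone container directly under CN=MicrosoftDNS.
    $zones = Get-ADObject -SearchBase $container -SearchScope OneLevel `
                          -LDAPFilter '(objectClass=dnsZone)' -Properties whenChanged

    foreach ($zone in $zones) {
        # Each unique name inside the zone is a dnsNode. Deleted names are not
        # removed immediately; they are marked with dNSTombstoned = TRUE, so
        # separate them from live names when counting.
        $nodes = @(Get-ADObject -SearchBase $zone.DistinguishedName -SearchScope OneLevel `
                                -LDAPFilter '(objectClass=dnsNode)' -Properties dNSTombstoned)
        $live  = @($nodes | Where-Object { -not $_.dNSTombstoned })

        '{0,-40} {1,5} live nodes, {2,4} tombstoned, last changed {3}' -f `
            $zone.Name, $live.Count, ($nodes.Count - $live.Count), $zone.whenChanged
    }
}
```

Run it on a domain controller (or any domain member with RSAT) as a user that can read the partitions; the only writes it would ever make are none, so it is safe to run against production. If a zone you expect is missing from both partitions, check the domain partition under CN=MicrosoftDNS,CN=System for a Windows 2000-style zone.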
Before going into the advantages of AD-integrated zones, there are a few points to note:
- AD-integrated zones can only be hosted on domain controllers that run the DNS Server role; a member server can only hold a standard primary or secondary copy.
- With Active Directory-integrated zones, every domain controller running DNS that hosts the zone is an authoritative server for it. Replication is multi-master, so DNS records can be updated on any of these servers and the changes are replicated to the others automatically.
The advantages of using AD-Integrated zone are as under:
- Replication: AD-integrated zones are replicated through Active Directory replication. AD replication is compressed between sites and is authenticated and encrypted, so DNS replication becomes fast, secure and efficient and works even over slow WAN links. Standard zone transfers, by contrast, cross the network in clear text.
- Redundancy: AD-integrated zones remove the single point of failure from the DNS design. With standard zones, only the primary holds a writable copy of the zone file, which is transferred to the secondaries; those hold read-only copies. If the server hosting the primary zone fails, DNS records cannot be updated until it is back online or a secondary is promoted to primary. With AD-integrated zones every DNS-enabled DC can write to the zone, so there is no single point of failure.
- Security: with secure dynamic update enabled, only authenticated domain principals can register records, and an existing record can then be modified only by the account that created it (or by an administrator). That stops one host from overwriting another host's records. Note the limit of this protection: any authenticated user or computer can still create a record for a name that does not exist yet, because the zone's default ACL lets Authenticated Users create child objects. Secure update protects existing records, not the namespace as a whole.
- A new domain controller running DNS receives the zone through AD replication; no zone transfer has to be configured for it.
- In geographically separated locations, AD sites can be configured to control replication and schedule it for off hours. Since AD-integrated zones are part of the AD database, their replication is controlled by the same site-link schedules.
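To turn the points above into a check, the following added example (not code from the original post) audits the AD-integrated zones on one DNS server: it prints each zone's replication scope and dynamic-update setting, flags zones that still accept nonsecure updates, and lists which principals hold CreateChild on the zone object, which is the right that allows registering new names. It assumes the DnsServer and ActiveDirectory RSAT modules; the $DnsServer parameter is an assumption of this example and defaults to the local machine.

```powershell
# Added example (not from the original post): audit AD-integrated zones on a DNS server.
param([string]$DnsServer = $env:COMPUTERNAME)   # assumed parameter: which DC to query

Import-Module DnsServer
Import-Module ActiveDirectory

$domainDn = (Get-ADDomain).DistinguishedName
$forestDn = (Get-ADDomain (Get-ADForest).RootDomain).DistinguishedName

# Skip the auto-created zones (e.g. reverse lookup for loopback) and anything not in AD.
$zones = Get-DnsServerZone -ComputerName $DnsServer |
         Where-Object { $_.IsDsIntegrated -and -not $_.IsAutoCreated }

foreach ($zone in $zones) {
    # ReplicationScope is Domain (DomainDnsZones), Forest (ForestDnsZones),
    # Legacy (the domain partition, Windows 2000 style) or Custom (an application
    # partition created by hand with dnscmd/ntdsutil).
    # DynamicUpdate is None, Secure or NonsecureAndSecure. Anything but Secure means
    # an unauthenticated client that can reach port 53 can overwrite records.
    $flag = if ($zone.DynamicUpdate -eq 'Secure') { 'ok  ' } else { 'WARN' }
    '{0} {1,-30} scope={2,-7} update={3}' -f $flag, $zone.ZoneName, $zone.ReplicationScope, $zone.DynamicUpdate

    # Locate the dnsZone object so its ACL can be read. Custom partitions are
    # reported with their partition name instead of being resolved here.
    $zoneDn = switch ($zone.ReplicationScope) {
        'Domain' { "DC=$($zone.ZoneName),CN=MicrosoftDNS,DC=DomainDnsZones,$domainDn" }
        'Forest' { "DC=$($zone.ZoneName),CN=MicrosoftDNS,DC=ForestDnsZones,$forestDn" }
        'Legacy' { "DC=$($zone.ZoneName),CN=MicrosoftDNS,CN=System,$domainDn" }
        default  { $null }
    }
    if (-not $zoneDn) {
        '     custom partition: {0} (inspect its CN=MicrosoftDNS container manually)' -f $zone.DirectoryPartitionName
        continue
    }

    # Even with secure updates, whoever holds CreateChild on the zone can register a
    # brand-new name. By default that includes Authenticated Users, i.e. every domain
    # account, so review this list rather than assuming 'Secure' closes the door.
    $createChild = [System.DirectoryServices.ActiveDirectoryRights]::CreateChild
    (Get-Acl -Path "AD:\$zoneDn").Access |
        Where-Object { $_.AccessControlType -eq 'Allow' -and
                       (($_.ActiveDirectoryRights -band $createChild) -ne 0) } |
        ForEach-Object { '     can create records: {0}' -f $_.IdentityReference }
}
```

Run it as a user with read access to the DNS server (remote Get-DnsServerZone needs WinRM to the target DC). A zone showing NonsecureAndSecure should be switched back to Secure with Set-DnsServerPrimaryZone -DynamicUpdate Secure; the CreateChild list is a design decision rather than a misconfiguration, but it tells you exactly who can add names to your namespace.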
So, that’s all in this blog. I will meet you soon with some other stuff. Have a nice day !!!