What is the main security benefit of creating an integrated AD DNS primary zone?

In this article, Kevin Kocis describes some of the advantages and difficulties of combining the Domain Name Service (DNS) with Active Directory, non-Microsoft DNS servers, and WINS.


Integrating DNS and Active Directory

The integration of DNS and Active Directory is a key feature of Windows 2000. Like DNS, Active Directory is a distributed database that can be partitioned and replicated. Active Directory domains and DNS domains use identical names for different namespaces. Active Directory uses DNS as its location service, enabling computers to find the location of domain controllers and other services on the network. LDAP is the protocol used to query and update Active Directory, and all domain controllers run an LDAP server.

You cannot install Active Directory without having DNS on your network because Active Directory uses DNS as its location service. However, you can install DNS separately, without Active Directory. If you install DNS on a domain controller, you can also choose whether or not to use Active Directory to provide storage and replication for DNS. Using Active Directory for storage and replication provides the following benefits:

  • Increased fault tolerance

  • Security

  • Easier management

  • More efficient replication of large zones

For DNS to function as a location service for Active Directory, you must have a DNS server to host the locator records (A, SRV, and CNAME).

You can configure your Windows 2000 DNS server automatically by using the Active Directory Installation Wizard, which performs all the installation and configuration necessary for DNS, and the Netlogon service adds the necessary locator records.

You can manually configure DNS if you want to set up a configuration other than the Active Directory default configuration (such as BIND).

For information about issues related to configuring DNS when you're using a third-party DNS server, see the later section "Heterogeneous Environments."

DNS Installation Wizard

The Active Directory Installation Wizard promotes the computer to the role of domain controller, installs Active Directory, and can install and configure the DNS server.

When you start the Active Directory Installation Wizard and choose to create a new domain, the wizard finds the DNS server that is authoritative for the name of the new Active Directory domain and then checks whether that server is going to accept dynamic updates. If the test is positive, the wizard does not install and configure a local DNS server.

If the Active Directory Installation Wizard cannot find the DNS server that is authoritative for the name, or if the server it finds does not support dynamic updates or is not configured to accept dynamic updates, the wizard asks whether you want it to automatically install and configure a local DNS server. If you answer yes, the wizard automatically installs and configures the DNS Server service.

During automatic configuration, the Active Directory Installation Wizard adds to the DNS server the forward lookup zone that will host the locator records and configures the DNS server to accept dynamic updates. (A forward lookup zone contains information needed to resolve names within the DNS domain.) If the server is the first in the forest, it becomes the root DNS server. If the server is not the first, the wizard queries for the root servers and primes the root hints with the root DNS server names.

After the Active Directory Installation Wizard is finished, you are prompted to restart the computer. After the computer restarts, Netlogon attempts to add locator resource records to the DNS server by sending a dynamic update request to the authoritative DNS server.

NOTE

The Netlogon service starts after the DNS server service. The SRV resource records may not be registered in the zone for up to 15 minutes. You can force registration of these records by stopping and restarting the Netlogon service.

NOTE

You can also invoke the Active Directory Installation Wizard by executing an answer file that contains all the settings you need to configure. An answer file is a file that a wizard uses to provide answers to questions where a user would normally need to respond or be prompted to input information.

Follow these steps to install and configure DNS and Active Directory:

  1. Log on with the appropriate administrative privileges. Depending on the type of DC promotion, an account in the Enterprise Admins group may be required.

  2. Check the TCP/IP advanced settings of your computer to make sure that it is configured to use a DNS server. If your computer is the first DNS server on the network, you can configure your computer to use itself as a DNS server.

  3. If the Windows 2000 Configure Your Server Wizard is not already open on your computer, click Start, Run, and then type dcpromo.

  4. The Active Directory Installation Wizard then guides you through the installation and configuration of the DNS server component.

  5. When you're directed to do so, restart your computer.

After you run the Active Directory Installation Wizard, you might need to add a delegation in the parent zone of the zone you created. If this server is a root DNS server, no parent zone exists; therefore, you do not need to add a delegation. However, if other DNS servers are running on the network, you should add a delegation if this zone will be managed outside of the root domain.

Follow these steps to add a delegation:

  1. In the DNS console, locate the subdomain where you want to create a zone delegation.

  2. From the Action menu, select New Delegation. Click Next.

  3. On the Delegated Domain Name page, specify the domain you want to create (select the recently created domain you just installed in DNS), and click Next.

  4. Specify the servers hosting the delegated zone, and click Next.

  5. Review your entered information, and click Finish.
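As an added example (not from the article), the following PowerShell checks that the locator SRV records Netlogon should have registered are present, forces re-registration if any are missing, and then adds the parent-zone delegation. It assumes a current Windows Server with the DnsServer and DnsClient modules rather than the Windows 2000 console described here; the domain, server and address names are constructed.

```powershell
# Constructed names (assumptions, not from the article)
$Domain     = 'corp.example.com'        # the new Active Directory domain / zone
$ParentZone = 'example.com'             # parent zone that needs the delegation
$ChildLabel = 'corp'                    # child zone label relative to the parent
$NewDc      = 'dc1.corp.example.com'    # domain controller hosting the child zone
$NewDcIp    = '10.1.1.10'

# SRV locator records that domain members use to find a domain controller.
$Locators = @(
    "_ldap._tcp.dc._msdcs.$Domain",
    "_kerberos._tcp.dc._msdcs.$Domain",
    "_ldap._tcp.$Domain",
    "_kerberos._tcp.$Domain"
)

function Get-MissingLocator {
    param([string[]]$Names)
    # Resolve-DnsName returns nothing for a name that is not registered yet.
    foreach ($n in $Names) {
        if (-not (Resolve-DnsName -Name $n -Type SRV -ErrorAction SilentlyContinue)) { $n }
    }
}

$missing = @(Get-MissingLocator -Names $Locators)
if ($missing.Count -gt 0) {
    Write-Warning "Locator records not registered yet: $($missing -join ', ')"
    # Netlogon can take up to 15 minutes to register them; restarting it
    # sends the dynamic update immediately, as the note above describes.
    Restart-Service -Name Netlogon
    Start-Sleep -Seconds 30
    $missing = @(Get-MissingLocator -Names $Locators)
}
if ($missing.Count -gt 0) {
    throw "Still missing after Netlogon restart: $($missing -join ', ')"
}

# Delegate the child zone from the parent zone hosted on this server, so
# resolvers that start at the parent are referred to the new DC.
Add-DnsServerZoneDelegation -Name $ParentZone -ChildZoneName $ChildLabel `
    -NameServer $NewDc -IPAddress $NewDcIp

# Confirm the delegation resolves through the parent.
Resolve-DnsName -Name $Domain -Type NS
```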

Configuring Zones

The biggest part of configuring DNS involves configuring zones. After you have installed DNS, you will eventually be required to configure DNS zones. This next section addresses the Windows 2000 DNS console and how to configure various elements of zone creation.

Adding and Deleting Zones

As mentioned earlier, you can configure zones as standard primary, standard secondary, or Active Directory–integrated.

To add a standard primary zone, perform the following steps:

  1. Select Start, Programs, Administrative Tools, DNS.

  2. In DNS, locate the server designated to be the primary server for the new zone.

  3. Right-click the Forward Lookup Zone icon and select New Zone.

  4. At the zone selection screen, select Standard Primary, and click Next.

  5. Enter the domain name (this should correspond to your Active Directory namespace).

  6. Click the Create a New File button if you are not importing or working with a current file. (Note that the default name is the zone name with an appended .dns extension.) If you are using an existing file, it must be located in the %SystemRoot%\system32\dns folder.

  7. Review your information, and select Finish.

To create a secondary forward lookup zone, follow steps 1 through 5, and then enter the IP address(es) of the DNS server(s) from which you want to copy the DNS zone information. Click the Add button, and prioritize the list of DNS servers. Then review your information, and click Finish.

Adding a Reverse Lookup Zone

All zones (primary, secondary, and AD-integrated) can be either forward lookup or reverse lookup. A reverse lookup zone returns the host name when queried with the IP address.

To create a primary reverse lookup zone, perform the following steps:

  1. Select Start, Programs, Administrative Tools, DNS.

  2. In DNS, locate the server designated to be the primary server for the new zone.

  3. Right-click the Reverse Lookup Zone icon and select New Zone.

  4. At the zone selection screen, select Standard Primary, and click Next.

  5. Enter the network ID for the zone (or enter the name, which is the reversed network ID followed by .in-addr.arpa). For example, if the network ID is 10.1.1, the reverse lookup zone name is 1.1.10.in-addr.arpa. Click Next.

  6. Click the Create a New File button if you are not importing or working with a current file. (Note that the default name is the zone name with an appended .dns extension.) If you are using an existing file, it must be located in the %SystemRoot%\system32\dns folder.

  7. Review your information, and select Finish.

To delete a zone, simply right-click the desired zone in the DNS console, and select Delete.

Active Directory–Integrated Zones

Any zone you create is automatically replicated to all domain controllers in the zone. Therefore, do not create the same zone on more than one domain controller.

NOTE

If you create a zone on one domain controller and then create the same zone on a second domain controller before Active Directory has replicated the zone, Active Directory deletes the zone on the first domain controller. As a result, you lose any changes that you made to the version of the zone that you created on the first domain controller.

To create an Active Directory–integrated zone, perform the following steps:

  1. Select Start, Programs, Administrative Tools, DNS.

  2. In DNS, locate the server designated to be the primary server for the new zone.

  3. Right-click the Forward Lookup Zone icon, and select New Zone.

  4. At the zone selection screen, select Standard Active Directory–Integrated Zone, and click Next.

  5. Enter the domain name (this should correspond to your Active Directory namespace).

  6. Review your information, and click Finish.

You can store many zones in Active Directory, which will act as primary zones. These zones can be modified by any DNS server running on a domain controller in the respective zone.

If you delete an Active Directory–integrated zone from a domain controller and Load Zone Data on Startup is set to Registry, the DNS console asks whether you also want to delete the zone from Active Directory. If you click Yes, the zone is completely deleted from Active Directory and is no longer available to any domain controllers. If you click No, the zone is removed from the Registry but remains in Active Directory. The next time the DNS server polls the directory for changes, if Load Zone Data on Startup on the Advanced tab of the DNS server properties page in the DNS console is set to From Active Directory and Registry, the zone reappears (see Figure 1). If Load Zone Data on Startup is set to Registry, on the other hand, the zone does not reappear.

Figure 1: Setting the load zone data preference.

Converting Standard Zones to AD-Integrated Zones

You can convert either a standard primary or secondary zone to an Active Directory–integrated zone. When you integrate a zone with Active Directory, consider the following issues:

  • For a DNS server to use an Active Directory–integrated zone, that server must be running on a domain controller.

  • You cannot load Active Directory–integrated zones from other domains. If you want your DNS server to be authoritative for an Active Directory–integrated zone from another domain, the server can only act as a secondary server for that zone.

  • There is no such thing as an Active Directory–integrated secondary zone. All domain controllers can update the zone.

  • You cannot have at the same time both an Active Directory–integrated zone and a standard primary copy of the same zone.
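As an added example (not the article's own steps), this PowerShell creates the forward and reverse zones as AD-integrated with secure-only dynamic updates, creates a file-backed standard primary zone for contrast, converts it to AD-integrated, and then audits the server for zones that still accept unauthenticated updates. It assumes a domain controller running a current Windows Server with the DnsServer module; the zone names are constructed.

```powershell
# Constructed zone names (assumptions, not from the article)
$Zone       = 'corp.example.com'
$LegacyZone = 'legacy.example.com'

# AD-integrated primary zone: stored in the directory partition, replicated
# with Active Directory, and "Secure" dynamic updates mean only authenticated
# domain members can register or overwrite records.
Add-DnsServerPrimaryZone -Name $Zone -ReplicationScope Domain -DynamicUpdate Secure

# Matching reverse lookup zone for 10.1.1.0/24; the server names it
# 1.1.10.in-addr.arpa (reversed network ID, as in the article).
Add-DnsServerPrimaryZone -NetworkId '10.1.1.0/24' -ReplicationScope Domain -DynamicUpdate Secure

# Contrast: a file-backed standard primary zone cannot use "Secure". Enabling
# dynamic updates on it means NonsecureAndSecure, so any host that can reach
# the server can add or replace records. This is the weak setting.
Add-DnsServerPrimaryZone -Name $LegacyZone -ZoneFile "$LegacyZone.dns" -DynamicUpdate NonsecureAndSecure

# Convert the standard primary zone to AD-integrated (the "Converting Standard
# Zones to AD-Integrated Zones" section) and tighten updates in the same run.
ConvertTo-DnsServerPrimaryZone -Name $LegacyZone -ReplicationScope Domain -Force
Set-DnsServerPrimaryZone -Name $LegacyZone -DynamicUpdate Secure

# Audit: list primary zones on this server that still accept unauthenticated
# dynamic updates; after the steps above the list should be empty.
function Get-NonsecureUpdateZone {
    Get-DnsServerZone |
        Where-Object {
            -not $_.IsAutoCreated -and
            $_.ZoneType -eq 'Primary' -and
            $_.DynamicUpdate -eq 'NonsecureAndSecure'
        } |
        Select-Object ZoneName, IsDsIntegrated, ReplicationScope, DynamicUpdate
}
Get-NonsecureUpdateZone
```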

Converting AD-Integrated Zones to Standard Zones

You can convert an Active Directory–integrated zone to either a standard primary or standard secondary zone (see Figure 2).

Figure 2: Converting an AD-integrated zone to a standard primary zone. You can use this same window in the General tab to convert back to AD-integrated.

If you convert an Active Directory–integrated zone to a standard secondary zone, the zone is copied to the name server on which you converted the zone. Although the server no longer loads the zone from Active Directory, it hosts its own secondary copy of the zone, and requests zone transfers from the primary server for the zone.

If you convert an Active Directory–integrated zone to a standard primary zone, the zone is copied to a standard file on that server and is deleted from Active Directory. The zone no longer appears on other Active Directory–integrated DNS servers.

Preventing Problems When Converting or Deleting Zones

When you delete a zone or convert an Active Directory–integrated zone to a standard secondary zone, configuration errors can result. For example, if you delete a copy of the zone from a server and a secondary server is configured to pull zone transfers from that server, the secondary server is no longer able to pull zone transfers.

Also, if you convert an Active Directory–integrated zone to a standard primary zone, the DNS server loading the new primary zone becomes the single master of the zone. Because the conversion removes the zone from Active Directory, the zone is deleted from all domain controllers.

To prevent this problem, be sure to update all secondary servers for the zone that you are converting from an Active Directory–integrated zone to a standard primary zone. This problem occurs only if you delete a zone from a server or you are converting an Active Directory–integrated zone to a standard primary zone, and a secondary server is pointing at a server from which the zone was deleted. The problem does not occur if you are converting an Active Directory–integrated zone to a standard secondary zone because converting this way does not cause the zone to be deleted from any server.
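As an added example (not from the article), this PowerShell runs the checks a defender would want before converting an AD-integrated zone to a standard primary zone: it records which domain controllers currently hold the zone and which secondaries transfer it from this server, exports a backup of the zone data, and only then converts. It assumes a current Windows Server with the DnsServer and ActiveDirectory modules; the zone name and backup file name are constructed.

```powershell
$Zone       = 'corp.example.com'                  # constructed zone name
$BackupFile = "$Zone.before-convert.dns"           # written under %SystemRoot%\system32\dns

# 1. Every domain controller that loads this zone from Active Directory will
#    lose it once the zone is converted; list them so any secondary pointing
#    at one of them can be repointed to the new single master.
$holders = foreach ($dc in Get-ADDomainController -Filter *) {
    $z = Get-DnsServerZone -Name $Zone -ComputerName $dc.HostName -ErrorAction SilentlyContinue
    if ($z -and $z.IsDsIntegrated) { $dc.HostName }
}
Write-Host "DCs currently hosting $Zone from Active Directory:`n  $($holders -join "`n  ")"

# 2. Secondaries that this server is configured to transfer the zone to
#    (populated only when transfers are restricted to named servers).
$local = Get-DnsServerZone -Name $Zone
if ($local.SecondaryServers) {
    Write-Host "Secondaries transferring from this server: $($local.SecondaryServers -join ', ')"
}

# 3. Back up the zone data before the directory copy is deleted.
Export-DnsServerZone -Name $Zone -FileName $BackupFile

# 4. Convert to a file-backed standard primary zone. This server becomes the
#    single master; the zone is removed from Active Directory and therefore
#    from the DCs listed in step 1.
ConvertTo-DnsServerPrimaryZone -Name $Zone -ZoneFile "$Zone.dns" -Force

# 5. Every secondary must now name this server as its master.
$self = [System.Net.Dns]::GetHostName()
Write-Host "Point secondaries for $Zone at $self; the servers in step 1 no longer serve it."
```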

What is the primary advantage of using Active Directory integrated zone?

Active Directory-integrated zones also afford a big security advantage, in that they provide the capability to lock down dynamic DNS functionality by restricting the ability of users and computers to register records into the system—only computers that are members of the Active Directory domain that hosts the DNS ...

What are the advantages of Active Directory integrated DNS?

AD-integrated DNS zones are stored in directory partitions within Active Directory. These directory partitions replicate along with the rest of AD; therefore, no extra configuration (i.e., zone transfer setup) is required for DNS replication. Further, AD-integrated zones allow the use of secure dynamic updates.

What is the purpose of using Active Directory integrated zones?

The advantages of using an AD-integrated zone include replication: an AD-integrated zone is replicated using Active Directory replication. Because Active Directory can compress replication data between sites and replicates data securely, DNS replication also becomes fast, secure, and efficient.

What is the use of the primary zone in DNS?

A primary zone loads zone data directly from a file on a host. It can contain a subzone, or child zone. It can also contain resource records, such as host, alias (CNAME), IPv4 address (A), IPv6 address (AAAA), or reverse mapping pointer (PTR) records.