Integrated Storage

When you configure a primary zone to be Active Directory–integrated, the zone is stored in Active Directory.

Figure 6.12 shows this configuration.

Figure 6.12 Active Directory-Integrated Zone

The DNS server component holds only a copy of the zone in memory. When the server starts, it reads that copy from Active Directory (step 1). When the server later receives a change to the zone, it writes the change to Active Directory (step 2).

Through Active Directory replication, the zone is replicated to other domain controllers. Also, through standard zone transfer, the DNS server can send its copy of the zone to any secondary DNS servers that request it. The DNS server can perform both incremental and full zone transfers. Figure 6.13 shows how the same zone can be replicated by using both Active Directory replication and standard zone transfer.

Figure 6.13 Replication and Zone Transfer

By default, when an Active Directory–integrated DNS server starts up, it checks whether Active Directory is available and whether it contains any DNS zones. If Active Directory does contain zones, the DNS server loads zones from the location specified by the Load data on startup setting on the properties page for the server in the DNS console. The DNS server can load zones from the following locations:

  • If Load data on startup is set to From registry , the DNS server loads all local standard zone files and Active Directory–integrated zones specified in the following registry subkey:
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DNS\Zones

  • If Load data on startup is set to Boot From File , the DNS server uses a BIND-style boot file to determine the location of the zone files.

Note

The DNS server automatically writes back to the boot file at regular intervals. You can also update the boot file by clicking on the server from within the DNS console and then by clicking the Action menu and selecting Update Server Data Files . Alternatively, you can stop and restart the server to update the boot file by right-clicking on the server from within the DNS console, pointing to All Tasks in the context-sensitive menu, and then clicking Restart .

  • If Load data on startup is set to From Active Directory and registry (the default), the DNS server loads all Active Directory–integrated zones in the directory and all local standard zone files specified in the registry. (The DNS server must load every Active Directory–integrated zone in the directory; you cannot configure it to load only some of them.)

The DNS server also loads the root hints and server and zone parameters from different locations depending on the Load data on startup setting. Table 6.4 shows the locations from which the DNS server loads and to which it writes zones, root hints, and server and zone parameters depending on the setting of Load data on startup .

Table 6.4 How the DNS Server Loads Zones, Root Hints, and Parameters

Each row lists, for the three settings of Load data on startup, where the DNS server reads from or writes to. "The directory" means Active Directory.

Read root hints from:
  Boot from File: the root hints file.
  Boot from Registry: the root hints file, if available; otherwise, if the directory is available and contains root hints, the directory.
  Boot from Active Directory and Registry: the directory, if it is available and contains root hints; otherwise, the root hints file.

Write root hints to:
  Boot from File: the root hints file.
  Boot from Registry: the root hints file.
  Boot from Active Directory and Registry: the directory, if it is available.

Read zones from:
  Boot from File: the boot file.
  Boot from Registry: the registry.
  Boot from Active Directory and Registry: the directory (for Active Directory–integrated zones) and the registry.

Write zones to:
  Boot from File: the boot file and the registry.
  Boot from Registry: the registry and, if the zone is Active Directory–integrated, the directory.
  Boot from Active Directory and Registry: the registry and, if the zone is Active Directory–integrated, the directory.

Read server and zone parameters from:
  Boot from File: the boot file and the registry.
  Boot from Registry: the registry and (for Active Directory–integrated zones) the directory.
  Boot from Active Directory and Registry: the directory (for Active Directory–integrated zones) and the registry.

Write server and zone parameters to:
  Boot from File: the boot file and the registry.
  Boot from Registry: the registry (for all zones) and (for Active Directory–integrated zones) the directory.
  Boot from Active Directory and Registry: the directory (for Active Directory–integrated zones) and the registry.

If you change the setting of Load data on startup , the DNS server first writes the root hints file, zones, and parameters to the locations specified in the original setting of Load data on startup and then reads them from the new setting.

If the server has loaded Active Directory–integrated zones, it periodically polls Active Directory for changes to those zones. The server also checks for the addition of new zones or the deletion of existing zones.

The DNS server can modify Active Directory if an administrator makes a change to the zone, or if the server is configured to accept dynamic updates and a dynamic update occurs. (Dynamic Update is described in "Dynamic Update and Secure Dynamic Update" later in this chapter.)

DNS servers update Active Directory by using the following procedure:

  1. When an update arrives, the DNS server polls Active Directory to make sure that its in-memory copy of the zone is current. If it is not, the server reads the outstanding changes from Active Directory and applies them to the in-memory copy.

  2. Next, the server verifies that all prerequisites are satisfied. Prerequisites are conditions (for example, that a name is or is not already in use) that must hold before the records can be changed; if any prerequisite fails, the update is refused and nothing is written.

  3. Finally, if the prerequisites hold, the server accepts the change and writes the updated primary zone data to Active Directory.
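The following Python is an added example, not code from the original chapter or from the Windows DNS server. It models steps 2 and 3 on an in-memory zone using the prerequisite and update semantics of RFC 2136, the dynamic update standard that Windows 2000 implements. The zone dictionary stands in for the in-memory copy that step 1 has just refreshed from Active Directory; the host names and addresses in demo() are constructed sample data.

```python
"""Prerequisite checking and atomic application of a DNS update.

Added example, not code from the original chapter or from the Windows DNS
server. Zone: {owner name: {rtype: set(rdata)}}. Each prerequisite or
update is a tuple (name, rclass, rtype, rdata); rdata is None when the
entry carries no data. Sample names and addresses are constructed.
"""
from copy import deepcopy

NOERROR, NXDOMAIN, YXDOMAIN, NXRRSET, YXRRSET = (
    "NOERROR", "NXDOMAIN", "YXDOMAIN", "NXRRSET", "YXRRSET")
IN, ANY, NONE = "IN", "ANY", "NONE"   # RR classes used in the prerequisite and update sections


def check_prerequisite(zone, name, rclass, rtype):
    """Value-independent prerequisites (RFC 2136 section 2.4). Return an RCODE or None."""
    rrsets = zone.get(name, {})
    if rclass == ANY and rtype == "ANY":        # "name is in use"
        return None if rrsets else NXDOMAIN
    if rclass == ANY:                           # "RRset exists (value independent)"
        return None if rrsets.get(rtype) else NXRRSET
    if rclass == NONE and rtype == "ANY":       # "name is not in use"
        return YXDOMAIN if rrsets else None
    if rclass == NONE:                          # "RRset does not exist"
        return YXRRSET if rrsets.get(rtype) else None
    raise ValueError("unsupported prerequisite class %r" % rclass)


def apply_update(zone, prereqs, updates):
    """Return (rcode, new_zone). On any failed prerequisite the zone comes back unchanged."""
    # Step 2: check every prerequisite against the current copy before anything
    # is written. Zone-class prerequisites are value dependent: the RRset in the
    # zone must exactly equal the set of RRs supplied for that name and type.
    wanted = {}
    for name, rclass, rtype, rdata in prereqs:
        if rclass == IN:
            wanted.setdefault((name, rtype), set()).add(rdata)
            continue
        rcode = check_prerequisite(zone, name, rclass, rtype)
        if rcode is not None:
            return rcode, zone
    for (name, rtype), rdatas in wanted.items():
        if zone.get(name, {}).get(rtype, set()) != rdatas:
            return NXRRSET, zone
    # Step 3: apply to a copy so a failure midway never leaves a half-written zone
    new = deepcopy(zone)
    for name, rclass, rtype, rdata in updates:
        if rclass == IN:                          # add an RR to an RRset
            new.setdefault(name, {}).setdefault(rtype, set()).add(rdata)
        elif rclass == ANY and rtype == "ANY":    # delete every RRset at the name
            new.pop(name, None)
        elif rclass == ANY:                       # delete one RRset
            new.get(name, {}).pop(rtype, None)
        elif rclass == NONE:                      # delete one specific RR
            new.get(name, {}).get(rtype, set()).discard(rdata)
        else:
            raise ValueError("unsupported update class %r" % rclass)
    # prune empty RRsets and names left behind by deletions
    new = {n: {t: r for t, r in rs.items() if r} for n, rs in new.items()}
    return NOERROR, {n: rs for n, rs in new.items() if rs}


def demo():
    """Four updates against a constructed reskit.com zone; returns [(rcode, zone), ...]."""
    host = "host1.reskit.com."
    zone = {"mailserver.reskit.com.": {"A": {"172.16.72.5"}}}   # constructed sample zone
    results = []
    # 1. register host1 only if the name is not already in use
    rc, zone = apply_update(zone, [(host, NONE, "ANY", None)], [(host, IN, "A", "172.16.72.10")])
    results.append((rc, zone))
    # 2. a second client tries the same registration: the name is now in use, refused
    rc, zone = apply_update(zone, [(host, NONE, "ANY", None)], [(host, IN, "A", "172.16.72.99")])
    results.append((rc, zone))
    # 3. the owner replaces its address, conditional on the A RRset it registered
    rc, zone = apply_update(zone, [(host, IN, "A", "172.16.72.10")],
                            [(host, ANY, "A", None), (host, IN, "A", "172.16.72.11")])
    results.append((rc, zone))
    # 4. a stale client conditions on the old address and is refused
    rc, zone = apply_update(zone, [(host, IN, "A", "172.16.72.10")],
                            [(host, ANY, "A", None), (host, IN, "A", "172.16.72.12")])
    results.append((rc, zone))
    return results


if __name__ == "__main__":
    for rc, z in demo():
        print(rc, z)
```

The prerequisite section is what lets a client make its change conditional: "add this A record only if the name is unused" cannot be raced by a second registrant, because the server evaluates the whole prerequisite list against the freshly polled copy before it writes anything. Which clients are allowed to succeed at all is a separate question, answered by the secure dynamic update mechanism described later in this chapter.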

Storage Location

The Active Directory directory service is an object-oriented database that organizes network resources in a hierarchical structure. Every resource is represented by an object.

Each object has attributes that define its characteristics.

The classes of objects and the attributes of each object are defined in the Active Directory schema.

Table 6.5 shows the DNS objects in Active Directory.

Table 6.5 DNS Objects in Active Directory

  dnsZone      Container created when a zone is stored in Active Directory.
  dnsNode      Leaf object used to map and associate a name in the zone to resource data.
  dnsRecord    Multivalued attribute of a dnsNode object used to store the resource records associated with the named node object.
  dnsProperty  Multivalued attribute of a dnsZone object used to store zone configuration information.

Figure 6.14 shows how DNS objects are represented in Active Directory.

Figure 6.14 DNS Objects in Active Directory

Within the MicrosoftDNS container object are the dnsZone container objects. In Figure 6.14, MicrosoftDNS contains the following dnsZone objects:

  • The reverse lookup zone, 72.16.172.in-addr.arpa

  • The forward lookup zone, reskit.com

  • The root hints, RootDNSServers

The dnsZone container object contains a dnsNode leaf object for every unique name within that zone. Figure 6.14 shows the following dnsNode objects within the dnsZone container object for reskit.com:

  • @, which signifies that the node has the same name as the dnsZone object.

  • delegated, a delegated subdomain.

  • host.notdelegated, a host in the domain notdelegated.reskit.com, a domain that is controlled by the zone on reskit.com.

  • host1, a host in the domain reskit.com.

  • mailserver, the mail server in the domain reskit.com.

  • nameserver, the name server in reskit.com.

  • notdelegated, the domain notdelegated.reskit.com, which is controlled by the zone on reskit.com.

The dnsNode leaf object has a multivalued attribute called dnsRecord, with one value for every record associated with the object's name. In this example, the dnsNode leaf object mailserver.reskit.com has a dnsRecord value holding an A record with the mail server's IP address.

You can view the DNS objects from within the Active Directory Users and Computers console.

To view zones stored in Active Directory

  1. Click Start , point to Programs , point to Administrative Tools , and then click Active Directory Users and Computers .

  2. In the View menu, click Advanced Features .

  3. Double-click the Domain object, the System object, and then the MicrosoftDNS object to display the dnsZone objects.

  4. Double-click the zone that you want to view.

Although you can see the zone objects in Active Directory Users and Computers, that console cannot interpret the values of the dnsRecord attribute. To view the DNS domain hierarchy and its records, use the DNS console. For information about the DNS console, see "Setting Up DNS for Active Directory" earlier in this chapter. Alternatively, you can retrieve the records in a zone by using Nslookup. For more information about Nslookup, see "Troubleshooting" later in this chapter.
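The following Python is an added example, not code from the original chapter or from any Microsoft tool. It decodes dnsRecord values as the DNS_RPC_RECORD structure described in [MS-DNSP] section 2.3.2.2; that specification covers later Windows versions and is assumed here to describe what the Windows 2000 DNS server stores as well. On a live directory the blobs come from the dnsRecord attribute of dnsNode objects under the MicrosoftDNS container reached in the procedure above (CN=MicrosoftDNS,CN=System,<domain>); here they are built in the file with build_dns_record(), and the addresses, names and SOA counters are constructed sample values. Because the records are ordinary directory attributes, any account with read access to the dnsNode objects can enumerate a zone this way without asking the DNS server for a zone transfer.

```python
"""Decode values of the dnsRecord attribute stored on dnsNode objects.

Added example, not code from the original chapter. Layout follows the
DNS_RPC_RECORD structure in [MS-DNSP] 2.3.2.2 (assumed to match what the
Windows 2000 DNS server stores). The blobs decoded by sample_records() are
constructed here, not captured from a directory.
"""
import ipaddress
import struct

# 24-byte header: DataLength(2) Type(2) Version(1) Rank(1) Flags(2)
# Serial(4) TtlSeconds(4, big-endian) Reserved(4) TimeStamp(4), then Data.
_HDR = struct.Struct("<HHBBHL")   # little-endian fields up to Serial
_TTL = struct.Struct(">L")        # TtlSeconds is stored in network byte order
_TAIL = struct.Struct("<LL")      # Reserved, TimeStamp (hours since 1601, 0 = static)
HDR_LEN = _HDR.size + _TTL.size + _TAIL.size   # 24

TYPE_NAMES = {1: "A", 2: "NS", 5: "CNAME", 6: "SOA", 12: "PTR",
              15: "MX", 28: "AAAA", 33: "SRV"}


def encode_count_name(name):
    """Build a DNS_COUNT_NAME: Length, LabelCount, length-prefixed labels, 0 terminator."""
    labels = [l for l in name.rstrip(".").split(".") if l]
    raw = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return bytes([len(raw), len(labels)]) + raw


def decode_count_name(data, off):
    """Parse a DNS_COUNT_NAME at `off`; return (dotted name, offset after it)."""
    length, label_count = data[off], data[off + 1]
    pos = off + 2
    labels = []
    for _ in range(label_count):
        n = data[pos]
        labels.append(data[pos + 1:pos + 1 + n].decode("ascii"))
        pos += 1 + n
    return ".".join(labels) + ".", off + 2 + length


def build_dns_record(rtype, rdata, ttl=3600, serial=1, timestamp=0):
    """Construct a dnsRecord blob (Version 5, Rank 0xF0 = authoritative zone data)."""
    return (_HDR.pack(len(rdata), rtype, 5, 0xF0, 0, serial)
            + _TTL.pack(ttl) + _TAIL.pack(0, timestamp) + rdata)


def decode_dns_record(blob):
    """Return a dict describing one dnsRecord value."""
    if len(blob) < HDR_LEN:
        raise ValueError("dnsRecord shorter than its header")
    data_len, rtype, _version, rank, _flags, serial = _HDR.unpack_from(blob, 0)
    (ttl,) = _TTL.unpack_from(blob, _HDR.size)
    _reserved, timestamp = _TAIL.unpack_from(blob, _HDR.size + _TTL.size)
    rdata = blob[HDR_LEN:HDR_LEN + data_len]
    if len(rdata) != data_len:
        raise ValueError("dnsRecord data truncated")
    rec = {"type": TYPE_NAMES.get(rtype, "TYPE%d" % rtype), "ttl": ttl,
           "serial": serial, "rank": rank, "timestamp": timestamp}
    if rtype == 1:                      # A: 4 bytes in network order
        rec["data"] = str(ipaddress.IPv4Address(rdata))
    elif rtype == 28:                   # AAAA: 16 bytes
        rec["data"] = str(ipaddress.IPv6Address(rdata))
    elif rtype in (2, 5, 12):           # NS, CNAME, PTR: a single DNS_COUNT_NAME
        rec["data"] = decode_count_name(rdata, 0)[0]
    elif rtype == 15:                   # MX: 16-bit preference, then the exchange name
        (pref,) = struct.unpack_from(">H", rdata, 0)
        rec["data"] = (pref, decode_count_name(rdata, 2)[0])
    elif rtype == 6:                    # SOA: five 32-bit counters, then two names
        counters = struct.unpack_from(">LLLLL", rdata, 0)
        mname, off = decode_count_name(rdata, 20)
        rname, _ = decode_count_name(rdata, off)
        rec["data"] = {"mname": mname, "rname": rname, "serial": counters[0],
                       "refresh": counters[1], "retry": counters[2],
                       "expire": counters[3], "minimum": counters[4]}
    else:                               # anything else: leave the data as hex
        rec["data"] = rdata.hex()
    return rec


def sample_records():
    """Decode constructed blobs for the chapter's sample nodes (values are made up)."""
    blobs = [
        build_dns_record(1, ipaddress.IPv4Address("172.16.72.5").packed),      # mailserver A
        build_dns_record(15, struct.pack(">H", 10) + encode_count_name("mailserver.reskit.com")),
        build_dns_record(6, struct.pack(">LLLLL", 7, 900, 600, 86400, 3600)
                         + encode_count_name("nameserver.reskit.com")
                         + encode_count_name("hostmaster.reskit.com")),
    ]
    return [decode_dns_record(b) for b in blobs]


if __name__ == "__main__":
    for rec in sample_records():
        print(rec)
```

The TimeStamp field is the one piece of state that has no equivalent in a zone file: it records when a dynamically registered record was last refreshed, and a value of 0 marks a record that was entered by hand and will never be scavenged.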

Creating, Converting, and Deleting Zones

You can store any number of zones in Active Directory. Zones stored in Active Directory act like primary zones: Any DNS server running on a domain controller in the domain can modify the zone.

To store a zone in Active Directory, you can either create an Active Directory–integrated zone or convert a primary or secondary zone to be Active Directory–integrated. You can also convert Active Directory–integrated zones back to standard primary or secondary zones. This section explains issues you need to consider when you create, convert, and delete zones. For information about how to create, convert, and delete zones, see Windows 2000 Server Help.

Creating an Active Directory–Integrated Zone

Any zone you create is automatically replicated to all domain controllers in the domain. Therefore, do not create the same zone on more than one domain controller.

Caution

If you create a zone on one domain controller, and then create the same zone on a second domain controller before Active Directory has replicated the zone, Active Directory deletes the zone on the first domain controller. As a result, you lose any changes that you made to the version of the zone that you created on the first domain controller.

Converting a Standard Zone to an Active Directory–Integrated Zone

You can convert either a standard primary or secondary zone to an Active Directory–integrated zone. When you integrate a zone with Active Directory, consider the following issues:

  • For a DNS server to use an Active Directory–integrated zone, that server must be running on a domain controller.

  • You cannot load Active Directory–integrated zones from other domains. If you want your DNS server to be authoritative for an Active Directory–integrated zone from another domain, the server can only be a secondary server for that zone.

  • There is no such thing as an Active Directory–integrated secondary zone. When you store a zone in Active Directory, all domain controllers can update the zone.

  • You cannot have at the same time both an Active Directory–integrated zone and a standard primary copy of the same zone.

Converting an Active Directory–Integrated Zone to a Standard Zone

You can convert an Active Directory–integrated zone to either a standard primary or standard secondary zone.

If you convert an Active Directory–integrated zone to a standard secondary zone, the zone is copied to the name server on which you converted the zone. That server no longer loads the zone from Active Directory, but it has its own secondary copy of the zone. It requests zone transfers from whatever server you specified as the primary server for the zone.

If you convert an Active Directory–integrated zone to a standard primary zone, the zone is copied to a standard file on that server and is deleted from Active Directory. The zone no longer appears on other Active Directory–integrated DNS servers.

Deleting Zones

If you delete an Active Directory–integrated zone from a domain controller and Load data on startup is set to From registry , the DNS console asks whether you also want to delete the zone from Active Directory. If you click Yes , the zone is deleted from Active Directory entirely and can no longer be loaded on any domain controller. If you click No , the zone is removed from the registry on that server but remains in Active Directory. In that case, if Load data on startup , on the Advanced tab of the DNS server properties page in the DNS console, is set to From Active Directory and registry , the zone reappears the next time the DNS server polls the directory for changes; if it is set to From registry , the zone does not reappear.

If you delete a standard secondary zone from a domain controller, it is generally deleted from that domain controller. However, if a corresponding Active Directory–integrated zone exists, and you have configured the DNS server to load data on startup from Active Directory and the registry, the zone reappears as an Active Directory–integrated primary zone. You can then delete the Active Directory–integrated zone from the computer or from Active Directory.

Creating a Secondary Copy of an Active Directory–Integrated Zone

You can integrate a zone in Active Directory and then add a secondary copy of the zone on another DNS server. For example, if users at a remote site need to resolve names in the zone but you do not want the extra network traffic that adding a domain controller there would bring, you can create a secondary copy of the zone on a DNS server at that site.

Preventing Problems When Converting or Deleting Zones

When you delete a zone, or convert an Active Directory–integrated zone to a standard secondary zone, you can cause configuration errors. For example, if you delete a copy of the zone from a server and a secondary server is configured to pull zone transfers from that server, the secondary server is no longer able to pull zone transfers.

In another example, if you convert an Active Directory–integrated zone to a standard primary zone, the DNS server loading the new primary zone becomes the single master of the zone. Therefore, Active Directory removes the converted zone from Active Directory, which means that the zone is deleted from all domain controllers.

This can cause problems for secondary servers in some configurations. For example, suppose the domain noam.reskit.com has two Active Directory–integrated name servers, DC1.noam.reskit.com and DC2.noam.reskit.com, and one secondary name server, SecondaryNS.noam.reskit.com, that holds a secondary copy of the zone for noam.reskit.com and points to DC2.noam.reskit.com as the master server for the zone. Figure 6.15 shows this configuration.

Figure 6.15 Sample Domain Structure

Now, suppose that a user with the proper permissions logs on to DC1.noam.reskit.com and converts the zone from an Active Directory–integrated zone to a standard primary zone. As Figure 6.16 shows, DC1.noam.reskit.com then has a standard primary zone, and DC2.noam.reskit.com no longer has a copy of the zone. Even though the zone is deleted from DC2.noam.reskit.com, SecondaryNS.noam.reskit.com still points to DC2.noam.reskit.com as the master server for the zone, so SecondaryNS.noam.reskit.com has no way to obtain a copy of the zone by zone transfer.

Figure 6.16 Orphaned Secondary Server

To prevent this problem, be sure to update all secondary servers for the zone that you are converting from an Active Directory–integrated zone to a standard primary zone.

This problem occurs only if you delete a zone from a server or you are converting an Active Directory–integrated zone to a standard primary zone, and a secondary server is pointing at a server from which the zone was deleted. The problem will not occur if you are converting an Active Directory–integrated zone to a standard secondary zone, because converting an Active Directory–integrated zone to a standard secondary does not cause the zone to be deleted from any server.
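The following Python is an added example, not code from the original chapter. It models the roles in Figures 6.15 and 6.16 and the rules stated in this section (converting an Active Directory–integrated zone to a standard primary removes it from every other domain controller; converting to a standard secondary removes nothing; deleting an Active Directory–integrated zone from the directory removes it from all domain controllers) so that you can list the secondaries a planned change would orphan before making it. The server inventory is constructed from the chapter's sample names.

```python
"""Pre-change check for secondary servers that a zone conversion or deletion would orphan.

Added example, not code from the original chapter. The inventory in
figure_6_15() is constructed from the chapter's sample server names.
"""
from dataclasses import dataclass

AD_INTEGRATED, PRIMARY, SECONDARY = "ad-integrated", "standard primary", "standard secondary"


@dataclass(frozen=True)
class ZoneCopy:
    server: str
    role: str
    master: str = ""   # the server a secondary pulls zone transfers from


def orphaned_secondaries(copies):
    """Secondaries whose configured master holds no copy of the zone at all."""
    holders = {c.server for c in copies}
    return sorted(c.server for c in copies if c.role == SECONDARY and c.master not in holders)


def convert_to_standard_primary(copies, server):
    """The converting server keeps a file-based primary; the directory copy, and with it
    every other domain controller's copy, is deleted (Figure 6.16)."""
    out = []
    for c in copies:
        if c.role != AD_INTEGRATED:
            out.append(c)
        elif c.server == server:
            out.append(ZoneCopy(server, PRIMARY))
    return out


def convert_to_standard_secondary(copies, server, master):
    """Only the converting server changes role; every other copy stays as it was."""
    return [ZoneCopy(server, SECONDARY, master) if c.server == server and c.role == AD_INTEGRATED else c
            for c in copies]


def delete_zone(copies, server, from_directory=False):
    """Delete the zone on one server; with from_directory, an AD-integrated zone is
    also removed from the directory and therefore from every domain controller."""
    target = next((c for c in copies if c.server == server), None)
    if target is None:
        return list(copies)
    if from_directory and target.role == AD_INTEGRATED:
        return [c for c in copies if c.role != AD_INTEGRATED]
    return [c for c in copies if c.server != server]


def figure_6_15():
    """The chapter's sample domain: two AD-integrated DCs, one secondary mastered on DC2."""
    return [ZoneCopy("DC1.noam.reskit.com", AD_INTEGRATED),
            ZoneCopy("DC2.noam.reskit.com", AD_INTEGRATED),
            ZoneCopy("SecondaryNS.noam.reskit.com", SECONDARY, "DC2.noam.reskit.com")]


if __name__ == "__main__":
    before = figure_6_15()
    dc1, dc2 = "DC1.noam.reskit.com", "DC2.noam.reskit.com"
    print("before:", orphaned_secondaries(before))
    print("convert to primary on DC1:", orphaned_secondaries(convert_to_standard_primary(before, dc1)))
    print("convert to secondary on DC1:", orphaned_secondaries(convert_to_standard_secondary(before, dc1, dc2)))
    print("delete on DC2 only:", orphaned_secondaries(delete_zone(before, dc2)))
```

Run the check against your real inventory before the change and repoint any secondary it reports at a server that will still hold the zone afterwards.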