Understanding Active Directory Integrated DNS- Implementing DNS

Windows Server 2000 introduced Active Directory Integrated DNS to the world. This zone type was unique, and it was a separate choice during setup. In Windows Server 2003, this zone type became an add-on to a primary zone. In Windows Server 2022, it works the same way. After choosing to set up a primary zone, you select the Store The Zone In Active Directory option (see Figure 5.6).

FIGURE 5.6 Setting up an Active Directory Integrated zone

Disadvantages of Active Directory Integrated DNS

The main disadvantage of Active Directory Integrated DNS is that it has to reside on a domain controller because the DNS database is stored in Active Directory. As a result, you cannot load this zone type on a member server, and small organizations might not have the resources to set up a dedicated domain controller.

Advantages of Active Directory Integrated DNS

The advantages of using an Active Directory Integrated DNS zone well outweigh the disadvantages just discussed. The following are some of the major advantages to an Active Directory Integrated DNS zone:

Full Fault Tolerance Think of an Active Directory Integrated zone as a database on your server that stores contact information for all your clients. If you need to retrieve John Smith’s phone number, as long as it was entered, you can look it up on the software.

If John Smith’s phone number was stored only on your computer and your computer stopped working, no one could access John Smith’s phone number. But since John Smith’s phone number is stored in a database to which everyone has access, if your  computer stops working, other users can still retrieve John Smith’s phone number.

An Active Directory Integrated zone works the same way. Since the DNS database is stored in Active Directory, all Active Directory DNS servers can have access to the same data. If one server goes down or you lose a hard drive, all other Active Directory DNS servers can still retrieve DNS records.

No Additional Network Traffic As previously discussed, an Active Directory Integrated zone is stored in Active Directory. Since all records are now stored in Active Directory, when a resolver needs a TCP/IP address for Jsmith, any Active Directory DNS server can access Jsmith’s address and respond to the resolver.

When you choose an Active Directory Integrated zone, DNS zone data can be  replicated automatically to other DNS servers during the normal Active Directory replication process.

DNS Security An Active Directory Integrated zone has a few security advantages over a primary zone:

An Active Directory Integrated zone can use secure dynamic updates.

As explained earlier, the Dynamic DNS standard allows secure-only updates or dynamic updates, not both.

If you choose secure updates, then only machines with accounts in Active Directory can register with DNS. Before DNS registers any account in its database, it checks Active Directory to make sure that it is an authorized domain computer.

An Active Directory Integrated zone stores and replicates its database through Active Directory replication. Because of this, the data gets encrypted as it is sent from one DNS server to another.
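The following PowerShell is an added example, not from the book, showing how the secure-only dynamic update setting described above is applied when a zone is stored in Active Directory, and how to audit a server for zones that still accept nonsecure updates. It assumes an elevated session on a domain controller that runs the DNS Server role; example.com is a constructed zone name.

```powershell
# Added example (not from the book): create an AD-integrated primary zone that
# accepts secure dynamic updates only, then audit every AD-integrated zone on
# this DNS server for any that still allow nonsecure updates.
# Assumes an elevated session on a domain controller with the DnsServer module.
Import-Module DnsServer

$zone = 'example.com'   # constructed sample zone name

# -ReplicationScope stores the zone in Active Directory (the "Store the zone in
# Active Directory" checkbox) and replicates it to every DNS server in the domain.
# -DynamicUpdate 'Secure' means only computers with AD accounts can register records.
Add-DnsServerPrimaryZone -Name $zone -ReplicationScope 'Domain' -DynamicUpdate 'Secure'

# Verify the zone is DS-integrated and allows secure updates only.
Get-DnsServerZone -Name $zone |
    Select-Object ZoneName, IsDsIntegrated, DynamicUpdate, ReplicationScope

# Audit: an AD-integrated zone set to 'NonsecureAndSecure' lets unauthenticated
# hosts register or overwrite records, so flag every non-'Secure' zone.
$weak = Get-DnsServerZone |
    Where-Object { $_.IsDsIntegrated -and -not $_.IsAutoCreated -and $_.DynamicUpdate -ne 'Secure' }

if ($weak) {
    $weak | Select-Object ZoneName, DynamicUpdate
    Write-Warning 'The zones above accept nonsecure dynamic updates; fix with Set-DnsServerPrimaryZone -DynamicUpdate Secure'
} else {
    'All AD-integrated zones accept secure dynamic updates only.'
}
```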

Background Zone Loading Background zone loading (discussed in more detail later in this chapter) allows an Active Directory Integrated DNS zone to load in the background. As a result, a DNS server can service client requests while the zone is still loading into memory.

Understanding Stub Zones

Stub zones work a lot like secondary zones: the database is a noneditable copy of a primary zone. The difference is that the stub zone’s database contains only the information necessary (three record types) to identify the authoritative DNS servers for a zone (see Figure 5.7). You should not use stub zones to replace secondary zones, nor should you use them for redundancy and load balancing.

FIGURE 5.7 DNS stub zone type

Stub zone databases contain only three record types: name server (NS), start of authority (SOA), and glue host (A) records. Understanding these records will help you on the Microsoft certification exams. Microsoft asks many questions about stub zones on all DNS-related exams.

When to Use Stub Zones

Stub zones become particularly useful in a couple of different scenarios. Consider what happens when two large companies merge: example.com and example.net. In most cases, the DNS zone information from both companies must be available to every employee. You could set up a new zone on each side that acts as a secondary for the other side’s primary zone, but administrators tend to be very protective of their DNS databases and probably wouldn’t agree to this plan. A better solution is to add to each side a stub zone that points to the primary server on the other side. When a client in example.com (which you help administer) makes a request for a name in example.net, the stub zone on the example.com DNS server would send the client to the primary DNS server for example.net without actually resolving the name. At this point, it would be up to example.net’s primary server to resolve the name. An added benefit is that, even if the administrators over at example.net change their configuration, you won’t have to do anything because the changes will automatically replicate to the stub zone, just as they would for a secondary server.

Stub zones can also be useful when you administer two domains across a slow connection. Let’s change the previous example a bit and assume that you have full control over example.com and example.net but they connect through a 56 Kbps line. In this case, you wouldn’t necessarily mind using secondary zones because you personally administer the entire network. However, it could get messy to replicate an entire zone file across that slow line. Instead, stub zones would refer clients to the appropriate primary server at the other site.

GlobalName Zones
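The merger scenario above, as an added PowerShell example that is not from the book: the example.com side adds an AD-integrated stub zone for example.net and then confirms that the zone holds only the SOA, NS and glue A records the text describes. It assumes a domain controller running DNS; 192.0.2.53 is a constructed placeholder for example.net’s primary server.

```powershell
# Added example (not from the book): add an AD-integrated stub zone for the
# partner domain and check that it contains only SOA, NS and glue A records.
# Assumes a domain controller running DNS. 192.0.2.53 is a constructed
# placeholder for example.net's primary (master) server.
Import-Module DnsServer

$stubZone = 'example.net'
$master   = '192.0.2.53'

# The stub zone fetches its SOA, NS and glue records from the master and, because
# it is stored in AD, replicates to every DNS server in the forest through normal
# AD replication; the full example.net database is never transferred.
Add-DnsServerStubZone -Name $stubZone -MasterServers $master -ReplicationScope 'Forest'

# Inspect what the zone actually stores: expect only SOA, NS and A records.
$records = Get-DnsServerResourceRecord -ZoneName $stubZone
$records | Group-Object RecordType | Select-Object Name, Count

$unexpected = $records | Where-Object { $_.RecordType -notin 'SOA', 'NS', 'A' }
if ($unexpected) {
    Write-Warning "Unexpected record types in stub zone: $($unexpected.RecordType -join ', ')"
}

# Show which server the stub zone trusts as its master. Clients are referred to
# whatever the zone learned from here, so a change in MasterServers is worth noticing.
Get-DnsServerZone -Name $stubZone |
    Select-Object ZoneName, ZoneType, MasterServers, IsDsIntegrated
```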

Earlier in this chapter, I talked about organizations using WINS to resolve NetBIOS names (also referred to as computer names) to TCP/IP addresses. Even today, many organizations still use WINS along with DNS for name resolution. Unfortunately, WINS is slowly becoming obsolete.

To help organizations move forward with an all-DNS network, Microsoft Windows Server 2022 DNS supports GlobalName zones. These use single-label names (DNS names that do not contain a suffix such as .com, .net, and so on). GlobalName zones are not intended to support peer-to-peer networks and workstation name resolution, and they don’t support dynamic DNS updates.

GlobalName zones are designed to be used with servers. Because GlobalName zones are not dynamic, you have to enter the records into the zone database manually. In most organizations, the servers have static TCP/IP addresses, and this works well with the GlobalName zone design. GlobalName zones are usually used to map single-label CNAME (alias) resource records to an FQDN.
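The GlobalName zone setup just described, as an added PowerShell example that is not from the book: support is switched on, the zone is created as a non-dynamic AD-integrated primary zone, and a single-label CNAME is entered by hand. It assumes a domain controller running DNS; intranet and web01.example.com are constructed names.

```powershell
# Added example (not from the book): enable GlobalNames support, create the
# zone (the name must be exactly GlobalNames), and add a single-label alias.
# Assumes a domain controller running DNS; web01.example.com is a constructed host.
Import-Module DnsServer

# Turn on single-label resolution through the GlobalNames zone on this server.
Set-DnsServerGlobalNameZone -Enable $true

# The zone is an ordinary AD-integrated primary zone replicated forest-wide.
# Dynamic updates are disabled because GlobalNames records are entered manually.
Add-DnsServerPrimaryZone -Name 'GlobalNames' -ReplicationScope 'Forest' -DynamicUpdate 'None'

# Map the single-label name "intranet" to the server's FQDN with a CNAME record.
Add-DnsServerResourceRecordCName -ZoneName 'GlobalNames' -Name 'intranet' -HostNameAlias 'web01.example.com'

# Confirm the server setting and the record, then resolve the single-label name.
Get-DnsServerGlobalNameZone | Select-Object Enable
Get-DnsServerResourceRecord -ZoneName 'GlobalNames' -RRType CName
Resolve-DnsName -Name 'intranet' -Server 'localhost' -Type CNAME
```

Set-DnsServerGlobalNameZone is a per-server setting, so it must be enabled on every DNS server that should answer single-label queries, while the zone data itself arrives through AD replication.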
