Windows Server 2003 - Change DNS to Active Directory Integrated

    Question

  • HI,

    I have a Windows 2003 Domain with Primary and Secondary DNS Servers.

    As I understand it, it would be better if they were AD Integrated.

    To that end, I have seen how to make the change from Primary to "Store in Active Directory" by right clicking the domain name under Forward Lookup Zones. (This option does not exist for the Secondary though).

    My questions are :-


    Is it as easy as it looks? i.e., just make that change on the Primary DNS Server to ADI?
    Are there any potential "gotchas"?
    Any downside to this?

    How do I then change the Secondary to be ADI too ?

    Any help would be appreciated!

    Regards
    Dave

    Thursday, July 29, 2010 11:34 AM

Answers

  • Convert the primary as AD-integrated. Remove secondary. Wait for the zone to replicate via AD replication - it should appear on the other DNS server.

    As far as caveats are concerned, keep in mind that with the new setup, your DNS records are stored in AD, so proper functioning of DNS becomes dependent on AD replication (although you should monitor it anyway). In addition, this might complicate matters in situations where you need to simultaneously shut down all DCs - since you will see a delay during their startup, due to unavailability of DNS (however, this is not a factor in your case, since all your DNS servers already reside on DCs)

    hth
    Marcin

    • Proposed as answer by Mike Kline Thursday, July 29, 2010 2:31 PM
    • Marked as answer by dave_home Friday, July 30, 2010 9:59 AM
    Thursday, July 29, 2010 11:43 AM
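    The steps in Marcin's answer (convert the primary, remove the secondary, wait for AD replication) can be driven from the command line with dnscmd.exe, which Windows Server 2003 provides alongside the DNS server. The script below is an added example, not code from the thread or from Microsoft; the zone name, the two DC names, the 30-minute replication wait and the "name = value" layout of the /ZoneInfo output are assumptions to adjust for your own environment. It also switches the zone to secure-only dynamic updates (AllowUpdate 2), which is the setting that gives the "record pollution" protection Malek mentions, because only authenticated domain members can then register or overwrite records.

```powershell
# Added example (not from the thread): wraps dnscmd.exe to carry out Marcin's steps.
# Zone name, server names and the wait limit below are placeholders; change them before use.
param(
    [string]$Zone        = "corp.example.local",   # placeholder zone name
    [string]$PrimaryDc   = "DC1",                  # DC currently holding the standard primary zone
    [string]$SecondaryDc = "DC2"                   # DC currently holding the secondary copy
)

function Get-ZoneInfo($server, $zone) {
    # dnscmd /ZoneInfo prints "name = value" lines; parse the ones we need.
    # Line layout assumed from Server 2003 dnscmd; adjust the patterns if yours differs.
    $info = @{ Exists = $false; DsIntegrated = $null; Update = $null; Type = $null }
    $out = & dnscmd $server /ZoneInfo $zone 2>&1
    if ($LASTEXITCODE -ne 0) { return $info }
    $info.Exists = $true
    foreach ($line in $out) {
        if     ($line -match '^\s*DS integrated\s*=\s*(\d+)') { $info.DsIntegrated = [int]$matches[1] }
        elseif ($line -match '^\s*update\s*=\s*(\d+)')        { $info.Update       = [int]$matches[1] }
        elseif ($line -match '^\s*zone type\s*=\s*(\d+)')     { $info.Type         = [int]$matches[1] }
    }
    return $info
}

# 1. Pre-flight: the zone must exist on the primary; skip the conversion if it is already integrated.
$before = Get-ZoneInfo $PrimaryDc $Zone
if (-not $before.Exists) { throw "Zone $Zone not found on $PrimaryDc" }
if ($before.DsIntegrated -eq 1) {
    Write-Host "Zone $Zone is already AD-integrated on $PrimaryDc"
} else {
    # 2. Convert the standard primary to an AD-integrated primary
    #    (same effect as "Store the zone in Active Directory" in the DNS MMC).
    & dnscmd $PrimaryDc /ZoneResetType $Zone /DsPrimary
    if ($LASTEXITCODE -ne 0) { throw "ZoneResetType failed on $PrimaryDc" }
}

# 3. Secure dynamic updates only (AllowUpdate 2): only clients that authenticate to the domain can
#    register or change records. A standard primary can only offer "nonsecure and secure" or none.
& dnscmd $PrimaryDc /Config $Zone /AllowUpdate 2
if ($LASTEXITCODE -ne 0) { throw "Could not set secure-only updates on $Zone" }

# 4. Remove the old secondary copy on the other DC so the AD-replicated copy can take its place.
#    No /DsDel here: we only want the local file-based secondary gone, not the zone in AD.
$sec = Get-ZoneInfo $SecondaryDc $Zone
if ($sec.Exists -and $sec.DsIntegrated -ne 1) {
    & dnscmd $SecondaryDc /ZoneDelete $Zone /f
    if ($LASTEXITCODE -ne 0) { throw "Could not delete secondary copy of $Zone on $SecondaryDc" }
}

# 5. Poll until AD replication has delivered the integrated zone to the second DC (assumed 30-minute limit).
$deadline = (Get-Date).AddMinutes(30)
do {
    Start-Sleep -Seconds 60
    $after = Get-ZoneInfo $SecondaryDc $Zone
} until (($after.Exists -and $after.DsIntegrated -eq 1) -or ((Get-Date) -gt $deadline))

if ($after.DsIntegrated -eq 1) {
    Write-Host "$Zone is now AD-integrated on both DCs; update mode = $($after.Update) (2 = secure only)"
} else {
    Write-Warning "$Zone has not replicated to $SecondaryDc yet; check AD replication with repadmin /showrepl"
}
```

    Run it from an elevated prompt as a member of Domain Admins (or DnsAdmins) on one of the DCs. The pre-flight read of /ZoneInfo before and after each step is the part worth keeping even if you do the conversion in the MMC instead: it confirms the zone really is DS-integrated and secure-only on both servers rather than assuming the GUI change took effect.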
  • Integrating the DNS service in the Active Directory service will allow you to benefit from these advantages:

    -Avoid DNS record pollution attack.

    -Possibility to have multiple DNS servers hosting the same primary zone

    -The use of the Active Directory replications to replicate changes

    This is a link that will give more information about what I wrote: http://technet.microsoft.com/en-us/library/cc978010.aspx

    This is a link that will provide you the way to integrate the DNS service in the Active Directory service: http://www.windowsitpro.com/article/dns/how-do-i-configure-active-directory-integrated-dns-.aspx

    For your DNS secondary zone, you should install the Active Directory on this server and then proceed by integrating the DNS service in the Active Directory service if you want to have another primary zone.

    Please remember to click “Mark as Answer” on the post that helps you, and to click “Unmark as Answer” if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.

    Best regards.

    • Marked as answer by dave_home Friday, July 30, 2010 9:59 AM
    Thursday, July 29, 2010 2:22 PM

All replies

  • Another thing to keep in mind - Since all the records are not stored in AD you can install DNS services on all your domain controllers and have DNS as highly available as AD. You didn't say how many DCs you have in your domain so I'm hoping it's more than one...

    Also point the Domain Controllers DNS settings to the other domain controller for the primary DNS then for the secondary point it to itself. This will make your start up times a lot faster since the DC doesn't search for a DNS server that isn't available yet. Don't forget to make the appropriate changes in DHCP for your clients since you have more DNS servers.


    Thursday, July 29, 2010 2:14 PM
  • Hi Guys,

    thanks a lot for taking the time to reply.

    When Marcin says "Remove Secondary", I take it that I just delete the Secondary DNS Server from the MMC DNS Snap-in on the secondary DC? With the DNS software already installed on that DC, replication will take care of everything else?

    Yes, I do have two DCs - it's only a small network, but I have two DCs for redundancy and want to have DNS Servers too. I obviously made a mistake when I set the domain up - having Primary and Secondary, rather than ADI, but that's what I'm trying to fix now. I did not intend to have a Secondary Zone, just two DNS Servers servicing the same zone.

    Thanks for the pointers, looks like it's not too difficult or risky.

    (Thanks for the links Malek, I'll follow those up).

    Regards

    Dave

    Friday, July 30, 2010 10:08 AM
  • You are always welcome. If you need other help about DNS zones, post here and we will help you.

    Best regards.

    Friday, July 30, 2010 1:13 PM