DNS Integrated zone??

    Question

  • Hey guys me again,

    I am trying to figure out whether to use DNS integrated with AD. I have my primary DNS server, which is also a domain controller, and on another subnet I have another DNS server which wasn't planned to be a domain controller. As I understood, one advantage of using an integrated zone is that of replication, but as my second DNS server is not a DC it's not going to work?
    What I do want is SECURE dynamic updates. Am I right in saying that I can only do secure dynamic updates to a zone when it is integrated with AD?

    Would it be better to have the second DNS server as a DC so I can have the replication benefits and also use dynamic updates??
    Saturday, January 09, 2010 1:42 PM

Answers

  • one other thing to add to Jorge's reply - though that remote server is not a DC, you do have a second domain controller, correct? if not, i would encourage you to either make that remote dns server a dc (and probably a gc if you have users out there) or at least promote another central site machine to a dc.

    microsoft adi dns offers the most secure dynamic updates available because it is protected by kerberos. if you are sticking with a windows name server implementation and you want the remote server to be able to apply updates (as a secondary it will just refer the clients to the primary zone holder) then you should make it a dc. you can use other dns implementations (eg BIND, infoblox, etc) and have secure updates but it will not have the same level of security as ad and it will mean some rearchitecture of your dns infrastructure. i am assuming that you don't really want to head down this path for either of these reasons.

    one thing that i have found (though it doesn't fit every situation) is that if you need a dns server in a remote site to offload name queries, you typically need, or are close to needing, a domain controller to offload the user authentication. this is usually not because of the load on dcs but rather the load on the network and the delay to the clients. for that reason as well you may consider making that remote server a dc (read gc).

    /rich
    http://cbfive.com
    • Marked as answer by Wilson Jia Wednesday, January 13, 2010 1:53 AM
    Saturday, January 09, 2010 6:24 PM
  • What you can do is still have the zone as "Active Directory Integrated" on the DC and just create a secondary zone on the DNS server at the remote site. Secondary zones can be used to replicate from AD Integrated zones. On the AD Integrated zone, go to the zone transfer tab and set the correct configuration in regards to which IPs are allowed to transfer from.

    This will satisfy the "Secure Only" Dynamic DNS requirement AND the requirement to not make the remote server a DC, at least not yet. You can always promote the server at the remote location to a DC if needed.
    Visit my blog: anITKB.com, an IT Knowledge Base.
    • Marked as answer by Wilson Jia Wednesday, January 13, 2010 1:53 AM
    • Edited by [JorgeM] Wednesday, March 03, 2010 4:00 AM
    Saturday, January 09, 2010 2:03 PM
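The layout both answers describe (AD-integrated primary zone with "Secure only" dynamic updates on the DC, zone transfers restricted to one named secondary, a read-only secondary zone on the non-DC server in the other subnet) can be expressed as follows. This is an added example, not code from the thread or from either poster; it uses the DnsServer PowerShell module that ships with Windows Server 2012 and later (at the time of the thread the same settings were made in the DNS console or with dnscmd.exe). The zone name and the addresses 10.0.1.10 (DC) and 10.0.2.10 (remote DNS server) are assumed placeholders, and Test-SecureUpdateZone is a helper defined here, not a built-in cmdlet.

```powershell
# Added example (not from the thread). Assumed names and addresses:
$ZoneName  = 'corp.example'   # assumed AD DNS zone name
$DcDns     = '10.0.1.10'      # assumed: domain controller that holds the AD-integrated zone
$RemoteDns = '10.0.2.10'      # assumed: non-DC DNS server in the remote subnet

# --- Run on the domain controller --------------------------------------------
# AD-integrated primary zone, replicated to every DC running DNS in the domain.
# -DynamicUpdate Secure accepts only Kerberos-authenticated (GSS-TSIG) updates;
# this value is only available on AD-integrated zones, which is why the
# "Secure only" requirement forces the primary to live on a DC.
Add-DnsServerPrimaryZone -Name $ZoneName -ReplicationScope Domain -DynamicUpdate Secure

# The "zone transfers" tab from Jorge's reply: allow AXFR/IXFR only to the
# listed secondary, and notify it when the zone changes so it refreshes quickly.
Set-DnsServerPrimaryZone -Name $ZoneName `
    -SecureSecondaries TransferToSecureServers `
    -SecondaryServers  $RemoteDns `
    -Notify            NotifyServers `
    -NotifyServers     $RemoteDns

# --- Run on the remote (non-DC) DNS server -----------------------------------
# Standard secondary zone pulled from the DC over zone transfer. It is read-only:
# as Rich notes, a client that sends a dynamic update here is referred to the
# primary (the DC) named in the SOA record, so updates stay Kerberos-protected.
Add-DnsServerSecondaryZone -Name $ZoneName -ZoneFile "$ZoneName.dns" -MasterServers $DcDns

# --- Verification ------------------------------------------------------------
# Helper defined for this example. Reports whether a zone on a given server is
# AD-integrated and set to secure-only updates, and who may pull transfers.
function Test-SecureUpdateZone {
    param(
        [Parameter(Mandatory)][string]$Name,
        [Parameter(Mandatory)][string]$ComputerName
    )
    $z = Get-DnsServerZone -Name $Name -ComputerName $ComputerName
    [pscustomobject]@{
        Server          = $ComputerName
        Zone            = $z.ZoneName
        ZoneType        = $z.ZoneType          # Primary on the DC, Secondary at the remote site
        AdIntegrated    = $z.IsDsIntegrated
        DynamicUpdate   = $z.DynamicUpdate     # expect 'Secure' on the DC
        TransfersTo     = $z.SecureSecondaries # expect 'TransferToSecureServers' on the DC
        SecureUpdatesOk = [bool]($z.IsDsIntegrated -and $z.DynamicUpdate -eq 'Secure')
    }
}

Test-SecureUpdateZone -Name $ZoneName -ComputerName $DcDns
Test-SecureUpdateZone -Name $ZoneName -ComputerName $RemoteDns
```

The check on the DC should show AdIntegrated True, DynamicUpdate Secure and TransfersTo TransferToSecureServers; on the remote server the zone shows as Secondary with AdIntegrated False, which is expected and does not weaken the update path, because only the DC ever accepts updates.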
