Can DNS Zones that are for External Resources Be AD Integrated

    Question

  • We have five domain controllers that all run DNS, and on each of those servers we have three zones: one is our internal AD zone and is AD integrated; the other two are for external resources, but the addresses all point to their internal IP addresses, and we also have an external DNS server that has the public addresses for those resources.  Those two zones that are for external resources are set up as Primary/Secondary zones.

    My question is: would it be OK to turn those zones into AD integrated zones so that I don't have to worry about primary/secondary servers for each zone?

    Thanks!

    Tuesday, July 24, 2012 9:36 PM


All replies

  • Yes, you can. "AD Integrated" just means the zone is stored in the actual AD database and will replicate to other domain controllers based on the replication scope of the zone. Standard Primary/Secondary zone files are stored as a text file in the system32\dns folder.

    The current DNS server holding the secondary zone must be a DC to get a replicated copy, of course depending on the replication scope. Otherwise, it will remain a secondary.

    .

    Active Directory-Integrated Zones:
    Updated: May 3, 2010 ... DNS servers running on domain controllers can store their zones in Active Directory. In this way, it is not necessary to configure a ...
    http://technet.microsoft.com/en-us/library/cc772746(WS.10).aspx

    .

    Below are my notes on zone types. I hope they help.

    ==================================================================
    ==================================================================
    DNS Zones - AD Integrated Zones, Primary Zones, Secondary Zones, and Zone Transfers:

    Also discussed in:
    Technet forum question; "Secondary Zones?"
    http://social.technet.microsoft.com/Forums/en-US/winserverNIS/thread/c1b0f3ac-c8af-4f4e-a5bc-23d034c85400

    .

    The basics:
    • A Secondary is a read-only copy
    • A Secondary zone stores its data in a text file (by default in the system32\dns folder)
    • A Secondary gets a copy of the zone data from the Primary
    • A Primary is the writeable copy
    • A Primary stores its zone data in a text file (by default in the system32\dns folder)
    • There can only be one Primary, but as many Secondaries as you want.
    • You must allow zone transfer capabilities from the Primary zone if you want to create a Secondary.

    .

    Active Directory Integrated Zones change this a bit:
    • The "only one Primary Zone" rule is changed by introducing the Multi-Master Primary feature. This is because the data is not stored as a text file; rather it is stored in the actual, physical AD database (in one of 3 different logical locations, or what we call the Replication Scope), and any DC that has DNS installed (based on the replication scope) will be a writeable copy.
    • The zone data is replicated to other DCs in the replication scope where the data is stored (based on one of the 3 logical locations)
    • Each DC in the replication scope that has DNS installed will automatically make available the zone data in DNS
    • Each DC that hosts the zone can "write" to the zone, and the changes get replicated to other DCs in the replication scope of the zone.
    • The DC that makes a change becomes the SOA at that point in time, until another DC makes a change to the zone; then it becomes the SOA
    • An AD Integrated zone can be configured to allow zone transfers to a Secondary, but the Secondary CANNOT be a DC in the same replication scope as the zone you are trying to create as a Secondary; otherwise the DC you are attempting to create the Secondary on will automatically change it to AD integrated, since it "sees" it in the AD database. In some cases, if this is forced or done incorrectly, it can lead to duplicate zones in the AD database, which is problematic until fixed.


    Ace Fekay
    MVP, MCT, MCITP EA, MCTS Windows 2008/R2, Exchange 2007 & Exchange 2010, Exchange 2010 EA, MCSE & MCSA 2003/2000, MCSA Messaging 2003
    Microsoft Certified Trainer
    Microsoft MVP - Directory Services
    Complete List of Technical Blogs: http://www.delawarecountycomputerconsulting.com/technicalblogs.php

    This post is provided AS-IS with no warranties or guarantees and confers no rights.


    • Marked as answer by Bemho Wednesday, July 25, 2012 4:36 PM
    Wednesday, July 25, 2012 5:33 AM
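As an added example (not Ace's code and not Microsoft's documentation), the PowerShell below does two things the notes above ask an administrator to keep straight: it reports how each DC currently sees one of the external zones (Primary or Secondary, file-backed or AD-stored, and in which replication scope), and it then looks in the three directory locations the notes mention for the duplicate-zone condition the last bullet warns about. It assumes the DnsServer and ActiveDirectory PowerShell modules are available where it runs (Windows Server 2012 or later, or RSAT; the thread itself is about 2003/2008, where dnscmd would be the equivalent tool), and the zone name `ext.example.com` is a placeholder.

```powershell
# Added example: inventory one external zone across all DCs and check the
# directory for duplicate zone objects. Assumes the DnsServer and
# ActiveDirectory modules; 'ext.example.com' is a placeholder zone name.
Import-Module DnsServer
Import-Module ActiveDirectory

$zoneName = 'ext.example.com'   # placeholder: one of the two external-resource zones
$dcs = (Get-ADDomainController -Filter *).HostName

# --- 1. How each DC currently sees the zone -------------------------------
$report = foreach ($dc in $dcs) {
    $z = Get-DnsServerZone -ComputerName $dc -Name $zoneName -ErrorAction SilentlyContinue
    [pscustomobject]@{
        DC               = $dc
        ZoneType         = if ($z) { $z.ZoneType } else { '(not hosted)' }   # Primary / Secondary
        IsDsIntegrated   = if ($z) { $z.IsDsIntegrated } else { $null }      # $true = stored in AD
        ReplicationScope = if ($z) { $z.ReplicationScope } else { $null }    # Domain / Forest / Legacy / Custom
        ZoneFile         = if ($z) { $z.ZoneFile } else { $null }            # only for file-backed zones (system32\dns)
        MasterServers    = if ($z) { ($z.MasterServers -join ',') } else { $null }  # only for Secondaries
    }
}
$report | Format-Table -AutoSize

# Once the zone is AD integrated, every DC in the replication scope should agree.
$disagree = $report | Where-Object { $_.ZoneType -ne '(not hosted)' -and -not $_.IsDsIntegrated }
if ($disagree) { "Still file-backed on: $($disagree.DC -join ', ')" }

# --- 2. Duplicate zone objects in the directory ---------------------------
# The three logical locations from the notes: DomainDnsZones, ForestDnsZones
# and the legacy CN=System container. A zone should exist in exactly one.
$domainDN = (Get-ADDomain).DistinguishedName
$forestDN = (Get-ADRootDSE).rootDomainNamingContext
$containers = @(
    "CN=MicrosoftDNS,DC=DomainDnsZones,$domainDN",
    "CN=MicrosoftDNS,DC=ForestDnsZones,$forestDN",
    "CN=MicrosoftDNS,CN=System,$domainDN"
)
$zoneObjects = foreach ($c in $containers) {
    # The trailing wildcard also matches replication-conflict names ("<zone>\0ACNF:<guid>").
    Get-ADObject -LDAPFilter "(&(objectClass=dnsZone)(name=$zoneName*))" `
                 -SearchBase $c -SearchScope OneLevel -Properties whenCreated -ErrorAction SilentlyContinue |
        Select-Object @{ n = 'Container'; e = { $c } }, Name, DistinguishedName, whenCreated
}
$zoneObjects | Format-Table -AutoSize

$conflicts = $zoneObjects | Where-Object { $_.Name -match 'CNF:' }
$multi     = $zoneObjects | Group-Object { ($_.Name -split "`n")[0] } | Where-Object Count -gt 1
if (-not $zoneObjects) {
    "'$zoneName' is not stored in the directory (still file-backed everywhere)."
} elseif ($conflicts -or $multi) {
    "DUPLICATE ZONE: '$zoneName' exists as $(@($zoneObjects).Count) objects; fix this before converting anything else."
} else {
    "OK: '$zoneName' is stored exactly once in the directory."
}
```

The duplicate check is the part worth running before touching the second zone: a zone object that shows up twice (in two partitions, or once normally and once with a `CNF:` conflict name) is the condition the notes describe as "problematic until fixed", and it surfaces to clients as DCs answering differently for the same name.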
  • Hi Bemho,

    Thanks for posting here.

    No doubt, we can of course have these external DNS zones, where hosted on a DC, become AD integrated technically.

    However, for security reasons we'd better separate our internal and external name resolution into different infrastructures; for example, we can have a dedicated non-domain-joined DNS server in the DMZ for providing name resolution externally. Please also refer to the link: http://technet.microsoft.com/en-us/library/cc736626(WS.10).aspx

    Thanks.

    Tiger Li

    TechNet Community Support


    • Edited by Tiger Li Wednesday, July 25, 2012 9:24 AM
    Wednesday, July 25, 2012 9:16 AM
  • Well that is good news.  One quick question then.  To change the zone to AD integrated, do I just have to change the primary zone to AD integrated, or will I have to change the primary and then all secondary servers as well?

    Thanks for all the help/information.

    Wednesday, July 25, 2012 3:40 PM
  • Good question. You would change the DC holding the Primary zone.

    As for the server hosting the Secondary, it depends if it's a DC or not.

    If that server is a DC, do nothing. It will automatically change itself to an AD integrated zone because it now "sees" the zone in the AD database. If this server is a DC, and you would try to create the zone on it, you can introduce a DUPLICATE ZONE scenario in the AD database. Please re-read the very last bullet point in my previous post.

    If that server is not a DC, then just leave it alone and continue hosting the secondary.

    .


    Ace Fekay

    • Marked as answer by Bemho Wednesday, July 25, 2012 4:36 PM
    Wednesday, July 25, 2012 4:31 PM
  • Hi Ace,

    Question for you.  I've gone ahead and changed one of the zones to be AD integrated and I haven't changed any of the secondary zones, but they don't appear to be changing to AD integrated.  How long should this process take?

    Thanks!

    Monday, July 30, 2012 8:47 PM
  • Almost immediately, depending on AD replication if they are in the same AD site or remote. And they are DCs of the same domain or forest, correct?

    I assume you closed, and re-opened the DNS console?

    Note - this doesn't count for DNS on non-DCs.


    Ace Fekay

    Monday, July 30, 2012 9:40 PM
  • They are in the same AD site as the primary that was changed to AD integrated.  They are all DCs and they are in the same forest.  The DC I changed it on (which was the primary before) shows the zone as being AD integrated, but none of the other servers show it as such.  I have closed and reopened the DNS console.


    Thanks for the help.


    • Edited by Bemho Monday, July 30, 2012 9:56 PM
    Monday, July 30, 2012 9:55 PM
  • Try restarting the DNS service on one of the DCs holding the secondary. If that doesn't work, if 2008/2008 R2, try restarting the AD DS services, and if 2003, restart the DC. Last ditch is just delete the Secondary, but under no circumstances create the zone (or you will introduce a duplicate).

    .

    I'm TRULY surprised that it hasn't shown up. Read the following quote from the link underneath it:

    Configure AD Integrated Zones
    "Only primary zones can be stored in the directory. If a zone is configured on other domain controllers as a secondary zone, these zones will be converted to primary zones when you convert the zone to AD integrated. This is because the multimaster replication model of Active Directory removes the need for secondary zones when a zone is stored in Active Directory. Conversion of the zone from secondary to primary will occur when AD DS is restarted."
    http://technet.microsoft.com/en-us/library/ee649181(v=ws.10)

    .

    .

    Due to it not automatically changing on the other DCs, and assuming you've already restarted at least one of the DCs, this leads me to think there is something else going on with AD.

    Are there any errors in the event logs, in any of the event logs on any of the DCs? Check all Event log errors including the Windows Logs - the App & System logs, and under Application and Services Logs, if applicable - the AD Web services, DFS Replication, Directory Services, DNS Server & File Replication Server logs. Post the Event ID# and Source name in the event, and the server name it came from.

    .


    Ace Fekay

    • Marked as answer by Bemho Tuesday, July 31, 2012 2:58 PM
    Tuesday, July 31, 2012 1:10 AM
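The procedure Ace lays out across his replies (convert only the DC holding the Primary, let the DC-hosted Secondaries convert themselves, restart the DNS Server service on any that lag, and only then go looking in the event logs) as one script. This is an added example, not Ace's code or anything from the TechNet articles he links; it assumes the DnsServer and ActiveDirectory modules and WinRM access to the DCs, and the host name `dc1.corp.example.com` and zone name `ext.example.com` are placeholders.

```powershell
# Added example: convert the file-backed Primary on its holder, wait for the
# other DCs to pick it up, restart the DNS Server service on any that have not,
# and sweep the event logs named in the thread on any that still lag.
# Assumes the DnsServer and ActiveDirectory modules and WinRM to the DCs.
Import-Module DnsServer
Import-Module ActiveDirectory

$zoneName    = 'ext.example.com'        # placeholder
$primaryHost = 'dc1.corp.example.com'   # placeholder: the DC holding the file-backed Primary
$dcs = (Get-ADDomainController -Filter *).HostName

function Get-LaggingDCs {
    # DCs that host the zone but still see it as a file-backed (non-AD-integrated) zone
    param([string[]]$Servers, [string]$Zone)
    foreach ($s in $Servers) {
        $z = Get-DnsServerZone -ComputerName $s -Name $Zone -ErrorAction SilentlyContinue
        if ($z -and -not $z.IsDsIntegrated) { $s }
    }
}

# Step 1: change only the DC that holds the Primary. The Secondaries on DCs
# convert on their own; never re-create the zone on another DC (duplicate zone).
ConvertTo-DnsServerPrimaryZone -ComputerName $primaryHost -Name $zoneName -ReplicationScope Domain -Force

# Step 2: poll for up to 10 minutes while AD replication carries the zone to the other DCs
$deadline = (Get-Date).AddMinutes(10)
do {
    Start-Sleep -Seconds 30
    $lagging = @(Get-LaggingDCs -Servers $dcs -Zone $zoneName)
} while ($lagging.Count -gt 0 -and (Get-Date) -lt $deadline)

# Step 3: restart the DNS Server service on the laggards (the remedy that worked in this thread)
foreach ($dc in $lagging) {
    Invoke-Command -ComputerName $dc -ScriptBlock { Restart-Service -Name DNS }
}
Start-Sleep -Seconds 30
$stillLagging = @(Get-LaggingDCs -Servers $dcs -Zone $zoneName)

# Step 4: anything still lagging points at AD itself. Collect Critical/Error
# events from the logs listed in the thread, with Event ID, Source and server.
$logs = 'System', 'Application', 'DNS Server', 'Directory Service',
        'DFS Replication', 'File Replication Service', 'Active Directory Web Services'
$events = foreach ($dc in $stillLagging) {
    foreach ($log in $logs) {
        # One log per query, so a log that does not exist on a given server is simply skipped.
        Get-WinEvent -ComputerName $dc -ErrorAction SilentlyContinue `
            -FilterHashtable @{ LogName = $log; Level = 1, 2; StartTime = (Get-Date).AddDays(-1) } |
            Select-Object MachineName, LogName, TimeCreated, Id, ProviderName,
                          @{ n = 'Message'; e = { ($_.Message -split "`n")[0] } }
    }
}
if ($stillLagging) { $events | Sort-Object TimeCreated | Format-Table -AutoSize }
else { "Zone '$zoneName' is AD integrated on every DC that hosts it." }
```

Step 1 is deliberately the only write in the script. Everything after it observes and, at most, restarts a service; the one action the thread rules out, creating the zone on a second DC, is not offered anywhere, because that is how the duplicate-zone state gets introduced.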
  • Hi Ace,

    Thanks for the fast and accurate reply.  Restarting the DNS server service on the DCs worked, and now the zone shows up as AD integrated on all DCs.

    Thanks for all the help.

    Tuesday, July 31, 2012 2:59 PM
  • Hi Ace,

    Thanks for the fast and accurate reply.  Restarting the DNS server service on the DCs worked, and now the zone shows up as AD integrated on all DCs.

    Thanks for all the help.

    Good to hear. I knew it had to be something easy. :-)

    Cheers!


    Ace Fekay

    Tuesday, July 31, 2012 3:26 PM