At the beginning of the chapter, several zone types were identified and described. Two principal zone types in Windows Server 2003 are primary and Active Directory-integrated. There are good reasons for using both types of zones. However, one type will be more appropriate than the other depending on how your DNS needs to function once the design has been implemented. This section will describe each zone type and where it would be most appropriately used.
Primary and secondary zones are standard (that is, non-Active Directory-integrated) zones. The principal difference between the two is the ability to add records. A standard primary zone is hosted on the master servers in a zone replication scheme. Primary zones are the only zones that can be edited, whereas secondary zones are read-only and are updated only through zone transfer. DNS master servers replicate a copy of their zones to one or more servers that host secondary zones, thereby providing fault tolerance for your DNS servers. DNS standard zones are the types of zones you need to use if you do not plan on integrating Active Directory with your DNS servers.
An Active Directory-integrated zone is essentially an enhanced primary DNS zone. An Active Directory-integrated zone is a primary DNS zone that is stored in Active Directory and thus can, unlike all other zone types, use multi-master replication and Active Directory security features. It is an authoritative primary zone in which all of the zone data is stored in Active Directory. As mentioned previously, zone files are not used or necessary. Integrating DNS with Active Directory produces the following additional benefits:
■ Speed: Directory replication is much faster when DNS and Active Directory are integrated. This is because Active Directory replication is performed on a per-property basis, meaning that only changes that apply to particular zones are replicated. Because only the relevant information is replicated, the time required to replicate zone data is greatly reduced. On top of this, a separate DNS replication topology is eliminated because the Active Directory replication topology is used for both ADI zones and AD itself.
■ Reduced Administrative Overhead: Anytime you can reduce the number of management consoles that you have to work with, you can reduce the amount of time needed to manage information. Without the advantage of consolidating the management of DNS and Active Directory in the same console, you would have to manage your Active Directory domains and DNS namespaces separately. Moreover, your DNS domain structure mirrors your Active Directory domains. Any deviation between Active Directory and DNS makes management more time-consuming and creates more opportunity for mistakes. As your network continues to grow and become more complex, managing two separate entities becomes more involved. Integrating Active Directory and DNS provides you with the ability to view and manage them together as a single entity.
■ Automatic Synchronization: When a new domain controller is brought online, networks that have integrated DNS and Active Directory have the advantage of automatic synchronization. Even if a domain controller will not be used to host the DNS service, the ADI zones will still be replicated, synchronized, and stored on the new domain controllers.
■ Secure Dynamic DNS: Additional features have been added that enhance the security of secure dynamic updates. These features will be discussed in the "DNS Security Guidelines" section later in this chapter.
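As an added example (not from the chapter), the following commands use dnscmd.exe, the command-line DNS administration tool included with Windows Server 2003, to create each zone type described above and to set the dynamic-update and zone-transfer options that distinguish a standard primary zone from an Active Directory-integrated one. The server names, zone names and IP addresses are constructed placeholders.

```batch
@echo off
REM Added example, not from the chapter. Server names, zone names and
REM addresses below are constructed placeholders; substitute your own.
set DNS1=dns1.example.internal
set DNS2=dns2.example.internal

REM 1. Standard primary zone: file-backed, and the only editable copy in a
REM    standard (non-AD-integrated) replication scheme.
dnscmd %DNS1% /ZoneAdd corp.example.internal /Primary /file corp.example.internal.dns

REM    AllowUpdate: 0 = no dynamic updates, 1 = nonsecure and secure,
REM    2 = secure only. A standard zone can go no further than 1; secure-only
REM    updates are a feature of Active Directory-integrated zones.
dnscmd %DNS1% /Config corp.example.internal /AllowUpdate 1

REM    Fault tolerance: a read-only secondary on a second server, populated
REM    only by zone transfer from the master (10.0.0.10 is DNS1's address).
dnscmd %DNS2% /ZoneAdd corp.example.internal /Secondary 10.0.0.10

REM    Restrict zone transfers from the master to the known secondary only
REM    (10.0.0.11 is DNS2's address) and notify it when the zone changes.
dnscmd %DNS1% /ZoneResetSecondaries corp.example.internal /SecureList 10.0.0.11 /NotifyList 10.0.0.11

REM 2. Active Directory-integrated zone: stored in AD, multi-master replicated,
REM    no zone file. Must be created on a domain controller running DNS.
dnscmd %DNS1% /ZoneAdd ad.example.internal /DsPrimary

REM    Secure dynamic updates only: a client must authenticate (Kerberos via
REM    GSS-TSIG) before it may add or change records in the zone.
dnscmd %DNS1% /Config ad.example.internal /AllowUpdate 2

REM 3. Convert the existing standard primary to AD-integrated. After this the
REM    zone file is no longer used and secure-only updates can be enforced.
dnscmd %DNS1% /ZoneResetType corp.example.internal /DsPrimary
dnscmd %DNS1% /Config corp.example.internal /AllowUpdate 2

REM 4. Verify: /ZoneInfo reports the zone type, whether it is DS-integrated,
REM    and the current update setting for each zone.
dnscmd %DNS1% /ZoneInfo corp.example.internal
dnscmd %DNS1% /ZoneInfo ad.example.internal
```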