Which of the following is not an advantage of using active directory–integrated zones?

In this guide, I’ll provide a quick overview of the different DNS Zone types for Windows Server and Active Directory.

This will help you better understand and manage DNS and Active Directory.

DNS Zones store DNS resource record information. Some common DNS records include:

  • A Record: Name to IP address mapping
  • CNAME: Maps an alias to the canonical name
  • MX Record: Used to identify mail servers
  • NS Record: Identifies the name servers for a particular zone
  • SOA: Start of Authority records
  • TXT: Allows any text to be inserted into a DNS record

There are many more record types. Without these records, every host and service would have to be reached by IP address.

DNS Zones provide us with a way to maintain these records on one or more servers.

Let’s take a look at the different zone types.

Active Directory Integrated Zones

Active Directory Integrated Zones store their zone data in Active Directory rather than in a zone file. Integrated zones can be replicated to all domain controllers in the domain or forest. Active Directory integrated zones use multi-master replication, which means any domain controller running the DNS Server service can write updates to a zone for which it is authoritative.

Advantages of Active Directory integrated Zones

  • Replication is handled by Active Directory replication, which is authenticated and encrypted between domain controllers and carries only changed records, instead of by zone transfers
  • Better redundancy because every Domain Controller in the replication scope holds a writable copy of the zone data
  • Improved security if secure dynamic update is enabled, because only authenticated domain principals can register records
  • No need to schedule or manage zone transfers between domain controllers

Primary Zone

This is the main zone and holds the read/write copy of the zone data. All changes to the zone are made in the primary zone and are then copied to secondary zones by zone transfer.

The zone data is stored in a text file named after the zone (for example example.com.dns) in the folder c:\windows\system32\DNS on the Windows server running DNS.

Secondary Zone

A secondary zone is a read-only copy of the primary zone. This zone cannot process updates and can only retrieve updates from the primary zone by zone transfer. This zone can answer DNS name resolution queries from client nodes, which helps reduce the workload on the primary zone. Secondary zones cannot be Active Directory integrated.

Stub Zone

Stub zones are like a secondary zone but store only partial zone data. They are useful for reducing zone transfers, because a server hosting a stub zone passes queries for that zone on to its authoritative servers instead of holding a full copy. A stub zone contains only the SOA record, the NS records, and the glue A records for the name servers listed in those NS records.

Forward Lookup Zone

A forward lookup zone provides hostname to IP address resolution.

When you access a system or website by its hostname, such as microsoft.com, DNS checks the forward lookup zone for the IP information related to the hostname.

Reverse Lookup Zone

Reverse lookup zones resolve IP addresses into hostnames.

For example, when you look up the IP 8.8.8.8 it resolves to google-public-dns-a.google.com. A reverse DNS record (a PTR record) had to be created for the IP to resolve to the hostname.

Reverse lookup zones are not as common as forward lookup zones and in many environments are not strictly needed, although mail servers, logging tools, and some security controls do use reverse lookups to validate or label hosts.
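As an added example that is not part of the original article, the following PowerShell creates a reverse lookup zone for a /24 network, adds a PTR record, and then resolves the address the way the paragraph above describes. It uses the DnsServer module cmdlets that ship with Windows Server 2012 and later; the network, zone name, host name, and address are assumed values for illustration.

```powershell
# Added example (not from the article). Requires the DnsServer module on a
# Windows DNS server (2012+). All names and addresses below are assumed.
#Requires -Modules DnsServer

$NetworkId   = '10.1.0.0/24'              # assumed network
$ReverseZone = '0.1.10.in-addr.arpa'      # octets reversed, as in-addr.arpa requires
$HostFqdn    = 'web01.corp.example.com.'  # trailing dot = fully qualified target
$HostIp      = '10.1.0.25'                # assumed host address

# Create the reverse zone if it does not already exist. -NetworkId derives the
# in-addr.arpa zone name; -ReplicationScope Domain stores it in Active Directory.
if (-not (Get-DnsServerZone -Name $ReverseZone -ErrorAction SilentlyContinue)) {
    Add-DnsServerPrimaryZone -NetworkId $NetworkId -ReplicationScope Domain
}

# A PTR record is named by the host part of the address within the reverse zone,
# so 10.1.0.25 becomes the record "25" in 0.1.10.in-addr.arpa.
Add-DnsServerResourceRecordPtr -ZoneName $ReverseZone -Name '25' -PtrDomainName $HostFqdn

# Query it back. For a PTR lookup Resolve-DnsName reverses the octets itself;
# NameHost holds the hostname the address maps to.
$ptr = Resolve-DnsName -Name $HostIp -Type PTR
$ptr | Select-Object Name, Type, NameHost

# Forward and reverse should agree: the A record for the hostname should return
# the same address, otherwise tools that check forward-confirmed reverse DNS
# will treat the host as suspicious.
$fwd = Resolve-DnsName -Name $HostFqdn.TrimEnd('.') -Type A
if ($fwd.IPAddress -notcontains $HostIp) {
    Write-Warning "Forward record for $HostFqdn does not include $HostIp"
}
```

Run this on a domain controller that hosts the DNS role; the Resolve-DnsName calls go to the resolver configured on the machine, so point them at that server if you run the verification elsewhere.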

Zone Transfers

Zone transfers are how zones that are not Active Directory integrated are kept in sync. A zone transfer is the process by which the master DNS server sends zone data to a secondary server, either the whole zone (AXFR) or only the changes since the secondary's last serial number (IXFR).

Zone transfers can occur in any of the following situations:

  • When the refresh interval in the zone's SOA record expires and the secondary polls the master
  • When the master server sends a DNS NOTIFY message indicating that the zone has changed
  • When the secondary server has rebooted or the DNS service has restarted
  • When a transfer is started manually from the DNS console
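The setting a practitioner most often wants to check here is who is allowed to pull a zone transfer at all. The PowerShell below, added as an example and not taken from the article, audits a standard primary zone's transfer policy and then restricts transfers and NOTIFY messages to a fixed list of secondaries. It uses the DnsServer module (Windows Server 2012 and later); the zone name and secondary addresses are assumed.

```powershell
# Added example (not from the article). Requires the DnsServer module on a
# Windows DNS server (2012+). Zone name and addresses are assumed.
#Requires -Modules DnsServer

$ZoneName    = 'legacy.example.com'          # assumed file-backed primary zone
$Secondaries = @('10.1.0.11', '10.1.0.12')   # assumed secondary name servers

$zone = Get-DnsServerZone -Name $ZoneName

# Before: show the current policy. SecureSecondaries = TransferAnyServer means any
# host that can reach TCP/53 can issue an AXFR and receive the complete zone, which
# is a full host inventory for an attacker.
$zone | Select-Object ZoneName, ZoneType, IsDsIntegrated, SecureSecondaries, SecondaryServers, Notify

if ($zone.IsDsIntegrated) {
    # Replication between domain controllers rides on AD and needs none of this,
    # but the same setting still governs AXFR to any non-DC secondaries.
    Write-Host "$ZoneName is AD-integrated; the transfer policy only affects non-DC secondaries."
}

# After: allow transfers only to the listed secondaries, and send NOTIFY only to
# them. Use 'NoTransfer' instead if the zone has no secondaries at all.
Set-DnsServerPrimaryZone -Name $ZoneName `
    -SecureSecondaries TransferToSecureServers `
    -SecondaryServers $Secondaries `
    -Notify NotifyServers `
    -NotifyServers $Secondaries

# Verify the change took effect.
Get-DnsServerZone -Name $ZoneName |
    Select-Object ZoneName, SecureSecondaries, SecondaryServers, Notify, NotifyServers

# To confirm from the outside, run nslookup on a host that is NOT in $Secondaries,
# point it at this server with "server <ip>", then "ls -d legacy.example.com":
# the AXFR should now be refused rather than listing the zone.
```

The 'TransferToZoneNameServer' option (transfers only to servers listed in the zone's NS records) is a reasonable middle ground when the secondary list changes often, but it trusts whoever can add NS records to the zone.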


Active Directory-Integrated Zones

Up to this point, I’ve treated the Windows Server 2003 DNS service as a traditional nameserver, mostly compliant with the relevant RFCs, which can act in both primary and secondary “modes” for a zone. However, Windows Server 2003 offers a third mode specific to Windows that, although not listed in an RFC, offers some distinct advantages if you’ve made an infrastructure investment in Active Directory and Windows.

The third mode, Active Directory-integrated DNS, offers two plusses over traditional zones. For one, the fault tolerance built into Active Directory eliminates the need for primary and secondary nameservers. Effectively, all nameservers using Active Directory-integrated zones are primary nameservers.

This has a huge advantage for the use of dynamic DNS as well: namely, the wide availability of nameservers that can accept registrations. Recall that domain controllers and workstations register their locations and availability to the DNS zone using dynamic DNS. In a traditional DNS setup, only one type of nameserver can accept these registrations: the primary server, because it has the only read/write copy of a zone. By creating an Active Directory-integrated zone, all Windows Server 2003 nameservers that store that zone in Active Directory can accept a dynamic registration, and the change will be propagated using Active Directory multi-master replication. All you need to do to set up this scenario is install Windows Server 2003 on a machine, configure it as a domain controller, install the DNS service, and set up the zone. It’s all automatic after that.

Contrast this with the standard primary-secondary nameserver setup, where the primary server is likely to be very busy handling requests and zone transfers without worrying about the added load of dynamic DNS registrations. Active Directory-integrated zones relieve this load considerably. And to add to the benefits, Active Directory-integrated zones support compression of replication traffic between sites, which also makes it unnecessary to use the old-style “uncompressed” zone transfers.

Tip

As you read in the previous section, part of the dynamic DNS functionality provided in Windows Server 2003 is the scavenger process. Recall the no-refresh interval function, which was created to eliminate exorbitant amounts of traffic being passed between domain controllers for each DNS reregistration.

Active Directory-integrated zones also afford a big security advantage, in that they provide the capability to lock down dynamic DNS functionality by restricting who can register records. With secure-only dynamic updates, a record can be created only by a principal that has authenticated to the Active Directory domain hosting the zone, and once created it can be changed only by the account that created it or by an administrator. Two caveats apply. First, “authenticated” is broader than “domain-joined computer”: by default the zone’s ACL grants Authenticated Users the right to create child objects, so any domain user account can register a name that does not yet exist; review the zone’s ACL if that is not what you want. Second, to have an Active Directory-integrated zone, your nameservers must be domain controllers for an Active Directory domain. If other nameservers are used that are not domain controllers, they can act as only traditional secondary nameservers, holding a read-only copy of the zone and replicating via the traditional zone transfer process.

If you’re already running a nameserver that is a domain controller with an active zone in service, it’s easy to convert that to an Active Directory-integrated zone. (And for that matter, it’s easy to revert to a primary or secondary zone—this isn’t a be-all and end-all.) Here’s how to go forward:

  1. Open the DNS Management snap-in.

  2. Right-click the zone folder you want to convert, and select Properties from the context menu.

  3. Navigate to the General tab, as shown in Figure 4-20.


    Figure 4-20. Converting a zone to Active Directory-integrated mode

  4. To the right of the Type entry—it should now say either Primary or Secondary—click the Change button. The Change Zone Type screen will appear, as shown in Figure 4-21.


    Figure 4-21. Storing a zone in Active Directory

  5. Check the Store the zone in Active Directory checkbox.

  6. Click OK.

You’ll note that your options expand once you’ve converted to Active Directory-integrated zones. Go back to the zone’s properties, and on the General tab, note a couple of things:

  • The Dynamic Updates field now allows Secure Only updates.

  • You have options for replicating zone changes throughout all domain controllers in Active Directory.

Let’s focus on the latter for a moment.

Replication Among Domain Controllers

Windows Server 2003 introduces a new feature that allows you to tune how Active Directory replicates DNS information to other domain controllers. Click the Change button beside the Replication field on the zone properties, and you’ll be presented with the Change Zone Replication Scope screen as shown in Figure 4-22.


Figure 4-22. Controlling DNS replication in Active Directory

The default setting is “To all domain controllers in the Active Directory domain,” which instructs Windows to behave exactly as it did in Windows 2000 Server: replicate DNS information to all domain controllers in Active Directory, regardless of whether they’re actually running the DNS service. Obviously, if you have 20 domain controllers in your domain, but only three domain controllers that run DNS, this is a lot of replication traffic that is just wasted. On this screen, you can select to replicate the DNS information only to domain controllers running DNS in either the forest or the domain; these two options store the zone in the ForestDnsZones and DomainDnsZones application partitions respectively, which only DNS-hosting domain controllers replicate. This is very helpful, and for large organizations, it should cut down on WAN traffic.
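The following PowerShell, added here as an example and not taken from the book, performs the conversion described in the numbered steps above together with the two follow-up settings this section discusses (secure-only dynamic updates and the replication scope), then checks the zone’s ACL to show who can actually create records. The book covers the Windows Server 2003 GUI; these cmdlets come from the DnsServer and ActiveDirectory modules on Windows Server 2012 and later. The zone name and domain distinguished name are assumed.

```powershell
# Added example (not from the book). Requires the DnsServer and ActiveDirectory
# modules; run on a domain controller that hosts the DNS role. Zone name and
# domain DN are assumed values.
#Requires -Modules DnsServer, ActiveDirectory

$ZoneName = 'corp.example.com'            # assumed zone
$DomainDN = 'DC=corp,DC=example,DC=com'   # assumed domain DN

# 1. Convert the standard primary zone to Active Directory-integrated, replicated
#    to every DC running DNS in the domain (the DomainDnsZones partition). This is
#    the cmdlet equivalent of ticking "Store the zone in Active Directory" and
#    choosing the domain-wide scope in the Change Zone Replication Scope dialog.
$zone = Get-DnsServerZone -Name $ZoneName
if (-not $zone.IsDsIntegrated) {
    if ($zone.ZoneType -ne 'Primary') {
        throw "Only a primary zone can be converted; $ZoneName is a $($zone.ZoneType) zone."
    }
    ConvertTo-DnsServerPrimaryZone -Name $ZoneName -ReplicationScope Domain -Force
}

# 2. Secure-only dynamic updates. This option exists only for AD-integrated zones,
#    because the per-record permissions are ACLs on directory objects.
Set-DnsServerPrimaryZone -Name $ZoneName -DynamicUpdate Secure

# 3. Widen replication to every DNS-hosting DC in the forest (ForestDnsZones) only
#    if other domains need the zone; Domain is the narrower choice.
# Set-DnsServerPrimaryZone -Name $ZoneName -ReplicationScope Forest

# 4. Verify the zone now reports the expected type, update policy and scope.
Get-DnsServerZone -Name $ZoneName |
    Select-Object ZoneName, ZoneType, IsDsIntegrated, DynamicUpdate, ReplicationScope

# 5. Check who may create records. "Secure" means any authenticated principal:
#    by default Authenticated Users hold CreateChild on the zone object, so any
#    domain user or computer can register a name that does not exist yet. Only
#    the creating principal (and administrators) can change it afterwards.
$zoneDN = "DC=$ZoneName,CN=MicrosoftDNS,DC=DomainDnsZones,$DomainDN"
(Get-Acl -Path "AD:\$zoneDN").Access |
    Where-Object { $_.ActiveDirectoryRights -match 'CreateChild|GenericAll|WriteDacl' } |
    Select-Object IdentityReference, ActiveDirectoryRights, AccessControlType |
    Format-Table -AutoSize
```

If the zone was converted with the Forest scope, replace DomainDnsZones in the ACL path with ForestDnsZones and the domain DN with the forest root DN; the MicrosoftDNS container and zone object names are otherwise the same.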


Which of the following are advantages of an Active Directory integrated zone?

The advantages of using an AD-integrated zone are:

  • Replication: an AD-integrated zone is replicated using Active Directory replication rather than zone transfers.
  • Redundancy: AD-integrated zones are multi-master, so there is no single point of failure in the DNS design.

What is Active Directory integrated zone?

AD-integrated DNS zones are stored in directory partitions within Active Directory. These directory partitions replicate along with the rest of AD; therefore, no extra configuration (i.e., zone transfer setup) is required for DNS replication. Further, AD-integrated zones allow the use of secure dynamic updates.

What is the main security benefit of creating an integrated AD DNS primary zone?

The main advantage of this zone is security. If secure dynamic update is enabled, only authenticated clients can update their own records in the DNS zone, which prevents an unauthorized client from overwriting another host's record. AD-integrated zones also provide redundancy, so there is no single point of failure in the DNS design.

Which advantages would you gain by switching to Active Directory?

Benefits of Active Directory. Active Directory simplifies life for administrators and end users while enhancing security for organizations. Administrators enjoy centralized user and rights management, as well as centralized control over computer and user configurations through the AD Group Policy feature.