Active Directory integration
For Windows 2000 Server, the DNS Server service has been carefully integrated into the design and implementation of Active Directory, the next-generation directory service designed by Microsoft for networks using Windows NT technologies. Active Directory provides an enterprise-level tool for organizing, managing, and locating resources in a network.
There are two significant changes when deploying Windows 2000 DNS servers together with Active Directory:
- DNS is required for locating Windows 2000 domain controllers.
The Netlogon service uses new DNS server support to provide registration of domain controllers in your DNS domain namespace.
- Windows 2000 DNS servers can use Active Directory for storing and replicating your zones.
By storing your zones in the directory, you can take advantage of additional Windows 2000 DNS features such as secure dynamic update and record aging and scavenging.
For more information, see Secure dynamic update and Understanding aging and scavenging.
How DNS integrates with Active Directory
When you install Active Directory on a server computer, you promote the server to the role of a domain controller (DC) for a specified domain. During this process, you are prompted to specify a DNS domain name for the Active Directory domain to which the server is being joined and promoted.
If, during this process, a DNS server authoritative for the domain that you specified either cannot be located on the network or does not support the DNS dynamic update protocol, you are prompted with the option to install a Windows 2000 DNS server. This option is provided because a DNS server is required to support the use of Active Directory and for Windows 2000 computers to locate this server or other domain controllers for the domain. For more information on how Windows 2000 locates domain controllers using DNS, see the Windows 2000 Resource Kit.
Once you have installed Active Directory, you have two options for storing and replicating your zones when operating the DNS server at the new domain controller:
- Standard zone storage, using a text-based file.
Zones stored this way are kept in .dns files in the %SystemRoot%\System32\Dns folder on each computer operating a DNS server. Zone file names correspond to the name you choose for the zone when creating it, such as Example.microsoft.com.dns if the zone name was "example.microsoft.com."
- Directory-integrated zone storage, using the Active Directory database.
Zones stored this way are located in the Active Directory tree under the domain object container. Each directory-integrated zone is stored in a dnsZone container object identified by the name you choose for the zone when creating it.
Benefits of Active Directory integration
For networks deploying DNS to support Active Directory, directory-integrated primary zones are strongly recommended and provide the following benefits:
- Multi-master update and enhanced security based on the capabilities of Active Directory.
In a standard zone storage model, DNS updates are conducted based upon a single-master update model. In this model, a single authoritative DNS server for a zone is designated as the primary source for the zone.
This server maintains the master copy of the zone in a local file. With this model, the primary server for the zone represents a single fixed point of failure. If this server is not available, update requests from DNS clients are not processed for the zone.
With directory-integrated storage, dynamic updates to DNS are conducted based upon a multi-master update model.
In this model, any authoritative DNS server, such as a domain controller (DC) running the Windows 2000 DNS Server service, is designated as a primary source for the zone. Because the master copy of the zone is maintained in the Active Directory database, which is fully replicated to all domain controllers, the zone can be updated by the DNS servers operating at any DC for the domain.
With the multi-master update model of Active Directory, any of the primary servers for the directory-integrated zone can process requests from DNS clients to update the zone as long as a DC is available and reachable on the network.
Also, when using directory-integrated zones, you can use access control list (ACL) editing to secure a dnsZone object container in the directory tree. This feature provides granular access control over either the whole zone or a specified resource record (RR) in the zone.
For example, the ACL on a zone RR can be restricted so that dynamic updates are allowed only from a specified client computer or a secure group such as the domain administrators group. This security feature is not available with standard primary zones.
Note that when you change the zone type to be directory-integrated, the default for updating the zone changes to allow only secure updates.
- Zones are replicated and synchronized to new DCs automatically whenever a new one is added to an Active Directory domain.
Although the DNS service can be selectively removed from a DC, directory-integrated zones are already stored at each DC, so zone storage and management adds no extra load. Also, the methods used to synchronize directory-stored information offer a performance improvement over standard zone update methods, which can potentially require transfer of the entire zone.
- By integrating storage of your DNS zone databases in Active Directory, you can streamline database replication planning for your network.
When your DNS and Active Directory namespaces are stored and replicated separately, you need to plan and potentially administer each namespace separately. For example, when using standard DNS zone storage and Active Directory together, you would need to design, implement, test, and maintain two different database replication topologies. For instance, one replication topology is needed for replicating directory data between domain controllers, and another topology would be needed for replicating zone databases between DNS servers.
This can create additional administrative complexity for planning and designing your network and allowing for its eventual growth. By integrating DNS storage, you unify storage management and replication issues for both DNS and Active Directory, merging and viewing them together as a single administrative entity.
- Directory replication is faster and more efficient than standard DNS replication.
Because Active Directory replication processing is performed on a per-property basis, only relevant changes are propagated. This allows less data to be used and submitted in updates for directory-stored zones.
- Only primary zones can be stored in the directory. A DNS server cannot store secondary zones in the directory. It must store them in standard text files.
- The Windows 2000 DNS server includes an option to initialize a DNS server running on a domain controller and to load all DNS zones and related configuration details stored in the Active Directory for the Active Directory domain. For more information, see Modifying server defau
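The storage choice described under "How DNS integrates with Active Directory" and the secure-update and ACL points in the benefits list above are the two things an administrator most often has to verify after the fact: which zones are file-backed, which still accept unauthenticated dynamic updates, and who holds write rights on each dnsZone object. The following audit script is an added example and is not part of the Windows 2000 documentation. It assumes a current Windows Server DNS server on a domain controller with the DnsServer and ActiveDirectory PowerShell modules installed (tooling that did not exist for Windows 2000), and that the script is run in Windows PowerShell on that server. The distinguished names it builds follow the documented container layout: zones live under CN=MicrosoftDNS in the partition selected by the zone's replication scope, with CN=System,<domain> being the original Windows 2000 ("Legacy") location.

```powershell
# Added audit example; not code from the original documentation.
# Assumes: DnsServer and ActiveDirectory modules, run locally on a DC that hosts DNS.
Import-Module DnsServer
Import-Module ActiveDirectory

$server   = $env:COMPUTERNAME
$domainDN = (Get-ADDomain).DistinguishedName
$forestDN = (Get-ADRootDSE).rootDomainNamingContext

# 1. Storage model and dynamic-update policy for every non-automatic primary zone.
#    Directory-integrated zones default to 'Secure'; 'NonsecureAndSecure' means any
#    host on the network can overwrite records, and a file-backed zone cannot be
#    protected with per-record ACLs at all.
$zones = Get-DnsServerZone -ComputerName $server |
    Where-Object { $_.ZoneType -eq 'Primary' -and -not $_.IsAutoCreated }

'{0,-40} {1,-32} {2,-20} {3}' -f 'Zone', 'Storage', 'DynamicUpdate', 'Finding'
foreach ($z in $zones) {
    $storage = if ($z.IsDsIntegrated) { "AD ($($z.ReplicationScope))" }
               else                   { "file: $($z.ZoneFile)" }
    $finding = switch ($z.DynamicUpdate) {
        'Secure'             { if ($z.IsDsIntegrated) { 'ok' } else { 'WARN: Secure not possible for file-backed zone' } }
        'NonsecureAndSecure' { 'WARN: unauthenticated dynamic updates accepted' }
        default              { 'note: dynamic update disabled' }
    }
    '{0,-40} {1,-32} {2,-20} {3}' -f $z.ZoneName, $storage, $z.DynamicUpdate, $finding
}

# 2. Write access on the dnsZone object of each directory-integrated zone.
#    Anyone listed here can add, change or delete records regardless of the
#    dynamic-update setting, so the list should be short and expected.
$writeRights = 'GenericAll|GenericWrite|WriteProperty|CreateChild|DeleteChild|WriteDacl|WriteOwner'
foreach ($z in ($zones | Where-Object { $_.IsDsIntegrated })) {
    $partition = switch ($z.ReplicationScope) {
        'Domain' { "DC=DomainDnsZones,$domainDN" }
        'Forest' { "DC=ForestDnsZones,$forestDN" }
        'Legacy' { "CN=System,$domainDN" }          # Windows 2000 location
        default  { $null }                           # 'Custom': partition DN not derivable here
    }
    if (-not $partition) {
        Write-Warning "$($z.ZoneName): custom partition '$($z.DirectoryPartitionName)', inspect its DN manually"
        continue
    }
    $dn  = "DC=$($z.ZoneName),CN=MicrosoftDNS,$partition"
    $acl = Get-Acl -Path "AD:\$dn"
    "`n== $dn =="
    $acl.Access |
        Where-Object { $_.AccessControlType -eq 'Allow' -and
                       $_.ActiveDirectoryRights -match $writeRights } |
        Select-Object IdentityReference, ActiveDirectoryRights, IsInherited |
        Format-Table -AutoSize
}
```

Per-record ACLs (the dnsNode objects the text refers to as zone RRs) sit one level below the zone as `DC=<host>,DC=<zone>,CN=MicrosoftDNS,<partition>` and can be inspected with the same `Get-Acl -Path "AD:\..."` call; a record that a client registered itself typically shows that client's computer account as owner, which is what secure dynamic update relies on to stop another host from overwriting it.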