Solved

Question on AD-integrated DNS

Posted on 2004-11-23
Last Modified: 2011-09-20
Should all of your DNS servers in AD be AD-integrated?

If I make them all AD-integrated, I do not have to allow zone transfers because it happens automatically, right?

Also, what is the "typical" amount of forward lookup zones a company has?
Thanks
Question by:dissolved
15 Comments
LVL 11

Expert Comment

by:cfairley
ID: 12661994
Once you enable AD integration of DNS, the DNS records automatically get replicated to all other DCs.  That means that any DC can resolve queries, but does not mean that they can make updates.  The DNS service has to be installed on the DC for it to write DNS info.

Zone transfers will happen at normal replication times.

Usually you will have a forward lookup zone for each domain you have.  If you are going to host your root domain, then you will have one to two additional zones.  You will also want to have a reverse lookup zone to handle requests for names based off of IP addresses.


Author Comment

by:dissolved
ID: 12662076
"If you are going to host your root domain, then you will have one to two additional zones"

why is this?

Thanks! Great explanation by the way!
LVL 11

Expert Comment

by:cfairley
ID: 12662137
Thanks!

If the DNS name for your org will be microsoft.com, you will have a "." domain, "com", and "microsoft".  That's if you plan to host all of that yourself.  You will need forwarders to get requests from the outside world.  This is usually the setup for a private org.  A public org will just host the "microsoft" domain.

Author Comment

by:dissolved
ID: 12662176
Wow, so microsoft.com requires 3 forward lookup zones??? (I'm confused)

  The "microsoft " one is the forward lookup zone for internal name resolution right? like
host a                  192.168.1.5

by the way, what do you mean by "host your own root domain?"

Thanks!
ps: new at this
LVL 11

Expert Comment

by:cfairley
ID: 12662257
If Microsoft were a private org, they would have three zones.  This is explained in the link.

Yes.

I could explain further, but I'm sure I would make some mistakes along the way because it's pretty late and I'm actually removing a domain controller over VPN.  This DNS whitepaper is the best out there, I believe.  It will take a couple of days to digest.  Although, this is a must read for any IT professional.

http://www.microsoft.com/windows2000/techinfo/howitworks/communications/nameadrmgmt/w2kdns.asp

Author Comment

by:dissolved
ID: 12666908
Hey cfairley, what is the purpose of adding DNS servers to the DNS tab? Here is a screen shot of some settings at work (had to blur it for confidentiality purposes, but it gets my point across).

Looks like several DNS servers are listed. Do they get listed automatically?

http://mvpbaseball.cc/dns-servers.jpg
LVL 11

Expert Comment

by:cfairley
ID: 12667282
The servers listed in the Name Servers tab are servers that are configured to be authoritative for the zone.  If you go to the Zone Transfers tab, you can choose to do zone transfers to only servers listed in the name servers tab.

Also, as a tech tip, you can click on the "?" near the "X".  Your mouse will turn into a "?" and click the box the servers are listed in or any other button or tab and it will tell you what it does.  When I first started using DNS, I used this feature on every option and basically learned DNS that way.

Author Comment

by:dissolved
ID: 12668261
So all the servers listed are authoritative for the forward lookup zone displayed? (We only have one forward lookup zone, by the way.) I'm guessing all DNS servers in AD are authoritative if they all reside in the same domain?
Thanks!

Author Comment

by:dissolved
ID: 12668273
By the way, what's the purpose of even listing your authoritative DNS servers in the Name Servers tab if you aren't going to be doing zone transfers anyway (all of our DNS servers are AD-integrated)?

LVL 11

Expert Comment

by:cfairley
ID: 12668325
If you were not able to list the authoritative DNS servers, you would not have the option to just transfer to them.  If you don't use the option to only transfer to DNS servers listed, you or someone could set up a DNS server as a secondary and pull records from the AD Integrated zone.  We use this to transfer to a secondary DNS in an NT4 domain.  If we turned on the option to only transfer to DNS servers listed, our scenario would not work.


Author Comment

by:dissolved
ID: 12669107
So in a pure Win2k environment (that uses AD-integrated DNS), you don't need to populate the NAME SERVER tab?
Looks like my place of employment is only

If your DNS servers are all integrated, you do not need to transfer in between them, right? AD replication does this? Am I correct?

Thanks

LVL 11

Expert Comment

by:cfairley
ID: 12669345
Yes, you still need to populate the Name Server tab.  I think it does this automatically if it's AD integrated, I don't remember when I set it up.  I am looking for the exact answer of why it's needed.

You are right, you do not need to do a transfer, AD will take care of that.  It will not take care of any Primaries or Secondaries.
LVL 11

Accepted Solution

by: cfairley earned 2000 total points
ID: 12669553
As of now, the only reason I am finding is that it's needed to restrict zone traffic to specific listed servers.  If I had my test lab running, I would take all the servers out of the list and see if they still update each other, which I'm sure they would.  Sorry I don't have anything more concrete than that.  I'll send an update if I find something, even if it's after the question is closed.

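The two points cfairley makes about the Name Servers tab (the NS records define which servers are authoritative, and the Zone Transfers tab can restrict transfers to exactly those servers, or to an explicit IP list when a non-AD secondary such as an NT4 box still needs to pull the zone) can be audited from the command line. The script below is an added example and not part of the original thread; it assumes the DnsServer PowerShell module that ships with Windows Server 2012 and later (the thread itself predates PowerShell), and the `$ComputerName` parameter and the `$LegacySecondaries` list are assumptions you would fill in for your own environment. For each primary zone it reports whether the zone is AD-integrated, which servers appear on the Name Servers tab, and whether the zone still allows transfers to any server, which is the information-disclosure risk the thread describes; with `-Fix` it tightens the setting to the zone's own name servers, or to the listed legacy secondaries when you have some.

```powershell
# Added example (not from the original thread). Requires the DnsServer module
# (Windows Server 2012+) and rights to read/modify zones on the target server.
param(
    # Assumption: audit the local DNS server unless another name is given.
    [string]$ComputerName = $env:COMPUTERNAME,
    # Assumption: IPs of non-AD secondaries (e.g. an NT4 DNS server) that still
    # need classic zone transfers. Leave empty when every server is AD-integrated.
    [string[]]$LegacySecondaries = @(),
    # When set, actually change permissive zones instead of only reporting them.
    [switch]$Fix
)

Import-Module DnsServer -ErrorAction Stop

# Skip auto-created zones (0/127/255.in-addr.arpa) and the TrustAnchors store.
$zones = Get-DnsServerZone -ComputerName $ComputerName |
    Where-Object { $_.ZoneType -eq 'Primary' -and
                   -not $_.IsAutoCreated -and
                   $_.ZoneName -ne 'TrustAnchors' }

$report = foreach ($zone in $zones) {
    # NS records at the zone apex are what the DNS console shows on the
    # "Name Servers" tab, i.e. the servers authoritative for this zone.
    $nameServers = Get-DnsServerResourceRecord -ComputerName $ComputerName `
                       -ZoneName $zone.ZoneName -RRType NS |
                   Where-Object { $_.HostName -eq '@' } |
                   ForEach-Object { $_.RecordData.NameServer }

    # SecureSecondaries mirrors the "Zone Transfers" tab:
    #   NoTransfer, TransferAnyServer, TransferToZoneNameServer, TransferToSecureServers
    $permissive = ($zone.SecureSecondaries -eq 'TransferAnyServer')

    if ($permissive -and $Fix) {
        if ($LegacySecondaries.Count -gt 0) {
            # A non-AD secondary still pulls the zone: allow only those IPs.
            Set-DnsServerPrimaryZone -ComputerName $ComputerName -Name $zone.ZoneName `
                -SecureSecondaries TransferToSecureServers `
                -SecondaryServers $LegacySecondaries
        } else {
            # All servers are AD-integrated: AD replication carries the data,
            # so transfers are only needed, if at all, by the listed name servers.
            Set-DnsServerPrimaryZone -ComputerName $ComputerName -Name $zone.ZoneName `
                -SecureSecondaries TransferToZoneNameServer
        }
    }

    [pscustomobject]@{
        Zone              = $zone.ZoneName
        ADIntegrated      = $zone.IsDsIntegrated
        ReplicationScope  = $zone.ReplicationScope   # Forest / Domain / Legacy / Custom
        NameServers       = ($nameServers -join ', ')
        TransferSetting   = $zone.SecureSecondaries
        AllowsAnyTransfer = $permissive
    }
}

$report | Format-Table -AutoSize
```

Run it without `-Fix` first and review the `AllowsAnyTransfer` column; a zone marked `ADIntegrated` with `TransferAnyServer` gains nothing from the open setting, because the domain controllers already receive the records through AD replication, exactly as the thread concludes. The NS records are also worth checking against the list of DCs actually running the DNS service: a stale name server entry left on the tab after a DC is removed (the situation cfairley mentions being in) is a common leftover.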
 

Author Comment

by:dissolved
ID: 12670489
thanks!