DNS Zones

I have a few questions about what I see in our DNS console:

1- In our DNS I see a zone named _msdcs.XYZ.com, then under it the yellow folder icons named dc, domains, gc, pdc.
If I delete the _msdcs zone or any of the other folders under it, would that cause a problem?

2- I see a zone name and under it a white folder icon _msdcs, then yellow folders _sites, _tcp, _tls, _udp.
Can you tell me what this white folder icon _msdcs means, and what the meaning of the yellow folder _tls is?

3- I see a zone that doesn't have the _sites, _tcp, _udp yellow folders at all;
it looks like this hierarchy:
  - Yellow folder Zone name
           - Yellow folder com
               - yellow folder XYZ

           - Yellow folder net
               - yellow folder xyz

xyz is the name of our domain.
Can you explain to me what that means?

4- I see different zone names as AD Integrated zones. I thought a DNS server which is also a DC can have just one AD integrated zone, which represents the zone name of the AD domain to which the DNS server belongs.

5- How can I tell from the DNS console that a certain yellow folder icon means a child domain zone?

Chris Dent (PowerShell Developer) commented:

To an extent it does. AD Integrated Zones tend to be easier to setup and maintain if they can be used.

As a comparison, if you needed a new DNS zone for internal use, and it had to be available on all DNS servers in your Forest then AD Integrated is the way to go.

AD Integrated:

1. Create the AD Integrated zone
2. Set the replication scope to all DNS servers in the Forest
3. Grab a coffee

Standard Primary with Secondaries:

1. Create the Standard Primary zone
2. Check and verify the SOA record
3. Enable and configure Zone Transfers and Notify
4. Connect to each DNS server in the forest and create a new Secondary zone
5. Check for successful transfer on each Secondary

The more servers you have the more work you have to do for the Standard Primary / Secondary setup. With AD Integrated it doesn't change.

The downside to AD Integrated zones is that they are completely unsuitable for public zones (that is, zones you want the public to use over the Internet), and that each DNS server must be a Domain Controller to be able to host the zone.

Which is appropriate to use depends on the scenario.
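The two procedures compared above, as an added PowerShell example (not code from the thread or its participants). It assumes a zone named internal.example, a DC called dc1 for the AD Integrated case, and for the Standard Primary case a primary ns1 (10.0.0.10) with secondaries ns2 (10.0.0.11) and ns3 (10.0.0.12); all of those names and addresses are made up for the illustration. It also tightens the one setting that matters most for security in the Standard Primary path: zone transfers are restricted to the listed secondaries rather than left open to any host that asks for an AXFR.

```powershell
# Added example, not from the original thread. Assumed names: zone
# "internal.example"; dc1 for the AD Integrated path; ns1 (10.0.0.10) as
# file-backed primary with secondaries ns2 (10.0.0.11) and ns3 (10.0.0.12).
Import-Module DnsServer

# --- AD Integrated: one command. Every DC in the forest that runs DNS
#     receives the zone through AD replication; nothing else to configure.
#     Secure-only dynamic updates so only domain-joined machines can
#     register or overwrite records.
Add-DnsServerPrimaryZone -Name 'internal.example' `
    -ReplicationScope 'Forest' -DynamicUpdate 'Secure' -ComputerName 'dc1'

# --- Standard Primary with Secondaries: the five steps from the comment.
$secondaries = '10.0.0.11', '10.0.0.12'

# 1. Create the file-backed primary on ns1.
Add-DnsServerPrimaryZone -Name 'internal.example' `
    -ZoneFile 'internal.example.dns' -ComputerName 'ns1'

# 2. Check the SOA. Secondaries compare SerialNumber to decide whether
#    to pull a fresh copy, so note the value you start from.
Get-DnsServerResourceRecord -ZoneName 'internal.example' -RRType 'Soa' `
    -ComputerName 'ns1' | Select-Object -ExpandProperty RecordData

# 3. Allow transfers only to the named secondaries and notify them on
#    change. 'TransferAnyServer' would let any client dump the whole zone.
Set-DnsServerPrimaryZone -Name 'internal.example' -ComputerName 'ns1' `
    -SecureSecondaries 'TransferToSecureServers' -SecondaryServers $secondaries `
    -Notify 'NotifyServers' -NotifyServers $secondaries

# 4. Create the secondary on every other server, pulling from ns1.
#    This loop is the part that grows with the number of servers.
foreach ($server in 'ns2', 'ns3') {
    Add-DnsServerSecondaryZone -Name 'internal.example' `
        -ZoneFile 'internal.example.dns' -MasterServers '10.0.0.10' `
        -ComputerName $server

    # 5. Force a full transfer, then confirm the serial matches the primary.
    Start-DnsServerZoneTransfer -Name 'internal.example' -FullTransfer `
        -ComputerName $server
    Get-DnsServerResourceRecord -ZoneName 'internal.example' -RRType 'Soa' `
        -ComputerName $server |
        ForEach-Object { '{0}: serial {1}' -f $server, $_.RecordData.SerialNumber }
}
```

If the serial printed for a secondary lags the primary's, the transfer did not complete; the usual causes are the secondary's address missing from the -SecondaryServers list or TCP/53 blocked between the two servers.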

Chris Dent (PowerShell Developer) commented:

1. Only if you also see a grey (almost white) version of _msdcs under XYZ.com. You will need to delete both if you delete any.

2. The grey / white folder is a Delegation. It states that the _msdcs folder is hosted on a specific list of Name Servers. You should see a number of NS records if you select it.

Regarding _tls: something will have created that if you didn't. Cisco Call Manager?

3. Sounds like an attempt has been made to add a record to the zone using a full name, e.g. right click, New Host (A) Record, then enter "www.xyz.com" in the box. The program will create it like xyz.com\com\xyz\www and it will resolve with "nslookup www.xyz.com.xyz.com".

4. No, you can have as many AD Integrated Zones as you like. AD Integration is simply a place to store a zone; a zone does not have to have anything to do with AD to be stored there.

5. No such thing as a "child domain zone", there's no differentiation between a zone called xyz.com and another called sub.xyz.com.

However, knowing that DNS is a hierarchical structure we can say that:

com is a child of .
xyz is a child of com
sub is a child of xyz

If we look at an example of this for a public domain, "." must know where the servers for "com" are and be able to provide directions. "com" must know where the servers for "xyz" are and, again, be able to provide directions. And "xyz" must be able to provide directions to "sub".

Back to the private networks, that means that the only way to resolve hosts in sub.xyz.com is either:

1. For xyz.com to contain directions (a Delegation) to the servers hosting sub.xyz.com
2. For the client to query the server hosting sub.xyz.com directly (that is, the servers for sub.xyz.com must be listed as DNS servers in TCP/IP configuration).
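The checks behind answers 1 to 5 above, as an added PowerShell example (not code from the thread or its participants). It assumes the zone is called xyz.com and that the script runs on one of the DCs hosting it; change $zone or add -ComputerName to point it elsewhere. It lists the delegation NS records that the grey folder represents, confirms the separate _msdcs.xyz.com zone exists, finds records that were created by typing a full name into the New Host box, and lists zone types, which is as close as the console gets to telling you whether a name is a "child".

```powershell
# Added example, not from the original thread. Assumed: zone "xyz.com"
# hosted on the DC this runs on.
Import-Module DnsServer
$zone = 'xyz.com'

# Answer 2: the grey folder is a delegation. In the data it is nothing
# more than NS records owned by a sub-name of the zone; RecordData names
# the servers that are authoritative for that sub-name.
Get-DnsServerResourceRecord -ZoneName $zone -RRType 'NS' |
    Where-Object { $_.HostName -ne '@' } |
    ForEach-Object {
        '{0}.{1} is delegated to {2}' -f $_.HostName, $zone, $_.RecordData.NameServer
    }

# Answer 1: the delegation is only useful if the separate _msdcs.xyz.com
# zone still exists on the servers it points at. DC locator looks up
# names such as _ldap._tcp.dc._msdcs.xyz.com, so deleting either side
# breaks domain logons and replication lookups across the forest.
$msdcs = Get-DnsServerZone -Name "_msdcs.$zone" -ErrorAction SilentlyContinue
if ($null -eq $msdcs) {
    Write-Warning "_msdcs.$zone zone is missing on this server"
} else {
    $msdcs | Select-Object ZoneName, ZoneType, IsDsIntegrated, ReplicationScope
}

# Answer 3: a record entered as "www.xyz.com" inside zone xyz.com gets
# the host name "www.xyz.com", shown as folders com\xyz\www. Such records
# only resolve as www.xyz.com.xyz.com, so find them before anything relies
# on them. The pattern is built outside the string to keep the regex plain.
$pattern = '\.' + [regex]::Escape($zone) + '$'
Get-DnsServerResourceRecord -ZoneName $zone |
    Where-Object { $_.HostName -match $pattern } |
    ForEach-Object {
        'misnamed {0} record: {1} resolves only as {1}.{2}' -f $_.RecordType, $_.HostName, $zone
    }

# Answers 4 and 5: every zone on this server and how it is stored. There
# is no "child domain zone" type; sub.xyz.com is a child only in the DNS
# tree, and resolving it needs either a delegation in xyz.com or clients
# that point straight at its servers.
Get-DnsServerZone | Where-Object { -not $_.IsAutoCreated } |
    Select-Object ZoneName, ZoneType, IsDsIntegrated, ReplicationScope, DynamicUpdate |
    Format-Table -AutoSize
```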

jskfan (Author) commented:
4- If you have a domain ABC.com and you want to replicate an AD Integrated zone from XYZ.com to ABC.com, how can you do that other than creating a secondary zone for XYZ.com in the ABC.com DNS console?

Chris Dent (PowerShell Developer) commented:

You can't. AD Integrated Zones won't replicate across Forests (only within), so you have to fall back on the techniques native to DNS, which are:

1. Secondary Zones
2. Stub Zones
3. Conditional Forwarders
4. Public hierarchies (delegation from parent, com)

In this case, if you wanted a full copy of xyz.com on the name servers for abc.com your only choice is a Secondary Zone. However, Secondary Zones cannot be stored in Active Directory (AD Integrated).
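The three zone-level options from the list above, as an added PowerShell example (not code from the thread or its participants). It assumes it runs on a DC in the abc.com forest and that xyz.com's authoritative servers are 10.1.0.5 and 10.1.0.6; both addresses are invented for the illustration. The point it makes in code is the one the comment makes in prose: a conditional forwarder or stub zone can be stored in AD and replicated forest-wide, while a secondary zone is a per-server file, which is why Add-DnsServerSecondaryZone has no -ReplicationScope parameter at all.

```powershell
# Added example, not from the original thread. Assumed: run on a DC of
# abc.com; 10.1.0.5 and 10.1.0.6 are xyz.com's name servers.
Import-Module DnsServer

function Add-ForeignZone {
    <#
      Bring a zone from another forest into this server using one of the
      DNS-native mechanisms. A server can hold only one zone object per
      name, so pick a single mode per zone.
    #>
    param(
        [Parameter(Mandatory)][string]$Name,
        [Parameter(Mandatory)][ipaddress[]]$MasterServers,
        [ValidateSet('Forwarder', 'Stub', 'Secondary')][string]$Mode = 'Forwarder'
    )

    switch ($Mode) {
        'Forwarder' {
            # No zone data is copied; queries for $Name are relayed to the
            # masters. Storable in AD, so every DNS server in the forest
            # gets the same forwarder through replication.
            Add-DnsServerConditionalForwarderZone -Name $Name `
                -MasterServers $MasterServers -ReplicationScope 'Forest'
        }
        'Stub' {
            # Holds only SOA, NS and glue, refreshed from the masters, so
            # this server follows changes to xyz.com's name server list
            # instead of trusting a static address list. Also AD-storable.
            Add-DnsServerStubZone -Name $Name `
                -MasterServers $MasterServers -ReplicationScope 'Forest'
        }
        'Secondary' {
            # The only option that gives a full copy of the zone. It is a
            # file on this server; there is no -ReplicationScope because a
            # secondary cannot be AD integrated. The xyz.com side must also
            # allow transfers to this server's address or the pull fails.
            Add-DnsServerSecondaryZone -Name $Name -ZoneFile "$Name.dns" `
                -MasterServers $MasterServers
            Start-DnsServerZoneTransfer -Name $Name -FullTransfer
        }
    }

    # Show what was created and whether AD holds it.
    Get-DnsServerZone -Name $Name |
        Select-Object ZoneName, ZoneType, IsDsIntegrated, ReplicationScope
}

$xyzServers = '10.1.0.5', '10.1.0.6'
Add-ForeignZone -Name 'xyz.com' -MasterServers $xyzServers -Mode 'Stub'

# Confirm the server now answers for the foreign name.
Resolve-DnsName -Name 'xyz.com' -Type 'SOA' -Server 'localhost'
```

For the Secondary mode, the IsDsIntegrated column comes back False whichever replication scope you might have wanted; the other two modes report True with the Forest scope.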

jskfan (Author) commented:
After looking at the zones in DNS, I realized that ABC.com is an AD Integrated zone and it has the same name as the AD domain.
They created another AD Integrated zone named XYZ.com, and in the Start of Authority I see the primary server is the same as the primary server of the ABC.com zone.
Chris Dent (PowerShell Developer) commented:

That's to be expected; you cannot control the SOA (Start of Authority) field if the zone is AD Integrated. It will always be set to the server's identity as it believes it to be (the name of the server as it sees itself within AD).

You will also find that if you look on the other DCs that the SOA record always references the server you're viewing the zone on.

That is, SOA for xyz.com on server1.abc.com will be server1.abc.com; on server2.abc.com it will be server2.abc.com, and so on.

That applies to any AD Integrated zone you create no matter what domain name is used. The only way to take back control of the SOA record is to change it to Standard Primary (and disable Dynamic Updates if enabled) then modify the values as you see fit.
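The behaviour described above, as an added PowerShell example (not code from the thread or its participants). It assumes an AD Integrated zone named xyz.com hosted on the DCs of abc.com, the DnsServer and ActiveDirectory modules on the machine running it, and a made-up replacement name server ns1.xyz.com for the final step. The first half queries each DC for its copy of the SOA so the per-server PrimaryServer value is visible side by side; the second half performs the conversion to Standard Primary that the comment names as the only way to take the record back.

```powershell
# Added example, not from the original thread. Assumed: AD Integrated
# zone "xyz.com" on the DCs of abc.com; ns1.xyz.com is an invented name.
Import-Module DnsServer
Import-Module ActiveDirectory
$zone = 'xyz.com'

# Ask every DC for its copy of the SOA. The serial replicates through AD;
# the PrimaryServer (MNAME) is filled in locally, so each DC names itself.
$dcs = (Get-ADDomainController -Filter *).HostName
$dcs | ForEach-Object {
    $soa = Get-DnsServerResourceRecord -ZoneName $zone -RRType 'Soa' -ComputerName $_
    [pscustomobject]@{
        QueriedDC     = $_
        PrimaryServer = $soa.RecordData.PrimaryServer
        Serial        = $soa.RecordData.SerialNumber
    }
} | Format-Table -AutoSize

# Why this matters operationally: anything that compares the SOA MNAME
# against a fixed value (a secondary in another forest, a monitoring
# check) gets a different answer depending on which DC it asked.

# Taking the SOA back. Converting an AD Integrated zone to a file-backed
# Standard Primary removes it from the directory, so do this on the one
# server that should own it and plan secondaries for the rest. Dynamic
# updates are turned off first so nothing rewrites the record afterwards.
ConvertTo-DnsServerPrimaryZone -Name $zone -ZoneFile "$zone.dns" -Force
Set-DnsServerPrimaryZone -Name $zone -DynamicUpdate 'None'

# Edit the record with the old/new object pattern the DnsServer module
# uses: clone the current record, change fields, then swap it in.
$old = Get-DnsServerResourceRecord -ZoneName $zone -RRType 'Soa'
$new = $old.Clone()
$new.RecordData.PrimaryServer     = 'ns1.xyz.com.'
$new.RecordData.ResponsiblePerson = 'hostmaster.xyz.com.'
$new.RecordData.SerialNumber      = $old.RecordData.SerialNumber + 1
Set-DnsServerResourceRecord -ZoneName $zone -OldInputObject $old -NewInputObject $new

# Confirm the values now stick to what was set rather than the host name.
Get-DnsServerResourceRecord -ZoneName $zone -RRType 'Soa' |
    Select-Object -ExpandProperty RecordData
```

The serial is bumped by hand in the conversion step because once dynamic updates are off nothing else increments it, and a secondary only pulls a new copy when the serial it sees is higher than the one it holds.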

jskfan (Author) commented:
So you can create many AD integrated zones on a DNS server. I am not sure what the purpose is; it sounds like it achieves the same purpose as a secondary zone, other than that it's saved in AD.