Windows 2000 DNS
When you configure a primary zone to be Active Directory–integrated, the zone is stored in Active Directory.
Figure 6.12 shows this configuration.
Figure 6.12 Active Directory-Integrated Zone
The DNS server component contains only a copy of the zone. When it starts up, it reads a copy of the zone from Active Directory (step 1). Then, when the DNS server receives a change, it writes the change to Active Directory (step 2).
Through Active Directory replication, the zone is replicated to other domain controllers. Also, through standard zone transfer, the DNS server can send its copy of the zone to any secondary DNS servers that request it. The DNS server can perform both incremental and full zone transfers. Figure 6.13 shows how the same zone can be replicated by using both Active Directory replication and standard zone transfer.
Figure 6.13 Replication and Zone Transfer
By default, when an Active Directory–integrated DNS server starts up, it checks whether Active Directory is available and whether it contains any DNS zones. If Active Directory does have zones, the DNS server loads zones from the location specified by the Load data on startup setting in the properties page for the server in the DNS console. Depending on that setting (the three settings are detailed in Table 6.4), the DNS server loads zones from one of the following locations:
The boot file.
The registry, under the key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DNS\Zones.
Active Directory (for Active Directory–integrated zones) together with the registry.
Note
The DNS server automatically writes back to the boot file at regular intervals. You can also update the boot file by clicking on the server from within the DNS console and then by clicking the Action menu and selecting Update Server Data Files. Alternatively, you can stop and restart the server to update the boot file by right-clicking on the server from within the DNS console, pointing to All Tasks in the context-sensitive menu, and then clicking Restart.
The DNS server also loads the root hints and server and zone parameters from different locations depending on the Load data on startup setting. Table 6.4 shows the locations from which the DNS server loads and to which it writes zones, root hints, and server and zone parameters depending on the setting of Load data on startup.
Table 6.4 How the DNS Server Loads Zones, Root Hints, and Parameters
Setting of Load data on startup: | Boot from File | Boot from Registry | Boot from Active Directory and Registry |
---|---|---|---|
Read root hints from: | Root hints file | If available, the root hints file; otherwise, if the Directory is available and contains root hints, the Directory | If the Directory is available and contains root hints, the Directory; otherwise, the root hints file |
Write root hints to: | Root hints file | Root hints file | If the Directory is available, the Directory |
Read zones from: | Boot file | Registry | The Directory (for Active Directory–integrated zones) and the registry |
Write zones to: | Boot file and the registry | Registry and, if the zone is Active Directory–integrated, the Directory | Registry and, if the zone is Active Directory–integrated, the Directory |
Read server and zone parameters from: | Boot file and the registry | Registry and (for Active Directory–integrated zones) the Directory | The Directory (for Active Directory–integrated zones) and the registry |
Write server and zone parameters to: | Boot file and the registry | Registry (for all zones) and (for Active Directory–integrated zones) the Directory | The Directory (for Active Directory–integrated zones) and the registry |
If you change the setting of Load data on startup, the DNS server first writes the root hints, zones, and parameters to the locations used by the original setting, and then reads them back from the locations used by the new setting.
If the server has loaded Active Directory–integrated zones, it periodically polls Active Directory for changes to those zones. The server also checks for the addition of new zones or the deletion of existing zones.
The DNS server can modify Active Directory if an administrator makes a change to the zone, or if the server is configured to accept dynamic updates and a dynamic update occurs. (Dynamic Update is described in "Dynamic Update and Secure Dynamic Update" later in this chapter.)
DNS servers update Active Directory by using the following procedure:
The Active Directory directory service is an object-oriented database that organizes network resources in a hierarchical structure. Every resource is represented by an object, and each object has attributes that define its characteristics. The classes of objects and the attributes of each class are defined in the Active Directory schema.
Table 6.5 shows the DNS objects in Active Directory.
Table 6.5 DNS Objects in Active Directory
Object or attribute | Description |
---|---|
dnsZone | Container object created when a zone is stored in Active Directory |
dnsNode | Leaf object used to map and associate a name in the zone to resource data |
dnsRecord | Multivalued attribute of a dnsNode object used to store the resource records associated with the named node object |
dnsProperty | Multivalued attribute of a dnsZone object used to store zone configuration information |
Figure 6.14 shows how DNS objects are represented in Active Directory.
Figure 6.14 DNS Objects in Active Directory
Within the MicrosoftDNS container object are the dnsZone container objects. In Figure 6.14, MicrosoftDNS contains the following dnsZone objects:
The dnsZone container object contains a dnsNode leaf object for every unique name within that zone. Figure 6.14 shows the following dnsNode objects within the dnsZone container object for reskit.com:
The dnsNode leaf object has a multivalued attribute called dnsRecord, with one value for every resource record associated with the object's name. In this example, the dnsNode leaf object for mailserver.reskit.com has a single dnsRecord value holding an A record, which contains the host's IP address.
You can view the DNS objects from within the Active Directory Users and Computers console.
To view zones stored in Active Directory
Although you can see the zone objects in the Active Directory Users and Computers console, that console cannot interpret the values of the dnsRecord attribute. If you want to view the DNS domain hierarchy and its associated records, do so from within the DNS console. For information about the DNS console, see "Setting Up DNS for Active Directory" earlier in this chapter. Alternatively, you can retrieve the contents of a zone by using Nslookup. For more information about Nslookup, see "Troubleshooting" later in this chapter.
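Neither console shows what a dnsRecord value actually contains, so the following Python decoder (and matching encoder) for the attribute's binary format is added here as an example; it is not part of this chapter and not a Microsoft tool. It follows the DnsRecord and DNS_COUNT_NAME layouts published in Microsoft's MS-DNSP specification and assumes that layout is what a Windows 2000 server stores. The sample value is the A record on the mailserver.reskit.com dnsNode from Figure 6.14, written out byte by byte with a made-up address (10.0.0.25) and serial (42); it is constructed, not dumped from a directory.

```python
"""Decode and encode dnsRecord attribute values of dnsNode objects.
Added example; layout per MS-DNSP 2.3.2.2 (DnsRecord) and 2.2.2.2.2
(DNS_COUNT_NAME), assumed to match what Windows 2000 stores."""
import ipaddress
import struct
from dataclasses import dataclass
from typing import Tuple, Union

TYPE_NAMES = {1: "A", 2: "NS", 5: "CNAME", 6: "SOA", 12: "PTR"}
RANK_ZONE = 0xF0  # authoritative record that belongs to the zone itself

# Fixed 24-byte header. Every field is little-endian except TtlSeconds,
# which is stored in network (big-endian) byte order.
_HDR_LE = struct.Struct("<HHBBHI")  # DataLength, Type, Version, Rank, Flags, Serial
_TTL_BE = struct.Struct(">I")       # TtlSeconds
_TAIL_LE = struct.Struct("<II")     # Reserved, TimeStamp
HEADER_LEN = _HDR_LE.size + _TTL_BE.size + _TAIL_LE.size  # 24


@dataclass
class DnsRecordValue:
    rtype: int
    serial: int      # zone serial at which this value was last written
    ttl: int
    rank: int
    timestamp: int   # aging timestamp; 0 for a static record
    rdata: Union[str, dict]

    @property
    def type_name(self) -> str:
        return TYPE_NAMES.get(self.rtype, f"TYPE{self.rtype}")


def decode_count_name(buf: bytes, off: int) -> Tuple[str, int]:
    """Parse a DNS_COUNT_NAME at buf[off:]; return (fqdn, offset after it)."""
    length, label_count = buf[off], buf[off + 1]
    raw = buf[off + 2: off + 2 + length]
    if len(raw) != length or raw[-1:] != b"\x00":
        raise ValueError("truncated or unterminated DNS_COUNT_NAME")
    labels, pos = [], 0
    for _ in range(label_count):
        n = raw[pos]
        labels.append(raw[pos + 1: pos + 1 + n].decode("ascii"))
        pos += 1 + n
    if pos != length - 1:
        raise ValueError("LabelCount does not match the encoded name")
    return ".".join(labels), off + 2 + length


def encode_count_name(fqdn: str) -> bytes:
    """Inverse of decode_count_name: length byte, label count, labels, NUL."""
    labels = [l for l in fqdn.rstrip(".").split(".") if l]
    raw = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return bytes([len(raw), len(labels)]) + raw


def decode_dns_record(value: bytes) -> DnsRecordValue:
    """Decode one dnsRecord attribute value into a readable record."""
    if len(value) < HEADER_LEN:
        raise ValueError("value shorter than the 24-byte DnsRecord header")
    data_len, rtype, version, rank, _flags, serial = _HDR_LE.unpack_from(value, 0)
    (ttl,) = _TTL_BE.unpack_from(value, _HDR_LE.size)
    _reserved, timestamp = _TAIL_LE.unpack_from(value, _HDR_LE.size + _TTL_BE.size)
    if version != 5:
        raise ValueError(f"unexpected DnsRecord version {version}")
    data = value[HEADER_LEN: HEADER_LEN + data_len]
    if len(data) != data_len:
        raise ValueError("DataLength runs past the end of the value")
    if rtype == 1 and data_len == 4:          # A: IPv4 address in network order
        rdata = str(ipaddress.IPv4Address(data))
    elif rtype in (2, 5, 12):                 # NS, CNAME, PTR: a single DNS_COUNT_NAME
        rdata, _ = decode_count_name(data, 0)
    elif rtype == 6:                          # SOA: five big-endian DWORDs, then two names
        serial_no, refresh, retry, expire, minimum = struct.unpack_from(">IIIII", data, 0)
        mname, off = decode_count_name(data, 20)
        rname, _ = decode_count_name(data, off)
        rdata = {"mname": mname, "rname": rname, "serial": serial_no, "refresh": refresh,
                 "retry": retry, "expire": expire, "minimum": minimum}
    else:                                     # anything else: keep the raw bytes
        rdata = data.hex()
    return DnsRecordValue(rtype, serial, ttl, rank, timestamp, rdata)


def encode_dns_record(rtype: int, rdata: bytes, serial: int, ttl: int,
                      rank: int = RANK_ZONE, timestamp: int = 0) -> bytes:
    """Build a dnsRecord value (inverse of decode_dns_record; static when timestamp is 0)."""
    return (_HDR_LE.pack(len(rdata), rtype, 5, rank, 0, serial)
            + _TTL_BE.pack(ttl) + _TAIL_LE.pack(0, timestamp) + rdata)


# Constructed sample: the A record on the mailserver.reskit.com dnsNode of
# Figure 6.14, written out byte by byte (10.0.0.25 and serial 42 are made up).
SAMPLE_A_RECORD = bytes.fromhex(
    "0400" "0100" "05" "f0" "0000" "2a000000"   # DataLength=4, Type=A, Version=5, Rank, Flags, Serial=42
    "00000e10"                                  # TtlSeconds=3600 (big-endian)
    "00000000" "00000000"                       # Reserved, TimeStamp=0 (static record)
    "0a000019"                                  # 10.0.0.25
)

if __name__ == "__main__":
    rec = decode_dns_record(SAMPLE_A_RECORD)
    print(rec.type_name, rec.rdata, "ttl", rec.ttl, "serial", rec.serial)
```

Feed it the raw dnsRecord values read from a dnsNode object under the MicrosoftDNS container with any LDAP client. Two details matter when checking records this way: TtlSeconds is the one header field stored big-endian, so a reader that treats the whole header as little-endian shows a TTL of 16 as 268435456; and a TimeStamp of 0 marks a static record, which is what distinguishes administrator-created entries from dynamically registered ones.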
You can store any number of zones in Active Directory. Zones stored in Active Directory act like primary zones: Any DNS server running on a domain controller in the domain can modify the zone.
To store a zone in Active Directory, you can either create an Active Directory–integrated zone or convert a primary or secondary zone to be Active Directory–integrated. You can also convert Active Directory–integrated zones back to standard primary or secondary zones. This section explains issues you need to consider when you create, convert, and delete zones. For information about how to create, convert, and delete zones, see Windows 2000 Server Help.
Any Active Directory–integrated zone you create is automatically replicated to all domain controllers in the domain. Therefore, do not create the same zone on more than one domain controller.
Caution
If you create a zone on one domain controller, and then create the same zone on a second domain controller before Active Directory has replicated the zone, Active Directory deletes the zone on the first domain controller. As a result, you lose any changes that you made to the version of the zone that you created on the first domain controller.
You can convert either a standard primary or secondary zone to an Active Directory–integrated zone. When you integrate a zone with Active Directory, consider the following issues:
You can convert an Active Directory–integrated zone to either a standard primary or standard secondary zone.
If you convert an Active Directory–integrated zone to a standard secondary zone, the zone is copied to the name server on which you converted the zone. That server no longer loads the zone from Active Directory, but it has its own secondary copy of the zone. It requests zone transfers from whatever server you specified as the primary server for the zone.
If you convert an Active Directory–integrated zone to a standard primary zone, the zone is copied to a standard file on that server and is deleted from Active Directory. The zone no longer appears on other Active Directory–integrated DNS servers.
If you delete an Active Directory–integrated zone from a domain controller on which Load data on startup is set to Registry, the DNS console asks whether you also want to delete the zone from Active Directory. If you click Yes, the zone is deleted from Active Directory entirely and can no longer be loaded on any domain controller. If you click No, the zone is removed from that server's registry but remains in Active Directory. Whether it then comes back depends on Load data on startup (on the Advanced tab of the DNS server properties page in the DNS console): the next time the DNS server polls the directory for changes, the zone reappears if the setting is From Active Directory and registry, but not if the setting is Registry.
If you delete a standard secondary zone from a domain controller, it is generally deleted from that domain controller. However, if a corresponding Active Directory–integrated zone exists, and you have configured the DNS server to load data on startup from Active Directory and the registry, the zone reappears as an Active Directory–integrated primary zone. You can then delete the Active Directory–integrated zone from the computer or from Active Directory.
It is possible to integrate a zone in Active Directory and then add a secondary copy of the zone on another DNS server. For example, if you have a remote site from which users need to resolve names, but you do not want the extra network traffic that adding a domain controller there would bring, you can create a secondary copy of the zone at that site instead.
When you delete a zone, or convert an Active Directory–integrated zone to a standard secondary zone, you can cause configuration errors. For example, if you delete a copy of the zone from a server and a secondary server is configured to pull zone transfers from that server, the secondary server is no longer able to pull zone transfers.
In another example, if you convert an Active Directory–integrated zone to a standard primary zone, the DNS server loading the new primary zone becomes the single master of the zone. Therefore, Active Directory removes the converted zone from Active Directory, which means that the zone is deleted from all domain controllers.
This can cause problems for secondary servers in some configurations. For example, suppose the domain noam.reskit.com has two Active Directory–integrated name servers, DC1.noam.reskit.com and DC2.noam.reskit.com, and one secondary name server, SecondaryNS.noam.reskit.com, that holds a secondary copy of the zone for noam.reskit.com and points to DC2.noam.reskit.com as the master server for the zone. Figure 6.15 shows this configuration.
Figure 6.15 Sample Domain Structure
Now, suppose that a user with the proper permissions logs on to DC1.noam.reskit.com and converts the zone from an Active Directory–integrated zone to a standard primary zone. As Figure 6.16 shows, DC1.noam.reskit.com will have a standard primary zone, and DC2.noam.reskit.com will no longer have a copy of the zone. Even though the zone has been deleted from DC2.noam.reskit.com, SecondaryNS.noam.reskit.com still points to DC2.noam.reskit.com as the master server for the zone, so SecondaryNS.noam.reskit.com has no way to obtain a copy of the zone by zone transfer.
Figure 6.16 Orphaned Secondary Server
To prevent this problem, before you convert a zone from an Active Directory–integrated zone to a standard primary zone, update every secondary server for the zone so that it requests zone transfers from the server that will hold the standard primary zone.
This problem occurs only if you delete a zone from a server or you are converting an Active Directory–integrated zone to a standard primary zone, and a secondary server is pointing at a server from which the zone was deleted. The problem will not occur if you are converting an Active Directory–integrated zone to a standard secondary zone, because converting an Active Directory–integrated zone to a standard secondary does not cause the zone to be deleted from any server.