Question on Zone Transfers with AD Integrated Zones

IanD
All,

We just converted all of your DNS zones to Active Directory Integrated
and I have a question concerning Zone Transfers option for each zone.
I understand that once you convert your zones to AD Integrated that
all zone transfers are initiated via AD replication. If all DNS
servers are also DC's and no secondary zones will be configured, what
should the proper configuration be for the Zone Transfer options for
each zone ?

My assumption would be to allow zone transfers but only to the servers
listed on the Name Servers tab.

Thanks,

Ian
 
IanD said:
All,

We just converted all of your DNS zones to Active Directory Integrated
and I have a question concerning Zone Transfers option for each zone.
I understand that once you convert your zones to AD Integrated that
all zone transfers are initiated via AD replication.

And in some sense this is no longer "zone transfers" but rather DNS
replication or some such, since it is now incremental by record and
folded into the AD replication for SUCH DNS/DC servers.
If all DNS
servers are also DC's and no secondary zones will be configured, what
should the proper configuration be for the Zone Transfer options for
each zone ?

Probably disallow all. Those settings are ONLY for non-AD zone
transfers.

You might need to enter some workstations or admin consoles in there
if you wish to use tools like NSLookup "List", which counts as a zone
transfer.
My assumption would be to allow zone transfers but only to the servers
listed on the Name Servers tab.

It's irrelevant for replication in the case you describe -- you only need to
enter the "secondaries" or admin console exceptions.
 
IanD said:
We just converted all of your DNS zones to Active Directory Integrated
and I have a question concerning Zone Transfers option for each zone.
I understand that once you convert your zones to AD Integrated that
all zone transfers are initiated via AD replication. If all DNS
servers are also DC's and no secondary zones will be configured, what
should the proper configuration be for the Zone Transfer options for
each zone ?

My assumption would be to allow zone transfers but only to the servers
listed on the Name Servers tab.

Your assumption is understandably incorrect; Active Directory DNS
replication is not reliant on the zone transfer setting on the Zone Transfers
tab. All DNS replication is done through AD replication. You should disable
zone transfers unless you are using secondary DNS zones.
 
IanD said:
All,

We just converted all of your DNS zones to Active Directory Integrated
and I have a question concerning Zone Transfers option for each zone.
I understand that once you convert your zones to AD Integrated that
all zone transfers are initiated via AD replication. If all DNS
servers are also DC's and no secondary zones will be configured, what
should the proper configuration be for the Zone Transfer options for
each zone ?

My assumption would be to allow zone transfers but only to the servers
listed on the Name Servers tab.

Thanks,

Ian

In addition to Herb and Kevin's comments, just to point out, DNS zone data
can be stored in numerous ways. Namely with Windows, it can be
either as a text file or in AD's database. As for the text file, that is one
way and that is the old 'normal' text file way to do it, and in Windows, the
zonename.dns file is where it's stored, specifically in the system32\dns
folder. Other DNS services have other methods of storing their data. With
Active Directory, there's now an option to store it in the actual physical
Active Directory database. Portions of this database get replicated to all
domain controllers in a forest and other portions get replicated to just the
domain controllers in that specific domain that that specific domain
controller is a domain controller for.

The physical database is broken down 'logically' in 3 sections, or
'containers': the Domain NC (NC = Name Container), Configuration Container
and the Schema Container. The Schema and Config Containers are forest wide.
All DCs get a copy of these guys. However, the Domain NC is ONLY replicated
to DCs in that specific domain that the DCs are a DC for. This is the
container that the zone gets stored in when you make the zone AD Integrated.
Therefore, this container gets replicated and is now available on any DC in
that domain. So therefore, if you opt to install DNS on a DC in that domain,
and then create your zone name and specify it as AD Integrated, the zone
data gets pulled from the database.

With Windows 2000 AD, if you try it with a DC that belongs to another domain
in the forest, the zone doesn't exist. In that case, if you need to have
that zone available, or on any other DNS server for that matter (Windows or
not), then you'll need to create the zone as a secondary zone, and only then
would you need to allow zone transfer either to ALL or to just that specific
DC, or put it in the Name Servers tab, etc.

With Windows 2003 AD, there's a new option to allow replicating the zone to
other domains in the forest.


--
Regards,
Ace

Please direct all replies to the newsgroup so all can benefit.
This posting is provided "AS-IS" with no warranties and confers no
rights.

Ace Fekay, MCSE 2000, MCSE+I, MCSA, MCT, MVP
Microsoft Windows MVP - Active Directory

HAM AND EGGS: A day's work for a chicken; A lifetime commitment for a
pig. --
=================================
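The advice in this thread comes down to two checks on each zone: is it stored in AD (and with which replication scope, per Ace's Domain-NC vs forest-wide distinction), and does the Zone Transfers tab still allow transfers that replication does not need (Herb and Kevin's point). The script below is an added example, not code from any poster in this thread. It assumes the DnsServer PowerShell module (Windows Server 2012 and later, or RSAT) run on or against a DC that hosts DNS; the `$AdminConsoles` list is a constructed placeholder for hosts that legitimately need an NSLookup-style "list" (zone transfer), as Herb describes. By default it only reports; `-Apply` changes the setting.

```powershell
# Added example (not from the thread): audit Windows DNS zones on a DC and
# tighten the zone-transfer setting on AD-integrated zones.
# Assumes the DnsServer module. $AdminConsoles is a constructed placeholder
# list of IPs that are allowed to pull a full zone (e.g. an admin console
# using nslookup "ls"); leave it empty to disallow all transfers.
param(
    [string]   $ComputerName  = $env:COMPUTERNAME,
    [string[]] $AdminConsoles = @(),     # e.g. @('10.0.0.50') -- placeholder, not from the thread
    [switch]   $Apply                    # default is report-only
)

Import-Module DnsServer -ErrorAction Stop

# Primary zones only; skip auto-created zones (TrustAnchors, loopback reverse zones).
$zones = Get-DnsServerZone -ComputerName $ComputerName |
    Where-Object { $_.ZoneType -eq 'Primary' -and -not $_.IsAutoCreated }

$report = foreach ($zone in $zones) {
    # ReplicationScope is only meaningful for DS-integrated zones:
    #   Domain = Domain NC only (Ace's Windows 2000 behaviour),
    #   Forest = replicated to every DC in the forest (Windows 2003+ option).
    $scope = if ($zone.IsDsIntegrated) { $zone.ReplicationScope } else { 'n/a (file-backed)' }

    [pscustomobject]@{
        Zone             = $zone.ZoneName
        AdIntegrated     = $zone.IsDsIntegrated
        ReplicationScope = $scope
        Transfers        = $zone.SecureSecondaries   # NoTransfer / TransferAnyServer / TransferToZoneNameServer / TransferToSecureServers
        SecondaryServers = ($zone.SecondaryServers -join ', ')
    }
}
$report | Format-Table -AutoSize

foreach ($zone in $zones) {
    # File-backed zones may genuinely depend on AXFR to secondaries; leave them alone here.
    if (-not $zone.IsDsIntegrated) { continue }

    # An AD-integrated zone gets its data via AD replication, so an open
    # transfer setting is exposure with no replication benefit.
    if ($zone.SecureSecondaries -in @('TransferAnyServer', 'TransferToZoneNameServer')) {
        Write-Warning ("{0}: AD-integrated but zone transfers are '{1}'" -f $zone.ZoneName, $zone.SecureSecondaries)

        if ($Apply) {
            if ($AdminConsoles.Count -gt 0) {
                # Keep the admin-console exception Herb mentions: explicit list only.
                Set-DnsServerPrimaryZone -ComputerName $ComputerName -Name $zone.ZoneName `
                    -SecureSecondaries TransferToSecureServers -SecondaryServers $AdminConsoles
            } else {
                # No secondaries and no consoles: disallow all, as Herb and Kevin advise.
                Set-DnsServerPrimaryZone -ComputerName $ComputerName -Name $zone.ZoneName `
                    -SecureSecondaries NoTransfer
            }
        }
    }
}
```

Run it once without `-Apply` and read the table: a zone showing `AdIntegrated = True` with `Transfers = TransferAnyServer` is the case the thread is about. A zone showing `ReplicationScope = Domain` will, as Ace notes, not be present on DNS servers that are DCs of another domain in the forest; on Windows 2003 and later the zone's replication scope can be widened to `Forest` instead of falling back to a secondary zone and re-enabling transfers.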
 