Zone transfer tab and Active Directory integrated DNS

Guest

My question is that if you have only Win2k and/or Win2k3 DCs running
integrated DNS in a single-domain forest, does having the "Allow Zone
transfers" check box cleared have any effect on zone data replication via AD?
My logic tells me that this setting is only useful if you are using true
"secondaries" that are NOT AD integrated, as the multimaster replication is
not filtered for certain data types, unless you are native Win2k3 and are
setting DNS replication scopes to only DCs that are running DNS. The other
telling point is that there is no schema entry for "allow zone transfer", so
if you don't check it, how does it filter the replication of AD updates to do
all the other AD info EXCEPT for the DNS data? Any responses will be
appreciated.
 
Ace Fekay [MVP]

AlanBrailsford said:
My question is that if you have only Win2k and/or Win2k3 DCs running
integrated DNS in a single-domain forest, does having the "Allow Zone
transfers" check box cleared have any effect on zone data replication
via AD? My logic tells me that this setting is only useful if you are
using true "secondaries" that are NOT AD integrated, as the
multimaster replication is not filtered for certain data types,
unless you are native Win2k3 and are setting DNS replication scopes
to only DCs that are running DNS. The other telling point is that
there is no schema entry for "allow zone transfer", so if you don't
check it, how does it filter the replication of AD updates to do all
the other AD info EXCEPT for the DNS data? Any responses will be
appreciated.

Your logic is correct. That's only for true zone transfers and has nothing
to do with AD replication.

In Win2000 AD, an AD Integrated zone is stored in the Domain NC partition.
That is one of 3 possible partitions. The Domain NC is specific to each
domain. Each domain has its own (that's where users, computers, groups and other
domain-specific objects are stored). The Domain NC will replicate between
other DCs in that specific domain. It will replicate changes, and not the
whole thing. The other 2 partitions are the Schema and the Configuration
container, which have nothing to do with AD Integrated zones. These
partitions replicate to ALL DCs in a forest.

In Win2003, there are additional places (application partitions) to store an
AD Integrated zone that you choose by setting the replication scope. That
will replicate to other DCs depending on the replication scope set.

In a mixed 2000/2003 DC/DNS environment, you would want to choose the bottom
button in the replication scope properties of a 2003 DNS zone's properties to
be compatible with 2000 DNS AD Integration. This is because 2000 DCs/DNS
servers do not understand the application partitions. If you mix the
settings on a 2003 and a 2000 server for that zone, it will create a
conflicting zone issue which can be resolved, but it takes multiple steps to
fix.

There's much more, but that's the gist of it.

--
Ace

This posting is provided "AS-IS" with no warranties or guarantees and
confers no rights.

If this post is viewed at a non-Microsoft community website, and you were to
respond to it through that community's website, I may not see your reply
unless that website posts replies back to the original Microsoft forum.
Therefore, please direct all replies ONLY to the Microsoft public newsgroup
this thread originated in so all can benefit or ensure the web community
posts it back to the original forum.

Ace Fekay, MCSE 2003 & 2000, MCSA 2003 & 2000, MCSE+I, MCT, MVP
Microsoft MVP - Windows Server Directory Services
Microsoft Certified Trainer
Infinite Diversities in Infinite Combinations.
=================================
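The two settings the thread separates, as an added administrative example that is not part of Ace's post: the zone-transfer restriction (what the "Allow zone transfers" tab controls, i.e. AXFR/IXFR to secondaries over DNS) and the AD replication scope (which directory partition the zone object lives in). The PowerShell cmdlets assume the DnsServer module, which exists only on Windows Server 2012 and later; for the Win2003-era servers in the thread the equivalent dnscmd commands are shown as well. The zone name and the secondary's IP address are placeholders.

```powershell
# Added example, not from the original thread.
# Assumes: Windows Server 2012+ DnsServer module for the cmdlets; dnscmd for the
# Win2003-era equivalents. 'corp.example.com' and 10.0.0.53 are placeholders.
$zone      = 'corp.example.com'
$secondary = '10.0.0.53'   # a non-AD-integrated secondary, if you have one

# 1. Inspect the zone. ReplicationScope / DirectoryPartitionName tell you which
#    AD partition carries the zone (Legacy = domain NC, the Win2000-compatible
#    choice; Domain = DomainDnsZones; Forest = ForestDnsZones).
#    SecureSecondaries is the "Allow zone transfers" setting. They are separate
#    properties: one is AD replication, the other is DNS zone transfer.
Get-DnsServerZone -Name $zone |
    Select-Object ZoneName, IsDsIntegrated, ReplicationScope,
                  DirectoryPartitionName, SecureSecondaries, DynamicUpdate

# 2. Harden zone transfers. With only AD-integrated DCs (the questioner's case)
#    nothing needs AXFR, so refuse it outright; AD replication keeps working.
Set-DnsServerPrimaryZone -Name $zone -SecureSecondaries NoTransfer

#    If you do run a true secondary, allow only that server rather than
#    "any server" or "servers listed on the Name Servers tab".
# Set-DnsServerPrimaryZone -Name $zone `
#     -SecureSecondaries TransferToSecureServers -SecondaryServers $secondary

# 3. Choose the replication scope. In a mixed 2000/2003 environment pick
#    Legacy (the domain NC) so Win2000 DCs, which do not understand the
#    application partitions, still receive the zone.
Set-DnsServerPrimaryZone -Name $zone -ReplicationScope Legacy

# --- Win2003-era equivalents with dnscmd (run from cmd.exe or PowerShell) ---
dnscmd /ZoneInfo $zone                                 # show partition + secure-secondaries state
dnscmd /ZoneResetSecondaries $zone /NoXfr              # refuse all zone transfers
# dnscmd /ZoneResetSecondaries $zone /SecureList $secondary   # or allow one host
dnscmd /ZoneChangeDirectoryPartition $zone /legacy     # store in the domain NC
```

To confirm the transfer restriction from an untrusted vantage point, run an AXFR against a DC from a non-secondary host (nslookup's `ls -d corp.example.com` after `server <dc>`, or `dig @<dc> corp.example.com AXFR` on Unix); the server should answer "Query refused" while `repadmin /showrepl` on the DCs still reports healthy AD replication of the partition holding the zone.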
 
