Integrating DNS and Active Directory

In this article, Kevin Kocis describes some of the advantages and difficulties of combining the Domain Name Service (DNS) with Active Directory, non-Microsoft DNS servers, and WINS.

The integration of DNS and Active Directory is a key feature of Windows 2000. Like DNS, Active Directory is a distributed database that can be partitioned and replicated. Active Directory domains and DNS domains use identical names for different namespaces. Active Directory uses DNS as its location service, enabling computers to find the location of domain controllers and other services on the network. LDAP is the protocol used to query and update Active Directory, and all domain controllers run an LDAP server.

You cannot install Active Directory without having DNS on your network because Active Directory uses DNS as its location service. However, you can install DNS separately, without Active Directory. If you install DNS on a domain controller, you can also choose whether or not to use Active Directory to provide storage and replication for DNS. Using Active Directory for storage and replication provides the following benefits:

  • Increased fault tolerance

  • Security

  • Easier management

  • More efficient replication of large zones

For DNS to function as a location service for Active Directory, you must have a DNS server to host the locator records (A, SRV, and CNAME).

You can configure your Windows 2000 DNS server automatically by using the Active Directory Installation Wizard, which performs all the installation and configuration necessary for DNS, and the Netlogon service adds the necessary locator records.

You can manually configure DNS if you want to set up a configuration other than the Active Directory default configuration (such as BIND).

For information about issues related to configuring DNS when you're using a third-party DNS server, see the later section "Heterogeneous Environments."

DNS Installation Wizard

The Active Directory Installation Wizard promotes the computer to the role of domain controller, installs Active Directory, and can install and configure the DNS server.

When you start the Active Directory Installation Wizard and choose to create a new domain, the wizard finds the DNS server that is authoritative for the name of the new Active Directory domain and then checks whether that server is going to accept dynamic updates. If the test is positive, the wizard does not install and configure a local DNS server.

If the Active Directory Installation Wizard cannot find the DNS server that is authoritative for the name, or if the server it finds does not support dynamic updates or is not configured to accept dynamic updates, the wizard asks whether you want it to automatically install and configure a local DNS server. If you answer yes, the wizard automatically installs and configures the DNS Server service.

During automatic configuration, the Active Directory Installation Wizard adds to the DNS server the forward lookup zone that will host the locator records and configures the DNS server to accept dynamic updates. (A forward lookup zone contains information needed to resolve names within the DNS domain.) If the server is the first in the forest, it becomes the root DNS server. If the server is not the first, the wizard queries for the root servers and primes the root hints with the root DNS server names.

After the Active Directory Installation Wizard is finished, you are prompted to restart the computer. After the computer restarts, Netlogon attempts to add locator resource records to the DNS server by sending a dynamic update request to the authoritative DNS server.

NOTE

The Netlogon service starts after the DNS server service. The SRV resource records may not be registered in the zone for up to 15 minutes. You can force registration of these records by stopping and restarting the Netlogon service.
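Because the locator records are what lets clients find a domain controller, it is worth verifying that they actually made it into the zone once Netlogon has run. The following is an added example, not code from the article or from Microsoft: it parses a zone-file text and reports which of the core locator records are absent. The record names are the standard Windows 2000 locator names (which the article does not list); the zone contents, host names and DSA GUID are constructed sample data.

```python
# Added example (not the article's or Microsoft's code): check a zone for the
# Active Directory locator records that Netlogon registers by dynamic update.
# The record names are the standard Windows 2000 locator names; the zone text,
# host names and GUID below are constructed.


def expected_locator_records(domain, forest, dsa_guid):
    """Core set of (type, owner) pairs a DC in `domain` should register.

    Site-specific copies (under _sites) are also registered by Netlogon but
    are not checked here.
    """
    d = domain.rstrip(".").lower()
    f = forest.rstrip(".").lower()
    return {
        ("SRV", f"_ldap._tcp.{d}"),
        ("SRV", f"_kerberos._tcp.{d}"),
        ("SRV", f"_kerberos._udp.{d}"),
        ("SRV", f"_kpasswd._tcp.{d}"),
        ("SRV", f"_ldap._tcp.dc._msdcs.{d}"),
        ("SRV", f"_kerberos._tcp.dc._msdcs.{d}"),
        ("SRV", f"_ldap._tcp.pdc._msdcs.{d}"),
        ("SRV", f"_ldap._tcp.gc._msdcs.{f}"),
        ("CNAME", f"{dsa_guid.lower()}._msdcs.{f}"),
    }


def parse_zone(text):
    """Return the set of (type, owner) pairs in a zone file.

    Handles the common line shape `owner [ttl] [IN] type rdata...` with
    fully qualified owner names; comments start with ';'.
    """
    records = set()
    for line in text.splitlines():
        line = line.split(";", 1)[0].strip()
        if not line or line.startswith("$"):
            continue
        fields = line.split()
        owner, rest = fields[0].rstrip(".").lower(), fields[1:]
        if rest and rest[0].isdigit():        # optional TTL
            rest = rest[1:]
        if rest and rest[0].upper() == "IN":  # optional class
            rest = rest[1:]
        if rest:
            records.add((rest[0].upper(), owner))
    return records


def missing_locator_records(zone_text, domain, forest, dsa_guid):
    """Locator records that are expected but absent, sorted for reporting."""
    present = parse_zone(zone_text)
    return sorted(expected_locator_records(domain, forest, dsa_guid) - present)


# Constructed sample: what a DC named dc1 has registered so far in the zone
# corp.example.test (also the forest root here).  Two SRV records and the
# DSA GUID CNAME are deliberately absent.
SAMPLE_ZONE = """
corp.example.test.  IN SOA dc1.corp.example.test. hostmaster.corp.example.test. 1 900 600 86400 3600
corp.example.test.  IN NS  dc1.corp.example.test.
dc1.corp.example.test.  IN A  10.1.1.5
_ldap._tcp.corp.example.test.      600 IN SRV 0 100 389 dc1.corp.example.test.
_kerberos._tcp.corp.example.test.  600 IN SRV 0 100 88  dc1.corp.example.test.
_kerberos._udp.corp.example.test.  600 IN SRV 0 100 88  dc1.corp.example.test.
_kpasswd._tcp.corp.example.test.   600 IN SRV 0 100 464 dc1.corp.example.test.
_ldap._tcp.dc._msdcs.corp.example.test.   600 IN SRV 0 100 389 dc1.corp.example.test.
_ldap._tcp.pdc._msdcs.corp.example.test.  600 IN SRV 0 100 389 dc1.corp.example.test.
"""
PLACEHOLDER_GUID = "00000000-0000-0000-0000-000000000001"  # constructed DSA GUID

if __name__ == "__main__":
    for rtype, owner in missing_locator_records(
            SAMPLE_ZONE, "corp.example.test", "corp.example.test", PLACEHOLDER_GUID):
        print(f"missing {rtype:5} {owner}")
```

If records are still missing after the 15-minute window, restarting Netlogon as the note above describes forces a fresh registration attempt.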

NOTE

You can also invoke the Active Directory Installation Wizard by executing an answer file that contains all the settings you need to configure. An answer file is a file that a wizard uses to provide answers to questions where a user would normally need to respond or be prompted to input information.

Follow these steps to install and configure DNS and Active Directory:

  1. Log on with the appropriate administrative privileges. Depending on the type of DC promotion, the Eadmin account may be required.

  2. Check the TCP/IP advanced settings of your computer to make sure that it is configured to use a DNS server. If your computer is the first DNS server on the network, you can configure your computer to use itself as a DNS server.

  3. If the Windows 2000 Configure Your Server Wizard is not already open on your computer, click Start, Run, and then type dcpromo.

  4. The Active Directory Installation Wizard then guides you through the installation and configuration of the DNS server component.

  5. When you're directed to do so, restart your computer.

After you run the Active Directory Installation Wizard, you might need to add a delegation in the parent zone of the zone you created. If this server is a root DNS server, no parent zone exists; therefore, you do not need to add a delegation. However, if other DNS servers are running on the network, you should add a delegation if this zone will be managed outside of the root domain.

Follow these steps to add a delegation:

  1. In the DNS console, locate the subdomain where you want to create a zone delegation.

  2. From the Action menu, select New Delegation. Click Next.

  3. On the Delegated Domain Name page, specify the domain you want to create (select the recently created domain you just installed in DNS), and click Next.

  4. Specify the servers hosting the delegated zone, and click Next.

  5. Review your entered information, and click Finish.
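What the New Delegation wizard writes into the parent zone is a set of NS records for the child, plus glue A records for any name server whose own name lies inside the delegated subdomain. The following is an added example, not code from the article: it produces those records as zone-file lines and applies the glue rule, so you can compare against what the console created. Zone names and addresses are constructed.

```python
# Added example (not the article's code): the NS and glue records that a
# delegation in the parent zone consists of.  Names and addresses are
# constructed.
import ipaddress


def delegation_records(parent_zone, child_zone, name_servers):
    """Zone-file lines the parent zone needs to delegate `child_zone`.

    name_servers maps server host name -> IPv4 address.  A glue A record is
    emitted only for servers whose names fall inside the delegated subdomain:
    without it, resolving such a server's name would require the very
    delegation being created.  Servers outside the child get an NS line only.
    A parent of "." means this server is the root, where the article notes
    that no delegation is needed; any child is then accepted.
    """
    parent = parent_zone.strip().rstrip(".").lower()
    child = child_zone.strip().rstrip(".").lower()
    if parent and not child.endswith("." + parent):
        raise ValueError(f"{child} is not a subdomain of {parent}")
    if not name_servers:
        raise ValueError("a delegation needs at least one name server")
    lines = []
    for host, addr in name_servers.items():
        host = host.strip().rstrip(".").lower()
        lines.append(f"{child}. IN NS {host}.")
        if host == child or host.endswith("." + child):
            ipaddress.IPv4Address(addr)  # raises on a malformed glue address
            lines.append(f"{host}. IN A {addr}")
    return lines


if __name__ == "__main__":
    # Constructed: corp.example.test delegated from example.test, hosted by
    # its own DC (needs glue) and by a server in the parent (no glue).
    for line in delegation_records(
            "example.test", "corp.example.test",
            {"dc1.corp.example.test": "10.1.1.5", "ns.example.test": "10.0.0.2"}):
        print(line)
```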

Configuring Zones

The biggest part of configuring DNS involves configuring zones. After you have installed DNS, you will eventually be required to configure DNS zones. This next section addresses the Windows 2000 DNS console and how to configure various elements of zone creation.

Adding and Deleting Zones

As mentioned earlier, you can configure zones as standard primary, standard secondary, or Active Directory–integrated.

To add a standard primary zone, perform the following steps:

  1. Select Start, Programs, Administrative Tools, DNS.

  2. In DNS, locate the server designated to be the primary server for the new zone.

  3. Right-click the Forward Lookup Zone icon and select New Zone.

  4. At the zone selection screen, select Standard Primary, and click Next.

  5. Enter the domain name (this should correspond to your Active Directory namespace).

  6. Click the Create a New File button if you are not importing or working with a current file. (Note that the default name is the zone name with an appended .dns extension.) If you are using an existing file, it must be located in the %SystemRoot%\system32\dns folder.

  7. Review your information, and select Finish.

To create a secondary forward lookup zone, follow steps 1 through 5, and then enter the IP address(es) of the DNS server(s) from which you want to copy the DNS zone information. Click the Add button, and prioritize the list of DNS servers. Then review your information, and click Finish.

Adding a Reverse Lookup Zone

All zones (primary, secondary, and AD-integrated) can be either forward lookup or reverse lookup. A reverse lookup zone returns the host name when queried with the IP address.

To create a primary reverse lookup zone, perform the following steps:

  1. Select Start, Programs, Administrative Tools, DNS.

  2. In DNS, locate the server designated to be the primary server for the new zone.

  3. Right-click the Reverse Lookup Zone icon and select New Zone.

  4. At the zone selection screen, select Standard Primary, and click Next.

  5. Enter the network ID for the zone (or enter the name, which is the reversed network ID followed by .in-addr.arpa). For example, if the network ID is 10.1.1, the reverse lookup zone name would be 1.1.10.in-addr.arpa. Click Next.

  6. Click the Create a New File button if you are not importing or working with a current file. (Note that the default name is the zone name with an appended .dns extension.) If you are using an existing file, it must be located in the %SystemRoot%\system32\dns folder.

  7. Review your information, and select Finish.
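The reversed-octet naming in step 5 is easy to get backwards by hand, and a PTR record placed under the wrong owner name silently breaks reverse resolution. The following is an added example, not code from the article: it derives the zone name for a one-, two- or three-octet network ID (going beyond the single 10.1.1 case in the text), derives the PTR owner name for a host in that zone, and rejects addresses that do not belong to the zone. Addresses and host names are constructed.

```python
# Added example (not the article's code): reverse lookup zone names and PTR
# owner names for IPv4.  Sample addresses and host names are constructed.


def reverse_zone_name(network_id):
    """Zone name for a network ID such as '10.1.1' -> '1.1.10.in-addr.arpa'.

    Accepts one to three octets (/8, /16 or /24 networks).
    """
    octets = network_id.strip().strip(".").split(".")
    if not 1 <= len(octets) <= 3:
        raise ValueError("network ID must have one to three octets")
    for o in octets:
        if not o.isdigit() or not 0 <= int(o) <= 255:
            raise ValueError(f"bad octet {o!r} in network ID {network_id!r}")
    return ".".join(reversed(octets)) + ".in-addr.arpa"


def ptr_owner_name(ip, zone_name):
    """Owner name of the PTR record for `ip` inside `zone_name`.

    Raises ValueError if the address is malformed or lies outside the zone,
    which is the mistake a mis-reversed zone name produces.
    """
    octets = ip.strip().split(".")
    if len(octets) != 4 or any(not o.isdigit() or int(o) > 255 for o in octets):
        raise ValueError(f"bad IPv4 address {ip!r}")
    name = ".".join(reversed(octets)) + ".in-addr.arpa"
    zone = zone_name.strip().rstrip(".").lower()
    if not name.endswith("." + zone):
        raise ValueError(f"{ip} does not belong to zone {zone}")
    return name


def ptr_record(ip, zone_name, host_fqdn):
    """Zone-file line mapping `ip` back to `host_fqdn`."""
    return f"{ptr_owner_name(ip, zone_name)}. IN PTR {host_fqdn.rstrip('.')}."


if __name__ == "__main__":
    zone = reverse_zone_name("10.1.1")          # constructed network ID
    print(zone)
    print(ptr_record("10.1.1.5", zone, "dc1.corp.example.test"))
```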

To delete a zone, simply right-click the desired zone in the DNS console, and select Delete.

Active Directory–Integrated Zones

Any Active Directory–integrated zone you create is automatically replicated to all domain controllers in the domain. Therefore, do not create the same zone on more than one domain controller.

NOTE

If you create a zone on one domain controller and then create the same zone on a second domain controller before Active Directory has replicated the zone, Active Directory deletes the zone on the first domain controller. As a result, you lose any changes that you made to the version of the zone that you created on the first domain controller.

To create an Active Directory–integrated zone, perform the following steps:

  1. Select Start, Programs, Administrative Tools, DNS.

  2. In DNS, locate the server designated to be the primary server for the new zone.

  3. Right-click the Forward Lookup Zone icon, and select New Zone.

  4. At the zone selection screen, select Standard Active Directory–Integrated Zone, and click Next.

  5. Enter the domain name (this should correspond to your Active Directory namespace).

  6. Review your information, and click Finish.

You can store many zones in Active Directory, where they all act as primary zones. These zones can be modified by any DNS server running on a domain controller in the respective domain.

If you delete an Active Directory–integrated zone from a domain controller and Load Zone Data on Startup is set to Registry, the DNS console asks whether you also want to delete the zone from Active Directory. If you click Yes, the zone is completely deleted from Active Directory and is no longer available to any domain controllers. If you click No, the zone is removed from the Registry but remains in Active Directory. The next time the DNS server polls the directory for changes, if Load Zone Data on Startup on the Advanced tab of the DNS server properties page in the DNS console is set to From Active Directory and Registry, the zone reappears (see Figure 1). If Load Zone Data on Startup is set to Registry, on the other hand, the zone does not reappear.

Figure 1

Setting the load zone data preference.

Converting Standard Zones to AD-Integrated Zones

You can convert either a standard primary or secondary zone to an Active Directory–integrated zone. When you integrate a zone with Active Directory, consider the following issues:

  • For a DNS server to use an Active Directory–integrated zone, that server must be running on a domain controller.

  • You cannot load Active Directory–integrated zones from other domains. If you want your DNS server to be authoritative for an Active Directory–integrated zone from another domain, the server can only act as a secondary server for that zone.

  • There is no such thing as an Active Directory–integrated secondary zone. All domain controllers can update the zone.

  • You cannot have at the same time both an Active Directory–integrated zone and a standard primary copy of the same zone.

Converting AD-Integrated Zones to Standard Zones

You can convert an Active Directory–integrated zone to either a standard primary or standard secondary zone (see Figure 2).

Figure 2

Converting an AD-integrated zone to a standard primary zone. You can use this same window in the General tab to convert back to AD-integrated.

If you convert an Active Directory–integrated zone to a standard secondary zone, the zone is copied to the name server on which you converted the zone. Although the server no longer loads the zone from Active Directory, it hosts its own secondary copy of the zone, and requests zone transfers from the primary server for the zone.

If you convert an Active Directory–integrated zone to a standard primary zone, the zone is copied to a standard file on that server and is deleted from Active Directory. The zone no longer appears on other Active Directory–integrated DNS servers.

Preventing Problems When Converting or Deleting Zones

When you delete a zone or convert an Active Directory–integrated zone to a standard secondary zone, configuration errors can result. For example, if you delete a copy of the zone from a server and a secondary server is configured to pull zone transfers from that server, the secondary server is no longer able to pull zone transfers.

Also, if you convert an Active Directory–integrated zone to a standard primary zone, the DNS server loading the new primary zone becomes the single master of the zone. Because Active Directory removes the converted zone from Active Directory, the zone is deleted from all domain controllers.

To prevent this problem, be sure to update all secondary servers for the zone that you are converting from an Active Directory–integrated zone to a standard primary zone. This problem occurs only if you delete a zone from a server or you are converting an Active Directory–integrated zone to a standard primary zone, and a secondary server is pointing at a server from which the zone was deleted. The problem does not occur if you are converting an Active Directory–integrated zone to a standard secondary zone because converting this way does not cause the zone to be deleted from any server.
