Recipe13.6.Converting a Zone to an Active Directory-Integrated Zone

Recipe 13.6. Converting a Zone to an Active Directory-Integrated Zone

Problem

You want to convert a primary zone to an Active Directory-integrated zone. This causes the contents of the zone to be stored and replicated in Active Directory instead of in a text file, as is the case with a standard primary zone.

Solution

Using a graphical user interface

From the Administrative Tools, open the DNS snap-in (dnsmgmt.msc).
Connect to the DNS Server you want to modify. In the left pane, right-click on DNS and select Connect to DNS Server. Select The following computer and enter the target server name. Click OK.
If you want to convert a forward zone, expand the Forward Lookup Zone folder. If you want to convert a reverse zone, expand the Reverse Lookup Zone folder.
Click on the zone you want to convert, then right-click it, and select Properties.
Beside Type, click the Change button.
Check the box beside Store the zone in Active Directory.
Click OK and click OK again.

Using a command-line interface

Use the following command to convert a standard primary zone to Active Directory-integrated:

> dnscmd <ServerName> /zoneresettype <ZoneName> /DsPrimary

For example:

> dnscmd dns02 /zoneresettype myzone.com /DsPrimary

Using VBScript

' This code converts a zone to AD-integrated. ' ------ SCRIPT CONFIGURATION ------ strZone   = "<ZoneName>"    ' e.g., rallencorp.com strServer = "<ServerName>"  ' e.g., dc1.rallencorp.com ' ------ END CONFIGURATION --------- set objDNS = GetObject("winMgmts:\\" & strServer & "\root\MicrosoftDNS") set objDNSServer = objDNS.Get("MicrosoftDNS_Server.Name="".""") set objDNSZone = objDNS.Get("MicrosoftDNS_Zone.ContainerName=""" & _                           strZone & """,DnsServerName=""" & _                           objDNSServer.Name & """,Name=""" & strZone & """") strNull = objDNSZone.ChangeZoneType(0, True) objDNSZone.Put_ WScript.Echo "Converted " & strZone & " to AD-integrated"

Discussion

The only time DNS data is stored in Active Directory is if you have a zone that is Active Directory-integrated. Standard primary and secondary zones that are not Active Directory-integrated store DNS data locally on the file system of each DNS Server. If you have an Active Directory-integrated zone under Windows 2000, a container is created in Active Directory at cn=<ZoneName>,cn=MicrosoftDNS,cn=System,<DomainDN>, where <ZoneName> is the name of the zone.

For Windows Server 2003, you can use application partitions to store DNS data in an alternate location. By default, there are three options for storing DNS data in Windows Server 2003-based forests:

Store DNS data on all domain controllers in a domain (only option for Windows 2000).
Store DNS data on all domain controllers that are DNS Servers in the domain.
Store DNS data on all domain controllers that are DNS Servers in the forest.

The default location for the second option is dc=DomainDNSZones,<DomainDN> and for the third option, it is dc=ForestDNSZones,<ForestDN>. These two locations are actually application partitions that are replicated only to the domain controllers that are DNS Servers in the domain or forest, respectively.

Inside the cn=MicrosoftDNS container is a dnsZone object for each Active Directory-integrated zone. Inside of the dnsZone container are dnsNode objects, each of which store all resource records associated with a particular node. In the following textual representation of an A record, the dc1.rallencorp.com name is considered a node (generally the left side of the resource record).

dc1.rallencorp.com. 600 IN A 6.10.57.21

There could be multiple resource records associated with the dc1.rallencorp.com name, so each dnsNode object has a multivalued dnsRecord attribute. The dnsNode object represents the name and the values of the dnsRecord attribute for all of its resource records. Unfortunately, the contents of that attribute are stored in a binary format and are not directly readable.