Throughout this chapter, we've been working with standard DNS zones on a Windows Server 2003 member server, that is, a server that is not a Domain Controller. While there is nothing wrong (at a basic level) with this configuration and implementation of the Windows Server 2003 DNS service, to fully utilize its power and flexibility you should use Active Directory-integrated DNS. Active Directory-integrated DNS offers several performance enhancements and is inherently more secure. Recall that the Security tab in the server Properties dialog box is unavailable for standard DNS servers; it is available only when DNS is running on a Domain Controller. Likewise, the Security tab in the zone Properties dialog box is available only when a zone is configured as Active Directory-integrated and running on a Domain Controller. Additionally, only when using Active Directory-integrated zones will you be able to configure Secure dynamic updates.

Exam Alert: Securely Implementing DNS
Using Windows Server 2003 Active Directory is more secure than a flat file, and updates and zone transfers occur as part of Active Directory replication activities, which are encrypted. As a result, an Active Directory-integrated zone is the most secure DNS implementation possible.

Configuring Existing Zones for Active Directory Integration
If you have DNS running on your Domain Controller and have zones created, but have not created any Active Directory-integrated zones, it is fairly painless to make the integration occur. Step by Step 3.9 presents the process you should follow.

Note: Getting into the Zone
If you completed Step by Steps 3.2, 3.5, and 3.6 on a DNS server that was running on a Domain Controller and did not integrate the zones into Active Directory, you can proceed directly to Step by Step 3.9.
If you need to create a new standard primary zone on your DNS server that is running on a Domain Controller, repeat Step by Step 3.5 and create a primary zone named development.quepublishing.com. In Step by Step 3.9, we use that zone, although you can use the previous publishing.quepublishing.com zone if it meets the requirements discussed.

Step by Step 3.9. Changing Zone Replication and Dynamic Update Configuration
Exam Alert: About Secure Dynamic Updates
When you enable Secure dynamic updates on a DNS zone, each resource record can have only one owner, and only that owner can update the record. This is an unacceptable and impossible condition when you have multiple DHCP servers registering host (A) records on behalf of clients that cannot perform the registration themselves, because the DHCP server that registers a record becomes its owner. Without some other provision in place, only the DHCP server that originally registered the record could update it in the future, and problems would soon ensue in your DNS zones. To avoid this problem, all authorized DHCP servers should be added to the DnsUpdateProxy security group. Members of this special security group are blocked from recording ownership on any resource records they create or update in DNS. Since no ownership information is recorded on the record, any other DHCP server on your network can then make changes to that record as required. You should realize, however, that this solution does decrease the security offered by enforcing only secure dynamic updates, because no owner is specified for these records. Windows 2000 and Windows XP client computers do not cause this problem because they can register their own A records without any assistance from the DHCP server. As a new feature, you should expect to see a question relating to the DnsUpdateProxy security group on your 70-291 exam.

Creating New Active Directory-Integrated Zones
If you want to create a brand new Active Directory-integrated zone, you can do that easily enough. To complete that process, follow the steps outlined in Step by Step 3.10, which is very similar to the steps you completed previously in Step by Step 3.5.

Step by Step 3.10. Creating and Configuring a New Active Directory-Integrated Zone
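As an added example (not from the book or from Microsoft's documentation), the following PowerShell script audits and remediates the two settings covered by Step by Step 3.9 and the DnsUpdateProxy Exam Alert: zones that are still file-backed or still accept nonsecure dynamic updates, and DnsUpdateProxy members that are not authorized DHCP servers. It uses the DnsServer, DhcpServer and ActiveDirectory modules, which ship with Windows Server 2012 and later rather than Windows Server 2003 (where the same changes are made in the DNS console); the server name is an assumption.

```powershell
# Added example, not from the book: audit a DNS server for the settings above.
# Uses the DnsServer, DhcpServer and ActiveDirectory modules (Windows Server
# 2012 and later; on Windows Server 2003 these changes are made in the DNS
# console). The server name below is an assumption for this example.
Import-Module DnsServer, DhcpServer, ActiveDirectory

$dnsServer = 'dc1.quepublishing.com'   # assumed Domain Controller running DNS

# 1. Report primary zones that are still file-backed or that still accept
#    nonsecure dynamic updates. Secure-only updates need an AD-integrated zone.
$zones = Get-DnsServerZone -ComputerName $dnsServer |
    Where-Object { $_.ZoneType -eq 'Primary' -and -not $_.IsAutoCreated }
$findings = foreach ($zone in $zones) {
    [pscustomobject]@{
        Zone          = $zone.ZoneName
        ADIntegrated  = $zone.IsDsIntegrated
        DynamicUpdate = $zone.DynamicUpdate    # None, NonsecureAndSecure, Secure
        NeedsAction   = (-not $zone.IsDsIntegrated) -or ($zone.DynamicUpdate -ne 'Secure')
    }
}
$findings | Format-Table -AutoSize

# 2. Remediate: convert a standard primary zone to AD-integrated (replicated to
#    all DCs in the domain), then allow secure updates only. Remove -WhatIf to
#    apply the changes instead of previewing them.
foreach ($f in $findings | Where-Object { $_.NeedsAction }) {
    if (-not $f.ADIntegrated) {
        ConvertTo-DnsServerPrimaryZone -ComputerName $dnsServer -Name $f.Zone `
            -ReplicationScope Domain -Force -WhatIf
    }
    Set-DnsServerPrimaryZone -ComputerName $dnsServer -Name $f.Zone `
        -DynamicUpdate Secure -WhatIf
}

# 3. DnsUpdateProxy members write records with no owner, so any other updater
#    can change those records. Every member should therefore be an authorized
#    DHCP server; flag any member that is not.
$authorizedDhcp = (Get-DhcpServerInDC).DnsName
foreach ($member in Get-ADGroupMember -Identity 'DnsUpdateProxy') {
    $fqdn = $null
    if ($member.objectClass -eq 'computer') {
        $fqdn = (Get-ADComputer -Identity $member.distinguishedName).DNSHostName
    }
    if ($fqdn -and ($authorizedDhcp -contains $fqdn)) {
        "OK:     $fqdn is an authorized DHCP server"
    } else {
        "REVIEW: $($member.name) ($($member.objectClass)) is in DnsUpdateProxy but is not an authorized DHCP server"
    }
}
```

Run it from an account that can read DNS and Active Directory; the remediation step only previews changes until -WhatIf is removed.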
The DNS and Active Directory Relationship
To this point, we've discussed DNS in detail, including how to integrate DNS into Active Directory. As you've no doubt noticed, DNS is an important network service. Active Directory, as you've also likely noticed by now, is the heart and soul of a Windows Server 2003 network infrastructure. Thus, it only stands to reason that Active Directory cannot function without a reliable and functional DNS implementation in place. Here are some key points that emphasize the importance of DNS to Active Directory:
Of course, the list goes on, but the failures mentioned are some of the more important ones, ones that will likely bring your Active Directory domain to its knees. In short, without DNS, you won't have an Active Directory implementation.