Integrating Active Directory and DNS


Throughout this chapter, we've been working with standard DNS zones on a Windows Server 2003 member server, that is, a server that is not a Domain Controller. While there is nothing wrong (at a basic level) with this configuration and implementation of the Windows Server 2003 DNS service, to fully utilize the power and flexibility of the service, you should use Active Directory-integrated DNS. Active Directory-integrated DNS offers several performance enhancements and is inherently more secure. Recall that the Security tab in the server Properties dialog box is unavailable for standard DNS servers; it is available only when DNS is running on a Domain Controller. Likewise, the Security tab in the zone Properties dialog box is available only when a zone is configured as Active Directory-integrated and running on a Domain Controller. Additionally, only when using Active Directory-integrated zones will you be able to configure Secure dynamic updates.

Exam Alert: Securely Implementing DNS Using Windows Server 2003

Active Directory is more secure than a flat file, and updates and zone transfers occur as part of Active Directory replication activities, which are encrypted. As a result, an Active Directory-integrated zone is the most secure DNS implementation possible.


Configuring Existing Zones for Active Directory Integration

If you have DNS running on your Domain Controller and have zones created, but have not created any Active Directory-integrated zones, then it is fairly painless to make the integration occur. Step by Step 3.9 presents the process you should follow.

Note: Getting into the Zone

If you completed Step by Steps 3.2, 3.5, and 3.6 on a DNS server that was running on a Domain Controller and did not integrate the zones into Active Directory, then you can proceed directly into Step by Step 3.9. If you need to create a new standard primary zone on your DNS server that is running on a Domain Controller, then repeat Step by Step 3.5 and create a primary zone named development.quepublishing.com. In Step by Step 3.9, we use that zone, although you can use the previous publishing.quepublishing.com zone if it meets the requirements discussed.


Step By Step
3.9. Changing Zone Replication and Dynamic Update Configuration

1. Log on to Windows Server 2003 using the Administrator account or another account that has administrator privileges.

2. Open the DNS console by selecting Start, Control Panel, Administrative Tools, DNS.

3. Select the zone to be configured, right-click it, and select Properties from the context menu. The zone Properties dialog box opens to the General tab, as seen in Figure 3.46.

Figure 3.46. You will change the zone replication and dynamic update configuration from the General tab of the zone Properties dialog box.

4. Click the Change button in the Type area of the General tab to open the Change Zone Type dialog box, as seen in Figure 3.47.

Figure 3.47. The configuration change to Active Directory-integrated requires only one check box to be clicked.

5. Click the Store the Zone in Active Directory check box and click OK to accept the configuration change. You will be prompted to confirm that you really want to make the change; click Yes to make the change.

6. The General tab of the zone Properties dialog box will now reflect the change you've made and allow you to configure the replication scope of the zone, as seen in Figure 3.48.

Figure 3.48. Note the changes to the General tab of the zone Properties dialog box after changing the zone to Active Directory-integrated.

7. To change the replication scope of the zone, click the Change button in the Replication section of the General tab. The Change Zone Replication Scope dialog box opens, as seen in Figure 3.49.

Figure 3.49. You can configure how the zone is replicated in your Active Directory environment.

8. The option to replicate the zone to all Domain Controllers in the domain is usually the best option. Click OK to close the Change Zone Replication Scope dialog box.

9. The last configuration change is to select Secure only from the Dynamic updates drop-down list, so that the zone accepts only Secure dynamic updates. After this has been completed and applied, your zone settings should look like those seen in Figure 3.50.

Figure 3.50. This zone is now configured for optimal operation.


Exam Alert: About Secure Dynamic Updates

When you enable Secure dynamic updates on a DNS zone, each resource record has exactly one owner, and only that owner can update the record. This becomes an unacceptable and impossible condition when you have multiple DHCP servers registering host (A) records on behalf of clients that cannot perform the action themselves, because the DHCP server that registers a record becomes the owner of that record.

Without some other provision in place, only the DHCP server that originally registered the record could update it in the future, and problems would soon ensue in your DNS zones. To avoid this problem, add all authorized DHCP servers to the DnsUpdateProxy security group. Members of this special security group are blocked from recording ownership on any resource records they create or update in DNS. Since no ownership information is recorded on the record, any other DHCP server on your network can then change that record as required.

You should realize, however, that this solution does decrease the security offered by enforcing only secure dynamic updates, because no owner is specified for these records. Windows 2000 and Windows XP client computers do not cause this problem because they can register their own A records without any assistance from the DHCP server. Because this is a new feature, you should expect to see a question about the DnsUpdateProxy security group on your 70-291 exam.


Creating New Active Directory-Integrated Zones

If you want to create a brand new Active Directory-integrated zone, you can do that easily enough. To complete that process, follow the steps outlined in Step by Step 3.10, which is very similar to the steps you completed previously in Step by Step 3.5.

Step By Step
3.10. Creating and Configuring a New Active Directory-Integrated Zone

1. Log on to Windows Server 2003 using the Administrator account or another account that has administrator privileges.

2. Open the DNS console by selecting Start, Control Panel, Administrative Tools, DNS. Right-click the Forward Lookup Zones container and select New Zone from the context menu. The Welcome to the New Zone Wizard appears. Click Next to dismiss the Wizard's opening page and continue to the Zone Type screen, which was shown in Figure 3.23.

3. Select Primary zone to make this DNS server authoritative for the zone you are creating. Also ensure that you select the check box to make the zone Active Directory-integrated. Click Next to continue to the Active Directory Zone Replication Scope page, as seen in Figure 3.51.

Figure 3.51. You'll get to configure how the zone is replicated this time.

4. Typically, you'll be fine selecting the To All Domain Controllers in the Domain option. Make your selection and click Next to continue to the Zone Name screen, as was shown in Figure 3.24.

5. Enter the name of the domain for which you will be resolving names into the Zone Name field. In this example, I'm using marketing.quepublishing.com, but you can use something else if you like. Click Next and the Dynamic Update screen appears, as seen in Figure 3.52.

Figure 3.52. You'll also get to configure how dynamic updates to the zone are handled.

6. On the Dynamic Update screen, select Only Allow Secure Dynamic Updates. After making your selection, click Next. The Completing the New Zone Wizard dialog box appears, as seen in Figure 3.53. This screen allows you to review the configurations you selected and either go back to correct mistakes or cancel the wizard before the changes are committed.

Figure 3.53. You need to double-check your information before committing the changes you just made.

7. Click Finish to complete the configuration. Notice that the zone that was configured by the wizard now appears in the DNS console.
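The same configuration can be scripted instead of clicked through. The batch file below is an added example, not the book's own procedure: it performs Step by Step 3.9 (convert an existing standard primary zone, set domain-wide replication, require secure updates), Step by Step 3.10 (create a new Active Directory-integrated zone) and the DnsUpdateProxy membership from the Exam Alert using dnscmd.exe and net group. It assumes the Domain Controller is named DC01, the zones are development.quepublishing.com and marketing.quepublishing.com, and the DHCP servers are DHCP01 and DHCP02; all of those names are placeholders.

```batch
@echo off
rem Added example (not from the book). Requires dnscmd.exe (Windows Server 2003
rem Support Tools) run by a domain administrator on a DC that hosts DNS.
rem Assumed placeholder names: DC01, DHCP01, DHCP02 and the two zones below.
setlocal
set DNSSRV=DC01
set OLDZONE=development.quepublishing.com
set NEWZONE=marketing.quepublishing.com

rem --- Step by Step 3.9: convert the existing standard primary zone ---
rem Same effect as the "Store the zone in Active Directory" check box (Figure 3.47).
dnscmd %DNSSRV% /ZoneResetType %OLDZONE% /DsPrimary
if errorlevel 1 goto :fail
rem Same effect as the replication scope dialog (Figure 3.49): all DCs in the domain.
dnscmd %DNSSRV% /ZoneChangeDirectoryPartition %OLDZONE% /domain
if errorlevel 1 goto :fail
rem Same effect as "Dynamic updates: Secure only" (Figure 3.50); 2 = secure only.
dnscmd %DNSSRV% /Config %OLDZONE% /AllowUpdate 2
if errorlevel 1 goto :fail

rem --- Step by Step 3.10: create a new AD-integrated primary zone ---
rem /dp /domain stores it in the domain partition (replicates to all DCs in the domain).
dnscmd %DNSSRV% /ZoneAdd %NEWZONE% /DsPrimary /dp /domain
if errorlevel 1 goto :fail
dnscmd %DNSSRV% /Config %NEWZONE% /AllowUpdate 2
if errorlevel 1 goto :fail

rem --- Exam Alert: let every authorized DHCP server update records another one created ---
rem Computer accounts carry a trailing $ when named in net group.
net group DnsUpdateProxy DHCP01$ /add /domain
net group DnsUpdateProxy DHCP02$ /add /domain

rem --- Verify: each zone should report DS integrated = 1 and update = 2 (secure only) ---
for %%Z in (%OLDZONE% %NEWZONE%) do (
    echo === %%Z ===
    dnscmd %DNSSRV% /ZoneInfo %%Z | findstr /i /c:"integrated" /c:"update"
)
endlocal
exit /b 0

:fail
echo dnscmd returned error %errorlevel%; stopping before later steps. Check the DNS Server event log.
endlocal
exit /b 1
```

Run it once per domain; dnscmd reports an error rather than converting a zone twice, and the membership additions are harmless to repeat.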

The DNS and Active Directory Relationship

To this point, we've discussed DNS in detail, including how to integrate DNS into Active Directory. As you've no doubt noticed, DNS is an important network service. Active Directory, as you've also likely noticed by now, is the heart and soul of a Windows Server 2003 network infrastructure. Thus, it only stands to reason that Active Directory cannot function without a reliable and functional DNS implementation in place.

Here are some key points that emphasize the importance of DNS to Active Directory:

  • Without a properly working DNS infrastructure, Domain Controllers will not be able to replicate information about the domain among themselves.

  • Without a properly working DNS infrastructure, Windows 2000 and Windows XP client computers will experience long logon times or possibly the inability to log on at all.

  • Without a properly working DNS infrastructure, Exchange Server 2003 and Exchange 2000 Server will not be able to work, and servers will likely fail to start critical services properly.

Of course, the list goes on, but the failures mentioned are some of the more important ones, the ones that will likely bring your Active Directory domain to its knees. In short, without DNS, you won't have an Active Directory implementation.




MCSA/MCSE 70-291: Implementing, Managing, and Maintaining a Microsoft Windows Server 2003 Network Infrastructure (Exam Prep)
ISBN: 0789736497
Year: 2006
Pages: 196
Authors: Will Schmied
