Active Directory Integrated DNS Zones

Some benefits of running DNS on Domain Controllers

In my last posting I mentioned that it’s not necessarily a good idea to always separate AD DS (Active Directory Domain Services) and DNS onto different systems. Let’s now take a closer look at why that might be the case. If you run DNS on domain controllers, you have the opportunity to use something called Active Directory Integrated zones, or ADI zones. In classical DNS, the zone information is stored in text files that sit on the hard drive. Yes, they’re protected by NTFS, but you don’t have the ability to impose per-record security. When you create an ADI zone, the zone information (and all the associated resource records) is imported into the AD database, NTDS.DIT, and the zones and zone records become objects in AD.

This has a variety of benefits (and potentially some downsides as well). From the security standpoint, you now have the ability to protect individual DNS records, should you want to do so. You also get those DNS files out of their well-known hard drive locations and into AD, which is somewhat more complicated to peek inside.

With an ADI zone, DNS must run on a domain controller, because only DCs have a copy of NTDS.DIT. Note that this does not mean that all DCs automatically become DNS servers; only systems that have the DNS service installed can be DNS servers. Another security benefit of ADI zones is something called “secure updates,” which we’ll discuss tomorrow!
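To see the two points above on a real domain controller (which zones are still file-backed text files versus stored in NTDS.DIT, and the per-record ACL that only an ADI zone can carry), here is an added PowerShell check that is not part of the original post. It assumes the DnsServer and ActiveDirectory modules are installed on the DC you run it on; the domain name contoso.com and the host record fileserver01 are placeholders to replace with your own.

```powershell
# Added example (not from the original post). Run on a domain controller that
# also holds the DNS Server role. contoso.com / fileserver01 are placeholders.
Import-Module DnsServer
Import-Module ActiveDirectory

# 1. Inventory: which zones are AD-integrated (objects in NTDS.DIT) and which
#    are classical zones kept in %SystemRoot%\System32\dns\*.dns text files?
Get-DnsServerZone |
    Where-Object { -not $_.IsAutoCreated } |
    Select-Object ZoneName, ZoneType, IsDsIntegrated,
                  ReplicationScope, DirectoryPartitionName, DynamicUpdate |
    Format-Table -AutoSize

# 2. Flag primary zones that are not ADI: these cannot have per-record security,
#    only the NTFS ACL on the zone file protects them.
Get-DnsServerZone |
    Where-Object { $_.ZoneType -eq 'Primary' -and -not $_.IsDsIntegrated } |
    ForEach-Object {
        Write-Warning "Zone $($_.ZoneName) is file-backed; per-record ACLs are not available"
    }

# 3. Per-record security: read the ACL of the dnsNode object behind one record.
#    For a zone whose ReplicationScope is 'Domain', records live under the
#    DomainDnsZones application partition, as dnsNode objects named after the
#    record's relative name.
$zone     = 'contoso.com'     # placeholder: your ADI zone
$record   = 'fileserver01'    # placeholder: a host record in that zone
$domainDn = (Get-ADDomain).DistinguishedName
$nodeDn   = "DC=$record,DC=$zone,CN=MicrosoftDNS,DC=DomainDnsZones,$domainDn"

# Confirm the record really is an AD object (objectClass dnsNode) ...
Get-ADObject -Identity $nodeDn -Properties dnsRecord |
    Select-Object DistinguishedName, ObjectClass

# ... and show who may modify it. This is the per-record protection that a
# text-file zone cannot offer; review entries that are not inherited from the
# zone, since those are record-specific grants.
(Get-Acl -Path "AD:\$nodeDn").Access |
    Select-Object IdentityReference, AccessControlType, ActiveDirectoryRights, IsInherited |
    Format-Table -AutoSize
```

Zones replicated forest-wide live under DC=ForestDnsZones instead of DC=DomainDnsZones; the DirectoryPartitionName column in step 1 tells you which partition to use for the DN in step 3.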
