I’ve found the AD/DNS relationship to be one of the least understood aspects of Active Directory, and the literature is full of misinformation and half-truths. I was surprised to realize that in this blog, we’ve never taken a closer look at how DNS supports the inner workings of Active Directory in Windows Server 2008 and Server 2003. So, to right that wrong, the next few entries will do just that. And a logical place to begin might be the potential benefits of combining DNS and AD on the same computer.
Conventional wisdom suggests that role separation – dividing network functions among physically or logically separate machines and/or virtual machines – can have many benefits. The benefits usually cited include performance; configuration optimization; troubleshooting; reduced impact of any one system’s downtime; and simplicity of setup. While those are all often true, occasionally the conventional wisdom is incorrect, and it is often so with DNS and Active Directory.
While it’s not necessary to integrate DNS with AD, doing so brings a variety of benefits. Domain controllers spend a reasonable amount of time consulting DNS, so there’s an advantage in network bandwidth utilization if a DC can consult itself instead of putting queries out on the wire. But beyond the synergy of putting two roles on one machine when those roles require frequent communication with each other, running DNS on the same system as Active Directory Domain Services (AD DS) opens up the possibility of creating Active Directory Integrated (ADI) zones, with their attendant security benefits. For example, with integrated DNS, you can specify security down to the individual DNS resource record if you want – a capability that you can’t easily achieve in an environment where DNS and AD run on separate systems.
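To make the per-record security concrete, here is an added example (not from the original post) that reads the ACL on a single record in an AD-integrated zone and lists which principals are allowed to modify it. It assumes the ActiveDirectory PowerShell module (RSAT) and a zone replicated to the DomainDnsZones partition; the zone and record names are placeholders.

```powershell
# Added example: audit who can modify a record in an AD-integrated zone.
# Assumes the ActiveDirectory module is available and the zone uses the
# DomainDnsZones replication scope. Zone/record names are placeholders.
Import-Module ActiveDirectory

function Get-DnsRecordWriters {
    param(
        [Parameter(Mandatory)] [string] $Zone,     # e.g. "example.com"
        [Parameter(Mandatory)] [string] $Record,   # e.g. "fileserver01"
        [string] $Domain = $Zone                   # AD domain that hosts the zone
    )
    # In an ADI zone each record set is a dnsNode object stored under the
    # zone container in the DomainDnsZones application partition.
    $domainDn = ($Domain.Split('.') | ForEach-Object { "DC=$_" }) -join ','
    $nodeDn   = "DC=$Record,DC=$Zone,CN=MicrosoftDNS,DC=DomainDnsZones,$domainDn"

    # The AD: drive exposes directory objects, so Get-Acl returns the DACL.
    $acl = Get-Acl -Path "AD:\$nodeDn"

    # Rights that allow changing the record (or its permissions).
    $writeRights = 'WriteProperty','GenericWrite','GenericAll','WriteDacl','WriteOwner'

    $acl.Access |
        Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            (($_.ActiveDirectoryRights.ToString() -split ',\s*') |
                Where-Object { $writeRights -contains $_ })
        } |
        Select-Object @{ n = 'Record'; e = { $nodeDn } },
                      IdentityReference, ActiveDirectoryRights, IsInherited
}

# Example call; replace the placeholders with your own zone and record.
Get-DnsRecordWriters -Zone 'example.com' -Record 'fileserver01' | Format-Table -AutoSize
```

Entries with IsInherited set to True come from the zone container’s ACL; an explicit (non-inherited) entry is typically the account that registered the record via secure dynamic update.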
This merits further analysis, but for now, let’s just say that DNS and AD go together like beans and cornbread, and the advantages of running these services on the same system, be it physical or virtual, can be significant. In upcoming posts, we’ll see how AD relies on DNS for far more than just a naming system, and we’ll consider the performance and security effects of choosing to bring these two services together. We’ll also take a look at how AD relies on DNS for service locations and site awareness.
Glenn Weadock is a longtime instructor for Global Knowledge and teaches Windows 7, Server 2008, and Active Directory. He has recently co-developed with Mark Wilkins two advanced Server 2008 classes in the Microsoft Official Curriculum. Glenn also consults through his Colorado-based company Independent Software, Inc. and is technical director of MarketCoach Investment Education Software LLC.