Network World

Glenn Weadock

Active Directory Integrated DNS Zones

Some benefits of running DNS on Domain Controllers

By Glenn Weadock on Thu, 11/12/09 - 12:03pm.

In my last posting I mentioned that it is not necessarily a good idea to always put AD DS (Active Directory Domain Services) and DNS on separate systems. Let's now take a closer look at why that might be the case.

If you run DNS on domain controllers, you have the opportunity to use something called Active Directory Integrated zones, or ADI zones. In classical DNS, a primary zone is a text file on the server's disk (by default under %SystemRoot%\System32\dns). Yes, that file is protected by NTFS, but NTFS only sees the file as a whole: you have no way to impose security on an individual record.

When you create an ADI zone, the zone and all of its resource records are stored in the AD database, NTDS.DIT, instead of in a zone file. On Windows Server 2003 and later the usual home is the DomainDnsZones or ForestDnsZones application partition, depending on the replication scope you choose (the domain partition itself is also an option, for Windows 2000 compatibility). The zone becomes a dnsZone object under CN=MicrosoftDNS, and every name in the zone becomes a dnsNode object beneath it. This has a variety of benefits (and potentially some downsides as well). From the security standpoint, you now have the ability to protect individual DNS records, should you want to do so. You also get the DNS data out of its well-known location on disk and into AD, which is somewhat more complicated to peek inside, although not private: the default ACL on a zone grants Authenticated Users read access, so any domain user can still enumerate the zone's names over LDAP.
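As an added illustration (this is not code from the original post), the following PowerShell locates an ADI zone's objects in the directory and shows that each record node carries its own security descriptor. It assumes the ActiveDirectory module (Windows Server 2008 R2 or RSAT), a zone named corp.example stored with domain-wide replication scope in the domain DC=corp,DC=example, and a record named host1; all of these are placeholders for your own environment.

```powershell
# Added example, not from the original article. Placeholders (assumptions):
# zone 'corp.example' with domain-wide replication scope, domain DN
# DC=corp,DC=example, an existing record named 'host1'.
Import-Module ActiveDirectory

$zoneName  = 'corp.example'
$partition = 'DC=DomainDnsZones,DC=corp,DC=example'   # ForestDnsZones for forest-wide scope
$zoneDN    = "DC=$zoneName,CN=MicrosoftDNS,$partition"

# The zone itself is a dnsZone object in the application partition ...
Get-ADObject -SearchBase $zoneDN -SearchScope Base -Filter * |
    Select-Object Name, ObjectClass, DistinguishedName

# ... and every name in the zone is a dnsNode child object. The records for
# that name are stored in the node's multi-valued dnsRecord attribute
# (binary, format documented in MS-DNSP).
Get-ADObject -SearchBase $zoneDN -SearchScope OneLevel `
    -Filter 'objectClass -eq "dnsNode"' -Properties dnsRecord |
    Select-Object Name, @{ n = 'RecordCount'; e = { $_.dnsRecord.Count } } |
    Format-Table -AutoSize

# Per-record security: read the ACL of one node through the AD: drive.
# A file-backed zone has no equivalent; the closest thing is the NTFS ACL
# on the whole zone file.
$recordAcl = Get-Acl -Path "AD:\DC=host1,$zoneDN"
$recordAcl.Access |
    Select-Object IdentityReference, ActiveDirectoryRights, AccessControlType, IsInherited |
    Format-Table -AutoSize
```

Because the default zone ACL gives Authenticated Users read access, the enumeration above works for any domain user, not just DNS administrators; the ACL output will show most entries as inherited from the zone object, which is the behaviour the record-level Security tab lets you override.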

With an ADI zone, DNS must run on a domain controller, because only DCs hold a copy of NTDS.DIT. Note that this does not mean that all DCs automatically become DNS servers. Only DCs on which the DNS Server service is installed act as DNS servers.

Another security benefit of ADI zones in AD is something called “secure updates,” which we’ll discuss tomorrow!

One more thing...


You can set security on individual DNS records in an ADI zone by right-clicking the record in the DNS console, choosing Properties, and clicking the Security tab. You will notice that in a "classical" DNS zone (i.e. non-ADI), when you look at the properties of an individual record, there's no Security tab.

What's the benefit of setting record-level security?


What does this get you in real life?

Mainly administrative control.


Because most everything in AD has an ACL, once DNS records and zones become objects in AD, they have ACLs too. Now I have rarely seen this facility used to control access to individual records - after all, most DNS records get autogenerated through dynamic update - but I have seen it used to control administrative access to zones. You can have very detailed control over what groups in your organization can perform specific actions in a given DNS zone. You can use this capability either to relax control by extending DNS zone permissions beyond the usual groups (DNS admins, domain admins, enterprise admins) or to tighten control by restricting permissions.
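The two uses described in the comments above, relaxing control by delegating a zone to a custom group and tightening control over a single record, as an added PowerShell example (not code from the original post). It assumes the ActiveDirectory module, the placeholder zone corp.example in the DomainDnsZones partition of DC=corp,DC=example, an existing group named DNS-Ops-corp, a record named www, and that you run it as a principal allowed to modify these ACLs (for example a member of Domain Admins).

```powershell
# Added example, not from the original article. Placeholders (assumptions):
# zone corp.example in DomainDnsZones of DC=corp,DC=example, delegation group
# 'DNS-Ops-corp', record 'www'. Run as a principal that may change these ACLs.
Import-Module ActiveDirectory

$zoneDN   = 'DC=corp.example,CN=MicrosoftDNS,DC=DomainDnsZones,DC=corp,DC=example'
$recordDN = "DC=www,$zoneDN"
$group    = Get-ADGroup -Identity 'DNS-Ops-corp'
$groupSid = [System.Security.Principal.SecurityIdentifier] $group.SID

# 1. Relax: give the group full control of the zone object and, through
#    inheritance, of every dnsNode beneath it.
$zoneAcl = Get-Acl -Path "AD:\$zoneDN"
$rule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $groupSid,
    [System.DirectoryServices.ActiveDirectoryRights]::GenericAll,
    [System.Security.AccessControl.AccessControlType]::Allow,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All)
$zoneAcl.AddAccessRule($rule)
Set-Acl -Path "AD:\$zoneDN" -AclObject $zoneAcl

# 2. Tighten: lock one record so that only the delegated group and the usual
#    administrative principals keep the ability to change or delete it.
$recordAcl = Get-Acl -Path "AD:\$recordDN"

# Stop inheriting from the zone, but copy the inherited ACEs first so the
# DACL is pruned explicitly rather than rebuilt from nothing.
$recordAcl.SetAccessRuleProtection($true, $true)

# Principals whose write access survives (wildcards match the domain prefix).
$keep = @('NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators',
          '*\Domain Admins', '*\Enterprise Admins', '*\DnsAdmins',
          "*\$($group.Name)")

# Rights that let a principal modify the record; GenericAll includes these bits.
$writeRights = [System.DirectoryServices.ActiveDirectoryRights] `
    'WriteProperty, GenericWrite, Delete, DeleteTree, WriteDacl, WriteOwner'

foreach ($ace in @($recordAcl.Access)) {
    $who  = $ace.IdentityReference.Value
    $kept = $false
    foreach ($pattern in $keep) {
        if ($who -like $pattern) { $kept = $true; break }
    }
    $modifies = ([int] $ace.ActiveDirectoryRights -band [int] $writeRights) -ne 0
    # Read-only ACEs stay (management tools still need to see the record);
    # every other Allow ACE for a principal outside the list is removed.
    if (-not $kept -and $ace.AccessControlType -eq 'Allow' -and $modifies) {
        [void] $recordAcl.RemoveAccessRuleSpecific($ace)
    }
}
Set-Acl -Path "AD:\$recordDN" -AclObject $recordAcl

# Verify the result: only the allow-listed principals should retain write rights.
(Get-Acl -Path "AD:\$recordDN").Access |
    Select-Object IdentityReference, ActiveDirectoryRights, AccessControlType, IsInherited |
    Format-Table -AutoSize
```

One caveat before tightening a record this way: a name that was registered through dynamic update carries an Allow ACE for the account that created it (typically the computer account), and that ACE is what lets the client refresh its own record. Pruning it, as the loop above does for any principal not on the list, means the client's next dynamic update will be refused; reserve record-level restrictions for static records you manage by hand.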

About Glenn Weadock on Windows Server 2008

Glenn Weadock is a longtime instructor for Global Knowledge and teaches Windows 7, Server 2008, and Active Directory. He has recently co-developed with Mark Wilkins two advanced Server 2008 classes in the Microsoft Official Curriculum. Glenn also consults through his Colorado-based company Independent Software, Inc. and is technical director of MarketCoach Investment Education Software LLC.
