Active Directory DNS Zones explained

Active Directory depends on DNS for name resolution and locating resources on a network. DNS has a database that maintains resource records, which helps identify various servers, domains, and services on the network. Domain Name System (DNS) is a name resolution method that is used to resolve hostnames to IP addresses. It is used on TCP/IP networks and across the internet. DNS is a namespace. Active Directory is built on DNS. DNS namespace is used internet-wide while the Active Directory namespace is used across a private network. The reason behind the choice of DNS is that it is highly scalable and it is an internet standard.

Some of the common types of DNS resource records are:

  • A Record: Name to IP address mapping</li
  • CNAME: Maps an alias to the canonical name
  • MX Record: Used to identify mail servers
  • NS Record: Identifies the name servers for a particular zone
  • SOA: Start of Authority records
  • TXT: Allows any text to be inserted into a DNS record

There are many more record types, and without these records, everything would be accessed by an IP address.

DNS Zones provide us a way to maintain these records on one or more servers.
Active Directory Integrated Zones

Active Directory Integrated Zones stores its zone data in Active Directory. Integrated zones can be replicated to all domain controllers in the domain and forest. Active Directory integrated zones use multi-master replication, this means any domain controller running the DNS server service can write updates to the zone for which they are authoritative.

Advantages of Active Directory integrated Zones

  • Replication is faster, more secure and efficient.
  • Better redundancy due to zone data being copied to all Domain Controllers
  • Improved Security if secure dynamic update is enabled
  • No need to schedule or manage zone transfers

Primary Zone
This is the main zone and has a read/write copy of the zone data. All changes to the zone are made in the primary zone and are replicated to the secondary zones.

The zone data is stored in a text file located in this folder c:\windows\system32\DNS on the Windows server running DNS.

Secondary Zone
A secondary Zone is a read-only copy of the primary zone. This zone cannot process updates and can only retrieve updates from the primary zone. This zone can answer DNS name resolution queries from clients nodes, this helps reduce the workload on the primary zone. Secondary zones cannot be active directory integrated.

Stub Zone
Stub zones are like a secondary zone but only stores partial zone data. These zones are useful to help reduce zone transfers by passing the requests to authoritative servers. These zones only contain the SOA, NS and A records.

Forward Lookup Zone
A forward lookup zone provides hostname to IP address resolution.

When you access a system or website by its hostname such as mcirosoft.com DNS checks the forward lookup zone for the IP information related to the hostname.

Reverse Lookup Zone
Reverse lookup zones resolve IP addresses into hostnames.

For example, when you look up the IP 8.8.8.8 it resolves to google-public-dns-a.google.com. A reverse DNS record had to be created for the IP to resolve to the hostname.

Reverse lookup zones are not as common as forwarding lookups and in most cases are not needed.

Zone Transfers
Zone transfers take place when they are not integrated with Active Directory. A Zone transfer is where the master DNS servers transfer zone data from the master to secondary.

Zone transfers can occur during any of the following

  • When the refresh interval expires
  • When a master server notifies a change has occurred
  • When the server has rebooted or DNS service has restarted
  • A manual transfer has occurred from the DNS console