
DNS Question: AD Integrated Zones (Any Other Method in .NET DNS)


SeerHawk[SG]

Oct 31, 2002, 2:52:04 PM
Any method of replicating .NET DNS Servers creating
writable copies of the DNS on both machines without
enabling "Active Directory Integrated Zones". The problem
is I would like to leave the .NET DNS Servers as non
DC's. Is the only option to use Primary and Secondary DNS
Zones if I want to leave them as standalone DNS Servers
(In this way making them not both writable copies)?

Help!

Ace Fekay [MVP]

Oct 31, 2002, 9:17:48 PM

"SeerHawk[SG]" <seer...@hotmail.com> wrote in message
news:8cded263.0210...@posting.google.com...

From what I have seen so far of .NET, I don't believe there is, unless
someone else knows any better. That is an AD Integrated feature where the
zone exists in the Domain NC partition of the AD database and follows the
domain controllers rules of all of them being a master (multi-master), all
based on AD replication rules. However, there are some cool new features
with .NET DNS services.

--
Ace
Please direct all replies to the newsgroup so all can benefit.

Ace Fekay, MCSE 2000, MCSE+I, MCSA, MCT, MVP
Microsoft Windows MVP - Active Directory
--


Michael Buchardt

Nov 2, 2002, 11:28:57 AM
Hi

You can only host an Active Directory Integrated zone on a Domain Controller
in Windows .NET 2003.
So if you want to run the DNS service on a Member Server then you are
"stuck" with Primary/Secondary Zones.


Kind Regards

Michael Buchardt

"Ace Fekay [MVP]" <PleaseSubstituteMyFirstName&LastNa...@hotmail.com>
skrev i en meddelelse news:e7#BB0UgCHA.2476@tkmsftngp10...

William Stacey [MVP]

Nov 2, 2002, 12:12:33 PM
Correct. If you don't want DCs, then you need to use standard primary and
secondary zones. You could use two primaries and script some kind of
synchronization process, but not what you want to do I'm sure.

--
William Stacey, MCSE
Windows MVP (DNS/DHCP/WINS)

"SeerHawk[SG]" <seer...@hotmail.com> wrote in message
news:8cded263.0210...@posting.google.com...

Ace Fekay [MVP]

Nov 2, 2002, 8:31:48 PM

"William Stacey [MVP]" <sta...@mvps.org> wrote in message
news:#lcNQLpgCHA.2340@tkmsftngp08...

> Correct. If you don't want DCs, then you need to use standard primary and
> secondary zones. You could use two primaries and script some kind of
> synchronization process, but not what you want to do I'm sure.
>
> --
> William Stacey, MCSE
> Windows MVP (DNS/DHCP/WINS)
>
>


Thanks William, just as I thought.

Ace Fekay [MVP]

Nov 2, 2002, 8:31:23 PM

"Michael Buchardt" <jum...@image.dk> wrote in message
news:u3oAoyogCHA.2672@tkmsftngp09...

> Hi
>
> You can only host an Active Directory Integrated zone on a Domain Controller
> in Windows .NET 2003.
> So if you want to run the DNS service on a Member Server then you are
> "struck" with Primary/Secondary Zones.
>
>
> Kind Regards
>
> Michael Buchardt
>


Thanks Michael, so that part hasn't changed. I thought they might have
added something new to "stretch" it out, something like the way BIND will
allow you to create multiple "views", and allow/disallow queries by IP. That
would be a neat feature to add to DNS under Windows!!

SeerHawk[SG]

Nov 4, 2002, 3:20:05 PM
Thanks for everyone's feedback, the real reason I am asking this
question (DNS Authoritative Zones Writable without being DC's). One
other not so related question I need answered: where can I find out
some good information on the features of the "DNS Admins" group
privilege and what this group privilege can/cannot do on a domain
controller or member server DNS? The problem is we are trying to
restrict DNS Admin privilege (since our DNS Admin group will not be
focusing on really anything other than the DNS zones) from doing other
things in AD.

SeerHawk[SG]

Nov 4, 2002, 3:21:23 PM
Whoa after reading that last message I need to change a few words:

Thanks for everyone's feedback,

(DNS Authoritative Zones Writable without being DC's)

One other not so related question I need answered where can I find out

Ace Fekay [MVP]

Nov 4, 2002, 8:21:40 PM

"SeerHawk[SG]" <seer...@hotmail.com> wrote in message
news:8cded263.02110...@posting.google.com...

Hi SeerHawk

The DNSAdmin group is just that. Just for DNS. Similar to the Print
Operators or Group Policy Admin Groups. They are restricted to those specific
tasks.

As for multimaster DNS (multiple writable copies), that is only a feature
available on a DC. The RFCs don't allow multiple Primary zones. The AD
Integrated feature is an "enhancement" to the RFCs that allows that, since it
is really only one copy that is "copied" to other DCs because it is within
the "one" AD database in a domain (where each DC has a copy of this "one"
database).

SeerHawk[SG]

Nov 5, 2002, 2:35:08 PM
Thanks Ace,

Do you know if the DNS Admins group privileges will allow this group
of users the ability to change service states (Stop, Start)? In
addition these conceptual DNS Servers will also serve as our DHCP
Servers (each with separate scopes, due to our current subnetting
strategy). The problem I worry about also is that we are trying to
enforce loopback policies on all the servers including DC's, and
whether the loopback policy will take precedence over the "Domain Controller
Policy"; I think I remember hearing that this is not the case.

Ie: Do I or even can I build a custom Domain Controller Policy around
the DNS Admins and DHCP Admins and have another around all other AD
administrators on the DC's.

LMK if this doesn't make sense.

Ace Fekay [MVP]

Nov 5, 2002, 8:36:29 PM

"SeerHawk[SG]" <seer...@hotmail.com> wrote in message
news:8cded263.02110...@posting.google.com...
> Thanks Ace,
>
> Do you know if the DNS Admins group privileges will allow this group
> of users the ability to change service states (Stop, Start).

They could stop the service by rt-clicking the DNS server name in the MMC
and stop it but not necessarily goto the Services console, IIRC.

> In addition these conceptual DNS Servers will also serve as our DHCP
> Servers (each with separate scopes, due to our current subnetting
> strategy). The problem I worry about also is that if we are trying to
> enforce loopback policies on all the servers including DC's. And if
> the loopback policy will take precedence over the "Domain Controller
> Policy", I think I remember hearing that this is not the case.

I have not tried loopback with DCs. Usually we create a separate OU for
machines that need a specific shell or some other implementation that we
want to lock it down with loopback or get the computer portion of the GP to
re-run and apply. If there are any security settings in the GP that will
lock out admins, this may be detrimental, but then again I haven't tested
that.

>
> Ie: Do I or even can I build a custom Domain Controller Policy around
> the DNS Admins and DHCP Admins and have another around all other AD
> administrators on the DC's.

Instead of creating your own DC policy, there are specific types of
templates you can use that are supplied to offer different levels of
security. Have you looked at the Security & Configuration Analysis snap-in
and the Security Templates snap-in? You can use one of the supplied ones or
you can customize them or create your own in there.

I wouldn't say that you need to build a custom Domain
Controller Policy around them. If you check, the DNS Admins have FC in DNS
(if you have an AD Integrated zone, check the security tab). That is the
only place they have FC. Likewise for DHCP Admins. They have no access
elsewhere. Is that what you are trying to accomplish?

>
> LMK if this doesn't make sense.

I think I got it. LMK if I misunderstood.

SeerHawk[SG]

Nov 6, 2002, 9:32:08 AM
Hi Ace,

Yes it looks like you got the bulk of it. I am in the "conceptual"
planning stage but I have a mock environment to try some of this stuff
on. Yes I have seen the default templates included with Security
Configuration & Analysis although I really haven't looked into them
(other than the compatibility template). I just think from a design
point of view DNS AD Integrated Zones on Non-DC's should be available.
Making a DNS Server a DC just to add the writable zones on both
servers seems to me to be a little extreme but maybe I'm just barking
because I don't fully understand it. Anyways I will try some of this
stuff out and let you know. Thanks very much for your help.

Ace Fekay [MVP]

Nov 6, 2002, 11:25:45 PM
"SeerHawk[SG]" <seer...@hotmail.com> wrote in message
news:8cded263.02110...@posting.google.com...
> Hi Ace,
>
> Yes it looks like you got the bulk of it..

See, sometimes I *do* understand stuff !!!!
;-)


> I am in "conceptual"
> planning stage but I have a mock environment to try some of this stuff
> on. Yes I have seen the default templates included with Security
> Configuration & Analysis although I really haven't looked into them
> (other than the compatibility template). I just think from a design
> point of view DNS AD Integrated Zones on Non-DC's should be available.

Nice theory but this would be impossible because the actual zone file is
stored within the Domain partition (one of the 3 logical partitions of AD)
of the AD database and is only available if on a DC. The AD database
(ntds.dit) can only exist on a DC, therefore, the AD Integrated zone can
only exist in DNS that is running on a DC. One other thing, that an AD
Integrated zone can only live on DCs in the same domain since the Domain
partition only replicates between DCs of a specific domain and is not forest
wide.

> Making a DNS Server a DC just to add the writeable zones on both
> servers seems to me to be a little extreme but maybe I'm just barking
> because I don't fully understand it.

See above.

> Anyways I will try some of this
> stuff out and let you know. Thanks very much for your help.

Wish you luck. Remember, it's usually a lot easier if you stick with the KISS
method.

SeerHawk[SG]

Nov 7, 2002, 12:06:37 PM
Hi Ace,

Re: Forest Wide Replication of DNS Zones

Can't .NET support forest wide replication of DNS zones from a
different domain I was also thinking about possibly creating a new
domain setting up AD, making a ADIZ DNS pair and then setting up some
forest wide replication of that DNS on our root "dummy" domain (Really
for recovery purposes in case of a disaster or reconfiguration /
collapsing/ expansion of the dns zones) Is this possible?

Jeff Westhead [MS]

Nov 7, 2002, 2:50:12 PM
Yes, in .NET a zone can be replicated to any subset of DCs in the forest.
The feature is designed so that replicating a zone to either all DCs in a
specific domain or all DCs in the forest is more or less a one-click
operation.

--

This posting is provided "AS IS" with no warranties, and confers no rights.


"SeerHawk[SG]" <seer...@hotmail.com> wrote in message
news:8cded263.02110...@posting.google.com...
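A way to verify both points from this thread on a current Windows DNS server, as an added example that is not from any poster here: the script lists the explicit rights DnsAdmins holds on the containers where AD-integrated zones are stored (Ace's "check the security tab"), checks that the group is not nested into broader admin groups, and shows each AD-integrated zone's replication scope (the domain-or-forest choice Jeff describes). It assumes the RSAT ActiveDirectory and DnsServer PowerShell modules (Windows Server 2012 or later, not the .NET Server beta discussed above), a caller allowed to read directory ACLs, and a DC that hosts the DomainDnsZones/ForestDnsZones partitions; $DnsServer and the zone name in the last comment are placeholders.

```powershell
# Added audit example (not from the thread). Assumes RSAT ActiveDirectory and
# DnsServer modules; $DnsServer is an assumed parameter, not a value from the thread.
param([string]$DnsServer = 'localhost')
Import-Module ActiveDirectory
Import-Module DnsServer

$domainDN = (Get-ADDomain).DistinguishedName
$forestDN = (Get-ADDomain -Identity (Get-ADForest).RootDomain).DistinguishedName

# Places a dnsZone object can live: the legacy location in the domain partition
# (Windows 2000 style) and the DomainDnsZones / ForestDnsZones application partitions.
$containers = @(
    "CN=MicrosoftDNS,CN=System,$domainDN",
    "CN=MicrosoftDNS,DC=DomainDnsZones,$domainDN",
    "CN=MicrosoftDNS,DC=ForestDnsZones,$forestDN"
)

foreach ($dn in $containers) {
    # Skip containers this DC does not host (an absent partition throws).
    try { $null = Get-ADObject -Identity $dn } catch { continue }
    # Explicit (non-inherited) ACEs granted to DnsAdmins on the container;
    # "GenericAll" here is the Full Control mentioned in the thread.
    (Get-Acl -Path "AD:\$dn").Access |
        Where-Object { $_.IdentityReference -like '*\DnsAdmins' -and -not $_.IsInherited } |
        ForEach-Object {
            '{0}: {1} {2}' -f $dn, $_.AccessControlType, $_.ActiveDirectoryRights
        }
}

# The other direction: DnsAdmins should not be nested in groups that carry
# rights outside DNS (Domain Admins, Administrators, Server Operators, ...).
Write-Output 'Groups DnsAdmins is a member of:'
Get-ADPrincipalGroupMembership -Identity 'DnsAdmins' |
    Select-Object -ExpandProperty Name

# AD-integrated zones and the partition each one replicates in.
Get-DnsServerZone -ComputerName $DnsServer |
    Where-Object { $_.IsDsIntegrated } |
    Select-Object ZoneName, ReplicationScope, DirectoryPartitionName |
    Format-Table -AutoSize

# To move one zone to forest-wide replication (every DC running DNS in the
# forest), with a placeholder zone name:
# Set-DnsServerPrimaryZone -ComputerName $DnsServer -Name 'corp.example' -ReplicationScope Forest
```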

William Stacey [MVP]

Nov 7, 2002, 10:00:03 PM
Point-and-click and Good things happen. :-)

--
William Stacey, MCSE
Windows MVP (DNS/DHCP/WINS)

"Jeff Westhead [MS]" <jwesth@no_spam.online.microsoft.com> wrote in message
news:uDAJ1aphCHA.2308@tkmsftngp12...

Ace Fekay [MVP]

Nov 8, 2002, 1:13:11 AM

"William Stacey [MVP]" <sta...@mvps.org> wrote in message
news:OQK8xKthCHA.1756@tkmsftngp12...

> Point-and-click and Good things happen. :-)
>
> --
> William Stacey, MCSE
> Windows MVP (DNS/DHCP/WINS)
>


I prefer a VUI (Voice User Interface).
"Computer, please set DNS glue record for zone...."
And have Majel Barrett Roddenberry answer with a confirmation.

NT Canuck

Nov 8, 2002, 2:23:30 AM
"Ace Fekay [MVP]" <PleaseSubstituteMyFirstName&LastNa...@hotmail.com>
wrote in message news:u#jhQ4uhCHA.1864@tkmsftngp11...

> I prefer a VUI (Voice User Interface).
> "Computer, please set DNS glue record for zone...."
> And have Majel Barrett Roddenberry answer with a confirmation.

Ok Ace,
working on it but still some rough spots...
(my computer's interface name is Crystal)

NTCanuck: Crystal, can you set a DNS glue record for a zone if I give you
the parameters?
Crystal: I'll tell me when you set a new record.

'Seek and ye shall find'
NT Canuck
http://ntcanuck.com
BIND-PE, DNS "fail-safe" for NT clients


Ace Fekay [MVP]

Nov 8, 2002, 7:10:39 AM
"NT Canuck" <ntca...@hotmail.com> wrote in message
news:SDJy9.678849$v53.28...@news3.calgary.shaw.ca...

> NTCanuck: Crystal, can you set a DNS glue record for a zone if I give you
> the parameters?
> Crystal: I'll tell me when you set a new record.

Did I miss something here in Crystal's response?

Ace


NT Canuck

Nov 8, 2002, 11:54:39 PM
"Ace Fekay [MVP]" <PleaseSubstituteMyFirstName&LastNa...@hotmail.com>
wrote in message news:evPQAAyhCHA.2232@tkmsftngp09...

> Did I miss something here in Crystal's response?

I suppose I look with different "eyes" Ace, this one
is supposed to give "help" in regards to syntax and what
to open/adjust based on the scanned/analyzed system.
Hopefully AI can do part of the job one day to ease the burden
on sysadmins or give them automatic forensics status.
It is maybe a bit of a "dream", but it feels good to try. ;-)

I put AI in background now (learning mode) until next
Spring (2003) and see if I have done training/data correctly.

Thank you for patience...just hard to get professional feedback.

Ace Fekay [MVP]

Nov 9, 2002, 2:09:02 AM
"NT Canuck" <ntca...@hotmail.com> wrote in message
news:jy0z9.724905$f05.29...@news1.calgary.shaw.ca...

No prob.

> Crystal: I'll tell me when you set a new record.

I was just lightly commenting on Crystal's syntax. Nothing meant by it.

Wish you luck with everything.
;-)
