Book: Windows Server 2012 R2 Storage, Security, & Networking Pocket Consultant

Integrating Active Directory and DNS

Active Directory domains use DNS to implement their naming structure and hierarchy. Active Directory and DNS are tightly integrated, so much so that you should install DNS on the network before you can install Active Directory Domain Services.

During installation of the first domain controller on an Active Directory network, you have the opportunity to automatically install DNS if a DNS server can’t be found on the network. You can also specify whether DNS and Active Directory should be integrated fully. In most cases, you should respond affirmatively to both requests.

With full integration, DNS information is stored directly in Active Directory, which enables you to take advantage of Active Directory’s capabilities.

Understanding the difference between partial integration and full integration is very important:

• Partial integration With partial integration, the domain uses standard file storage. DNS information is stored in text-based files that end with the .dns extension. The default location of these files is %SystemRoot%\System32\Dns. Updates to DNS are handled through a single authoritative DNS server. This server is designated as the primary DNS server for the particular domain or an area within a domain called a zone. Clients that use dynamic DNS updates through DHCP must be configured to use the primary DNS server in the zone. If they aren’t, their DNS information won’t be updated. Likewise, dynamic updates through DHCP can’t be made if the primary DNS server is offline.

• Full integration With full integration, the domain uses directory-integrated storage. DNS information is stored directly in Active Directory and is available through the container for the dnsZone object. Because the information is part of Active Directory, any domain controller can access the data, and you can use a multimaster approach for dynamic updates through DHCP. This enables any domain controller running the DNS Server service to handle dynamic updates. Furthermore, clients that use dynamic DNS updates through DHCP can use any DNS server within the zone. An added benefit of directory integration is the ability to use directory security to control access to DNS information.

If you look at the way DNS information is replicated throughout the network, you will find more advantages to full integration with Active Directory. With partial integration, DNS information is stored and replicated separately from Active Directory. By having two separate structures, you reduce the effectiveness of both DNS and Active Directory and make administration more complex. Because DNS is less efficient than Active Directory at replicating changes, you might also increase network traffic and the amount of time required to replicate DNS changes throughout the network.
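The following PowerShell audit is an added example and is not from the book. It uses the DnsServer module (installed with the DNS Server role or RSAT) to report, for every primary zone, whether it is file-backed (partial integration) or stored in AD DS (full integration) and whether it accepts nonsecure dynamic updates; the function name Get-DnsZoneIntegrationReport and the -ComputerName parameter are this example's own choices.

```powershell
#Requires -Modules DnsServer
# Added example (not from the book): audit DNS zones for storage mode and
# dynamic-update policy. Run with DNS administrator rights on, or against,
# a Windows DNS server. -ComputerName defaults to the local machine.

function Get-DnsZoneIntegrationReport {
    [CmdletBinding()]
    param(
        [string]$ComputerName = $env:COMPUTERNAME
    )

    # Only primary zones can be directory-integrated; skip auto-created
    # reverse zones (0.in-addr.arpa etc.) and secondary/stub/forwarder zones.
    $zones = Get-DnsServerZone -ComputerName $ComputerName |
        Where-Object { $_.ZoneType -eq 'Primary' -and -not $_.IsAutoCreated }

    foreach ($zone in $zones) {
        $findings = @()

        if ($zone.IsDsIntegrated) {
            # Full integration: multimaster updates, AD replication, directory ACLs.
            $storage = "AD DS ($($zone.ReplicationScope) scope)"
        } else {
            # Partial integration: a single primary server holds the .dns file,
            # so dynamic updates stop if it is offline and no directory ACLs apply.
            $storage = 'File (.dns)'
            $findings += 'File-backed zone; consider ConvertTo-DnsServerPrimaryZone -ReplicationScope Domain'
        }

        # "Secure" (Kerberos-authenticated) updates are only available for
        # AD-integrated zones. NonsecureAndSecure lets any host overwrite records.
        if ($zone.DynamicUpdate -eq 'NonsecureAndSecure') {
            $findings += 'Nonsecure dynamic updates allowed; prefer Secure on AD-integrated zones'
        }

        [pscustomobject]@{
            Zone          = $zone.ZoneName
            Storage       = $storage
            DynamicUpdate = $zone.DynamicUpdate
            Findings      = ($findings -join '; ')
        }
    }
}

# Usage: list every primary zone with its integration mode and any findings.
Get-DnsZoneIntegrationReport | Format-Table -AutoSize -Wrap
```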

In early releases of the DNS Server service for Windows servers, restarting a DNS server could take an hour or more in large organizations with extremely large AD DS-integrated zones. The operation took this much time because the zone data was loaded in the foreground while the server was starting the DNS service. To ensure that DNS servers can be responsive after a restart, the DNS Server service for Windows Server 2008 R2 and later has been enhanced to load zone data from AD DS in the background while the service restarts. This ensures that the DNS server is responsive and can handle requests for data from other zones.

At startup, DNS servers running Windows Server 2008 R2 and later perform the following tasks:

• Enumerate all zones to be loaded.

• Load root hints from files or AD DS storage.

• Load all zones that are stored in files rather than in AD DS.

• Begin responding to queries and Remote Procedure Calls (RPCs).

• Create one or more threads to load the zones that are stored in AD DS.

Because separate threads load zone data, the DNS server is able to respond to queries while zone loading is in progress. If a DNS client performs a query for a host in a zone that has already been loaded, the DNS server responds appropriately. If the query is for a host that has not yet been loaded into memory, the DNS server reads the host’s data from AD DS and updates its record list accordingly.
