AD Integrated Zone over standard Primary zone

When do you use Active Directory Integrated Zone over the standard Primary zone? Is there something special that will tell you which one to use?

Find more posts tagged with

SAVE $250 on Your Boot Camp — Use Code "EXAM26"

Exclusively for TechExams members for Infosec Boot Camps starting before April 30, 2026

View Boot Camps

Comments

Danman32

Active directory integrated has the zone replicate using the AD replication mechanism. Also being AD integrated has all zome replicas be masters, as AD is a multi-master model of replication.
In order to be AD integrated, the zone has to be on a DC.

A standard primary zone has its database stored as a text file. There can only be one standard primary zone for a domain. Zone changes can only be made on a primary zone. The replicas of such a zone would be secondary zones that are read-only except for zone transfers from the primary zone. A standard zone does not have to be on a DC or even a member server. Heck, it doesn't even have to be on an MS OS.
An AD integrated zone can act as a standard primary for the purposes of zone transfers to standard secondary zones

agustinchernitsky

AD integrated is used when you install DNS on a DC. The key benefit is that it stores everyting in AD and it uses AD replication model to propagate changes... and... it generates the least admin effort!

You normally use non-AD integrated zones when you have a standalone server (ie for a public network).

So, if they ask you:

you have installed a root DC and you want install another DC as backup. You also want to configure in this new DC the DNS servers for redundancy, what to do:

1.- Create a STD primary zone on the second DC DNS service
2.- Create a STD secondary zone on the second DC DNS service
3.- Create a Stub zone on the second DC DNS service
4.- Create a AD integrated zone on the second DC DNS service

What would you answer?

RTmarc

Unless you have NT4.0 as a DC, there is really no reason to ever use Standard-Primary over ADI. There are a few circumstances where a Standard-Primary should be used but I doubt you will ever see that; it deals with perimeter networks and DMZs.

Danman32

One can install a standard primary/secondary zone on a DC.

When there are AD replication issues, thats what I have clients do until the AD issues are fixed. Otherwise you can get a chicken or egg situation. DNS can't replicate properly if AD isn't replicating properly since DNS uses AD replication. AD can't replicate properly because DNS information is not properly replicated, so AD has a conflict in where to find its resources.

One additional benefit of AD integrated is security. The data is in AD which is fairly secure, as opposed to being stored in a text file. Zone transfers occur over AD replication (since it is part of AD database), so standard zone transfers can be disabled.

agustinchernitsky

I completely forgot about security... good point.

When in AD integrated mode, you can choose to allow secure dynamic updates.

Danman32

agustinchernitsky wrote:

I completely forgot about security... good point.

When in AD integrated mode, you can choose to allow secure dynamic updates.

Yes, that too. I almost added that to my post.

nadda

I find it in Google:
diflucan 150 mg diflucan pill cheap diflucan alcohol diflucan diflucan online diflucan oral suspension diflucan and man buy diflucan generic diflucan over the counter diflucan and pregnancy diflucan buy diflucan how long does it take diflucan to work diflucan medication fluconazole diflucan cheapest diflucan diflucan and infant