AD DNS Zone Replication

Hello all:

I have a brief question on AD integrated zones.

I know AD zones are supposed to be automatically replicated via AD. This is supposed to eliminate the need for zone transfers.

I want to be sure I have this down right, after I run DCPROMO on a secondary domain controller, and install the DNS service will the zones automatically begin to replicate to the new domain controler once DNS is installed?

I was experimenting on on my home network I did the steps before however only the reverse look-up zone came up. I made the secondary domain controller a global catalog server and all of a sudden the forward zone came up. (This was a total fresh install on the secondary box of Enterprise Ed).

Was this step required for the replication? Or was it a pure coincidence that it happened right after I did that?

Here is another situation I'd like help with:

Say I have three non-AD servers one primary and two secondaries. If I convert the primary to ADI (after a promoting it to a DC), could I delete the secondary zones on the other servers, disable standard zone transfers (on the new DC). Then promote the former secondary zone services to DC's and have them replicate the new ADI zone (for fault tolorence).

Would this work correctly given those steps?

Find more posts tagged with

SAVE $250 on Your Microsoft Boot Camp — Use Code "EXAM26"

Exclusively for TechExams members for Infosec Boot Camps starting before April 30, 2026

View Microsoft Boot Camps

Comments

Smallguy

In short yes as lnog as the sones are setup to allow dynamic updates
take a look at

http://support.microsoft.com/kb/227844

and

"When you use the DNS Microsoft Management Console (MMC) to configure zones on a Windows 2000 DNS server, you can configure an Active Directory integrated zone with the same name on DNS servers that are located in different Windows 2000 domains. If the zones are configured to accept dynamic updates, the DNS server permits clients to register in the zone, as expected. This registration data is replicated to other domain controllers and DNS servers that are members of the same Windows 2000 domain."

taken from
http://support.microsoft.com/kb/286753

Danman32

The data can be there, depending on the AD integrated model chosen, it's just a matter of configuring the DNS server service to use that zone.

ScubaSteveTXST

Danman32 wrote:

The data can be there, depending on the AD integrated model chosen, it's just a matter of configuring the DNS server service to use that zone.

So lets say I replicate to Domain DNS server's only. Will the zone automatically appear if not what steps need to be taken?

royal

Hopefully this will answer your question:

1. Promote first server to 1st DC in a new forest. DNS won't be detected and will prompt you to install DNS on itself which will then install DNS on itself as well as point the Preferred DNS IP to 127.0.0.1 which is the loopback ip which means itself.

2. You then build a 2nd server which you intend on promoting to a 2nd DC. You configure the Preferred DNS IP to the 1st DC. This way when you're joining it to the already existing domain, it can pull AD information as well as DNS information. You can either manually install DNS right now or install DNS later. Since you're pointing the dns ip to the 1st server, the dcpromo won't prompt you to install DNS. You now run dcpromo and install AD and all the AD information will be pulled over to the new DC.

3. Now after the 2nd DC is rebooted you can install DNS. Since you are using AD-integrated DNS, you will NOT have to manually create a zone. DNSDomainZone is built into ntds.dit (Active Directory database file) and hence the zones are automatically pulled over as part of Active Directory replication. So all you have to do is install dns, and in a little bit, you'll automatically see the zones copied over as well as a new NS record for the new DC. All of this will automatically be shown through the DNS console without any user intervention other than installing DNS.

theseman

Basically ScubaSteve, it was a coincidence. AD integrated zones do not rely on a GC. The FLZ should have shown up whenever a replication between the servers took place. Sometimes AD can be a bit stubborn and patience can really pay off (found this out the hard way). You can jumpstart this replication in AD Sites and Services, or just wait. (Since both DC's are in the same site by default it will not take long for them to replicate)

ScubaSteveTXST

Thanks all for the great info,

I toyed with it some more. I got zone replication to work after I forced AD replication b/w the two domain controllers. As for deletion of a zone to take effect on another DC that seemed to take awhile.