AD Integrated Zone over standard Primary zone

jescab Inactive Imported Users Posts: 1,321
When do you use Active Directory Integrated Zone over the standard Primary zone? Is there something special that will tell you which one to use?


  • Danman32 Member Posts: 1,243
    Active Directory integrated has the zone replicate using the AD replication mechanism. Also, being AD integrated makes all zone replicas masters, as AD uses a multi-master model of replication.
    In order to be AD integrated, the zone has to be on a DC.

    A standard primary zone has its database stored as a text file. There can only be one standard primary zone for a domain. Zone changes can only be made on a primary zone. The replicas of such a zone would be secondary zones that are read-only except for zone transfers from the primary zone. A standard zone does not have to be on a DC or even a member server. Heck, it doesn't even have to be on an MS OS.
    An AD integrated zone can act as a standard primary for the purposes of zone transfers to standard secondary zones.
  • agustinchernitsky Member Posts: 299
    AD integrated is used when you install DNS on a DC. The key benefit is that it stores everything in AD and it uses the AD replication model to propagate changes... and... it generates the least admin effort!

    You normally use non-AD integrated zones when you have a standalone server (i.e. for a public network).

    So, if they ask you:
    you have installed a root DC and you want to install another DC as backup. You also want to configure the DNS service on this new DC for redundancy. What do you do?

    1.- Create a STD primary zone on the second DC DNS service
    2.- Create a STD secondary zone on the second DC DNS service
    3.- Create a Stub zone on the second DC DNS service
    4.- Create an AD integrated zone on the second DC DNS service

    What would you answer?
  • RTmarc Member Posts: 1,082
    Unless you have NT4.0 as a DC, there is really no reason to ever use Standard-Primary over ADI. There are a few circumstances where a Standard-Primary should be used but I doubt you will ever see that; it deals with perimeter networks and DMZs.
  • Danman32 Member Posts: 1,243
    One can install a standard primary/secondary zone on a DC.

    When there are AD replication issues, that's what I have clients do until the AD issues are fixed. Otherwise you can get a chicken-or-egg situation: DNS can't replicate properly if AD isn't replicating properly, since DNS uses AD replication, and AD can't replicate properly because the DNS information is not properly replicated, so AD has a conflict in where to find its resources.

    One additional benefit of AD integrated is security. The data is in AD, which is fairly secure, as opposed to being stored in a text file. Zone transfers occur over AD replication (since the zone is part of the AD database), so standard zone transfers can be disabled.
  • agustinchernitsky Member Posts: 299
    I completely forgot about security... good point.

    When in AD integrated mode, you can choose to allow secure dynamic updates.
  • Danman32 Member Posts: 1,243
        I completely forgot about security... good point.

        When in AD integrated mode, you can choose to allow secure dynamic updates.

    Yes, that too. I almost added that to my post.
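The two security points raised above (zone data in AD instead of a text file so zone transfers can be switched off, and secure-only dynamic updates) are easy to audit and enforce from the DnsServer module. The following script is an added example, not code posted in this thread; it assumes it runs on or against a domain controller with the DNS Server role, that `Domain` is the replication scope wanted for any converted zone, and that no standard secondary zones still depend on zone transfers from this server.

```powershell
<#
  Added example (not from the thread). Audits every primary zone on a DNS
  server for: AD-integrated vs file-backed standard primary, dynamic update
  mode, and whether zone transfers are still allowed. With -Remediate it
  converts file-backed zones to AD-integrated ones, sets secure-only updates
  and disables zone transfers. Needs the DnsServer module and DnsAdmins or
  Domain Admins rights. Assumptions: ReplicationScope 'Domain' is the
  desired scope, and no standard secondaries rely on transfers from here.
#>
#Requires -Modules DnsServer
[CmdletBinding(SupportsShouldProcess)]
param(
    [string]$ComputerName = $env:COMPUTERNAME,   # assumption: run on/against a DC
    [switch]$Remediate
)

# Only primaries carry these settings; skip the auto-created reverse zones
# (0.in-addr.arpa, 127.in-addr.arpa, 255.in-addr.arpa).
$zones = Get-DnsServerZone -ComputerName $ComputerName |
    Where-Object { $_.ZoneType -eq 'Primary' -and -not $_.IsAutoCreated }

$report = foreach ($z in $zones) {
    $findings = [System.Collections.Generic.List[string]]::new()

    if (-not $z.IsDsIntegrated) {
        # Standard primary: data lives in a text file under %SystemRoot%\System32\dns,
        # replicas are read-only secondaries fed by AXFR/IXFR.
        $findings.Add("file-backed standard primary ($($z.ZoneFile)); replicated by zone transfer, not AD")
    }
    if ($z.DynamicUpdate -ne 'Secure') {
        # 'NonsecureAndSecure' lets any host on the network register or overwrite records;
        # 'Secure' requires a Kerberos-authenticated (GSS-TSIG) client and is only
        # available on AD-integrated zones.
        $findings.Add("dynamic update = $($z.DynamicUpdate); should be Secure")
    }
    if ($z.SecureSecondaries -ne 'NoTransfer') {
        # TransferAnyServer / TransferToZoneNameServer / TransferToSecureServers all
        # still answer AXFR; once AD replication carries the zone this can be off.
        $findings.Add("zone transfers = $($z.SecureSecondaries)")
    }

    [pscustomobject]@{
        Zone          = $z.ZoneName
        AdIntegrated  = $z.IsDsIntegrated
        Scope         = $z.ReplicationScope      # empty for file-backed zones
        DynamicUpdate = $z.DynamicUpdate
        ZoneTransfers = $z.SecureSecondaries
        Findings      = ($findings -join '; ')
    }

    if ($Remediate -and $findings.Count -gt 0 -and
        $PSCmdlet.ShouldProcess($z.ZoneName, 'Convert to AD-integrated, secure updates only, no zone transfers')) {

        if (-not $z.IsDsIntegrated) {
            # Moves the zone out of the text file into the DomainDnsZones partition;
            # every DNS-hosting DC in the domain then holds a writable copy.
            ConvertTo-DnsServerPrimaryZone -ComputerName $ComputerName -Name $z.ZoneName `
                -ReplicationScope Domain -Force
        }
        # Secure-only updates can only be set on an AD-integrated zone, hence the order.
        # NoTransfer disables AXFR/IXFR to any server.
        Set-DnsServerPrimaryZone -ComputerName $ComputerName -Name $z.ZoneName `
            -DynamicUpdate Secure -SecureSecondaries NoTransfer
    }
}

$report | Format-Table -AutoSize
```

Run it without `-Remediate` first (or with `-Remediate -WhatIf`) to see the findings per zone. Two caveats before enforcing: `NoTransfer` will break any standard secondary zones that still pull from this server, which is the case RTmarc's perimeter/DMZ exception describes, and the `_msdcs` forest zone is normally replicated with `Forest` rather than `Domain` scope, so check the `Scope` column before converting it.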