Windows Server hosts that have been promoted to domain controller can store DNS zone data in the Active Directory Domain Services (ADDS) rather than in a zone text file. This is known as an AD-integrated DNS zone. Integrated DNS zones can only be created on an AD domain controller that has the DNS server role installed.
Advantages of Active Directory integrated DNS zones:
- DNS zone data is transferred to other DNS servers in the domain and forest using the standard Active Directory replication mechanism rather than the classic zone transfer method. Multi-master replication mode is used for AD-integrated zones, meaning that any domain controller can write updates to the zone. When a DNS zone is replicated, only the changes between the domain controllers are transferred, not the entire zone.
- Secure update mode is supported for integrated zones. In this mode, only authorized clients can update their records in the DNS zone.
- Access Control Lists (ACLs) are used to restrict access to the records in the DNS zone.
- The DNS zone and the DNS records are stored in the Application Directory Partition in the AD database.
To create a new integrated DNS zone in your AD domain:
- Open the DNS Manager snap-in (dnsmgmt.msc);
- Connect to a domain controller, right-click Forward Lookup Zones, and select New Zone;
- Select the Primary zone type and enable the option Store this zone in Active Directory (available only if the DNS server is a writable domain controller).
Note. Secondary and Stub DNS zones cannot be AD-integrated.
- Specify whether to allow the DNS zone to be replicated to all DCs in the domain or in the Active Directory forest;
- Type the zone name: theitbros.loc;
- Choose whether you want to allow dynamic updates. For Active Directory, it is recommended that you always use the Allow only secure dynamic updates option;
- Click Next > Finish and a new primary AD-integrated zone will appear in the DNS console;
This zone will be automatically replicated to all of the other domain controllers in the AD.
Hint. In the same way, you can create an AD-integrated reverse lookup DNS zone.
AD-integrated zones are stored in one of the following ADDS LDAP partitions: DC=DomainDNSZones,DC=contoso,DC=com or DC=ForestDNSZones,DC=contoso,DC=com. This depends on the replication scope you have selected for the zone.
You can connect to and manage the AD directory partition that stores integrated zones using the ADSIEdit console.
- Open the adsiedit.msc MMC snap-in;
- Select Connect to > Connection Point > type a Distinguished name: DC=DomainDNSZones,DC=contoso,DC=com
- Expand your domain DN > CN=MicrosoftDNS. An object of the dnsZone class is created in this container for each AD-integrated zone.
- When you expand the dnsZone object, you will see a list of records for that DNS zone in the form of separate dnsNode objects;
- You can use the built-in attribute editor for AD objects to manually change the parameters of any DNS zone record;
You can also use PowerShell to create an integrated primary DNS zone:
Add-DnsServerPrimaryZone -Name theitbros.local -ReplicationScope "Forest" -PassThru
Add an AD-integrated reverse lookup zone:
Add-DnsServerPrimaryZone -NetworkID "10.24.0.0/24" -ReplicationScope "Forest"
List integrated DNS zones:
Get-DnsServerZone | Where-Object IsDsIntegrated -eq $true
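The following script is an added example, not code from the original article. It creates the zone with secure-only dynamic updates, audits every AD-integrated primary zone for the dynamic update setting (the security-relevant choice from the wizard), and enumerates the backing dnsZone and dnsNode objects that ADSIEdit shows. It assumes the DnsServer and ActiveDirectory PowerShell modules are available on a writable domain controller; the zone name is the article's example and the partition DNs are discovered from the RootDSE instead of the contoso.com placeholder.

```powershell
# Added example (not from the original article). Assumes the DnsServer and
# ActiveDirectory modules and a writable DC. Read-only apart from creating the zone.
Import-Module DnsServer
Import-Module ActiveDirectory

# 1. Create the AD-integrated zone with secure-only dynamic updates, forest-wide replication.
$zoneName = 'theitbros.local'   # the article's example zone; adjust for your domain
if (-not (Get-DnsServerZone -Name $zoneName -ErrorAction SilentlyContinue)) {
    Add-DnsServerPrimaryZone -Name $zoneName -ReplicationScope 'Forest' `
        -DynamicUpdate 'Secure' -PassThru
}

# 2. Audit: every AD-integrated primary zone should report DynamicUpdate = Secure.
#    'NonsecureAndSecure' lets any host on the network register or overwrite records,
#    so each such zone is flagged; the remediation command is shown but not executed.
$integrated = Get-DnsServerZone |
    Where-Object { $_.IsDsIntegrated -and $_.ZoneType -eq 'Primary' }

$integrated |
    Select-Object ZoneName, ReplicationScope, DynamicUpdate, DirectoryPartitionName |
    Format-Table -AutoSize

foreach ($z in ($integrated | Where-Object { $_.DynamicUpdate -ne 'Secure' })) {
    Write-Warning ("Zone {0} allows '{1}' dynamic updates; fix with: " +
        "Set-DnsServerPrimaryZone -Name {0} -DynamicUpdate Secure") -f $z.ZoneName, $z.DynamicUpdate
}

# 3. Enumerate the directory objects behind the zones, i.e. what ADSIEdit displays.
#    The DomainDNSZones / ForestDNSZones partitions are listed in the RootDSE
#    naming contexts, so no hard-coded DN is needed.
$dnsPartitions = (Get-ADRootDSE).namingContexts | Where-Object { $_ -like 'DC=*DNSZones,*' }

foreach ($partition in $dnsPartitions) {
    $zones = Get-ADObject -SearchBase "CN=MicrosoftDNS,$partition" `
        -LDAPFilter '(objectClass=dnsZone)' -SearchScope OneLevel -Properties whenChanged
    foreach ($zone in $zones) {
        # Each record of the zone is a separate dnsNode object directly under the dnsZone object.
        $nodes = Get-ADObject -SearchBase $zone.DistinguishedName `
            -LDAPFilter '(objectClass=dnsNode)' -SearchScope OneLevel
        '{0}: {1} dnsNode objects in {2} (last changed {3})' -f `
            $zone.Name, @($nodes).Count, $partition, $zone.whenChanged
    }
}
```

Run it from an elevated PowerShell session on a domain controller; zones whose dynamic update mode is not Secure are reported as warnings with the Set-DnsServerPrimaryZone command to change them.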