DNS Zone Replication

Windows 2003 introduced the ability to move Active Directory-integrated DNS zones from the default AD partition to dedicated partitions.  You do this through the DNS MMC snap-in by right-clicking on a DNS zone and choosing Properties.  On the General tab of the properties dialog box, click Change next to the Replication line.  This brings up the Change Zone Replication Scope dialog box, which allows you to choose one of the following:

  • To all DNS servers in the Active Directory forest
  • To all DNS servers in the Active Directory domain
  • To all domain controllers in the Active Directory domain
  • To all domain controllers specified in the scope of the following directory partition


So what is the difference between these, and why would you want to move your zones?

Each choice specifies which AD partition is used to store the zone’s data.  AD partitions are separate areas of storage within AD itself; each individually named partition can have its own security and replication configuration.  The third choice in the list, To all domain controllers specified in the scope of the following directory partition, is equivalent to how zones were stored in a Windows 2000 AD; the partition used is the default AD partition where all User and Computer objects are also stored.

The first two choices create or use a new application partition in AD and store the DNS zone there.  The main purpose for this is to prevent the replication of the DNS zone and its records to domain controllers that do not need it, specifically to DCs without DNS installed.  The second option further limits the replication scope by not replicating the zone to DCs in other domains of the forest.  If you have a single-domain forest, there is no effective difference between these two.  In smaller network implementations, the reason for doing this is not evident, but when you are dealing with thousands or tens of thousands of dynamically updated records, replication latency and replication bandwidth usage become issues.

The fourth option allows you to define a custom application partition for advanced control over the replication scope or schedule.

Each zone is configured separately and all zone types have these options available as long as they are AD integrated.

To verify the actual AD storage of a zone, use ADSIEdit (built into Windows 2008 or loaded from the Windows Server 2003 support tools).  Zones are always stored in a parent container called MicrosoftDNS.  The table below contains the DN of this container for the three primary zone locations.  Every zone will have a sub-container that contains all the records for the zone.  The standard caveat for editing AD data using ADSIEdit applies: if you don’t know what you are doing, look, but don’t touch.

Location                                                     DN
To all DNS servers in the Active Directory forest            CN=MicrosoftDNS,DC=ForestDnsZones,DC=domain,DC=local
To all DNS servers in the Active Directory domain            CN=MicrosoftDNS,DC=DomainDnsZones,DC=domain,DC=local
To all domain controllers in the Active Directory domain     CN=MicrosoftDNS,CN=System,DC=domain,DC=local
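The ADSIEdit check above can be scripted as a read-only inventory of which container each zone actually lives in.  This is an added example, not code from the original post; it assumes the ActiveDirectory PowerShell module (RSAT) and read rights on the DNS partitions, and it derives the domain and forest DNs from the root DSE instead of hard-coding DC=domain,DC=local.

```powershell
# Added example: list every AD-integrated DNS zone together with the MicrosoftDNS
# container (and therefore the replication scope) it is stored in.
# Assumptions: ActiveDirectory module available; the DC you connect to hosts the
# ForestDnsZones and DomainDnsZones application partitions (DNS-enabled DCs do).
Import-Module ActiveDirectory

function Get-DnsZoneStorage {
    $rootDse  = Get-ADRootDSE
    $domainDn = $rootDse.defaultNamingContext      # e.g. DC=domain,DC=local
    $forestDn = $rootDse.rootDomainNamingContext   # forest root domain DN

    # The three standard MicrosoftDNS containers from the table above.
    $containers = [ordered]@{
        'Forest (all DNS servers in the forest)'  = "CN=MicrosoftDNS,DC=ForestDnsZones,$forestDn"
        'Domain (all DNS servers in the domain)'  = "CN=MicrosoftDNS,DC=DomainDnsZones,$domainDn"
        'Legacy (all DCs in the domain, Win2000)' = "CN=MicrosoftDNS,CN=System,$domainDn"
    }

    foreach ($scope in $containers.Keys) {
        $base = $containers[$scope]
        try {
            # Each zone is a dnsZone object directly under MicrosoftDNS; the zone's
            # records are dnsNode children below it, so a one-level search is enough.
            $zones = Get-ADObject -SearchBase $base -SearchScope OneLevel `
                         -LDAPFilter '(objectClass=dnsZone)' -Properties whenChanged
        } catch {
            # A missing container (e.g. no zones ever placed there) is not an error worth stopping for.
            Write-Warning "Cannot read $base : $($_.Exception.Message)"
            continue
        }
        foreach ($z in $zones) {
            [pscustomobject]@{
                Zone        = $z.Name
                Scope       = $scope
                Container   = $base
                LastChanged = $z.whenChanged
            }
        }
    }
}

# Read-only: one row per zone showing the partition it is really replicated in.
Get-DnsZoneStorage | Sort-Object Zone | Format-Table -AutoSize
```

A zone that turns up under CN=System while the MMC shows a forest or domain scope is worth a second look, since that container replicates to every DC in the domain regardless of whether DNS is installed.  On Windows Server 2012 or later the same scope change the post makes in the MMC can be scripted with Set-DnsServerPrimaryZone -Name <zone> -ReplicationScope Forest, Domain, Legacy or Custom from the DnsServer module.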
