
Active Directory Zone Replication

In this Video:
• Discuss the benefits of storing Zones in Active Directory
• Take a closer look at the Active Directory Zone Replication Scope
• Demonstrate Replication in a Domain, Forest Environment
• Use DNS Manager and ADSI edit to view Domain and Forest Zone Data
• Demonstrate how to remove Zone Data from Active Directory.
Prerequisites: You must have access to or have installed in your lab the following:

• Windows 2016 server with DNS and Active Directory installed and the server promoted to a domain controller.
• Forward and Reverse lookup zone creation completed.

Adequate permissions will be needed:

• To configure a DNS server that is not running as a domain controller, you must be a member of the Administrators group for that computer.
• To configure a DNS server that is running on a domain controller, you must be a member of the DNS Administrators, Domain Administrators, or Enterprise Administrators group.

The Benefits of Storing Zone Data in Active Directory


• AD-integrated zones can only be configured on domain controllers.
• Every domain controller configured as a DNS server in a domain is an authoritative server for that domain. So, DNS records can be updated on any of these servers and the changes will be replicated automatically.
• Active Directory can compress replication data between sites and replicates data securely, so DNS replication also becomes fast, secure and efficient. This works even over slow links.
• Redundancy - Because AD-integrated zones are replicated to either all domain controllers in the domain or all domain controllers in the forest, this provides redundancy; there is no single point of failure in the DNS design.
• Security - If secure dynamic update is enabled, only authorized clients can update their records in the DNS zone.

In order to understand how replication works, we must understand some things about the structure of Active Directory. Here is an illustration.

• A simple domain structure – DE.DNS-ZONE.COM

• A Domain is a logical group of computers, users, and printers that share the
same database.

• Now let’s add a child Domain – DE.DNS-ZONE.COM

• This is considered a tree.

• In this example, Active Directory calls this structure a Forest, which in this case is named DNS-ZONE.COM.
• Why? Because in this example all the domains share the same schema. A schema is an AD component that defines all the objects and attributes that the directory service uses to store data.
• What we have is two domains and one Forest.
• We will now put this knowledge to work, to replicate DNS Zone data, first to a domain and then to a forest.

Active Directory Zone Replication Scope


After using the Zone wizard to create Forward and Reverse Lookup Zones, the third
step reveals three choices for replicating DNS data on our network.

• Forest - To all DNS servers on Domain Controllers in this Forest: DNS.COM
• Domain - To all DNS servers on Domain Controllers in this Domain: de.dns.com
• Windows 2000 Compatibility
• Directory Partition – A partition is a storage place for DNS zones that distinguishes data for different replication purposes. In this case, this option is grayed out.
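The same three scopes can be read back from a DNS server without the wizard. The script below is an added example, not part of the lecture: it reports every primary zone on a server with its replication scope (Forest, Domain, Legacy for Windows 2000 compatibility, or Custom for a named partition) and its dynamic-update setting, and flags the cases that lose the redundancy or security benefits described above. It assumes the DnsServer PowerShell module that ships with the DNS Server role and RSAT.

```powershell
# Added example (not from the lecture): report primary zones, their replication scope
# and dynamic-update setting, and flag the risky cases. Assumes the DnsServer module.
Import-Module DnsServer

function Get-ZoneReplicationReport {
    param([string]$ComputerName = $env:COMPUTERNAME)

    Get-DnsServerZone -ComputerName $ComputerName |
        Where-Object { $_.ZoneType -eq 'Primary' -and -not $_.IsAutoCreated } |
        ForEach-Object {
            [pscustomobject]@{
                ZoneName         = $_.ZoneName
                AdIntegrated     = $_.IsDsIntegrated
                # Forest = all DCs in the forest, Domain = all DCs in the domain,
                # Legacy = Windows 2000-compatible (domain naming context),
                # Custom = a named application partition
                ReplicationScope = $_.ReplicationScope
                Partition        = $_.DirectoryPartitionName
                ZoneFile         = $_.ZoneFile          # only set for file-backed zones
                DynamicUpdate    = $_.DynamicUpdate     # Secure, NonsecureAndSecure or None
            }
        }
}

$report = Get-ZoneReplicationReport
$report | Format-Table -AutoSize

foreach ($zone in $report) {
    if (-not $zone.AdIntegrated) {
        # A file-backed primary exists on one server only and cannot use secure dynamic update
        Write-Warning "$($zone.ZoneName): not AD-integrated, single copy in $($zone.ZoneFile)"
    }
    elseif ($zone.DynamicUpdate -eq 'NonsecureAndSecure') {
        # Any host that can reach the server may overwrite records in this zone
        Write-Warning "$($zone.ZoneName): secure dynamic update is not enforced"
    }
}
```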

DNS Data Replication on all Domain Controllers in this Domain


Let’s start with Domain Replication, because it is the easiest to understand.

If we choose the second selection we will be replicating DNS data to every Domain Controller in the DE.DNS.COM domain, even though in this case there is only one Domain Controller.

We will now use DNS manager and ADSI edit to view Zone data at the Domain
level.

DNS Manager – Domain DNS data from the DE zone is displayed

• From DNS manager, take a look at the records that are present in the
DE.DNS Zone.

ADSI Edit
Now we will dig a little deeper and use ADSI Edit to view and manage raw objects and attributes from within Active Directory. I recommend extreme caution when using this tool.

ADSI Demonstration
1. From Server Manager, Tools, click on ADSI Edit.
2. Right click ADSI Edit and click Connect to.
3. In the connection dialog, click "Select or type a Distinguished Name or Naming Context".
4. Type DC=DomainDNSZones,DC=<domainname>,DC=com (to check the Forest, type ForestDNSZones in place of DomainDNSZones).

• In this example, type DC=DomainDNSZones,DC=DE,DC=DNS,DC=COM
5. Expand the CN=MicrosoftDNS container and browse.
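The objects ADSI Edit shows under CN=MicrosoftDNS can also be enumerated from PowerShell, which is safer than browsing a raw partition by hand. The script below is an added example, not the lecture's own: it searches the same distinguished names used in the steps above (DC=DomainDNSZones below the domain DN, DC=ForestDNSZones below the forest root DN) for dnsZone objects and counts the dnsNode children of each. It assumes the RSAT ActiveDirectory module and that the domain controller you query hosts the requested partition; the -Server parameter is an assumption added for that purpose.

```powershell
# Added example (not from the lecture): list the dnsZone objects in a DNS application
# partition the way ADSI Edit shows them. Assumes the ActiveDirectory module and a DC
# that hosts the partition (pass -Server to choose one).
Import-Module ActiveDirectory

function Get-DnsPartitionZones {
    param(
        # DN the partition hangs off: the domain DN for DomainDnsZones (DC=DE,DC=DNS,DC=COM),
        # the forest root DN for ForestDnsZones (DC=DNS,DC=COM)
        [Parameter(Mandatory)][string]$BaseDn,
        [ValidateSet('DomainDnsZones', 'ForestDnsZones')][string]$Partition = 'DomainDnsZones',
        [string]$Server
    )

    # Same path typed into the ADSI Edit connection dialog, plus the MicrosoftDNS container
    $searchBase = "CN=MicrosoftDNS,DC=$Partition,$BaseDn"
    $common = @{ SearchScope = 'OneLevel' }
    if ($Server) { $common.Server = $Server }

    Get-ADObject @common -SearchBase $searchBase -Filter 'objectClass -eq "dnsZone"' |
        ForEach-Object {
            # Every record name in the zone is a dnsNode child (DC=@, DC=us, DC=_msdcs, ...)
            $nodes = @(Get-ADObject @common -SearchBase $_.DistinguishedName `
                                    -Filter 'objectClass -eq "dnsNode"' -Properties whenChanged)
            $latest = $nodes | Sort-Object whenChanged -Descending | Select-Object -First 1
            [pscustomobject]@{
                Zone        = $_.Name
                Partition   = $Partition
                NodeCount   = $nodes.Count
                LastChanged = $latest.whenChanged
                Path        = $_.DistinguishedName
            }
        }
}

# Domain-scoped zones of DE.DNS.COM, then forest-scoped zones of the DNS.COM forest
Get-DnsPartitionZones -BaseDn 'DC=DE,DC=DNS,DC=COM' -Partition DomainDnsZones | Format-Table -AutoSize
Get-DnsPartitionZones -BaseDn 'DC=DNS,DC=COM' -Partition ForestDnsZones | Format-Table -AutoSize
```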

ADSI Displays Active Directory DNS Data at the Domain Level
• If you compare the DE.DNS.COM Zone data from the DNS manager with what is
displayed below from ADSI edit you will see much more detailed information.

Replicate to all Domain Controllers in this Forest

If the first choice is selected we will be replicating all DNS Data to all Domain
Controllers in the Forest. In our example that is two servers. The US server and the
DE server.

• One Forest, Two Domains

DNS Manager – Forest Data from the DE zone is displayed

Take a look at the data from _msdcs. The primary purposes of the _msdcs zone are:

• Forest and Domain wide (DNS data is located in both the Forest and the Domain partition).
• This zone is also used to locate domain controllers through SRV records and to facilitate their replication using CNAME records.

Notice the last four characters at the end of that long string of alphanumeric characters: 6575 represents the US server and ad3f represents the DE server. We will see those characters again in ADSI Edit.

Now let’s go back to ADSI Edit and type in the distinguished name for the Forest:
DC=ForestDNSZones,DC=DNS,DC=COM

ADSI Edit Displays DNS Data from the Forest

• Notice 6575, which is the US server and ad3f which is the DE server.

Here is a slide of all the DNS Zone data relevant to this lecture
generated by DNS Manager and ADSIedit.

How does Replication Occur – Overview of the SOA tab

• Refresh interval – The secondary zone contacts the primary zone every 15 minutes to check for changes.
• Retry interval – If the secondary zone is not successful, the secondary checks back every 10 minutes.
• Serial Number – Every time a change is made this number is incremented. DNS compares the number on the primary zone with the number on the secondary zone to see if any changes have been made. That is how the secondary zone knows whether the data it has is up to date.
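The SOA values above can be read from each domain controller hosting a zone and compared. The script below is an added example, not from the lecture. Note that for an AD-integrated zone the copies on each DC are kept current by Active Directory replication rather than by the refresh and retry timers, which only drive standard secondary zones; each DC also increments its own copy of the serial when it applies a change, so small differences are normal, while a serial that stays behind while the others advance is worth investigating. It assumes the DnsServer module and that the names passed in -DnsServers are DCs running DNS.

```powershell
# Added example (not from the lecture): read the SOA record of one zone from several DCs
# and compare the serial numbers. Assumes the DnsServer module.
Import-Module DnsServer

function Compare-ZoneSoaSerials {
    param(
        [Parameter(Mandatory)][string]$ZoneName,
        [Parameter(Mandatory)][string[]]$DnsServers   # DCs hosting the zone, e.g. 'US','DE'
    )

    $rows = foreach ($server in $DnsServers) {
        $soa = (Get-DnsServerResourceRecord -ComputerName $server -ZoneName $ZoneName -RRType Soa).RecordData
        [pscustomobject]@{
            Server  = $server
            Serial  = $soa.SerialNumber      # incremented on every change to the zone
            Refresh = $soa.RefreshInterval   # how often a secondary polls (15 minutes by default)
            Retry   = $soa.RetryInterval     # how soon a failed poll is repeated (10 minutes by default)
            Primary = $soa.PrimaryServer
        }
    }

    # The highest serial seen is the most recent copy; anything lower has not caught up yet
    $newest = ($rows | Measure-Object -Property Serial -Maximum).Maximum
    foreach ($row in $rows) {
        if ($row.Serial -lt $newest) {
            Write-Warning "$($row.Server) is behind on $ZoneName (serial $($row.Serial), newest $newest)"
        }
    }
    $rows
}

Compare-ZoneSoaSerials -ZoneName 'dns.com' -DnsServers 'US', 'DE' | Format-Table -AutoSize
```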

Removing Zone Data from Active Directory

• Removing Zone data from Active Directory is not something that you would
normally do. But for the purposes of this lecture we need to explore what
happens to zone data if it is removed from Active Directory.
• Open Server Manager, Tools, DNS.

• Double click on Forward Lookup Zones, highlight the zone (in this case DNS.COM), right click and select Properties, then select Change.

• Uncheck “Store the zone in Active Directory”

• Click Yes. You receive this warning.

• Click Yes, click Apply, then OK.

Open Windows Explorer and browse to the file C:\Windows\system32\dns\dns.com

• Open it with Notepad.
• The Zone Data has been successfully moved from Active Directory to the local DNS server.

Check out the highlighted areas. We have a forest named DNS.COM.

Here you see the US server, the DE server and its IP address, and various SRV records.

Active Directory Zone Replication

In this Video:

• We discussed the benefits of storing DNS Zones in Active Directory.
• We took a close look at the Active Directory Zone Replication Scope.
• We demonstrated how Replication works in a Domain and a Forest environment.
• We used DNS Manager and ADSI Edit to view Domain and Forest Zone Data.
• We demonstrated how to remove Zone Data from Active Directory.

Congratulations, you made it through another video. I hope you found it enjoyable as well as informative.

Thanks for watching and we will see you in the next lecture.
