I'm trying to clarify the relationship between SOA records and AD based DNS since we are switching towards an all AD integrated DNS scenario in our environment.
We have 2 DCs running Win 2008. The goal is to ensure DNS redundancy and give domain client machines the ability to update their records directly on whatever server is available if one goes down...or both servers if they are both available.
Should both DCs host these primary integrated zones? Or should one host a primary integrated and the other a secondary (and hence integrated) version of it?
How does this work with SOA records? If you have two primary integrated zones does that not imply the possibility of two SOA records since both zones are directly updateable? Can you have more than one SOA record per domain?
Or can you only have one SOA record corresponding to the DC that hosted the integrated primary zone first, independent of whether the other DC has a primary or secondary zone of the same domain?
What is the best setup for such a situation? What would you do?
Thank you in advance.
With AD-integrated zones, there is no concept of "primary" or "secondary" zones; an integrated zone gets replicated to all DCs in the domain(*), and all of them are authoritative for it and can modify it, either by admin intervention or by dynamic updates from domain computers; whenever the zone gets modified, the AD replication process takes care of synchronizing the changes between all involved DCs.
This of course implies that all DCs which are also DNS servers get a SOA record for AD-integrated zones; and this is perfectly fine, as all of them actually are authoritative DNS servers for that zone.
And, indeed, it is considered best practice to use AD-integrated DNS zones, make all of your DCs (or most of them) DNS servers, replicate the zones to all of them and have all domain computers use two or more of them as their DNS servers. DNS is critical to proper AD operation, so that's a service you most definitely don't want to fail.
(*) This is the usual behaviour, but it can be changed depending on the zone replication scope.
If the zones are integrated then they're neither primary nor secondary in the traditional sense. You can consider both servers to be primary for the integrated zones and as such each will be listed as the SOA in their copy of the integrated zones. Since the zones are integrated there isn't a local zone file on each server for each zone, the zones are stored in the Domain partition of the AD database on each server. DNS records can be created, updated, refreshed, or deleted from any server that holds a copy of the integrated zones and those changes will be replicated to all other servers holding a copy of the zones through the normal AD replication process.
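As an added check (not from any of the answers above) for the behaviour both answers describe, this PowerShell snippet asks each DC directly for the zone's SOA and reports the MNAME it returns, whether its copy is AD-integrated, its replication scope (the "(*)" caveat above) and its dynamic-update setting. The DC and zone names are assumed placeholders, and the cmdlets need the DnsClient and DnsServer modules (Windows 8 / Server 2012 or later with RSAT, so they are run from a newer admin box rather than on Windows 2008 itself).

```powershell
# Added example, not from the original answers: verify that every DC hosting an
# AD-integrated zone answers as authoritative for it and names itself in MNAME.
# Requires the DnsClient and DnsServer modules (Windows 8 / Server 2012+).
$Zone = 'corp.example.com'                                # assumed zone name
$Dcs  = 'dc1.corp.example.com', 'dc2.corp.example.com'    # assumed DC names

$results = foreach ($dc in $Dcs) {
    # Query the DC itself (-Server), bypassing the client's configured resolver.
    $soa = Resolve-DnsName -Name $Zone -Type SOA -Server $dc -DnsOnly -ErrorAction Stop |
           Where-Object { $_.Type -eq 'SOA' }
    # Zone settings as seen by that DC's DNS service.
    $z = Get-DnsServerZone -Name $Zone -ComputerName $dc
    [pscustomobject]@{
        Server        = $dc
        Mname         = $soa.PrimaryServer.TrimEnd('.')
        Serial        = $soa.SerialNumber
        DsIntegrated  = $z.IsDsIntegrated
        ReplScope     = $z.ReplicationScope
        DynamicUpdate = $z.DynamicUpdate
    }
}
$results | Format-Table -AutoSize

# Expected for AD-integrated zones: each DC lists itself as MNAME (multi-master),
# every copy is DS-integrated, and dynamic updates are 'Secure' so only domain
# members can register or overwrite records. Serials are shown for information
# only: with multi-master AD replication they can lag or differ between DCs.
foreach ($r in $results) {
    if ($r.Mname -ne $r.Server.TrimEnd('.')) {
        Write-Warning "$($r.Server): SOA MNAME is $($r.Mname), not the server itself"
    }
    if (-not $r.DsIntegrated) {
        Write-Warning "$($r.Server): zone '$Zone' is not AD-integrated on this DC"
    }
    if ($r.DynamicUpdate -ne 'Secure') {
        Write-Warning "$($r.Server): dynamic updates are '$($r.DynamicUpdate)', not 'Secure'"
    }
}
```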
1) You should have more than one copy of your ADI zones, it's best practice to have at least two DCs running integrated zones. No need for a secondary zone.
2) Each DNS server will have a SOA record for itself. It works fine.
3) See #2
The notions of "primary" and "secondary" content DNS servers simply don't apply to the kind of DNS database replication that occurs with Active Directory integrated zones.
SOA resource records are not the worry that, nor as important as, you think them to be. Four of the fields of SOA resource records have no meaning at all for Active Directory DNS database replication. And the variance of the MNAME field is perfectly fine in multi-master setups.