Month: April 2011

Overview

A partition is a data structure within Active Directory used to distinguish data for different replication purposes. Every domain controller contains the following three directory partitions: configuration, schema, and domain. A directory partition is also called the “naming context”. Domain controllers in the same forest but in different domains share the same configuration and schema data, but they do not share the same domain data.

In Windows 2000, if the DNS server is configured to use Active Directory Integrated zones, then the DNS zone data is stored in the domain naming context (DNC) partition of Active Directory. Conversely, in Windows Server 2003, application directory partitions enable storage and replication of the DNS zones stored in the non-domain naming context (NDNC) partition of Active Directory.

Every object created in the domain naming context, which includes DNS zones and nodes (DNS names, e.g., microsoft.com), are replicated to all the GC’s in the domain.
By using application directory partitions to store the DNS data, essentially all DNS objects are removed from the GC. This is a significant reduction in the number of objects that are normally stored in the GC.

Furthermore, when the DNS zone data is stored under the domain naming context of Active Directory (such as in Windows 2000), it is replicated to all DC’s in the domain irrespective of whether a DNS server is configured to run on the DC or not. This is an instance where full domain-wide replication is an over-kill.

It would be preferable to redefine the scope of replication of the DNS zone data to only the subset of DC’s in the domain that actually run DNS.
This can be done with domain-wide application directory partitions. Additionally, an application directory partition that is replicated to all DNS servers in the forest can be used for zones like _msdcs.<forestname> which should be visible to the entire forest.

This is ideal because all DC’s register their DsaGuid CNAME resource record in the _msdcs.<forestname> zone.

Zone Replication Options

There are four replication options for Active Directory-integrated DNS zones. These can be selected when the zone is created or when the administrator wants to change the storage method for an existing zone. When deciding which replication option to choose, consider that the broader the replication scope, the greater the network traffic caused by replication. For example, if the administrator chooses to have Active Directory-integrated DNS zone data replicated to all DNS servers in the forest, this will produce greater network traffic than replicating the DNS zone data to all DNS servers in a single Active Directory domain in that forest. The following table describes zone replication options.

Table 1.1 Zone Replication Option Descriptions

Note: DNS zones stored in application directory partitions cannot be accessed by Windows 2000 Server domain controllers.

Forest-Wide Replication

Given any scenario one might be able to argue that replicating DNS zone data to every DNS server in a multiple domain forest might cause excessive traffic. However, the trade off is extreme ease of administration and deployment. Especially in organizations where a dedicated DNS team may not exist, configuring DNS for Active Directory can be difficult for most. In these situations, the best solution should be the easiest solution. Therefore, using forest-wide replication for any DNS zone is considered the best option. If every zone is replicated to all DNS servers in the forest, then a customer should not need to use stub zones, secondary zones, or forwarders when configuring internal DNS resolution within the Active Directory forest.

Default DNS Application Directory Partitions

Before any of the forest or domain wide application partition replication options can be used, the DNS application directory partitions must be created within Active Directory. By default, when the DNS Server service is started, it will attempt to locate and create (if necessary) the default DNS application directory partitions (ForestDnsZones.DnsForestName and DomainDnsZones.DnsDomainName) in Active Directory.

However, if the DNS Server service is unable to do this, an Enterprise Administrator can manually create the DNS application directory partitions as discussed below.

Note: Enterprise Admin credentials are required to create an application directory partition.

While it would be ideal to make a DNS server use the credentials of the administrator to create the DNS application partitions during the installation and configuration of DNS in DcPromo, it is impossible since Active Directory is not yet available until the computer is rebooted. To workaround this problem the following solution has been implemented (this is also true if the DNS service is installed on a computer that is already a DC):

When on startup a DNS server detects that the forest- and/or domain-wide application partitions do not exist, the DNS server attempts to create the DNS application partitions.

If it fails (which is usually the case since DNS does not have the appropriate credentials) when the first user logs in, a separate executable (waiting for the user to log in) will notify the DNS server that the user is logged in and will provide the DNS server with the credentials of the logged in user.

Next, the DNS server will check again whether the forest- and/or domain-wide application partitions exist. If at least one of them does not exist, then DNS will attempt to create the missing application directory partitions corresponding to the domain and forest of the DNS server using the user’s credentials.

Active Directory Integrated DNS Zones

DNS zones stored in application directory partitions must be of type Active Directory-integrated, secondary or other type of zones can’t be stored within Active Directory at, I recommends that those zones are left unchanged and stored the way they are today while Active Directory-Integrated Zones are moved to be stored in the application directory partitions (if there isn’t a specific reason to why not).

Windows 2000 Server Domain Controllers

DNS zones stored in application directory partitions cannot be accessed by Windows 2000 Server domain controllers, technically if a forest contains multiple domains and one or more of those domains contain at least only Windows Server 2003 DCs or later those can utilize the Domain-wide DNS application directory partition even if Windows 2000 Server domain controllers exists in other domains within the forest.

However I recommend that the entire forest consists of Windows Server 2003 DCs or later and that all Windows 2000 Server DCs has been removed prior to the implementation of DNS application directory partitions (So shouldn’t be running Windows 2000 anyway since it’s out of support).

Active Directory Replication Health

I recommend that you verify the Active Directory replication health prior to the implementation, using repadmin. (repadmin /showreps /v)

The operations implementations details outlines the necessary steps required to implement and/or move DNS zones to DNS Directory Application Partitions.

The operation requires Domain Admins rights and/or DNS Admins rights within the forest.

Change replication option of existing Active Directory-Integrated Zones

Using the DNS Manager MMC to perform the change:

1. Open DNS.
   
2. In the console tree, right-click the applicable zone, and then click Properties.
   
3. On the General tab, note the current zone replication type, and then click Change.
   
4. Select the following replication scope: Forest-wide DNS application directory partition.
   

Using the command line to perform the change:

dnscmd
ServerName
/ZoneChangeDirectoryPartition
ZoneName
NewPartitionName – The FQDN of the DNS application directory partition where the zone will be stored.