What dns solution supports secure dynamic dns?
Active Directory-Integrated DNS
Active Directory-integrated DNS enables Active Directory storage
and replication of DNS zone databases. Windows 2000 DNS server, the
DNS server that is included with Windows 2000 Server, accommodates
storing zone data in Active Directory. When you configure a
computer as a DNS server, zones are usually stored as text files on
name servers - that is, all of the zones required by DNS are stored
in a text file on the server computer. These text files must be
synchronized among DNS name servers by using a system that requires
a separate replication topology and schedule called a zone transfer
However, if you use Active Directory-integrated DNS when you
configure a domain controller as a DNS name server, zone data is
stored as an Active Directory object and is replicated as part of
domain replication.
note-icon Note
Only DNS servers that run on domain controllers can load Active
Directory-integrated zones.
To use DNS integration within Active Directory, assign the zone
type Active Directory-integrated when you create the zone.Objects
that represent zone database records are created in the Microsoft
DNS container within the System container (visible in the Advanced
Features view in Active Directory Users and Computers), and the
contents are replicated to all domain controllers in the domain.
When you have Active Directory-integrated DNS zones, all Active
Directory domain controllers that run Windows 2000 DNS server and
are appropriately configured function as primary name servers.
When DNS data is stored in Active Directory, each DNS zone is an
Active Directory container object (class dnsZone ). The dnsZone
object contains a DNS node object (class dnsNode ) for every unique
name within that zone. These unique names include the variations
assigned to a specific host computer when it functions, for
example, as a primary domain controller or as a Global Catalog
server. The dnsNode object has a dnsRecord multivalue attribute
that contains a value for every resource record that is associated
with an object's name.
When other non-Windows 2000 DNS servers are already in place and
Active Directory domains represent only part of the overall DNS
namespace, standard zone transfer still can be used to synchronize
zone data between Active Directory and other DNS servers
When Windows 2000 DNS server is installed on at least one domain
controller and has Active Directory-integrated zones, the zone data
is always replicated to every domain controller in the domain.
How DNS integrates with Active Directory
When you install Active Directory on a server, you promote the
server to the role of a domain controller for a specified domain.
When completing this process, you are prompted to specify a DNS
domain name for the Active Directory domain for which you are
joining and promoting the server.
If during this process, a DNS server authoritative for the
domain that you specified either cannot be located on the network
or does not support the DNS dynamic update protocol, you are
prompted with the option to install a DNS server. This option is
provided because a DNS server is required to locate this server or
other domain controllers for members of an Active Directory
domain.
Once you have installed Active Directory, you have two options
for storing and replicating your zones when operating the DNS
server at the new domain controller:
* Standard zone storage, using a text-based file.
Zones stored this way are located in .Dns files that are stored
in the systemroot\System32\Dns folder on each computer operating a
DNS server. Zone file names correspond to the name you choose for
the zone when creating it, such as abc.com.dns if the zone name was
"abc.com."
* Directory-integrated zone storage, using the Active Directory
database.
Zones stored this way are located in the Active Directory tree
under the domain or application directory partition. Each
directory-integrated zone is stored in a dnsZone container object
identified by the name you choose for the zone when creating
it.
Benefits of Active Directory integration
For networks deploying DNS to support Active Directory,
directory-integrated primary zones are strongly recommended and
provide the following benefits:
* Multimaster update and enhanced security based on the
capabilities of Active Directory.
In a standard zone storage model, DNS updates are conducted
based upon a single-master update model. In this model, a single
authoritative DNS server for a zone is designated as the primary
source for the zone.
This server maintains the master copy of the zone in a local
file. With this model, the primary server for the zone represents a
single fixed point of failure. If this server is not available,
update requests from DNS clients are not processed for the
zone.
With directory-integrated storage, dynamic updates to DNS are
conducted based upon a multimaster update model.
In this model, any authoritative DNS server, such as a domain
controller running a DNS server, is designated as a primary source
for the zone. Because the master copy of the zone is maintained in
the Active Directory database, which is fully replicated to all
domain controllers, the zone can be updated by the DNS servers
operating at any domain controller for the domain.
With the multimaster update model of Active Directory, any of
the primary servers for the directory-integrated zone can process
requests from DNS clients to update the zone as long as a domain
controller is available and reachable on the network.
Also, when using directory-integrated zones, you can use access
control list (ACL) editing to secure a dnsZone object container in
the directory tree. This feature provides granulated access to
either the zone or a specified RR in the zone.
For example, an ACL for a zone RR can be restricted so that
dynamic updates are only allowed for a specified client computer or
a secure group such as a domain administrators group. This security
feature is not available with standard primary zones.
Note that when you change the zone type to be
directory-integrated, the default for updating the zone changes to
allow only secure updates. Also, while you may use ACLs on
DNS-related Active Directory objects, ACLs may only be applied to
the DNS client service.
* Zones are replicated and synchronized to new domain
controllers automatically whenever a new one is added to an Active
Directory domain.
Although DNS service can be selectively removed from a domain
controller, directory-integrated zones are already stored at each
domain controller, so zone storage and management is not an
additional resource. Also, the methods used to synchronize
directory-stored information offer performance improvement over
standard zone update methods, which can potentially require
transfer of the entire zone.
* By integrating storage of your DNS zone databases in Active
Directory, you can streamline database replication planning for
your network.
When your DNS namespace and Active Directory domains are stored
and replicated separately, you need to plan and potentially
administer each separately. For example, when using standard DNS
zone storage and Active Directory together, you would need to
design, implement, test, and maintain two different database
replication topologies. For example, one replication topology is
needed for replicating directory data between domain controllers,
and another topology would be needed for replicating zone databases
between DNS servers.
This can create additional administrative complexity for
planning and designing your network and allowing for its eventual
growth. By integrating DNS storage, you unify storage management
and replication issues for both DNS and Active Directory, merging
and viewing them together as a single administrative entity.
* Directory replication is faster and more efficient than
standard DNS replication.
Because Active Directory replication processing is performed on
a per-property basis, only relevant changes are propagated. This
allows less data to be used and submitted in updates for
directory-stored zones.
Taiga
Steve
Judy
