Active Directory Hosting Its Own DNS Namespace
This option is similar in design to the one just described, except that the Active Directory namespace connects to another internal namespace rather than to an external one. Active Directory-integrated zones can still be used for the Active Directory namespace, but Active Directory replication reaches only other Windows domain controllers. Where the Active Directory-integrated zone must also be replicated to a non-Active Directory DNS server, the third-party server holds it as a standard (secondary) zone and keeps it current by conventional zone transfer. This makes integration somewhat more difficult, and it limits the features that can be used across the whole namespace to those the third-party DNS service supports. In our example, vanc.nru.corp is an Active Directory-integrated zone hosted by Windows Server 2003, but it is delegated to from an existing DNS hierarchy that is running BIND.
In our example, as shown in Figure 5.3, the organization has an internal namespace with the domain name nru.corp, and vanc.nru.corp is a subdomain, or child domain, of the nru.corp root. The internal subdomain will be the parent domain for additional child domains that will be created in the future. Because a child domain's name is immediately subordinate to the name of its parent, the child domain for the finance department in Vancouver in our example, when added to the vanc.nru.corp namespace, might have the domain name fin.vanc.nru.corp.
Figure 5.3 vanc.nru.corp in its Own Namespace
This option has several advantages. First, only one name needs to be registered with a domain registrar if the internal namespace needs to be publicly accessible. Second, all internal domain names are globally unique because the namespace is contiguous. Finally, delegation administration is more straightforward because the internal and external domains can be managed separately.
The main disadvantage is that there will be zone files to manage. However, zone files were probably in use already, and this option adds only one more: the standard secondary copy of the Active Directory-integrated zone that the BIND servers receive by zone transfer. Furthermore, zone transfers between the child domain and the parent (in our example, the domain root) are unsecured. Windows Server 2003 DNS does not support signed (TSIG) zone transfers, so the only controls available are to restrict transfers on the Windows side to the addresses of the named secondaries (the Zone Transfers tab of the zone's properties, or dnscmd /ZoneResetSecondaries) and to set an allow-transfer list on the BIND side; both identify the peer by IP address only, so if the transferred data must be protected in transit it has to be carried over IPsec. Finally, while the Active Directory-integrated zone itself enjoys the benefits of being integrated with Active Directory, such as multimaster replication and secure dynamic update, those benefits cannot be extended to the rest of the DNS infrastructure.
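The delegation described above (the parent nru.corp zone on BIND handing vanc.nru.corp to the Windows domain controllers) and the address-based transfer restrictions that are the only protection available for those transfers, as an added example that is not part of the book's own text. It writes the BIND side of the configuration for the scenario in Figure 5.3 and then runs two checks a practitioner would want before reloading named: that every in-zone name server in the delegation has a glue A record, and that no zone allows transfers to `any`. The host names (ns1, dc1, dc2), the 10.0.0.0/8 addresses, the file paths and the serial number are all assumptions chosen for the example.

```shell
#!/bin/sh
# Added example (not from the book): BIND-side configuration for delegating
# vanc.nru.corp from the internal nru.corp zone to the Windows Server 2003 DCs
# that host it as an Active Directory-integrated zone, plus two lint checks.
# All host names, addresses and paths below are assumptions for the example.
set -eu

WORKDIR="${WORKDIR:-$(mktemp -d)}"

# Parent zone nru.corp. The delegation is the NS records for the child plus
# glue A records, which are required because the child's name servers live
# inside the zone being delegated (a resolver could not otherwise find them).
write_parent_zone() {
    cat > "$WORKDIR/db.nru.corp" <<'EOF'
$TTL 3600
$ORIGIN nru.corp.
@        IN SOA ns1.nru.corp. hostmaster.nru.corp. (
             2004010101 ; serial
             3600       ; refresh
             900        ; retry
             604800     ; expire
             3600 )     ; negative-cache TTL
@        IN NS  ns1.nru.corp.
ns1      IN A   10.0.0.5
; delegation of the Vancouver child domain to the Windows DCs
vanc     IN NS  dc1.vanc.nru.corp.
vanc     IN NS  dc2.vanc.nru.corp.
dc1.vanc IN A   10.1.0.10   ; glue
dc2.vanc IN A   10.1.0.11   ; glue
EOF
}

# named.conf fragment. nru.corp stays a standard master on BIND; vanc.nru.corp
# is pulled from a DC as a standard secondary so BIND can answer for it too.
# Transfers are restricted by address on both zones, which is the strongest
# control available because Windows 2003 DNS cannot sign transfers with TSIG.
write_named_conf() {
    cat > "$WORKDIR/named.conf.local" <<EOF
zone "nru.corp" {
    type master;
    file "$WORKDIR/db.nru.corp";
    allow-transfer { 10.0.0.6; };        // second BIND server only (assumed)
};

zone "vanc.nru.corp" {
    type slave;
    file "$WORKDIR/db.vanc.nru.corp";
    masters { 10.1.0.10; 10.1.0.11; };   // the Windows DCs holding the AD zone
    allow-transfer { none; };
};
EOF
}

# check_glue ZONEFILE CHILD ORIGIN: succeed only if every NS target of CHILD
# that lies inside ORIGIN has an A record (glue) in the same zone file.
# Name servers outside the zone need no glue and are ignored.
check_glue() {
    zonefile="$1"; child="$2"; origin="$3"
    missing=$(awk -v c="$child" -v sfx=".$origin" '
        $1 == c && $3 == "NS" {
            t = $4
            if (substr(t, length(t) - length(sfx) + 1) == sfx)
                ns[substr(t, 1, length(t) - length(sfx))] = 1
        }
        $3 == "A" { glue[$1] = 1 }
        END { n = 0; for (h in ns) if (!(h in glue)) n++; print n }' "$zonefile")
    [ "$missing" -eq 0 ]
}

# check_transfer_acl CONF ZONE: succeed only if the zone stanza carries an
# allow-transfer list that does not include "any".
check_transfer_acl() {
    conf="$1"; zone="$2"
    awk -v z="\"$zone\"" '
        $1 == "zone" && $2 == z { inzone = 1 }
        inzone && /allow-transfer/ { if ($0 ~ /[[:space:]{]any;/) open = 1; else restricted = 1 }
        inzone && /^};/ { inzone = 0 }
        END { exit (restricted && !open) ? 0 : 1 }' "$conf"
}

write_parent_zone
write_named_conf
if check_glue "$WORKDIR/db.nru.corp" vanc nru.corp.; then
    echo "delegation of vanc.nru.corp has glue for every in-zone name server"
else
    echo "delegation of vanc.nru.corp is missing glue" >&2; exit 1
fi
for z in nru.corp vanc.nru.corp; do
    if check_transfer_acl "$WORKDIR/named.conf.local" "$z"; then
        echo "zone $z: transfers restricted"
    else
        echo "zone $z: transfers not restricted" >&2; exit 1
    fi
done
```

On the Windows side the matching steps are to create the zone as Active Directory-integrated and restrict its transfers to the BIND secondary, for example `dnscmd /ZoneAdd vanc.nru.corp /DsPrimary` followed by `dnscmd /ZoneResetSecondaries vanc.nru.corp /SecureList 10.0.0.5` (10.0.0.5 being the assumed address of ns1). Both lists are address filters, not authentication, which is why the text above calls these transfers unsecured.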