Zone Transfers - should they be enabled on all DNS servers, or only the primary?

Question

Wednesday, April 27, 2011 3:06 PM

I have four Windows 2008 R2 domain controllers, each a primary DNS server. All have high bandwidth connections. Currently only DC1 has "Allow Zone Transfers" enabled, and only on one Forward Lookup zone (our main domain name). DC2-4 do not have Zone Transfers enabled.

First, should Zone Transfers be enabled on all Forward Lookup zones? What about Reverse Lookup Zones?

Second, should each DC/DNS server also have Zone Transfers enabled on all the Forward or Reverse zones?


Thanks!

All replies (6)

Wednesday, April 27, 2011 4:00 PM ✅Answered

By default, IIRC, Zone transfers are not enabled with AD integrated zones. If you don't have any Secondary zones on any non-DCs pulling a copy of the zone (for whatever purpose), then no, I would disable it on all DC/DNS servers.

Zone transfers are not required for AD integrated zones because the zone is stored in the actual AD database and gets replicated to all DC/DNS servers in the replication scope of the zone (DomainNC partition, DomainDnsZones or ForestDnsZones application partitions).

Ace

Ace Fekay
MVP, MCT, MCITP EA, MCTS Windows 2008 & Exchange 2007 & Exchange 2010, Exchange 2010 Enterprise Administrator, MCSE & MCSA 2003/2000, MCSA Messaging 2003
Microsoft Certified Trainer
Microsoft MVP - Directory Services

This posting is provided AS-IS with no warranties or guarantees and confers no rights.


Thursday, April 28, 2011 2:38 AM ✅Answered

Hi MaxStr,

Thanks for posting here.

> First, should Zone Transfers be enabled on all Forward Lookup zones? What about Reverse Lookup Zones?

> Second, should each DC/DNS server also have Zone Transfers enabled on all the Forward or Reverse zones?

I go with Ace, since it is not necessary to configure a separate DNS replication topology that uses ordinary DNS zone transfers because all zone data is replicated automatically by means of Active Directory replication.

Active Directory-Integrated DNS Zones
http://technet.microsoft.com/en-us/library/cc731204(WS.10).aspx

For more information please also refer to the link below:

DNS zone replication in Active Directory
http://technet.microsoft.com/en-us/library/cc779655(WS.10).aspx

Thanks.

Tiger Li


TechNet Subscriber Support in forum

If you have any feedback on our support, please contact [email protected]

Please remember to click “Mark as Answer” on the post that helps you, and to click “Unmark as Answer” if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.


Thursday, February 21, 2013 7:20 AM

Hi,

Sorry for the late response, but I have a small doubt about this topic.

We have two forests with single domain each and a bi-directional trusting relationship between them. Each domain has its DNS domain zone for the domain and both are AD-Integrated with forest-wide scope.

I currently have the two zones transferred to the servers of the other domain. Is that correct and a good practice? How would you improve that environment?

Do you think it would be better not to transfer the zones?

Thank you.


Thursday, February 21, 2013 8:56 PM

I think a conditional forwarder is a better choice than creating Secondaries on your domain for the partner, and vice versa. This way you do not need zone transfers to be allowed. Here's more on it that explains your options:

What should I use, a Stub, Conditional Forwader, Forwarder, or Secondary Zone??
http://blogs.msmvps.com/acefekay/2012/09/18/what-should-i-use-a-stub-conditional-forwader-forwarder-or-secondary-zone/

Ace Fekay
MVP, MCT, MCITP/EA, MCTS Windows 2008/R2 & Exchange 2007, Exchange 2010 EA, MCSE & MCSA 2003/2000, MCSA Messaging 2003
Microsoft Certified Trainer
Microsoft MVP - Directory Services
Technical Blogs & Videos: http://www.delawarecountycomputerconsulting.com/

This post is provided AS-IS with no warranties or guarantees and confers no rights.


Monday, February 25, 2013 8:32 AM

> I think a conditional forwarder is a better choice than creating Secondaries on your domain for the partner.

Why do you recommend using conditional forwarding? Just for security matters?

I see that it is more secure to use conditional forwarding, but I'm speaking about trusted domains in the same organization.

Thank you.


Monday, February 25, 2013 10:59 PM

Even with trusted domains, conditional forwarders work: less hassle to set up, and no additional requirement to change settings on the Master when setting up a secondary.

Ace Fekay
MVP, MCT, MCITP/EA, MCTS Windows 2008/R2 & Exchange 2007, Exchange 2010 EA, MCSE & MCSA 2003/2000, MCSA Messaging 2003
Microsoft Certified Trainer
Microsoft MVP - Directory Services
Technical Blogs & Videos: http://www.delawarecountycomputerconsulting.com/

This post is provided AS-IS with no warranties or guarantees and confers no rights.
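Putting the two recommendations in this thread together (no zone transfers on AD-integrated zones; a conditional forwarder instead of a secondary for the partner forest), here is an added PowerShell example that is not from any of the posters. It assumes the DnsServer module (Windows Server 2012 and later; on 2008 R2 the same settings are made with dnscmd.exe or the DNS console), and the partner zone name and server addresses are placeholders.

```powershell
# Added example, not from the thread. Requires the DnsServer PowerShell module.
# Run on each DC/DNS server (or add -ComputerName to the Get/Set cmdlets).

# 1. Audit: AD-integrated primary zones are replicated by AD itself, so any
#    that still allow zone transfers deserve a second look (forward and reverse).
$transferAllowed = Get-DnsServerZone |
    Where-Object {
        $_.IsDsIntegrated -and $_.ZoneType -eq 'Primary' -and
        -not $_.IsAutoCreated -and $_.SecureSecondaries -ne 'NoTransfer'
    }

$transferAllowed |
    Select-Object ZoneName, IsReverseLookupZone, SecureSecondaries, SecondaryServers |
    Format-Table -AutoSize

# 2. Remediate: if no non-DC secondaries pull these zones, switch transfers off.
#    -WhatIf shows the change without applying it; drop it once reviewed.
foreach ($zone in $transferAllowed) {
    Set-DnsServerPrimaryZone -Name $zone.ZoneName -SecureSecondaries NoTransfer -WhatIf
}

# 3. Partner forest: replace a secondary copy of the partner zone with a
#    conditional forwarder, which needs no zone transfer permission on their side.
#    'partner.example' and the 192.0.2.x addresses are placeholders.
$partnerZone = 'partner.example'
$partnerDns  = @('192.0.2.10', '192.0.2.11')

$existing = Get-DnsServerZone -Name $partnerZone -ErrorAction SilentlyContinue
if ($existing -and $existing.ZoneType -eq 'Secondary') {
    # Remove the secondary first; the forwarder cannot share the zone name.
    Remove-DnsServerZone -Name $partnerZone -Force -WhatIf
    Write-Warning "Secondary zone $partnerZone still present; re-run after removing it."
}
elseif (-not $existing) {
    # Store the forwarder in AD so every DC/DNS server in the forest gets it.
    Add-DnsServerConditionalForwarderZone -Name $partnerZone `
        -MasterServers $partnerDns -ReplicationScope Forest
}
else {
    Write-Output "Zone $partnerZone already exists as $($existing.ZoneType); nothing to do."
}
```

The partner side does the same in reverse, pointing its conditional forwarder at your DCs, so neither forest has to open "Allow Zone Transfers" to the other.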