3.1.6.2 Directory server security descriptors reading and caching
If the server is directory server integrated, directory server security descriptors MUST be read from the directory server using LDAP every DsPollingInterval (section 3.1.1) after DNS server boot. After each read, the server MUST cache the security descriptors.
Additionally, a Zone Access Control List (section 3.1.1) security descriptor MUST be read from the directory server when the corresponding zone (or zone scope<295>) is loaded during server boot time. This security descriptor MUST also be read when the corresponding zone or zone scope is created through the ZoneCreate or CreateZoneScope operation (section 3.1.4.1) and when the corresponding zone's directory partition encounters the EnlistDirectoryPartition operation (section 3.1.4.1).
Additionally, an Application Directory Partition Access Control List (section 3.1.1) security descriptor MUST be read from the directory server when the corresponding application directory partition is loaded during server boot time. This security descriptor MUST also be read when the corresponding application directory partition encounters the EnlistDirectoryPartition or ZoneChangeDirectoryPartition operation (section 3.1.4.1).