Active Directory-Integrated Zones

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

DNS servers running on domain controllers can store their zones in Active Directory. In this way, it is not necessary to configure a separate DNS replication topology that uses ordinary DNS zone transfers, because all zone data is replicated automatically by means of Active Directory replication. This simplifies the process of deploying DNS and provides the following advantages:

  • Multiple masters are created for DNS replication. Therefore:

    • Any domain controller in the domain that runs the DNS Server service can write updates to the Active Directory–integrated zones for which it is authoritative. A separate DNS zone transfer topology is not needed.

  • Secure dynamic updates are supported. Secure dynamic updates allow an administrator to control which computers may update which names, and prevent unauthorized computers from overwriting existing names in DNS.

Windows Server 2003 DNS stores zone data in Active Directory application directory partitions. The domain partition was the only Active Directory storage option in Windows 2000 Server, and it remains available in Windows Server 2003 DNS for backward compatibility. The following DNS-specific application directory partitions are created during Active Directory installation:

  • A forest-wide application directory partition, called ForestDnsZones.

  • Domain-wide application directory partitions for each domain in the forest, named DomainDnsZones.
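The two properties described above, whether a zone is stored in Active Directory and whether it accepts only secure dynamic updates, can be audited from the DNS server itself. The following PowerShell script is an added example and is not part of this Microsoft documentation; it assumes the DNS WMI provider (namespace root\MicrosoftDNS, class MicrosoftDNS_Zone) is available on the DNS server and that the AllowUpdate property uses the values 0 (no dynamic updates), 1 (nonsecure and secure) and 2 (secure only). The function Test-DnsZonePosture and the constructed sample zones are hypothetical and exist only for this example.

```powershell
# Added example (not Microsoft's code): audit DNS zones for AD integration
# and secure-only dynamic updates, the two settings this page describes.

# Assumed meaning of MicrosoftDNS_Zone.AllowUpdate values.
$AllowUpdateNames = @{ 0 = 'None'; 1 = 'NonsecureAndSecure'; 2 = 'SecureOnly' }

function Test-DnsZonePosture {
    param(
        # Objects with Name, DsIntegrated (bool) and AllowUpdate (int) properties,
        # either from WMI or constructed for offline use.
        [Parameter(Mandatory = $true)] [object[]] $Zones
    )

    foreach ($zone in $Zones) {
        $findings = @()

        # A zone held in a file instead of Active Directory relies on ordinary
        # zone transfers and cannot use secure dynamic updates.
        if (-not $zone.DsIntegrated) {
            $findings += 'Not Active Directory-integrated'
        }

        # AllowUpdate = 1 lets any host overwrite existing names;
        # secure only (2) ties each name to the account that registered it.
        if ($zone.AllowUpdate -eq 1) {
            $findings += 'Nonsecure dynamic updates allowed'
        }

        $updateName = $AllowUpdateNames[[int]$zone.AllowUpdate]
        if (-not $updateName) { $updateName = "Unknown($($zone.AllowUpdate))" }

        [pscustomobject]@{
            Zone         = $zone.Name
            DsIntegrated = [bool]$zone.DsIntegrated
            AllowUpdate  = $updateName
            Status       = if ($findings.Count -eq 0) { 'OK' } else { $findings -join '; ' }
        }
    }
}

function Get-LiveDnsZones {
    # Query the local DNS server through its WMI provider; reverse lookup
    # zones are included because they accept dynamic updates as well.
    Get-WmiObject -Namespace 'root\MicrosoftDNS' -Class 'MicrosoftDNS_Zone' |
        Select-Object Name, DsIntegrated, AllowUpdate
}

# Constructed sample data so the logic can be exercised without a DNS server.
$SampleZones = @(
    [pscustomobject]@{ Name = 'corp.example.test';  DsIntegrated = $true;  AllowUpdate = 2 },
    [pscustomobject]@{ Name = 'lab.example.test';   DsIntegrated = $true;  AllowUpdate = 1 },
    [pscustomobject]@{ Name = 'legacy.example.test'; DsIntegrated = $false; AllowUpdate = 0 }
)

# Offline run against the constructed zones; on a DNS server replace
# $SampleZones with (Get-LiveDnsZones).
Test-DnsZonePosture -Zones $SampleZones | Format-Table -AutoSize
```

Against the sample data the script reports corp.example.test as OK, lab.example.test as allowing nonsecure updates, and legacy.example.test as not Active Directory-integrated. Zones that store data in the domain partition rather than DomainDnsZones or ForestDnsZones still pass this check; the replication scope is a separate setting that this audit does not inspect.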

For more information about how Active Directory stores DNS information in application partitions, see the DNS Technical Reference and Windows Server 2003 Help and Support.