Changing an Active Directory-integrated zone to secondary reverts to Active Directory-integrated (268584)



The information in this article applies to:

  • Microsoft Windows Server 2003, Enterprise Edition
  • Microsoft Windows Server 2003, Standard Edition
  • Microsoft Windows Server 2003, Datacenter Edition
  • Microsoft Windows 2000 Server
  • Microsoft Windows 2000 Advanced Server
  • Microsoft Windows 2000 Datacenter Server

This article was previously published under Q268584

SYMPTOMS

When you change your DNS Active Directory-integrated zone type to secondary and then restart your computer or stop and start the DNS service, the zone type may change back to Active Directory-integrated.

CAUSE

This issue can occur because, by default, any domain controller that is running the DNS service has Active Directory-integrated DNS zones. Although the zone type can be modified in DNS Manager, the zone type is changed back when you restart your computer or stop and start the DNS service.

RESOLUTION

To work around this issue if a secondary server is needed for a given DNS zone, use a member server (not a domain controller) as the secondary server for the DNS zone:

From the Windows 2000 Resource Kit

If you are using Active Directory, use directory-integrated storage for your zones.

In an integrated zone, domain controllers for each of your Active Directory domains correspond in a direct one-to-one mapping to DNS servers. When you troubleshoot DNS and Active Directory replication problems, the same server computers are used in both topologies, which simplifies planning, deployment, and troubleshooting.

Using directory-integrated storage also simplifies dynamic updates for DNS clients that are running Windows 2000. When you configure a list of preferred and alternate DNS servers for each client, you can specify servers that correspond to domain controllers that are located near each client. If a client fails to update with its preferred server because the server is unavailable, the client can then try an alternate server. When the preferred server becomes available, it loads the updated, directory-integrated zone that includes the updates that the client made.

If you are not using Active Directory integration, correctly configure your clients and understand that a standard primary zone becomes a single point of failure for dynamic updates and for zone replication.

Standard primary zones are required to create and manage zones in your DNS namespace if you are not using Active Directory. In this case, a single-master update model applies, with one DNS server designated as the primary server for a zone. Only the primary server, as determined in the SOA record properties for the zone, can process an update to the zone.

For this reason, make sure that this DNS server is reliable and available. Otherwise, clients cannot update their A or PTR resource records.

Consider using secondary or caching-only servers for your zones to offload DNS query traffic.

Secondary servers can be used as backups for DNS clients, but they can also be used as the preferred DNS servers for legacy DNS clients. For mixed-mode environments, this enables you to balance the load of DNS query traffic on your network and, thus, reserve your DNS-enabled primary servers for Windows 2000-based clients that need primary servers to perform dynamic registration and updates of their A and PTR resource records.
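The following PowerShell script is an added example, not part of the Knowledge Base article or the Resource Kit text; it shows the RESOLUTION applied on a member server, where a file-backed secondary zone cannot be reverted to Active Directory-integrated on restart. It assumes Windows Server 2012 or later with the DnsServer module (the Windows 2000/2003 systems the article covers would use the DNS console or dnscmd instead), and the zone name and master address are placeholders.

```powershell
# Added example (not from the KB article): create the secondary copy of an
# AD-integrated zone on a MEMBER SERVER, as the RESOLUTION section recommends.
# Assumptions: run on the member server, Windows Server 2012 or later with the
# DnsServer PowerShell module; zone name and master address are placeholders.
Import-Module DnsServer

$ZoneName      = 'corp.example.com'   # placeholder zone name
$MasterServers = @('10.0.0.10')       # placeholder: a DC holding the AD-integrated primary

# Only create the zone if this server does not already host a copy of it
if (-not (Get-DnsServerZone -Name $ZoneName -ErrorAction SilentlyContinue)) {
    Add-DnsServerSecondaryZone -Name $ZoneName `
                               -ZoneFile "$ZoneName.dns" `
                               -MasterServers $MasterServers
}

# Pull the first copy now instead of waiting for the SOA refresh interval
Start-DnsServerZoneTransfer -Name $ZoneName -FullTransfer

# Confirm the zone is a file-backed secondary: ZoneType 'Secondary',
# IsDsIntegrated False, and a .dns file under %SystemRoot%\System32\dns
Get-DnsServerZone -Name $ZoneName |
    Select-Object ZoneName, ZoneType, IsDsIntegrated, ZoneFile
```

The transfer only succeeds if the primary (the domain controller) permits zone transfers to this member server; restrict that permission to the named secondary rather than allowing transfers to any host, so the zone data is not exposed to arbitrary queriers.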

STATUS

This behavior is by design.

WORKAROUND

You can also get around this issue by deleting the zone from the Active Directory before you restart the DNS server. To do so:
  1. After you have changed the zone to secondary, and before you restart, open Active Directory Users and Computers.
  2. On the View menu, click Advanced Features.
  3. Expand the System folder, click MicrosoftDNS, and then delete the zone file object with the secondary zone name. If this step is not performed on the domain controller that hosts the secondary DNS zone, you must wait for the replication of the Active Directory to occur. You can force replication in the domain to make the change immediately.
  4. After the server has restarted, the Active Directory will not be aware of the zone and will not change it back to "Active Directory-integrated".
For additional information about how to initiate replication, click the article number below to view the article in the Microsoft Knowledge Base:

232072 Initiating Replication Between Direct Replication Partners
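The following PowerShell script is an added example, not part of the Knowledge Base article; it performs the check behind the WORKAROUND above, confirming whether a dnsZone object for the zone still exists under the System\MicrosoftDNS container so that you know in advance whether the DNS service will reload the zone as Active Directory-integrated on the next restart. It assumes a domain controller running Windows Server 2008 R2 or later with the ActiveDirectory and DnsServer modules (the article's Windows 2000/2003 systems lack these cmdlets), and the zone name is a placeholder. It goes beyond the article in one respect: on Windows Server 2003 and later, zones may also be stored in the DomainDnsZones and ForestDnsZones application partitions, so those containers are searched as well.

```powershell
# Added example (not from the KB article): before restarting the DNS service,
# verify that no dnsZone object remains in Active Directory for a zone you have
# changed to secondary. If one remains, the service reverts the zone to
# AD-integrated at restart (the behaviour the article describes).
# Assumptions: run on a domain controller, Windows Server 2008 R2 or later,
# with the ActiveDirectory and DnsServer modules; the zone name is a placeholder.
Import-Module ActiveDirectory
Import-Module DnsServer

$ZoneName = 'corp.example.com'   # placeholder zone name

# Current state as the local DNS service sees it
$zone = Get-DnsServerZone -Name $ZoneName
"Local DNS view of '{0}': ZoneType={1}, IsDsIntegrated={2}" -f `
    $zone.ZoneName, $zone.ZoneType, $zone.IsDsIntegrated

# Containers where the DNS service looks for directory-stored zones:
# the domain partition path named in the article (Windows 2000 default),
# plus the application partitions used by Windows Server 2003 and later.
$domainDN = (Get-ADDomain).DistinguishedName
$searchBases = @(
    "CN=MicrosoftDNS,CN=System,$domainDN",
    "CN=MicrosoftDNS,DC=DomainDnsZones,$domainDN",
    "CN=MicrosoftDNS,DC=ForestDnsZones,$domainDN"
)

$found = foreach ($base in $searchBases) {
    Get-ADObject -SearchBase $base `
                 -LDAPFilter "(&(objectClass=dnsZone)(name=$ZoneName))" `
                 -ErrorAction SilentlyContinue
}

if ($found) {
    foreach ($obj in $found) {
        Write-Warning ("dnsZone object still present: {0}. The DNS service will " +
                       "reload '{1}' as AD-integrated at the next restart." -f `
                       $obj.DistinguishedName, $ZoneName)
    }
} else {
    "No dnsZone object for '$ZoneName' found in any searched container; " +
    "the secondary setting will survive a restart of the DNS service."
}
```

As step 3 of the workaround notes, a deletion made on another domain controller is not visible here until Active Directory replication has completed, so run the check on the domain controller that hosts the zone, or after forcing replication, before restarting the DNS service.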


Modification Type: Minor
Last Reviewed: 6/13/2006
Keywords:kbnetwork kbnofix kbprb KB268584