This has been bugging me for a while.

We all know Active Directory is a LDAP database.

We also know that the Windows DNS service, when running on a domain controller, can store its data in AD instead of plain text zone files, thus taking advantage of AD automatic replication and removing the need for primary/secondary DNS servers.

The question: where and how are DNS data actually stored in Active Directory?

Can they be accessed using LDAP tools such as ADSIEdit?
Is any DNS entry an actual LDAP object?
An attribute in an object?
Something entirely different?

Massimo
LDAP is a network protocol. It does not specify how data is stored. So Active Directory has a database that is exposed through an LDAP interface. – Mircea Vutcovici Dec 18 '12 at 19:04


Here is an article I found that may get you started. I can never remember the path to the records off the top of my head.

As it mentions, basically you can find your DNS information in AD at this path:

DC=<ZoneName>,cn=MicrosoftDNS,cn=System,<DomainDN>,

So if you had a domain example.org you would see it at:

DC=example.org,CN=MicrosoftDNS,CN=System,DC=example,DC=org

Your questions:

Is any DNS entry an actual LDAP object?

Your zones will have an object class of dnsZone. Under the zone there will be all your records stored as the class dnsNode.

Can they be accessed using LDAP tools such as ADSIEdit?

Yes, fire up adsiedit or ldp and browse to the above location.

Zoredache
I'm accepting this answer because it pointed me in the right direction, however it isn't completely right: as the article mentions, the cn=MicrosoftDNS,cn=System, container is used only on Windows 2000 domains; from Windows 2003 onward things are different and you find DNS data in the DomainDnsZones and ForestDnsZones directory partitions (accessible through ADSIEdit by connecting to the LDAP paths "DC=DomainDnsZones," and "DC=ForestDnsZones,"). – Massimo Aug 13 '10 at 08:28
Those are the default DNS application partitions in the directory; they can be changed too (just so you're aware). – Chris S Aug 13 '10 at 12:31
@Massimo After 2003 or newer, the record could still be under cn=MicrosoftDNS - it's all about what you select when you create AD-integrated zones. You can either select, "replicate to all DNS servers in domain/forest", or "all DCs in domain/forest". This will put the zone either in MicrosoftDNS or Domain/ForestDNSZones – strongline Sep 14 '16 at 19:39
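As an added example (not code from the answer or its commenters), the following PowerShell enumerates dnsZone objects and counts their dnsNode children in all three locations the thread mentions: the legacy CN=MicrosoftDNS,CN=System container, DomainDnsZones and ForestDnsZones. It assumes the ActiveDirectory module (RSAT) is available and that the account can read the partitions; the domain name example.org in the comments is a constructed value.

```powershell
# Added example: where AD-integrated DNS zones live, checked from LDAP rather than dnsmgmt.
# Assumes the ActiveDirectory PowerShell module (RSAT) is installed on the machine.
Import-Module ActiveDirectory

$domainDN     = (Get-ADDomain).DistinguishedName                       # e.g. DC=example,DC=org
$forestRootDN = (Get-ADDomain -Identity (Get-ADForest).RootDomain).DistinguishedName

# The three containers discussed in the thread. The first is the Windows 2000 location,
# still used when a zone replicates to "all DCs in the domain"; the other two are the
# DNS application partitions introduced with Windows Server 2003 (defaults, so they may
# have been renamed in a given forest).
$searchBases = @(
    "CN=MicrosoftDNS,CN=System,$domainDN",
    "DC=DomainDnsZones,$domainDN",
    "DC=ForestDnsZones,$forestRootDN"
)

foreach ($base in $searchBases) {
    # A partition may not exist or may not be hosted on the DC we are talking to.
    try {
        $null = Get-ADObject -Identity $base -ErrorAction Stop
    } catch {
        Write-Host "Not present or not readable: $base"
        continue
    }

    # Zones are dnsZone objects directly under the container.
    $zones = Get-ADObject -SearchBase $base -SearchScope OneLevel `
        -LDAPFilter "(objectClass=dnsZone)" -Properties whenChanged

    foreach ($zone in $zones) {
        # Each record name is a dnsNode object under the zone; the record data itself
        # sits in the binary dnsRecord attribute of that node.
        $nodes = Get-ADObject -SearchBase $zone.DistinguishedName -SearchScope OneLevel `
            -LDAPFilter "(objectClass=dnsNode)"
        "{0,-30} {1,6} nodes  changed {2:u}  in {3}" -f `
            $zone.Name, @($nodes).Count, $zone.whenChanged, $base
    }
}
```

Running this on each DC and comparing the per-container zone lists is a quick way to confirm which replication scope a zone was created with, which is the point strongline's comment makes.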