Cache locking

Another method for preventing cache poisoning is with cache locking. Cache locking prevents cached responses from being overwritten during their Time to Live (TTL). Cache locking is configured as a percentage of the TTL. So if the TTL is 3600 seconds, a cache-locking percentage of 50 would prevent the cached value from being overwritten for 1800 seconds, or 50 percent of the TTL. You can configure cache locking by using the CacheLockingPercent registry key or the dnscmd tool.
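
As an added example (not from the book), the following PowerShell audits the effective cache-locking percentage on the local DNS server, works out how long a record with a given TTL stays locked, and optionally raises the setting with Set-DnsServerCache; the minimum percentage and the 3600-second sample TTL are assumed values.

```powershell
# Added example, not the book's own code: audit and, if requested, raise the
# DNS server's cache-locking percentage. Run on the DNS server itself with the
# DnsServer module. MinimumPercent and SampleTtlSeconds are assumptions.
#Requires -Modules DnsServer
param(
    [ValidateRange(0, 100)][int]$MinimumPercent = 100,
    [int]$SampleTtlSeconds = 3600,
    [switch]$Remediate
)

# Seconds during which a cached record cannot be overwritten: TTL * percent / 100.
function Get-CacheLockWindowSeconds {
    param([int]$TtlSeconds, [int]$LockingPercent)
    return [math]::Floor($TtlSeconds * $LockingPercent / 100)
}

# Effective value the server is using (the server default applies when the
# CacheLockingPercent registry value has never been set explicitly).
$effective = (Get-DnsServerCache).LockingPercent

# Explicit registry value, present only if an administrator or dnscmd set one.
$regPath  = 'HKLM:\SYSTEM\CurrentControlSet\Services\DNS\Parameters'
$regValue = (Get-ItemProperty -Path $regPath -Name CacheLockingPercent `
             -ErrorAction SilentlyContinue).CacheLockingPercent
$regText  = if ($null -eq $regValue) { 'not set' } else { $regValue }

$window = Get-CacheLockWindowSeconds -TtlSeconds $SampleTtlSeconds -LockingPercent $effective
Write-Output ("LockingPercent={0} (registry: {1}); a {2}s TTL is locked for {3}s" -f
              $effective, $regText, $SampleTtlSeconds, $window)

if ($effective -lt $MinimumPercent) {
    Write-Warning "Cache locking is below $MinimumPercent percent; cached records can be replaced before their TTL expires."
    if ($Remediate) {
        # Equivalent to: dnscmd /Config /CacheLockingPercent $MinimumPercent
        Set-DnsServerCache -LockingPercent $MinimumPercent
        Write-Output "LockingPercent raised to $MinimumPercent"
    }
}
```

Run without -Remediate to report only; add -Remediate to apply the minimum when the current value is lower.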

Disjoint namespaces
A disjoint namespace has a different Active Directory domain and DNS domain suffix. For example, a DNS suffix of corp.adventure-works.com with an Active Directory domain of int.corp.adventure-works.com is in a disjoint namespace. Domain members register resource records in the domain of which they are members (int.corp.adventure-works.com in the example). The domain controller then registers both global and site-specific service (SRV) records into the DNS domain. The SRV records are also placed in the _msdcs zone.

Disjoint namespaces are used when business rules dictate that namespace separation needs to occur. However, applications to be used in a disjoint namespace should be tested because they may expect that the domain and DNS suffix match and therefore may not work.
Disjoint namespaces require additional administration overhead because of the manual processes involved to manage the DNS and Active Directory information.
The following configurations support disjoint namespaces:
– In a multi-domain Active Directory forest with a single DNS namespace or zone
– In a single Active Directory domain that’s split into multiple DNS zones
On the other hand, a disjoint namespace won’t work in the following configurations:
– When a suffix matches an Active Directory domain in the current or another forest
– When a certification authority (CA) domain member changes its DNS suffix

DNS interoperability
Microsoft’s implementation of DNS complies with the relevant DNS-related RFCs, thus making interoperability possible with other servers. The Enable BIND Secondaries check box on the Advanced tab of the DNS server Properties sheet enables the Windows-based DNS server to interact with a server running the BIND name server. Refer to Figure 2-9 for a screenshot of this tab.