AD records in BIND

Barry Finkel b19141 at achilles.ctd.anl.gov
Fri Feb 27 14:20:16 UTC 2004


>Jeff Stevens <jstevens at vnet.ibm.com> wrote:
>
>I sometimes get asked about how to make Windows AD work with BIND, but I 
>am not familiar with AD nor how the Domain Controller is set up to insert 
>SRV and CNAME records into the BIND zone.  I understand how to set up 
>BIND just fine, but if someone were to give me the short version how to 
>set up AD, I might be able to play with one and learn something new...

I have read the replies in the daily digest, and I have additional
information.

You can configure your BIND server to allow dynamic DNS updates from
the Domain Controller(s).  But these updates will not be secure, as
BIND does not implement the security scheme that MS has implemented
(and recently documented in an RFC).

You can also have the Netlogon service on the DC write a file

     netlogon.dns

(IIRC), that contains the SRV records.  You can then FTP that file
to your BIND server and $INCLUDE it into an existing zone.  The SRV
records will not change much after the initial configuration of the DC,
so you probably will not need to FTP an updated file very often.  The

     _msdcs.example.com

zone will contain CNAME records for all of the DCs in the AD forest,
so if you add or remove DCs, this zone will change.

Or you can keep the four (six for W2003) AD zones on a W2k DNS Server
and slave the zones on your BIND box.  Check the archives of this list
and of its sister list bind9-users at isc.org for more details.
----------------------------------------------------------------------
Barry S. Finkel
Computing and Instrumentation Solutions Division
Argonne National Laboratory          Phone:    +1 (630) 252-7277
9700 South Cass Avenue               Facsimile:+1 (630) 252-4601
Building 222, Room D209              Internet: BSFinkel at anl.gov
Argonne, IL   60439-4828             IBMMAIL:  I1004994
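Added illustration (not part of the message above or any ISC documentation) of what the three alternatives look like in named.conf, assuming example.com as the AD domain, 192.0.2.10 and 192.0.2.11 as the DCs, and placeholder file paths; the four W2k zone names are the standard set, which the message itself does not list.

```conf
// named.conf excerpts for the three alternatives above.
// Pick one; they are not meant to be combined on the same zone.
// Placeholders: example.com, 192.0.2.10/.11 (the DCs), file paths.

// 1. Accept dynamic updates from the DCs into the existing zone.
//    BIND (as of this post) does not implement the MS update-signing
//    scheme, so the source-address list is the only control: name the
//    DCs and nothing else.
zone "example.com" {
    type master;
    file "master/example.com.zone";
    allow-update { 192.0.2.10; 192.0.2.11; };
};

// 2. Leave the AD zones on the W2k DNS server and slave them here.
//    The four W2k zones (assumed; the message does not name them) are
//    the standard _msdcs, _sites, _tcp and _udp subdomains; W2003 adds two.
zone "_msdcs.example.com" {
    type slave;
    file "slave/_msdcs.example.com";
    masters { 192.0.2.10; };
};
zone "_sites.example.com" {
    type slave;
    file "slave/_sites.example.com";
    masters { 192.0.2.10; };
};
zone "_tcp.example.com" {
    type slave;
    file "slave/_tcp.example.com";
    masters { 192.0.2.10; };
};
zone "_udp.example.com" {
    type slave;
    file "slave/_udp.example.com";
    masters { 192.0.2.10; };
};

// 3. Static zone: copy the Netlogon-generated netlogon.dns from the DC
//    and pull it into the zone file. This line belongs in
//    example.com.zone (zone files use ';' comments), not in named.conf:
//
//    $INCLUDE "master/netlogon.dns"
//
//    Bump the SOA serial after each copy. The _msdcs CNAMEs change
//    whenever a DC is added or removed; the SRV records rarely do.
```

With alternative 1 the zone is maintained by the server's journal, so do not hand-edit or $INCLUDE into that same zone file.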