Supporting domaindnszones forestdnszones in Active Directory

Barry Finkel b19141 at achilles.ctd.anl.gov
Thu Jul 8 13:08:27 UTC 2004 

Martin McCormick <martin at dc.cis.okstate.edu> wrote:

>	One of the models for supporting Microsoft Active Directory
>with bind is to create 6 zones of the form _msdcs.ad.my.domain,
>_sites.ad.my.domain, etc.  I am looking at the zone file from a
>running MS DNS and most of it fits right in to the way DNS and Bind
>4TH Edition describes it as well as some helpful souls on this list
>who had related their experiences.  One thing confuses me, however,
>and I must figure it out if we are to begin providing service for our
>AD environment.
>
>	I defined two more zones called
>
>_domaindnszones.ad.my.domain and _forestdnszones.ad.my.domain but when 
>I look at the actual zone transfer output, I see something like:
>
>DomainDnsZones.ad.my.domain. 600 IN	A	169.254.241.253
>
>_ldap._tcp.OZX._sites.DomainDnsZones.ad.my.domain. 600 IN SRV	
>0 100 389 OZXdc02.ad.my.domain.
>
>	It looks like there is a bunch of records in the domain
>domaindnszones.ad.my.domain.  I do not see the word forest anywhere in
>any form in the zone so I assume this server isn't using that domain.
>
>	The question is whether or not there needs to be an underscore _
>in that name like the 4 Windows 2000 zones or not?
>I certainly thought there was supposed to be one, but all the records
>for that domain have none.  The domain simply reads
>domaindnszones.ad.my.domain.
>
>	Is there a problem with the MS DNS or should I set up
>domaindnszones and forestdnszones sans _?
>
>	I am writing a shell script to filter out all those zones from
>the ad.my.domain zone and, of course, the bind dns must be looking for
>the right record names for it to work with those 2 Windows2003 zones.

The two extra zones needed for W2003 AD are

     DomainDNSZones.example.com
     ForestDNSZones.example.com

The zone names do NOT contain the "_" character.  In my two zones, I
have records

     _ldap._tcp.site1._sites  10M IN SRV  0 100 389 rhino221.anl.gov.
     _ldap._tcp.site2._sites  10M IN SRV  0 100 389 rhino221.anl.gov.
     _ldap._tcp.site3._sites  10M IN SRV  0 100 389 rhino221.anl.gov.
     _ldap._tcp.site4._sites  10M IN SRV  0 100 389 rhino221.anl.gov.

Where "siteN" refers to each of the four AD sites we have configured.
I am not sure why I see records for only one of my three DCs.

I did nothing special for these two new zones; I created them on my
W2k+3 DNS Server, and I slaved them on my BIND servers.  AD did all
the DDNS.
----------------------------------------------------------------------
Barry S. Finkel
Computing and Instrumentation Solutions Division
Argonne National Laboratory          Phone:    +1 (630) 252-7277
9700 South Cass Avenue               Facsimile:+1 (630) 252-4601
Building 222, Room D209              Internet: BSFinkel at anl.gov
Argonne, IL   60439-4828             IBMMAIL:  I1004994

More information about the bind-users mailing list