sending updates from windows 2k3 DNS to BIND

Barry Finkel b19141 at achilles.ctd.anl.gov
Fri Apr 21 14:05:20 UTC 2006


Will Yardley <&- at no.spam.veggiechinese.net> wrote:
>
>Sorry if this question is dumb or missing information - I'm not at all a
>Windows / AD type person.
>
>Is there any way to have a Windows DNS server and AD domain controller
>"push" dynamic updates for the AD-specific stuff (the SRV / WKS records
>AD uses internally)? I imagine it's not too hard to have the DC push DNS
>updates for the individual hosts, but is it possible to have it send
>updates for more central information?
>
>For various reasons, I'm not allowed to open up traffic back to where
>the Windows DC is, so the main (BIND) DNS servers would need to be
>configured to accept (incoming) updates somehow.
>
>Is there any other way I can do some sort of "push" (rather than pull)
>transfer, without writing some kludgy scripts to do it for me?

The MS Windows DNS Server follows the DNS protocols.  If the AD zone is
mastered on an MS W2k+3 DNS Server, then that server will receive the
SRV updates from a DC.  The method for getting these records to a BIND
server is for the BIND server to be a slave server and for the MS DNS
Server to be configured to transfer the updated zone(s) to the BIND
slave.  There is no way to have the DCs send updates both to the
MS DNS Server master and the BIND server.

I suppose that you could make the BIND server the master for the zones
and have the MS DNS Server the slave, but then you would not be able to
have secure DDNS updates from the DC, as BIND currently does not
implement the security model that MS uses.  I see no security problems
in letting the MS DNS Server talk to BIND slaves over TCP/UDP port 53.

Another way, albeit manual, is to configure the DC to write a

     netlogon.dns

file.  There is no way of knowing when this file has changed, so you
would have to periodically check for a new timestamp.  When updated,
you could manually import the records to the BIND server.  But the
updates would NOT be sent automatically to the MS DNS Server, and I
do not know offhand how one loads the netlogon.dns file into an MS
W2k+3 DNS Server.
----------------------------------------------------------------------
Barry S. Finkel
Computing and Information Systems Division
Argonne National Laboratory          Phone:    +1 (630) 252-7277
9700 South Cass Avenue               Facsimile:+1 (630) 252-4601
Building 222, Room D209              Internet: BSFinkel at anl.gov
Argonne, IL   60439-4828             IBMMAIL:  I1004994
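The master/slave arrangement described in the reply above, written out as a BIND 9 named.conf fragment. This is an added example, not part of the thread or of either poster's configuration; the zone name ad.example.com, the master address 192.0.2.10 and the slave address 198.51.100.5 are placeholders. It shows the piece the reply leaves implicit: the MS DNS Server stays the master and receives the DCs' dynamic updates, and the BIND server pulls the result with AXFR/IXFR after the master sends NOTIFY. Note that NOTIFY is only a hint; the slave still has to open TCP port 53 back to the master to do the transfer, so a strictly one-way rule ("nothing back to the DC") cannot be met with zone transfers alone.

```conf
// BIND 9 secondary ("slave") for an Active Directory zone held on an
// MS Windows 2003 DNS Server.  Added example; names and addresses are
// assumed placeholders, not taken from the thread.

// The only host allowed to tell us the zone changed and to feed transfers.
acl ms-dns-master { 192.0.2.10; };

// Listing the AD zone twice is deliberate: on a W2k3 DC the SRV records
// for the forest live under _msdcs, which is often delegated to its own
// zone on the MS master.  Transfer whichever zones actually exist there.
zone "ad.example.com" {
    type slave;
    file "slaves/ad.example.com.db";
    masters { 192.0.2.10; };
    allow-notify   { ms-dns-master; };   // accept NOTIFY only from the master
    allow-transfer { none; };            // do not re-export the zone from here
    allow-update   { none; };            // DC updates must go to the MS master
};

zone "_msdcs.ad.example.com" {
    type slave;
    file "slaves/_msdcs.ad.example.com.db";
    masters { 192.0.2.10; };
    allow-notify   { ms-dns-master; };
    allow-transfer { none; };
    allow-update   { none; };
};

// Windows side (run on the MS DNS master, address of the BIND slave assumed):
//   dnscmd /ZoneResetSecondaries ad.example.com /SecureList 198.51.100.5 /NotifyList 198.51.100.5
//   dnscmd /ZoneResetSecondaries _msdcs.ad.example.com /SecureList 198.51.100.5 /NotifyList 198.51.100.5
// or, in the DNS console, zone Properties -> Zone Transfers ->
// "Only to the following servers" plus Notify, both listing the slave.
```

Two checks worth doing after the first transfer: `dig @198.51.100.5 _ldap._tcp.dc._msdcs.ad.example.com SRV` should return the DC records, and `dig @198.51.100.5 ad.example.com AXFR` from an unlisted host should be refused. Restricting transfers by address on both sides matters here because the MS DNS Server does not sign zone transfers with standard TSIG, so address filtering (and the firewall rule for TCP/UDP 53 between the two servers) is the only thing bounding who can copy the AD zone.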



More information about the bind-users mailing list