Mixed environments: DHCP Secure Update

Glenn Satchell Glenn.Satchell at uniq.com.au
Thu Mar 22 12:07:16 UTC 2007


>Date: Wed, 21 Mar 2007 20:50:21 +0100
>From: "Michele Vetturi" <mvetturi at yahoo.it>
>
>> You won't be able to allow the Windows systems to do secure updates
>> to the Bind service.
>>
>> You have the option of delegating those to the Windows box - it's
>> more overhead but allows you to split the DNS for the main domain
>> done properly on Bind, and the AD stuff done on the MS server. Having
>> recently had another look at a Windows box, I'm "not impressed" !
>>
>
>I saw everyone answered as you. Probably this is the most acceptable
>compromise and the best implementation in such environments.
>
>I think I will follow your suggestions. And now, let's work on the
>QA/test environment...
>
>> [cut]
>
>Thank you all, once again, for your time.
>
>-- 
>Michele Vetturi
>
I have successfully run a mixed BIND/AD environment for several years.
This is a largish network (3500 clients, originally Win2000 now XP)
using AD, but all DNS is run using BIND, in this case running on
Solaris. Originally used Bind 8, now Bind 9.2.x.

These articles give a pretty good rundown on using AD and BIND:

http://www.linux-mag.com/2001-03/bind_01.html
(seems you need to register to read this now)

http://www.microsoft.com/technet/treeview/default.asp?url=/technet/prodtechnol/iis/deploy/depovg/CfgBIND.asp
(link no longer available)

http://www.microsoft.com/technet/prodtechnol/windows2000serv/technologies/activedirectory/support/dnsw2kb.mspx
(general MS DNS articles)

http://support.microsoft.com/default.aspx?scid=kb;en-us;255913
(specific details about integrating AD into existing BIND setup)

On your DNS servers you create 4 extra zones for each main zone, and
allow the domain controllers access to update them. Make sure you
delegate them correctly.

         _udp.mydomain.com
         _tcp.mydomain.com
         _sites.mydomain.com
         _msdcs.mydomain.com

The domain controllers will add a number of SRV records and also A records in 
the top level zones. It was easier to just let them do this so that DNS worked 
properly. There is a tool called dcdiag.exe that you can run on the domain 
controller to verify that DNS is set up properly from AD's perspective.

The only option is to allow update by IP address, but hopefully the
Domain Controllers are fairly secure and no-one should be spoofing
their IP addresses. We didn't allow individual clients to do DNS updates.

For DNS management we used an open source web based tool downloaded from
dominium.sourceforge.net which we then hacked on pretty severely. I
haven't seen the original updated in a long time.

regards,
-glenn
--
Glenn Satchell     mailto:glenn.satchell at uniq.com.au | Some days we are
Uniq Advances Pty Ltd         http://www.uniq.com.au | the flies;  some
PO Box 70 Paddington NSW Australia 2021              | days we  are the
tel:0409-458-580  tel:02-9380-6360  fax:02-9380-6416 | windscreens...

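As an added illustration of the layout Glenn describes (not configuration from his post or his site), here is a named.conf fragment that creates the four AD sub-zones, restricts dynamic updates on them and on the parent zone to the domain controllers' addresses, and delegates the sub-zones from the parent. The zone name mydomain.com is taken from the post; the ACL name, file paths and the DC addresses 192.0.2.10/11 are placeholders.

```conf
// Added example, not from the original post. Addresses below are
// documentation-range placeholders; substitute the real DC addresses.
acl "ad-dcs" { 192.0.2.10; 192.0.2.11; };

// Parent zone: the DCs also register A/SRV records here, so it gets the
// same address-based allow-update. Every other source is denied.
zone "mydomain.com" {
    type master;
    file "master/mydomain.com.db";
    allow-update { ad-dcs; };
};

// The four AD sub-zones, each writable only from the DC addresses.
// Listing no other source means workstation clients cannot update.
zone "_udp.mydomain.com" {
    type master;
    file "master/_udp.mydomain.com.db";
    allow-update { ad-dcs; };
};
zone "_tcp.mydomain.com" {
    type master;
    file "master/_tcp.mydomain.com.db";
    allow-update { ad-dcs; };
};
zone "_sites.mydomain.com" {
    type master;
    file "master/_sites.mydomain.com.db";
    allow-update { ad-dcs; };
};
zone "_msdcs.mydomain.com" {
    type master;
    file "master/_msdcs.mydomain.com.db";
    allow-update { ad-dcs; };
};

// Delegation records to place in master/mydomain.com.db so the parent
// zone hands the sub-zones to this server (ns1 is a placeholder name).
//   _udp    IN NS ns1.mydomain.com.
//   _tcp    IN NS ns1.mydomain.com.
//   _sites  IN NS ns1.mydomain.com.
//   _msdcs  IN NS ns1.mydomain.com.
```

Because the access control here is by source address only, the update path is only as trustworthy as the network between the DCs and the BIND server; keep the DC addresses static and the ACL as short as possible.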

More information about the dhcp-users mailing list