Mixed environments: DHCP Secure Update

Glenn Satchell Glenn.Satchell at uniq.com.au
Thu Mar 22 14:02:25 UTC 2007


>Date: Thu, 22 Mar 2007 14:34:12 +0100
>From: "Michele Vetturi" <mvetturi at yahoo.it>
>
>> I have successfully run a mixed BIND/AD environment for several years.
>> This is a largish network (3500 clients, originally Win2000 now XP)
>> using AD, but all DNS is run using BIND, in this case running on
>> Solaris. Originally used Bind 8, now Bind 9.2.x.
>>
>> These articles give a pretty good run down on using AD and BIND:
>>
>> http://www.linux-mag.com/2001-03/bind_01.html
>> (seems you need to register to read this now)
>>
>> http://www.microsoft.com/technet/treeview/default.asp?url=/technet/prodtechnol/iis/deploy/depovg/CfgBIND.asp
>> (link no longer available)
>>
>> http://www.microsoft.com/technet/prodtechnol/windows2000serv/technologies/activedirectory/support/dnsw2kb.mspx
>> (general MS DNS articles)
>>
>> http://support.microsoft.com/default.aspx?scid=kb;en-us;255913
>> (specific details about integrating AD into existing BIND setup)
>>
>> On your DNS servers you create 4 extra zones for each main zone, and
>> allow the domain controllers access to update them. Make sure you
>> delegate them correctly.
>>
>>          _udp.mydomain.com
>>          _tcp.mydomain.com
>>          _sites.mydomain.com
>>          _msdcs.mydomain.com
>>
>> The domain controllers will add a number of SRV records and also A records in
>> the top level zones. It was easier to just let them do this so that DNS worked
>> properly. There is a tool called dcdiag.exe that you can run on the domain
>> controller to verify that DNS is set up properly from AD's perspective.
>>
>> The only option is to allow update by IP address, but hopefully the
>> Domain Controllers are fairly secure and no-one should be spoofing
>> their IP addresses. We didn't allow individual clients to do DNS updates.
>>
>> For DNS management we used an open source web based tool downloaded from
>> dominium.sourceforge.net which we then hacked on pretty severely. I
>> haven't seen the original updated in a long time.
>
>Great *How-To*... :)   Thank you.
>
>I appreciate all your efforts to support me.

No problem - this was something I had saved from about 5 years ago; I
only had to follow up the links as the old ones had disappeared.

regards,
-glenn
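A named.conf fragment for the zone layout described in the quoted message, added here as an example and not taken from the original post; mydomain.com, the domain controller addresses in the acl and the file names are assumed placeholders.

```conf
// Added example, not from the original post: BIND 9 named.conf fragment for
// the zone layout the message describes. The domain name, the domain
// controller addresses and the file names are assumed placeholders.

// Only the domain controllers may send dynamic updates (IP-based, as noted).
acl "ad-dcs" {
    192.0.2.10;    // dc1.mydomain.com (placeholder)
    192.0.2.11;    // dc2.mydomain.com (placeholder)
};

options {
    directory "/var/named";
    allow-update { none; };    // default for every zone unless overridden
};

// Top-level zone: the DCs also register A and SRV records here. Its zone file
// must carry NS records delegating each of the four sub-zones to this server.
zone "mydomain.com" {
    type master;
    file "master/mydomain.com.db";
    allow-update { ad-dcs; };
};

// The four AD sub-zones, each its own zone writable only from the DCs.
zone "_msdcs.mydomain.com" {
    type master;
    file "master/_msdcs.mydomain.com.db";
    allow-update { ad-dcs; };
};

zone "_sites.mydomain.com" {
    type master;
    file "master/_sites.mydomain.com.db";
    allow-update { ad-dcs; };
};

zone "_tcp.mydomain.com" {
    type master;
    file "master/_tcp.mydomain.com.db";
    allow-update { ad-dcs; };
};

zone "_udp.mydomain.com" {
    type master;
    file "master/_udp.mydomain.com.db";
    allow-update { ad-dcs; };
};
```

Run named-checkconf against the file before reloading the server so a typo in an acl or zone statement does not take the resolver down.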


More information about the dhcp-users mailing list