Reject of W2K gc._msdcs...

Craig Mason cmason at masontechnology.com
Thu Mar 2 04:43:55 UTC 2000


Hi Mark,


I've received some additional steps from Tim Maestas (Bind Users) to try,
listed below. My problem is that I need to get subzones - any subzones other
than example.com - to accept new DDNS information into their zone files. I
was missing the NS records listed below, so I'm going to try these tomorrow.

Sorry, yes indeed I did mean update { any; }; - that is what I have in
named.conf.


I'll attempt some testing, in my next posting I'll put the named.conf that I
finally make work (or not work).

I also have a meeting with an Active Directory expert from Microsoft
tomorrow. I will attempt to gain additional insights on other W2K installs
and share with the group.

Here are Tim's recommendations:


> Hi Tim,
>
> Could you give me an example of - say - sales.example.com - the SOA, NS,
> and A records recommended?


sales.example.com on the master server for the domain:

@	IN SOA	masternameserver.sales.example.com. root.example.com. (
			x ; serial
			x ; Refresh
			x ; Retry
			x ; Expire
			x ) ; Min TTL (negative)
	IN NS	masternameserver.sales.example.com.
masternameserver	IN	A	x.x.x.x


Then, in named.conf, check-names ignore, allow-update { ip.of.win2k.pdc; };.

The Win2k DC's will point their DNS to masternameserver's ip address.
Everything should go smoothly after this.

-Tim



Lastly, attached is some text from the Microsoft Windows 2000 deployment
guide, posted on their web site. See if it makes sense, I've read it several
times:



Distributing the Forest Wide Locator Records

Each domain controller in the forest registers two sets of locator records:
a set of domain-specific records that end in <DNS-domain-name>, and a set of
forest-wide records that end in _msdcs.<DNS-forest-name>. The forest-wide
records are interesting to clients and domain controllers from all parts of
the forest. For example, the global catalog locator records, and the records
used by the replication system to locate replication partners, are included
in the forest-wide records.

For any two domain controllers to replicate between each other, including
two domain controllers from the same domain, they must be able to look up
forest-wide locator records. In order for a newly created domain controller
to participate in replication, it must be able to register its forest-wide
records in DNS, and other domain controllers must be able to look up these
records. For this reason, it is important to make the forest-wide locator
records available to every DNS server in every site.

To do this, create a separate zone called _msdcs.<DNS-forest-name>, and
replicate that zone to every DNS server. If you are using the simple Active
Directory-integrated configuration, you can place the primary copy of this
zone in the forest root domain along with the <DNS-forest-name> zone. You
can then replicate the zone to DNS servers outside the domain using standard
DNS replication.

Generally, it is not sufficient to replicate the zone to only one DNS server
per site. If a DNS server does not have a local copy of the
_msdcs.<DNS-forest-name> zone, it must use DNS recursion to look up a name
in that zone. For a DNS server to perform recursion, it contacts a DNS
server that is authoritative for the root of the namespace (a DNS root
server) and proceeds down the delegations in DNS until it finds the record
in question. If there is no DNS root server in a site, and the links between
that site and other sites are down, a DNS server cannot perform recursion.
Thus, it will not be able to find any DNS servers that are authoritative for
_msdcs.<DNS-forest-name>, even if those DNS servers are in the same site.


Cheers

Craig





-----Original Message-----
From: marka at isc.org [mailto:marka at isc.org]On Behalf Of
Mark.Andrews at nominum.com
Sent: Wednesday, March 01, 2000 5:59 PM
To: cmason at masontechnology.com
Cc: Barry Finkel; bind-users at isc.org
Subject: Re: Reject of W2K gc._msdcs...



>
> Continued testing of this subject.
>
> I could not get my BIND server to write information to any other zone
> files. I tried creating the _msdcs.example.com zone, with the check-names
> ignore option... but nothing worked until I allowed the main zone -
> example.com - to include the check-names ignore option. Then the "gc" host
> gets added to example.com's zone file.
>

	It looks like Windows 2000 is broken then.  It should be
	able to work out which is the most enclosing zone and update that
	rather than attempting to update the parent zone.  If it
	doesn't do this then it becomes impossible to implement
	different policy for the Active Directory to that of the
	containing zone.

> So... as long as example.com accepts names with underscores, the host "gc"
> makes it into my master zone file. The format is the same as Barry's (see
> below).
>
>
> As I continued to test, I also found that no zones would accept dynamic
> information into their zone files. I created sales.example.com, put an
> entry for it in named.conf...
>
> 	e.g.
> 		zone "sales.example.com" {
> 			type master;
> 			file "sales.example.db";
> 			check-names ignore;
> 			allow-update { all; };
> 		};
>
>
> No hosts or W2K services ever make it into the zone file sales.example.db.
> I'm wondering what I am doing wrong.

	You most probably have not defined the acl "all". Did you mean "any"
	here?
>
>
> Craig

	Mark
>
>
>
>
>
> -----Original Message-----
> From: Mark.Andrews at nominum.com [mailto:Mark.Andrews at nominum.com]
> Sent: Friday, February 25, 2000 3:00 PM
> To: Barry Finkel
> Cc: bind-users at isc.org
> Subject: Re: Reject of W2K gc._msdcs...
>
>
>
> > "Craig Mason" <cmason at masontechnology.com> wrote:
> >
> > >I too am getting this. I'm working with Mark Andrews from the list to
> > >resolve. I think I'm also going to call in Microsoft at some point to
> > >get their take on this. Please keep the list informed on any progress.
> > >
> > >Thanks!
> > >
> > >Craig
> > >
> > >
> > >
> > >-----Original Message-----
> > >From: news at news.gigabell.net [mailto:news at news.gigabell.net]On Behalf
> > >Of Falko Mach
> > >Sent: Thursday, February 24, 2000 3:45 AM
> > >To: comp-protocols-dns-bind at moderators.isc.org
> > >Subject: Reject of W2K gc._msdcs...
> > >
> > >
> > >What's wrong if I see this in my log?
> > >
> > >default: warning: owner name "gc._msdcs.gtz.de" IN (primary) is
> > >invalid - rejecting
> > >
> > >It seems that all works fine.
> > >
> > >Tnx,
> > >falko
> > >
> > >mailto:    falko.mach at gtz.de
> >
> > This topic was covered earlier this week and last week.  Mark Andrews,
> > Sam Wilson, and Brian Miller  wrote about the RFCs - 952, 1183, and
> > 2181.  There was also mention of the relevant MS Technet articles.
> > Here is a summary.
> >
> > 952 says that the underscore character is illegal.  952 IS A STANDARD.
> > 1183 (IIRC) says that an initial numeric character is now legal.
> >      1183 IS A STANDARD.
>
> 	1123 you mean
>
> > 2181 says that almost any character is legal.  2181 is NOT a standard;
> >      it is standards-track.
>
> 	These RFCs are all consistent.  Hostnames are a *subset* of
> 	domainnames. RFC952 and RFC1123 are talking about hostnames,
> 	RFC1182 is talking about domainnames.
>
> 	The terms domainname and hostname are *not* interchangeable.
> 	All hostnames are domainnames. All domainnames are not hostnames.
> >
> > Microsoft decided that it would follow 2181 and use an underscore in
> > an "A" record.  BIND 8.2.2-p5 by default does not allow the underscore,
> > but you can change the options parameters to allow it.
>
> 	or zone.
>
> 	I suspect the real reason why Microsoft chose _msdcs was so as
> 	to *not* collide with any legal hostname.  However they
> 	attempt to put a hostname (gc._msdcs.example.com) within this
> 	zone (Catch 22).
>
> 	What Craig and I were doing was verifying that creating a separate
> 	zone for _msdcs and not just using the parent zone would not break
> 	things (Craig was not necessarily aware of what I was doing).
> 	This reduces the namespace that does not get checked however the
> 	lack of checking within _msdcs should not be a problem as only W2K
> 	boxes should care about what is in there and it is MS job to make
> 	sure that things don't break for themselves when they step outside
> 	of the RFCs.  This shouldn't break unless MS have stuffed up.
>
> 	e.g.
> 		zone "_msdcs.example.com" {
> 			type master;
> 			file "_msdcs.example.db";
> 			check-names ignore;
> 			allow-update { localnets; };
> 		};
> >
> > I had posted a query twice in the past months about this.  In my case,
> > the name with the underscore was not in DNS as an entire string; it
> > was split on two lines
> >
> >      $ORIGIN _msdcs.w2k.anl.gov.
> >      gc      600     IN      A       130.202.224.143
>
> 	This is master file format.  There is nothing strange about that,
> 	as BIND has been using it for years.
> >
> > The error message from BIND complained about the name
> >
> >      gc_msdcs.w2k.anl.gov
>
> 	You mean gc._msdcs.w2k.anl.gov
> >
> > and I could not locate that string in the zone.
> > ----------------------------------------------------------------------
> > Barry S. Finkel
> > Electronics and Computing Technologies Division
> > Argonne National Laboratory          Phone:    +1 (630) 252-7277
> > 9700 South Cass Avenue               Facsimile:+1 (630) 252-9689
> > Building 221, Room B236              Internet: BSFinkel at anl.gov
> > Argonne, IL   60439-4844             IBMMAIL:  I1004994
> >
> >
> >
> --
> Mark Andrews, Nominum Inc. / Internet Software Consortium
> 1 Seymour St., Dundas Valley, NSW 2117, Australia
> PHONE: +61 2 9871 4742                 INTERNET: Mark.Andrews at nominum.com
>
--
Mark Andrews, Nominum Inc. / Internet Software Consortium
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: Mark.Andrews at nominum.com
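As an added illustration (not code from this thread, from BIND or from Microsoft), the Python below models the three decisions the discussion turns on: which configured zone an update for gc._msdcs.example.com lands in (Mark's "most enclosing zone"), whether the zone's allow-update list admits the client, and whether check-names rejects an owner name that is a legal domain name but not a legal hostname. The zone list, addresses and the ACL evaluation are constructed assumptions, deliberately simplified from what BIND 8 really does.

```python
import ipaddress
import re
# RFC 952/1123 hostname label: letters, digits, hyphen, no leading/trailing hyphen.
# RFC 2181 allows any octet in a domain name, so "_msdcs" is a legal domain-name
# label but not a hostname label; that gap is exactly what check-names tests.
HOST_LABEL = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?$")

def is_hostname(name):
    return all(HOST_LABEL.match(lbl) for lbl in name.rstrip(".").split("."))

def most_enclosing_zone(name, zones):
    """Configured zone whose name is the longest suffix of `name` (or None)."""
    n, best = name.rstrip(".").lower(), None
    for z in zones:
        zn = z["name"].rstrip(".").lower()
        if (n == zn or n.endswith("." + zn)) and (best is None or len(zn) > len(best["name"])):
            best = z
    return best

def acl_allows(acl, client_ip, localnets=()):
    """Evaluate an allow-update list of builtin ACL names and IP/CIDR elements."""
    ip = ipaddress.ip_address(client_ip)
    for elem in acl:
        if elem in ("any", "none"):
            return elem == "any"
        try:
            nets = localnets if elem == "localnets" else [elem]
            if any(ip in ipaddress.ip_network(n, strict=False) for n in nets):
                return True
        except ValueError:  # e.g. { all; }: neither a builtin ACL nor an address
            raise ValueError("undefined ACL in allow-update: %r" % elem)
    return False

def process_update(name, rtype, client_ip, zones, localnets=()):
    """Simplified update decision: pick zone, check ACL, then apply check-names."""
    zone = most_enclosing_zone(name, zones)
    if zone is None:
        return ("NOTAUTH", None)
    if not acl_allows(zone["allow_update"], client_ip, localnets):
        return ("REFUSED", zone["name"])
    # check-names: an A-record owner must be a hostname unless the zone says ignore
    if rtype == "A" and zone.get("check_names", "fail") != "ignore" and not is_hostname(name):
        return ("REJECTED", zone["name"])
    return ("NOERROR", zone["name"])
# Constructed config in the spirit of the thread: strict parent, lenient children.
ZONES = [{"name": "example.com", "allow_update": ["none"]},
         {"name": "_msdcs.example.com", "check_names": "ignore", "allow_update": ["localnets"]},
         {"name": "sales.example.com", "check_names": "ignore", "allow_update": ["192.0.2.10"]}]
LOCALNETS = ["192.0.2.0/24"]  # constructed local network for the localnets ACL
```

With only the parent zone configured, the same gc._msdcs name is rejected by check-names; with the separate _msdcs zone present it is accepted there, and an allow-update list naming the undefined ACL "all" fails outright rather than silently admitting nobody.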



