Reject of W2K gc._msdcs...

Lee Flight lef at leicester.ac.uk
Thu Mar 9 14:18:08 UTC 2000


We use Windows2000 with a zone for a Windows forest delegated to Microsoft
DNS server running on Windows2000 domain controllers. Not surprisingly this 
exhibits no problems with DDNS registration of the gc._msdcs.<forest zone>
records. In the process of setting up a new forest I have tested the following 
scenario on Microsoft DNS on Windows2000 server and on BIND 8.2.2P5 running on 
Solaris2.7:

create a zone for the Windows2000 forest root (example.com) but do not
allow dynamic update on that zone,

create a second zone _msdcs.example.com on the same server and allow
dynamic update on that zone

In the case of BIND the relevant snippet from named.conf was:

zone "example.com" {
        type master;
        file "zone.example.com";
};
zone "_msdcs.example.com" {
        type master;
        file "zone.msdcs.example.com";
        allow-update {123.456/16;};
};

where 123.456/16 was our local network. In *both* cases (Microsoft and
BIND) the gc._msdcs record was correctly updated by the Windows2000 server 
into _msdcs.example.com zone. 
In fact I added an additional three zones ( _sites.example.com, _tcp.example.com 
and _udp.example.com) all with allow-update and all of them received the 
appropriate updates generated by the Windows2000 server.

Some things I noticed whilst working with the BIND configuration:

messages about unapproved updates to the example.com zone - these were all
due to the Windows2000 server attempting to plant an A RR into that zone. 
This was redundant as a static A RR had already been set in that zone for the server.

innocuous messages "named[539]: owner name "gc._msdcs.example.com IN
(primary) is invalid - proceeding anyway" in syslogs

the configuration generated some "named[539]: suppressing duplicate notify 
("_msdcs.example.com" IN SOA)" 
messages in syslogs, presumably a result of hosting both zones on the same
server?

Something I noticed on the Windows2000 server is that ipconfig/registerdns
will attempt to re-register the A and PTR RRs for the server almost
immediately but is much slower at registering the SRV records 
(I mostly gave up waiting and rebooted the server which sends the updates
as part of network initialization).

I can only assume that the reason Microsoft made gc._msdcs.<forest> an A
RR rather than SRV is for some kind of backward compatibility; I did ask 
on the Windows2000 beta newsgroups but never got a reply.

Lee Flight
Network Support 
Computer Centre 
University of Leicester UK
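
The zone layout described in this message, as an added example that is not part of the original post: it picks the most specific zone for each owner name and reports whether an update would land in a dynamic zone or be refused by the static parent. The host name dc1, the sample owner names and the function names are constructed for illustration, and the client is assumed to be inside the allow-update network.

```python
# Added illustration: which zone each Windows 2000 dynamic update falls into.
# Zone names mirror the post; True means the zone has allow-update set.
ZONES = {
    "example.com": False,         # forest root, static
    "_msdcs.example.com": True,
    "_sites.example.com": True,
    "_tcp.example.com": True,
    "_udp.example.com": True,
}

def labels(name):
    """Split a DNS name into lower-case labels, ignoring a trailing dot."""
    return name.rstrip(".").lower().split(".")

def enclosing_zone(owner, zones=ZONES):
    """Return the most specific configured zone containing owner, or None."""
    want = labels(owner)
    best = None
    for zone in zones:
        z = labels(zone)
        # Compare whole labels so "x_tcp.example.com" is not taken for a
        # name inside "_tcp.example.com".
        if len(z) <= len(want) and want[-len(z):] == z:
            if best is None or len(z) > len(labels(best)):
                best = zone
    return best

def classify(updates, zones=ZONES):
    """Map (owner, rrtype) pairs to (owner, rrtype, zone, verdict)."""
    out = []
    for owner, rrtype in updates:
        zone = enclosing_zone(owner, zones)
        if zone is None:
            verdict = "not authoritative"
        elif zones[zone]:
            verdict = "accepted"   # assumes client is within the ACL
        else:
            verdict = "refused"    # logged as an unapproved update
        out.append((owner, rrtype, zone, verdict))
    return out

# Constructed sample of names a domain controller registers.
SAMPLE = [
    ("dc1.example.com", "A"),
    ("gc._msdcs.example.com", "A"),
    ("_ldap._tcp.dc._msdcs.example.com", "SRV"),
    ("_ldap._tcp.example.com", "SRV"),
    ("_kerberos._udp.example.com", "SRV"),
    ("_ldap._tcp.Default-First-Site-Name._sites.example.com", "SRV"),
]
```

Only the host A record falls through to the static example.com zone, which matches the unapproved-update messages noted in the message.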





