bind and active directory.. ?

Kevin Darcy kcd at daimlerchrysler.com
Wed May 24 20:26:28 UTC 2000


You could certainly put all of the *forward* entries for W2K servers and
clients into a separate domain, but that still leaves the *reverse* records,
which are likely to be interspersed with non-W2K records. What does one do
about those? And, as I hear it, you still have the problem of W2K boxes
stomping on each other's records if they're just using plain old RFC 2136 for
their updates. The only way I know of to solve *that* problem is to chuck
BIND and use the W2K DNS server instead, which implements GSS-TSIG to associate
records with their owners.

If W2K's Dynamic Update implementation weren't so CNAME-impaired, it should be
possible to just create aliases in the forward and reverse zones to one or more
zones mastered by W2K DNS servers, e.g. possibly 1 zone for forward entries and
1 zone for reverse entries. At least then one could still continue to use
BIND for most of the DNS infrastructure one has worked so hard to develop over
the years. But, as I understand it, W2K Dynamic Update simply *fails* when
encountering a CNAME where it expects an A or PTR record. It doesn't follow the
CNAME chain and then try to update the terminal record. I think it should.

Ultimately, one would hope that BIND could support GSS-TSIG so that
implementors would have a reasonable choice of which DNS software to use with
their W2K infrastructure.


- Kevin

Duane Cox wrote:

> HEY, thanks a lot for your insight.
>
> If you could..
>
> We have the DNS domain illicom.net, which has several records, probably fewer
> than 50, and some child domains as well, all running on BIND.
> I guess I might be a little confused, but I don't want illicom.net becoming
> "the active directory domain" for Windows 2000, because then
> I would have to allow BIND to update this zone dynamically, WHICH would
> result in BIND rewriting the zone file in a format that I can't control...
> not tab-delimited, hard to follow and read, etc., etc.
>
> So I guess in my case the best thing for me to do is create a child domain
> (right?) and have Active Directory use this as its domain?
> Is everybody else doing pretty much the same thing? Creating a child
> subdomain instead of letting Active Directory use the subdomain?
> If so, what are some child names people have used?  NETWORK.domain.net,
> AD.domain.net?
> I assume this will work right if both BIND and Active Directory are set up
> correctly.
>
> Duane Cox
> dcox at coxnetwork.com
>
> -----Original Message-----
> From: Robert Weber <Robert.Weber at Colorado.EDU>
> To: Mark.Andrews at nominum.com <Mark.Andrews at nominum.com>
> Cc: bind-users at isc.org <bind-users at isc.org>
> Date: Tuesday, May 23, 2000 5:51 PM
> Subject: Re: bind 8.2.2p5 and rfc 2181 ?
>
> >
> >> >
> >> > Has anybody had good luck with tying win2k active directory into bind
> 8.2.2
> >> > ?
> >> >
> >> > Duane Cox
> >> > dcox at coxnetwork.com
> >> >
> >----------
> >Yes and no.  I set up a slave zone on our Solaris server called
> >ad.colorado.edu.  Allowed updates from the master W2K server to get SRV
> >records set up, then made the Solaris box master, turned off DNS on W2K, then
> >set up some database-building scripts that made the dynamic updates to the
> >ad zone from our centralized database.  The setup works, and since W2K
> >server will only add LDAP records if you turn off DNS, there doesn't seem to
> >be a conflict between my scripts and what W2K wants to do.  I did have to set
> >
> >check-names warn;
> >
> >in the named.conf, but it functions fine.  The only problem is that management
> >of the dynamic zones gets a little hairy with our particular host management
> >system, but it all depends on your setup.
> >
> > Robert Weber
> > University of Colorado
> >
> >
> >
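The approach Robert describes above (a dedicated child zone for AD, W2K's own DNS switched off, and scripts that push the records into the BIND-mastered zone by RFC 2136 dynamic update) can be driven by a small shell script. The one below is an added example written for this archive page, not a script from Robert, Kevin or anyone else in the thread: it turns a constructed "central database" of domain controllers into an nsupdate(8) batch that registers each DC's A record and the SRV records a DC would otherwise register for itself, then sends the batch signed with a TSIG key. The zone name ad.example.net, the master ns1.example.net, the key name ad-update and its file path are all assumptions; the SRV owner names (_ldap._tcp and _kerberos._tcp, at the apex and under dc._msdcs) and the priority/weight/port values are the standard ones a Windows DC registers.

```shell
#!/bin/sh
# Added example, not code from the bind-users thread.
# Build an RFC 2136 update batch for nsupdate(8) that registers the SRV
# records Active Directory needs for each domain controller listed in a
# small "central database", then sign and send it with a TSIG key so the
# BIND master accepts updates only from this script, not from W2K boxes.
#
# Assumptions (none of these names come from the thread):
#   - the AD child zone is ad.example.net, mastered on ns1.example.net;
#   - that zone's named.conf entry carries: allow-update { key "ad-update"; };
#   - the TSIG key file below exists on the host running the script.

AD_ZONE="ad.example.net"
MASTER="ns1.example.net"
KEYFILE="/etc/named/Kad-update.private"
TTL=600

# Constructed sample database: one domain controller per line, "host address".
DC_DB="dc1 192.0.2.10
dc2 192.0.2.11"

# Emit the update lines for one DC: its A record plus the SRV records a DC
# would register itself (LDAP on 389, Kerberos on 88), both under the zone
# apex and under the dc._msdcs subtree used by the DC locator. Priority 0 and
# weight 100 are the Windows defaults.
emit_dc_updates() {
  host="$1"
  addr="$2"
  fqdn="$host.$AD_ZONE."
  echo "update add $fqdn $TTL A $addr"
  for prefix in "" "dc._msdcs."; do
    echo "update add _ldap._tcp.${prefix}$AD_ZONE. $TTL SRV 0 100 389 $fqdn"
    echo "update add _kerberos._tcp.${prefix}$AD_ZONE. $TTL SRV 0 100 88 $fqdn"
  done
}

# Read the database from stdin and print one complete nsupdate batch:
# target server, zone, all record additions, then "send".
build_batch() {
  echo "server $MASTER"
  echo "zone $AD_ZONE"
  while read -r host addr; do
    [ -n "$host" ] || continue      # skip blank lines
    emit_dc_updates "$host" "$addr"
  done
  echo "send"
}

# Sign the batch with the TSIG key and hand it to nsupdate (BIND 9 syntax).
push_updates() {
  printf '%s\n' "$DC_DB" | build_batch | nsupdate -k "$KEYFILE"
}

# Usage: ./ad-srv-update.sh show   (print the batch)
#        ./ad-srv-update.sh push   (sign and send it)
if [ "${1:-}" = "push" ]; then
  push_updates
elif [ "${1:-}" = "show" ]; then
  printf '%s\n' "$DC_DB" | build_batch
fi
```

Two points from the thread carry over into this setup. First, the underscore-labelled owner names (_ldap._tcp and friends) are exactly why Robert needed `check-names warn;` in his BIND 8 named.conf; without it the server refuses the names. Second, this only avoids the record-stomping problem Kevin describes because one trusted script holds the TSIG key and W2K's own DNS is switched off, so the W2K machines never send updates themselves; it does not give BIND the per-record ownership that GSS-TSIG provides on the W2K DNS server.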





