bind and active directory.. ?

Duane Cox dcox at coxnetwork.com
Wed May 24 21:47:40 UTC 2000


Thanks Kevin for your information, but would this work... ?

Create a forward master zone called ad.illicom.net on the Win2K DNS server.
On the UNIX BIND server create an NS record for ad.illicom.net and point it at
ns3.illicom.net (the Win2K server), and create an A record for ns3.illicom.net,
which is 12.15.125.15.

MANUALLY create the reverse PTR records on the BIND server for the Win2K
box(es), and allow dynamic update on the Win2K DNS server for the Active
Directory domain.

???

Duane Cox
dcox at coxnetwork.com



-----Original Message-----
From: Kevin Darcy <kcd at daimlerchrysler.com>
To: BIND List <comp-protocols-dns-bind at moderators.isc.org>
Date: Wednesday, May 24, 2000 3:29 PM
Subject: Re: bind and active directory.. ?


>You could certainly put all of the *forward* entries for W2K servers and
>clients into a separate domain, but that still leaves the *reverse* records,
>which are likely to be interspersed with non-W2K records. What does one do
>about those? And, as I hear it, you still have the problem of W2K boxes
>stomping on each other's records if they're just using plain old RFC 2136 for
>their updates. The only way I know of to solve *that* problem is to chuck
>BIND and use the W2K DNS server instead, which implements GSS-TSIG to associate
>records with their owners.
>
>If W2K's Dynamic Update implementation weren't so CNAME-impaired, it should be
>possible to just create aliases in the forward and reverse zones to one or more
>zones mastered by W2K DNS servers, e.g. possibly 1 zone for forward entries and
>1 zone for reverse entries. At least then one could still continue to use
>BIND for most of the DNS infrastructure one has worked so hard to develop over
>the years. But, as I understand it, W2K Dynamic Update simply *fails* when
>encountering a CNAME where it expects an A or PTR record. It doesn't follow the
>CNAME chain and then try to update the terminal record. I think it should.
>
>Ultimately, one would hope that BIND could support GSS-TSIG so that
>implementors would have a reasonable choice of which DNS software to use with
>their W2K infrastructure.
>
>
>- Kevin
>
>Duane Cox wrote:
>
>> HEY thanks a lot for your insight.
>>
>> If you could..
>>
>> We have the dns domain illicom.net which has several records, probably less
>> than 50 and some child domains as well, all running on bind.
>> I guess I might be a little confused, but I don't want illicom.net becoming
>> "the active directory domain" for windows 2000 because then
>> I would have to allow bind to update this zone dynamically WHICH would
>> result in bind rewriting the zone file in a format that I can't control...
>> not tab delimited, hard to follow and read etc. etc.
>>
>> So I guess in my case the best thing for me to do is create a child domain
>> (right) and have active directory use this as its domain.. ?
>> Is everybody else doing pretty much the same thing? creating a child
>> subdomain instead of letting active directory use the subdomain ?
>> If so, what are some child names people have used?  NETWORK.domain.net,
>> AD.domain.net ?
>> I assume this will work right if both bind and active directory are set up
>> correctly.
>>
>> Duane Cox
>> dcox at coxnetwork.com
>>
>> -----Original Message-----
>> From: Robert Weber <Robert.Weber at Colorado.EDU>
>> To: Mark.Andrews at nominum.com <Mark.Andrews at nominum.com>
>> Cc: bind-users at isc.org <bind-users at isc.org>
>> Date: Tuesday, May 23, 2000 5:51 PM
>> Subject: Re: bind 8.2.2p5 and rfc 2181 ?
>>
>> >
>> >> >
>> >> > Has anybody had good luck with tying win2k active directory into bind
>> >> > 8.2.2 ?
>> >> >
>> >> > Duane Cox
>> >> > dcox at coxnetwork.com
>> >> >
>> >----------
>> >Yes and no.  I set up a slave zone on our solaris server called
>> >ad.colorado.edu.  Allowed updates from the master W2K server to get srv
>> >records set up then made the solaris box master, turned off DNS on W2K then
>> >set up some database building scripts that made the dynamic updates to the
>> >ad zone from our centralized database.  The setup works and since W2K
>> >server will only add ldap records if you turn off DNS there doesn't seem to
>> >be a conflict between my scripts and what W2k wants to do.  I did have to
>> >set
>> >
>> >check-names warn;
>> >
>> >in the named.conf but it functions fine.  The only problem is management
>> >of the dynamic zones gets a little hairy with our particular host management
>> >system but it all depends on your setup.
>> >
>> > Robert Weber
>> > University of Colorado
>> >
>> >
>> >
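The delegation Duane sketches at the top of this message (NS record for ad.illicom.net pointing at ns3.illicom.net, an A record for ns3, hand-maintained PTRs in the reverse zone), together with the `check-names` setting Robert mentions, as an added BIND configuration example that is not part of the original thread. It uses the names and the address the thread gives (illicom.net, ad.illicom.net, ns3.illicom.net, 12.15.125.15); the reverse zone name 125.15.12.in-addr.arpa, the primary name server ns1.illicom.net, its address, the file names, the SOA values and the host `pc01` are constructed for the example.

```text
; ---- named.conf on the UNIX BIND server (BIND 8/9 syntax) ----
options {
    directory "/var/named";              // constructed path
    // Active Directory registers SRV names such as _ldap._tcp.ad.illicom.net;
    // the underscore labels fail strict host-name checking, so warn instead of
    // rejecting them (the setting Robert needed).
    check-names master warn;
};

zone "illicom.net" {
    type master;
    file "illicom.net.zone";
    allow-update { none; };              // parent stays static; no W2K updates here
};

zone "125.15.12.in-addr.arpa" {          // reverse zone name assumed from 12.15.125.0/24
    type master;
    file "125.15.12.rev";
    allow-update { none; };              // PTRs for the W2K boxes are maintained by hand
};

// Alternative from Robert's setup: host the AD zone on BIND and accept dynamic
// updates only from the W2K server's address. Plain RFC 2136 has no per-owner
// protection (Kevin's point); address-based allow-update is the only control here.
// zone "ad.illicom.net" {
//     type master;
//     file "ad.illicom.net.zone";
//     allow-update { 12.15.125.15; };
// };

; ---- illicom.net.zone: delegate ad.illicom.net to the Win2K DNS server ----
$TTL 86400
@       IN  SOA  ns1.illicom.net. hostmaster.illicom.net. (
                 2000052401 ; serial (constructed)
                 3600       ; refresh
                 900        ; retry
                 604800     ; expire
                 86400 )    ; minimum
        IN  NS   ns1.illicom.net.
ns1     IN  A    12.15.125.2          ; constructed address for the BIND server

; Delegation: queries for anything under ad.illicom.net go to the W2K server.
ad      IN  NS   ns3.illicom.net.
; ns3 lives in illicom.net itself, not under ad.illicom.net, so this is an
; ordinary authoritative A record rather than glue.
ns3     IN  A    12.15.125.15

; ---- 125.15.12.rev: reverse entries for the W2K hosts, maintained manually ----
$TTL 86400
@       IN  SOA  ns1.illicom.net. hostmaster.illicom.net. (
                 2000052401 3600 900 604800 86400 )
        IN  NS   ns1.illicom.net.
2       IN  PTR  ns1.illicom.net.
15      IN  PTR  ns3.illicom.net.
20      IN  PTR  pc01.ad.illicom.net. ; constructed W2K client
```

Two checks worth making once this is in place: `dig @ns1.illicom.net ad.illicom.net NS` from outside should return the delegation with ns3's A record in the additional section, and a PTR lookup for a W2K box should resolve from the BIND server even though that box registered its forward record on the Win2K side. Because the reverse zone is `allow-update { none; }`, a W2K client's attempt to register its own PTR on the BIND server will be refused and logged by named, which is the expected outcome of the manual-PTR approach rather than a fault.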