bind and active directory.. ?

Kevin Darcy kcd at daimlerchrysler.com
Wed May 24 22:03:28 UTC 2000


Seems like that should work, assuming the W2K clients are using static
addresses.

Bear in mind, though, that we haven't actually started our
W2K<->DNS integration here yet. Maybe there are some gotchas buried in that
strategy that I don't know about.


- Kevin

Duane Cox wrote:

> Thanks Kevin for your information, but would this work... ?
>
> create a forward master zone called ad.illicom.net on the Win2K DNS server.
> On the UNIX BIND server create a NS record for ad.illicom.net and point that
> ns3.illicom.net (win2k server)
> and create an A record for ns3.illicom.net which is 12.15.125.15
>
> MANUALLY create the reverse PTR records on the BIND server for the win2k
> box(es)
> and allow the dynamic update on the win2k dns server for the active
> directory domain.
>
> ???
>
> Duane Cox
> dcox at coxnetwork.com
>
> -----Original Message-----
> From: Kevin Darcy <kcd at daimlerchrysler.com>
> To: BIND List <comp-protocols-dns-bind at moderators.isc.org>
> Date: Wednesday, May 24, 2000 3:29 PM
> Subject: Re: bind and active directory.. ?
>
> >You could certainly put all of the *forward* entries for W2K servers and
> >clients into a separate domain, but that still leaves the *reverse* records,
> >which are likely to be interspersed with non-W2K records. What does one do
> >about those? And, as I hear it, you still have the problem of W2K boxes
> >stomping on each other's records if they're just using plain old RFC 2136 for
> >their updates. The only way I know of to solve *that* problem is to chuck
> >BIND and use the W2K DNS server instead, which implements GSS-TSIG to associate
> >records with their owners.
> >
> >If W2K's Dynamic Update implementation weren't so CNAME-impaired, it should be
> >possible to just create aliases in the forward and reverse zones to one or more
> >zones mastered by W2K DNS servers, e.g. possibly 1 zone for forward entries and
> >1 zone for reverse entries. At least then one could still continue to use
> >BIND for most of the DNS infrastructure one has worked so hard to develop over
> >the years. But, as I understand it, W2K Dynamic Update simply *fails* when
> >encountering a CNAME where it expects an A or PTR record. It doesn't follow the
> >CNAME chain and then try to update the terminal record. I think it should.
> >
> >Ultimately, one would hope that BIND could support GSS-TSIG so that
> >implementors would have a reasonable choice of which DNS software to use with
> >their W2K infrastructure.
> >
> >
> >- Kevin
> >
> >Duane Cox wrote:
> >
> >> HEY thanks a lot for your insight.
> >>
> >> If you could..
> >>
> >> We have the dns domain illicom.net which has several records, probably less
> >> than 50 and some child domains as well, all running on bind.
> >> I guess I might be a little confused, but I don't want illicom.net becoming
> >> "the active directory domain" for windows 2000 because then
> >> I would have to allow bind to update this zone dynamically WHICH would
> >> result in bind rewriting the zone file in a format that I can't control...
> >> not tab delimited, hard to follow and read etc. etc.
> >>
> >> So I guess in my case the best thing for me to do is create a child domain
> >> (right) and have active directory use this as its domain.. ?
> >> Is everybody else doing pretty much the same thing? creating a child
> >> subdomain instead of letting active directory use the subdomain ?
> >> If so, what are some child names people have used?  NETWORK.domain.net,
> >> AD.domain.net ?
> >> I assume this will work right if both bind and active directory are setup
> >> correctly.
> >>
> >> Duane Cox
> >> dcox at coxnetwork.com
> >>
> >> -----Original Message-----
> >> From: Robert Weber <Robert.Weber at Colorado.EDU>
> >> To: Mark.Andrews at nominum.com <Mark.Andrews at nominum.com>
> >> Cc: bind-users at isc.org <bind-users at isc.org>
> >> Date: Tuesday, May 23, 2000 5:51 PM
> >> Subject: Re: bind 8.2.2p5 and rfc 2181 ?
> >>
> >> >
> >> >> >
> >> >> > Has anybody had good luck with tying win2k active directory into bind
> >> >> > 8.2.2 ?
> >> >> >
> >> >> > Duane Cox
> >> >> > dcox at coxnetwork.com
> >> >> >
> >> >----------
> >> >Yes and no.  I set up a slave zone on our solaris server called
> >> >ad.colorado.edu.  Allowed updates from the master W2K server to get srv
> >> >records set up then made the solaris box master, turned off DNS on W2K then
> >> >set up some database building scripts that made the dynamic updates to the
> >> >ad zone from our centralized database.  The setup works and since W2K
> >> >server will only add ldap records if you turn off DNS there doesn't seem to
> >> >be a conflict between my scripts and what W2k wants to do.  I did have to
> >> >set
> >> >
> >> >check-names warn;
> >> >
> >> >in the named.conf but it functions fine.  The only problem is management
> >> >of the dynamic zones gets a little hairy with our particular host management
> >> >system but it all depends on your setup.
> >> >
> >> > Robert Weber
> >> > University of Colorado
> >> >
> >
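The delegation Duane proposes, written out as BIND zone-file fragments for the UNIX server. This is an added illustration, not configuration from anyone in the thread. The child zone name, the Win2K server name and its address (ad.illicom.net, ns3.illicom.net, 12.15.125.15) come from his message; the BIND server name ns1.illicom.net, the hostmaster address, the SOA timers and serial, and the host w2k-pc1 at 12.15.125.20 are constructed placeholders. The reverse zone name 125.15.12.in-addr.arpa follows from the 12.15.125.0/24 address, on the assumption that the whole /24 is served by this BIND server.

```zone
; === illicom.net, master on the UNIX BIND server ===
; Only the delegation lives here.  The AD records themselves are served by
; the W2K DNS server, so this zone never has to accept dynamic updates and
; the hand-maintained zone file stays in the format the admin controls.
$ORIGIN illicom.net.
$TTL 86400
@        IN SOA  ns1.illicom.net. hostmaster.illicom.net. (
                 2000052401 ; serial (constructed; bump on every edit)
                 3600       ; refresh
                 900        ; retry
                 604800     ; expire
                 86400 )    ; minimum / negative-cache TTL
         IN NS   ns1.illicom.net.           ; BIND server (assumed name)
ns1      IN A    12.15.125.10               ; constructed address

; Delegate the AD child zone to the Win2K DNS server.
ad       IN NS   ns3.illicom.net.
; Glue: ns3 sits inside illicom.net, so the parent must carry its address,
; otherwise resolvers cannot find the delegated server at all.
ns3      IN A    12.15.125.15

; === 125.15.12.in-addr.arpa, master on the UNIX BIND server ===
; PTR records for the W2K hosts are entered by hand, interspersed with the
; non-W2K records Kevin mentions.  Nothing in this zone is dynamically
; updated; each W2K address change must be mirrored here manually.
$ORIGIN 125.15.12.in-addr.arpa.
$TTL 86400
@        IN SOA  ns1.illicom.net. hostmaster.illicom.net. (
                 2000052401 3600 900 604800 86400 )
         IN NS   ns1.illicom.net.
10       IN PTR  ns1.illicom.net.
15       IN PTR  ns3.illicom.net.           ; the Win2K DNS server
20       IN PTR  w2k-pc1.ad.illicom.net.    ; hypothetical W2K client
```

Two things are worth checking once this is loaded. First, the glue A record for ns3 in the parent must stay identical to the A record the W2K server publishes for itself inside ad.illicom.net; if they drift, resolvers following the delegation and resolvers with ad.illicom.net cached will see different answers. Second, because the PTR records are static while the forward records in ad.illicom.net are updated dynamically by the W2K boxes, any client that changes address leaves a stale reverse entry behind; this is exactly why Kevin's reply assumes the W2K clients use static addresses, and a periodic comparison of the reverse zone against the forward zone's A records is the simplest way to notice when that assumption stops holding.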