bind and active directory.. ?

Robert Weber Robert.Weber at Colorado.EDU
Thu May 25 17:55:23 UTC 2000


The way we do it on colorado.edu is that we have a centralized database
anyway, generate the forward/reverse files automatically and for the
dynamic ad domain run nsupdate commands instead of printf's in our code to
update the dynamic zone.  As long as Dynamic DNS updates are turned off in
the DHCP config for W2K, and W2K DNS is off, the only updates made are LDAP
SRV records.  The reverse files are separate, and since the W2K machines
don't try to generate A,Cname,PTR records when DNS is turned off we can
generate the reverse lookups the way we have always done.  

						Robert Weber
						University of Colorado	
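
As an added example (not code from this thread or from the University of Colorado setup), the script below sketches the approach described above: a central host database drives nsupdate batches against a BIND-hosted dynamic AD zone, so the Windows machines themselves never write to it. Everything in it is constructed: the zone name, server address, TSIG key file path, hosts and addresses. The batch uses the BIND 9 nsupdate grammar (server/zone/update/send); the `_ldap._tcp` owner names it emits are the underscore labels that make BIND complain unless `check-names` is relaxed, as the earlier message in this thread notes.

```shell
#!/bin/sh
# Added example, not code from the thread. Builds an nsupdate batch from a
# central host database for a dynamic AD zone served by BIND. All names,
# addresses and paths below are constructed placeholders.

ZONE="ad.example.edu"                # hypothetical dynamic AD zone
SERVER="127.0.0.1"                   # master that accepts the updates
KEYFILE="/etc/named/ad-update.key"   # hypothetical TSIG key file (nsupdate -k)

# Constructed export from the central database: "<host> <ip> <role>",
# where role "dc" marks a domain controller that needs an LDAP SRV record.
SAMPLE_DB='dc1 192.168.1.10 dc
dc2 192.168.1.11 dc
ws-lab01 192.168.1.50 host'

# Read the database on stdin and print an nsupdate batch for the given zone.
# Each host's A RRset is deleted before it is re-added, so a host that moved
# does not keep a stale address, and the SRV set is rebuilt as a whole so a
# decommissioned controller drops out of it.
build_ad_batch() {
  zone=$1
  echo "server $SERVER"
  echo "zone $zone."
  echo "update delete _ldap._tcp.$zone. SRV"
  while read -r host ip role; do
    [ -z "$host" ] && continue
    echo "update delete $host.$zone. A"
    echo "update add $host.$zone. 3600 A $ip"
    if [ "$role" = "dc" ]; then
      # priority 0, weight 100, LDAP on port 389; the underscore labels in
      # the owner name are what check-names objects to in BIND 8
      echo "update add _ldap._tcp.$zone. 600 SRV 0 100 389 $host.$zone."
    fi
  done
  echo "send"
}

# Stand-alone run prints the batch; in production pipe it into nsupdate,
# signed with the key that the zone's allow-update/update-policy trusts:
#   printf '%s\n' "$SAMPLE_DB" | build_ad_batch "$ZONE" | nsupdate -k "$KEYFILE"
printf '%s\n' "$SAMPLE_DB" | build_ad_batch "$ZONE"
```

Because only the script's TSIG key is allowed to update the zone, W2K clients that still try RFC 2136 updates are refused rather than overwriting each other's records, and the reverse zones can stay in the statically generated files.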

--------

> You could certainly put all of the *forward* entries for W2K servers and
> clients into a separate domain, but that still leaves the *reverse* records,
> which are likely to be interspersed with non-W2K records. What does one do
> about those? And, as I hear it, you still have the problem of W2K boxes
> stomping on each other's records if they're just using plain old RFC 2136 for
> their updates. The only way I know of to solve *that* problem is to chuck
> BIND and use the W2K DNS server instead, which implements GSS-TSIG to associate
> records with their owners.
> 
> If W2K's Dynamic Update implementation weren't so CNAME-impaired, it should be
> possible to just create aliases in the forward and reverse zones to one or more
> zones mastered by W2K DNS servers, e.g. possibly 1 zone for forward entries and
> 1 zone for reverse entries. At least then one could still continue to use
> BIND for most of the DNS infrastructure one has worked so hard to develop over
> the years. But, as I understand it, W2K Dynamic Update simply *fails* when
> encountering a CNAME where it expects an A or PTR record. It doesn't follow the
> CNAME chain and then try to update the terminal record. I think it should.
> 
> Ultimately, one would hope that BIND could support GSS-TSIG so that
> implementors would have a reasonable choice of which DNS software to use with
> their W2K infrastructure.
> 
> 
> - Kevin
> 
> Duane Cox wrote:
> 
> > HEY thanks a lot for your insight.
> >
> > If you could..
> >
> > We have the dns domain illicom.net which has several records, probably less
> > than 50 and some child domains as well, all running on bind.
> > I guess I might be a little confused, but I don't want illicom.net becoming
> > "the active directory domain" for windows 2000 because then
> > I would have to allow bind to update this zone dynamically WHICH would
> > result in bind rewriting the zone file in a format that I can't control...
> > not tab delimited, hard to follow and read etc. etc.
> >
> > So I guess in my case the best thing for me to do is create a child domain
> > (right) and have active directory use this is its domain.. ?
> > Is everybody else doing pretty much the same thing? creating a child
> > subdomain instead of letting active directory use the subdomain ?
> > If so what has been some childs people have used?  NETWORK.domain.net,
> > AD.domain.net ?
> > I assume this will work right if both bind and active directory are setup
> > correctly.
> >
> > Duane Cox
> > dcox at coxnetwork.com
> >
> > -----Original Message-----
> > From: Robert Weber <Robert.Weber at Colorado.EDU>
> > To: Mark.Andrews at nominum.com <Mark.Andrews at nominum.com>
> > Cc: bind-users at isc.org <bind-users at isc.org>
> > Date: Tuesday, May 23, 2000 5:51 PM
> > Subject: Re: bind 8.2.2p5 and rfc 2181 ?
> >
> > >
> > >> >
> > >> > Has anybody had good luck with tying win2k active directory into bind
> > 8.2.2
> > >> > ?
> > >> >
> > >> > Duane Cox
> > >> > dcox at coxnetwork.com
> > >> >
> > >----------
> > >Yes and no.  I set up a slave zone on our solaris server called
> > >ad.colorado.edu.  Allowed updates from the master W2K server to get srv
> > >records set up then made the solaris box master, turned off DNS on W2K then
> > >set up some database building scripts that made the dynamic updates to the
> > >ad zone from our centralized database.  The setup works and since W2K
> > >server will only add ldap records if you turn off DNS there doesn't seem to
> > >be a conflict between my scripts and what W2k wants to do.  I did have to
> > >set
> > >
> > >check-names warn;
> > >
> > >in the named.conf but it functions fine.  The only problems are management
> > >of the dynamic zones gets a little hairy with our particular host management
> > >system but it all depends on your setup.
> > >
> > > Robert Weber
> > > University of Colorado
> > >
> > >
> > >
> 
> 
> 
> 
> 

--------
