BIND 8.2.2 P5 DNS and W2K AD & Domain controllers

Kevin Darcy kcd at daimlerchrysler.com
Wed Nov 1 00:30:20 UTC 2000


The impression I get from talking with our Microsoft reps is that the domain
structure is driven not so much by nameserver requirements, but actual
AD-replication requirements instead. There is a lot more stuff to replicate in
AD than there is in just the DNS part. So structure your AD to meet your
AD-replication requirements, and then accommodate your DNS to that structure.
Of course, I'm no expert on AD, so take that with a grain of salt.

Note that it is not _strictly_ necessary to allow domain controllers to
directly dynamically-update DNS. There has been talk here, and
experimentation, in just grabbing the
C:\WINNT\SYSTEM32\CONFIG\NETLOGON.DNS files from the domain controllers and
throwing their contents into the DNS zones. Then you wouldn't even have to
create those _tcp/_udp/etc. subzones, and you could control the timing of the
updates (and associated zone transfers, etc.) As a juicy bit of irony, since
I'm converting my maintenance systems over to Dynamic Update anyway, this
means that I'd still be writing the records using Dynamic Update, just like a
domain controller would, but those Dynamic Updates would be
strongly-authenticated using RFC 2845 TSIG, like domain controllers *cannot*.


- Kevin

Nguyen, Son . wrote:

> Hi All
>
> We are currently running BIND 8.2.2 P5 DNS on Sun Solaris for our single
> domain, with approx. 20,000 machines, consisting of about 15,000 Windows NT
> servers, workstations, domain controllers, and workstations.
>
> We are planning to upgrade most of our Windows NT to W2K by next year. We
> are testing to find the best implementation way to serve our W2K domain
> controllers without utilizing the W2K DNS and still can implement the W2K
> Group Policy and AD effectively. These W2K domain controllers will be
> located throughout the country, from East to West coasts at many of the
> organization's facilities.
>
> My question is because of the distance, should we use different zones for
> the East and West coasts for the 4 necessary zones for our W2K domain
> controllers to provide and update their SRV RRs for communications with
> their W2K clients?
>
> Our sample named.conf with fictitious name and IP address is as shown below:
> ============
> zone "_msdcs.testagain.testy.com" in {
>         type master;
>         file "db._msdcs";
>         check-names ignore;
>         allow-update { xxx.xxx.xxx.xxx; };
> };
>
> zone "_tcp.testagain.testy.com" in {
>         type master;
>         file "db._tcp";
>         check-names ignore;
>         allow-update { xxx.xxx.xxx.xxx; };
> };
>
> zone "_udp.testagain.testy.com" in {
>         type master;
>         file "db._udp";
>         check-names ignore;
>         allow-update { xxx.xxx.xxx.xxx; };
> };
>
> zone "_sites.testagain.testy.com" in {
>         type master;
>         file "db._sites";
>         check-names ignore;
>         allow-update { xxx.xxx.xxx.xxx; };
> };
> ================
>
> Should we have 2 zones, one for each coast, for each of the above listed
> zones for W2K, or one for each zone would be sufficient since each of W2K
> domain controllers will have only a few SRV RRs.
>
> Any help or suggestions are much appreciated.
>
> Regards,
> Son Nguyen
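The approach Kevin sketches above (pull the domain controllers' NETLOGON.DNS record lists and push them into the four subzones from Son's named.conf with TSIG-signed Dynamic Update, instead of letting the DCs update directly) is shown below as an added example; it is not code from either post. Assumptions: the master is called ns1.testy.com, the TSIG key is named netlogon-update, the sample records are constructed in NETLOGON.DNS's master-file style and are not real DCs, and the batch syntax and the `-k` option are those of BIND 9's nsupdate. The records are grouped per subzone, and each (name, type) is deleted once before any add, so feeding several DCs' files through one run does not wipe one DC's SRV record when the next DC's record for the same name arrives.

```shell
#!/bin/sh
# Added example (not from the bind-users posts): convert NETLOGON.DNS-style records
# into TSIG-signed nsupdate batches, one per AD subzone, matching the four-zone
# layout (_msdcs/_tcp/_udp/_sites) in Son's named.conf.

AD_DOMAIN="testagain.testy.com"
NS="ns1.testy.com"           # assumed master for the four subzones
KEYNAME="netlogon-update"    # assumed TSIG key name

# Constructed sample in the record style of NETLOGON.DNS (two DCs, not real hosts).
SAMPLE_NETLOGON='
testagain.testy.com. 600 IN A 10.1.2.3
_ldap._tcp.testagain.testy.com. 600 IN SRV 0 100 389 dc1.testagain.testy.com.
_ldap._tcp.testagain.testy.com. 600 IN SRV 0 100 389 dc2.testagain.testy.com.
_kerberos._tcp.testagain.testy.com. 600 IN SRV 0 100 88 dc1.testagain.testy.com.
_kerberos._udp.testagain.testy.com. 600 IN SRV 0 100 88 dc1.testagain.testy.com.
_ldap._tcp.dc._msdcs.testagain.testy.com. 600 IN SRV 0 100 389 dc1.testagain.testy.com.
_ldap._tcp.East._sites.testagain.testy.com. 600 IN SRV 0 100 389 dc1.testagain.testy.com.
'

# Read "owner TTL IN TYPE rdata" records on stdin, write nsupdate batches on stdout.
# Records outside the four dynamic subzones (e.g. the domain apex A record) are
# reported on stderr and not sent, since no dynamic zone exists for them.
netlogon_to_nsupdate() {
    ad="$1"; ns="$2"
    awk -v ad="$ad" -v ns="$ns" '
    function zone_of(owner,   z, i, subz) {
        owner = tolower(owner)
        split("_msdcs _tcp _udp _sites", subz, " ")
        for (i = 1; i <= 4; i++) {
            z = subz[i] "." ad "."
            if (owner == z || substr(owner, length(owner) - length(z)) == "." z) return z
        }
        return ""
    }
    NF >= 5 && $3 == "IN" {
        z = zone_of($1)
        if (z == "") { print "SKIP (no dynamic subzone for): " $0 > "/dev/stderr"; next }
        if (!(z in seen)) { order[++n] = z; seen[z] = 1 }
        k = z SUBSEP $1 SUBSEP $4
        # delete each (name, type) once, before all adds for that zone
        if (!(k in deleted)) { deleted[k] = 1; del[z] = del[z] "update delete " $1 " " $4 "\n" }
        add[z] = add[z] "update add " $0 "\n"
    }
    END {
        for (i = 1; i <= n; i++) {
            z = order[i]
            printf "server %s\nzone %s\n%s%ssend\n", ns, z, del[z], add[z]
        }
    }'
}

# named.conf fragment: TSIG key plus the four subzones restricted to that key
# (BIND 8.2+ syntax). The secret is a placeholder; generate a real one with
# dnssec-keygen -a HMAC-MD5 -b 128 -n HOST netlogon-update (BIND 9).
tsig_named_conf() {
    keyname="$1"; secret="$2"; ad="$3"
    printf 'key "%s" {\n    algorithm hmac-md5;\n    secret "%s";\n};\n' "$keyname" "$secret"
    for sz in _msdcs _tcp _udp _sites; do
        printf 'zone "%s.%s" in {\n    type master;\n    file "db.%s";\n    check-names ignore;\n    allow-update { key "%s"; };\n};\n' \
            "$sz" "$ad" "$sz" "$keyname"
    done
}

# Usage: batches go to nsupdate with the TSIG private key file, e.g.
#   printf '%s\n' "$SAMPLE_NETLOGON" | netlogon_to_nsupdate "$AD_DOMAIN" "$NS" > batch.txt
#   nsupdate -k Knetlogon-update.+157+NNNNN.private batch.txt   (key file name assumed)
#   tsig_named_conf "$KEYNAME" "c2VjcmV0MTIzNDU2Nzg=" "$AD_DOMAIN" >> named.conf
```

The point of deleting by type once per batch and then adding every DC's record is that the subzone ends up mirroring the union of all the DCs' NETLOGON.DNS files on each run, which is what the direct-update path from the DCs would converge to, but with the timing, the zone-transfer load and the TSIG key under the DNS administrator's control.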
