BIND 8 and Windows 2000 DNS

Barry Finkel b19141 at achilles.ctd.anl.gov
Mon Oct 23 14:53:02 UTC 2000 

fievel58 at my-deja.com wrote:

>We are working out some of the issues in a Lab. I do have Dynamic DNS
>running BIND 8.2.2 p5 on Solaris 2.7 working. It gets it's updates from
>the Active Directory server Windows 2000. It is a mess as far as
>administration because the Windows admins "want" the Master DNS
>controlled by the Active Directory. MicroSoft says you don't need a
>master DNS anymore just use Win2k and let it take care of everything.
>Looking at a full network rollout I am faced with how to have
>the "master" DNS controllable and recoverable and still allow Win2k to
>work. I know that the Active Directory server needs to register the
>services to DNS and they are in the same file as the addresses.
>Anyway, that's as far as I have gotten. I did get a good reaction by
>stating that I'll just write up a paper relinguishing my responsibility
>for DNS to the Win2k admins and wash my hands of the whole thing. Of,
>course then they want you to help fix things if they fall apart. Enough
>rattling. I hope this helps. I'll keep watching for input and let you
>know what I find as we work through this mess.

In our testbed we have decided against AD-integrated DNS, as all it
buys us is secure DDNS.  I do not mind placing the four "_" zones on a
MS DNS box, as those zones only contain SRV records, and I do not care
if those records get lost.  We have a number of issues with the MS DNS
software:

1) When we had some AD-integrated zones in our testbed, we rarely saw
   the same serial number when we used the DNS GUI to look at the
   zones on our three Domain Controllers.  This had been reported 
   previously on bind-users by another site.  We have decided not to
   pursue this with MS because AD-integration is not part of our
   plans (at least in the short-term).  When we decided against
   AD-integration, we converted these zones back to standard master
   on one of the three DCs.  When we did this for one zone, we got an
   error message on our BIND 8.2.2-P5 slave that the serial number on
   the master had decreased.  I do not understand this, as the slave 
   was retrieving the zone from the same machine on which we did the
   zone conversion.

2) When a MS DNS has standard master zones, and a DDNS update is
   processed, the MS code does not write the updated zone to disk
   in a timely manner.  I have seen it take over 24 hours for the
   zone to be re-written to disk.  With a manual update (via the GUI)
   there is an option that can be clicked to write the new zone to disk
   now.  This time delay can cause zone information to be lost if the
   machine crashes and is rebooted.  Our experience is that if the DNS
   process is shutdown cleanly, then the code writes all the updated
   zones to disk before shutdown.  We have not yet opened a support
   incident with MS.

3) We have the four "_" zones on a MS DNS:

        _msdcs.anl.gov
        _sites.anl.gov
        _tcp.anl.gov
        _udp.anl.gov
   
   Our anl.gov master zone still resides in a hidden BIND 8.2.2-P5
   master.  We set the zone properties for these zones:

        1) Allow DDNS.
        2) We set a list of authorized zone transfer IP addresses.

   When the DNS process is restarted, this information is lost.  We
   have an open support incident with MS; I believe that MS has not
   been able to reproduce this problem in their test labs.

My major concern with zones on a MS DNS box is reliability.  Two of the
problems listed above are reliability-related.  The MS code is new code,
and I am not sure of its reliability.  (Has it gone though as much
testing as a new releaase of BIND?)  If MS trusted its DDNS code, then
there would be no need for a W2k workstation, after successful 
self-registration), to attempt self-registration every 24 hours.
And why should DCs continually re-register the SRV records?

As for control of the DNS boxes -- we have decided that the three of
us at ANL who get the hostmaster at anl.gov mail will control the DNS
process on the master Win2k DC and on the slave zones on the other
DCs.  (We decided to make the other DCs slaves, even though the MS
master and the W2k slaves are hidden, because we though we might need
to promote one of the other DCs to a master if the master DC is
unavailable due to an OS problem or due to an OS maintenance period.
I expect the Win2k boxes will not have the uptime that our BIND 
Sun Solaris servers do.  A few Win2k administrators will have 
administrative access to the DCs that have the DNS zones, but they
know that they are not supposed to make zone changes.
----------------------------------------------------------------------
Barry S. Finkel
Electronics and Computing Technologies Division
Argonne National Laboratory          Phone:    +1 (630) 252-7277
9700 South Cass Avenue               Facsimile:+1 (630) 252-9689
Building 221, Room B236              Internet: BSFinkel at anl.gov
Argonne, IL   60439-4844             IBMMAIL:  I1004994

More information about the bind-users mailing list