Bind 8.22 and Win2k

Kevin Darcy kcd at daimlerchrysler.com
Tue Sep 19 00:06:02 UTC 2000


zabbas at my-deja.com wrote:

> We are currently running at Bind 8.22 p5 and are in the process of
> rolling out Win2K with active directory.  I wanted to find out what types
> of entries I will need in my named.conf file to make this work.
>
> Currently I have the following :
>
> options {
>                 check-names master ignore;
> }
>
> zone "xxx.company.com" in {
>     type master;
>     file "xx.company";
>     check-names master ignore ;

I believe this is a syntax error. Within a zone statement, you just say
"check-names ignore". You don't need to specify "master", since the parser
already knows this to be a master zone. This syntax error could potentially
be causing the load of the master zone to fail, which would also kill
Dynamic Update attempts.  What do your logs say?

>     allow-update {specific ip addresses for Win2k domain controllers};
> };
>
> We are coming across situations where a new domain controller is being
> created with active directory and when it comes time to configure AD the
> error message pops up saying that it can't tell if the DNS server allows
> dynamic updates.  Although as you can see from above I have included any
> specific server ip addresses that would update the DNS server.

> Do I need to specifically define subdomains (zones) in my named.conf
> for each of the types that Active Directory registers ?  eg. _msdcs
> subdomain, SRV records to a _udp, a _tcp and a _sites subdomain
> (e.g. _ldap._tcp.{domain name}).

It is not mandatory to delegate these subzones, but many folks like to do
this so that they can segregate the AD stuff from their regular DNS zone
data. This is especially desirable if they are using some other,
non-DDNS-based maintenance tool(s) for their zone data, since once you
convert a zone to Dynamic Update, you basically have to use *only* Dynamic
Update to maintain the zone data, or risk having your data be overwritten
by the next maintenance dump into the zonefile. Another reason for
segregation, I understand, is that if you have Win2K's automatic client
registration turned on, a large number of clients can generate a
significant number of updates to the zone(s), thus necessitating frequent
zone transfers to slaves. Segregating the zones reduces this overhead. And,
last but not least, if you want to do Secure Dynamic Update with Win2K,
currently you have to delegate DNS zones to MS-DNS servers, since the
flavor of Secure Dynamic Update that Win2K uses is not supported by BIND.
Understandably, those in this position generally prefer to only delegate
Win2K-specific subzones rather than their whole DNS namespace.


- Kevin
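An added example, not part of the original thread, that pulls the two points above together: a named.conf for BIND 8.2.2 with the zone-level check-names syntax corrected, dynamic updates restricted to the domain controllers, and the AD-specific subdomains segregated into their own zones. Zone names are the ones from the post; the 192.0.2.x addresses and the subzone file names are placeholders constructed for this example.

```conf
// Example named.conf (BIND 8.2.x), not the poster's actual file.

options {
        directory "/var/named";
        // In the options block check-names takes a context keyword
        // (master | slave | response) followed by the action.
        check-names master ignore;
};

// Only the Win2K domain controllers may send Dynamic Updates.
// Placeholder addresses, constructed for this example.
acl "win2k-dcs" {
        192.0.2.10;
        192.0.2.11;
};

// The company zone. Inside a zone statement the syntax is simply
// "check-names ignore" with no "master" keyword; the parser already
// knows the zone type. "check-names master ignore" here is a syntax
// error that can stop the zone from loading, and an unloaded zone
// rejects every update.
zone "xxx.company.com" in {
        type master;
        file "xx.company";
        check-names ignore;
        allow-update { "win2k-dcs"; };
};

// Optional segregation: give the AD subdomains their own zones so that
// dynamically updated data lives apart from hand-maintained data and
// only these small zones churn through zone transfers to the slaves.
// Once a zone is dynamic, maintain it ONLY through Dynamic Update.
zone "_msdcs.xxx.company.com" in {
        type master;
        file "xx.company._msdcs";
        check-names ignore;
        allow-update { "win2k-dcs"; };
};
zone "_sites.xxx.company.com" in {
        type master;
        file "xx.company._sites";
        check-names ignore;
        allow-update { "win2k-dcs"; };
};
zone "_tcp.xxx.company.com" in {
        type master;
        file "xx.company._tcp";
        check-names ignore;
        allow-update { "win2k-dcs"; };
};
// _udp.xxx.company.com follows the same pattern. To hand these subzones
// to MS-DNS instead (for Win2K's Secure Dynamic Update), omit these
// zone statements and add NS records for them in xx.company.
```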