One last W2K / Active Directory / BIND question

Simpson, John R john_simpson at reyrey.com
Thu Aug 2 23:05:10 UTC 2001



Greetings,

	Please forgive yet another question on W2K/BIND integration.  I've
read through the FAQs, Cricket's book (I have the 1st, 3rd, and 4th
editions -- 1st and 3rd are signed ;-), Microsoft KB, and many messages on
this mailing list and cannot find anyone who seems to have this problem.

	I'm attempting to allow Windows 2000 Active Directory to update the
_msdcs, _tcp, _udp, and _sites AD specific subdomains of example.com while
leaving example.com static -- basically the approach Cricket outlined in the
4th edition of DNS and BIND.  I've created zone definitions and db files for
example.com, _msdcs.example.com, _tcp.example.com, _udp.example.com, and
_sites.example.com.  

	If I give allow-update permission to the W2K server for all zones,
including example.com, the update works and all the SRV records get added to
_msdcs, etc.  However, I don't want the W2K server to have update permission
to example.com.

	If I don't give allow-update permission to the W2K server to
example.com, it fails with the message "The Wizard cannot contact the DNS
server that handles the name "example.com" to determine if it supports
dynamic update. Confirm your DNS configuration, or install and configure a
DNS server on this computer."  At the same time BIND logs an unauthorized
update for example.com.  It makes no attempt to update _msdcs.example.com,
etc.  As soon as I restore allow-update to example.com the updates proceed.

	The problem appears to be that the W2K server wants to add an A
record assigning its IP address to the name "example.com." -- at least
that's the only new record.  The existing record for sp01.example.com was
not changed.  The new A record is an annoying side effect in the lab, but in
our production environment it would be an error.

	The Windows 2000 server is W2K SP1, with the name sp01.example.com,
domain example.com.  The name server is a lab system running BIND 8.2.2-P5
(all our production servers are 8.2.4) on Solaris 7.  Just realized the BIND
version number on the lab system -- no wonder it was available.  I'll be
putting together an up to date server for testing tomorrow.

	Has anyone else encountered this behavior?  Is it due to my 8.2.2-P5
server or something on the W2K side?  I can provide any additional OS, BIND,
or config files that would be useful.  I'm virtually certain it's on the
Windows side, given the extraneous A record.

Regards,

John Simpson
--
John R. Simpson                                 The Reynolds and Reynolds Co.
Sr. Network Engineer                            800 Germantown Street OH10
Network Services, Network Architecture Team     Dayton, OH 45407
Voice (937) 485-2269 Fax (937) 485-2427
mailto:John_Simpson at reyrey.com
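
The least-privilege layout the message describes (static example.com, dynamic updates only in the four AD subzones) can be checked mechanically. The following is an added example, not part of the original post or the poster's files: the named.conf text is constructed, 192.0.2.10 stands in for the W2K server, and the db file names and function names are assumptions.

```python
import re

# Constructed named.conf fragment; 192.0.2.10 is a placeholder for the
# W2K server and the db file names are assumed, not the poster's own.
RESTRICTED = '''
zone "example.com" { type master; file "db.example.com"; allow-update { none; }; };
zone "_msdcs.example.com" { type master; file "db._msdcs"; allow-update { 192.0.2.10; }; };
zone "_tcp.example.com" { type master; file "db._tcp"; allow-update { 192.0.2.10; }; };
zone "_udp.example.com" { type master; file "db._udp"; allow-update { 192.0.2.10; }; };
zone "_sites.example.com" { type master; file "db._sites"; allow-update { 192.0.2.10; }; };
'''
# The setup the post wants to avoid: the parent zone also accepts updates.
WEAK = RESTRICTED.replace("allow-update { none; }", "allow-update { 192.0.2.10; }")


def zone_bodies(conf):
    """Yield (zone_name, body) per zone statement, matching nested braces."""
    for m in re.finditer(r'zone\s+"([^"]+)"[^{]*\{', conf):
        depth, i = 1, m.end()
        while depth and i < len(conf):
            depth += {"{": 1, "}": -1}.get(conf[i], 0)
            i += 1
        yield m.group(1).lower().rstrip("."), conf[m.end():i - 1]


def update_acl(body):
    """Return the allow-update entries; [] means no host may update.
    A zone with no allow-update clause is treated as deny-all."""
    m = re.search(r"allow-update\s*\{([^}]*)\}", body)
    if not m:
        return []
    return [e for e in m.group(1).replace(";", " ").split() if e != "none"]


def audit(conf, static_zones):
    """Return ({zone: updaters}, [static zones that accept updates])."""
    acls = {name: update_acl(body) for name, body in zone_bodies(conf)}
    return acls, sorted(z for z in static_zones if acls.get(z))


if __name__ == "__main__":
    for label, conf in (("restricted", RESTRICTED), ("weak", WEAK)):
        acls, bad = audit(conf, ["example.com"])
        print(label, "updatable static zones:", bad or "none")
```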


