One last W2K / Active Directory / BIND question

Danny Mayer mayer at gis.net
Fri Aug 3 14:27:07 UTC 2001


"Simpson, John R" wrote:

>         I'm attempting to allow Windows 2000 Active Directory to update the
> _msdcs, _tcp, _udp, and _sites AD specific subdomains of example.com while
> leaving example.com static -- basically the approach Cricket outlined in the
> 4th edition of DNS and BIND.  I've created zone definitions and db files for
> example.com, _msdcs.example.com, _tcp.example.com, _udp.example.com, and
> _sites.example.com.
>
>         If I give allow-update permission to the W2K server for all zones,
> including example.com, the update works and all the SRV records get added to
> _msdcs, etc.  However, I don't want the W2K server to have update permission
> to example.com.
>
>         If I don't give allow-update permission to the W2K server to
> example.com, it fails with the message "The Wizard cannot contact the DNS
> server that handles the name "example.com" to determine if it supports
> dynamic update. Confirm your DNS configuration, or install and configure a
> DNS server on this computer."  At the same time BIND logs an unauthorized
> update for example.com.  It makes no attempt to update _msdcs.example.com,
> etc.  As soon as I restore allow-update to example.com the updates proceed.
>
>         The problem appears to be that the W2K server wants to add an A
> record assigning its IP address to the name "example.com." -- at least
> that's the only new record.  The existing record for sp01.example.com was
> not changed.  The new A record is an annoying side effect in the lab, but in
> our production environment it would be an error.

If this is a static IP address in the example.com domain, why not add it
yourself?  That should stop the update attempts.


>
>         The Windows 2000 server is W2K SP1, with the name sp01.example.com,
> domain example.com.  The name server is a lab system running BIND 8.2.2-P5
> (all our production servers are 8.2.4) on Solaris 7.  Just realized the BIND
> version number on the lab system -- no wonder it was available.  I'll be
> putting together an up to date server for testing tomorrow.
>

Your test server should be running AT LEAST the same version as production,
if not later.  You don't want surprises when you DO move this to production.
That, after all, is the point of having a test system.

>
>         Has anyone else encountered this behavior?  Is it due to my 8.2.2-P5
> server or something on the W2K side?  I can provide any additional OS, BIND,
> or config files that would be useful.  I'm virtually certain it's on the
> Windows side, given the extraneous A record.

Add it yourself on a permanent basis and see what happens.

    Danny
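Editor's note: the configuration below is an added illustration of the
layout discussed in this thread (a static example.com zone with the four
AD-specific subdomains carved out as separate, dynamically updatable zones,
plus the pre-created "example.com." A record Danny suggests).  It is not
code from either poster.  The BIND 8 named.conf syntax is as documented for
that release; the addresses (192.0.2.x), the name server name ns1, the
file names and the serial number are assumptions for the example.

```conf
# ---- named.conf (BIND 8 syntax) ----
# The domain controller that is allowed to send dynamic updates.
# 192.0.2.10 is an assumed address for sp01.example.com.
acl ad-dcs { 192.0.2.10; };

# Parent zone: no allow-update statement, so BIND refuses every update
# (the default), and the W2K server cannot add or change anything here.
zone "example.com" {
    type master;
    file "db.example.com";
};

# AD-specific subzones: separate zones, each accepting updates only from
# the DC.  The W2K SRV registrations land in these files, not in the parent.
zone "_msdcs.example.com" {
    type master;
    file "db._msdcs.example.com";
    allow-update { ad-dcs; };
};
zone "_sites.example.com" {
    type master;
    file "db._sites.example.com";
    allow-update { ad-dcs; };
};
zone "_tcp.example.com" {
    type master;
    file "db._tcp.example.com";
    allow-update { ad-dcs; };
};
zone "_udp.example.com" {
    type master;
    file "db._udp.example.com";
    allow-update { ad-dcs; };
};

; ---- db.example.com (static parent zone file) ----
$TTL 86400
@       IN  SOA  ns1.example.com. hostmaster.example.com. (
                 2001080301  ; serial (assumed)
                 3600        ; refresh
                 900         ; retry
                 604800      ; expire
                 86400 )     ; minimum
        IN  NS   ns1.example.com.
; The A record for the bare domain name that the DC tries to register.
; Adding it by hand, as suggested above, is what stops the update attempt.
        IN  A    192.0.2.10
ns1     IN  A    192.0.2.2
sp01    IN  A    192.0.2.10
; Delegations for the AD subzones.  They point at this same server, so
; the DC's SOA lookups for _msdcs.example.com etc. find the child zones.
_msdcs  IN  NS   ns1.example.com.
_sites  IN  NS   ns1.example.com.
_tcp    IN  NS   ns1.example.com.
_udp    IN  NS   ns1.example.com.
```

Two caveats a practitioner would want.  First, an allow-update ACL keyed
on a source address is only as strong as the source address of a UDP
packet, which can be forged; it confines the damage to the four subzones,
but it does not authenticate the updater, so the subzone files should be
treated as DC-writable data and the parent kept static as shown.  Second,
after switching the parent from allow-update to a hand-added record, check
the BIND log: the "unauthorized update" entries for example.com should stop,
and the updates should appear against the _msdcs, _sites, _tcp and _udp
zones instead.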


