MS DNS Registration Issue

Barry Finkel b19141 at achilles.ctd.anl.gov
Wed Aug 8 15:31:54 UTC 2001


rohail khan <rohailkaz at yahoo.com> wrote:

> Hi,
> The status:
> Main DNS server Running BIND.
> controlling abc.edu
> BIND Delegation to MS DNS for def.abc.edu
> One of the DC/GC in def.abc.edu is trying to register
> some records in MS DNS (Auth. for def.abc.edu). Most of
> the SRV records related to def.abc.edu and A record
> for def.abc.edu are able to register in MS DNS.
> But some records which are related to _msdcs.DNSForestName
> (***_msdcs.abc.edu) and global Catalog A record/s
> gc._DNSForestName IN A
> ServerInSecondDomain(w2kserver1.ad.uab.edu) are not
> registering.
> 
> Some of the records that are not registering are:
> _ldap._tcp.gc_msdcs.DNSForestName IN SRV
> W2KServer1.def.abc.edu failed
> gc._msdcs.abc.edu IN A W2Kserver1.def.abc.edu failed.
> and a few more which are related to gc/_msdcs DNSForestName.
> 
> Since MS DNS is only authoritative for def.abc.edu, my
> understanding is that it will not accept these records
> registration until it is authoritative to abc.edu too.
> So is there any way I could forward these record
> registration of BIND, as I have allowed "_" in BIND.
> 
> Really need Help.
> 
> Regards
> Shoaib Qazi
> Graduate Assistant.
> uab.edu

First, is the domain in question abc.edu (Appalachian Bible College in
West Virginia) or uab.edu (U. of Alabama, Birmingham)?  Why hide the
real information?

Next, you have delegated the subdomain

     def.abc.edu

to the MS W2k DNS.  You have not delegated the four "_" zones

     _msdcs.abc.edu
     _sites.abc.edu
     _tcp.abc.edu
     _udp.abc.edu
     
to the MS W2k DNS.  The SRV records for these four "_" zones will
register IF you authorize the BIND nameserver to accept dynamic
DNS updates for those zones.  I personally would not do this, as there
is no way to do the DDNS in a secure manner (MS's security method is
not completely documented, and it has not yet been implemented in
BIND).  I would define these four "_" zones on the MS W2k DNS box,
make the zones AD-integrated with secure updates, and then define
these zones as slaves on your "abc.edu" BIND server.

I have re-read your posting, and I am not sure why some of the SRV
records would register and some would not.  There appear to be
some typos in the records in your posting, e.g.,

     _ldap._tcp.gc_msdcs.DNSForestName IN SRV ...

This confuses the issue.  If some of the records are not being
registered in the BIND server, then there should be "denied update"
records in the BIND syslog.   Maybe I am missing the heart of the
problem you are posting because you have obscured the real information.
My reading of your posting differs from Len Conrad's, who also
replied.

For more about integration of MS W2k DNS with BIND, see the archives
of bind-users, where there have been many postings since August 1999 
(and probably before).
----------------------------------------------------------------------
Barry S. Finkel
Electronics and Computing Technologies Division
Argonne National Laboratory          Phone:    +1 (630) 252-7277
9700 South Cass Avenue               Facsimile:+1 (630) 252-9689
Building 221, Room B236              Internet: BSFinkel at anl.gov
Argonne, IL   60439-4844             IBMMAIL:  I1004994
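
The arrangement recommended in the reply above, written out as a named.conf fragment for the abc.edu BIND server. This is an added example, not part of the original post. The address 192.0.2.10 for the W2k DNS server, the address 192.0.2.20 for the domain controller and all file paths are constructed assumptions.

```conf
// Added example, not from the original post.
// Constructed values: 192.0.2.10 (W2k DNS server), 192.0.2.20 (DC), file paths.

// Parent zone stays static on BIND: no dynamic updates are accepted.
// Its zone file also carries NS records for each "_" zone (the zone cut).
zone "abc.edu" {
    type master;
    file "master/abc.edu";
    allow-update { none; };
};

// The four "_" zones are primary on the W2k DNS server (AD-integrated,
// secure updates only). BIND holds transferred copies and never accepts
// updates for them. The W2k server must permit zone transfers to this host.
zone "_msdcs.abc.edu" {
    type slave;
    masters { 192.0.2.10; };
    file "slave/_msdcs.abc.edu";
};
zone "_sites.abc.edu" {
    type slave;
    masters { 192.0.2.10; };
    file "slave/_sites.abc.edu";
};
zone "_tcp.abc.edu" {
    type slave;
    masters { 192.0.2.10; };
    file "slave/_tcp.abc.edu";
};
zone "_udp.abc.edu" {
    type slave;
    masters { 192.0.2.10; };
    file "slave/_udp.abc.edu";
};

// The alternative the reply advises against: BIND as master for a "_" zone,
// with dynamic updates restricted by source address only.
// zone "_msdcs.abc.edu" {
//     type master;
//     file "master/_msdcs.abc.edu";
//     allow-update { 192.0.2.20; };
// };
```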


