DNS AD & Internet

Barry Finkel b19141 at achilles.ctd.anl.gov
Mon Aug 27 20:04:20 UTC 2001


--- Js Op de Beeck <js_opdebeeck at innovons.net> wrote:
>> Sorry for my English, I'm French.
>> 
>> I don't want to take risks.
>> 
>> I'm planning a Win2000 AD migration and I'm doing
>> tests:
>> 
>> I have created a DNS zone (mydomain.CORP) to use in Windows
>> 2000 Directory (for internal requests and resources).
>> My enterprise has a Unix primary DNS for outgoing
>> requests (mydomain.COM) provided by the ISP.
>> 
>> How do I configure clients and/or servers to use
>> Windows 2000 DNS for local requests and Unix DNS for
>> external requests? (I don't want to publish my local
>> resources to the Internet.)
>> 
>> Thanks
>> 
>> Op de Beeck Js

rohail khan <rohailkaz at yahoo.com> replied:
>Hi, 
>I might be late in responding, but I think I can help
>you with that.
>Start from here:
>UNIX DNS authoritative for: abc.com
>MS DNS authoritative for: ad.abc.com
>Assuming you have one MS DNS server (name:
>W2KServer2).
>Assuming you have one W2K Active Directory DC
>(W2Kserver1).
>
>Two ways: either you are allowed to mess with your
>BIND DNS, or you don't want to do that.
>
>If you are allowed:
>1. BIND delegation to ad.abc.com MS DNS is necessary.
>2. Your MS DNS should use BIND as forwarder.
>3. BIND should accept dynamic updates. 
>4. BIND should ignore illegal characters in record
>updates (I mean it should allow "_" underscores). Let me
>know if you want to know how.
>5. Every W2K server will register
>gc._msdcs.DnsForestName to BIND.
>
>If you are not allowed or don't want to:
>1. BIND delegation to MS DNS for four zones:
>_msdcs.abc.com
>_sites.abc.com
>_tcp.abc.com
>_udp.abc.com
>
>2. Dynamic update for 
>abc.com IN A (W2K Server IP)
>
>
>Remember:
>Even if some of your W2K servers are in ad.abc.com,
>they will try to register 5 records
>(approximation) for:
>_msdcs.abc.com
>13 records for:
>ad.abc.com
>2 records for:
>_sites.abc.com
>one or more records for:
>_tcp.abc.com, _udp.com
>
>It is wise to take option no. 2, because you don't want
>MS DNS and servers to mess up your Unix BIND.

I would quarrel with one of the recommendations --

> 3. BIND should accept dynamic updates. 

There is no need for BIND to accept DDNS in this scenario.  If you have
the four "_" zones on a BIND box, then you will need to have BIND
accept DDNS.  But why place these four zones on a BIND box, when you
can place them on a W2k DNS and not have to worry about security?
These four zones contain SRV records, and I (personally) do not care if
the information gets corrupted on a MS W2k DNS.  No "A" or "PTR"
records are contained in those four zones.  It is very easy to add the
required "A" record for each Domain Controller manually.  You cannot
have secure DDNS in a W2k-BIND scenario because MS's security is not
100% documented and is not available in BIND.
----------------------------------------------------------------------
Barry S. Finkel
Electronics and Computing Technologies Division
Argonne National Laboratory          Phone:    +1 (630) 252-7277
9700 South Cass Avenue               Facsimile:+1 (630) 252-9689
Building 221, Room B236              Internet: BSFinkel at anl.gov
Argonne, IL   60439-4844             IBMMAIL:  I1004994
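As an added example (not posted by anyone in this thread), here is a constructed BIND zone file for abc.com following rohail's second option combined with Barry's point: the parent zone stays on the Unix BIND server with static A records for the W2K boxes, only the four underscore zones are delegated to the W2K DNS server, and BIND never has to accept dynamic updates. The host names and the 192.0.2.0/24 addresses are placeholders.

```zone
; abc.com on the Unix BIND server (constructed example, not from the thread).
; Host names and 192.0.2.x addresses are placeholders.
$TTL 86400
$ORIGIN abc.com.
@       IN SOA  ns1.abc.com. hostmaster.abc.com. (
                2001082701 ; serial
                3600       ; refresh
                900        ; retry
                604800     ; expire
                86400 )    ; minimum
@       IN NS   ns1.abc.com.
ns1     IN A    192.0.2.10        ; Unix BIND server

; Static A records for the domain controller and the MS DNS server,
; added by hand as Barry suggests. Because nothing in this zone is
; written by DDNS, the zone needs no allow-update at all.
W2Kserver1  IN A  192.0.2.21      ; W2K Active Directory DC
W2Kserver2  IN A  192.0.2.22      ; W2K DNS server

; Delegate only the four underscore zones to the W2K DNS server.
; The DCs register their SRV records there by dynamic update, so any
; corruption stays inside the delegated zones on the MS side; BIND
; holds nothing but these NS pointers.
_msdcs  IN NS   W2Kserver2.abc.com.
_sites  IN NS   W2Kserver2.abc.com.
_tcp    IN NS   W2Kserver2.abc.com.
_udp    IN NS   W2Kserver2.abc.com.
```

W2Kserver2 must still be configured to host those four zones and to forward everything else to ns1 (rohail's step 2), with clients pointed at W2Kserver2. If the BIND version in use rejects the underscore owner names, that is the check-names issue rohail's step 4 refers to.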



More information about the bind-users mailing list