Windows 2K DC A Record Visible When Running Nslookup against domain name

Josh Littlefield joshl at cisco.com
Tue Jan 30 21:49:49 UTC 2001 

Microsoft clients use SRV records to locate the directory and other W2K
Domain-related services.  They don't use the W2K Domain A records.  The
Microsoft literature indicates these are created to support LDAP clients which
don't use SRV records.  In particular, I think LDAP referrals from Active
Directory servers refer to other "Domains" rather than to specific LDAP
servers.  Therefore, a non-SRV-aware LDAP client may expect these A records when
following an LDAP referral to that domain.

"Jim D. Kirby" wrote:

> Regarding the A records for hte Win2K DCs.....
>
> In our test, we only populated A records for the DCs like this:
>
>      dc01.anl.gov   IN  A   192.168.1.11
>      dc02.anl.gov   IN  A   192.168.4.10
>
> and left the A records associated with the domain itseld to point at another
> host (the DNS machine itself).  We did not have problems with clients
> finding a DC.
>
> Barry indicates that the Win2K clients use the A record associated with the
> domain (anl.gov   IN  A   192.168.1.11) to find their DC.  My understanding
> is, that Win2K client first gets it address DNS information from DHCP (or
> statically or via DHCPINFORM; no matter which).  Armed with DNS information,
> it then does a DNS lookup for a particular SRV records
> (_ldap.First-Default-Sites._tcp._msdcs.anl.gov or something similiar) to
> find
> the ldap, kereberos, global catalog and other services.
>
> This should mean that the DC-to-domain records are not needed.  We do not
> allow WindK DCs to update the primary zone so we do not have domain A
> records pointing to DC addesses and it seems to work well.
>
> Is there any reason why this setup would cause us problems?  I guess it's
> possible that legacy WINS could  be masking issues.
> jk
>
> -----Original Message-----
> From: Barry Finkel [mailto:b19141 at achilles.ctd.anl.gov]
> Sent: Friday, January 26, 2001 9:13 AM
> To: bind-users at isc.org
> Subject: Re: Windows 2K DC A Record Visible When Running Nslookup
> against domain name
>
> Vyto Grigaliunas [mailto:vyto at fnal.gov] replied to Bill Smith:
>
> >I've noticed that two and I think it's because the W2K DC's create A
> records
> >associated with the domain itself as well...why, I don't know (I seem to
> say
> >that a lot about Microsoft), but then again we're just starting to set up a
> >testbed...probably how AD clients find their DC's ???
>
> "Jim D. Kirby" <jdkirby at bluebunny.com> replied to Vyto:
>
> >I've noticed this as well.  Or suspicion is it's just MS's way of taking
> >control of the zone.  It does not overwrite any existing A records, but we
> >did not want our DCs populated this way and have disabled updates to the
> >primary zone file.  We did create _msdcs, _tcp, _udp, and _sites subdomains
> >under the primary zone and allow the DCs to update those zones.  AD/Win2K
> >clients find their DCs from those zones.
>
> I believe that Vyto is correct.  Each DC in a Win2k domain will
> register its address in DNS -  for example,
>
>      anl.gov   IN  A   192.168.1.11
>      anl.gov   IN  A   192.168.4.10
>
> That is how the Win2k clients find the addresses of the DCs.  In our
> testbed and production networks I have the four "_" zones on a Win2k
> DNS (this may change) where I alllow DDNS.  I do not allow DDNS to the
>
>      anl.gov
>
> zone, so for each of our DCs for that top-level Win2k domain I
> registered the "A" record manually.  I do not expect that our top-level
> DCs will change IP addresses in the future, so there is no need for the
> "A" records to be dynamic.
>
> We are still working on configurations for the sub-domains of anl.gov.
> ----------------------------------------------------------------------
> Barry S. Finkel
> Electronics and Computing Technologies Division
> Argonne National Laboratory          Phone:    +1 (630) 252-7277
> 9700 South Cass Avenue               Facsimile:+1 (630) 252-9689
> Building 221, Room B236              Internet: BSFinkel at anl.gov
> Argonne, IL   60439-4844             IBMMAIL:  I1004994

--
=====================================================================
Josh Littlefield                                  Cisco Systems, Inc.
joshl at cisco.com                                      250 Apollo Drive
tel: 978-244-8378  fax: same               Chelmsford, MA  01824-3627

More information about the bind-users mailing list