Active Directory Integrated DNS (dynamic update behavior)
Rahul Parasnis
rparasnis at clj.co.jp
Thu Jan 16 00:18:21 UTC 2003
Thanks a lot, Barry. This option is pretty much safe.
For the rest of the zones, either I can define W2k as secondary or forward those
requests to BIND DNS.
Is there any limit on defining secondary servers? (Is it 20?)
I tested the dynamic update to learn its behavior. Here is what I understood;
please correct me if I am wrong.
If there is an A record, a CNAME and a PTR record for one client, and the A record is
different from the client FQDN (computer name): when the client updates, it
deletes this A record and PTR record and replaces them with its FQDN name, but
the old A record and CNAME record are not deleted.
I could see the log in db.domain.ixfr and reverse_lookup_zone_file.ixfr.
These two names are not CNAMEs of the A record that is dynamically added.
nslookup cname
Server: DNS Server
Address: IP Address
Name: rparasnis.clj.co.jp
Address: IP Address
Aliases: cname.clj.co.jp
There are the following records now in DNS:
- A record for computername (dynamically updated)
- PTR record for computername (dynamically updated)
- A record (old) which was existing before
- CNAME records pointing to the old A record
Is my understanding correct?
best regards,
- RAHUL
> -----Original Message-----
> From: Barry Finkel [mailto:b19141 at achilles.ctd.anl.gov]
> Sent: Wednesday, January 15, 2003 12:07 AM
> To: rparasnis at clj.co.jp
> Subject: RE: Active Directory Integrated DNS
>
>
> >In all, it looks like you recommend at least one Win2K as name server.
> >You suggested forward zones for _msdcs, _sites, _tcp, _udp; then what do you
> >mean by "define these zones in your BIND server as slaves"?
>
> Define zones
>
> _msdcs.example.com
> _sites.example.com
> _tcp.example.com
> _udp.example.com
>
> on your BIND servers as slave zones, with the master being the W2k DNS
> box.
>
> --------
>
> >I agree that by putting the underscore zones on BIND I will have to give away
> >secure update, but I can compromise with allow-update options (although
> >still vulnerable to IP spoofing) only to domain controllers, as you said
> >they need this feature.
>
> You can do that, but (as you note) the updates are not secure.
>
> --------
>
> >Lastly, about aliases: I can add an alias in the zone if I want, but the question is,
> >when the client boots, it checks in DNS whether the records exist or not; if
> >they exist, it deletes them and adds new entries (A and PTR) in DNS. At that time, what
> >happens to this alias that I have defined?
>
> If you have in DNS
>
> ccccc IN CNAME aaaaa.example.com
>
> and some DDNS deletes (and possibly re-adds)
>
> aaaaa IN A 192.168.1.1
>
> The CNAME record is not touched. The W2k client self-registration code
>
> 1) deletes and re-adds the "A" record
> 2) adds an additional "PTR" record.
>
> --------
>
> >Does the CLIENT check after a certain interval whether my record exists in DNS?
> >(I know DCs do this every 24 hours.)
>
> If you have self-registration not disabled (and it must not be disabled
> for DCs), then the CLIENT workstation will re-register every 24 hours,
> I believe.
> ----------------------------------------------------------------------
> Barry S. Finkel
> Electronics and Computing Technologies Division
> Argonne National Laboratory Phone: +1 (630) 252-7277
> 9700 South Cass Avenue Facsimile:+1 (630) 252-4601
> Building 222, Room D209 Internet: BSFinkel at anl.gov
> Argonne, IL 60439-4828 IBMMAIL: I1004994
>
>
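
Added example, not part of the original messages: a small audit of a zone snapshot in the end state described in this thread (a dynamically registered A/PTR pair, an older A record on the same address, and a CNAME still pointing at the older name). The zone contents, host names and the `audit` helper are constructed for illustration; the only assumption is one record per line in `owner IN TYPE rdata` form.

```python
import ipaddress

# Constructed sample zone data: pc01 is the dynamically registered name,
# oldname is the A record that existed before the client's update.
ZONE = """\
pc01.example.com.          IN A     192.168.1.1
oldname.example.com.       IN A     192.168.1.1
cname.example.com.         IN CNAME oldname.example.com.
other.example.com.         IN A     192.168.1.2
1.1.168.192.in-addr.arpa.  IN PTR   pc01.example.com.
2.1.168.192.in-addr.arpa.  IN PTR   other.example.com.
"""

def parse(text):
    """Collect A, CNAME and PTR records from 'owner IN TYPE rdata' lines."""
    a, cname, ptr = {}, {}, {}
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 4 or fields[1].upper() != "IN":
            continue  # skip anything that is not a simple four-field record
        owner, rtype, rdata = fields[0].lower(), fields[2].upper(), fields[3]
        if rtype == "A":
            a.setdefault(owner, set()).add(rdata)
        elif rtype == "CNAME":
            cname[owner] = rdata.lower()
        elif rtype == "PTR":
            ptr.setdefault(owner, set()).add(rdata.lower())
    return a, cname, ptr

def audit(text):
    """Return (leftover A records, CNAMEs that still point at them).

    An A record counts as leftover when the address has a PTR record and
    that PTR names some other host, i.e. forward and reverse disagree.
    """
    a, cname, ptr = parse(text)
    leftover = []
    for owner, addrs in a.items():
        for addr in addrs:
            rev = ipaddress.ip_address(addr).reverse_pointer + "."
            names = ptr.get(rev, set())
            if names and owner not in names:
                leftover.append((owner, addr))
    stale_names = {owner for owner, _ in leftover}
    aliases = sorted(n for n, target in cname.items() if target in stale_names)
    return sorted(leftover), aliases

if __name__ == "__main__":
    print(audit(ZONE))
```

Records flagged this way are candidates for manual review, since a second A record on the same address can also be intentional.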