AD DDNS Updates ignored with Bind 9 ?

Barry Finkel b19141 at achilles.ctd.anl.gov
Wed Apr 14 15:47:52 UTC 2004


webmaster at kberssin.de (Kai Berssin) wrote:

>I'm about to implement an Active Directory environment with Windows
>Server 2003 Active Directory Domain Controllers and Bind 9.2.1 DNS
>servers. For that, I've created 4 new zones "_mcds.DOMAINNAME",
>"_sites.DOMAINNAME", "_tcp.DOMAINNAME", and "_udp.DOMAINNAME" on the
>Bind server, each zone containing an "allow-update { IP_OF_AD_DCs; };"
>statement (yes, I know about the security issues). Adding or updating
>a record with "nsupdate" works fine, i.e. in general the dynamic
>update feature works. Adding a new AD DC with DCPROMO also works (in
>the sense that there is no error message), i.e. basically the
>communication between AD and DNS functions, and AD recognizes the DNS
>server as to be configured for dynamic updates (otherwise DCPROMO
>would complain). However, none of the records generated by DCPROMO
>(the stuff you can find in netlogon.dns) is written to the Bind zone
>files or the corresponding JNL files. Has anybody experienced the
>same problems and can offer me a tip as to what the problem might be?
>If I trace the communication between the DC AD and the DNS server
>during DCPROMO with Netmon, I cannot find any errors or warnings; the
>only curious thing is a line "Dyn Upd PRE records to DOMAINNAME" ->
>"Prerequisite: DOMAINNAME of type Req for all on class Unknown class".
>Apparently, the DNS record class in the prerequisites record is
>unknown to Netmon, is it also unknown to Bind ?

1) For W2003 you also need the zones

        DomainDNSZones.DOMAINNAME
        ForestDNSZones.DOMAINNAME

But that is not the answer to your problem, I believe.

In the Event Log on the W2003 DC, are there any event entries from the
Netlogon process?  If the SRV records are not accepted by the BIND
server, I would expect Netlogon to log those errors.  If there are no
Event Log entries, then the DNS updates should have been sent and
accepted by the BIND server.  On your BIND server, enable querylogging,
and on the DC, stop/restart the Netlogon process.  See if anything is
logged on the BIND box.  (I do not have DDNS on my BIND box, and without
looking at the code, I am not sure if querylogging will log DDNS
attempts.  If not, then use snoop or another sniffer to see the packets
arriving at the BIND server.)
----------------------------------------------------------------------
Barry S. Finkel
Computing and Instrumentation Solutions Division
Argonne National Laboratory          Phone:    +1 (630) 252-7277
9700 South Cass Avenue               Facsimile:+1 (630) 252-4601
Building 222, Room D209              Internet: BSFinkel at anl.gov
Argonne, IL   60439-4828             IBMMAIL:  I1004994
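An added illustration, not part of the thread: the "Unknown class" that Netmon reported in the prerequisite is the RFC 2136 pseudo-class ANY (255) (NONE, 254, is the other one), which is perfectly valid in a DNS UPDATE even though a general-purpose sniffer may not name it. This small encoder/decoder builds a DCPROMO-style update (a "name is in use" prerequisite followed by one SRV add) and parses the class fields back out, so captured update packets can be checked the same way; the zone and host names are constructed, not the poster's.

```python
import struct

# RFC 2136 DNS UPDATE (opcode 5). Prerequisite RRs use the pseudo-classes
# ANY (255) and NONE (254), which a generic sniffer may show as "Unknown class".
CLASS_IN, CLASS_NONE, CLASS_ANY = 1, 254, 255
TYPE_SOA, TYPE_SRV, TYPE_ANY = 6, 33, 255
OPCODE_UPDATE = 5

def encode_name(name):
    """Wire-encode a dotted name as length-prefixed labels (no compression)."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"

def decode_name(buf, off):
    """Decode an uncompressed name at buf[off]; return (name, new offset)."""
    labels = []
    while buf[off]:
        n = buf[off]; labels.append(buf[off + 1:off + 1 + n].decode()); off += 1 + n
    return ".".join(labels) + ".", off + 1

def srv_rdata(prio, weight, port, target):
    return struct.pack(">HHH", prio, weight, port) + encode_name(target)

def build_update(zone, srv_name, rdata, msg_id=0x1234):
    """DCPROMO-style update: prereq 'zone name is in use', then add one SRV RR."""
    hdr = struct.pack(">HHHHHH", msg_id, OPCODE_UPDATE << 11, 1, 1, 1, 0)
    zone_sec = encode_name(zone) + struct.pack(">HH", TYPE_SOA, CLASS_IN)
    # "Name is in use": TYPE=ANY, CLASS=ANY, TTL=0, RDLENGTH=0 (RFC 2136 s2.4.4)
    prereq = encode_name(zone) + struct.pack(">HHIH", TYPE_ANY, CLASS_ANY, 0, 0)
    update = encode_name(srv_name) + struct.pack(">HHIH", TYPE_SRV, CLASS_IN, 600, len(rdata)) + rdata
    return hdr + zone_sec + prereq + update

def parse_update(wire):
    """Return (opcode, [(section, name, type, class), ...]); rdata is skipped."""
    _, flags, zo, pr, up, ad = struct.unpack(">HHHHHH", wire[:12])
    off, rrs = 12, []
    for _ in range(zo):                      # zone section has no TTL/RDLENGTH
        name, off = decode_name(wire, off)
        t, c = struct.unpack(">HH", wire[off:off + 4]); off += 4
        rrs.append(("zone", name, t, c))
    for section, count in (("prereq", pr), ("update", up), ("additional", ad)):
        for _ in range(count):
            name, off = decode_name(wire, off)
            t, c, _ttl, rdlen = struct.unpack(">HHIH", wire[off:off + 10])
            off += 10 + rdlen                # only the class matters here
            rrs.append((section, name, t, c))
    return (flags >> 11) & 0xF, rrs

def class_name(c):
    return {CLASS_IN: "IN", CLASS_NONE: "NONE", CLASS_ANY: "ANY"}.get(c, "unknown(%d)" % c)
```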