Microsoft Active Directory Support Observations and Questions

Barry Finkel b19141 at achilles.ctd.anl.gov
Wed Aug 11 15:08:43 UTC 2004


Martin McCormick <martin at dc.cis.okstate.edu> wrote:

>	I am setting up bind to support Microsoft Active Directory and
>using the method recommended in DNS and Bind 4TH Edition.  It mostly
>works, but the customer has added a new wrinkle to make things
>more interesting.  He has a couple of Active Directory domains within
>his main domain, or at least that is the best way I can describe it.
>
>	The main domain, we'll call a.okstate.edu.  Then he's got
>b.a.okstate.edu and c.a.okstate.edu.
>
>	The one thing I can't stress enough is that there are no short
>cuts in setting this up, or at least that is what I am learning.
>
>	I set up the 7 zones for a.okstate.edu and let the controller
>for that zone update bind for all the zones.  That works as expected.
>
>	I hoped that b.a.okstate.edu and c.a.okstate.edu could use the
>root zone of a.okstate.edu, but no such luck.  I had to make a root
>zone of b.a.okstate.edu and c.a.okstate.edu as well as the 6 zones of
>the general form _msdcs.c.a.okstate.edu and _sites.b.a.okstate.edu.
>
>	At the branch level of b.a.okstate.edu and c.a.okstate.edu, I
>gave only the controllers for those domains permission to update them.
>This morning, my customer reported that he was still seeing start
>errors on the controllers.  The controllers for b.a.okstate.edu and
>c.a.okstate.edu wanted to update _msdcs.a.okstate.edu with a Cname
>record pointing to b.a and c.a.
>
>	Does anyone know if there is any procedure I can recommend to
>the client to cause his domain controllers to try to register again so
>that we can speed up the fault isolation process?  The controllers I
>have been watching seem to retry hourly which is pretty slow when one
>is trouble-shooting.
>
>	I got the impression that except for those Cname records,
>everything else may be working.
>
>	If you try this sort of thing yourself, patience is a virtue.
>It is easy to make and overlook mistakes because of the repetitive
>nature of the setup you have to install.  Shell scripts are wonderful
>for automating that repetition.

We have an AD forest

     anl.gov

We also have AD child domains such as

     ipd.anl.gov

In our

     _msdcs.anl.gov

zone we have CNAME records for all of the various DCs, in the parent
domain and in child domains (such as IPD).  

    1dd5def3-eb79-461f-8f84-49923c301952  10M IN CNAME  iris.ipd.anl.gov.

We also have SRV records for each of the various DCs.

So, as you observed, the child domain DCs will send DDNS requests to
update the parent

     _msdcs

zone.

I do not know which process on a DC will be sending these DDNS
packets.  I would try stopping/restarting the Netlogon process on
the child DCs.  I know that Netlogon registers the SRV records, and
a W2k+3 administrator here thinks that Netlogon also registers the
CNAME records.

I do not have this problem, as I have the six parent AD zones and
21 sets of "_" zones for child domains - all on a MS W2k+3 DNS
Server, with secure DDNS.  I let Windows determine who is allowed to
send DDNS updates to my W2k+3 DNS Server.
----------------------------------------------------------------------
Barry S. Finkel
Computing and Instrumentation Solutions Division
Argonne National Laboratory          Phone:    +1 (630) 252-7277
9700 South Cass Avenue               Facsimile:+1 (630) 252-4601
Building 222, Room D209              Internet: BSFinkel at anl.gov
Argonne, IL   60439-4828             IBMMAIL:  I1004994
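As an added illustration (not the configuration of either poster), the following named.conf fragment shows the failure mode described above and the fix for it using the address-based allow-update method from DNS and BIND 4th Edition. The ACL names and addresses are placeholders; the zone names are the ones used in the thread.

```conf
// Added example, not either poster's configuration.
// Addresses are placeholders. The 4th-edition method restricts dynamic
// updates by source address, since Windows DCs do not sign updates with TSIG.
acl "a_dcs" { 192.0.2.10; 192.0.2.11; };   // controllers for a.okstate.edu
acl "b_dcs" { 192.0.2.20; };               // controllers for b.a.okstate.edu
acl "c_dcs" { 192.0.2.30; };               // controllers for c.a.okstate.edu

// Too narrow: a child DC also registers a <GUID> CNAME for itself in the
// PARENT's _msdcs zone. With only the parent DCs allowed here, those
// updates are refused, the child DCs log errors and retry about hourly.
zone "_msdcs.a.okstate.edu" {
    type master;
    file "db._msdcs.a.okstate.edu";
    allow-update { a_dcs; };
};

// Corrected (use instead of the block above): the child DCs may update the
// parent _msdcs zone as well. An address ACL cannot limit a client to CNAME
// records only, so keep the list to DC addresses and nothing wider.
zone "_msdcs.a.okstate.edu" {
    type master;
    file "db._msdcs.a.okstate.edu";
    allow-update { a_dcs; b_dcs; c_dcs; };
};

// The child domains' own "_" zones stay restricted to their own controllers,
// as in the original setup.
zone "_msdcs.b.a.okstate.edu" {
    type master;
    file "db._msdcs.b.a.okstate.edu";
    allow-update { b_dcs; };
};
```

Because the grant is per address rather than per key, any host that can use a listed DC address can rewrite the zone; where the DNS server supports GSS-TSIG, update-policy with per-DC identities is the tighter choice.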
