Microsoft Active Directory Support Observations and Questions

Martin McCormick martin at dc.cis.okstate.edu
Wed Aug 11 15:48:13 UTC 2004


	My thanks to everyone who answered my questions.

	I believe I got the customer's DNS problems solved, but time
will tell.  The logs that bind keeps are incredibly useful when you
know what to be looking for.  Our security.log file collected over
200,000 entries in slightly more than 14 hours.  Most of them were
Windows XP platforms in our network doing their incessant Babel to
update our DNS directly.

	If you grep, however, for the address of an Active Directory
controller, you will find the proverbial needle in the haystack.  You
can see if it is denied from writing.  If you allow it to write to the
zone in question, then you will stop seeing the address of that
controller in the security log and start seeing it in named.log.

	You might have to do something like

grep 192.168.1.5 security.log |grep -v ARPA

That will find 192.168.1.5 every time it tried to write to the DNS
except for the reverse map.

	We don't want the AD controllers to write directly to the
reverse map because there isn't anything to keep a controller from
being hijacked or just going nuts and clobbering the entire reverse
map.

	In many cases, the dhcp server takes care of the reverse
entries for work stations and we automatically add a reverse map any
time we manually register a host.

	For anybody contemplating supporting Active Directory with
bind, the two biggest problems will be the political resistance you
may encounter and the ability to know what is really going on once you
provide the support.  I am fortunate in that I am presently working
with a very thorough person on the Active Directory side who has been
patient and observant.

	I may discover some horrible problem in the future that I
never dreamed of, but I don't really expect to.  The controllers are
now successfully writing to all the underscore zones and the root zone
of each Active Directory domain.
As long as all the SRV records make it into the appropriate zones, it
should work.  Just make doubly sure they are really being updated and
that the controllers are able to successfully write to all the special
zones you set up in bind to accommodate Active Directory.

	If you have slave DNS's around, be absolutely sure that they
are all being notified and are updating when the master tells them to.
It is easy to forget to put an address on a list and then not realize
for a while that this or that slave isn't current.  Your logs are your
friends.

	As for the politics, my heart goes out to anyone who must deal
with that.  It can make one feel like the Greek mythological figure
who must spend eternity pushing a rock up hill.

	I can't say that that comparison is an original thought of
mine, but I heard an interview with a popular singer who compared his
mission in life to that Greek character.  Suddenly, I said, "That's
what this argument is like."

	A number of us in our group say that the main advantage of
supporting AD with bind is robustness.  If one of those
javascript-driven monster viruses roars through your organization, at
least the DNS's will still be there.

Martin McCormick WB5AGZ  Stillwater, OK 
OSU Information Technology Division Network Operations Group
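The log triage described in the post (grep the security log for one controller's address, drop the reverse-map entries, then confirm the writes show up in named.log once the zone allows them), as an added example that is not part of the original post or of OSU's tooling. It assumes BIND 9's log line format with print-time, print-category and print-severity enabled; the log lines, addresses (192.168.1.5 and friends) and zone names below are constructed samples, and the functions are named here for illustration. It also anchors the address on "client " and "#" so that a search for 192.168.1.5 does not silently pick up 192.168.1.50, which the bare grep in the post would.

```shell
#!/bin/sh
# Added example, not from the original post: triage BIND logs for one
# Active Directory controller. Log lines are constructed samples in BIND 9
# format; addresses, zone names and file names are assumptions.

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
SECURITY_LOG="$WORK/security.log"   # category security -> refused updates
NAMED_LOG="$WORK/named.log"         # category update   -> accepted updates

# Constructed sample: what the security channel logs before the zones
# allow the controller to update them. Note the 192.168.1.50 line.
cat > "$SECURITY_LOG" <<'EOF'
11-Aug-2004 09:01:02.101 security: info: client 192.168.1.5#49152: update 'ad.example.com/IN' denied
11-Aug-2004 09:01:02.355 security: info: client 192.168.1.5#49153: update '_msdcs.ad.example.com/IN' denied
11-Aug-2004 09:01:03.007 security: info: client 192.168.1.5#49154: update '1.168.192.in-addr.arpa/IN' denied
11-Aug-2004 09:01:03.210 security: info: client 192.168.1.50#1025: update 'ad.example.com/IN' denied
11-Aug-2004 09:01:03.412 security: info: client 192.168.1.77#1026: update 'ad.example.com/IN' denied
11-Aug-2004 09:01:04.444 security: info: client 192.168.1.5#49155: update '_tcp.ad.example.com/IN' denied
11-Aug-2004 09:01:05.010 security: info: client 192.168.1.5#49156: update 'ad.example.com/IN' denied
EOF

# Constructed sample: what the update channel logs after allow-update
# admits the controller; the SRV records are the ones AD depends on.
cat > "$NAMED_LOG" <<'EOF'
11-Aug-2004 10:15:30.001 update: info: client 192.168.1.5#49160: updating zone 'ad.example.com/IN': adding an RR at '_ldap._tcp.ad.example.com' SRV 0 100 389 dc1.ad.example.com.
11-Aug-2004 10:15:30.002 update: info: client 192.168.1.5#49160: updating zone '_msdcs.ad.example.com/IN': adding an RR at 'gc._msdcs.ad.example.com' A 192.168.1.5
11-Aug-2004 10:15:31.500 update: info: client 192.168.1.6#49200: updating zone 'ad.example.com/IN': adding an RR at '_kerberos._tcp.ad.example.com' SRV 0 100 88 dc2.ad.example.com.
EOF

# denied_updates ADDR LOGFILE
# Every refused dynamic update from ADDR. Anchoring on "client ADDR#"
# keeps 192.168.1.5 from also matching 192.168.1.50 or 192.168.1.51.
denied_updates() {
    grep -F "client $1#" "$2" | grep "update '.*' denied"
}

# denied_forward_updates ADDR LOGFILE
# The post's "grep -v ARPA": refusals on forward zones only (IPv6 reverse
# zones are excluded as well).
denied_forward_updates() {
    denied_updates "$1" "$2" | grep -vi -e 'in-addr\.arpa' -e 'ip6\.arpa'
}

# denied_reverse_updates ADDR LOGFILE
# Refusals on the reverse map. Under the post's policy these are expected
# and should keep appearing for the controllers.
denied_reverse_updates() {
    denied_updates "$1" "$2" | grep -i -e 'in-addr\.arpa' -e 'ip6\.arpa'
}

# denied_zones ADDR LOGFILE
# Distinct zones ADDR was refused on: the list to compare against the
# allow-update statements in named.conf. LC_ALL=C keeps the underscore
# zones sorting ahead of the domain root regardless of locale.
denied_zones() {
    denied_updates "$1" "$2" \
      | sed -n "s/.*update '\([^']*\)\/IN' denied.*/\1/p" \
      | LC_ALL=C sort -u
}

# approved_updates ADDR LOGFILE
# Once a zone admits the controller its writes move to the update category;
# this is the check that the SRV records are really landing.
approved_updates() {
    grep -F "client $1#" "$2" | grep "updating zone '"
}

printf 'Forward-zone refusals for 192.168.1.5:\n'
denied_forward_updates 192.168.1.5 "$SECURITY_LOG"
printf '\nReverse-map refusals (expected under this policy):\n'
denied_reverse_updates 192.168.1.5 "$SECURITY_LOG"
printf '\nZones to check in named.conf:\n'
denied_zones 192.168.1.5 "$SECURITY_LOG"
printf '\nAccepted writes in named.log:\n'
approved_updates 192.168.1.5 "$NAMED_LOG"
```

Run it once with the constructed logs, then point the functions at the real security.log and named.log. On the sample, the bare `grep 192.168.1.5` the post sketches returns six lines because it also matches the 192.168.1.50 workstation, while the anchored form returns the five that belong to the controller.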
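The zone and logging policy the post describes, as an added BIND 9 named.conf fragment that is not from the original post or from OSU's configuration: the controllers may update the AD domain root and the underscore zones, the reverse map refuses dynamic updates altogether, refused updates go to a security log and accepted ones to named.log, and the slaves are listed explicitly so the notify/transfer side can be checked in the same logs. The acl names, addresses, zone names and file paths are assumptions.

```conf
// Added example, not from the original post: named.conf fragment for the
// policy described above. Addresses, zone names and paths are assumptions.

acl ad-controllers { 192.168.1.5; 192.168.1.6; };
acl slaves         { 192.168.1.10; 192.168.1.11; };

logging {
    channel security_log {
        file "/var/log/named/security.log" versions 5 size 20m;
        severity info;
        print-time yes; print-category yes; print-severity yes;
    };
    channel named_log {
        file "/var/log/named/named.log" versions 5 size 20m;
        severity info;
        print-time yes; print-category yes; print-severity yes;
    };
    category security { security_log; };   // refused updates: "update '...' denied"
    category update   { named_log; };       // accepted updates: "updating zone '...'"
    category notify   { named_log; };       // NOTIFY messages sent to the slaves
    category xfer-out { named_log; };       // zone transfers the slaves pull
};

// The AD domain root and the underscore zones: this is where the controllers
// register their SRV records, so these (and only these) accept their updates.
zone "ad.example.com" IN {
    type master;
    file "dyn/ad.example.com";
    allow-update   { ad-controllers; };
    allow-transfer { slaves; };
    also-notify    { 192.168.1.10; 192.168.1.11; };
};
zone "_msdcs.ad.example.com" IN {
    type master;
    file "dyn/_msdcs.ad.example.com";
    allow-update   { ad-controllers; };
    allow-transfer { slaves; };
    also-notify    { 192.168.1.10; 192.168.1.11; };
};
// _sites, _tcp and _udp under ad.example.com follow the same pattern.

// The reverse map stays closed to the controllers: DHCP and manual
// registration maintain it, so a hijacked or malfunctioning controller
// cannot overwrite it. Their reverse-map attempts keep landing in
// security.log as "denied", which is the expected state.
zone "1.168.192.in-addr.arpa" IN {
    type master;
    file "rev/1.168.192.in-addr.arpa";
    allow-update   { none; };
    allow-transfer { slaves; };
    also-notify    { 192.168.1.10; 192.168.1.11; };
};
```

Keeping the slave addresses in one acl and one also-notify list makes the omission the post warns about (a slave left off a list and quietly falling behind) a single place to check; after a controller writes to a zone, the notify and xfer-out lines for every slave should follow the "updating zone" line in named.log.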

