Recommendations on integrating BIND and AD

William Bell halo64 at yahoo.com
Thu Feb 5 13:39:52 UTC 2004


Hi Kevin,
Thanks for the info.  It was very helpful.
Your configuration sounds a great deal like what I was hoping to do here.
Can you elaborate a bit more?  I'm also interested in the details of how you
implemented it.

One of the sticking points for our AD admin is the "fact" that ISC DHCP
won't update DDNS securely in AD subdomains.   (This is what he told me
anyway.  I haven't been able to confirm or deny it.)  You state that your
DHCP server updates the AD subdomains using TSIG.  How does that work?  I
thought ISC's DHCP server didn't speak the same TSIG language as MS.

Thanks again!
-Bill

On 1/30/04 14:08, in article bvejgi$sll$1 at sf1.isc.org, "Mark Damrose"
<mdamrose at elgin.cc.il.us> wrote:

> "Kevin Darcy" <kcd at daimlerchrysler.com> wrote in message
> news:bvceuo$ne7$1 at sf1.isc.org...
>> Bell, William IT wrote:
>> 
>> 
>>> In addition, he says that ISC doesn't properly expire leases in AD.
>>> 
>> 
>> Wouldn't know. Don't use ISC's DHCP implementation...
>> 
> Actually, this is backwards.  MS server improperly removes DDNS.
> MS OSs don't properly remove entries they have made once they are
> no longer needed (AD DHCP doesn't add clients, they self-register).
> MS DNS servers assume that clients don't clean up after themselves,
> and drop all DNS entries made dynamically.  MS OSs assume the DNS
> server is going to silently discard their DNS entries, so periodically
> re-add them.
> 
> ISC's DHCP server adds a DNS entry *once* - when the lease is created.
> It then deletes the entry *once* - when the lease expires or is released.
> ISC recommends setting the flag to tell the client not to attempt their own
> DDNS.
> 
> I have a completely ISC DNS/DHCP shop with AD.
> Top level domain is static only.
> AD subdomains in the forest are DHCP server updated using TSIG.
> AD servers' A records manually entered - servers have static IPs.
> Underscore domains restricted to AD servers' IPs.
> The only issues I have are that there doesn't appear to be a printer
> manufacturer out there who can get a DHCP client right, but that's
> a different rant.
> 
> 
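Illustrative BIND 9 and ISC DHCP 3 fragments for the layout Mark describes above (an added example, not configuration from any poster in this thread): a static top-level zone, an AD subdomain that only the DHCP server may update with a shared TSIG key, and an underscore zone restricted to the domain controllers' addresses. Zone names, addresses, file names, key name and secret are placeholders; the DHCP server signs its updates to BIND here, not to a Microsoft DNS server, and the reverse zone (which needs the same allow-update in named.conf) is omitted.

```conf
# ---- named.conf (BIND 9) ----
# TSIG key shared with the ISC DHCP server. Secret is a placeholder;
# generate one with: dnssec-keygen -a HMAC-MD5 -b 128 -n HOST dhcp-update
key "dhcp-update" {
    algorithm hmac-md5;
    secret "PLACEHOLDER_BASE64_SECRET==";
};

# Addresses of the AD domain controllers (placeholders).
acl "ad-dcs" { 192.0.2.10; 192.0.2.11; };

# Top-level zone: static records only, nobody may update it dynamically.
zone "example.com" {
    type master;
    file "db.example.com";
    allow-update { none; };
};

# AD subdomain: client A records come and go only via the DHCP server's
# TSIG-signed updates; the DCs' own A records are entered by hand.
zone "ad.example.com" {
    type master;
    file "db.ad.example.com";
    allow-update { key "dhcp-update"; };
};

# Underscore (SRV) zones the DCs register themselves into. An address ACL
# only trusts the source IP, so it is weaker than a key; keep it to the DCs.
# Repeat for _sites, _tcp and _udp under ad.example.com.
zone "_msdcs.ad.example.com" {
    type master;
    file "db._msdcs.ad.example.com";
    allow-update { ad-dcs; };
};

# ---- dhcpd.conf (ISC DHCP 3) ----
ddns-update-style interim;
ddns-updates on;
ddns-domainname "ad.example.com";
# Server adds the A/PTR pair once at lease creation and removes it once at
# expiry or release; clients are told not to attempt their own DDNS.
ignore client-updates;

key dhcp-update {
    algorithm hmac-md5;
    secret "PLACEHOLDER_BASE64_SECRET==";
};
zone ad.example.com. { primary 192.0.2.53; key dhcp-update; }
zone 2.0.192.in-addr.arpa. { primary 192.0.2.53; key dhcp-update; }
```

The same secret must appear in both files; `named-checkconf` on the BIND side and `dhcpd -t` on the DHCP side will catch syntax slips before the services are restarted.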