Recommendations on integrating BIND and AD

Mark Damrose mdamrose at elgin.cc.il.us
Thu Feb 5 22:26:02 UTC 2004


"William Bell" <halo64 at yahoo.com> wrote in message
news:bvtvhe$1thr$1 at sf1.isc.org...
> Hi Kevin,
> Thanks for the info.  It was very helpful.
> Your configuration sounds a great deal like what I was hoping to do here.
> Can you elaborate a bit more?  I'm also interested in the details of how
> you implemented it.
>
> One of the sticking points for our AD admin is the "fact" that ISC DHCP
> won't update DDNS securely in AD subdomains.   (This is what he told me
> anyway.  I haven't been able to confirm or deny it.)  You state that your
> DHCP server updates the AD subdomains using TSIG.  How does that work?  I
> thought ISC's DHCP server didn't speak the same TSIG language as MS.

ISC DHCP server speaks RFC defined TSIG.
MS DNS server speaks MS version of TSIG.
Yes, they are incompatible.

My ISC DHCP server updates my ISC BIND server via TSIG.
AD servers update my ISC BIND underscore zones restricted by IP.
Others suggest delegating underscore zones to MS DNS to allow MS TSIG.

>
> Thanks again!
> -Bill
>
> On 1/30/04 14:08, in article bvejgi$sll$1 at sf1.isc.org, "Mark Damrose"
> <mdamrose at elgin.cc.il.us> wrote:
>
> > "Kevin Darcy" <kcd at daimlerchrysler.com> wrote in message
> > news:bvceuo$ne7$1 at sf1.isc.org...
> >> Bell, William IT wrote:
> >>
> >>
> >>> In addition, he says that ISC doesn't properly expire leases in AD.
> >>>
> >>
> >> Wouldn't know. Don't use ISC's DHCP implementation...
> >>
> > Actually, this is backwards.  MS server improperly removes DDNS.
> > MS OSs don't properly remove entries they have made once they are
> > no longer needed (AD DHCP doesn't add clients, they self-register).
> > MS DNS servers assume that clients don't clean up after themselves,
> > and drop all DNS entries made dynamically.  MS OSs assume the DNS
> > server is going to silently discard their DNS entries, so periodically
> > re-add them.
> >
> > ISC's DHCP server adds a DNS entry *once* - when the lease is created.
> > It then deletes the entry *once* - when the lease expires or is
> > released.
> > ISC recommends setting the flag to tell the client not to attempt their
> > own DDNS.
> >
> > I have a completely ISC DNS/DHCP shop with AD.
> > Top level domain is static only.
> > AD subdomains in the forest are DHCP server updated using TSIG.
> > AD servers A records manually entered - servers have static IP.
> > Underscore domains restricted to AD servers IP.
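The layout described in this thread (static top-level zone, AD subdomain updated only by the ISC DHCP server over RFC 2845 TSIG, underscore zones that accept unsigned updates only from the domain controllers' addresses, clients told not to do their own DDNS) as a pair of configuration fragments. This is an added illustration, not configuration from the poster or from ISC. The zone names (example.edu, ad.example.edu), the RFC 5737 addresses 192.0.2.0/24, the file paths and the TSIG secret are all constructed placeholders; generate your own secret with dnssec-keygen or tsig-keygen.

```conf
# ---------- named.conf (ISC BIND 9) ----------

# Shared secret between BIND and the ISC DHCP server. HMAC-MD5 was the
# interoperable TSIG algorithm of the day; the secret is a constructed
# placeholder and must be replaced.
key "dhcp-update" {
    algorithm hmac-md5;
    secret "c2VjcmV0LWV4YW1wbGUtcmVwbGFjZS1tZQ==";
};

# Addresses of the AD domain controllers (constructed examples).
acl "ad-servers" { 192.0.2.10; 192.0.2.11; };

# Top-level zone: static only, maintained by hand.
zone "example.edu" {
    type master;
    file "master/example.edu.db";
    allow-update { none; };
};

# AD subdomain: only TSIG-signed updates from the DHCP server are accepted.
# The DCs' own A records are entered statically here, since they cannot
# sign updates with RFC TSIG.
zone "ad.example.edu" {
    type master;
    file "master/ad.example.edu.db";
    allow-update { key "dhcp-update"; };
};

# Underscore zones carry the SRV/CNAME records the DCs register themselves.
# They are separate zones so that unsigned updates can be confined by
# source address without opening the parent zone to address-based updates.
zone "_msdcs.ad.example.edu" {
    type master;
    file "master/_msdcs.ad.example.edu.db";
    allow-update { ad-servers; };
};
zone "_sites.ad.example.edu" {
    type master;
    file "master/_sites.ad.example.edu.db";
    allow-update { ad-servers; };
};
zone "_tcp.ad.example.edu" {
    type master;
    file "master/_tcp.ad.example.edu.db";
    allow-update { ad-servers; };
};
zone "_udp.ad.example.edu" {
    type master;
    file "master/_udp.ad.example.edu.db";
    allow-update { ad-servers; };
};

# Reverse zone, also maintained by the DHCP server.
zone "2.0.192.in-addr.arpa" {
    type master;
    file "master/2.0.192.rev";
    allow-update { key "dhcp-update"; };
};

# ---------- dhcpd.conf (ISC DHCP 3.x) ----------

ddns-update-style interim;      # add on lease creation, remove on expiry/release
ddns-updates on;
ddns-domainname "ad.example.edu";
deny client-updates;            # server does the updates and sets the FQDN
                                # option flags so the client does not try its own

key dhcp-update {
    algorithm hmac-md5;
    secret c2VjcmV0LWV4YW1wbGUtcmVwbGFjZS1tZQ==;   # same constructed secret as in named.conf
};

zone ad.example.edu. {
    primary 192.0.2.53;         # constructed address of the BIND master
    key dhcp-update;
}

zone 2.0.192.in-addr.arpa. {
    primary 192.0.2.53;
    key dhcp-update;
}

subnet 192.0.2.0 netmask 255.255.255.0 {
    range 192.0.2.100 192.0.2.200;
    option domain-name "ad.example.edu";
    option domain-name-servers 192.0.2.53;
}
```

The address-based `allow-update` on the underscore zones is the weak point of this design: anything that can send packets with a DC's source address can alter SRV records, so those zones should only be reachable from the internal network and the DC list kept tight. The alternative mentioned in the thread, delegating the underscore zones to MS DNS so the DCs can use Microsoft's GSS-TSIG, trades that exposure for running a second DNS server.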
