Supporting domaindnszones forestdnszones in Active Directory

Martin McCormick martin at dc.cis.okstate.edu
Thu Jul 8 13:28:58 UTC 2004


	The underscores are definitely not at the beginning of those
new names.  I used bind's dig to do a zone transfer from the site in
question and the four original domain names of _sites, _tcp, _udp and _msdcs
are amply represented with records.  The domaindnszones domain has
plenty of existing records but there is no _ preceding the name.  As
I mentioned in the first message, there appear to be no forestdnszones
records either with or without the underscore.

Kevin Darcy writes:
>My guess would be that AD is ignoring the underscore for the "root" 
>domain that it uses. This could either be a simple GUI bug (the 
>underscore is dropped), or it could be something deeper, like an 
>inconsistent attempt to obey Internet hostname requirements (which 
>technically forbid underscores). Why do you *want* underscores in those 
>domain names? What does it buy you?

	I truly don't care as long as the Windows AD zones are
definable.  We are possibly going to replace the dns function
presently being provided by Microsoft DNS's with our bind DNS's so I
need to be sure to correctly define the domain names so that the AD
controllers can write their records into a working zone.  The fact
that examples I have been given, both from the bind book and from
people who are providing a similar service at their sites show
underscores for all 6 domains and the fact that at least one of the
two new domains at our site has no underscore bothers me because it is
different than expected.

	If we do switch DNS's, I want to provide exactly the same
zones that the AD clients presently get.  If the lack of the
underscore is some kind of mistake, then that needs to be fixed before
we perpetuate the problem in the new setup.

	If Microsoft dropped the underscore for forestdnszones and
domaindnszones in their newest version of Win2K+3, all that may mean
is that we need to configure the zones appropriately if we hope to
provide the service for them.

	I've had good luck with AD setups involving Win2K
installations and the original 4 domains so this whole question is
admittedly kind of picky, but some of the people on the AD side of
things are skeptical and I know that we need to have this right from
the get-go to make everybody happy.

	One could configure _forestdnszones and forestdnszones as well
as _domaindnszones and domaindnszones which would take care of both
sets of possibilities, but one would have at least 2 empty zones that
just waste CPU time and disk space.

	My apologies for this rather minute bit of detail, but I know
bind can do the job if I set it up right and I also know that we
probably won't get much time to experiment with things if I don't get
it right.

Martin McCormick WB5AGZ  Stillwater, OK 
OSU Information Technology Division Network Operations Group
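
Added example, not part of the original message: the check described above (reading a zone transfer to see which AD subdomains hold records and whether their names carry a leading underscore), done as a script over saved `dig axfr` output. The zone name example.edu, the sample records and the function names are constructed for illustration.

```python
from collections import Counter

# Subdomain labels from the thread, each checked with and without a leading "_".
AD_LABELS = ("sites", "tcp", "udp", "msdcs", "domaindnszones", "forestdnszones")

# Constructed zone transfer output; example.edu and every record are made up.
SAMPLE_AXFR = """\
; constructed sample, not from a real server
example.edu. 3600 IN SOA dc1.example.edu. hostmaster.example.edu. 42 900 600 86400 3600
example.edu. 3600 IN NS dc1.example.edu.
dc1.example.edu. 3600 IN A 192.0.2.10
_ldap._tcp.example.edu. 600 IN SRV 0 100 389 dc1.example.edu.
_kerberos._tcp.example.edu. 600 IN SRV 0 100 88 dc1.example.edu.
_kerberos._udp.example.edu. 600 IN SRV 0 100 88 dc1.example.edu.
_ldap._tcp.Default-First-Site-Name._sites.example.edu. 600 IN SRV 0 100 389 dc1.example.edu.
_ldap._tcp.dc._msdcs.example.edu. 600 IN SRV 0 100 389 dc1.example.edu.
_ldap._tcp.DomainDnsZones.example.edu. 600 IN SRV 0 100 389 dc1.example.edu.
DomainDnsZones.example.edu. 600 IN A 192.0.2.10
"""

def tally_ad_labels(axfr_text, zone):
    """Count records under each AD subdomain label directly below `zone`."""
    suffix = "." + zone.lower().rstrip(".")
    counts = Counter()
    for line in axfr_text.splitlines():
        fields = line.split()
        if not fields or fields[0].startswith(";"):
            continue  # blank line or dig comment
        owner = fields[0].lower().rstrip(".")
        if not owner.endswith(suffix):
            continue  # zone apex or out-of-zone name
        # The label immediately left of the zone name is the subdomain
        # that would need its own zone definition.
        child = owner[: -len(suffix)].split(".")[-1]
        if child.lstrip("_") in AD_LABELS:
            counts[child] += 1
    return counts

def naming_report(counts):
    """For each base label, name the spelling(s) that hold records, or 'absent'."""
    report = {}
    for base in AD_LABELS:
        found = [name for name in ("_" + base, base) if counts[name]]
        report[base] = " and ".join(found) or "absent"
    return report

if __name__ == "__main__":
    for base, spelling in naming_report(tally_ad_labels(SAMPLE_AXFR, "example.edu")).items():
        print(f"{base:16} {spelling}")
```
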

