win 2k3 ads and bind 9.2.1 integration

Barry Finkel b19141 at achilles.ctd.anl.gov
Wed Aug 3 14:19:31 UTC 2005


"Jamie Crawford" <crawford at cmsu1.cmsu.edu> wrote:

>Hello,
>I've got a domain structure of "company.com". I've separated active
>directory by creating its own subdomain of "ads.company.com".   We are
>using bind 9.2.1 for our root domain of "company.com" and I want to use
>the Windows2k3 servers to handle all the active directory dns requests in
>"ads.company.com".  I want to do this without changing our client
>configurations through dhcp.  Through documentation I've read on the web
>and books (Oreilly Active Directory Cookbook for 2k3 and 2k pg 551-552)
>all I should have to do is enter this in my /etc/named.conf and the 2k3 dc
>should dynamically update my zone files with all relevant information.
>
>###/etc/named.conf####
>
>zone "ads.company.com" IN {
>    type master;
>    file "db.ads.company.com";
>    allow-update { ip of dc's; };
>};
>
>###db.ads.company.com###
>$TTL 3600
>@ IN SOA ads1.ads.company.com. hostmaster.ads.company.com. ( 1025 900 600
>86400 3600 )
>
>ads.company.com.   IN  NS  ads1
>ads.company.com.   IN  NS  ads2
>ads1  IN   A   15x.xxx.xxx.xxx
>ads2  IN   A   15x.xxx.xxx.xxx
>
>
>After restarting bind and restarting the domain controllers, I expected to
>have the domain controllers to dynamically update the zone file with all
>the relevant information that would be in the netlogon.dns file. To my
>surprise, no updates occurred.  Instead I got the domain controllers trying
>to update my reverse zone of "xx.xxx.in-addr.;arpa/IN' denied" and
>erroring out with the usual "can't update dns message"  I then went into
>the reverse zone config in named.conf and allowed both domain controllers
>to "allow-updates". I restarted named and the dc's and
>that made the dc's happy, but it didn't update my ads.company.com zone
>file with any information.
>
>If anyone has any ideas or experience where to go next, it would be
>greatly appreciated.
>
>Thanks,
>jamie

First, the list archives of this list and of its late sister list

     bind9-users at isc.org

are searchable.  There have been many W2k/W2k+3-related postings
in the past years.  What I would suggest is what I have for my setup:

1) Have a MS W2k+3 DNS Server handle the six AD-related zones.  The MS
   Server can do secure DDNS, which the BIND servers can not yet do.

2) Have those zones slaved on your BIND servers, so any client that
   queries the BIND server will be able to retrieve info from the AD
   zones without BIND having to refer the query to another DNS server.

3) Add the domain "A" records to your BIND master, as these records
   are not in the six AD-related zones.

What DHCP server are you using?  I have little experience with DHCP.
I do have one forward zone and five reverse zones on my MS W2k+3
DNS Server, all updated by a MS DHCP Server.  There are problems,
but the clients are not complaining.
----------------------------------------------------------------------
Barry S. Finkel
Computing and Information Systems Division
Argonne National Laboratory          Phone:    +1 (630) 252-7277
9700 South Cass Avenue               Facsimile:+1 (630) 252-4601
Building 222, Room D209              Internet: BSFinkel at anl.gov
Argonne, IL   60439-4828             IBMMAIL:  I1004994
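
Not part of either post above: an added sketch of the BIND side of the three-step layout Barry describes, written as a named.conf fragment. The six subzones are my reading of "the six AD-related zones" (the ones a W2k3 DC registers its records into); 192.0.2.11 and 192.0.2.12 are placeholder addresses for the two DCs running the MS DNS Server, and db.ads.company.com is assumed to carry NS records delegating each subzone to them.

```conf
// Added example (not from the original posts): BIND 9 named.conf fragment
// for the layout described above. 192.0.2.11/.12 are placeholder addresses
// for the two DCs that run the MS W2k3 DNS Server.

// Step 3: the AD domain zone itself stays a BIND master. Its zone file
// holds the DCs' A records (they are not in the AD subzones) and the NS
// delegations for the six subzones below. It takes no dynamic updates.
zone "ads.company.com" IN {
    type master;
    file "db.ads.company.com";
    allow-update { none; };
};

// Steps 1 and 2: the six AD-related zones are mastered on the MS DNS
// servers (which accept secure DDNS from the DCs) and only slaved here,
// so BIND answers for them directly and never has to accept a DC update.
zone "_msdcs.ads.company.com" IN {
    type slave;
    file "slave/db._msdcs.ads.company.com";
    masters { 192.0.2.11; 192.0.2.12; };
};
zone "_sites.ads.company.com" IN {
    type slave;
    file "slave/db._sites.ads.company.com";
    masters { 192.0.2.11; 192.0.2.12; };
};
zone "_tcp.ads.company.com" IN {
    type slave;
    file "slave/db._tcp.ads.company.com";
    masters { 192.0.2.11; 192.0.2.12; };
};
zone "_udp.ads.company.com" IN {
    type slave;
    file "slave/db._udp.ads.company.com";
    masters { 192.0.2.11; 192.0.2.12; };
};
zone "DomainDnsZones.ads.company.com" IN {
    type slave;
    file "slave/db.domaindnszones.ads.company.com";
    masters { 192.0.2.11; 192.0.2.12; };
};
zone "ForestDnsZones.ads.company.com" IN {
    type slave;
    file "slave/db.forestdnszones.ads.company.com";
    masters { 192.0.2.11; 192.0.2.12; };
};
```

With the subzones only slaved, BIND needs no allow-update entry for the DCs at all; the DCs send their dynamic updates to the MS DNS servers, and BIND refuses and logs any update aimed at it.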