win 2k3 ads and bind 9.2.1 integration

Jamie Crawford crawford at cmsu1.cmsu.edu
Wed Aug 3 16:16:27 UTC 2005


Hi,
Thanks for your response.  We're using dhcp3 on Red Hat.  We have the clients get their FQDN from our DNS server through the DHCP server.  For example: xpcomputer1.aviationbuilding.company.com.  I'm not too knowledgeable about BIND at all; that's why I'm here.

At this moment I have changed my named.conf to the current:

zone "ads.company.com" {
type slave;
file "db.ads.company.com";
masters { ip of w2k3 dns server; };
};

Are you recommending that I add these zones also?

_msdcs.ads.company.com
_tcp.ads.company.com
_udp.ads.company.com
_sites.ads.company.com
DomainDNSZones.ads.company.com
ForestDNSZones.ads.company.com

So it would look like

zone "_msdcs.ads.company.com" {
type slave;
file "_msdcs.ads.company.com";
masters { ip of w2k3 dns server; };
};

zone "_tcp.ads.company.com" {
type slave;
file "_tcp.ads.company.com";
masters { ip of w2k3 dns server; };
};

zone "_udp.ads.company.com" {
type slave;
file "_udp.ads.company.com";
masters { ip of w2k3 dns server; };
};

zone "_sites.ads.company.com" {
type slave;
file "_sites.ads.company.com";
masters { ip of w2k3 dns server; };
};

zone "DomainDNSZones.ads.company.com" {
type slave;
file "domaindnszones.ads.company.com";
masters { ip of w2k3 dns server; };
};

zone "ForestDNSZones.ads.company.com" {
type slave;
file "forestdnszones.ads.company.com";
masters { ip of w2k3 dns server; };
};


As for the "A" records to the bind master, I have them in my root zone file:

ads1   A   xxx.xxx.xxx.xxx
ads2   A   xxx.xxx.xxx.xxx

Would this be good enough?

Also, usually you have a reverse zone file definition for your slave zones, right?  Well, I don't think I can do that with these zones because these servers are in the same subnets as all of our other servers.

Sorry for so many questions.  I'm a bind newb.

thanks for your help,
jamie

>>> Barry Finkel <b19141 at achilles.ctd.anl.gov> 8/3/2005 9:19:31 AM >>>
"Jamie Crawford" <crawford at cmsu1.cmsu.edu> wrote:

>Hello,
>I've got a domain structure of "company.com". I've separated active
>directory by creating its own subdomain of "ads.company.com".   We are
>using bind 9.2.1 for our root domain of "company.com" and I want to use
>the Windows2k3 servers to handle all the active directory dns requests in
>"ads.company.com".  I want to do this without changing our client
>configurations through dhcp.  Through documentation I've read on the web
>and books (Oreilly Active Directory Cookbook for 2k3 and 2k pg 551-552)
>all I should have to do is enter this in my /etc/named.conf and the 2k3 dc
>should dynamically update my zone files with all relevant information.
>
>###/etc/named.conf####
>
>zone "ads.company.com" IN {
>type master;
>file "db.ads.company.com";
>allow update { ip of dc's;  };
>};
>
>###db.ads.company.com###
>$TTL 3600
>@ IN SOA ads1.ads.company.com. hostmaster.ads.company.com. ( 1025 900 600
>86400 3600 )
>
>ads.company.com.   IN  NS  ads1
>ads.company.com.   IN  NS  ads2
>ads1  IN   A   15x.xxx.xxx.xxx
>ads2  IN   A   15x.xxx.xxx.xxx
>
>
>After restarting bind and restarting the domain controllers, I expected to
>have the domain controllers to dynamically update the zone file with all
>the relevant information that would be in the netlogon.dns file. To my
>surprise, no updates occurred.  Instead I got the domain controllers trying
>to update my reverse zone of "xx.xxx.in-addr.;arpa/IN' denied" and
>erroring out with the usual "can't update dns message".  I then went into
>the reverse zone config in named.conf and allowed both domain controllers
>to "allow-updates". I restarted named and the dc's and
>that made the dc's happy, but it didn't update my ads.company.com zone
>file with any information.
>
>If anyone has any ideas or experience where to go next, it would be
>greatly appreciated.
>
>Thanks,
>jamie

First, the list archives of this list and of its late sister list

     bind9-users at isc.org

are searchable.  There have been many W2k/W2k+3-related postings
in the past years.  What I would suggest is what I have for my setup:

1) Have a MS W2k+3 DNS Server handle the six AD-related zones.  The MS
   Server can do secure DDNS, which the BIND servers can not yet do.

2) Have those zones slaved on your BIND servers, so any client that
   queries the BIND server will be able to retrieve info from the AD
   zones without BIND having to refer the query to another DNS server.

3) Add the domain "A" records to your BIND master, as these records
   are not in the six AD-related zones.

What DHCP server are you using?  I have little experience with DHCP.
I do have one forward zone and five reverse zones on my MS W2k+3
DNS Server, all updated by a MS DHCP Server.  There are problems,
but the clients are not complaining.
----------------------------------------------------------------------
Barry S. Finkel
Computing and Information Systems Division
Argonne National Laboratory          Phone:    +1 (630) 252-7277
9700 South Cass Avenue               Facsimile:+1 (630) 252-4601
Building 222, Room D209              Internet: BSFinkel at anl.gov
Argonne, IL   60439-4828             IBMMAIL:  I1004994
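Added example, not code from the thread: a small Python helper that emits the six slave-zone stanzas Barry's step 2 describes, using the zone names listed above, and lints a named.conf fragment for a masters { } block whose address entry lacks its terminating ";" (BIND needs one after every address, and a second one after the closing brace). The AD domain and the W2k3 DNS address are constructed placeholders.

```python
import re
from typing import List

# Constructed placeholder values; substitute your own AD subdomain and the
# address of the Windows DNS server that holds the AD zones.
AD_DOMAIN = "ads.company.com"
W2K3_DNS = "192.0.2.10"

# The six AD-related subzones discussed in the thread.
AD_SUBZONES = ["_msdcs", "_tcp", "_udp", "_sites",
               "DomainDNSZones", "ForestDNSZones"]


def slave_zone_stanza(zone: str, master_ip: str) -> str:
    """Return one BIND 9 slave-zone stanza with every statement terminated."""
    return (
        f'zone "{zone}" {{\n'
        f'    type slave;\n'
        f'    file "{zone.lower()}";\n'
        f'    masters {{ {master_ip}; }};\n'
        f'}};\n'
    )


def ad_slave_config(ad_domain: str, master_ip: str) -> str:
    """Stanzas for all six AD subzones under ad_domain, slaved from master_ip."""
    zones = [f"{sub}.{ad_domain}" for sub in AD_SUBZONES]
    return "\n".join(slave_zone_stanza(z, master_ip) for z in zones)


# Matches a masters { ... }; block and captures what is between the braces.
_MASTERS = re.compile(r"masters\s*\{([^}]*)\}\s*;")


def unterminated_masters(conf: str) -> List[str]:
    """Return the body of every masters block whose last entry lacks a ';'."""
    bad = []
    for m in _MASTERS.finditer(conf):
        body = m.group(1).strip()
        if body and not body.endswith(";"):
            bad.append(body)
    return bad


if __name__ == "__main__":
    cfg = ad_slave_config(AD_DOMAIN, W2K3_DNS)
    print(cfg)
    print("unterminated masters entries:", unterminated_masters(cfg))
```

Run the generated text through named-checkconf as well before reloading; the lint above only covers the one syntax slip it was written for.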