win 2k3 ads and bind 9.2.1 integration

Barry Finkel b19141 at achilles.ctd.anl.gov
Thu Aug 4 13:39:37 UTC 2005


>>"Jamie Crawford" <crawford at cmsu1.cmsu.edu> wrote:
>>
>>>Hello,
>>>I've got a domain structure of "company.com". I've separated active
>>>directory by creating its own subdomain of "ads.company.com".   We are
>>>using bind 9.2.1 for our root domain of "company.com" and I want to use
>>>the Windows2k3 servers to handle all the active directory dns requests in
>>>"ads.company.com".  I want to do this without changing our client
>>>configurations through dhcp.  Through documentation I've read on the web
>>>and books (Oreilly Active Directory Cookbook for 2k3 and 2k pg 551-552)
>>>all I should have to do is enter this in my /etc/named.conf and the 2k3 dc
>>>should dynamically update my zone files with all relevant information.

And I replied:

>>First, the list archives of this list and of its late sister list
>>
>>     bind9-users at isc.org
>>
>>are searchable.  There have been many W2k/W2k+3 -related postings
>>in the past years.  What I would suggest is what I have for my setup:
>>
>>1) Have a MS W2k+3 DNS Server handle the six AD-related zones.  The MS
>>   Server can do secure DDNS, which the BIND servers can not yet do.
>>
>>2) Have those zones slaved on your BIND servers, so any client that
>>   queries the BIND server will be able to retrieve info from the AD
>>   zones without BIND having to refer the query to another DNS server.
>>
>>3) Add the domain "A" records to your BIND master, as these records
>>   are not in the six AD-related zones.
>>
>>What DHCP server are you using?  I have little experience with DHCP.
>>I do have one forward zone and five reverse zones on my MS W2k+3
>>DNS Server, all updated by a MS DHCP Server.  There are problems,
>>but the clients are not complaining.


"Jamie Crawford" <crawford at cmsu1.cmsu.edu> wrote in reply to my reply:

>Hi,
>Thanks for your response.  We're using dhcp3 on redhat.  We have the
>clients get their fqdn from our dns server through the dhcp server.  For
>example: xpcomputer1.aviationbuilding.company.com.  I'm not too
>knowledgeable about bind at all, that's why I'm here.
>
>At this moment I have changed my named.conf to the current:
>
>zone "ads.company.com" {
>type slave;
>file "db.ads.company.com";
>masters { ip of w2k3 dns server; };
>};
>
>Are you recommending that I add these zones also?
>
> _msdcs.ads.company.com
> _tcp.ads.company.com
> _udp.ads.company.com
> _sites.ads.company.com
>DomainDNSZones.ads.company.com
>ForestDNSZones.ads.company.com
>
>So it would look like
>
>zone "_msdcs.ads.company.com" {
>type slave;
>file "_msdcs.ads.company.com";
>masters { ip of w2k3 dns server; };
>};
>
>zone "_tcp.ads.company.com" {
>type slave;
>file "_tcp.ads.company.com";
>masters { ip of w2k3 dns server; };
>};
>
>zone "_udp.ads.company.com" {
>type slave;
>file "_udp.ads.company.com";
>masters { ip of w2k3 dns server; };
>};
>
>zone "_sites.ads.company.com" {
>type slave;
>file "_sites.ads.company.com";
>masters { ip of w2k3 dns server; };
>};
>
>zone "DomainDNSZones.ads.company.com" {
>type slave;
>file "domaindnszones.ads.company.com";
>masters { ip of w2k3 dns server; };
>};
>
>zone "ForestDNSZones.ads.company.com" {
>type slave;
>file "forestdnszones.ads.company.com";
>masters { ip of w2k3 dns server; };
>};
>
>
>As for the "A" records to the bind master, I have them in my root zone
>file:
>
>ads1   A   xxx.xxx.xxx.xxx
>ads2   A   xxx.xxx.xxx.xxx
>
>Would this be good enough?
>
>Also, usually you have a reverse zone file definition for your slave zones
>right?  Well I don't think I can do that with these zones because these
>servers are in the same subnets as all of our other servers.
>
>Sorry for so many questions.  I'm a bind newb.
>
>thanks for your help,
>jamie



If you already have 

     ads.company.com

as a W2k+3 -mastered zone slaved on your BIND servers, then the six
AD-related zones are already contained in that zone, so there is no
need to define these zones.  As long as the SOA record for that

     ads.company.com

zone has the nodename of the master W2k+3 DNS Server, then DDNS queries
should locate the master and send dynamic updates to that master.
I believe that with a non-MS DHCP server, you will not be able to
use secure DDNS updates.  But I am not sure of this, as I do not
manage any of the DHCP servers in use here, and the only one that is
doing DDNS is a MS W2k+3 DHCP Server updating zones on a MS W2k+3 DNS
Server.

With respect to reverse zones -- how do you handle these now?  With
DHCP these zones will be dynamic, and they can be on a BIND server.
I have no experience with dynamic zones in BIND, but I do know that
once a zone is dynamic, one should not edit the zone file manually;
all updates have to be via the nsupdate utility.
----------------------------------------------------------------------
Barry S. Finkel
Computing and Information Systems Division
Argonne National Laboratory          Phone:    +1 (630) 252-7277
9700 South Cass Avenue               Facsimile:+1 (630) 252-4601
Building 222, Room D209              Internet: BSFinkel at anl.gov
Argonne, IL   60439-4828             IBMMAIL:  I1004994
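As an added example (not part of this thread or of BIND itself), a small Python check for the two conditions the reply above relies on: the SOA MNAME of the slaved zone should name one of that zone's own NS servers, so DDNS clients locate the master, and the six AD sub-labels should not be delegated out of ads.company.com, since only a delegated sub-label would need its own slave definition. The zone contents, names and addresses are constructed placeholders.

```python
# Added example (not from the thread). Parses a constructed zone file and checks
# that the SOA MNAME is one of the zone's own NS names and that the six AD
# sub-labels are still inside the parent zone rather than delegated away.

AD_SUBZONES = ("_msdcs", "_tcp", "_udp", "_sites", "domaindnszones", "forestdnszones")

# Constructed sample data: placeholder names and documentation addresses (RFC 5737).
SAMPLE_OK = """\
$ORIGIN ads.company.com.
@    3600 IN SOA ads1.ads.company.com. hostmaster.ads.company.com. 2005080401 900 600 86400 3600
@    3600 IN NS  ads1.ads.company.com.
@    3600 IN NS  ads2.ads.company.com.
ads1 3600 IN A   192.0.2.10
ads2 3600 IN A   192.0.2.11
_ldap._tcp.dc._msdcs 600 IN SRV 0 100 389 ads1.ads.company.com.
"""
# Same zone, but the SOA MNAME is not an NS of the zone and _msdcs is delegated away.
SAMPLE_BAD = SAMPLE_OK.replace("SOA ads1.ads.company.com.", "SOA ns0.company.com.") + \
    "_msdcs 3600 IN NS ads1.ads.company.com.\n"

def parse_zone(text):
    """Parse a one-record-per-line zone file into (owner, type, rdata) tuples."""
    origin, records = "", []
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()          # strip comments and blank lines
        if not line:
            continue
        if line.startswith("$ORIGIN"):
            origin = line.split()[1].lower()
            continue
        owner, _ttl, _cls, rtype, *rdata = line.split()
        owner = origin if owner == "@" else f"{owner.lower()}.{origin}"
        records.append((owner, rtype.upper(), rdata))
    return origin, records

def check_ad_zone(text):
    """Return the SOA MNAME, whether it is one of the zone's NS names, and any
    AD sub-labels that are delegated (and so would need their own slave zones)."""
    origin, records = parse_zone(text)
    soa = next(r for o, t, r in records if o == origin and t == "SOA")
    mname = soa[0].lower()
    ns_names = {r[0].lower() for o, t, r in records if o == origin and t == "NS"}
    delegated = sorted(o for o, t, _ in records
                       if t == "NS" and any(o == f"{s}.{origin}" for s in AD_SUBZONES))
    return {"mname": mname, "mname_is_ns": mname in ns_names, "delegated": delegated}

if __name__ == "__main__":
    for name, zone in (("ok", SAMPLE_OK), ("bad", SAMPLE_BAD)):
        print(name, check_ad_zone(zone))
```

Run it against a zone file transferred from the W2k+3 master (for example a `dig axfr` output trimmed to one record per line) to confirm the parent-zone slave is sufficient before adding per-sub-label slave zones.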


