Changing SOA & DNS server for an Active Directory DDNS zone

Andy Blanchard andyb at giganews.com
Thu Oct 13 00:51:45 UTC 2005


On Tue, 11 Oct 2005 09:24:47 -0500 (CDT), Barry Finkel
<b19141 at achilles.ctd.anl.gov> wrote:

>Things to consider (besides what Kevin Darcy posted):
>
>1) With the AD zones mastered on a W2k/W2k+3 Server, you have secure
>   DDNS; with the master on a BIND server, you no longer have secure
>   DDNS.

Actually, we do.  Our global DHCP/DNS infrastructure is entirely *NIX,
and everything is TSIG signed from that side, which is basically DHCP
server to DNS server traffic and zone transfers, so no problems there.
As to Windows, I've read the "DNS and Windows 2000" section of "DNS
and BIND" *very* carefully; we have a dedicated subdomain for AD and
so on.  True, a rogue user with a tool like nsupdate, some basic DNS
skills and an idea of the network design could do some damage, but not
enough for us to be losing sleep over until we can get everything
using GSS-TSIG.  

>2) When the DCs decide to re-register their SRV records via DDNS, the
>   MS DNS code realizes that the request is essentially a null request,
>   so it responds OK to the initial non-secure DDNS, and there are no
>   changes to the zone (and its serial number).  With BIND, I assume
>   that the DDNS will result in a change to the zone, replacing records
>   with identical records.  This will result in a serial number change
>   and zone transfers to the slaves.  I do not know how often a DC will
>   re-register its DNS records.  I have no experience with DDNS and
>   BIND, so the BIND behavior might not be exactly what I have written.

SRV records are refreshed hourly by the Netlogon service, but the
Windows clients do check for the presence of the records when they
update.  If they do exist, then no updates are made and the serial
does not get updated; the upshot is that we only get through a couple
of dozen serial numbers a day and so, as there are 4 billion to
choose from, that's not a problem.

>If you already have the AD zones slaved on the new BIND master, then
>you will not need to copy the zones from the current W2k master.  Is
>there a reason why you are moving the AD zones from MS to BIND?  I have
>my AD zones (74 total) on a W2k+3 Server and slaved on BIND.

As already mentioned, we don't have *any* MS based DHCP/DNS servers
because the infrastructure was well established long before Windows
2000 and AD arrived in the comms room.  I'm moving from a pair of old
Sun SPARC boxes to new Linux boxes all of which are running BIND, so
there is a need to transfer the master zone file between the relevant
servers, and flip the "named.conf" settings around.  Well, by "is" I
mean "was" since I actually made the changes last night and have had
no reported problems or unusual logfile entries in the 24 hours since.

Andy
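As an added example (not taken from Andy's or Barry's posts), this is the named.conf shape the reply describes: a dedicated AD subdomain mastered on BIND, with dynamic updates accepted only from the DHCP server's TSIG key and zone transfers accepted only when signed with a second key, plus the matching slave stanza that gets swapped with it when the master role moves. The zone name, key names, addresses, file paths and secrets are all assumed placeholders.

```conf
// ---- on the BIND master (assumed address 192.0.2.1) ----

// TSIG key the *NIX DHCP server uses to sign its DDNS updates.
key "dhcp-update-key" {
    algorithm hmac-md5;            // era-appropriate; hmac-sha256 on current BIND
    secret "PLACEHOLDER-BASE64";   // placeholder: generate with tsig-keygen/dnssec-keygen
};

// Separate key for zone transfers, so a leaked update key cannot pull zones.
key "xfer-key" {
    algorithm hmac-md5;
    secret "PLACEHOLDER-BASE64";   // placeholder
};

// Dedicated subdomain for AD, kept apart from the main corporate zone.
zone "ad.example.com" {
    type master;
    file "master/ad.example.com.db";
    // Weak form:  allow-update { any; };  -- anyone reaching port 53 can rewrite the zone.
    // Keyed form: only updates signed with the DHCP server's key are applied.
    allow-update   { key "dhcp-update-key"; };
    allow-transfer { key "xfer-key"; };
    notify yes;
};

// ---- on the BIND slave (assumed address 192.0.2.2) ----

// Outgoing requests to the master (AXFR/IXFR) are signed with xfer-key.
server 192.0.2.1 { keys { "xfer-key"; }; };

zone "ad.example.com" {
    type slave;
    file "slave/ad.example.com.db";
    masters { 192.0.2.1; };
    allow-update { none; };        // updates go to the master only
};
```

Moving the master to a new box is then the swap the reply mentions: the old master's stanza becomes the slave form above and the new box takes the master form, with the key statements present on both.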