Recent Problem with BIND 9 under Windows XP

Danny Mayer mayer at gis.net
Mon Jul 2 03:13:01 UTC 2007


Vincent Poy wrote:
> On 7/1/07, Mark Andrews <Mark_Andrews at isc.org> wrote:
>>
>> >
>> > > On 6/29/07, Danny Mayer <mayer at ntp.isc.org> wrote:
>> > > > Vincent Poy wrote:
>> > > > > You're right about the lack of syslog in Windows so it will only log an
>> > > > > event rather than detailed like syslog on a Unix box would.  Is there
>> > > > > a way to log to a specific logfile using named.conf in Windows?
>> > > >
>> > > > No, you are not getting far enough to start the logging. That's why I
>> > > > told you to use the pid-file none; option. While you are at it, does the
>> > > > pid file exist in the directory you specified for it?
>> > >
>> > > the named.pid file does exist in the directory whether I have it
>> > > specified or not as I deleted the named.pid file before each test to
>> > > see what happens.  With pid-file none; option, the file doesn't get
>> > > created but the problem still doesn't change.
>> > >
>> > > > > Thanks for the reminder about testing named from the command line, it
>> > > > > runs from a different user account.  I tried running it on the command
>> > > > > line as the named user and it appears to run correctly:
>> > > >
>> > > > Proves nothing except that the zones will load. Even if they had failed
>> > > > to load you would have seen that in the application event log.
>> > >
>> > > You're right since I had to clear all the event logs before it will
>> > > start logging again but so far, if I try to load the ISC BIND service,
>> > > it will show up only in the system event log.  When I run it from the
>> > > command line as the service won't start, it will show up in the
>> > > application event log.
>> > >
>> > > > > When I tested it originally, it was running from the vince account on
>> > > > > the command line and the vince account is setup as an Administrator.
>> > > > >
>> > > > > One thing that puzzles me is that for the ISC BIND service, if I
>> > > > > change it to run as Local System Account, it will run fine but if I
>> > > > > tried it with named or vince, it will have the problem after 3 seconds
>> > > > > (I timed it this time) that I mentioned when I wrote the original
>> > > > > message about this problem.  So I don't know why it won't start the
>> > > > > service running as the named user when it worked in the past.
>> > > >
>> > > > That means that you have a file permission problem.
>> > >
>> > > But how do I find out exactly where the file permission problem is
>> > > since the all directories from C:\windows\system32\dns and below
>> > > basically have named as a user under security which has Full control
>> > > under allow checked which enables everything under allow except
>> > > special permissions which can be turned on.
>> >
>> >       Check C:\, D:\windows and C:\windows\system32.
>>
>>        Check C:\, C:\windows and C:\windows\system32.
> 
> C:\ only has one permission, Everyone = full control
> C:\Windows has one permission, Everyone = full control
> C:\Windows\System32 has two permissions, Everyone = full control,
> System = Read/Write/Special permissions
> 
> And I even deleted the C:\Windows\System32\dns directory and only
> saved the named.conf file as well as the master zone files and tried
> reinstalling, same results.
> 


Explicitly grant read and write permission to named to both the
directory C:\Windows\system32\dns and all its subdirectories and files.
You shouldn't assume that Everyone is sufficient since the named account
is not part of any group.

Danny

> Cheers,
> Vince
> 
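
One way to list which files under the BIND directory lack an access entry naming the service account, and optionally add one as the reply above suggests. This is an added example, not part of the original thread; it assumes PowerShell is installed, that the service runs as the local account `named`, and that the script's parameter names are free to choose.

```powershell
# Added example (not from the thread): audit a directory tree for an Allow ACE
# that names the service account itself, instead of relying on Everyone.
# Assumptions: local account "named"; directory as given in the thread.
param(
    [string]$Root    = 'C:\Windows\system32\dns',
    [string]$Account = "$env:COMPUTERNAME\named",
    [switch]$Fix      # without -Fix the script only reports
)

$needed = [System.Security.AccessControl.FileSystemRights]'Read, Write'

# True when some Allow ACE (inherited or not) names $Account and
# carries both Read and Write.
function Test-AccountGrant([string]$Path) {
    foreach ($ace in (Get-Acl -Path $Path).Access) {
        if ($ace.IdentityReference.Value -ieq $Account -and
            $ace.AccessControlType -eq 'Allow' -and
            (($ace.FileSystemRights -band $needed) -eq $needed)) {
            return $true
        }
    }
    return $false
}

# The directory itself plus everything below it, hidden files included.
$items   = @(Get-Item $Root) + @(Get-ChildItem $Root -Recurse -Force)
$missing = @($items | Where-Object { -not (Test-AccountGrant $_.FullName) })

foreach ($m in $missing) {
    "no read/write ACE for ${Account}: $($m.FullName)"
}

if ($Fix -and $missing.Count -gt 0) {
    # One inheritable ACE on the root reaches existing and future children.
    $inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule `
        -ArgumentList $Account, $needed, $inherit, 'None', 'Allow'
    $acl = Get-Acl -Path $Root
    $acl.AddAccessRule($rule)
    Set-Acl -Path $Root -AclObject $acl
}
```

Run it again after `-Fix`: anything still listed has inheritance disabled on its own ACL and needs the entry added directly.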



