Combined master + forward zone

b19141 at anl.gov b19141 at anl.gov
Mon Apr 20 14:25:47 UTC 2009 

Petteri Heinonen <petteri.j.heinonen at kolumbus.fi> wrote:

>Ok, thanks for confirming my doubts. As a related issue, how is Bind
>supposed to be used in a domain where Windows Domain Controllers are
>used for Windows domain services, but Bind is used for DNS? I mean, in
>a Windows domain DDNS updates are used by both Domain Controllers and
>by normal domain clients. For Domain Controllers, it is essential that
>they can register their SRV records dynamically in DNS. Now in case of
>distributed domain (several Domain Controllers on separate sites, but
>all still belonging to the same Windows domain and all using the same
>DNS zone), there should be also own DNS service for each site (for
>fault tolerance and redundancy etc). But, as only one site can host the
>master DNS server which accepts DDNS update requests, all sites'
>machines have to be configured to use that single Bind instance as
>their primary DNS server?
>
>So the actual question: if DDNS update functionality is needed, am I
>bound to use only one Bind instance as the primary DNS server for all
>the hosts, on all the separate sites?

There have been lots of posts on Windows AD/BIND integration over the
years.  Check the list archives.  What I suggest is placing the six AD
zones

     DomainDNSZones.example.com
     ForestDNSZones.example.com
     _msdcs.example.com
     _sites.example.com
     _tcp.example.com
     _udp.example.com

on a MS Windows DNS Server on one Domain Controller and slaving those
zones on your BIND servers.  That way Windows handles the GSS-TSIG
secure updates, and the BIND slaves will transfer the zones if and when
they are updated.  One tricky part is configuring zone transfer policy
on the MS DNS.  You have three options:

     1) Allow zone transfers to any server.
     2) Allow zone transfers only to a specified set of IP addresses.
     3) Allow zone transfers to those name servers in the NS table.

In my case, I have four slave servers, two with only one interface and
two with three interfaces each.  I did not want to choose option 2) and
enter the eight IP addresses in the zone transfer properties for each
of the AD zones, so I chose option 3).  This requires that the MS DNS
Server have the IP addresses of the slaves in its cache, because the
MS code will not go searching for a slave's IP addresss when a zone
transfer request arrives from slave server.
----------------------------------------------------------------------
Barry S. Finkel
Computing and Information Systems Division
Argonne National Laboratory          Phone:    +1 (630) 252-7277
9700 South Cass Avenue               Facsimile:+1 (630) 252-4601
Building 222, Room D209              Internet: BSFinkel at anl.gov
Argonne, IL   60439-4828             IBMMAIL:  I1004994

More information about the bind-users mailing list