Windows/BIND integration [was: Combined master + forward zone]

b19141 at anl.gov b19141 at anl.gov
Thu Apr 23 19:33:29 UTC 2009


I wrote:
>> 
>> There have been lots of posts on Windows AD/BIND integration over the
>> years.  Check the list archives.  What I suggest is placing the six AD
>> zones
>> 
>>      DomainDNSZones.example.com
>>      ForestDNSZones.example.com
>>      _msdcs.example.com
>>      _sites.example.com
>>      _tcp.example.com
>>      _udp.example.com
>> 
>> on a MS Windows DNS Server on one Domain Controller and slaving those
>> zones on your BIND servers.  That way Windows handles the GSS-TSIG
>> secure updates, and the BIND slaves will transfer the zones if and when
>> they are updated.


and Michael Milligan <milli at acmeps.com> replied:
>And don't forget to set a group policy on all DCs to not update the A
>records in the apex zone.  Otherwise the DCs will complain in the Event
>logs forever... this assumes the BIND servers are authoritative for
>example.com, in this example.
>
>See http://support.microsoft.com/kb/246804 for Windows 2000
>
>See http://support.microsoft.com/kb/267855 for Windows 2003 and later,
>specifically under "Netlogon fix" and tell it not to register the
>LdapIPAddress.
>
>(There is also more information there on preventing all the DCs from
>creating NS records in the zone, which becomes problematic when there
>are more than about 10 DCs.  I had one customer with 100s of DCs, and
>each one put in an NS record in the zone for itself...  ugh.  With a
>little magic, dropped that back to a handful of DCs at big data centers.)


It is not as simple as that.  There are a number of Windows registry
settings in this area; here is a brief explanation (I know that this
is a BIND forum, not a MS forum):

1) TCP/IP properties - register this machine in DNS.
   If this is unchecked on a Domain Controller, then Windows will not
   try to self-register the DC in DNS, which is what is desired for
   a mixed BIND/MS Windows DNS Server where the DC is manually
   registered in the BIND DNS.

   But this has side-effects.  With self-register set to NO, then the
   DC will NOT register the SRV records associated with its services,
   because MS believes that both sets of registrations will be sent to
   the same MS DNS Server.  It does not account for self-registration
   to a BIND DNS server and SRV records in the AD "_" zones on a Windows
   DNS Server.  If one has a DC that is not to be used that much, then
   the administrator can always change the weights on the SRV records,
   as we have done for the DC in our disaster recovery site.

2) MS created a new registry setting, RegisterDNSARecords, which is used
   to control the registration in DNS of the domain "A" records
   (e.g., example.com IN A 192.168.2.5).  The values for this setting:

        1 ==> Register the DNS "A" records for this DC
        0 ==> Do not register the DNS "A" records for this DC.
        not present (i.e., null) ==> Rely on the self-registration
             setting.

   In a mixed environment, the domain "A" record would be in the BIND
   server, and not dynamic (Q259028).  The two "A" records are listed
   in Q258213:

        A record(s) for the DnsDomainName for a domain controller
        A record(s) for the gc._msdcs.DnsForestName if the domain
             controller is also a global catalog

   If this registry setting is 0, then netlogon.dns file (which can be
   used to load into a BIND server) will NOT have the "A" record for
   the domain, and the "A" record for the GC will also be removed
   from the netlogon.dns file AND from DNS.

3) Further complicating matters are three other registry settings:

        UseDynamicDns
        DisableDynamicUpdate
        DnsUpdateOnAllAdapters

   which I will not explain here.  These newer registry settings were
   created to fix problems that arose with controlling DDNS.

We have in our mixed environment:

     Self-registration: Y
     RegisterDNSARecords: 0
     DNSUpdateOnAllAdapters: 1
     DisableDynamicUpdate: 1

This combination works fine with Windows 2003 and Windows 2008 DCs,
with one exception.  There is no DDNS activity to the BIND servers,
and there are no EventID entries produced about failing DDNS.
This works in Windows 2008 R2 with a fresh install.  If one takes a
W2003 Server and does an upgrade install of 2008 R2, then there is
DDNS activity to the BIND boxes and EventID records.  Once I can get
more AC power to our Windows 2008 testbed, I will install a Solaris BIND
server and do some more testing before I call Microsoft to complain.
There should be no difference between a 2008 R2 fresh install and an
upgrade install, but we have found one difference.  Contact me privately
for more details.
----------------------------------------------------------------------
Barry S. Finkel
Computing and Information Systems Division
Argonne National Laboratory          Phone:    +1 (630) 252-7277
9700 South Cass Avenue               Facsimile:+1 (630) 252-4601
Building 222, Room D209              Internet: BSFinkel at anl.gov
Argonne, IL   60439-4828             IBMMAIL:  I1004994
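As an added illustration (not from Barry's post, nor a Microsoft or ISC tool), the script below parses a constructed netlogon.dns fragment, sorts each record into one of the six AD zones listed above or the static BIND apex zone, and lists the two "A" records (Q258213) that RegisterDNSARecords=0 suppresses.  The sample names, TTLs and addresses are made up, and a single-domain forest is assumed so that gc._msdcs.DnsForestName falls under the domain.

```python
from collections import defaultdict

# The six AD zones named in the post: hosted on a Windows DNS Server, slaved by BIND.
AD_SUBZONES = ("DomainDnsZones", "ForestDnsZones", "_msdcs", "_sites", "_tcp", "_udp")

# Constructed sample in netlogon.dns syntax; names and addresses are made up.
SAMPLE_NETLOGON_DNS = """\
example.com. 600 IN A 192.168.2.5
_ldap._tcp.example.com. 600 IN SRV 0 100 389 dc1.example.com.
_ldap._tcp.pdc._msdcs.example.com. 600 IN SRV 0 100 389 dc1.example.com.
_kerberos._udp.example.com. 600 IN SRV 0 100 88 dc1.example.com.
_ldap._tcp.Site1._sites.example.com. 600 IN SRV 0 100 389 dc1.example.com.
gc._msdcs.example.com. 600 IN A 192.168.2.5
_ldap._tcp.DomainDnsZones.example.com. 600 IN SRV 0 100 389 dc1.example.com.
_ldap._tcp.ForestDnsZones.example.com. 600 IN SRV 0 100 389 dc1.example.com.
"""

def parse_netlogon_dns(text):
    """Return (owner, ttl, rrtype, rdata) tuples; owner lower-cased, no trailing dot."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        parts = line.split(None, 4)            # owner ttl IN type rdata
        if len(parts) != 5 or parts[2] != "IN" or not parts[1].isdigit():
            raise ValueError("unparseable netlogon.dns line: %r" % line)
        owner, ttl, _, rrtype, rdata = parts
        records.append((owner.rstrip(".").lower(), int(ttl), rrtype, rdata))
    return records

def classify(records, domain):
    """Group by owning zone: "<subzone>.<domain>" (six AD zones), "apex", or "foreign"."""
    domain = domain.rstrip(".").lower()
    zones = defaultdict(list)
    for rec in records:
        owner = rec[0]
        if owner != domain and not owner.endswith("." + domain):
            zones["foreign"].append(rec)       # not in this AD domain at all
            continue
        rel = owner.split(".")[:-len(domain.split("."))]   # labels left of the domain
        hit = [z for z in AD_SUBZONES if rel and rel[-1] == z.lower()]
        zones["%s.%s" % (hit[0], domain) if hit else "apex"].append(rec)
    return dict(zones)

def suppressed_a_records(records, domain):
    """The two "A" records (Q258213) that RegisterDNSARecords=0 removes; assumes
    a single-domain forest so gc._msdcs.DnsForestName lies under the domain."""
    domain = domain.rstrip(".").lower()
    wanted = {domain, "gc._msdcs." + domain}
    return [r for r in records if r[2] == "A" and r[0] in wanted]
```

Anything that lands in "apex" is what the BIND zone must carry statically; everything else belongs to the Windows-hosted zones that BIND slaves.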