This didn't work....

John Miller johnmill at brandeis.edu
Sat Apr 27 02:14:29 UTC 2013


Hi Lawrence,

I'm going to answer your questions a bit out of order, but hopefully
things'll still be clear.


> How do you have an AD domain where your AD servers aren't authoritative
> for itself?
>
>
This is how our AD domain is set up -- the root of the AD domain is
brandeis.edu, but the domain controllers do not run the MS DNS Server
service.  Client computers get the main campus DNS resolvers via DHCP, and
are set not to use the MS DNS Client service.  We've set up dynamic zones
in BIND for the zones needed by AD: _msdcs.brandeis.edu, _tcp.brandeis.edu,
_udp.brandeis.edu, etc.

Microsoft TechNet has some really thorough docs on this:

http://technet.microsoft.com/en-us/library/dd316373.aspx

It's a bit dated, but the principles still apply.  The more general
Microsoft docs:

http://technet.microsoft.com/en-us/library/cc759550%28v=ws.10%29.aspx
http://technet.microsoft.com/en-us/library/cc772774%28v=ws.10%29.aspx

are also quite good.


> Had a strange problem where our servers couldn't resolve hosts in an AD
> subdomain.
>

Can you clarify the problem a bit here?  Is it that the authoritative
nameservers for foo.example.com are unable to resolve ads.foo.example.com?
Do the foo.example.com servers look to themselves for recursion?  Am I
correct that a department on campus is running their own AD environment
with a root of ads.foo.example.com, and you simply delegate the subdomain
to them?


> This was in the zone file:
>
>  $ORIGIN foo.example.com.
>  ...
>  ads     NS     ads.foo.example.com
>  ...
>  ...
>  ...
>  ads     A      a.b.c.d
>  ...
>  ...
>  ...
>
>
This looks pretty normal if you're delegating the ads.foo.example.com zone
to a server called ads.foo.example.com.  A little confusing to use the same
name for the nameserver as the subdomain itself, but it seems like it
should work.

> So changing to:
>
>  $ORIGIN foo.example.com
>  ...
>  ads      NS     dc2.foo.example.com.
>           NS     dc3.foo.example.com.
>  dc2      A      a.b.c.e
>  dc3      A      a.b.c.f
>  ...
>
>
This looks very odd indeed.  If the root of the AD domain is
ads.foo.example.com, why do the DCs live in the parent zone?  Is that
something you allow?  The first zone config looked more appropriate.

Without going any further into this, it looks as though the department may
have set their AD domain up as "foo.example.com" when in reality it should
be "ads.foo.example.com."  Can you clarify this?

John
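As an added illustration, not from the thread or from ISC: a small Python checker that applies the zone-file rules the two quoted fragments depend on (names without a trailing dot are relative to $ORIGIN; a nameserver inside the delegated zone needs a glue A record in the parent). The parser, the sample records and the 192.0.2.x addresses are constructed for this example; FIRST mirrors the original delegation as quoted, SECOND the one it was changed to.

```python
def expand(name, origin):
    """Zone-file rule: a name without a trailing dot is relative to $ORIGIN."""
    return origin if name == "@" else (name if name.endswith(".") else f"{name}.{origin}")

def parse_zone(text, zone):
    """Minimal parser for fragments like those quoted in the thread ($ORIGIN, NS, A;
    a blank owner field repeats the previous owner; ';' comment lines are skipped)."""
    origin, owner, records = zone, None, []
    for line in text.splitlines():
        body = line.strip()
        if not body or body.startswith(";"):
            continue
        if body.startswith("$ORIGIN"):
            origin = expand(body.split()[1], origin)   # relative too if its own dot is missing
            continue
        fields = body.split()
        if not line[0].isspace():                      # owner present: new owner name
            owner, fields = expand(fields[0], origin), fields[1:]
        rtype, rdata = fields[0], fields[1]
        records.append((owner, rtype, expand(rdata, origin) if rtype == "NS" else rdata))
    return records

def check_delegation(records, zone, child):
    """Findings for the delegation of `child` from parent `zone` (absolute names)."""
    targets = [rd for o, t, rd in records if o == child and t == "NS"]
    if not targets:
        return [f"no NS records delegate {child}"]
    glue = {o for o, t, _ in records if t == "A"}
    findings = []
    for ns in targets:
        if ns.endswith(zone + zone):                   # origin appended twice: lost trailing dot
            findings.append(f"NS target {ns} is a relative name that lost its trailing dot")
        elif ns == child or ns.endswith("." + child):  # in-bailiwick: parent must carry glue
            if ns not in glue:
                findings.append(f"NS {ns} is inside {child} but the parent has no glue A record")
        else:                                          # out-of-bailiwick: legal, but odd for DCs
            findings.append(f"NS {ns} lives outside {child}: no glue needed, but the DCs of "
                            f"an AD domain rooted at {child} would normally sit inside it")
    return findings

ZONE, CHILD = "foo.example.com.", "ads.foo.example.com."
# Constructed samples modelled on the two fragments above; 192.0.2.x stands in for a.b.c.d.
FIRST = """$ORIGIN foo.example.com.
ads     NS     ads.foo.example.com
ads     A      192.0.2.10"""
SECOND = """$ORIGIN foo.example.com.
ads      NS     dc2.foo.example.com.
         NS     dc3.foo.example.com.
dc2      A      192.0.2.11
dc3      A      192.0.2.12"""
```

On FIRST the checker reports the NS target expanding to ads.foo.example.com.foo.example.com.; with the trailing dot added it reports nothing, and SECOND yields one out-of-bailiwick note per DC.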