Mixed environments: DHCP Secure Update
Glenn Satchell
Glenn.Satchell at uniq.com.au
Thu Mar 22 12:07:16 UTC 2007
>Date: Wed, 21 Mar 2007 20:50:21 +0100
>From: "Michele Vetturi" <mvetturi at yahoo.it>
>
>> You won't be able to allow the Windows systems to do secure updates
>> to the Bind service.
>>
>> You have the option of delegating those to the Windows box - it's
>> more overhead but allows you to split the DNS for the main domain
>> done properly on Bind, and the AD stuff done on the MS server. Having
>> recently had another look at a Windows box, I'm "not impressed" !
>>
>
>I saw everyone answered as you. Probably this is the most acceptable
>compromise and the best implementation in such environments.
>
>I think I will follow your suggestions. And now, let's work on the
>QA/test environment...
>
>> [cut]
>
>Thank you all, once again, for your time.
>
>--
>Michele Vetturi
>
I have successfully run a mixed BIND/AD environment for several years.
This is a largish network (3500 clients, originally Win2000 now XP)
using AD, but all DNS is run using BIND, in this case running on
Solaris. Originally used Bind 8, now Bind 9.2.x.
These articles give a pretty good run down on using AD and BIND:
http://www.linux-mag.com/2001-03/bind_01.html
(seems you need to register to read this now)
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/prodtechnol/iis/deploy/depovg/CfgBIND.asp
(link no longer available)
http://www.microsoft.com/technet/prodtechnol/windows2000serv/technologies/activedirectory/support/dnsw2kb.mspx
(general MS DNS articles)
http://support.microsoft.com/default.aspx?scid=kb;en-us;255913
(specific details about integrating AD into existing BIND setup)
On your DNS servers you create 4 extra zones for each main zone, and
allow the domain controllers access to update them. Make sure you
delegate them correctly.
_udp.mydomain.com
_tcp.mydomain.com
_sites.mydomain.com
_msdcs.mydomain.com
The domain controllers will add a number of SRV records and also A records in
the top level zones. It was easier to just let them do this so that DNS worked
properly. There is a tool called dcdiag.exe that you can run on the domain
controller to verify that DNS is set up properly from AD's perspective.
The only option is to allow update by IP address, but hopefully the
Domain Controllers are fairly secure and no-one should be spoofing
their IP addresses. We didn't allow individual clients to do DNS updates.
For DNS management we used an open source web based tool downloaded from
dominium.sourceforge.net which we then hacked on pretty severely. I
haven't seen the original updated in a long time.
regards,
-glenn
--
Glenn Satchell mailto:glenn.satchell at uniq.com.au | Some days we are
Uniq Advances Pty Ltd http://www.uniq.com.au | the flies; some
PO Box 70 Paddington NSW Australia 2021 | days we are the
tel:0409-458-580 tel:02-9380-6360 fax:02-9380-6416 | windscreens...
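As an added illustration of the layout Glenn describes above (this is not configuration from his post or his site), here is a BIND 9 named.conf fragment that carries the four AD subzones as separate master zones, each updatable only from the domain controllers' addresses, with the parent zone also accepting updates from the same ACL since the DCs register A records there too. The DC addresses 192.0.2.10 and 192.0.2.11, the server name ns1.mydomain.com, the file paths and the mydomain.com name are all placeholders assumed for the example.

```conf
// Added example, not from the original post. Addresses, zone name and
// file paths are assumed placeholders.

// Only the domain controllers may send dynamic updates. This trusts the
// source address of the update packet, so the DC addresses must not be
// spoofable from elsewhere on the network.
acl domain_controllers { 192.0.2.10; 192.0.2.11; };

// Parent zone: the DCs also register A records here, so it takes updates
// from the same ACL. Keep it in a directory BIND can write its journal to.
zone "mydomain.com" {
    type master;
    file "dynamic/mydomain.com.db";
    allow-update { domain_controllers; };
};

// The four AD-specific subzones, one master zone each, same update ACL.
zone "_msdcs.mydomain.com" {
    type master;
    file "dynamic/_msdcs.mydomain.com.db";
    allow-update { domain_controllers; };
};

zone "_sites.mydomain.com" {
    type master;
    file "dynamic/_sites.mydomain.com.db";
    allow-update { domain_controllers; };
};

zone "_tcp.mydomain.com" {
    type master;
    file "dynamic/_tcp.mydomain.com.db";
    allow-update { domain_controllers; };
};

zone "_udp.mydomain.com" {
    type master;
    file "dynamic/_udp.mydomain.com.db";
    allow-update { domain_controllers; };
};

// Delegation records to place in the mydomain.com zone file so resolvers
// (and the DCs' own checks) find the subzones. Same server here, but the
// NS records are still required for the delegation to be correct.
//
//   _msdcs   IN  NS  ns1.mydomain.com.
//   _sites   IN  NS  ns1.mydomain.com.
//   _tcp     IN  NS  ns1.mydomain.com.
//   _udp     IN  NS  ns1.mydomain.com.
```

Before reloading, run named-checkconf on the configuration and named-checkzone on each of the five zone files; after the DCs have registered, dcdiag on a domain controller confirms the SRV records landed where AD expects them. Each subzone must have its own SOA and NS records in its zone file, since it is a separate zone and not part of the parent.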