Active Directory and DNS

Jim Reid jim at rfc1035.com
Thu Aug 24 10:28:30 UTC 2000


>>>>> "pat" == pat moffatt <moffatt.pat at itsligo.ie> writes:

    pat> Hi, we have recently upgraded some of our servers to win2K.
    pat> Our DNS servers are two Linux boxes. I followed the instructions by
    pat> copying the win2K file into our zone file, but the following
    pat> three lines are causing problems.

    pat> gc._msdcs.ourzone.org.  600 IN A 190.2.3.4
    pat> gc._msdcs.ourzone.org.  600 IN A 190.2.4.3
    pat> gc._msdcs.ourzone.org.  600 IN A 170.2.1.1

    pat> I've narrowed the problem down to the underscore character:
    pat> when this is left in, I no longer have authority for my zone.

Correct. Underscores are illegal characters in host names. This means
that they're not supposed to be in the names of A records. BIND8 by
default does not allow illegal names. So when you load the now broken
zone file, the name server screams about the illegal names and makes
itself non-authoritative for the zone. That prevents anyone from doing a
zone transfer of the zone. [The rationale there is the zone is broken,
so don't let that brokenness spread.] Use a check-names clause in the
zone{} statement to disable these checks.

It might be an idea to delegate _msdcs.ourzone.org to the W2K boxes.
This would allow all those W2K systems to do all their Dynamic DNS
stuff for Active Directory well away from your important DNS data.
Personally, I wouldn't want Bill's software (if I ever ran any of it)
scribbling all over my DNS zone with whatever they felt like.

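The following is an added example, not code from the post and not BIND's own
implementation. It models the two points made above: the check-names rule that
rejects `gc._msdcs.ourzone.org` (a hostname may contain only letters, digits and
hyphens, per RFC 952/1123, whereas any octet is a legal DNS label character per
RFC 2181), the fail/warn/ignore policy that decides whether such a zone still
loads, and the effect of delegating `_msdcs.ourzone.org` to the W2K boxes so
the underscore names leave the parent zone. The record types checked are a
simplification of BIND's rule (owner names of A, AAAA and MX records; target
names in NS and MX rdata); SRV owner names are deliberately not checked. The
zone text is constructed for the example and uses RFC 5737 addresses; the
name-server names `dc1`/`dc2` are assumptions.

```python
"""Emulate BIND's check-names test on master-file records and show what
delegating _msdcs out of the parent zone does. Simplified model, added as an
example; it is not BIND's code."""
import re
from collections import namedtuple

Record = namedtuple("Record", "owner ttl rrclass rtype rdata")

# RFC 952/1123 hostname label: letters, digits and hyphens, no leading or
# trailing hyphen, 1-63 octets. An underscore is a legal DNS label octet
# (RFC 2181) but never a legal hostname character, which is what
# check-names tests for.
LABEL_RE = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?$")

# Simplified version of BIND's rule set: these owner names must be hostnames,
# and these rdata fields end in a hostname. SRV/TXT owners are not checked.
OWNER_IS_HOSTNAME = {"A", "AAAA", "MX"}
RDATA_ENDS_IN_HOSTNAME = {"NS", "MX"}

# Constructed sample zone modelled on the records in the post (assumed names,
# RFC 5737 documentation addresses).
SAMPLE_ZONE = """
ourzone.org.             600 IN SOA ns1.ourzone.org. hostmaster.ourzone.org. 1 3600 900 604800 600
ourzone.org.             600 IN NS  ns1.ourzone.org.
ns1.ourzone.org.         600 IN A   192.0.2.53
dc1.ourzone.org.         600 IN A   192.0.2.10
dc2.ourzone.org.         600 IN A   192.0.2.11
gc._msdcs.ourzone.org.   600 IN A   192.0.2.10
gc._msdcs.ourzone.org.   600 IN A   192.0.2.11
_ldap._tcp.ourzone.org.  600 IN SRV 0 100 389 dc1.ourzone.org.
"""


def is_hostname(name):
    """True if every label of `name` is a valid RFC 1123 hostname label."""
    return all(LABEL_RE.match(label) for label in name.rstrip(".").split("."))


def parse_zone(text):
    """Parse one-record-per-line master-file text: owner [ttl] [class] type rdata."""
    records = []
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        fields = line.split()
        owner = fields.pop(0)
        ttl = int(fields.pop(0)) if fields[0].isdigit() else None
        rrclass = fields.pop(0) if fields[0].upper() == "IN" else "IN"
        rtype = fields.pop(0).upper()
        records.append(Record(owner, ttl, rrclass, rtype, fields))
    return records


def check_names(records):
    """Return [(name, reason)] for every name the check-names rule rejects."""
    bad = []
    for r in records:
        if r.rtype in OWNER_IS_HOSTNAME and not is_hostname(r.owner):
            bad.append((r.owner, "owner of %s record is not a valid hostname" % r.rtype))
        if r.rtype in RDATA_ENDS_IN_HOSTNAME and not is_hostname(r.rdata[-1]):
            bad.append((r.rdata[-1], "%s target is not a valid hostname" % r.rtype))
    return bad


def zone_loads(records, policy="fail"):
    """Model the policy: 'fail' refuses a zone with bad names (the server is
    then not authoritative for it); 'warn' and 'ignore' load it anyway."""
    if policy not in ("fail", "warn", "ignore"):
        raise ValueError("unknown check-names policy: %s" % policy)
    return policy != "fail" or not check_names(records)


def delegate(records, subzone, nameservers, ttl=600):
    """Split everything at or below `subzone` into a child zone and leave NS
    records for it in the parent. The name servers are assumed to already
    have A records in the parent zone, so no extra glue is added here."""
    sub = subzone.rstrip(".").lower()

    def under(name):
        n = name.rstrip(".").lower()
        return n == sub or n.endswith("." + sub)

    child = [r for r in records if under(r.owner)]
    parent = [r for r in records if not under(r.owner)]
    for ns in nameservers:
        parent.append(Record(subzone, ttl, "IN", "NS", [ns]))
    return parent, child


if __name__ == "__main__":
    recs = parse_zone(SAMPLE_ZONE)
    for name, why in check_names(recs):
        print("check-names: %s: %s" % (name, why))
    print("parent loads with policy 'fail':", zone_loads(recs))
    parent, child = delegate(recs, "_msdcs.ourzone.org.",
                             ["dc1.ourzone.org.", "dc2.ourzone.org."])
    print("after delegating _msdcs, parent loads:", zone_loads(parent),
          "(%d records moved to the child zone)" % len(child))
```

Only the two `gc._msdcs` A records trip the check; the `_ldap._tcp` SRV record
does not, because an SRV owner name is not a hostname and is not subject to the
rule. In BIND the equivalent of `zone_loads(recs, "ignore")` is
`check-names ignore;` inside the zone{} statement, and the equivalent of
`delegate()` is a pair of NS records for `_msdcs.ourzone.org` in the parent zone
file with the `_msdcs` data kept in a zone served by the W2K machines.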

