Reject of W2K gc._msdcs...

Craig Mason cmason at masontechnology.com
Sat Feb 26 02:04:43 UTC 2000


Hi Mark and Barry, (and any other W2K strugglers out there...)

Today I tried Mark's suggestion. I added a zone for _msdcs.example.com and
put in the check-names ignore statement into the config file's info on that
zone. Killed and restarted named... no effect. Still got the error message
about rejecting.

After a bit of frustration, (I am a DNS newbie, forgive me) I decided to
put the check-names ignore statement in the main zone's config -
example.com. In the spirit of changing more than one thing at once, I also
changed "ignore" to "warn."

In /var/adm/messages, the error log now says "continuing anyway" and
apparently adds the "gc" A record anyway.

After restarting, magically the "gc" entry mentioned by Barry now appears in
my zone file for example.com. If all worked elegantly, I would expect it to
show up in the _msdcs.example.com zone.

I believe the "gc" A record is the address of the Global Catalog server.
We're installing a root W2K domain, and the IP address is also the IP
address of the first server in our "tree." I believe (I have no proof of
this yet) that Windows 2000 professional clients that attempt to query DNS
for the location of a "Global Catalog" server will get the address of "gc"
back, now that it's actually in there. But this is total guesswork on my
part... would love it if an Active Directory expert chimed in.... Our server
"dc1" is the "Global Catalog" server, and I've named the first "Active
Directory" to be "example.com" - the same as the Unix DNS zone. I'm making
BIND/Solaris the primary server, and plan to make W2K servers secondary.


Monday, I'm going to work with other DNS experts to understand why the
_msdcs domain is not working for me. The newbie part of me does not know if
I am even authoritative for that zone. So, I'll work again through the issue
and post the "elegant" answer (which I hope is Mark's solution) to the list
again.

Have a great weekend!

Craig



-----Original Message-----
From: Mark.Andrews at nominum.com [mailto:Mark.Andrews at nominum.com]
Sent: Friday, February 25, 2000 3:00 PM
To: Barry Finkel
Cc: bind-users at isc.org
Subject: Re: Reject of W2K gc._msdcs...



> "Craig Mason" <cmason at masontechnology.com> wrote:
>
> >I too am getting this. I'm working with Mark Andrews from the list to
> >resolve. I think I'm also going to call in Microsoft at some point to get
> >their take on this. Please keep the list informed on any progress.
> >
> >Thanks!
> >
> >Craig
> >
> >
> >
> >-----Original Message-----
> >From: news at news.gigabell.net [mailto:news at news.gigabell.net]On Behalf Of
> >Falko Mach
> >Sent: Thursday, February 24, 2000 3:45 AM
> >To: comp-protocols-dns-bind at moderators.isc.org
> >Subject: Reject of W2K gc._msdcs...
> >
> >
> >What's wrong if I see this in my log?
> >
> >default: warning: owner name "gc._msdcs.gtz.de" IN (primary) is invalid -
> >rejecting
> >
> >It seems, that all works fine.
> >
> >Tnx,
> >falko
> >
> >mailto:    falko.mach at gtz.de
>
> This topic was covered earlier this week and last week.  Mark Andrews,
> Sam Wilson, and Brian Miller  wrote about the RFCs - 952, 1183, and
> 2181.  There was also mention of the relevant MS Technet articles.
> Here is a summary.
>
> 952 says that the underscore character is illegal.  952 IS A STANDARD.
> 1183 (IIRC) says that an initial numeric character is now legal.
>      1183 IS A STANDARD.

	1123 you mean

> 2181 says that almost any character is legal.  2181 is NOT a standard;
>      it is standards-track.

	These RFCs are all consistent.  Hostnames are a *subset* of
	domainnames. RFC952 and RFC1123 are talking about hostnames,
	RFC1182 is talking about domainnames.

	The terms domainname and hostname are *not* interchangeable.
	All hostnames are domainnames. All domainnames are not hostnames.
>
> Microsoft decided that it would follow 2181 and use an underscore in
> an "A" record.  BIND 8.2.2-p5 by default does not allow the underscore,
> but you can change the options parameters to allow it.

	or zone.

	I suspect the real reason why Microsoft chose _msdcs was so
	as to *not* collide with any legal hostname.  However they
	attempt to put a hostname (gc._msdcs.example.com) within this
	zone (Catch 22).

	What Craig and I were doing was verifying that creating a separate
	zone for _msdcs and not just using the parent zone would not break
	things (Craig was not necessarily aware of what I was doing).
	This reduces the namespace that does not get checked however the
	lack of checking within _msdcs should not be a problem as only W2K
	boxes should care about what is in there and it is MS job to make
	sure that things don't break for themselves when they step outside
	of the RFCs.  This shouldn't break unless MS have stuffed up.

	e.g.
		zone "_msdcs.example.com" {
			type master;
			file "_msdcs.example.db";
			check-names ignore;
			allow-update { localnets; };
		};
>
> I had posted a query twice in the past months about this.  In my case,
> the name with the underscore was not in DNS as an entire string; it
> was split on two lines
>
>      $ORIGIN _msdcs.w2k.anl.gov.
>      gc      600     IN      A       130.202.224.143

	This is master file format.  There is nothing strange about that
	as BIND has been using it for years.
>
> The error message from BIND complained about the name
>
>      gc_msdcs.w2k.anl.gov

	You mean gc._msdcs.w2k.anl.gov
>
> and I could not locate that string in the zone.
> ----------------------------------------------------------------------
> Barry S. Finkel
> Electronics and Computing Technologies Division
> Argonne National Laboratory          Phone:    +1 (630) 252-7277
> 9700 South Cass Avenue               Facsimile:+1 (630) 252-9689
> Building 221, Room B236              Internet: BSFinkel at anl.gov
> Argonne, IL   60439-4844             IBMMAIL:  I1004994
>
>
>
--
Mark Andrews, Nominum Inc. / Internet Software Consortium
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: Mark.Andrews at nominum.com
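
Added example (not part of the original thread, and not BIND's own code): a simplified Python model of the hostname/domain-name distinction and of per-zone check-names scoping discussed above. It compares the separate `_msdcs` zone with `ignore` against relaxing the whole parent zone to `warn`; `bad_host.example.com`, the function names and both configurations are constructed for illustration.

```python
import re

# RFC 952/1123 host label: letters, digits, hyphen; alphanumeric at both ends.
HOST_LABEL = re.compile(r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?")

def _labels(name):
    return name.rstrip(".").split(".")

def is_hostname(name):
    """True if every label satisfies the RFC 952/1123 host syntax."""
    return all(HOST_LABEL.fullmatch(label) for label in _labels(name))

def is_domain_name(name):
    """RFC 2181 section 11: any octets, only the label length is limited."""
    return all(1 <= len(label.encode()) <= 63 for label in _labels(name))

def closest_zone(name, zones):
    """Longest configured zone containing name (match on a label boundary)."""
    n = name.rstrip(".").lower()
    hits = [z for z in zones if n == z or n.endswith("." + z)]
    return max(hits, key=len) if hits else None

def check_a_owner(name, zones):
    """Return (zone, outcome) for the owner name of an A record.
    zones maps lower-case zone name -> check-names mode (fail/warn/ignore)."""
    zone = closest_zone(name, zones)
    if zone is None:
        raise ValueError("no configured zone contains " + name)
    if is_hostname(name):
        return zone, "accept"
    return zone, {"fail": "reject", "warn": "warn", "ignore": "accept"}[zones[zone]]

# Constructed configurations, using the zone names from the thread.
SPLIT_ZONE = {"example.com": "fail", "_msdcs.example.com": "ignore"}
PARENT_WARN = {"example.com": "warn"}

if __name__ == "__main__":
    owners = ("gc._msdcs.example.com", "bad_host.example.com", "dc1.example.com")
    for label, zones in (("split zone", SPLIT_ZONE), ("parent warn", PARENT_WARN)):
        for owner in owners:
            print(label, owner, check_a_owner(owner, zones))
```

With the split configuration only names under `_msdcs.example.com` escape the hostname check; with `warn` on the parent, every invalid owner name in `example.com` is loaded.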



