we need help with AD-DDNS

Farid Hamjavar hamjavar at unm.edu
Tue Jul 18 05:10:13 UTC 2000



Greetings,

We can certainly use some AD-DDNS help here.


We're somewhat in the middle of our "win2k-AD+Unix DNS" test
before letting it loose in a real production environment,
and we have created a test-bed.


We tried to make the test-bed resemble the future production
environment.



The test-bed, among other components, has:

win2k AD server (not a DNS, not a DHCP)
acting as top-of-the-tree for: "unm.edu AD Domain".

An AIX box which runs BIND 8.2.2p5 and acts as primary
for: "unm.edu DNS domain"

We need to have the AD domain name and DNS domain 
name to be the same.


The reason I am sending this posting is I am not sure
I have a clear understanding of how BIND's "dynamic DNS" is functioning,
although I have studied the O'Reilly book (DNS 3rd edition) and
have been managing DNS on the unix side for a decade or so.


Question:

Given that the following is the only way we
could get it to work without strange errors,
we DO NOT WANT win2k1.unm.edu (win2k AD server described
above, 129.24.17.117) to update and "mess" with unm.edu's zone and
rev static files. However, we DO WANT to let the AD server provide the
SRV RR it needs to communicate to win2k clients.

Here is what we have that works which does not produce any errors.

#
#
zone "unm.edu"
{
 type master;
 file "src/domain/unm.edu.zone";
 allow-update  {129.24.17.117;};
};
#
#
#
zone "24.129.in-addr.arpa"
{
 type master;
 file "src/rev/unm.edu.rev";
 allow-update  {129.24.17.117;};
};
#
#
#


We thought we could prevent changes to our zone+rev static files,
but we found out that the win2k AD does alter/re-write the DNS zone
files of unm.edu.



Any idea on controlling/limiting AD's dynamic updates ONLY to
the absolutely necessary SRV RR? 


What are other options in situations like the one we're in?

Thanks,
Farid
UNM
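
One common way to confine the domain controller's updates to the records AD needs, shown as an added example that is not part of the original post: keep unm.edu and the reverse zone static, and make only the four underscore subdomains where Windows 2000 registers its SRV records into separate dynamic zones. The subzone file names and the `<primary-nameserver>` placeholder are assumptions; the zone names follow from the unm.edu domain in the post.

```conf
# Added example: parent and reverse zones accept no dynamic updates.
zone "unm.edu" {
 type master;
 file "src/domain/unm.edu.zone";
 allow-update { none; };
};
zone "24.129.in-addr.arpa" {
 type master;
 file "src/rev/unm.edu.rev";
 allow-update { none; };
};

# Delegations to add by hand to src/domain/unm.edu.zone
# (placeholder server name, fill in the real primary):
#   _msdcs  IN NS <primary-nameserver>.
#   _sites  IN NS <primary-nameserver>.
#   _tcp    IN NS <primary-nameserver>.
#   _udp    IN NS <primary-nameserver>.

# Only these four subzones take updates from the AD server.
# allow-update with an address checks the source IP only.
# check-names ignore: owner names here contain underscores.
zone "_msdcs.unm.edu" {
 type master;
 file "src/domain/_msdcs.unm.edu.zone";   # assumed file name
 check-names ignore;
 allow-update { 129.24.17.117; };
};
zone "_sites.unm.edu" {
 type master;
 file "src/domain/_sites.unm.edu.zone";   # assumed file name
 check-names ignore;
 allow-update { 129.24.17.117; };
};
zone "_tcp.unm.edu" {
 type master;
 file "src/domain/_tcp.unm.edu.zone";     # assumed file name
 check-names ignore;
 allow-update { 129.24.17.117; };
};
zone "_udp.unm.edu" {
 type master;
 file "src/domain/_udp.unm.edu.zone";     # assumed file name
 check-names ignore;
 allow-update { 129.24.17.117; };
};
```

Each subzone file needs its own SOA and NS records before the server will load it. With the parent zone static, the domain controller's attempts to register A and PTR records in unm.edu and the reverse zone are refused, so those records have to be maintained by hand.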





