W2K Active Directory and BIND on Sun

Barry Finkel b19141 at achilles.ctd.anl.gov
Fri Jun 23 14:10:15 UTC 2000


Ian Edwards wrote:

>Hi,
>
>I am trying to set up BIND (8.2.2p5) on Solaris to support Active
>Directory on a Windows 2000 server.
>
>I originally had this in named.conf
>
>    zone "panorama.com" {
>        type master;
>        file "panorama.zone";
>        allow-update {
>            panorama;
>        };
>    };
>
>This overwrote the (neatly formatted) panorama.zone file that I had.
>Is this the expected behaviour ?
>(I suppose it was logical as it has to store the updates somewhere.)
>
>Looking in the BIND FAQ it suggests using :
>
>    zone "_msdcs.panorama.com" {
>        type master;
>        file "_msdcs.panorama.zone";
>        check-names ignore;
>        allow-update {
>            panorama;
>        };
>    };
>
>Based on what was dumped into the 'panorama.zone' I also created entries
>for _sites.panorama.com, _tcp.panorama.com and _udp.panorama.com.
>Are these necessary ?
>
>Is there a document that says, in simple terms, how to set up BIND to
>work with Active Directory ?
>
>Thanks,
>Ian.

Cricket has already responded to this, but I will add a few items.
I believe that the zone that BIND writes dynamically in the master
will be in essentially the same format as the zone on the slave that
BIND has transferred into memory from the master and then written to
disk.  I cannot determine in what order the records are written; I
see no pattern.  This is one reason why I am reluctant to open any
of my DNS zones to dynamic update.  We are testing some schemes in our
Win2k testbed, and those zones that require dynamic update have been
placed on an MS Win2k DNS box.  I am not saying that this will be our
final configuration when we bring up Win2k in production.

In our test anl.gov Win2k parent domain, I moved these subdomains to
the Win2k DNS box:

     _msdcs.anl.gov
     _tcp.anl.gov
     _udp.anl.gov
     _sites.anl.gov

as the Win2k Domain Controllers in the anl.gov domain will repeatedly
send DDNS updates for SRV records.  I believe that if the Win2k DC
is taken off the network, the box will attempt to unregister its
services; when it returns to the network it will re-register its
services.  When an individual service is stopped and started, a DDNS
update packet will be sent.  As I do not care about these SRV records
(they are not mapping nodenames to addresses and vice-versa), I saw
no problem in moving those zones to the MS DNS.

There is a potential problem with the MS implementation.  In the anl.gov
test Win2k domain we have three DCs.  Each one will register an entry:

     anl.gov 600 IN A 192.168.1.12   
     anl.gov 600 IN A 192.168.1.11   
     anl.gov 600 IN A 192.168.1.8    

In our situation, we have nothing registered at the "anl.gov" name
except for one MX record.  If a site has, for example, 

     zzz.com IN A some-other-non-Domain-Controller-machine.zzz.com
or
     zzz.com IN CNAME some-other-machine

then this MS scheme for registering the DCs will not work.  I have not
read an MS document that explains why they do this.

There is a lot of Win2k DNS information on the MS web site; here are a
few URLs:

     http://www.microsoft.com/TechNet/win2000/win2ksrv/reskit/tcpch06.asp

     http://www.microsoft.com/TechNet/win2000/win2ksrv/technote/w2kdns.asp

     http://www.microsoft.com/TechNet/win2000/win2ksrv/reskit/dsgch10.asp

     http://www.microsoft.com/TechNet/showcase/w2kinfdd.asp

     http://www.microsoft.com/TechNet/win2000/dguide/chapt-9.asp

----------------------------------------------------------------------
Barry S. Finkel
Electronics and Computing Technologies Division
Argonne National Laboratory          Phone:    +1 (630) 252-7277
9700 South Cass Avenue               Facsimile:+1 (630) 252-9689
Building 221, Room B236              Internet: BSFinkel at anl.gov
Argonne, IL   60439-4844             IBMMAIL:  I1004994
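As an added example (not code from either message in the thread), the following Python script does two things an administrator in Ian's or Barry's position would want. First, it re-emits a zone file that BIND has rewritten after dynamic updates in a stable, sorted form, so successive versions can be diffed and an update nobody expected stands out. Second, it audits the zone for the pitfalls Barry raises: several DC A records at the apex, a CNAME at the apex, and _msdcs/_sites/_tcp/_udp subtrees that hold records in the parent zone rather than being delegated to the Win2k DNS servers. The zone contents, names and addresses are constructed for the example; the parser assumes one record per line with the owner name always present, which is how BIND writes a dynamic zone back to disk.

```python
"""Normalize a BIND-written zone file and audit it for the Active Directory
pitfalls discussed in the thread (added example; names and data constructed)."""
import random
from collections import defaultdict

# Subdomains that Win2k DCs populate with SRV records via dynamic update.
AD_SUBDOMAINS = ("_msdcs", "_sites", "_tcp", "_udp")

# Constructed sample: a zone as BIND might write it back after dynamic updates,
# records in no particular order. Two DCs have registered apex A records, and
# _msdcs lives in the parent zone while _tcp has been delegated.
SAMPLE_ZONE = """\
$ORIGIN panorama.com.
$TTL 3600
@ IN SOA ns1.panorama.com. hostmaster.panorama.com. 2000062301 3600 900 604800 3600
_ldap._tcp.dc._msdcs 600 IN SRV 0 100 389 dc2.panorama.com.
ns1 IN A 192.168.1.2
@ 600 IN A 192.168.1.12
@ IN NS ns1.panorama.com.
www IN CNAME ns1.panorama.com.
_tcp IN NS dc1.panorama.com.
dc1 1200 IN A 192.168.1.11
@ 600 IN A 192.168.1.11
_kerberos._tcp.dc._msdcs 600 IN SRV 0 100 88 dc1.panorama.com.
dc2 1200 IN A 192.168.1.12
"""

# Constructed sample for the apex-CNAME case.
APEX_CNAME_ZONE = """\
$ORIGIN zzz.com.
@ IN SOA ns.zzz.com. hostmaster.zzz.com. 1 3600 900 604800 3600
@ IN NS ns.zzz.com.
@ IN CNAME some-other-machine.zzz.com.
"""


def _fqdn(name, origin):
    """Expand '@' and relative owner names against the zone origin."""
    if name == "@":
        return origin
    return name if name.endswith(".") else f"{name}.{origin}"


def parse_zone(text):
    """Parse master-format text: $ORIGIN/$TTL directives, then one record per
    line as 'owner [ttl] [IN] type rdata'. Returns (origin, records), each
    record being (owner, ttl, type, rdata); rdata is kept as written."""
    origin, default_ttl, records = None, 3600, []
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        fields = line.split()
        if fields[0] == "$ORIGIN":
            origin = fields[1] if fields[1].endswith(".") else fields[1] + "."
            continue
        if fields[0] == "$TTL":
            default_ttl = int(fields[1])
            continue
        if origin is None:
            raise ValueError("record before $ORIGIN")
        owner, rest, ttl = _fqdn(fields[0], origin), fields[1:], default_ttl
        if rest and rest[0].isdigit():
            ttl, rest = int(rest[0]), rest[1:]
        if rest and rest[0].upper() == "IN":
            rest = rest[1:]
        records.append((owner, ttl, rest[0].upper(), " ".join(rest[1:])))
    return origin, records


def normalize(text):
    """Re-emit the zone in a stable order: apex first (SOA, then NS), then by
    owner name in label order, type and rdata, so two dumps can be diffed."""
    origin, records = parse_zone(text)

    def key(rec):
        owner, _ttl, rtype, rdata = rec
        labels = tuple(reversed(owner.rstrip(".").split(".")))
        return (labels, {"SOA": 0, "NS": 1}.get(rtype, 2), rtype, rdata)

    lines = [f"$ORIGIN {origin}"]
    for owner, ttl, rtype, rdata in sorted(records, key=key):
        lines.append(f"{owner:<40} {ttl:>6} IN {rtype:<6} {rdata}")
    return "\n".join(lines) + "\n"


def shuffled(text, seed=7):
    """Same zone, record lines in a different order (directives stay first)."""
    lines = text.splitlines()
    directives = [l for l in lines if l.startswith("$")]
    records = [l for l in lines if l and not l.startswith("$")]
    random.Random(seed).shuffle(records)
    return "\n".join(directives + records) + "\n"


def audit(text):
    """Return human-readable findings for the AD-related problems."""
    origin, records = parse_zone(text)
    by_owner = defaultdict(list)
    for owner, _ttl, rtype, rdata in records:
        by_owner[owner].append((rtype, rdata))
    findings = []
    apex = by_owner.get(origin, [])
    if any(t == "CNAME" for t, _ in apex):
        findings.append("CNAME at zone apex: it can coexist with no other "
                        "record, so a DC cannot register its A record here")
    apex_a = sorted(r for t, r in apex if t == "A")
    if len(apex_a) > 1:
        findings.append(f"{len(apex_a)} A records at apex, one per DC "
                        f"registration: {', '.join(apex_a)}")
    for label in AD_SUBDOMAINS:
        sub = f"{label}.{origin}"
        delegated = any(t == "NS" for t, _ in by_owner.get(sub, []))
        inside = [o for o in by_owner if o != sub and o.endswith("." + sub)]
        if inside and not delegated:
            findings.append(f"{sub} holds {len(inside)} owner name(s) but is "
                            "not delegated; DC SRV updates will rewrite this zone")
    return findings


if __name__ == "__main__":
    print(normalize(SAMPLE_ZONE))
    for finding in audit(SAMPLE_ZONE):
        print("finding:", finding)
```

Run it against the file BIND writes back after each update and keep the normalized output under version control; a diff then shows exactly which records a DC (or anything else allowed by allow-update) changed. One caveat on the allow-update lines quoted above: an address-based ACL is the only control BIND 8 can apply to a Win2k DC, because a forged UDP source address passes it and the DCs sign their updates with GSS-TSIG, which BIND 8 does not understand (BIND 8.2 supports plain TSIG only). That is part of why delegating the four subdomains to MS DNS, as Barry did, was a common choice.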




More information about the bind-users mailing list