Reject of W2K gc._msdcs...

Tim Maestas tmaestas at idc.dhs.org
Mon Mar 6 07:51:59 UTC 2000


Craig, the domain _msdcs.zzz.com will be ignored, to the best of my
knowledge.  It is not really a domain, more a part of the host name of
records that are used forest wide. However, the DCs of your child
domains, subdomain.zzz.com should update the subdomain.zzz.com zone,
*along with* some records into zzz.com.  The record you mention,
gc._msdcs will definitely go into the zone for the root of your forest, as
the global catalog srv record needs to be able to be located forest wide.
Your child domain controllers will put records in 2 places (3 if you count
reverse zones):  the root zone, and the child domain that they serve.

Your zone files look ok, along with your named.conf.  What I would try is
this (as it's what I've done and it seems to be working):

Create your zone files zzz.com and eb.zzz.com, along with
0.0.127.in-addr.arpa and any other reverse zones you need.  Configure an
appropriate named.conf (no problems with the one you listed below).  Don't
bother with creating a _msdcs.zzz.com domain.

Bring up the DC for the root of your forest and allow it to update its
records into zzz.com.  Check the event viewer on the DC to make sure there
are no problems up to this point related to DNS or dynamic update.

Bring up the DC for your child domain.  Contrary to what Microsoft told
our company, the DC for the child domain *MUST* "live" in that domain.
I.e., its DNS domain is eb.zzz.com.  If it is in zzz.com, but is a DC for
eb.zzz.com, its dynamic updates will go to zzz.com (at least this is the
behaviour we saw).  So child domain DCs must be a part of the domain
that they serve.

I've been thinking about the Dynamic DNS bugs I mentioned earlier, and
the one mentioned last may affect you.  Basically, the way I understand it
is this:  When you have a master server that is authoritative for zzz.com
and eb.zzz.com, if a dynamic update comes to zzz.com, the NS records that
delegate eb.zzz.com will be destroyed.  And actually, now that I look, I
didn't see any NS records in your zzz.com zone file that delegate
eb.zzz.com.  They should probably be there, but this bug may cause you
grief.  We are actually using Lucent's QIP, and since its source of
data comes from a sybase database, rather than the zone file, this bug
doesn't affect us (or they've fixed the bug, I haven't had time to really
look into it yet).  Even if this bug will affect you, you should at least
see the updates going into the eb.zzz.com zone file.  Once you get that
far, you can think about splitting eb.zzz.com out to a different server
than zzz.com.

-Tim
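An added illustration of the routing Tim describes (this is example code, not anything from the thread or from BIND): a dynamic update is placed in the closest enclosing zone the server is authoritative for, so with no eb.zzz.com zone configured every child-domain record lands in zzz.com, and gc._msdcs.zzz.com always lands in the root zone because _msdcs is just a label, not a zone. A second helper checks that the parent zone actually carries NS delegation records for each configured child zone. The names (zzz.com, eb.zzz.com, dceb.eb.zzz.com, unixbindserver.zzz.com) are the thread's own placeholders; the record tuples are constructed sample data.

```python
from typing import Optional

# Zone sets: Craig's named.conf (child zones commented out) vs. Tim's advice.
ZONES_AS_POSTED = ["zzz.com", "0.0.127.in-addr.arpa", "103.yyy.xxx.in-addr.arpa"]
ZONES_ADVISED = ["zzz.com", "eb.zzz.com", "0.0.127.in-addr.arpa",
                 "103.yyy.xxx.in-addr.arpa"]

# Constructed sample of the parent zone's (owner, type, rdata) records,
# mirroring the zzz.com dump quoted in the thread.
PARENT_RECORDS = [
    ("zzz.com.", "SOA", "unixbindserver.zzz.com. postmaster.zzz.com."),
    ("zzz.com.", "NS", "unixbindserver.zzz.com."),
    ("zzz.com.", "NS", "dc1.zzz.com."),
    ("eb.zzz.com.", "NS", "dceb.eb.zzz.com."),   # delegation of the child zone
]


def _labels(name: str) -> list:
    """Split a DNS name into case-folded labels, ignoring any trailing dot."""
    return name.rstrip(".").lower().split(".")


def owning_zone(owner: str, zones: list) -> Optional[str]:
    """Return the configured zone whose name is the longest suffix of `owner`.

    This is the closest-enclosing-zone rule an authoritative server applies
    when it decides which zone an UPDATE belongs to. If no zone encloses the
    name the server is not authoritative and the update is refused (None).
    """
    o = _labels(owner)
    best = None
    for z in zones:
        zl = _labels(z)
        if len(zl) <= len(o) and o[-len(zl):] == zl:
            if best is None or len(zl) > len(_labels(best)):
                best = z
    return best


def missing_delegations(parent: str, zones: list, parent_records: list) -> list:
    """Child zones of `parent` (by configuration) that the parent's data does
    not delegate with an NS record at the zone cut."""
    delegated = {o.rstrip(".").lower() for o, rtype, _ in parent_records if rtype == "NS"}
    missing = []
    for z in zones:
        if z == parent:
            continue
        # A child zone is one whose immediate enclosing configured zone is `parent`.
        if owning_zone(z, [x for x in zones if x != z]) != parent:
            continue
        if z.rstrip(".").lower() not in delegated:
            missing.append(z)
    return missing
```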
On Sun, 5 Mar 2000, Craig Mason wrote:

> 
> As promised, here is what I tried to resolve the problems of child domains
> not loading any data into their respective zone file. Sample source files
> below from the master BIND server for "zzz.com".
> 
> 
> For those of you just tuning in, trying to make BIND 8.2.2.p5 on Solaris 2.6
> be the source of DNS in an organization, preparing for a W2K / Active
> Directory strategy where Unix is the master of all DNS knowledge, accepting
> all Dynamic updates for Windows 2000 domains and child domains.
> 
> 
> (Note when reading this below, realize that it hasn't worked. All dynamic
> information is being populated into zzz.com's zone file. The "check-names
> ignore" allows the host entry gc._msdcs.zzz.com to make it into the main
> zone file, it will not go down into _msdcs.zzz.com's zone).
> 
> 
> W2K Active Directory will begin at the "root" (zzz.com) and child domains
> will be subdomain.zzz.com. In this example, I'm using eb.zzz.com. They will
> be "domains" in a single tree/multiple domain configuration of Active
> Directory. For testing, all hosts are on a "103" subnet for testing.  .110
> is the first Domain Controller in the A.D. tree for zzz.com. .130 is the
> first domain controller for a child domain eb.zzz.com.
> 
> 
> The "symptom" is that all information simply goes into zzz.com's zone file.
> The child zones (eb.zzz.com, or _msdcs.zzz.com) are ignored. I'm thinking
> this might be the problems mentioned by Mark in earlier posts ???
> 
> 
> 
> Anyway, on to the show.
> 
> 
> 
> 
> My named.conf
> 
> ---------------
> 
> 
> options {
>         directory "/var/named";
> 	allow-query { any; };
> };
> 
> logging {
> 	channel querylog {
> 		file "/var/adm/dnsquery.log" versions 1 size 10m;
> 		print-time yes;
> 		print-category yes;
> 	} ;
> 	channel packetlog {
> 		file "/var/adm/dnspacket.log" versions 1 size 10m;
> 		print-time yes;
> 		print-category yes;
> 	} ;
> 	channel securitylog {
> 		file "/var/adm/dnssecurity.log" versions 1 size 10m;
> 		print-time yes;
> 		print-category yes;
> 	} ;
> 	channel dblog {
> 		file "/var/adm/dnsdb.log" versions 1 size 10m;
> 		print-time yes;
> 		print-category yes;
> 	} ;
> 	channel eventlog {
> 		file "/var/adm/dnsevent.log" versions 1 size 10m;
> 		print-time yes;
> 		print-category yes;
> 	} ;
> 	channel xferinlog {
> 		file "/var/adm/dnsxferin.log" versions 1 size 10m;
> 		print-time yes;
> 		print-category yes;
> 	} ;
> 	channel xferoutlog {
> 		file "/var/adm/dnsxferout.log" versions 1 size 10m;
> 		print-time yes;
> 		print-category yes;
> 	} ;
> 	channel updatelog {
> 		file "/var/adm/dnsupdate.log" versions 1 size 10m;
> 		print-time yes;
> 		print-category yes;
> 	} ;
> 	channel otherlog {
> 		file "/var/adm/dnsother.log" versions 1 size 10m;
> 		print-time yes;
> 		print-category yes;
> 	} ;
>         category queries { querylog; };
>         category packet { packetlog; };
>         category security { securitylog; };
>         category db { dblog; };
>         category eventlib { eventlog; };
> 	category config { otherlog; };
> 	category insist { otherlog; };
> 	category maintenance { otherlog; };
> 	category notify { otherlog; };
> 	category load { otherlog; };
> 	category parser { otherlog; };
> 	category update { updatelog; };
> };
> 
> zone "zzz.com" in {
>         type master;
>         file "master/zzz.com";
> 	allow-update { any; };
> 	allow-transfer { xxx.yyy.103.110; xxx.yyy.103.130; };
> 	check-names ignore;
> };
> 
> zone "0.0.127.in-addr.arpa" in {
>         type master;
>         file "master/127.0.0";
> 	check-names ignore;
> };
> 
> zone "103.yyy.xxx.in-addr.arpa" in {
>         type master;
>         file "master/xxx.yyy.103";
> 	allow-update { any; };
> 	check-names ignore;
> };
> // commenting because it's not working...
> // (named.conf comments use //, # or /* */; ";" is a statement terminator, not a comment)
> 
> // zone "eb.zzz.com" in {
> // 	type master;
> // 	file "master/eb.zzz.com";
> // 	allow-update { any; };
> // 	check-names ignore;
> // };
> //
> // zone "_msdcs.zzz.com" in {
> // 	type master;
> // 	file "master/_msdcs.zzz.com";
> // 	allow-update { any; };
> // 	check-names ignore;
> // };
> //
> // zone "_msdcs.eb.zzz.com" in {
> // 	type master;
> // 	file "master/_msdcs.eb.zzz.com";
> // 	allow-update { any; };
> // 	check-names warn;
> // };
> 
> ---------------
> (*** Note, dynamic data has been removed by me before attaching these files.
> When BIND is running, DDNS updates are showing up in file zzz.com)
> 
> 
> 
> zone file zzz.com
> 
> ;BIND DUMP V8
> $ORIGIN com.
> zzz	86400	IN	SOA	unixbindserver.zzz.com. postmaster.zzz.com. (
> 		37 3600 900 3600000 86400 )	;Cl=2
> 	86400	IN	NS	unixbindserver.zzz.com.	;Cl=2
> 	86400	IN	NS	dc1.zzz.com.	;Cl=2
> $ORIGIN eb.zzz.com.
> 	86400	IN	NS	dceb.eb.zzz.com.	;Cl=2
> 
> <... lots of interesting Microsoft DDNS  A records deleted here ...>
> 
> 
> 
> ---------------
> 
> zone file eb.zzz.com
> 
> 
> ;BIND DUMP V8
> $ORIGIN com.
> zzz	86400	IN	SOA	unixbindserver.zzz.com. postmaster.zzz.com. (
> 		37 3600 900 3600000 86400 )	;Cl=2
> 	86400	IN	NS	unixbindserver.zzz.com.	;Cl=2
> 	86400	IN	NS	dc1.zzz.com.	;Cl=2
> $ORIGIN eb.zzz.com.
> 	86400	IN	NS	dceb.eb.zzz.com.	;Cl=2
> 
> ---------------
> 
> zone file _msdcs.zzz.com
> 
> 
> ;BIND DUMP V8
> $ORIGIN com.
> zzz	86400	IN	SOA	unixbindserver.zzz.com. postmaster.zzz.com. (
> 		37 3600 900 3600000 86400 )	;Cl=2
> 	86400	IN	NS	unixbindserver.zzz.com.	;Cl=2
> 	86400	IN	NS	dc1.zzz.com.	;Cl=2
> $ORIGIN eb.zzz.com.
> 	86400	IN	NS	dceb.eb.zzz.com.	;Cl=2
> 
> ---------------
> 
> zone file _msdcs.eb.zzz.com
> 
> ;BIND DUMP V8
> $ORIGIN com.
> zzz	86400	IN	SOA	unixbindserver.zzz.com. postmaster.zzz.com. (
> 		37 3600 900 3600000 86400 )	;Cl=2
> 	86400	IN	NS	unixbindserver.zzz.com.	;Cl=2
> 	86400	IN	NS	dc1.zzz.com.	;Cl=2
> $ORIGIN eb.zzz.com.
> 	86400	IN	NS	dceb.eb.zzz.com.	;Cl=2
> 
> 
> ---------------
> 
> reverse lookup file xxx.yyy.103
> 
> 
> ;BIND DUMP V8
> $ORIGIN yyy.xxx.in-addr.arpa.
> 103	86400	IN	SOA	unixbindserver.zzz.com. postmaster.zzz.com. (
> 		730 3600 900 3600000 86400 )	;Cl=5
> 	86400	IN	NS	unixbindserver.zzz.com.	;Cl=5
> $ORIGIN 103.yyy.xxx.in-addr.arpa.
> 100	86400	IN	PTR	mailman.zzz.com.	;Cl=5
> 130	1200	IN	PTR	dceb.eb.zzz.com.	;Cl=5
> 14	86400	IN	PTR	unixbindserver.zzz.com.	;Cl=5
> 110	1200	IN	PTR	dc1.zzz.com.	;Cl=5
> 
> ---------------
> 
> 
> ... Craig
> 
> Craig Mason
> Mason Technology, Inc.
> cmason at masontechnology.com
> (303) 756-3363
> 