One last W2K / Active Directory / BIND question

Tim Maestas tmaestas at dnsconsultants.com
Fri Aug 3 01:25:43 UTC 2001



	By default the Win2k DCs will attempt to add an A
	record for example.com with their IP address.  This
	can be controlled via a registry entry (search the KB).

	However, I wouldn't expect the failure of being able
	to update that record to halt the rest of the update
	process.  If you have _msdcs etc created on your name
	server the Win2k box should update those zones.  Make
	sure that the MNAME field of the SOA for those zones
	is correct, and that those zones are properly delegated
	in the example.com zone file.

-Tim




On Thu, 2 Aug 2001, Simpson, John R wrote:

> 
> 
> Greetings,
> 
> 	Please forgive yet another question on W2K/BIND integration.  I've
> read through the FAQs, Cricket's book (I have the 1st, 3rd, and 4th
> editions -- 1st and 3rd are signed ;-), Microsoft KB, and many messages on
> this mailing list and cannot find anyone who seems to have this problem.
> 
> 	I'm attempting to allow Windows 2000 Active Directory to update the
> _msdcs, _tcp, _udp, and _sites AD specific subdomains of example.com while
> leaving example.com static -- basically the approach Cricket outlined in the
> 4th edition of DNS and BIND.  I've created zone definitions and db files for
> example.com, _msdcs.example.com, _tcp.example.com, _udp.example.com, and
> _sites.example.com.  
> 
> 	If I give allow-update permission to the W2K server for all zones,
> including example.com, the update works and all the SRV records get added to
> _msdcs, etc.  However, I don't want the W2K server to have update permission
> to example.com.
> 
> 	If I don't give allow-update permission to the W2K server to
> example.com, it fails with the message "The Wizard cannot contact the DNS
> server that handles the name "example.com" to determine if it supports
> dynamic update. Confirm your DNS configuration, or install and configure a
> DNS server on this computer."  At the same time BIND logs an unauthorized
> update for example.com.  It makes no attempt to update _msdcs.example.com,
> etc.  As soon as I restore allow-update to example.com the updates proceed.
> 
> 	The problem appears to be that the W2K server wants to add an A
> record assigning its IP address to the name "example.com." -- at least
> that's the only new record.  The existing record for sp01.example.com was
> not changed.  The new A record is an annoying side effect in the lab, but in
> our production environment it would be an error.
> 
> 	The Windows 2000 server is W2K SP1, with the name sp01.example.com,
> domain example.com.  The name server is a lab system running BIND 8.2.2-P5
> (all our production servers are 8.2.4) on Solaris 7.  Just realized the BIND
> version number on the lab system -- no wonder it was available.  I'll be
> putting together an up to date server for testing tomorrow.
> 
> 	Has anyone else encountered this behavior?  Is it due to my 8.2.2-P5
> server or something on the W2K side?  I can provide any additional OS, BIND,
> or config files that would be useful.  I'm virtually certain it's on the
> Windows side, given the extraneous A record.
> 
> Regards,
> 
> John Simpson
> --
> John R. Simpson                               The Reynolds and Reynolds Co.
> Sr. Network Engineer                          800 Germantown Street OH10
> Network Services, Network Architecture Team   Dayton, OH 45407
> Voice (937) 485-2269 Fax (937) 485-2427
> mailto:John_Simpson at reyrey.com
> 
> 
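
The zone layout discussed in this thread, as an added example that is not part of either message: the parent zone refuses dynamic updates while the four AD subzones accept them only from the domain controller. The address 192.0.2.10 for sp01.example.com, the server name ns1.example.com, the ACL name and the db.* file names are assumptions made for illustration.

```conf
// named.conf fragment (constructed example, not from the thread).
// Assumptions: 192.0.2.10 is sp01.example.com (the W2K DC),
// ns1.example.com is this name server, db.* file names are placeholders.

acl "ad-dcs" { 192.0.2.10; };

// Parent zone stays static: no host may send dynamic updates.
zone "example.com" {
        type master;
        file "db.example.com";
        allow-update { none; };
};

// AD-specific subzones: only the DC may update them.
zone "_msdcs.example.com" {
        type master;
        file "db._msdcs.example.com";
        allow-update { "ad-dcs"; };
};

zone "_sites.example.com" {
        type master;
        file "db._sites.example.com";
        allow-update { "ad-dcs"; };
};

zone "_tcp.example.com" {
        type master;
        file "db._tcp.example.com";
        allow-update { "ad-dcs"; };
};

zone "_udp.example.com" {
        type master;
        file "db._udp.example.com";
        allow-update { "ad-dcs"; };
};

// db.example.com has to delegate each subzone, for example:
//   _msdcs  IN NS  ns1.example.com.
//   _sites  IN NS  ns1.example.com.
//   _tcp    IN NS  ns1.example.com.
//   _udp    IN NS  ns1.example.com.
// Each subzone's SOA MNAME should name the server that accepts the
// updates, for example in db._msdcs.example.com:
//   @ IN SOA ns1.example.com. hostmaster.example.com. ( ... )
```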


