Windows 2K DC A Record Visible When Running Nslookup against domain name

Jim D. Kirby jdkirby at bluebunny.com
Tue Jan 30 20:57:43 UTC 2001 

Regarding the A records for hte Win2K DCs.....

In our test, we only populated A records for the DCs like this:

     dc01.anl.gov   IN  A   192.168.1.11
     dc02.anl.gov   IN  A   192.168.4.10

and left the A records associated with the domain itseld to point at another
host (the DNS machine itself).  We did not have problems with clients
finding a DC.

Barry indicates that the Win2K clients use the A record associated with the
domain (anl.gov   IN  A   192.168.1.11) to find their DC.  My understanding
is, that Win2K client first gets it address DNS information from DHCP (or
statically or via DHCPINFORM; no matter which).  Armed with DNS information,
it then does a DNS lookup for a particular SRV records
(_ldap.First-Default-Sites._tcp._msdcs.anl.gov or something similiar) to
find  
the ldap, kereberos, global catalog and other services.

This should mean that the DC-to-domain records are not needed.  We do not
allow WindK DCs to update the primary zone so we do not have domain A
records pointing to DC addesses and it seems to work well.

Is there any reason why this setup would cause us problems?  I guess it's
possible that legacy WINS could  be masking issues.
jk

-----Original Message-----
From: Barry Finkel [mailto:b19141 at achilles.ctd.anl.gov]
Sent: Friday, January 26, 2001 9:13 AM
To: bind-users at isc.org
Subject: Re: Windows 2K DC A Record Visible When Running Nslookup
against domain name


Vyto Grigaliunas [mailto:vyto at fnal.gov] replied to Bill Smith:

>I've noticed that two and I think it's because the W2K DC's create A
records
>associated with the domain itself as well...why, I don't know (I seem to
say
>that a lot about Microsoft), but then again we're just starting to set up a
>testbed...probably how AD clients find their DC's ???

"Jim D. Kirby" <jdkirby at bluebunny.com> replied to Vyto:

>I've noticed this as well.  Or suspicion is it's just MS's way of taking
>control of the zone.  It does not overwrite any existing A records, but we
>did not want our DCs populated this way and have disabled updates to the
>primary zone file.  We did create _msdcs, _tcp, _udp, and _sites subdomains
>under the primary zone and allow the DCs to update those zones.  AD/Win2K
>clients find their DCs from those zones.

I believe that Vyto is correct.  Each DC in a Win2k domain will 
register its address in DNS -  for example,

     anl.gov   IN  A   192.168.1.11
     anl.gov   IN  A   192.168.4.10

That is how the Win2k clients find the addresses of the DCs.  In our
testbed and production networks I have the four "_" zones on a Win2k
DNS (this may change) where I alllow DDNS.  I do not allow DDNS to the

     anl.gov

zone, so for each of our DCs for that top-level Win2k domain I
registered the "A" record manually.  I do not expect that our top-level
DCs will change IP addresses in the future, so there is no need for the
"A" records to be dynamic.

We are still working on configurations for the sub-domains of anl.gov.
----------------------------------------------------------------------
Barry S. Finkel
Electronics and Computing Technologies Division
Argonne National Laboratory          Phone:    +1 (630) 252-7277
9700 South Cass Avenue               Facsimile:+1 (630) 252-9689
Building 221, Room B236              Internet: BSFinkel at anl.gov
Argonne, IL   60439-4844             IBMMAIL:  I1004994

More information about the bind-users mailing list