DONE: Active Directory's A record and delegation to subdomains

Adam Augustine adam_augustine at morinda.com
Wed Nov 14 16:35:55 UTC 2001


Since a few people asked for a follow up message when we had completed the
implementation...

Everything works great. We followed the DNS and BIND book and got everything
working without any problem. The A record is NOT necessary. The Microsoft
logic was the same that web people use, which is, "why type
'www.morinda.com' when you can type 'morinda.com' and have it work." My
opinion is this is a bad idea just for the very reason that we have
encountered here, someone will want the "default" domain name to point to
their server/service rather than someone else's service.

Since we still have some 8.2.5-REL machines, we are not using the dynamic
update stuff. We are simply copying the netlogon.dns contents into the
appropriate zone (and dropping the top level A record). This is only a pain
when changes are made and will work fine for us until we complete our 9.2
roll out. We have disabled for the time being the automatic updates from the
AD servers by changing a registry key:

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters]
"UseDynamicDns"=dword:00000000

Which eliminates the traffic and warning messages from the Domain Controller
trying to update every 5 minutes with the same information (what a waste).

Thanks to all those who helped by offering ideas and suggestions. This went off
so perfectly that we didn't know what to do with ourselves for a few days.
:-)

Hopefully people will catch this as we did, but there are some typos in the
BIND book on p. 525. In particular, under the zone definitions for _sites and
_msdcs:

zone "_sites.fx.movie.edu" {
	type master;
	file "db._udp.fx.movie.edu";
	allow-update { dc };
};

zone "_msdcs.fx.movie.edu" {
	type master;
	file "db._udp.fx.movie.edu";
	allow-update { dc };
};

Which of course, isn't quite right, and should be:

zone "_sites.fx.movie.edu" {
	type master;
	file "db._sites.fx.movie.edu";
	allow-update { dc };
};

zone "_msdcs.fx.movie.edu" {
	type master;
	file "db._msdcs.fx.movie.edu";
	allow-update { dc };
};

Probably just a cut-and-paste gone unedited.

Thanks again to everyone,
	Adam Augustine
	Global Network Manager
	Morinda, Inc.
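The "copy netlogon.dns into the appropriate zone and drop the top-level A record" step described above, as an added example that is not part of the original post or of the BIND book: a small Python script that reads records in netlogon.dns layout (owner TTL IN type rdata), routes each one into the _msdcs, _sites, _tcp or _udp zone file of the p. 525 layout with the owner made relative to that zone, and deliberately throws away the apex A record. The sample records, the DC name dc1.morinda.com and the address 10.0.0.5 are constructed placeholders, not data from the post.

```python
"""Split a Windows 2000 netlogon.dns file into the delegated AD sub-zones
(_msdcs, _sites, _tcp, _udp) and drop the apex A record.

Added example; not code from the post or the BIND book. Record layout follows
netlogon.dns (owner TTL IN type rdata). The sample below is constructed and
the DC name/address are placeholders.
"""
import re
from collections import defaultdict

# Sub-zones delegated out of the production domain, as in the p. 525 layout.
AD_SUBZONES = ("_msdcs", "_sites", "_tcp", "_udp")

# Constructed sample in netlogon.dns style (not a real DC's file).
SAMPLE_NETLOGON_DNS = """\
morinda.com. 600 IN A 10.0.0.5
_ldap._tcp.morinda.com. 600 IN SRV 0 100 389 dc1.morinda.com.
_ldap._tcp.Default-First-Site-Name._sites.morinda.com. 600 IN SRV 0 100 389 dc1.morinda.com.
_ldap._tcp.pdc._msdcs.morinda.com. 600 IN SRV 0 100 389 dc1.morinda.com.
_ldap._tcp.dc._msdcs.morinda.com. 600 IN SRV 0 100 389 dc1.morinda.com.
gc._msdcs.morinda.com. 600 IN A 10.0.0.5
_gc._tcp.morinda.com. 600 IN SRV 0 100 3268 dc1.morinda.com.
_kerberos._tcp.morinda.com. 600 IN SRV 0 100 88 dc1.morinda.com.
_kerberos._udp.morinda.com. 600 IN SRV 0 100 88 dc1.morinda.com.
_kpasswd._tcp.morinda.com. 600 IN SRV 0 100 464 dc1.morinda.com.
_kpasswd._udp.morinda.com. 600 IN SRV 0 100 464 dc1.morinda.com.
"""

RECORD_RE = re.compile(r"^(\S+)\s+(\d+)\s+IN\s+(\S+)\s+(.+)$")


def parse_records(text):
    """Yield (owner, ttl, rtype, rdata) for every non-blank, non-comment line."""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        m = RECORD_RE.match(line)
        if not m:
            raise ValueError("unparsable netlogon.dns line: %r" % line)
        owner, ttl, rtype, rdata = m.groups()
        # Normalise the owner to a lower-case FQDN with a trailing dot.
        yield owner.lower().rstrip(".") + ".", int(ttl), rtype.upper(), rdata


def split_netlogon_dns(text, domain, subzones=AD_SUBZONES):
    """Route netlogon.dns records to the sub-zone files of the p. 525 layout.

    Returns (zones, dropped, unrouted). zones maps e.g. '_msdcs.morinda.com'
    to zone-file lines with owners relative to that zone. dropped holds apex
    records thrown away on purpose (the A record AD wants at the top of the
    domain, which would otherwise hijack the production web address).
    unrouted holds anything that belongs to no delegated sub-zone, so a human
    reviews it instead of it silently landing in the production zone.
    """
    domain = domain.lower().rstrip(".")
    zone_names = ["%s.%s" % (sz, domain) for sz in subzones]
    zones = defaultdict(list)
    dropped, unrouted = [], []
    for owner, ttl, rtype, rdata in parse_records(text):
        if owner == domain + ".":
            dropped.append((owner, ttl, rtype, rdata))  # the apex A record
            continue
        # Longest-suffix match so _ldap._tcp.dc._msdcs.<domain> lands in
        # _msdcs rather than _tcp.
        match = max((z for z in zone_names if owner.endswith("." + z + ".")),
                    key=len, default=None)
        if match is None:
            unrouted.append((owner, ttl, rtype, rdata))
            continue
        relative = owner[:-(len(match) + 2)]  # strip ".<zone>."
        zones[match].append("%s %d IN %s %s" % (relative, ttl, rtype, rdata))
    return dict(zones), dropped, unrouted


def delegation_records(ns_name, subzones=AD_SUBZONES):
    """NS records the parent (production) zone needs to delegate the sub-zones."""
    return ["%s IN NS %s" % (sz, ns_name) for sz in subzones]


if __name__ == "__main__":
    zones, dropped, unrouted = split_netlogon_dns(SAMPLE_NETLOGON_DNS, "morinda.com")
    for zone, lines in sorted(zones.items()):
        print("; records for db.%s" % zone)
        print("\n".join(lines))
    for rec in dropped:
        print("; dropped apex record: %s %d IN %s %s" % rec)
    for rec in unrouted:
        print("; REVIEW (no delegated sub-zone): %s %d IN %s %s" % rec)
    print("; add to the parent zone:")
    print("\n".join(delegation_records("dc1.morinda.com.")))
```

The emitted lines are meant to be pasted under each sub-zone file's own SOA and NS records; the script produces neither, and it does not touch the parent zone beyond printing the four NS records for the delegation. Anything that ends up in the unrouted bucket is a record netlogon.dns wanted in the production zone itself, which is exactly the kind of record this layout exists to keep out.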

> -----Original Message-----
> From: Bell, William IT [mailto:WBell at mvphealthcare.com]
> Sent: Wednesday, September 19, 2001 9:55 AM
> To: 'Adam Augustine'; 'bind-users at isc.org'
> Subject: RE: Active Directory's A record and delegation to subdomains
> 
> 
> Hi Adam,
> I've been following this thread with interest - good stuff.
> 
> We are investigating this DDNS/AD workaround at our company, and I
> discovered a site (Yale University) that details their implementation of
> the "p.525 solution" on the following webpage. If you haven't yet seen it,
> go to:
> http://wss.yale.edu/win2k/ad-and-ddns.html
> 
> Thought you might find this helpful; we have.
> Good luck!
> --
> Regards,
>  Bill
> 
> Wm. Bell
> Unix Systems Administrator
> MVP Health Plan
> New York
> 
> 
> 
> 
> -----Original Message-----
> From: Adam Augustine [mailto:adam_augustine at morinda.com]
> Sent: Tuesday, September 18, 2001 10:54 AM
> To: 'bind-users at isc.org'
> Subject: Active Directory's A record and delegation to subdomains
> 
> 
> 
> After talking with our Win2k guy and reading various posts on the list,
> and reading pages 520-525 in the BIND book, I have a concern about the A
> record that Active Directory wants in the top of the domain, and how AD
> handles delegation.
> 
> Like most companies, we have an A record for "morinda.com" pointing to our
> web servers. Active Directory wants this A record to point to a single
> Domain Controller. My plan was to set up the domain according to the
> suggested approach on page 525 of the book. It looks clean and easy, and no
> mucking about with the main domain. Unfortunately, it looks like I still
> need that stupid A record and will then have to run a web server (IIS, of
> course, <shudder>) on the Domain Controller to redirect everything to the
> real web server (I am trying to keep gripe mode off here and not complain
> about how stupid it is to require an A record instead of using a SRV record
> like the billion or so others they want to have).
> 
> This raises huge security issues (because of the web server running on a
> Domain Controller), reliability issues (since there is only one A record),
> and performance issues as well (because of a web server redirecting when it
> should be doing Domain Controller stuff).
> 
> Does AD really need that A record? Page 525 doesn't mention it, and the
> stuff on the list (from what I have been able to gather, anyway) isn't
> conclusive either way. It doesn't work when we test it, but that may just
> be because we aren't doing it quite right. If it doesn't need it, how do we
> set it up?
> 
> Next question: will the same trick we are using to keep AD out of the
> "production" domain (the technique described on p. 525) work in a scenario
> where we have delegated subdomains? Our internal DNS structure has the
> corporate offices as "morinda.com" and each remote office as a two-letter
> delegated subdomain of that based on country, for example "jp.morinda.com",
> "ca.morinda.com" or "mx.morinda.com", under which they in turn can create
> subdomains for their non-main country offices ("tokyo.jp.morinda.com" or
> "toronto.ca.morinda.com", etc.). This has worked superbly well for us and
> it would not make me happy to have to change it. Our testing has shown that
> it doesn't quite work right, but that may be because we haven't set it up
> "right".
> 
> Maybe I should just hire Cricket and Co. to take a shot at it... :-)
> 
> Thanks for any insights,
> 	Adam Augustine
> 