Active Directory's A record and delegation to subdomains

Adam Augustine adam_augustine at morinda.com
Tue Sep 18 14:53:46 UTC 2001


After talking with our Win2k guy and reading various posts on the list, and
reading pages 520-525 in the BIND book, I have a concern about the A record
that Active Directory wants in the top of the domain, and how AD handles
delegation.

Like most companies, we have an A record for "morinda.com" pointing to our
web servers. Active Directory wants this A record to point to a single
Domain Controller. My plan was to set up the domain according to the
suggested approach on page 525 of the book. It looks clean and easy, and no
mucking about with the main domain. Unfortunately, it looks like I still
need that stupid A record and will then have to run a web server (IIS of
course, <shudder>) on the Domain Controller to redirect everything to the
real web server (I am trying to keep gripe mode off here and not complain
about how stupid it is to require an A record instead of using a SRV record
like the billion or so others they want to have).

This raises huge security issues (because of the web server running on a
Domain Controller), reliability issues (since there is only one A record),
and performance issues as well (because of a web server redirecting when it
should be doing Domain Controller stuff).

Does AD really need that A record? Page 525 doesn't mention it and the stuff
on the list (what I have been able to gather anyway), isn't conclusive
either way. It doesn't work when we test it, but that may just be because we
aren't doing it quite right. If it doesn't need it, how do we set it up?

Next question, will the same trick we are using to keep AD out of the
"production" domain (the technique described on p525) work in a scenario
where we have delegated subdomains? Our internal DNS structure has the
corporate offices as "morinda.com" and each remote office as a two letter
delegated subdomain of that based on country, for example "jp.morinda.com",
or "ca.morinda.com" or "mx.morinda.com", which they in turn can create
subdomains for their not-main country offices ("tokyo.jp.morinda.com" or
"toronto.ca.morinda.com", etc). This has worked superbly well for us and it
would not make me happy to have to change it. Our testing has shown that it
doesn't quite work right, but that may be because we haven't set it up
"right".

Maybe I should just hire Cricket and Co. to take a shot at it... :-)

Thanks for any insights,
	Adam Augustine
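For readers following the layout described in the post, here is an added illustration of the zone structure being discussed; it is not from the post, from the BIND book, or from any Microsoft documentation, and it does not settle the question of whether AD can do without the apex A record. The hostnames (www, dc1, dc2, ns1, ns2, the per-country name servers) and all addresses (RFC 5737 documentation ranges) are constructed for the example. It shows the apex A record left on the web server, the Domain Controllers given their own hostnames, the well-known AD SRV records (_ldap._tcp, _kerberos._tcp, _ldap._tcp.dc._msdcs) pointing at those DC hostnames rather than at the apex, and NS delegation of the jp/ca/mx subdomains with glue, so the country offices keep running their own zones.

```zone
; Constructed example zone for morinda.com (addresses are RFC 5737 documentation ranges)
$ORIGIN morinda.com.
$TTL 3600
@       IN  SOA   ns1.morinda.com. hostmaster.morinda.com. (
                  2001091801 ; serial
                  3600       ; refresh
                  900        ; retry
                  604800     ; expire
                  3600 )     ; negative-caching TTL
        IN  NS    ns1.morinda.com.
        IN  NS    ns2.morinda.com.
        IN  A     192.0.2.10        ; apex stays on the public web server, not a DC

ns1     IN  A     192.0.2.2
ns2     IN  A     192.0.2.3
www     IN  A     192.0.2.10

; Domain Controllers get their own hostnames on the internal network
dc1     IN  A     198.51.100.11
dc2     IN  A     198.51.100.12

; AD locator records reference the DC hostnames, never the apex A record
_ldap._tcp            IN  SRV  0 100 389 dc1.morinda.com.
_ldap._tcp            IN  SRV  0 100 389 dc2.morinda.com.
_kerberos._tcp        IN  SRV  0 100  88 dc1.morinda.com.
_kerberos._tcp        IN  SRV  0 100  88 dc2.morinda.com.
_ldap._tcp.dc._msdcs  IN  SRV  0 100 389 dc1.morinda.com.
_ldap._tcp.dc._msdcs  IN  SRV  0 100 389 dc2.morinda.com.

; Country offices remain delegated subdomains, with glue for their name servers
jp      IN  NS    ns1.jp.morinda.com.
ns1.jp  IN  A     203.0.113.5
ca      IN  NS    ns1.ca.morinda.com.
ns1.ca  IN  A     203.0.113.21
mx      IN  NS    ns1.mx.morinda.com.
ns1.mx  IN  A     203.0.113.37
```

Two checks are worth running after loading a zone like this: `named-checkzone morinda.com morinda.com.zone` to catch syntax and glue mistakes, and `dig +short SRV _ldap._tcp.morinda.com` from a client to confirm that DC discovery resolves through the SRV records and their hostnames, so the apex address can be left alone. Because the DCs are only reachable through their own names here, nothing in this layout requires a web server on a Domain Controller; whether a given Windows build insists on the apex A record as well is exactly the open question in the post above.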

