Active Directory's A record and delegation to subdomains

Cricket Liu cricket at menandmice.com
Tue Sep 18 15:10:02 UTC 2001


Hi, Adam!

> After talking with our Win2k guy and reading various posts on the list, and
> reading pages 520-525 in the BIND book, I have a concern about the A record
> that Active Directory wants in the top of the domain, and how AD handles
> delegation.
>
> Like most companies, we have an A record for "morinda.com" pointing to our
> web servers. Active Directory wants this A record to point to a single
> Domain Controller. My plan was to set up the domain according to the
> suggested approach on page 525 of the book. It looks clean and easy, and no
> mucking about with the main domain. Unfortunately, it looks like I still
> need that stupid A record and will then have to run a web server (IIS of
> course, <shudder>) on the Domain Controller to redirect everything to the
> real web server (I am trying to keep gripe mode off here and not complain
> about how stupid it is to require an A record instead of using a SRV record
> like the billion or so others they want to have).
>
> This raises huge security issues (because of the web server running on a
> Domain Controller), reliability issues (since there is only one A record),
> and performance issues as well (because of a web server redirecting when it
> should be doing Domain Controller stuff).
>
> Does AD really need that A record? Page 525 doesn't mention it and the stuff
> on the list (what I have been able to gather anyway) isn't conclusive
> either way. It doesn't work when we test it, but that may just be because we
> aren't doing it quite right. If it doesn't need it, how do we set it up?

No, according to the guys at Microsoft, that A RR is only for legacy LDAP
clients.  I thought I wrote that somewhere...  Anyway, I think there's a
Registry setting you can use on the DC to tell it not to add that record.

> Next question, will the same trick we are using to keep AD out of the
> "production" domain (the technique described on p525) work in a scenario
> where we have delegated subdomains? Our internal DNS structure has the
> corporate offices as "morinda.com" and each remote office as a two-letter
> delegated subdomain of that based on country, for example "jp.morinda.com",
> or "ca.morinda.com" or "mx.morinda.com", which they in turn can create
> subdomains for their not-main country offices ("tokyo.jp.morinda.com" or
> "toronto.ca.morinda.com", etc). This has worked superbly well for us and it
> would not make me happy to have to change it. Our testing has shown that it
> doesn't quite work right, but that may be because we haven't set it up
> "right".

Sure, that'll work even if you also have a _udp.morinda.com, _tcp.morinda.com
and the like.

> Maybe I should just hire Cricket and Co. to take a shot at it... :-)

No need--this time.  ;-)

cricket

Men & Mice
DNS Software & Services
www.menandmice.com
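Editor's note: the "Registry setting" Cricket has in mind is Netlogon's DnsAvoidRegisterRecords value, and LdapIpAddress is the mnemonic for the apex A record ("morinda.com A <DC address>") that the DC registers for legacy LDAP clients. The following is an added example, not part of the original post and not Microsoft's or Men & Mice's code: it sets that exclusion on the DC, then checks against the BIND server that the apex A record no longer carries a DC address while the SRV records AD really depends on, and the delegation of the underscore subdomains to the AD DNS servers (the p525 setup asked about), are still in place. The domain name morinda.com is from the post; the BIND server address 192.0.2.53 and the DC's addresses are hypothetical.

```powershell
# Added example (editor's, not from the original post or Microsoft).
# Assumes: AD domain morinda.com (from the post); the BIND server that holds
# the morinda.com zone is 192.0.2.53 (hypothetical). Run in an elevated
# PowerShell session on the domain controller that registers the A record.

$params     = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
$bindServer = '192.0.2.53'   # hypothetical BIND server authoritative for the zone
$domain     = 'morinda.com'

# 1. Tell Netlogon not to register the "<DnsDomainName> A <DC IP>" record.
#    DnsAvoidRegisterRecords is a REG_MULTI_SZ of DC Locator record mnemonics;
#    LdapIpAddress names the apex A record. Merge with any mnemonics already
#    listed so an existing exclusion list is not silently overwritten.
$existing = (Get-ItemProperty -Path $params -Name DnsAvoidRegisterRecords `
             -ErrorAction SilentlyContinue).DnsAvoidRegisterRecords
$avoid = @($existing) + 'LdapIpAddress' | Where-Object { $_ } | Select-Object -Unique
Set-ItemProperty -Path $params -Name DnsAvoidRegisterRecords -Type MultiString -Value $avoid

# 2. Restart Netlogon so the new exclusion list takes effect.
Restart-Service Netlogon

# 3. Check the apex A record as the BIND server serves it. It should now hold
#    only the web servers' addresses; none of this DC's addresses may appear.
$dcAddrs = (Get-NetIPAddress -AddressFamily IPv4 |
            Where-Object { $_.PrefixOrigin -ne 'WellKnown' }).IPAddress
$apex = Resolve-DnsName -Name $domain -Type A -Server $bindServer -DnsOnly
$leak = $apex | Where-Object { $_.IPAddress -in $dcAddrs }
if ($leak) {
    # The setting stops Netlogon *registering* the record; a copy already in
    # the zone can outlive the change. If it is still there, delete it from
    # the zone by hand (nsupdate against BIND, or the DNS console).
    Write-Warning "Apex A record still points at this DC: $($leak.IPAddress -join ', ')"
}

# 4. AD itself locates DCs through SRV records, so those must still resolve,
#    and the underscore subdomains must still be delegated from the BIND
#    zone to the Windows DNS servers (the p525-style split the post describes).
Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$domain" -Type SRV -Server $bindServer -DnsOnly
foreach ($sub in '_msdcs', '_sites', '_tcp', '_udp') {
    Resolve-DnsName -Name "$sub.$domain" -Type NS -Server $bindServer -DnsOnly |
        Where-Object QueryType -eq 'NS' |
        Select-Object Name, NameHost
}
```

The same exclusion can be pushed to every DC at once through Group Policy (Computer Configuration, Administrative Templates, System, Net Logon, DC Locator DNS Records, "DC Locator DNS records not registered by the DCs", with LdapIpAddress in the mnemonic list), which is preferable to hand-editing the Registry on each DC. The country subdomains (jp.morinda.com, ca.morinda.com, ...) are unaffected by any of this: AD only needs the _msdcs, _sites, _tcp and _udp delegations under the domain name it was installed into.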
