BIND DNS and AD

Tomica Crnek Tomica.Crnek at hrt.hr
Mon Jul 22 16:11:33 UTC 2002


It is not difficult; I have done this in my network and it is working OK.

As you know AD is using DDNS to publish all data needed. You have to use
bind that supports SRV records (I think version 8 or later). It uses 4
subdomains _msdcs, _sites, _tcp and _udp inside of your domain. You may
enable DDNS on the whole yourdomain.com, or you may create these 4 subdomain
zones and then enable DDNS updates to them only.

It will look like _msdcs.yourdomain.com etc.

The second thing is that bind does not allow "_" in domain names. Therefore
you have to configure these zones not to check names.

Then, you may not wish to allow all clients to send DDNS updates to these
zones, but to restrict it only to updates from your AD domain controllers. I
am using an access list for domain controllers.

// Domain controllers for yourdomain.com
acl DC-yourdomain.com {
	10.0.0.1;
	10.0.0.2;
};

// Active Directory - _msdcs
zone "_msdcs.yourdomain.com" {
	type master;
	allow-update {
		DC-yourdomain.com;
	};
	check-names ignore;
	file "_msdcs.yourdomain.com.db";
};

// Active Directory - _sites
zone "_sites.yourdomain.com" {
	type master;
	allow-update {
		DC-yourdomain.com;
	};
	check-names ignore;
	file "_sites.yourdomain.com.db";
};

// Active Directory - _tcp
zone "_tcp.yourdomain.com" {
	type master;
	allow-update {
		DC-yourdomain.com;
	};
	check-names ignore;
	file "_tcp.yourdomain.com.db";
};

// Active Directory - _udp
zone "_udp.yourdomain.com" {
	type master;
	allow-update {
		DC-yourdomain.com;
	};
	check-names ignore;
	file "_udp.yourdomain.com.db";
};



Tomica

-----Original Message-----
From: Barry Finkel [mailto:b19141 at achilles.ctd.anl.gov] 
Sent: Monday, July 22, 2002 5:14 PM
To: bind-users at isc.org
Cc: michael.watts at corporate.wesfarmers.com.au
Subject: Re: BIND DNS and AD

"Michael Watts" <michael.watts at corporate.wesfarmers.com.au> wrote:

>My company is implementing MS Win2000 Active Directory; we have done some
>research into integrating it with BIND DNS as opposed to using Microsoft's
>Win2000 DNS Server. I have found both Microsoft and third party white papers
>on how to do this, but would like to know what issues I may come across if
>we choose to go down this path. Is it a difficult task to integrate them or
>do they work fairly nicely provided the procedures outlined in the
>whitepapers are followed? Any input would be appreciated.

Have you searched the archives of bind-users?  There have been many
W2k/AD-related postings over the past years.
----------------------------------------------------------------------
Barry S. Finkel
Electronics and Computing Technologies Division
Argonne National Laboratory          Phone:    +1 (630) 252-7277
9700 South Cass Avenue               Facsimile:+1 (630) 252-4601
Building 222, Room D209              Internet: BSFinkel at anl.gov
Argonne, IL   60439-4828             IBMMAIL:  I1004994
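The value of Tomica's configuration above is in two settings that are easy to get wrong when DDNS is enabled for the whole domain instead of the four underscore zones: allow-update restricted to the domain-controller ACL rather than `any`, and check-names ignore applied only to the zones that actually need it. The script below is an added example, not code from either message or from BIND; it is a small named.conf auditor that parses acl and zone statements with brace matching and reports zones that accept updates from any host, reference an undefined ACL, disable name checking on an ordinary zone, or are AD zones with no allow-update at all. The embedded config is constructed for the example: two zones from the post plus a deliberately weak whole-domain zone; the function names (`parse_conf`, `audit`) are this example's own.

```python
"""Audit a BIND named.conf fragment for the AD dynamic-update pattern described in the post."""
import re
from typing import Dict, List, Optional, Tuple

# The four AD subdomains named in the post; these legitimately need check-names ignore.
AD_LABELS = {"_msdcs", "_sites", "_tcp", "_udp"}
BUILTIN_ACLS = {"none", "localhost", "localnets"}   # BIND built-in ACL names

# Constructed sample config: two zones from the post plus a weak "whole domain" zone
# that lets every host send updates and disables name checking without need.
SAMPLE_CONF = """
// Domain controllers for yourdomain.com
acl DC-yourdomain.com {
    10.0.0.1;
    10.0.0.2;
};

zone "_msdcs.yourdomain.com" {
    type master;
    allow-update { DC-yourdomain.com; };
    check-names ignore;
    file "_msdcs.yourdomain.com.db";
};

zone "_tcp.yourdomain.com" {
    type master;
    allow-update { DC-yourdomain.com; };
    check-names ignore;
    file "_tcp.yourdomain.com.db";
};

zone "yourdomain.com" {
    type master;
    allow-update { any; };
    check-names ignore;
    file "yourdomain.com.db";
};
"""


def _blocks(text: str):
    """Yield (keyword, name, body) for each top-level acl/zone statement, matching braces."""
    text = re.sub(r"//[^\n]*|#[^\n]*", "", text)      # drop line comments
    pos = 0
    while True:
        m = re.search(r'\b(acl|zone)\s+"?([^\s"{]+)"?\s*\{', text[pos:])
        if not m:
            return
        start = pos + m.end()                          # first char inside '{'
        depth, j = 1, start
        while j < len(text) and depth:
            depth += {"{": 1, "}": -1}.get(text[j], 0)
            j += 1
        if depth:
            raise ValueError("unbalanced braces in config")
        yield m.group(1), m.group(2), text[start:j - 1]
        pos = j


def _entries(body: str) -> List[str]:
    """Split an address-match list body like ' 10.0.0.1; any; ' into its entries."""
    return [e.strip() for e in body.split(";") if e.strip()]


def _value(body: str, option: str) -> Optional[str]:
    m = re.search(r"\b" + re.escape(option) + r"\s+([^;{]+);", body)
    return m.group(1).strip() if m else None


def _list(body: str, option: str) -> Optional[List[str]]:
    m = re.search(re.escape(option) + r"\s*\{([^}]*)\}", body)
    return _entries(m.group(1)) if m else None


def _is_address(entry: str) -> bool:
    return bool(re.fullmatch(r"!?\d{1,3}(\.\d{1,3}){3}(/\d{1,2})?", entry))


def parse_conf(conf: str) -> Tuple[Dict[str, List[str]], List[Tuple[str, str]]]:
    """Return ({acl name: entries}, [(zone name, zone body), ...])."""
    acls: Dict[str, List[str]] = {}
    zones: List[Tuple[str, str]] = []
    for kind, name, body in _blocks(conf):
        if kind == "acl":
            acls[name] = _entries(body)
        else:
            zones.append((name, body))
    return acls, zones


def audit(conf: str) -> List[str]:
    """Report master zones whose update policy or name checking is weaker than the post's pattern."""
    acls, zones = parse_conf(conf)
    findings = []
    for name, body in zones:
        if _value(body, "type") != "master":
            continue
        is_ad_zone = name.split(".")[0] in AD_LABELS
        updaters = _list(body, "allow-update")
        if updaters is None:
            if is_ad_zone:
                findings.append(f"{name}: AD zone has no allow-update; domain controllers cannot register")
        else:
            for entry in updaters:
                if entry == "any":
                    findings.append(f"{name}: allow-update {{ any; }} accepts updates from every host")
                elif not (_is_address(entry) or entry.startswith("key ")
                          or entry in acls or entry in BUILTIN_ACLS):
                    findings.append(f"{name}: allow-update references undefined acl '{entry}'")
        if _value(body, "check-names") == "ignore" and not is_ad_zone:
            findings.append(f"{name}: check-names ignore on a zone without underscore labels")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONF):
        print(finding)
```

Run against the sample, the two underscore zones pass and only the whole-domain zone is reported, once for `allow-update { any; }` and once for the unnecessary `check-names ignore`. The parser only understands line comments and the acl/zone/allow-update/check-names syntax the post uses, which is enough to check a config built along its lines before loading it into named.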
