AD & DNS??

Barry Finkel b19141 at achilles.ctd.anl.gov
Mon Jan 19 16:41:07 UTC 2004


"fih" <frhak at hotmail.com> wrote:

>I'd like to start a conversation regarding DNS and AD. I'd like to get in
>contact with people running DNS for companies with more than 20000 hosts.
>
>Basically these are the facts:
>
>At our 60000-user company it's blowing a heavy Microsoft Active Directory
>wind. Microsoft has recommended that our AD team create one global AD zone;
>we can call it microstuff.net. We are also currently using a geographical
>DNS namespace under our own root name servers. We manage our geographical
>and reverse zones with QIP. (We have lately been looking at Nominum's very
>interesting DNS solution, which might replace QIP in the future.)
>
>My thinking was that I will delegate microstuff.net to AD DNS servers and
>they would have their SRV records in their huge global zone, and the
>A-records would be located in the geographical zone as usual with PTR
>pointing back to the GEO zone. In my world this would be a good DNS
>solution, except for maybe the global SRV record zone.
>
>When I have been discussing this with Microsoft they recommend that we have
>the AD members' A-records in the global AD zone microstuff.net along with the
>SRV records, because programmers sometimes take for granted that the
>A-records exist in the same zone as the SRV records.
>
>We have been discussing three solutions:
>
>1. A-records in geographical zones with corresponding PTR records. SRV
>records in the AD zone microstuff.net. (This is what I want but it is
>deprecated by Microsoft.)
>
>2. A-records and SRV-records in microstuff.net and corresponding
>PTR-records. (This is what Microsoft wants)
>
>3. A-records in geographical zones with corresponding PTR records. SRV
>records in the AD zone microstuff.net + an extra A-record for each AD member
>in microstuff.net. (This is a terrible compromise since all AD members will
>have two A-records and one PTR record.)
>
>I'd like to know how other great companies have solved this.

I know that there already have been replies to this mail.  Here is my
reply:

1) Check the archives of this group and its sister group

        bind9-users at isc.org

   There have been many BIND/AD-related postings in the past years.

2) If you are going to have a BIND slave to the W2003/AD zones, then
   I recommend having only one W2003 DNS master.  There may (will?) be
   serial number issues for the BIND slave if there are more than one
   master (see MS article 282826).

3) What DNS servers are configured today for the W2k workstations?
   If the configuration points to your BIND boxes, then take the AD
   zones (with the SRV records) and have them slaved on your BIND.
   That way, the DNS configuration on the W2k workstations does not
   have to change.

4) I am not sure what the controversy is about the location of the "A"
   records.  If the AD zone is

         Microstuff.net

   then the "A" records for the DCs must be in the 

         Microstuff.net

   zone.  If you delegate the "_" zones (four or six, depending upon the
   domain) to a W2003 DNS Server and place the Microstuff.net forward
   zone on a BIND box, then the "A" records will be on the BIND box.

   >When I have been discussing this with Microsoft they
   >recommend that we have the AD members' A-records in the global AD
   >zone microstuff.net along with the SRV records, because
   >programmers sometimes take for granted that the A-records
   >exist in the same zone as the SRV records.

   Why would a programmer need to know on which DNS server they will find
   SRV records or "A" records?  Assuming that the zone delegations are
   correct, a programmer would issue a DNS query (to one of the DNS
   servers configured for his/her machine) and an answer would be
   returned.  The only times I care which server handles my DNS requests
   are when I am debugging a DNS problem.

5) I am not sure of your plans for Dynamic DNS (DDNS).  I assume that
   you want the "_" zones to be dynamic, and thus they belong on the
   W2003 DNS.  If you want the rest of the zone static, then place it
   on a BIND box.

----------------------------------------------------------------------
Barry S. Finkel
Computing and Instrumentation Solutions Division
Argonne National Laboratory          Phone:    +1 (630) 252-7277
9700 South Cass Avenue               Facsimile:+1 (630) 252-4601
Building 222, Room D209              Internet: BSFinkel at anl.gov
Argonne, IL   60439-4828             IBMMAIL:  I1004994
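The split described in points 4) and 5) of the reply, as an added example that is not part of the original thread: the Microstuff.net forward zone is held static on a BIND master, the DCs' "A" records sit in that zone, and the four "_" subzones the DCs update dynamically are delegated to the W2003 DNS servers. All host names and addresses below are constructed placeholders (192.0.2.0/24 is the documentation range), and which subzones a given domain needs is an assumption to verify against the actual DCs.

```zone
; microstuff.net -- static forward zone on the BIND master.
; Constructed example: names and addresses are placeholders.
$ORIGIN microstuff.net.
$TTL 3600
@       IN  SOA  ns1.microstuff.net. hostmaster.microstuff.net. (
                 2004011901 ; serial (YYYYMMDDnn, bumped by hand: zone is static)
                 3600       ; refresh
                 900        ; retry
                 604800     ; expire
                 300 )      ; negative-caching TTL

; The BIND servers are authoritative for the parent zone.
        IN  NS   ns1.microstuff.net.
        IN  NS   ns2.microstuff.net.
ns1     IN  A    192.0.2.1
ns2     IN  A    192.0.2.2

; Domain controllers. Their "A" records must live in the AD zone because
; the SRV records the DCs register point at exactly these names.
dc1     IN  A    192.0.2.10
dc2     IN  A    192.0.2.11

; Delegate the dynamically updated "_" subzones to the W2003 DNS servers
; (here the DCs themselves). Because dc1/dc2 are in this zone, the "A"
; records above also serve as glue for the delegations.
_msdcs  IN  NS   dc1.microstuff.net.
_msdcs  IN  NS   dc2.microstuff.net.
_sites  IN  NS   dc1.microstuff.net.
_sites  IN  NS   dc2.microstuff.net.
_tcp    IN  NS   dc1.microstuff.net.
_tcp    IN  NS   dc2.microstuff.net.
_udp    IN  NS   dc1.microstuff.net.
_udp    IN  NS   dc2.microstuff.net.
```

Before loading it, `named-checkzone microstuff.net microstuff.net.zone` catches syntax and delegation-glue mistakes; a resolver following the delegation then finds the SRV record on the W2003 side and its target "A" record on BIND without the client caring which server answered.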


