AD & DNS??
Barry Finkel
b19141 at achilles.ctd.anl.gov
Mon Jan 19 16:41:07 UTC 2004
fih" <frhak at hotmail.com> wrote:
>I like to start a conversation regarding DNS and AD. I like to get in
>contact with people running DNS for companies with more than 20000 hosts.
>
>Basically these are the facts:
>
>At our 60000 users company it's blowing a heavy Microsoft Active Directory
>wind. Microsoft have recommended our AD team to create one global AD zone,
>we can call it microstuff.net. We are also currently using a geographical
>DNS namespace under our own root name servers. We manage our geographical
>and reverse zones with QIP. (We have lately been looking at Nominum's very
>interesting DNS solution, which might replace QIP in the future.)
>
>My thinking was that I will delegate microstuff.net to AD DNS servers and
>they would have their SRV records in their huge global zone, and the
>A-records would be located in the geographical zone as usual with PTR
>pointing back to the GEO zone. In my world this would be a good DNS
>solution, except for maybe the global SRV record zone.
>
>When I have been discussing this with Microsoft they recommend us to have AD
>members A-records in the global AD zone microstuff.net along with the SRV
>records, because programmers sometimes take for granted that the A-records
>exist in the same zone as the SRV records.
>
>We have been discussing three solutions:
>
>1. A-records in geographical zones with corresponding PTR records. SRV
>records in the AD zone microstuff.net. (This is what I want but is
>deprecated by Microsoft)
>
>2. A-records and SRV-records in microstuff.net and corresponding
>PTR-records. (This is what Microsoft wants)
>
>3. A-records in geographical zones with corresponding PTR records. SRV
>records in the AD zone microstuff.net + an extra A-record for each AD member
>in microstuff.net. (This is a terrible compromise since all AD members will
>have two A-records and one PTR record.)
>
>I like to know how other great companies have solved this.
I know that there already have been replies to this mail. Here is my
reply:
1) Check the archives of this group and its sister group
bind9-users at isc.org
There have been many BIND/AD-related postings in the past years.
2) If you are going to have a BIND slave to the W2003/AD zones, then
I recommend having only one W2003 DNS master. There may (will?) be
serial number issues for the BIND slave if there are more than one
master (see MS article 282826).
3) What DNS servers are configured today for the W2k workstations?
If the configuration points to your BIND boxes, then take the AD
zones (with the SRV records) and have them slaved on your BIND.
That way, the DNS configuration on the W2k workstations does not
have to change.
4) I am not sure what is the controversy about the location of the "A"
records. If the AD zone is
Microstuff.net
then the "A" records for the DCs must be in the
Microstuff.net
zone. If you delegate the "_" zones (four or six, depending upon the
domain) to a W2003 DNS Server and place the Microstuff.net forward
zone on a BIND box, then the "A" records will be on the BIND box.
>When I have been discussing this with Microsoft they
>recommend us to have AD members A-records in the global AD
>zone microstuff.net along with the SRV records, because
>programmers sometimes take for granted that the A-records
>exist in the same zone as the SRV records.
Why would a programmer need to know what DNS server they will find
SRV records or "A" records on? Assuming that the zone delegations are
correct, a programmer would issue a DNS query (to one of the DNS
servers configured for his/her machine) and an answer would be
returned. The only times I care which server handles my DNS requests
are when I am debugging a DNS problem.
6) I am not sure of your plans for Dynamic DNS (DDNS). I assume that
you want the "_" zones to be dynamic, and thus they belong on the
W2003 DNS. If you want the rest of the zone static, then place it
on a BIND box.
----------------------------------------------------------------------
Barry S. Finkel
Computing and Instrumentation Solutions Division
Argonne National Laboratory
9700 South Cass Avenue
Building 222, Room D209
Argonne, IL 60439-4828
Phone: +1 (630) 252-7277
Facsimile: +1 (630) 252-4601
Internet: BSFinkel at anl.gov
IBMMAIL: I1004994
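The point made in item 4 and in the "Why would a programmer need to know" paragraph, shown as an added example that is not part of the thread: an in-memory model of design option 1, with the SRV records in the AD zone on one server and the A and PTR records in geographical zones on another. A client locating a domain controller follows the SRV target to its A record without knowing which zone or server holds it, and the same walk doubles as the audit an administrator would run before trusting the split (a target with no A record, or whose reverse PTR does not point back). Every name, address, record and the server split below is a constructed assumption for this example, not data from the thread or from any real deployment.

```python
"""Added example: SRV -> A -> PTR walk across a split AD / geographical DNS design.

The two dictionaries stand in for two authoritative servers. Which one holds
a given record is invisible to lookup(), exactly as it is to a real stub
resolver once the delegations are correct. All data is constructed.
"""
import ipaddress

# Assumed W2003 DNS server: the dynamic "_" zones under the AD zone.
AD_SERVER = {
    "_ldap._tcp.dc._msdcs.microstuff.net.": {
        "SRV": [  # (priority, weight, port, target)
            (0, 100, 389, "dc1.stockholm.geo.example."),
            (0, 100, 389, "dc2.chicago.geo.example."),
            (10, 50, 389, "dc3.oslo.geo.example."),
            (10, 50, 389, "dc4.lyon.geo.example."),  # constructed: no A record anywhere
        ],
    },
}

# Assumed BIND server: static geographical forward zones plus matching
# reverse zones, as a tool like QIP would manage them.
BIND_SERVER = {
    "dc1.stockholm.geo.example.": {"A": ["10.1.0.5"]},
    "dc2.chicago.geo.example.":   {"A": ["10.2.0.5"]},
    "dc3.oslo.geo.example.":      {"A": ["10.3.0.5"]},  # constructed defect: PTR never added
    "5.0.1.10.in-addr.arpa.":     {"PTR": ["dc1.stockholm.geo.example."]},
    "5.0.2.10.in-addr.arpa.":     {"PTR": ["dc2.chicago.geo.example."]},
}

SERVERS = [AD_SERVER, BIND_SERVER]


def lookup(name, rtype):
    """Behave like a stub resolver: return the RRset from whichever server
    holds it. The caller never learns (or needs) which server answered."""
    for server in SERVERS:
        rrset = server.get(name, {}).get(rtype)
        if rrset is not None:
            return list(rrset)
    return []


def reverse_name(addr):
    """Owner name of the PTR record for an IPv4/IPv6 address."""
    return ipaddress.ip_address(addr).reverse_pointer + "."


def resolve_service(service):
    """Follow SRV -> A the way a client locating a domain controller does.
    Returns (target, port, addresses) in priority/weight order."""
    results = []
    for _prio, _weight, port, target in sorted(lookup(service, "SRV")):
        results.append((target, port, lookup(target, "A")))
    return results


def audit_service(service):
    """Administrator's check of the split: one finding per SRV target whose
    A record is missing or whose PTR does not point back at the target."""
    findings = []
    for target, _port, addrs in resolve_service(service):
        if not addrs:
            findings.append((target, "no A record"))
            continue
        for addr in addrs:
            if target not in lookup(reverse_name(addr), "PTR"):
                findings.append((target, f"PTR for {addr} does not match"))
    return findings


if __name__ == "__main__":
    svc = "_ldap._tcp.dc._msdcs.microstuff.net."
    for target, port, addrs in resolve_service(svc):
        print(f"{target} port {port} -> {addrs or 'NO A RECORD'}")
    for target, problem in audit_service(svc):
        print(f"WARN {target}: {problem}")
```

Run as-is it lists the four LDAP targets and warns about dc3 (no PTR) and dc4 (no A record); swapping BIND_SERVER for a real query function would turn audit_service() into the forward/reverse consistency check worth running after every option-1 or option-3 change.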