Bind9 and Active Directory

Martin McCormick martin at
Fri Jan 30 04:41:53 UTC 2004

	We are running a test  setup to support Microsoft Active
Directory under bind9.

	In the past, I followed the suggestion in DNS and Bind Fourth
Edition Chapter 16.8.4, I think, that suggests one run a base zone
that is the AD domain name plus 4 sub-zones of the form
_msdcs.domainname, _tcp.domainname, etc.  The domain controllers are
allowed to update the SRV records in those sub-zones.

	I liked that approach because it is nice and safe.

	In our test setup, there are many cooks and the broth is
getting a bit full of ingredients.  I was asked to set up the base
zone and let the controllers update it.  I did this and most of their
SRV and other records seem to be going into the base zone, but an odd
one here and there seems to go to the _xx sub-zones.

	If I let the controllers modify the base zone, do I really
need all those sub-zones?

	Besides the _xx.domain zones, there are now two more record
types called forestdnszones and domainzones.  The folks in the group
working with us are concerned that there will be lots of new record
types coming in so I would like to use the simplest mechanism that
lets the controllers write all their records.

	At least the base zone is not the top level of our domain so
the activity is contained in a sandbox to some extent.

	This is kind of like the second solution listed in Chapter 16.

	Basically, if the domain controllers update the AD domain
directly, do we need the sub-zones of _xx, forestdnszones and
domainzones plus others to follow?

	Thank you.

Martin McCormick WB5AGZ  Stillwater, OK 
OSU Information Technology Division Network Operations Group
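The "nice and safe" layout the post describes, as an added named.conf example that is not from the original post or from the BIND project: the base zone stays static and only the delegated sub-zones accept dynamic updates, so a domain controller can register its SRV records without being able to rewrite anything else in the domain. The domain name ad.example.com, the controller addresses and the file paths are constructed placeholders; where the controllers can sign their updates, a key-based allow-update is the tighter control than this address ACL.

```conf
// Added example, not part of the original post. Constructed values:
// ad.example.com is the AD domain, 192.0.2.10/11 are the domain controllers.
acl domain-controllers { 192.0.2.10; 192.0.2.11; };

// Base zone: hand-maintained file, dynamic updates refused outright.
// Its zone file carries an NS record delegating each sub-zone below
// back to this server, e.g.  _msdcs  IN NS  ns1.ad.example.com.
zone "ad.example.com" {
    type master;
    file "master/ad.example.com";
    allow-update { none; };
};

// Sub-zones the controllers register SRV records into. Updates are
// accepted only from the controller ACL; everything else is refused,
// and a compromised or misconfigured controller can only damage these.
zone "_msdcs.ad.example.com" {
    type master;
    file "dynamic/_msdcs.ad.example.com";
    allow-update { domain-controllers; };
};
zone "_sites.ad.example.com" {
    type master;
    file "dynamic/_sites.ad.example.com";
    allow-update { domain-controllers; };
};
zone "_tcp.ad.example.com" {
    type master;
    file "dynamic/_tcp.ad.example.com";
    allow-update { domain-controllers; };
};
zone "_udp.ad.example.com" {
    type master;
    file "dynamic/_udp.ad.example.com";
    allow-update { domain-controllers; };
};

// The two newer names the post asks about, handled the same way so they
// cannot spill into the base zone either.
zone "ForestDnsZones.ad.example.com" {
    type master;
    file "dynamic/ForestDnsZones.ad.example.com";
    allow-update { domain-controllers; };
};
zone "DomainDnsZones.ad.example.com" {
    type master;
    file "dynamic/DomainDnsZones.ad.example.com";
    allow-update { domain-controllers; };
};
```

A quick check after loading this is to send a test update against the base zone from a controller address and confirm named logs it as refused, while the same update against _tcp.ad.example.com succeeds.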

