Bind9 and Active Directory

Barry Finkel b19141 at achilles.ctd.anl.gov
Fri Jan 30 16:47:00 UTC 2004 

Martin McCormick <martin at dc.cis.okstate.edu> wrote:

>	We are running a test  setup to support Microsoft Active
>Directory under bind9.
>
>	In the past, I followed the suggestion in DNS and Bind Fourth
>Edition Chapter 16.8.4, I think, that suggests one run a base zone
>that is the AD domain name plus 4 sub-zones of the form
>_msdcs.domainname, _tcp.domainnane, etc.  The domain controllers are
>allowed to update the SRV records in those sub-zones.
>
>	I liked that approach because it is nice and safe.
>
>	In our test setup, there are many cooks and the broth is
>getting a bit full of ingredients.  I was asked to set up the base
>zone and let the controllers update it.  I did this and most of their
>SRV and other records seem to be going in to the base zone, but an odd
>one here and there seems to go to the _xx sub-zones.
>
>	If I let the controllers modify the base zone, do I really
>need all those sub-zones?
>
>	Besides the _xx.domain zones, there are now two more record
>types called forestdnszones and domainzones.  The folks in the group
>working with us are concerned that there will be lots of new record
>types coming in so I would like to use the simplest mechanism that
>lets the controllers write all their records.
>
>	At least the base zone is not the top level of our domain so
>the activity is contained in a sandbox to some extent.
>
>	This is kind of like the second solution listed in Chapter 16.
>
>	Basically, if the domain controllers update the AD domain
>directly, do we need the sub-zones of _xx, forestdnszones and
>domainzones plus others to follow?

I am not sure what you mean by

     I did this and most of their SRV and other records seem to be
     going in to the base zone, but an odd one here and there seems
     to go to the _xx sub-zones.

Please give examples of the zone names (or give us the real zone names).
In the domain

     anl.gov

there are SIX "_" zones"

     _msdcs.anl.gov
     _sites.anl.gov
     _tcp.anl.gov
     _udp.anl.gov
     _DomainDNSZones.anl.gov
     _ForestDNSZones.anl.gov

The last two are new for Windows 2003.  The SRV/CNAME records for
anl.gov are placed in these zones.  I have a number (20) of
sub-domains, one being

     hep.anl.gov

In that domain there are four "_" zones

     _msdcs.hep.anl.gov
     _sites.hep.anl.gov
     _tcp.hep.anl.gov
     _udp.hep.anl.gov

and the SRV/CNAME records for hep.anl.gov are placed in these four
zones.

Note that the zones

     anl.gov
     hep.anl.gov

are confined to my BIND boxes and NOT subject to DDNS.  I ignore the
DDNS registration attempts (from self-registration of the DCs and
from DC's trying to register their "A" records) and the resulting
BIND syslog messages.
----------------------------------------------------------------------
Barry S. Finkel
Computing and Instrumentation Solutions Division
Argonne National Laboratory          Phone:    +1 (630) 252-7277
9700 South Cass Avenue               Facsimile:+1 (630) 252-4601
Building 222, Room D209              Internet: BSFinkel at anl.gov
Argonne, IL   60439-4828             IBMMAIL:  I1004994

More information about the bind-users mailing list