bind vs. MS DNS

Robert Lowe Robert.H.Lowe at lawrence.edu
Thu Jun 17 16:58:39 UTC 2004



Barry Finkel wrote:

> Kevin Darcy (I believe) responded to a posting:
>  
> 
>>>>>Now, if you want to make secure Dynamic 
>>>>>Updates directly from Win2K (or Win2K3) clients to the DNS of your main 
>>>>>domain, then you're not going to be able to use BIND for that. But
>>>>>technically that's not an Active Directory function; it's a Win2K* 
>>>>>function, and one that many folks find to be not worth the resources it 
>>>>>consumes. Depends on what you're trying to achieve.
> 
>  
> and Robert Lowe <Robert.H.Lowe at lawrence.edu> replied:
> 
> 
>>>>We turn off DDNS in all of our client images.  Client-initiated dynamic
>>>>updates is a bad idea anyway.  We use TSIG signed updates from ISC's
>>>>DHCP server for the few zones where we do DDNS.  DHCP is probably
>>>>another aspect of this discussion regarding migration too.  :-(
> 
>  
> and I replied:
> 
> 
>>>We attempt to turn off DDNS on all our W2k machines.  But DCs need
>>>self-registration enabled in order for the DC to register its SRV
>>>records.
> 
> 
> and Robert Lowe <Robert.H.Lowe at lawrence.edu> replied:
> 
> 
>>No, this can be turned off.  See the MS article I referenced earlier.
>>So that the archives pick it up, I'll insert the first part of the
>>appropriate section below, and a piece regarding Windows Server 2003.
> 
> 
> I believe that if one takes a DC and turns off self-registration in
> TCP/IP properties, then that DC will NOT register its SRV records in
> DNS.  I believe that the registry setting referenced in MS article 
> 
>      816592 HOW TO: Configure DNS dynamic update in Windows 2003
> 
> affects whether the DC will do DDNS for the SRV records or will produce
> a netlogon.dns file (that can be $INCLUDEd into a BIND zone file, as
> I did in my initial W2k DNS testing).
> 
> In my setup I want each DC to register its SRV records dynamically in
> my MS W2k+3 DNS Server, but I do NOT want the DCs to do DDNS
> self-registration, which I do not allow on my BIND servers.  If I
> disable self-registration, then I disable SRV DDNS at the same time.

Correct.  All I was suggesting for the OP was that these zones do
not normally change and that they could be easily maintained manually
if he wanted to host all of his zones on BIND.  Or, he could start
by allowing the DCs to dynamically update the zones, then disable
the updates on the DCs, and turn the zones into manually maintained
zones.  He has three options:

1. Host all zones on MS-DNS
2. Host only the "underscore" zones on MS-DNS, and all others on BIND
3. Host all zones on BIND, with suboptions:
    a. Make "underscore" zones dynamic, allowing updates by IP address
    b. Make "underscore" zones manually maintained

All of these are workable with an ADS environment.

-Robert

> We have an open trouble ticket with MS on a related issue (EventID
> 40961), and I will suggest to MS that they decouple self-registration
> and registration of SRV records.
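As an added illustration of option 3 above (not from the thread, and not any poster's own configuration), a BIND named.conf fragment hosting the AD "underscore" zones; zone names, addresses, file paths and key material are placeholders:

```conf
// Assumed AD domain: example.com. Addresses, file names and the key are
// placeholders chosen for this example.

// TSIG key used by ISC DHCP for the zones it updates (earlier post in thread).
key "dhcp-update-key" {
    algorithm hmac-md5;
    secret "PLACEHOLDER-BASE64-SECRET==";
};

acl domain-controllers { 192.0.2.10; 192.0.2.11; };

// Option 3a: dynamic underscore zones, updates permitted by DC source address.
// An IP-based allow-update trusts the packet's source address only, so keep
// the ACL to the DCs and block transfers; log and review the journal files.
zone "_msdcs.example.com" {
    type master;
    file "dynamic/_msdcs.example.com.db";
    allow-update { domain-controllers; };
    allow-transfer { none; };
};
zone "_sites.example.com" {
    type master;
    file "dynamic/_sites.example.com.db";
    allow-update { domain-controllers; };
    allow-transfer { none; };
};
zone "_tcp.example.com" {
    type master;
    file "dynamic/_tcp.example.com.db";
    allow-update { domain-controllers; };
    allow-transfer { none; };
};

// Option 3b: the same records kept as a manually maintained zone. The zone
// file "static/_udp.example.com.db" would $INCLUDE the DC's netlogon.dns
// output (as described earlier in the thread); no updates are accepted.
zone "_udp.example.com" {
    type master;
    file "static/_udp.example.com.db";
    allow-update { none; };
    allow-transfer { none; };
};

// Zone updated by ISC DHCP with signed updates rather than by address:
// only holders of the TSIG key may change names under the zone.
zone "dyn.example.com" {
    type master;
    file "dynamic/dyn.example.com.db";
    update-policy { grant dhcp-update-key subdomain dyn.example.com ANY; };
    allow-transfer { none; };
};
```

Check the result with `named-checkconf` before reloading; the mixed layout lets the SRV-bearing zones be frozen later (option 3b) without touching the DHCP-updated zone.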


