bind-users Digest V6 #299

Barry Finkel b19141 at
Fri Nov 12 15:14:20 UTC 2004

>> My replies to Norman Zhang
>  Norman Zhang <norman.zhang at> replies to mine

>Thanks for your reply. The rndc key works fine. I think it has been 
>discussed here before, but I can't recall why. I've just added _msdcs, 
>_sites, _tcp, _udp zones to the already running named.conf. I tried 
>converting them to, but still couldn't update.

>> What are you trying to get AD to register?  The SRV and CNAME records
>> in the four/six "_" zones?  How have you set up these MS zones?  If
>> you have used AD-integrated with secure updates, then the MS security
>> model is not implemented in BIND, so the DDNS updates will fail.
>> If you are using non-secure updates, then this should work.

>The zone files are created and placed under /var/named/ with 
>uid.gid=named.named. This is W2K3 box just got upgraded from NT is 
>trying to become a DC by registering AD entries in BIND. I don't think 
>it uses any secure updates. How do I check? I grep the log under 
>/var/log/, but couldn't find the denied activity. Is there a specific 
>entry that I should grep for?

>> If you are trying to get individual W2k/W2k+3 machines to register
>> themselves via DHCP, then I am not sure what the problem might be.
>> Are you having the DHCP server register both forwards and reverses?
>> If so, are both registrations failing? I am not a DHCP expert, and I
>> suggest finding a newsgroup for your DHCP software.

>My W2K3 has a static IP and it has already been entered in zone files. I 
>would like to enable it to update the SRV and CNAME entries in the "_" 
>zone files. DHCP so far has no problem registering PTR and A records for 
>IPs that it gives out. Do you see any conflicts with my config above?

A few things I can suggest.

1) Run a packet sniffer on the BIND box to see what packets are
   arriving.  Stop/start the Netlogon Service on the DC to force the
   DC to re-register its CNAME and SRV records.

2) Look for Event Log entries on the DC.  The Netlogon Service should
   produce events if something fails.

3) Ensure that self-registration is ENABLED for the DC.  If 
   self-registration is disabled on a DC, the Netlogon process will
   not attempt to register its CNAME and SRV records.  I have no idea
   why the MS code is written this way, as self-registration and
   CNAME/SRV record registrations are two different and unrelated DDNS
   activities.  I am not sure if this case will produce Event Log
   entries, as you have told the operating system not to do DDNS.

Barry S. Finkel
Computing and Information Systems Division
Argonne National Laboratory          Phone:    +1 (630) 252-7277
9700 South Cass Avenue               Facsimile:+1 (630) 252-4601
Building 222, Room D209              Internet: BSFinkel at
Argonne, IL   60439-4828             IBMMAIL:  I1004994
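The question above about which log entry to grep for is not answered in the thread; the following is an added example, not from either poster, showing the BIND 9 messages that a rejected dynamic update produces and a named.conf logging stanza that makes them appear. The log lines, the zone names and the client address 192.0.2.10 are constructed sample data, and the logging categories assumed are BIND 9's `update` and `update-security`.

```sh
#!/bin/sh
# Constructed sample of named log lines (not real data from the thread).
# Line 1 and 4: a plain (unsigned) update refused by the zone's update policy.
# Line 2: a successful update, which should NOT be flagged.
# Line 3: a signed update whose TSIG/GSS-TSIG signature BIND could not verify.
sample_log() {
cat <<'EOF'
Nov 12 15:01:12 ns1 named[1234]: client 192.0.2.10#49152: update '_msdcs.example.com/IN' denied
Nov 12 15:01:13 ns1 named[1234]: client 192.0.2.10#49153: updating zone 'example.com/IN': adding an RR at 'host1.example.com' A
Nov 12 15:01:14 ns1 named[1234]: client 192.0.2.10#49154: request has invalid signature: TSIG example-key: tsig verify failure (BADKEY)
Nov 12 15:01:15 ns1 named[1234]: client 192.0.2.10#49155: update '_tcp.example.com/IN' denied
EOF
}

# Filter for the entries that mean "DDNS update rejected": policy denials
# (with or without update forwarding) and signature failures on signed updates.
update_failures() {
    grep -E "update (forwarding )?'[^']+' denied|request has invalid signature|request is not signed"
}

# Count of rejected updates in the sample; on a live server replace
# sample_log with e.g. "grep named /var/log/messages".
count_update_failures() {
    sample_log | update_failures | wc -l | tr -d ' '
}

# Logging stanza (assumed BIND 9 syntax) that writes update activity and
# denials to their own file so they are easy to grep.
logging_stanza() {
cat <<'EOF'
logging {
    channel ddns_log {
        file "/var/log/named-update.log" versions 3 size 5m;
        severity info;
        print-time yes;
    };
    category update          { ddns_log; };
    category update-security { ddns_log; };
};
EOF
}

sample_log | update_failures
```

Unsigned updates that are refused show up as `update '<zone>/IN' denied`; an update the DC sent with GSS-TSIG that BIND cannot verify shows up as an invalid-signature message instead.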
