BIND and AD integration

Martin McCormick martin at dc.cis.okstate.edu
Mon Apr 11 20:27:20 UTC 2005


"Tom Schmitt" writes:
>Yep. This is the way we did it too. And it works fine with Windows2003.
>

	One little point, here.  With Windows2003, there are two more
zones you have to set up.  For some reason, these don't start with
the _ or underscore character.  They are

forestdnszones    and

domaindnszones

	Just set them up like the other 4 and you might also make the
base zone of whatever you call your Active Directory domain as a
separate zone.

	As an example, we have okstate.edu as our domain name.  If I
was setting up advice.okstate.edu as an AD domain, I would build
advice.okstate.edu, _msdcs.advice.okstate.edu, etc.,
forestdnszones.advice.okstate.edu and
domaindnszones.advice.okstate.edu.

	A shell script comes in very handy to get it all right and
then you include the addresses of the AD controllers for all seven of
your new zones.

	You can more or less get away without creating that base zone,
but the administrators of that zone will usually complain that their
controllers can't update that zone.  They usually write a couple of A
records for the domain into the zone.  I am not sure if you can't
just manually put those in, but for the sake of calm, I let them write
to their root zone.  They can't damage anything else but those seven
zones.

	Be sure to look at your security.log files afterwards and make
sure that what you think is happening really is.  This isn't rocket
science, but it is picky in that it is sometimes easy to get a small
housekeeping error in your file names or the permission of the master
zones and have a zone or two not update.  Nobody will notice if you
aren't watching so be sure it is all working before sitting back after
creating an AD setup.

Martin McCormick WB5AGZ  Stillwater, OK 
OSU Information Technology Division Network Operations Group
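As an added example (not from Martin's post or from ISC), here is a POSIX shell script of the kind the post suggests: it prints BIND 9 zone stanzas for the seven zones an AD domain needs, with dynamic updates allowed only from the controller addresses you pass in. The four underscore zones (_msdcs, _sites, _tcp, _udp) are the standard AD ones the post refers to as "the other 4"; the `dynamic/ad-` file layout and the sample addresses are assumptions.

```shell
#!/bin/sh
# Added example, not code from the original post or from ISC BIND.
# Usage: gen_ad_zones <ad-domain> <controller-ip> [controller-ip ...]
# The "dynamic/ad-<zone>.db" file layout is an assumption; adjust to yours.

# The seven zones: the base zone, the four standard underscore zones
# (the post names _msdcs; _sites, _tcp and _udp are the other three),
# and the two non-underscore zones Windows 2003 added.
ad_zones() {
    dom=$1
    for z in "" _msdcs. _sites. _tcp. _udp. forestdnszones. domaindnszones.; do
        printf '%s%s\n' "$z" "$dom"
    done
}

# Build the allow-update address list from the controller IPs given,
# so only the domain controllers can write to these zones.
acl_body() {
    out=""
    for ip in "$@"; do out="$out $ip;"; done
    printf '%s' "${out# }"
}

# Emit one master zone stanza per zone; output goes to stdout so it can
# be reviewed before being included from named.conf.
gen_ad_zones() {
    dom=$1; shift
    [ $# -ge 1 ] || { echo "need at least one controller address" >&2; return 1; }
    upd=$(acl_body "$@")
    ad_zones "$dom" | while read -r zone; do
        cat <<EOF
zone "$zone" {
    type master;
    file "dynamic/ad-$zone.db";
    allow-update { $upd };
};

EOF
    done
}

# When run as a script with arguments, e.g. (constructed sample values):
#   sh gen_ad_zones.sh advice.okstate.edu 10.0.0.1 10.0.0.2
if [ "${1:-}" != "" ]; then gen_ad_zones "$@"; fi
```

Create the seven empty master zone files (SOA and NS records, owned by the user named runs as) before reloading, then watch the security log for denied updates as the post advises.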
