Delegate from BIND to Windows 2003 DNS (AD Zone)

Wed Apr 13 19:32:06 UTC 2005

First, thanks all for update :)

Barry Finkel a =E9crit :
> FabriceR <nospam at spam.net> wrote:
>
> All you need to do is this:
>=20
>    1) If you are using the W2k AD multi-master DNS, then choose ONE
>       of the DNS Servers to be the "master".  Say, dc1.
>=20
>    2) Add this delegation line to the=20
>=20
>           compagny.fr
>=20
>       zone:
>=20
>           ad  IN  NS  dc1.ad.compagny.fr

OK. I remove all related info (stub and NS,A record) about ad in BIND=20
DNS then :

$ nsupdate
 > update add dc1.ad.compagny.fr. 86400 IN A 192.168.7.17
 > update add ad.compagny.fr. 86400 IN NS dc1.ad.compagny.fr.
 >
 > CTRL-D
$
$ tcpdump host 192.168.7.17 &
$
$ dig NS ad.compagny.fr.

; <<>> DiG 9.2.1 <<>> NS ad.compagny.fr.
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 30276
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; QUESTION SECTION:
;ad.compagny.fr.            IN      NS

;; ANSWER SECTION:
ad.compagny.fr.     86400   IN      NS      dc1.ad.compagny.fr.

;; ADDITIONAL SECTION:
dc1.ad.compagny.fr. 86400 IN   A       192.168.7.17

;; Query time: 1 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Wed Apr 13 19:59:56 2005
;; MSG SIZE  rcvd: 75

$ dig host1.ad.compagny.fr.

; <<>> DiG 9.2.1 <<>> host1.ad.compagny.fr.
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 49932
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;host1.ad.compagny.fr.   IN      A

;; Query time: 1337 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Wed Apr 13 20:00:07 2005
;; MSG SIZE  rcvd: 45

$

In the log :
Apr 13 20:00:07 dnsbind named[7248]: MAXQUERIES exceeded, possible data=20
loop in resolving (host1.ad.compagny.fr)

Note that there is no network trafic (tcpdump) ...

So I think that my BIND DNS don't want to pass query to=20
dc1.ad.compagny.fr ! :(

> I would suggest that you make your BIND servers slave servers for the
>=20
>      ad.compagny.fr
>=20
> zone.  That way, all of your zones will be on BIND servers that the
> clients can query.  If clients already have the BIND servers in their
> TCP/IP configuration, then they can continue to query those BIND server=
s
> and not have to know about the W2k AD DNS Server(s), and a query to
> the BIND servers will not result in that query being forwarded to the
> W2k DNS Servers to get an authoritative answer.

Ok, It's a good idea ! In a first time, I want to make work and well=20
understand delegation/stub ...

> Note that if you use the W2k multi-master configuration, and you have
> BIND slaves, then you might experience zone serial number problems.
> See MS KB article 282826.  It is for that reason that I have only ONE
> MS W2k+3 DNS Server (and four DCs).
>=20
> For more details on WS W2k DNS and BIND interaction/integration, see
> the archives of this list (and of its late sister list
> bind9-users at isc.org), where there have been many postings in the past
> years.

Thank Kerry for information about "host -c" output.

In my mind, a stub zone allow to not maintain manually registrations NS=20
for a delegate zone. It is a delegation OR a stub zone. In fact, I=20
understand the possiblity offer by the combination (change forwarder=20
option, ...).

Best regards,
FabriceR.