Delegate from BIND to Windows 2003 DNS (AD Zone)

Barry Finkel b19141 at achilles.ctd.anl.gov
Thu Apr 14 13:54:58 UTC 2005 

>Barry Finkel a =E9crit :
>> FabriceR <nospam at spam.net> wrote:
>>
>> All you need to do is this:
>>
>>    1) If you are using the W2k AD multi-master DNS, then choose ONE
>>       of the DNS Servers to be the "master".  Say, dc1.
>>
>>    2) Add this delegation line to the
>>
>>           compagny.fr
>>
>>       zone:
>>
>>           ad  IN  NS  dc1.ad.compagny.fr
>
>
>OK. I remove all related info (stub and NS,A record) about ad in BIND
>DNS then :
>
>$ nsupdate
> > update add dc1.ad.compagny.fr. 86400 IN A 192.168.7.17
> > update add ad.compagny.fr. 86400 IN NS dc1.ad.compagny.fr.
> >
> > CTRL-D
>$
>$ tcpdump host 192.168.7.17 &
>$
>$ dig NS ad.compagny.fr.
>
>; <<>> DiG 9.2.1 <<>> NS ad.compagny.fr.
>;; global options:  printcmd
>;; Got answer:
>;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 30276
>;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
>
>;; QUESTION SECTION:
>;ad.compagny.fr.            IN      NS
>
>;; ANSWER SECTION:
>ad.compagny.fr.     86400   IN      NS      dc1.ad.compagny.fr.
>
>;; ADDITIONAL SECTION:
>dc1.ad.compagny.fr. 86400 IN   A       192.168.7.17
>
>;; Query time: 1 msec
>;; SERVER: 127.0.0.1#53(127.0.0.1)
>;; WHEN: Wed Apr 13 19:59:56 2005
>;; MSG SIZE  rcvd: 75
>
>$ dig host1.ad.compagny.fr.
>
>; <<>> DiG 9.2.1 <<>> host1.ad.compagny.fr.
>;; global options:  printcmd
>;; Got answer:
>;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 49932
>;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
>
>;; QUESTION SECTION:
>;host1.ad.compagny.fr.   IN      A
>
>;; Query time: 1337 msec
>;; SERVER: 127.0.0.1#53(127.0.0.1)
>;; WHEN: Wed Apr 13 20:00:07 2005
>;; MSG SIZE  rcvd: 45
>
>$
>
>In the log :
>Apr 13 20:00:07 dnsbind named[7248]: MAXQUERIES exceeded, possible data
>loop in resolving (host1.ad.compagny.fr)
>
>Note that there is no network trafic (tcpdump) ...
>
>So I think that my BIND DNS don't want to pass query to
>dc1.ad.compagny.fr ! :(

In this case you might have to add to the parent zone

     dc1.ad.compagny.fr. IN   A       192.168.7.17

In the output of your dig commands, there is no

     ;; flags: aa

which means that the response was not authoritative.  If you do not
have the 

     ad.compagny.fr

slaved on your BIND servers, then you probably have to add the glue
record above so that BIND knows authoritatively the address of the
AD DNS server.
----------------------------------------------------------------------
Barry S. Finkel
Computing and Information Systems Division
Argonne National Laboratory          Phone:    +1 (630) 252-7277
9700 South Cass Avenue               Facsimile:+1 (630) 252-4601
Building 222, Room D209              Internet: BSFinkel at anl.gov
Argonne, IL   60439-4828             IBMMAIL:  I1004994

More information about the bind-users mailing list