Forward Zone updated by Microsoft DNS

Barry Finkel b19141 at achilles.ctd.anl.gov
Wed Apr 20 13:58:27 UTC 2005


"Bruce A. Black" <bblack at iccu.com> wrote:

>>>I have been looking for information on how to get a Windows 2003 server
>>>to update a BIND 9 installation on Linux. The reverse zone updates but
>>>not the forward and I cannot figure out how to get it to work.
>>>
>>>Any help will be greatly appreciated.
>>>
>>>Thanks,
>>>
>>>Bruce
>>>
>>>My named.conf file is as follows:
>>>
>>>options {
>>>        directory "/var/named";
>>>        dump-file "/var/named/data/cache_dump.db";
>>>        statistics-file "/var/named/data/named_stats.txt";
>>>        /*
>>>         * If there is a firewall between you and nameservers you want
>>>         * to talk to, you might need to uncomment the query-source
>>>         * directive below.  Previous versions of BIND always asked
>>>         * questions using port 53, but BIND 8.1 uses an unprivileged
>>>         * port by default.
>>>         */
>>>        // query-source address * port 53;
>>>};
>>>
>>>controls {
>>>        inet 127.0.0.1 allow { localhost; } keys { rndckey; };
>>>};
>>>
>>>zone "." IN {
>>>        type hint;
>>>        file "named.ca";
>>>};
>>>
>>>
>>>zone "0.0.127.in-addr.arpa" IN {
>>>        type master;
>>>        file "named.local";
>>>};
>>>
>>>zone "domain.com" IN {
>>>        type master;
>>>        // notify no;
>>>        file "domain.com";
>>>        allow-update { 172.17.0.0/16; localhost; };
>>>};
>>>
>>>zone "5.17.172.in-addr.arpa" IN {
>>>        type master;
>>>        // notify no;
>>>        file "172.17.5";
>>>        allow-update { 172.17.0.0/16; localhost; };
>>>};
>>>
>>>// Following added by Bruce to keep log stuff out.
>>>logging {
>>>        category lame-servers { null; };
>>>
>>>};
>>>
>>>include "/etc/rndc.key";

I replied:

>>Exactly what are you trying to do?  Are you trying to get the W2k Server
>>to self-register in DNS?  It is not clear from what you wrote.  Is
>>the Server sending any DNS packets to the BIND server?  Are there
>>messages on the BIND side?  Are there Event Log records on the W2k side?
>>
>>As I read your subject line, I get an entirely different picture of
>>what you are trying to do.  Please explain your setup, and what
>>record(s) you are trying to register in the BIND server.  Are these
>>record(s) self-registration for the W2k Server?  Are they DC SRV
>>records?  Are they DNS registrations from a separate W2k workstation?

"Bruce A. Black" <bblack at iccu.com> replied:

>I am trying to make our primary DNS server a BIND server rather than a
>Windows Server. I will need to keep the DNS running on Windows as we
>have Active Directory, I just want a more reliable primary DNS server.
>So, I am following the steps outlined in:
>
>http://www.microsoft.com/technet/archive/interopmigration/linux/mvc/win2kcd.mspx
>
>Of course I am trying to go from Windows to Linux/BIND.
>
>In the final steps it says to run ipconfig /registerdns on the Windows
>box. After doing this I started getting updates on the reverse zone but
>not the forward zone. I have not been able to get the Windows server to
>move all of its records to the BIND server.

I still am confused.  It appears that you want to move your primary
DNS server from MS W2k DNS to BIND.  But you write, "I will need to
keep the DNS running on Windows as we have Active Directory."

I am not sure what your final DNS setup will be.  What will be on the
MS W2k DNS Server?  Let me suggest the configuration I have:

1) All the zones (except for the AD zones) are on a BIND 9 server,
   and I do not allow DDNS.  I manually enter the "A" record for a
   DC if the requestor informs me that the machine to be registered is
   a DC.

2) I have delegated to the MS W2k+3 Server these zones:

        _msdcs.example.com
        _sites.example.com
        _tcp.example.com
        _udp.example.com
        DomainDNSZones.example.com
        ForestDNSZones.example.com

3) I have four DCs, but ONLY ONE runs DNS, due to potential zone serial
   number problems.  See MS KB 282826.

4) I have these six zones slaved on my BIND server.  I also have 20
   sets of the four "_" zones for AD subdomains of example.com.

5) The MS W2k+3 DNS Server is a "hidden" master, as all of the clients
   query my BIND servers.  But I allow MS secure-DDNS updates to the
   MS DNS Server (primarily SRV and CNAME record updates from DCs).

6) I do have one forward and five reverse DDNS zones on the MS W2k+3
   server for one client who insisted on the setup.  All the DDNS
   is from the DCs or from a MS W2k DHCP Server, which registers
   client machines.

Getting back to your problem - 

> I started getting updates on the reverse zone but not the forward zone.

Are the forward zone DDNS requests being sent to the BIND server?
Are there messages in the BIND syslog?  What about in the dns.log
file on the MS W2k DNS Server?  Have you allowed DDNS to the forward
zone?

> I have not been able to get the Windows server to move all of its
> records to the BIND server.

Why not define the zone to the BIND server as a slave?  Once the records
have been transferred, change the DNS configuration so that the BIND
server is the master.  This is the easiest way to copy/move zone data.
----------------------------------------------------------------------
Barry S. Finkel
Computing and Information Systems Division
Argonne National Laboratory          Phone:    +1 (630) 252-7277
9700 South Cass Avenue               Facsimile:+1 (630) 252-4601
Building 222, Room D209              Internet: BSFinkel at anl.gov
Argonne, IL   60439-4828             IBMMAIL:  I1004994
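The layout Barry describes (parent zone on BIND with no dynamic updates, the six AD zones delegated to the single MS DNS server and slaved back, and a slave-then-master step for moving a zone off Windows) as a named.conf sketch. This is an added example written for this page, not configuration from either message; the addresses 192.0.2.10 (MS DNS server) and 192.0.2.53 (BIND server), the file names and the `slaves/` directory are assumptions.

```conf
// Added example: named.conf sketch of the layout described in the thread.
// Assumed (not from the thread): the MS DNS server, the only DC running
// DNS, is 192.0.2.10; this BIND server is 192.0.2.53; AD domain example.com.

options {
        directory "/var/named";
        // Only the two servers may pull full zone copies; everyone else
        // gets ordinary queries only.
        allow-transfer { 192.0.2.10; 192.0.2.53; };
};

// 1) The parent zone stays on BIND and accepts no dynamic updates.
//    DC "A" records are entered by hand, and the six AD zones are
//    delegated with NS records inside example.com.db (see note below).
zone "example.com" IN {
        type master;
        file "example.com.db";
        allow-update { none; };
};

// 2) The zones the DCs must update live on the MS DNS server, which is
//    a hidden master: BIND slaves them, so clients keep querying BIND.
zone "_msdcs.example.com" IN {
        type slave;
        file "slaves/_msdcs.example.com.db";
        masters { 192.0.2.10; };
};
zone "_sites.example.com" IN { type slave; file "slaves/_sites.example.com.db"; masters { 192.0.2.10; }; };
zone "_tcp.example.com"   IN { type slave; file "slaves/_tcp.example.com.db";   masters { 192.0.2.10; }; };
zone "_udp.example.com"   IN { type slave; file "slaves/_udp.example.com.db";   masters { 192.0.2.10; }; };
zone "DomainDNSZones.example.com" IN { type slave; file "slaves/DomainDNSZones.example.com.db"; masters { 192.0.2.10; }; };
zone "ForestDNSZones.example.com" IN { type slave; file "slaves/ForestDNSZones.example.com.db"; masters { 192.0.2.10; }; };

// 3) Moving a zone that is still held by MS DNS: first slave it from the
//    Windows server so BIND pulls a complete copy by zone transfer ...
zone "domain.com" IN {
        type slave;
        file "slaves/domain.com.db";
        masters { 192.0.2.10; };
};
// ... then, once the transfer has completed, replace the stanza above with
// a master definition on the transferred file and repoint the clients
// (and the Windows server's own resolver) at BIND:
//
// zone "domain.com" IN {
//         type master;
//         file "domain.com.db";
//         allow-update { none; };
// };
```

The delegation itself is carried by records in `example.com.db`, one pair per AD zone, for example `_msdcs IN NS msdns.example.com.` with the glue `msdns IN A 192.0.2.10`; the `slaves/` directory must exist and be writable by the user named runs as. After `rndc reload`, the BIND syslog should show a "transfer of '_msdcs.example.com/IN' from 192.0.2.10#53" line for each slaved zone, and `dig @192.0.2.53 _ldap._tcp.example.com SRV` should return the DC records from the Windows side. The reason this layout keeps `allow-update` off the BIND-held zones is worth noting: an `allow-update { 172.17.0.0/16; ... }` list, as in Bruce's named.conf, authorises updates on nothing more than the source address of the UDP packet, so the only hosts that can change the parent zone are the ones that are supposed to, and the secure updates from the DCs stay on the MS server that can verify them.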
