Setup W2k Active Directory with BIND

Mark Andrews Mark_Andrews at isc.org
Wed Aug 17 00:39:31 UTC 2005 

Q: Can a NS record refer to a CNAME.

A: No.  The rules for glue (copies of the *address* records in the parent
   zones) and additional section processing do not allow it to work.

   You would have to add both the CNAME and address records (A/AAAA)
   as glue to the parent zone and have CNAMEs be followed when doing
   additional section processing to make it work.  No namesever
   implementation supports either of these requirements.

> Dear all,
> 
> For the past few days I have been trying to run dcpromo on a W2k box,
> which uses BIND rather than MS-DNS. I found (and used) much
> documentation on the internet (including this newsgroup) on how to set
> this up. I also have a copy of the fourth edition of O'Reilly's "DNS
> and BIND" by Paul Albitz and Cricket Liu, which explains the topic
> clearly, however I keep running into the same problem: dcpromo tells
> me:
> 
> The wizard cannot contact the DNS server that handles the name
> "win2k.example.com" to determine if it supports dynamic update. Confirm
> your DNS configuration, or install and configure a DNS server on this
> computer.
> 
> I am running BIND 9.2.5 and the Windows 2000 box has Service Pack 4
> installed. The IP address of the BIND server is 10.0.2.4. Its name is
> bind.example.com and a CNAME record named ns1.example.com points to it.
> 
> The IP address for the W2k box is 10.0.2.5. My main domain is
> "example.com" (for purposes of non-disclosure) and I am trying to get
> the Windows box registered in "win2k.example.com". The Windows machine
> also has its Primary DNS suffix set to win2k.example.com.
> 
> I have included my configuration files below. Any suggestions and help
> are greatly appreciated!
> 
> ===============
> /etc/named.conf
> ===============
> logging {
>         channel logfile {
>                 file "/var/log/named";
>                 print-time yes;
>                 severity info;
>                 print-category yes;
>                 print-severity yes;
>         };
>         category "default"      { "logfile"; };
> };
> 
> options {
>         directory "/var/named";
>         dump-file "/var/named/data/cache_dump.db";
>         listen-on { 127.0.0.1; 10.0.2.4; };
>         statistics-file "/var/named/data/named_stats.txt";
>         notify yes;
>         forward first;
>         forwarders {
>                 <isp dns server 1>;
>                 <isp dns server 2>;
>         };
> };
> 
> acl "win2kservers" {
>         10.0.2.5;
> };
> 
> key "rndckey" {
>       algorithm hmac-md5;
>       secret "<snipped>";
> };
> 
> controls {
>       inet 127.0.0.1 port 953
>               allow { 127.0.0.1; } keys { "rndckey"; };
> };
> 
> zone "." {
>         type hint;
>         file "root.hints";
> };
> 
> zone "0.0.127.in-addr.arpa" {
>         type master;
>         file "pz/127.0.0";
> };
> 
> zone "example.com" {
>         type master;
>         notify yes;
>         file "pz/example.com";
>         allow-update { "win2kservers"; };
> };
> 
> // Windows 2000 servers' zone files for active directory
> zone "win2k.example.com" {
>         type master;
>         notify yes;
>         file "pz/win2k.example.com";
>         allow-update { "win2kservers"; };
> };
> 
> // NOTE: I have also tried the format: zone "_msdcs.example.com" {},
> //       but that also does not resolve the issue.
> 
> zone "_msdcs.win2k.example.com" {
>         type master;
>         notify yes;
>         file "pz/_msdcs.win2k.example.com";
>         allow-update { "win2kservers"; };
> };
> 
> zone "_sites.win2k.example.com" {
>         type master;
>         notify yes;
>         file "pz/_sites.win2k.example.com";
>         allow-update { "win2kservers"; };
> };
> 
> zone "_tcp.win2k.example.com" {
>         type master;
>         notify yes;
>         file "pz/_tcp.win2k.example.com";
>         allow-update { "win2kservers"; };
> };
> 
> zone "_udp.win2k.example.com" {
>         type master;
>         notify yes;
>         file "pz/_udp.win2k.example.com";
>         //check-names ignore;
>         allow-update { "win2kservers"; };
> };
> 
> // End Windows 2000 servers' zone files for active directory
> 
> zone "2.0.10.in-addr.arpa" {
>         type master;
>         notify no;
>         file "pz/2.0.10";
>         allow-update { "win2kservers"; };
> };
> 
> ===============================
> /var/named/pz/win2k.example.com
> ===============================
> $ORIGIN .
> $TTL 259200     ; 3 days
> win2k.example.com IN SOA ns1.example.com. bind.example.com. (
>                                 200508169  ; serial
>                                 28800      ; refresh (8 hours)
>                                 7200       ; retry (2 hours)
>                                 2419200    ; expire (4 weeks)
>                                 86400      ; minimum (1 day)
>                                 )
>                         NS      ns1.example.com.
> 
> ======================================
> /var/named/pz/_msdcs.win2k.example.com
> ======================================
> $ORIGIN .
> $TTL 259200     ; 3 days
> _msdcs.win2k.example.com IN SOA ns1.example.com. bind.example.com. (
>                                 200508172  ; serial
>                                 28800      ; refresh (8 hours)
>                                 7200       ; retry (2 hours)
>                                 2419200    ; expire (4 weeks)
>                                 86400      ; minimum (1 day)
>                                 )
>                         NS      ns1.example.com.
> 
> ==========================
> The files _sites.win2k.example.com, _tcp.win2k.example.com and
> _udp.win2k.example.com take on the same format as
> _msdcs.win2k.example.com.
> 
> 
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: Mark_Andrews at isc.org

More information about the bind-users mailing list