BIND and MS DNS
kcd at daimlerchrysler.com
Thu Nov 23 05:05:42 UTC 2006
kelvin dumb wrote:
> My goal is to allow MS clients talk to w3k AD and let
> other *nix talk to BIND. I'm using a Bind DNS 9.2.4 on
> Debian and Windows 2003.
> BIND has 192.168.0.100 and MS DNS 192.168.0.120. ICS
> DHCP is DHCP server. I want to subdomain so MS DNS
> will handle all the traffic from MS clients. This is
> what I have been doing so far.
If you just want Microsoft DNS to handle the whole ad.math.edu
subdomain, simply delegate it from math.edu. You don't need to break out
subdomains/subzones in that case.
But, you mentioned DHCP. Is DHCP updating client names in DNS via
Dynamic Update? If so, then *where* are those client names going? If
your intention is for them to go into ad.math.edu, then you're going to
have to either
a) delegate ad.math.edu to Microsoft DNS and then figure out how to
configure the Microsoft DNS stuff to accept Dynamic Updates from ISC
DHCP (which would be off-topic for this list), or,
b) host ad.math.edu in BIND as a single zone and open up Dynamic Updates
for *both* ISC DHCP and Active Directory, which runs the risk of them
stepping on each other's records, or
c) play games with delegating subzones of ad.math.edu (as you've already
attempted), so that the respective sources of Dynamic Update are
segregated from each other.
A few things to keep in mind, applicability dependent on which option
1) NS records point to *names*, not IP addresses
2) It makes no sense to define a given zone as master on both the BIND
and Microsoft DNS side,
3) If a given nameserver is authoritative for given zone, and you want
it to receive queries for names in that zone from other
nameservers/iterative-resolvers, then you should "publish" that fact by
including the name of the nameserver in the NS records for the zone,
both at the apex of the zone itself, and in the delegation NS records
from the parent zone. For purposes of redundancy and possibly
performance, you might choose to define a zone as "slave" and *not*
publish it in the NS records -- that's what's known as a "stealth slave"
and is perfectly valid too,
4) (In response to "Do I need to create db._msdcs.ad.math.edu...etc on
BIND? if so, what need to go in there?") Yes, any time you set up a zone
as "master" in BIND you need to provide a zone file with, at a minimum,
the SOA RR and some apex NS records. Everything else can be populated
via Dynamic Update; even the SOA and apex NS records can be changed via
Dynamic Update *after* the zone is already established, they just can't
be initially created via Dynamic Update since there is technically no
"zone" to update until those records are in place.
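As an added, constructed example (not part of the original post, and not ISC's or BIND's own code): a small Python script that loads a minimal BIND-style master zone and checks the points made above, namely that NS records name hosts rather than IP addresses (1), that the server answering for the zone is published in the apex NS set unless it is meant to be a stealth slave (3), and that a freshly created master zone carries at least an SOA and apex NS records before Dynamic Update fills in the rest (4). It also checks that a delegation such as math.edu -> ad.math.edu carries glue when the NS target lives inside the child. The zone contents, the host names ns1.math.edu and dc1.ad.math.edu, and the serial are invented for illustration; only the two addresses 192.168.0.100 and 192.168.0.120 come from the thread.

```python
"""Sanity checks for a minimal BIND master zone (constructed example)."""
import ipaddress
import re

# Constructed sample: the parent zone math.edu with a delegation of
# ad.math.edu to a Microsoft DNS server.  The NS target dc1.ad.math.edu
# lies inside the delegated child, so the parent must carry an A "glue"
# record for it.  Host names and serial are assumptions, not from the post.
MATH_EDU_ZONE = """\
$ORIGIN math.edu.
$TTL 3600
@       IN SOA  ns1.math.edu. hostmaster.math.edu. (
                2006112301 ; serial
                3600       ; refresh
                900        ; retry
                604800     ; expire
                300 )      ; negative TTL
@       IN NS   ns1.math.edu.
ns1     IN A    192.168.0.100
; delegation of ad.math.edu to the Microsoft DNS server
ad      IN NS   dc1.ad.math.edu.
dc1.ad  IN A    192.168.0.120
"""

# Constructed counter-example: no SOA, and an NS record that "points at"
# an IP address, which is not valid NS RDATA.
BAD_ZONE = """\
$ORIGIN ad.math.edu.
$TTL 3600
@   IN NS   192.168.0.120
dc1 IN A    192.168.0.120
"""


def parse_zone(text):
    """Tiny zone parser: $ORIGIN, $TTL, one-line RRs and a parenthesised
    multi-line SOA.  Returns a list of (owner, type, rdata_tokens)."""
    origin, records = ".", []
    lines = [re.sub(r";.*", "", ln).rstrip() for ln in text.splitlines()]
    joined, buf, depth = [], [], 0
    for ln in lines:                       # fold "( ... )" continuations
        if not ln.strip() and depth == 0:
            continue
        buf.append(ln)
        depth += ln.count("(") - ln.count(")")
        if depth == 0:
            joined.append(" ".join(buf).replace("(", " ").replace(")", " "))
            buf = []
    for ln in joined:
        tokens = ln.split()
        if tokens[0] == "$ORIGIN":
            origin = tokens[1]
            continue
        if tokens[0] == "$TTL":
            continue
        owner = tokens[0]
        if owner == "@":
            owner = origin
        elif not owner.endswith("."):
            owner = owner + "." + origin   # make relative owner absolute
        i = 1                              # skip optional TTL and class
        if tokens[i].isdigit():
            i += 1
        if tokens[i].upper() in ("IN", "CH", "HS"):
            i += 1
        records.append((owner.lower(), tokens[i].upper(), tokens[i + 1:]))
    return records


def is_ip_literal(name):
    """True when an NS target is an IP address instead of a host name."""
    try:
        ipaddress.ip_address(name.rstrip("."))
        return True
    except ValueError:
        return False


def check_zone(text, zone_name, this_server=None):
    """Return a list of problems; an empty list means the zone looks sane."""
    zone_name = zone_name.rstrip(".").lower() + "."
    records = parse_zone(text)
    problems = []
    apex = [(t, r) for o, t, r in records if o == zone_name]
    if not any(t == "SOA" for t, _ in apex):           # point (4)
        problems.append("missing SOA at apex")
    apex_ns = [r[0].lower() for t, r in apex if t == "NS"]
    if not apex_ns:                                    # point (4)
        problems.append("missing apex NS records")
    for o, t, r in records:                            # point (1)
        if t == "NS" and is_ip_literal(r[0]):
            problems.append(f"NS record for {o} points at an IP address ({r[0]})")
    if this_server and this_server.lower().rstrip(".") + "." not in apex_ns:
        problems.append(f"{this_server} is authoritative but not in apex NS "
                        "(stealth slave?)")           # point (3)
    a_owners = {o for o, t, _ in records if t in ("A", "AAAA")}
    for o, t, r in records:                            # delegation glue
        if t == "NS" and o != zone_name:
            target = r[0].lower()
            if target.endswith("." + o) and target not in a_owners:
                problems.append(f"delegation {o} -> {target} needs glue A/AAAA record")
    return problems


if __name__ == "__main__":
    for name, zone, srv in [("math.edu", MATH_EDU_ZONE, "ns1.math.edu"),
                            ("ad.math.edu", BAD_ZONE, None)]:
        print(name, check_zone(zone, name, srv) or "OK")
```

Run it as-is and the parent zone passes, while the counter-example reports the missing SOA and the NS-to-IP mistake; passing a server name that is not in the apex NS set (for example ns2.math.edu) produces the "stealth slave" notice, which is a valid configuration but one you should be making deliberately. The parser is deliberately minimal and is not a substitute for named-checkzone.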