Recent Problem with BIND 9 under Windows XP

Vincent Poy vincepoy at gmail.com
Mon Jul 2 05:27:51 UTC 2007


On 7/1/07, Danny Mayer <mayer at gis.net> wrote:
> Vincent Poy wrote:
> > On 6/29/07, Danny Mayer <mayer at ntp.isc.org> wrote:
> >> Vincent Poy wrote:
> >> > You're right about the lack of syslog in Windows so it will only log an
> >> > event rather than detailed like syslog on a Unix box would.  Is there
> >> > a way to log to a specific logfile using named.conf in Windows?
> >>
> >> No, you are not getting far enough to start the logging. That's why I
> >> told you to use the pid-file none; option. While you are at it, does the
> >> pid file exist in the directory you specified for it?
> >
> > the named.pid file does exist in the directory whether I have it
> > specified or not as I deleted the named.pid file before each test to
> > see what happens.  With pid-file none; option, the file doesn't get
> > created but the problem still doesn't change.
> >
>
> The next file you need to care about is the named.conf file in the etc
> subdirectory. The service account needs to be able to read it. Look at
> the permissions on both the etc directory and on the file itself. named
> needs to be able to read it. Please note that the created account is NOT
> in the User group. That's by design for security reasons.

On both the etc directory and the named.conf file itself, when I
right click, open Properties and look under the Security tab in the Group
or User Names section:

Everyone - under Allow - Full Control, Modify, Read & Execute, List
Folder Contents, Read, Write
named - under Allow - Full Control, Modify, Read & Execute, List
Folder Contents, Read, Write
System - under Allow - Read, Write, Special Permissions

Is this the correct way it should be or what is the name of the
service account if it isn't and how do I add it?  The only place where
the named account can be found is in Computer Management under System
Tools -> Local Users and Groups -> Users

> >> > Thanks for the reminder about testing named from the command line, it
> >> > runs from a different user account.  I tried running it on the command
> >> > line as the named user and it appears to run correctly:
> >>
> >> Proves nothing except that the zones will load. Even if they had failed
> >> to load you would have seen that in the application event log.
> >
> > You're right since I had to clear all the event logs before it will
> > start logging again but so far, if I try to load the ISC BIND service,
> > it will show up only in the system event log.  When I run it from the
> > command line as the service won't start, it will show up in the
> > application event log.
> >
>
> Did you try the following command from the command line:
> net start named
>
> Does it start or does it give you a failure. I recall that you will get
> a failure from there if it cannot find the named.conf file.

C:\Documents and Settings\vince>net start named
The service is not responding to the control function.

More help is available by typing NET HELPMSG 2186.


C:\Documents and Settings\vince>

> What is in the following key in the registry:
> HKEY_LOCAL_MACHINE\SOFTWARE\ISC\BIND\InstallDir?

C:\WINDOWS\system32\dns

> Does it correctly point to the directory above etc which contains
> named.conf?

named.conf is in c:\windows\system32\dns\etc

> >> > When I tested it originally, it was running from the vince account on
> >> > the command line and the vince account is set up as an Administrator.
> >> >
> >> > One thing that puzzles me is that for the ISC BIND service, if I
> >> > change it to run as Local System Account, it will run fine but if I
> >> > tried it with named or vince, it will have the problem after 3 seconds
> >> > (I timed it this time) that I mentioned when I wrote the original
> >> > message about this problem.  So I don't know why it won't start the
> >> > service running as the named user when it worked in the past.
> >>
> >> That means that you have a file permission problem.
> >
> > But how do I find out exactly where the file permission problem is
> > since all the directories from C:\windows\system32\dns and below
> > basically have named as a user under security which has Full control
> > under allow checked which enables everything under allow except
> > special permissions which can be turned on.
>
> See above.

Cheers,
Vince
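An added diagnostic script (written for this page, not posted in the thread) that answers the "where exactly is the permission problem" question above: it reads InstallDir from the registry key quoted in the thread, walks that directory tree, and lists every file or directory the named account cannot read. It assumes Windows PowerShell is available and that the service account is the local user `named`; group memberships other than Everyone are not resolved.

```powershell
# Added diagnostic (not from the thread): report every path under BIND's
# InstallDir that the service account has no read access to.
# Assumptions: the service account is the local user "named" (as in the
# thread) and the install path is the registry value quoted in the thread.
$account    = "$env:COMPUTERNAME\named"
$installDir = (Get-ItemProperty 'HKLM:\SOFTWARE\ISC\BIND').InstallDir
if (-not $installDir) { throw 'HKLM\SOFTWARE\ISC\BIND\InstallDir is missing' }

$conf = Join-Path $installDir 'etc\named.conf'
if (-not (Test-Path $conf)) { Write-Warning "named.conf not found at $conf" }

# ReadData is the single right that must be granted to open a file for
# reading (for a directory the same bit is ListDirectory).
$readBit = [System.Security.AccessControl.FileSystemRights]::ReadData

function Test-AccountCanRead {
    param([string]$Path, [string]$Account)
    $acl = Get-Acl -Path $Path
    $allowed = $false
    foreach ($rule in $acl.Access) {
        $id = $rule.IdentityReference.Value
        # Only the account itself and Everyone are considered; the thread
        # notes the installer deliberately keeps named out of the Users group.
        if ($id -ne $Account -and $id -ne 'Everyone') { continue }
        if (($rule.FileSystemRights -band $readBit) -eq 0) { continue }
        # An explicit Deny on the read bit overrides any Allow.
        if ($rule.AccessControlType -eq 'Deny') { return $false }
        $allowed = $true
    }
    return $allowed
}

# Check the directory above etc, etc itself, named.conf and everything below.
$targets = @($installDir) +
           (Get-ChildItem -Path $installDir -Recurse | ForEach-Object { $_.FullName })
foreach ($path in $targets) {
    if (-not (Test-AccountCanRead -Path $path -Account $account)) {
        Write-Output "NO READ ACCESS for $account : $path"
    }
}
Write-Output "Checked $($targets.Count) paths under $installDir"
```

Run it from an administrator prompt so Get-Acl can read every ACL; any path printed is one the service account would fail on at startup.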
