Recent Problem with BIND 9 under Windows XP

Vincent Poy vincepoy at
Mon Jul 2 05:27:51 UTC 2007

On 7/1/07, Danny Mayer <mayer at> wrote:
> Vincent Poy wrote:
> > On 6/29/07, Danny Mayer <mayer at> wrote:
> >> Vincent Poy wrote:
> >> > You're right about the lack of syslog in Windows so it will only log a
> >> > event rather than detailed like syslog on a Unix box would.  Is there
> >> > a way to log to a specific logfile using named.conf in Windows?
> >>
> >> No, you are not getting far enough to start the logging. That's why I
> >> told you to use the pid-file none; option. While you are at it, does the
> >> pid file exist in the directory you specified for it?
> >
> > the named.pif file does exist in the directory whether I have it
> > specified or not as I deleted the file before each test to
> > see whah happens.  With pid-file none; option, the file doesn't get
> > created but the problem still doesn't change.
> >
> The next file you need to care about is the named.conf file in the etc
> subdirectory. The service account needs to be able to read it. Look at
> the permissions on both the etc directory and on the file itself. named
> needs to be able to read it. Please note that the created account is NOT
> in the User group. That's by design for security reasons.

On both the etc directory and the named.conf file itself, when I click
on right click and get properties under the Security tab in the Group
or User Names section:

Everyone - under Allow - Full Control, Modify, Read & Execute, List
Folder Contents, Read, Write
named - under Allow - Full Control, Modify, Read & Execute, List
Folder Contents, Read, Write
System - under Allow - Read, Write, Special Permissions

Is this the correct way it should be or what is the name of the
service account if it isn't and how do I add it?  The only place where
the named account can be found is in Computer Management under System
Tools -> Local Users and Groups -> Users

> >> > Thanks for the reminder about testing named from the command line, it
> >> > runs from a different user account.  I tried running it on the command
> >> > line as the named user and it appears to run correctly:
> >>
> >> Proves nothing except that the zones will load. Even if they had failed
> >> to load you would have seen that in the application event log.
> >
> > You're right since I had to clear all the event logs before it will
> > start logging
> > again but so far, if I try to load the ISC BIND service, it will show up
> > only
> > in the system event log.  When I run it from the command line as the
> > service won't start, it will show up in the application event log.
> >
> Did you try the following command from the command line:
> net start named
> Does it start or does it give you a failure. I recall that you will get
>  a failure from there if it cannot find the named.conf file.

C:\Documents and Settings\vince>net start named
The service is not responding to the control function.

More help is available by typing NET HELPMSG 2186.

C:\Documents and Settings\vince>

> What is in the following key in the registry:


> Does it correctly point to the directory above etc which contains
> named.conf?

named.conf is in c:\windows\system32\dns\etc

> >> > When I tested it originally, it was running from the vince account on
> >> > the command line and the vince account is setup as a Administrator.
> >> >
> >> > One thing that puzzles me is that for the ISC BIND service, if I
> >> > change it to run as Local System Account, it will run fine but if I
> >> > tried it with named or vince, it will have the problem after 3 seconds
> >> > (I timed it this time) that I mentioned when I wrote the original
> >> > message about this problem.  So I don't know why it's won't start the
> >> > service running as the named user when it worked in the past.
> >>
> >> That means that you have a file permission problem.
> >
> > But how do I find out exactly where the file permission problem is
> > since the all directories from C:\windows\system32\dns and below
> > basically have named as a user under security which has Full control
> > under allow checked which enables everything under allow except
> > special permissions which can be turned on.
> See above.


More information about the bind-users mailing list