Dots in hostnames (or: AD vs. DNS "Domains")
dlc at halibut.com
Sun Oct 21 20:47:42 UTC 2007
Hope this isn't too far off topic; I (as the BIND Guy at work) am having
a disagreement with the Microsoft Guys about proper DNS domain structure.
The Windows guy has established a new "domain" which I'll call
"ad.example.com". He's got a proper DNS delegation for "ad.example.com".
He's created two AD subdomains named "na.ad.example.com" and
"eu.ad.example.com". Most of the AD client systems live under those
The problem (as I see it) is that he has *not* created proper DNS
subdomains with those names. There is no DNS delegation
from ad.example.com to na.ad.example.com; no NS records for
na.ad.example.com. However, his DNS servers are serving up hostnames
that appear to be under those domains. In other words, hostnames with
dots in them as far as I can tell.
Here is where I'm noticing a difference in the way Microsoft and
BIND do zone transfers: I have another site that has made manual entries
in a BIND zonefile with this same "problem" (an attempt to create hosts
in subdomains without a proper delegation). A zone transfer from
that BIND server will not show those entries (but a direct query for
them will be resolved). The Microsoft server, however, sends
these "fake subdomain" entries along with the rest of the zone transfer.
Windows Guy claims that this condition arose as he followed procedures to create
these AD subdomains. From a DNS point of view, this just "feels wrong" to me.
I just haven't been able to do enough research/testing yet, and the juggernaut
is being rolled into production and was hoping to get some experienced/expert
: examination with AD Explorer does show an attribute named dnsRoot
for these domains, which Microsoft TechNet docs describe as:
"The DNS name of the domain where servers that store the particular
directory partition can be reached. This value can also be a DNS
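An added example, not from the original post, that checks for the condition described above over a constructed set of zone records: each owner name is classified as the apex, an in-zone host, a name at or below a proper delegation (NS records present), or a multi-label name under a label that carries no NS records. The zone name, record set and addresses are constructed for the illustration.

```python
# Classify owner names in a zone against its delegation points, to spot
# "dotted hostnames" that sit under a label with no NS records.
ZONE = "ad.example.com."

# Constructed sample data in the shape of BIND zone-file records:
# (owner name, RR type, rdata). Only owner names and NS records matter here.
RECORDS = [
    ("ad.example.com.", "SOA", "dc1.ad.example.com. hostmaster.example.com. 1 3600 900 604800 300"),
    ("ad.example.com.", "NS", "dc1.ad.example.com."),
    ("dc1.ad.example.com.", "A", "192.0.2.1"),
    # eu.ad.example.com is a real zone cut: NS records (plus glue) at that name
    ("eu.ad.example.com.", "NS", "dc-eu1.eu.ad.example.com."),
    ("dc-eu1.eu.ad.example.com.", "A", "192.0.2.20"),
    # na.ad.example.com has no NS records, yet host names appear beneath it
    ("pc1.na.ad.example.com.", "A", "192.0.2.30"),
    ("_ldap._tcp.na.ad.example.com.", "SRV", "0 100 389 pc1.na.ad.example.com."),
]


def zone_cuts(records, zone):
    """Names below the apex that carry NS records, i.e. proper delegations."""
    return {name for name, rtype, _ in records if rtype == "NS" and name != zone}


def classify(name, zone, cuts):
    """Return 'apex', 'in-zone', 'delegated' or 'undelegated-subdomain'."""
    if name == zone:
        return "apex"
    if not name.endswith("." + zone):
        raise ValueError(f"{name} is not under {zone}")
    labels = name[: -len(zone) - 1].split(".")   # labels below the apex
    # Walk from the label nearest the apex down to the name itself; the first
    # ancestor carrying NS records is a zone cut, and everything at or below
    # it belongs to the delegated child zone (or is glue for it).
    for depth in range(len(labels), 0, -1):
        ancestor = ".".join(labels[depth - 1:]) + "." + zone
        if ancestor in cuts:
            return "delegated"
    return "in-zone" if len(labels) == 1 else "undelegated-subdomain"


def audit(records, zone):
    """Map every owner name in the record set to its classification."""
    cuts = zone_cuts(records, zone)
    return {name: classify(name, zone, cuts) for name, _, _ in records}


if __name__ == "__main__":
    for name, verdict in sorted(audit(RECORDS, ZONE).items()):
        print(f"{verdict:22} {name}")
```

Feeding it the owner names from an AXFR of the real zone would flag every name reported as "undelegated-subdomain", which is exactly the set that a delegation (NS records at na.ad.example.com) would move into a child zone.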