Sun Oct 21 20:47:42 UTC 2007

Hope this isn't too far off topic; I (as the BIND Guy at work) am having
a disagreement with the Microsoft Guys about proper DNS domain structure.

The Windows guy has established a new "domain" which I'll call
"".  He's got a proper DNS delegation for "".
He's created two AD subdomains named "" and
"".  Most of the AD client systems live under those 
two domains.

The problem (as I see it) is that he has *not* created proper DNS
subdomains with those names.  There is no DNS delegation
from to; no NS records for  However, his DNS servers are serving up hostnames 
that appear to be under those domains.  In other words, hostnames with 
dots in them as far as I can tell. [1]

Here is where I'm noticing a difference in the way Microsoft and 
BIND do zone transfers: I have another site who has made manual entries 
in a BIND zonefile with this same "problem" (an attempt to create hosts 
in subdomains without a proper delegation).  A zone transfer from 
that BIND server will not show those entries (but a direct query for 
them will be resolved).   The Microsoft server, however, sends 
these "fake subdomain" entries along with the rest of the zone transfer.

Windows Guy claims that this condition arose as he followed procedures to create 
these AD subdomains.  From a DNS point of view, this just "feels wrong" to me. 
I just haven't been able to do enough research/testing yet, the juggernaut 
is being rolled into production, and I was hoping to get some experienced/expert 
advice here.



[1]: examination with AD Explorer does show an attribute named dnsRoot
for these domains, which Microsoft TechNet docs describe as:
"The DNS name of the domain where servers that store the particular
directory partition can be reached. This value can also be a DNS
host name."
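One way to tell the two situations apart from a zone transfer (added example, not part of the original post or of BIND/Microsoft DNS): read a dump in the presentation format that `dig @server zone AXFR` prints, find the apex from the SOA, and then classify every owner name that has more labels than the apex. A dotted name with no NS set at any intermediate label is an in-zone multi-label name (the "fake subdomain" case described above); a name under an NS set is a delegation, glue for that delegation, or occluded data that the child zone's servers will never see. The zone data below is constructed for the example; `example.com`, `child1`, `child2` and the addresses are placeholders.

```python
"""Classify multi-label names found in a zone transfer dump.

Input is presentation-format text, one record per line:
    owner  TTL  class  type  rdata
which is what `dig @server example.com AXFR` prints.
"""
from collections import defaultdict

# Constructed sample zone (placeholder names and RFC 5737 addresses, not real data).
SAMPLE_AXFR = """\
example.com.            3600 IN SOA  ns1.example.com. hostmaster.example.com. 2007102101 7200 900 1209600 3600
example.com.            3600 IN NS   ns1.example.com.
ns1.example.com.        3600 IN A    192.0.2.1
host1.example.com.      3600 IN A    192.0.2.2
dc1.child1.example.com. 3600 IN A    192.0.2.20     ; dotted name, no NS for child1
child2.example.com.     3600 IN NS   ns1.child2.example.com.
ns1.child2.example.com. 3600 IN A    192.0.2.10     ; glue for the child2 delegation
www.child2.example.com. 3600 IN A    192.0.2.11     ; occluded: lives below a cut
"""


def norm(name):
    """Lower-case a name and drop the trailing dot so comparisons are uniform."""
    return name.lower().rstrip(".")


def parse_zone(text):
    """Return a list of (owner, type, rdata) tuples; comments and blanks are skipped."""
    records = []
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line:
            continue
        owner, _ttl, _cls, rtype, *rdata = line.split()
        records.append((norm(owner), rtype.upper(), " ".join(rdata)))
    return records


def enclosing_cut(owner, apex, cut_names):
    """Return the delegation point closest to the apex that covers `owner`
    (the owner itself counts), or None when no NS set lies on the path."""
    lab = owner.split(".")
    apex_depth = len(apex.split("."))
    # Walk candidates from the label just below the apex down to the full owner.
    for k in range(len(lab) - apex_depth - 1, -1, -1):
        candidate = ".".join(lab[k:])
        if candidate in cut_names:
            return candidate
    return None


def classify(records):
    """Bucket every record by how it relates to the zone's delegation structure."""
    apex = next(owner for owner, rtype, _ in records if rtype == "SOA")
    apex_depth = len(apex.split("."))
    # NS sets anywhere other than the apex are zone cuts (delegations).
    cut_names = {o for o, t, _ in records if t == "NS" and o != apex}
    # Names that a delegating NS record points at; A/AAAA at those names is glue.
    glue_targets = {norm(r) for o, t, r in records if t == "NS" and o != apex}

    report = defaultdict(list)
    for owner, rtype, _rdata in records:
        entry = f"{owner} {rtype}"
        cut = enclosing_cut(owner, apex, cut_names)
        if cut is None:
            depth = len(owner.split(".")) - apex_depth
            # depth >= 2 means a dotted name that is not backed by a delegation.
            report["undelegated_multilabel" if depth >= 2 else "in_zone"].append(entry)
        elif owner == cut and rtype in ("NS", "DS"):
            report["delegation"].append(entry)
        elif rtype in ("A", "AAAA") and owner in glue_targets:
            report["glue"].append(entry)
        else:
            # Anything else at or below a cut is occluded by the delegation.
            report["occluded"].append(entry)
    return dict(report)


if __name__ == "__main__":
    for bucket, entries in classify(parse_zone(SAMPLE_AXFR)).items():
        print(bucket)
        for e in entries:
            print("   ", e)
```

The `undelegated_multilabel` bucket is the one to review with the Windows side: every name in it is served by the parent zone's servers only, and no child zone exists for a resolver to be referred to. Expect Active Directory's own service-location names (the `_tcp`, `_udp`, `_sites` and `_msdcs` subtrees of a domain zone) to land there too; those are published as in-zone multi-label names by design, so the bucket is a list to inspect, not a list of errors. The `occluded` bucket is the opposite failure: data the parent still holds below a cut, which nothing will ever answer from once the delegation is followed.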

