Windows AD, Windows DHCP, BIND, and DDNS
Frank.Pikelner at netcraftcommunications.com
Mon Jun 15 16:52:19 UTC 2009
On your Windows DHCP server, use DHCP MMC, right click on DHCP server name, and select options. In Options, select DNS tab and uncheck the required DNS registration options.
From: bind-users-bounces at lists.isc.org on behalf of Borgia, Joe A CTR USAF AFMC AFRL/RIOS
Sent: Mon 6/15/2009 10:27 AM
To: bind-users at lists.isc.org
Subject: Windows AD, Windows DHCP, BIND, and DDNS
I need some help.
At my site, I am running Windows AD, Windows DHCP, and BIND version
The AD namespace that my customer implemented is different from the BIND
namespace. The majority of the clients here are Windows XP/Vista-based
systems that receive their IP via Windows DHCP. We'd like to have these
systems register themselves manually via DDNS to our BIND namespace. Just
for proof-of-concept before we even try to tackle TSIG to secure it, we're
using the "allow-update" directive.
DHCP Server: 10.10.10.10
We setup allow-update for 10.10.10.10 for both the forward lookup "hosts"
file and reverse lookup "hosts.rev" file.
Our BIND namespace is bind.domain.mil
Our AD namespace is our.ds.domain.mil
When a client gets an IP with the BIND server configured to allow the
Windows DHCP server to do the updating, rather than registering that client
as host.bind.domain.mil, it registers it only in the reverse lookup table as
host.our.ds.domain.mil, which is undesirable. We want the host to be
host.bind.domain.mil on the BIND servers, both forward and reverse.
When I setup an ACL called "dynamic-update" for 10.10.0.0/16 and allow all
of that network to perform the updates on the BIND server, it works better,
but not completely because to make that work, we had to go into the client's
TCP/IP settings, and tell it to register specifically as bind.domain.mil.
Doing that caused the client to register itself properly in both forward and
reverse lookup zones. However, apparently, the DHCP server is also
registering the reverse lookup IP with host.our.ds.domain.mil. When you do a
reverse lookup on the client, you get both FQDNs back in the response.
The two problems with this are first, to make this work, each client has to
be touched to configure that DNS namespace to register it properly and
second, we need to get the DHCP server to stop doing this registration for
AD in the BIND servers.
It'd be ideal if we could just have the Windows DHCP server update the BIND
servers with the proper DNS suffix. I've looked around the Internet and it
doesn't seem as if there are too many people with different namespaces
between BIND and AD trying to do what we're doing. If the namespaces
matched, this would work perfectly. Unfortunately, we are not in a position
to change either namespace, so we have to make this work somehow.
Anyone have any ideas?
Thanks in advance,
Joseph A. Borgia, Jr.
Sr. UNIX/SAN Engineer
Team Rome IT - Rome Research Corporation
U.S. Air Force Research Laboratory/Rome Research Site/RIOS
-------------- next part --------------
An HTML attachment was scrubbed...
More information about the bind-users