Windows AD, Windows DHCP, BIND, and DDNS

Frank Pikelner Frank.Pikelner at
Mon Jun 15 16:52:19 UTC 2009


On your Windows DHCP server, use the DHCP MMC, right-click the DHCP server name, and select Options. In Options, select the DNS tab and uncheck the required DNS registration options.



-----Original Message-----
From: bind-users-bounces at on behalf of Borgia, Joe A CTR USAF AFMC AFRL/RIOS
Sent: Mon 6/15/2009 10:27 AM
To: bind-users at
Subject: Windows AD, Windows DHCP, BIND, and DDNS


I need some help.


At my site, I am running Windows AD, Windows DHCP, and BIND version


The AD namespace that my customer implemented is different from the BIND
namespace. The majority of the clients here are Windows XP/Vista-based
systems that receive their IP via Windows DHCP. We'd like to have these
systems register themselves manually via DDNS to our BIND namespace. Just
for proof-of-concept before we even try to tackle TSIG to secure it, we're
using the "allow-update" directive.


DHCP Server:


We set up allow-update for for both the forward lookup "hosts"
file and reverse lookup "hosts.rev" file.

Our BIND namespace is

Our AD namespace is


When a client gets an IP with the BIND server configured to allow the
Windows DHCP server to do the updating, rather than registering that client
as, it registers it only in the reverse lookup table as, which is
undesirable. We want the host to be on the BIND servers, both forward and
reverse.


When I set up an ACL called "dynamic-update" for and allow all
of that network to perform the updates on the BIND server, it works better,
but not completely because to make that work, we had to go into the client's
TCP/IP settings, and tell it to register specifically as
Doing that caused the client to register itself properly in both forward and
reverse lookup zones. However, apparently, the DHCP server is also
registering the reverse lookup IP with When you do a
reverse lookup on the client, you get both FQDNs back in the response.


The two problems with this are first, to make this work, each client has to
be touched to configure that DNS namespace to register it properly and
second, we need to get the DHCP server to stop doing this registration for
AD in the BIND servers.


It'd be ideal if we could just have the Windows DHCP server update the BIND
servers with the proper DNS suffix. I've looked around the Internet and it
doesn't seem as if there are too many people with different namespaces
between BIND and AD trying to do what we're doing. If the namespaces
matched, this would work perfectly. Unfortunately, we are not in a position
to change either namespace, so we have to make this work somehow.


Anyone have any ideas?


Thanks in advance,



Joseph A. Borgia, Jr.

Sr. UNIX/SAN Engineer

Team Rome IT - Rome Research Corporation

U.S. Air Force Research Laboratory/Rome Research Site/RIOS

COMM: 315-330-3952

DSN: 587-3952

FAX: 315-330-8258
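
The DHCP-side change described in the reply at the top of this thread (turning off the DHCP server's own DNS registration so that only the clients register themselves in the BIND zones) can be scripted instead of clicked through the MMC. The block below is an added example written for this page, not code from either poster. It assumes the DhcpServer PowerShell module, which ships with Windows Server 2012 and later and post-dates this 2009 thread, and the server name dhcp01.example.test is a placeholder. It goes one step past the reply by also aligning every scope with the server-wide setting, because a scope-level DNS setting overrides the server default and a single scope left on "Always" would keep producing the unwanted PTR records.

```powershell
# Added example, not from the thread: PowerShell equivalent of the DHCP MMC
# "DNS" tab steps. Requires the DhcpServer module (Windows Server 2012+ or
# RSAT); this is an assumption, the original thread predates that module.
param(
    # Assumed placeholder; replace with the real DHCP server name.
    [string]$DhcpServer = 'dhcp01.example.test'
)

Import-Module DhcpServer

# Record the server-wide dynamic-update settings before changing anything,
# so the change can be reverted if clients stop appearing in DNS.
$before = Get-DhcpServerv4DnsSetting -ComputerName $DhcpServer
Write-Host "Server-wide DynamicUpdates before: $($before.DynamicUpdates)"

# 'Never' corresponds to unchecking "Enable DNS dynamic updates according to
# the settings below" in the DNS tab: the DHCP server stops registering A and
# PTR records on behalf of clients, so the AD FQDN is no longer pushed into
# the BIND reverse zone. With no registrations being made, the options to
# register for older clients and to delete records on lease expiry are moot,
# so they are turned off as well.
Set-DhcpServerv4DnsSetting -ComputerName $DhcpServer `
    -DynamicUpdates Never `
    -UpdateDnsRRForOlderClients $false `
    -DeleteDnsRRonLeaseExpiry $false

# Scope-level DNS settings override the server default. Walk every scope and
# bring any that still allow updates into line, reporting what was changed.
Get-DhcpServerv4Scope -ComputerName $DhcpServer | ForEach-Object {
    $scopeId = $_.ScopeId
    $scopeSetting = Get-DhcpServerv4DnsSetting -ComputerName $DhcpServer -ScopeId $scopeId
    if ($scopeSetting.DynamicUpdates -ne 'Never') {
        Write-Host "Scope $scopeId was '$($scopeSetting.DynamicUpdates)'; setting to Never"
        Set-DhcpServerv4DnsSetting -ComputerName $DhcpServer -ScopeId $scopeId `
            -DynamicUpdates Never `
            -UpdateDnsRRForOlderClients $false `
            -DeleteDnsRRonLeaseExpiry $false
    }
}

# Confirm the end state.
Get-DhcpServerv4DnsSetting -ComputerName $DhcpServer |
    Select-Object DynamicUpdates, UpdateDnsRRForOlderClients, DeleteDnsRRonLeaseExpiry
```

Once the DHCP server no longer registers on behalf of clients, the BIND allow-update list has to admit the clients' own addresses (the "dynamic-update" ACL in the original post) rather than only the DHCP server, or the forward records will stop appearing. An address-based ACL accepts an update from anything that can put packets on the wire with a source address in that range, so it is a proof-of-concept control only; the TSIG-keyed updates the original post defers are what should gate writes to the production zones.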

