ISC Bind in Active Directory

Carsten Strotmann cas at strotmann.de
Wed Oct 24 21:17:04 UTC 2012


Hello Phil,

Phil Mayers <p.mayers at imperial.ac.uk> writes:


> Our experience is that this can cause (minor) problems.
>
> The basic issue is that, if you have an AD realm:
>
> EXAMPLE.COM
>
> ...and a machine:
>
> foo
>
> ...then windows tries very hard to stick its fingers in its ears,
> shout "la la I am not listening" and assume its hostname is:
>
> foo.example.com
>
> You have to fiddle around extensively to make the client *think* its
> name is what it really is, and it has never been clear to me what the
> implications of doing so are.
>
> This can matter if you have systems that trust the client's own idea of
> the hostname (e.g. vPro/AMT enterprise provisioning) or if you have
> support staff who want to be able to right-click on a machine from the
> "AD users & computers" snap-in and click "manage".
>
> If people have any insight into an easy way of updating clients with
> the correct idea of their own DNS hostnames, and can explain how this
> interacts with the per-connection DNS suffix stuff in the IP stack, I
> would be very grateful!

my experience is that it is safe to place clients in either a DNS domain
with the same name as the AD domain, or in a subdomain of the AD
domain. 

Using a subdomain has the benefit of separating infrastructure
information (SRV records, server A/AAAA records) from client
information. These DNS zones can have a different dynamic update
policy/ACL, and can even be delegated to different DNS servers.

Example: 
DNS-Domain: "example.com"
Ad-Domain: "ad.example.com"
Client-DNS Zone: "client.ad.example.com"

all with proper delegations.

Clients will follow the DNS hierarchy to find the SRV records in the
AD-Domain DNS-Zone. Putting AD-Clients into a DNS-Suffix (aka "local
domain") that is a different branch of the DNS namespace than the
AD-Domain DNS name creates problems and is not
recommended. (e.g. AD-Domain "example.com", clients in "ad.example.")

Connection-specific DNS suffixes, to my knowledge, are used in the
case that one machine has network connections into multiple AD networks
(a gateway machine, or a common server that serves multiple, disjoint
AD domains).

As always, DNS (also Microsoft-based DNS for AD) works best if there is
an uninterrupted delegation chain from the root (can be an internal root
or the Internet DNS root) to the authoritative DNS servers, and if
resolving DNS servers are separated from the authoritative DNS
servers. What is important is a unified DNS namespace as seen from every
machine in the AD network. There should be only one DNS namespace.

A general observation:
I find a high number of DNS admins in AD networks that have the
perception that the earth, pardon, DNS, is flat. It is not, it is a
hierarchy :). And every attempt to make it appear flat creates problems.

-- 
Carsten Strotmann
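The three-zone layout Carsten describes (corporate zone, AD infrastructure zone, delegated client zone, each with its own dynamic-update policy), written out as a BIND named.conf excerpt. This is an added example, not configuration from the original mail or from ISC; the file paths, keytab location and the domain controller principal names (DC1$@AD.EXAMPLE.COM, DC2$@AD.EXAMPLE.COM) are assumptions for illustration. The commented-out "flat" zone at the top shows the anti-pattern it replaces.

```conf
// Added example, not part of the original mail. Paths, keytab and the
// DC principal names below are assumptions.

options {
    directory "/var/cache/bind";
    // Authoritative server only: resolvers for the clients live elsewhere,
    // as the mail recommends (resolving and authoritative roles separated).
    recursion no;
    // Keytab for GSS-TSIG (Kerberos-authenticated dynamic updates from
    // Windows domain members). Assumed path.
    tkey-gssapi-keytab "/etc/bind/dns.keytab";
};

/*
 * Anti-pattern: one flat zone that anyone may update. Any host on the
 * network could then overwrite the _ldap/_kerberos SRV records or the
 * domain controllers' A/AAAA records and redirect clients to a rogue DC.
 *
 * zone "example.com" {
 *     type master;
 *     file "/etc/bind/zones/example.com.db";
 *     allow-update { any; };
 * };
 */

// Corporate zone: static data plus the NS/glue records that delegate
// ad.example.com (the delegation itself lives in example.com.db).
zone "example.com" {
    type master;
    file "/etc/bind/zones/example.com.db";
    allow-update { none; };
};

// AD infrastructure zone: SRV records, _msdcs, DC A/AAAA records.
// Only the domain controllers' machine accounts may write here, and only
// below ad.example.com. Principal spelling is an assumption; check what
// named logs for the TKEY negotiation on your site.
zone "ad.example.com" {
    type master;
    file "/etc/bind/zones/ad.example.com.db";
    update-policy {
        grant "DC1$@AD.EXAMPLE.COM" subdomain ad.example.com. ANY;
        grant "DC2$@AD.EXAMPLE.COM" subdomain ad.example.com. ANY;
    };
};

// Client zone, delegated from ad.example.com.db with NS plus glue.
// ms-self: a domain member authenticated in realm AD.EXAMPLE.COM may
// add or refresh only the A/AAAA record for its own name, nothing else.
zone "client.ad.example.com" {
    type master;
    file "/etc/bind/zones/client.ad.example.com.db";
    update-policy {
        grant AD.EXAMPLE.COM ms-self client.ad.example.com. A AAAA;
    };
};
```

Check the delegation chain with `dig +trace client.ad.example.com SOA` from a client, and confirm that joined machines still locate the domain controllers through the hierarchy with `dig +short SRV _ldap._tcp.dc._msdcs.ad.example.com`; a client registered as foo.client.ad.example.com should appear only in the client zone, while nothing but the DC principals can change records in ad.example.com.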



More information about the bind-users mailing list