No subject


Tue Apr 2 00:56:56 UTC 2013


(and I have no axe to grind or grudge for/against BIND or MS Win2K):

As you suggest, keep Unix for the root/top-level servers and delegate a
zone (or zones) to the Win2K servers. That way you keep your DNS 'nice and clean'
and the Win2K AD servers will not pollute your DNS servers (if you run Win2K
as primary and BIND as slaves you will end up with BIND error messages due to
all the non-standard DNS records in Win2K). Furthermore, all the DynDNS
updates will go to the 2K servers and not to BIND.

"Bell, William IT" <WBell at mvphealthcare.com> wrote in message
news:bvbnbe$1ga$1 at sf1.isc.org...
> Hi all,

> The AD admin has proposed that we change our blissful existence by doing the
> following:
> - Create a subdomain for AD: hq.company.com (note that this has the same
>   root domain name as our external DNS: company.com)
> - Change TCP/IP settings on all PC workstations and Windows servers to point
>   to the AD servers for DNS resolution
> - Remove all Windows servers from BIND DNS and move to AD (and its
>   subdomain), leaving only UNIX and network devices in BIND DNS
> - For any DNS requests not resolved in AD, forward them to our BIND DNS
>   servers
> - Take over DHCP (Microsoft DHCP) so that they can do secure dynamic updates
>   and begin using Microsoft's Remote Installation Services (RIS)
> - Microsoft DHCP server will do DDNS updates
>

Sounds OK to me - basically delegate to the AD servers and let the PCs talk to
those servers for resolution etc., i.e. "Windows - you're on your own".


> I proposed the solution contained in Chap. 16 ('Problems with Windows 2000
> and BIND') using the existing BIND DNS servers as primary, creating the 4
> delegated "_" subdomains, and allowing the DDNS for the PCs, services, etc.
> to pass through to the AD server.  The AD admin claims that this is more
> difficult to implement.  I disagreed, but don't have any experience to
> support my position.  He also states that ISC DHCP won't do secure dynamic
> updates with AD, thus preventing them from working together securely.  In
> addition, he says that ISC doesn't properly expire leases in AD.
>

TSIG is incompatible between BIND and AD - not sure if this is used for
secure DynDNS updates for AD, but having just re-read the chapter in
DNS&BIND I don't, personally, like the solution proposed. Much simpler to
delegate to Windows and let them get on with it. But be careful, they'll
start asking why you bother having UNIX BIND at all before long.

> In addition to the questions above, I'd like to know if ISC DHCP plays nice
> with Microsoft's AD now, cleaning up leases and securely updating the DDNS
> entries using the same protocol?
>
> Please excuse any mistakes or inaccuracies that reflect my ignorance of this
> topic.
>
> Thanks in advance for any help!
> -Bill
>
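The delegation the reply recommends (BIND stays authoritative for company.com, hq.company.com is cut over to the AD DNS servers), written out as an added example. This is not configuration from the thread or from either poster; company.com, hq.company.com, ns1/ns2, dc1/dc2 and the 192.0.2.0/24 addresses are hypothetical, and the commented "Chapter 16" alternative at the end shows the other layout Bill describes (the four "_" subdomains delegated, the rest of the zone kept static).

```conf
// named.conf on ns1 (BIND 9, the Unix master). Added example, not from the
// thread; all names and addresses are hypothetical.
options {
    directory "/var/named";
    recursion yes;
    allow-query { 192.0.2.0/24; };   // internal resolvers only
};

zone "company.com" {
    type master;
    file "master/company.com.zone";
    allow-update   { none; };        // no DDNS into the parent zone, ever
    allow-transfer { 192.0.2.11; };  // ns2 only
    notify yes;
};

// ns2 carries the same zone as a slave of ns1:
//   zone "company.com" { type slave; file "slave/company.com.zone";
//                        masters { 192.0.2.10; }; };

; ---- master/company.com.zone --------------------------------------------
$ORIGIN company.com.
$TTL 86400
@       IN  SOA ns1.company.com. hostmaster.company.com. (
                2004020101  ; serial (YYYYMMDDnn)
                3600        ; refresh
                900         ; retry
                1209600     ; expire
                3600 )      ; negative-caching TTL
        IN  NS  ns1.company.com.
        IN  NS  ns2.company.com.
ns1     IN  A   192.0.2.10
ns2     IN  A   192.0.2.11

; UNIX hosts and network devices stay here, maintained by hand.
mail    IN  A   192.0.2.25

; Cut hq.company.com over to the AD DNS servers. Everything below it,
; including _msdcs, _sites, _tcp, _udp and every dynamic registration,
; lives on dc1/dc2. BIND holds only the NS records and the glue A records
; (glue is required because the name servers sit inside the delegated zone).
hq      IN  NS  dc1.hq.company.com.
hq      IN  NS  dc2.hq.company.com.
dc1.hq  IN  A   192.0.2.21
dc2.hq  IN  A   192.0.2.22

; "Chapter 16" layout, for the case where the AD domain is company.com
; itself rather than a subdomain: delegate only the four service
; subdomains to the DCs and keep the rest of company.com static on BIND.
; _msdcs  IN  NS  dc1.company.com.
; _sites  IN  NS  dc1.company.com.
; _tcp    IN  NS  dc1.company.com.
; _udp    IN  NS  dc1.company.com.
; dc1     IN  A   192.0.2.21
```

Check the cut with `dig @192.0.2.10 hq.company.com. NS`: the answer section must carry both NS records and the additional section the two glue A records; `dig @192.0.2.21 _ldap._tcp.hq.company.com. SRV` should then be answered authoritatively by the DC itself. Because the workstations will point only at dc1/dc2, those servers have to forward everything outside hq.company.com to ns1/ns2 (item 4 of the proposal), and this internal company.com zone must be served only to internal resolvers, since the external company.com zone is a separate thing. With `allow-update { none; }` a DC that still tries to register itself into the parent gets REFUSED instead of writing into BIND. The reply's other warning (BIND errors when slaving a Win2K primary) comes from Microsoft-only record types such as WINS and WINS-R appearing in the transferred zone; delegation sidesteps it because BIND never transfers a Microsoft-held zone at all.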

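On the ISC DHCP question, an added example (not from the thread, and not either poster's configuration) of how ISC DHCP 3.x signs its dynamic updates: with a shared TSIG key (RFC 2845, HMAC-MD5) sent to the BIND server holding the zone. This is plain TSIG, not GSS-TSIG (RFC 3645, Kerberos-negotiated keys), which is what AD's "secure dynamic update" means and which ISC DHCP does not speak; so this works for a zone BIND holds, while an AD-integrated zone would have to be set to accept nonsecure updates. The zone dhcp.company.com, the addresses and the key material are hypothetical.

```conf
# dhcpd.conf (ISC DHCP 3.x). Added example, not from the thread;
# names, addresses and the secret are hypothetical.
ddns-update-style interim;        # adds a TXT record beside each A so it can
                                  # remove its own records on lease expiry/release
ddns-updates on;
ddns-domainname "dhcp.company.com";
do-forward-updates on;
update-static-leases off;

# TSIG key shared with ns1. Generate a real one with
#   dnssec-keygen -a HMAC-MD5 -b 128 -n HOST dhcp-update
key dhcp-update {
    algorithm HMAC-MD5.SIG-ALG.REG.INT;
    secret bm90LWEtcmVhbC1rZXkK;   # hypothetical, not a real key
};

# Forward and reverse zones, both held by the BIND master ns1.
zone dhcp.company.com. {
    primary 192.0.2.10;
    key dhcp-update;
}
zone 2.0.192.in-addr.arpa. {
    primary 192.0.2.10;
    key dhcp-update;
}

subnet 192.0.2.0 netmask 255.255.255.0 {
    range 192.0.2.100 192.0.2.200;
    option domain-name "dhcp.company.com";
    option domain-name-servers 192.0.2.21, 192.0.2.22;  # the AD servers,
                                                         # per the proposal
    default-lease-time 28800;
    max-lease-time 86400;
}

// ---- matching named.conf fragment on ns1 (BIND 9) ----------------------
// Accept updates for the zone only when signed with that key.
key dhcp-update {
    algorithm hmac-md5;
    secret "bm90LWEtcmVhbC1rZXkK";   // same hypothetical secret as above
};
zone "dhcp.company.com" {
    type master;
    file "dynamic/dhcp.company.com.zone";
    allow-update { key dhcp-update; };
};
```

With `ddns-update-style interim`, dhcpd deletes the A and PTR records it added when the lease expires or is released, using the TXT record to make sure it only removes its own entries; that covers the "cleaning up leases" part of the question for records dhcpd created, but nothing here expires objects inside AD. Pointing `primary` at a DC instead of ns1 sends the same TSIG-signed update to Microsoft DNS, which an AD-integrated zone set to "secure only" will reject, since it expects GSS-TSIG. Keep the secret out of world-readable files on both hosts, and give each updater its own key so a compromised DHCP server can be cut off by removing one key rather than rotating everything.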
