<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=us-ascii">
<meta name=Generator content="Microsoft Word 12 (filtered medium)">
<style>
<!--
/* Font Definitions */
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
{font-family:Consolas;
panose-1:2 11 6 9 2 2 4 3 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
margin-bottom:.0001pt;
font-size:11.0pt;
font-family:"Calibri","sans-serif";}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:blue;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:purple;
text-decoration:underline;}
span.EmailStyle17
{mso-style-type:personal;
font-family:"Calibri","sans-serif";
color:windowtext;}
span.EmailStyle18
{mso-style-type:personal-reply;
font-family:"Calibri","sans-serif";
color:#1F497D;}
.MsoChpDefault
{mso-style-type:export-only;
font-size:10.0pt;}
@page Section1
{size:8.5in 11.0in;
margin:1.0in 1.0in 1.0in 1.0in;}
div.Section1
{page:Section1;}
-->
</style>
<!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]-->
</head>
<body lang=EN-US link=blue vlink=purple>
<div class=Section1>
<p class=MsoNormal>Folks,<o:p></o:p></p>
<p class=MsoNormal><o:p> </o:p></p>
<p class=MsoNormal>I need some help.<o:p></o:p></p>
<p class=MsoNormal><o:p> </o:p></p>
<p class=MsoNormal>At my site, I am running Windows AD, Windows DHCP, and BIND
version 9.6.0-P1.<o:p></o:p></p>
<p class=MsoNormal><o:p> </o:p></p>
<p class=MsoNormal>The AD namespace that my customer implemented is different
from the BIND namespace. The majority of the clients here are Windows XP/Vista-based
systems that receive their IP via Windows DHCP. We’d like to have these systems
register themselves manually via DDNS to our BIND namespace. Just for
proof-of-concept before we even try to tackle TSIG to secure it, we’re using
the “allow-update” directive.<o:p></o:p></p>
<p class=MsoNormal><o:p> </o:p></p>
<p class=MsoNormal>DHCP Server: 10.10.10.10<o:p></o:p></p>
<p class=MsoNormal><o:p> </o:p></p>
<p class=MsoNormal>We setup allow-update for 10.10.10.10 for both the forward
lookup “hosts” file and reverse lookup “hosts.rev” file.<o:p></o:p></p>
<p class=MsoNormal>Our BIND namespace is bind.domain.mil<o:p></o:p></p>
<p class=MsoNormal>Our AD namespace is our.ds.domain.mil<o:p></o:p></p>
<p class=MsoNormal><o:p> </o:p></p>
<p class=MsoNormal>When a client gets an IP with the BIND server configured to
allow the Windows DHCP server to do the updating, rather than registering that
client as host.bind.domain.mil, it registers it only in the reverse lookup
table as host.our.ds.domain.mil, which is undesirable. We want the host to be
host.bind.domain.mil on the BIND servers, both forward and reverse.<o:p></o:p></p>
<p class=MsoNormal><o:p> </o:p></p>
<p class=MsoNormal>When I setup an ACL called “dynamic-update” for 10.10.0.0/16
and allow all of that network to perform the updates on the BIND server, it
works better, but not completely because to make that work, we had to go into
the client’s TCP/IP settings, and tell it to register specifically as
bind.domain.mil. Doing that caused the client to register itself properly in
both forward and reverse lookup zones. However, apparently, the DHCP server is
also registering the reverse lookup IP with host.our.ds.domain.mil. When you do
a reverse lookup on the client, you get both FQDNs back in the response.<o:p></o:p></p>
<p class=MsoNormal><o:p> </o:p></p>
<p class=MsoNormal>The two problems with this are first, to make this work,
each client has to be touched to configure that DNS namespace to register it
properly and second, we need to get the DHCP server to stop doing this
registration for AD in the BIND servers.<o:p></o:p></p>
<p class=MsoNormal><o:p> </o:p></p>
<p class=MsoNormal>It’d be ideal if we could just have the Windows DHCP server
update the BIND servers with the proper DNS suffix. I’ve looked around the
Internet and it doesn’t seem as if there are too many people with different
namespaces between BIND and AD trying to do what we’re doing. If the namespaces
matched, this would work perfectly. Unfortunately, we are not in a position to
change either namespace, so we have to make this work somehow.<o:p></o:p></p>
<p class=MsoNormal><o:p> </o:p></p>
<p class=MsoNormal>Anyone have any ideas?<o:p></o:p></p>
<p class=MsoNormal><o:p> </o:p></p>
<p class=MsoNormal>Thanks in advance,<o:p></o:p></p>
<p class=MsoNormal>Joe<o:p></o:p></p>
<p class=MsoNormal><span style='font-size:10.5pt;font-family:Consolas'>------------------------------------<o:p></o:p></span></p>
<p class=MsoNormal><span style='font-size:10.5pt;font-family:Consolas'>Joseph
A. Borgia, Jr.<o:p></o:p></span></p>
<p class=MsoNormal><span style='font-size:10.5pt;font-family:Consolas'>Sr.
UNIX/SAN Engineer<o:p></o:p></span></p>
<p class=MsoNormal><span style='font-size:10.5pt;font-family:Consolas'>Team
Rome IT - Rome Research Corporation<o:p></o:p></span></p>
<p class=MsoNormal><span style='font-size:10.5pt;font-family:Consolas'>U.S. Air
Force Research Laboratory/Rome Research Site/RIOS<o:p></o:p></span></p>
<p class=MsoNormal><span style='font-size:10.5pt;font-family:Consolas'>COMM:
315-330-3952<o:p></o:p></span></p>
<p class=MsoNormal><span style='font-size:10.5pt;font-family:Consolas'>DSN:
587-3952<o:p></o:p></span></p>
<p class=MsoNormal><span style='font-size:10.5pt;font-family:Consolas'>FAX:
315-330-8258<o:p></o:p></span></p>
<p class=MsoNormal><o:p> </o:p></p>
</div>
</body>
</html>