Mixed environments: DHCP Secure Update
dhcp1 at thehobsons.co.uk
Wed Mar 21 18:28:09 UTC 2007
Michele Vetturi wrote:
>Now my question: we are going to renew our network and the Active
>Directory environment. I'm talking about 500 desktops, 50 servers, 20
>virtual servers... So, a tedious job!
>I'm very interested in migrating some core services from Windows OS to
>Linux, and I'm studying how to deploy a Linux DHCP Server (ISC DHCP3)
>with SECURE Dynamic Update toward a Windows DNS service.
>I opted for the Windows DNS because the staff who will manage this
>service, but me, prefer a Windows GUI Management Console instead of
>BIND zone files.
>And for DHCP, I see that the ISC implementation allows me to do a lot
>Now, I think I'm right when I say that Windows DNS accepts dynamic
>updates only if clients support the GSS-TSIG algorithm... and ISC DHCP
Correct, ISC DHCP and Windows DNS cannot do secure updates because
Microsoft won't reveal the key algorithm.
I believe what some people do is have BIND handle their main zones
(the ones that the DHCP server wants to update), but delegate the
subdomains used by Active Directory to the Windows server so that it
(and its clients) can do what it wants in them. I think there are
something like six _<something>.domain.com subdomains used by Active
Directory - you should find something in the list archives about it.
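
The split described in the reply above, as an added configuration example that is not part of the original post: ISC dhcpd signs its updates to a BIND-hosted zone with a TSIG key, and the zone delegates the Active Directory subdomains to the Windows DNS server. The zone name, addresses, file paths, key name and host name windns1 are assumptions, the secret is a placeholder, and the four delegated labels are the underscore-prefixed names Active Directory normally registers under (check them against your own forest).

```conf
# ===== dhcpd.conf (ISC DHCP 3) =====
ddns-update-style interim;
ddns-domainname "example.com";

key dhcp-updater {
    algorithm hmac-md5;   # algorithm given in the ISC DHCP 3 documentation
    secret "REPLACE_WITH_GENERATED_BASE64_SECRET";   # placeholder, keep file mode 0600
}

zone example.com. {                 # forward zone hosted on BIND
    primary 192.0.2.53;             # assumed address of the BIND master
    key dhcp-updater;               # sign updates for this zone
}

zone 2.0.192.in-addr.arpa. {        # matching reverse zone
    primary 192.0.2.53;
    key dhcp-updater;
}

# ===== named.conf (BIND master at 192.0.2.53) =====
key "dhcp-updater" {
    algorithm hmac-md5;
    secret "REPLACE_WITH_GENERATED_BASE64_SECRET";   # same placeholder as above
};

zone "example.com" {
    type master;
    file "dynamic/example.com.zone";
    # Only updates signed with the shared key are accepted; never allow by IP here.
    # update-policy can restrict the key to specific record types if needed.
    allow-update { key "dhcp-updater"; };
};

zone "2.0.192.in-addr.arpa" {
    type master;
    file "dynamic/192.0.2.rev";
    allow-update { key "dhcp-updater"; };
};

; ===== dynamic/example.com.zone (delegation records only) =====
; Hand the AD-managed subdomains to the Windows DNS server, which can
; then accept secure updates from domain controllers and clients there.
_msdcs    IN NS  windns1.example.com.
_sites    IN NS  windns1.example.com.
_tcp      IN NS  windns1.example.com.
_udp      IN NS  windns1.example.com.
windns1   IN A   192.0.2.10         ; assumed address of the Windows DNS server
```

Because the zone is dynamic, add the delegation records with a signed update or while the zone is frozen (`rndc freeze` / `rndc thaw`) rather than editing the file underneath a running named.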