Mixed environments: DHCP Secure Update

Michele Vetturi mvetturi at yahoo.it
Thu Mar 22 13:34:12 UTC 2007

> I have successfully run a mixed BIND/AD environment for several years.
> This is a largish network (3500 clients, originally Win2000 now XP)
> using AD, but all DNS is run using BIND, in this case running on
> Solaris. Originally used Bind 8, now Bind 9.2.x.
> These articles gives a pretty good run down on using AD and BIND:
> http://www.linux-mag.com/2001-03/bind_01.html
> (seems you need to register to read this now)
> http://www.microsoft.com/technet/treeview/default.asp?url=/technet/prodtechnol/i
> is/deploy/depovg/CfgBIND.asp (link no longer available)
> http://www.microsoft.com/technet/prodtechnol/windows2000serv/technologies/active
> directory/support/dnsw2kb.mspx
> (general MS DNS articles)
> http://support.microsoft.com/default.aspx?scid=kb;en-us;255913
> (specific details about integrating AD into existing BIND setup)
> On your DNS servers you create 4 extra zones for each main zone, and
> allow the domain controllers access to update them. Make sure you
> delegate them correctly.
>          _udp.mydomain.com
>          _tcp.mydomain.com
>          _sites.mydomain.com
>          _msdcs.mydomain.com
> The domain controllers will add a number of SRV records and also A records in
> the top level zones. It was easier to just let them do this so that DNS worked
> properly. There is a tool called dcdiag.exe that you can run on the domain
> controller toverify that DNS is set up properly from AD's perspective.
> The only option is to allow update by IP address, but hopefully the
> Domain Controllers are fairly secure and no-one should be spoofing
> their IP addresses. We didn't allow individual clients to do DNS updates.
> For DNS management we used an open source web based tool downloaded from
> dominium.sourceforge.net which we then hacked on pretty severely. I
> haven't seen the original updated in a long time.

Great *How-To*... :)   Thank you.

I appreciate all your efforts to support me.

Michele Vetturi

More information about the dhcp-users mailing list