Mixed environments: DHCP Secure Update

Glenn Satchell Glenn.Satchell at uniq.com.au
Thu Mar 22 14:02:25 UTC 2007

>Date: Thu, 22 Mar 2007 14:34:12 +0100
>From: "Michele Vetturi" <mvetturi at yahoo.it>
>> I have successfully run a mixed BIND/AD environment for several years.
>> This is a largish network (3500 clients, originally Win2000 now XP)
>> using AD, but all DNS is run using BIND, in this case running on
>> Solaris. Originally used Bind 8, now Bind 9.2.x.
>> These articles give a pretty good run down on using AD and BIND:
>> http://www.linux-mag.com/2001-03/bind_01.html
>> (seems you need to register to read this now)
>> is/deploy/depovg/CfgBIND.asp (link no longer available)
>> directory/support/dnsw2kb.mspx
>> (general MS DNS articles)
>> http://support.microsoft.com/default.aspx?scid=kb;en-us;255913
>> (specific details about integrating AD into existing BIND setup)
>> On your DNS servers you create 4 extra zones for each main zone, and
>> allow the domain controllers access to update them. Make sure you
>> delegate them correctly.
>>          _udp.mydomain.com
>>          _tcp.mydomain.com
>>          _sites.mydomain.com
>>          _msdcs.mydomain.com
>> The domain controllers will add a number of SRV records and also A records in
>> the top level zones. It was easier to just let them do this so that DNS 
>> properly. There is a tool called dcdiag.exe that you can run on the domain
>> controller to verify that DNS is set up properly from AD's perspective.
>> The only option is to allow update by IP address, but hopefully the
>> Domain Controllers are fairly secure and no-one should be spoofing
>> their IP addresses. We didn't allow individual clients to do DNS updates.
>> For DNS management we used an open source web based tool downloaded from
>> dominium.sourceforge.net which we then hacked on pretty severely. I
>> haven't seen the original updated in a long time.
>Great *How-To*... :)   Thank you.
>I appreciate all your efforts to support me.

No problem - this was something I had saved from about 5 years ago, I
only had to follow up the links as the old ones had disappeared.
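A worked BIND 9 configuration for the layout Glenn describes above, added here as an example; it is not from the original post or from Glenn's own setup. The domain mydomain.com and the four underscore zones come from the post; the domain controller addresses 192.0.2.10/11, the nameserver name ns1.mydomain.com, its address and the file paths are assumptions made for illustration. The main zone allows DC updates because the post says the DCs also register A records there; the delegation records in the parent zone file are the "delegate them correctly" step.

```conf
// ---- named.conf fragment (added example; not from the original post) ----
// mydomain.com and the four child zones are from the post. The DC
// addresses, ns1.mydomain.com and the file paths are assumptions.

// Domain controllers permitted to send dynamic updates. This is IP-based
// trust only: any host that can source packets from these addresses can
// add or replace records, which is the risk the post accepts for its DCs.
acl "ad-dcs" {
    192.0.2.10;     // dc1.mydomain.com (assumed)
    192.0.2.11;     // dc2.mydomain.com (assumed)
};

// Main zone. The post lets the DCs register their A records here too,
// so updates from the DC ACL are allowed; everything else is refused.
zone "mydomain.com" IN {
    type master;
    file "master/mydomain.com.zone";
    allow-update { ad-dcs; };
};

// The four AD zones carved out of the main zone. Keeping them as separate
// master zones scopes allow-update to exactly the names the DCs own.
zone "_udp.mydomain.com" IN {
    type master;
    file "dynamic/_udp.mydomain.com.zone";
    allow-update { ad-dcs; };
};

zone "_tcp.mydomain.com" IN {
    type master;
    file "dynamic/_tcp.mydomain.com.zone";
    allow-update { ad-dcs; };
};

zone "_sites.mydomain.com" IN {
    type master;
    file "dynamic/_sites.mydomain.com.zone";
    allow-update { ad-dcs; };
};

zone "_msdcs.mydomain.com" IN {
    type master;
    file "dynamic/_msdcs.mydomain.com.zone";
    allow-update { ad-dcs; };
};

; ---- master/mydomain.com.zone (delegation records shown; assumed file) ----
; The child zones must be delegated from the parent, as the post says, or a
; DC lookup such as _ldap._tcp.dc._msdcs.mydomain.com is answered from the
; parent zone and comes back NXDOMAIN.
$TTL 3600
@        IN SOA  ns1.mydomain.com. hostmaster.mydomain.com. (
                 2007032201 3600 900 604800 300 )
         IN NS   ns1.mydomain.com.
ns1      IN A    192.0.2.53          ; assumed address of the BIND server
_udp     IN NS   ns1.mydomain.com.
_tcp     IN NS   ns1.mydomain.com.
_sites   IN NS   ns1.mydomain.com.
_msdcs   IN NS   ns1.mydomain.com.

; ---- dynamic/_msdcs.mydomain.com.zone (initial content; the other three
; start the same way). The DCs add the SRV and A records themselves.
$TTL 600
@        IN SOA  ns1.mydomain.com. hostmaster.mydomain.com. (
                 2007032201 3600 900 604800 300 )
         IN NS   ns1.mydomain.com.
```

Check it with `named-checkconf -z` before reloading; the zone files under `dynamic/` must be writable by the named user, since BIND keeps a journal next to each dynamically updated zone. To confirm the ACL does what you expect, send an `nsupdate` from an address outside `ad-dcs`: it should be answered REFUSED. After the DCs have run (or after `dcdiag` on a DC, as the post suggests), `dig @ns1.mydomain.com _ldap._tcp.dc._msdcs.mydomain.com SRV` should return one SRV record per DC. One caveat on the IP-only trust: the post's BIND 9.2.x had nothing better, but to my knowledge later BIND 9 releases accept Kerberos-signed (GSS-TSIG) updates from domain controllers via `update-policy` with `ms-self` or `krb5-self` grants, which ties each update to the DC's own account rather than to a spoofable source address.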


More information about the dhcp-users mailing list