Why not just have the workstations in the company.com suffix? Is there a
requirement for them to be in the ad.company.com zone?

  joe
-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Guy Teverovsky
Sent: Wednesday, August 11, 2004 5:34 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Anonymous bind (here we go again)
We have W2K3 AD (FFL/DFL 2003) configured as ad.company.com. There is a
subset of workstations (located in pre-configured OUs) that need to be
resolvable using the "company.com" suffix (the company.com zone is managed by
BIND, while ad.company.com is managed by MS DNS).

One of the ideas was to run (from Linux) LDAP queries against AD for the
machines in question, query the MS DNS for the registration and build CNAME
entries for BIND based on the query.

Caveat: our AD is configured with "LDAP signing requirement: Negotiate",
which means that any attempt at a simple bind will be forced to use SSL/TLS
(and we do not run a CA or have certs installed on DCs) and will otherwise
fail.

From here two options have been proposed:

1) flip the 7th bit of dsHeuristics to allow anon access and grant anonymous
access to the required attributes (dnsHostName)
cons: this exposes the AD to potential DoS of the LDAP service by anonymous (am
I right here?)

2) install 3rd party certs on DCs and have scripts use an embedded service
account for LDAP binds/queries.
cons/pros: I have no experience with 3rd party certs on DCs. Are there any
caveats or gotchas here? Is it possible/reasonable?

In any case, nothing that is not already exposed by DNS is going to be
exposed.

If you can think of any other way of achieving the desired result
(up-to-date mapping from client.ad.company.com to client.company.com using
CNAMEs), I would be happy to hear. Zone transfers are out of the question -
we do not want all the hosts from AD DNS, only the certain subset of them.

Thanks,
Guy
--
Smith & Wesson - the original point and click interface

List info   : http://www.activedir.org/mail_list.htm
List FAQ    : http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
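Option 2 from the thread (an authenticated LDAPS bind with a validated DC certificate, then CNAME generation for BIND), as an added example that is not from the original posts. The host names, the `ca_file` path, the bind account and the search base are all assumptions; the `ldap3` package is assumed for the live query, while the record builder itself is pure and runs offline.

```python
import re
import ssl

# Constructed sample of what the LDAP query for dnsHostName might return
# (hypothetical host names; not from the original thread).
SAMPLE_DNSHOSTNAMES = [
    "ws01.ad.company.com",
    "WS02.ad.company.com",
    "printsrv.branch.ad.company.com",   # deeper subdomain: rejected below
    "rogue.other.example",              # not in the AD zone: rejected below
    "bad host.ad.company.com",          # invalid label: rejected below
]

# One valid DNS label (RFC 1035 style, lower-cased, no dots).
LABEL_RE = re.compile(r"^[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?$")


def build_cname_records(dns_hostnames, ad_zone="ad.company.com"):
    """Return (cname_lines, rejected) for hosts directly under ad_zone.

    Lines are relative to the company.com zone, e.g. "ws01 IN CNAME ws01.ad.company.com."
    Only single-label hosts inside ad_zone are accepted, so a mistyped or
    attacker-controlled dnsHostName cannot inject a CNAME pointing elsewhere.
    """
    suffix = "." + ad_zone.lower()
    records, rejected = [], []
    for name in dns_hostnames:
        fqdn = name.strip().lower().rstrip(".")
        if not fqdn.endswith(suffix):
            rejected.append(name)
            continue
        label = fqdn[: -len(suffix)]
        if not LABEL_RE.match(label):
            rejected.append(name)
            continue
        records.append(f"{label}\tIN\tCNAME\t{fqdn}.")  # absolute target
    return sorted(records), rejected


def fetch_dns_hostnames(dc_host, bind_user, bind_password, search_base, ca_file):
    """LDAPS bind as a service account; the DC certificate must chain to ca_file
    (assumes the ldap3 package; hypothetical parameters; not exercised offline)."""
    import ldap3  # imported here so build_cname_records works without it
    tls = ldap3.Tls(validate=ssl.CERT_REQUIRED, ca_certs_file=ca_file)
    server = ldap3.Server(dc_host, port=636, use_ssl=True, tls=tls)
    conn = ldap3.Connection(server, user=bind_user, password=bind_password, auto_bind=True)
    conn.search(search_base, "(objectClass=computer)", attributes=["dnsHostName"])
    return [e.dnsHostName.value for e in conn.entries if e.dnsHostName.value]


if __name__ == "__main__":
    lines, skipped = build_cname_records(SAMPLE_DNSHOSTNAMES)
    print("\n".join(lines))
    print("skipped:", skipped)
```

Restricting `search_base` to the pre-configured OUs keeps the export to the intended subset without a zone transfer, and the rejected list is worth logging so unexpected names are noticed rather than silently dropped.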
