I have thought about that, but if you think about it, it only reverts
the problem: now I need to either install some software on the DC to
ensure a secure connection/authentication with the BIND box or do it in
three steps:
- get the data from AD and dump it into a flat file.
- transfer the file to the BIND machine.
- parse the file on the BIND box.

Both approaches are rather cumbersome and error-prone.
I tend to prefer installing a third-party certificate on the DC.
On this note, can anyone give me a hint on how to generate a CSR if I do
not have IIS installed? Is there any command line tool for that, maybe?

I tried scripting it
(http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dncapi/html/certenrollment.asp),
but it looks like I am doing something wrong: the CA has no problem
signing the CSRs generated by IIS, but would not sign mine
(script-generated).

Thanks,
Guy

On Thu, 2004-08-12 at 10:26, Bernard, Aric wrote:
> OK, understood.  While the original idea does accomplish the desired
> outcome, I think there are still other alternatives.  
> 
> For example, why not create a script that runs based on a schedule on a
> machine that is a member of the forest, runs in or uses the proper
> security context to access the desired information in the OUs, writes
> that information into the zone files on the BIND server, and then
> completes the appropriate action to ensure that the data is available in
> BIND DNS (i.e. restarting the DNS daemon)?
> 
> With this example, you do not need to modify the security around AD.  If
> for some reason you can not perform the desired BIND tasks remotely, you
> can transfer a file containing the data to an appropriate location and
> allow a scheduled script on the BIND server to perform the import, etc.
> 
> - Aric
> 
> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Guy Teverovsky
> Sent: Wednesday, August 11, 2004 10:11 PM
> To: [EMAIL PROTECTED]
> Subject: RE: [ActiveDir] Anonymous bind (here we go again)
> 
> Well, I know where the hosts should be in AD, but those hosts can
> change. The idea is that if a host resides in one of the OUs in question,
> it gets a CNAME in company.com, but the hosts can come and go, so I
> do not know which records should get CNAMEs without looking in the OUs.
> 
> Guy
> 
> On Thu, 2004-08-12 at 03:48, Bernard, Aric wrote:
> > Since you must already know what records you want to transform into
> > CNAME records in the BIND environment, why not build your scripts on
> > the Linux system to query the AD hosted DNS servers and then create the
> > CNAME records based on this DNS query instead of an LDAP query?
> > 
> > - Aric
> > 
> > -----Original Message-----
> > From: [EMAIL PROTECTED]
> > [mailto:[EMAIL PROTECTED] On Behalf Of Guy Teverovsky
> > Sent: Wednesday, August 11, 2004 2:34 PM
> > To: [EMAIL PROTECTED]
> > Subject: [ActiveDir] Anonymous bind (here we go again)
> > 
> > 
> > 
> > We have W2K3 AD (FFL/DFL 2003) configured as ad.company.com
> > There is a subset of workstations (located in pre-configured OUs) that
> > need to be resolvable using the "company.com" suffix (company.com zone
> > is managed by BIND, while ad.company.com is managed by MS DNS).
> > 
> > One of the ideas was to run (from Linux) LDAP queries against AD for
> > the machines in question, query the MS DNS for the registration and
> > build CNAME entries for BIND based on the query.
> > 
> > Caveat: our AD is configured with "LDAP signing requirement:
> > Negotiate", which means that any attempt at a simple bind will be
> > forced to use SSL/TLS (and we do not run a CA or have certs installed
> > on DCs) and otherwise will fail.
> > 
> > From here two options have been proposed:
> > 
> > 1) flip the 7th bit of dsHeuristics to allow anon access and grant
> > anonymous access to the required attributes (dnsHostName)
> > cons: this exposes the AD to potential DoS of the LDAP service by
> > anonymous users (am I right here?)
> > 
> > 2) install 3rd-party certs on DCs and have scripts use an embedded
> > service account for LDAP binds/queries.
> > cons/pros: I have no experience with 3rd-party certs on DCs. Are there
> > any caveats or gotchas here? Is it possible/reasonable?
> > 
> > In any case, nothing that is not already exposed by DNS is going to be
> > exposed.
> > 
> > If you can think of any other way of achieving the desired result
> > (up-to-date mapping from client.ad.company.com to client.company.com
> > using CNAMEs), I would be happy to hear. Zone transfers are out of the
> > question - we do not want all the hosts from AD DNS, only the certain
> > subset of them.
> > 
> > Thanks,
> > Guy
-- 
Smith & Wesson - the original point and click interface

List info   : http://www.activedir.org/mail_list.htm
List FAQ    : http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
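The scheduled-script approach discussed in the thread (query AD for the computers in the chosen OUs, derive one CNAME per host, feed the result to BIND), worked through as an added example that is not part of the thread and not code from any of its participants. It assumes the LDAP query has already been run from the Linux box, for instance with ldapsearch over ldaps:// as a service account (option 2 above), and takes that LDIF output as its input; the OU names, the sample LDIF entries and the function names are constructed for illustration.

```python
"""Turn an LDIF dump of AD computer objects into BIND CNAME records.

Added example (not from the thread). Input is LDIF as printed by
ldapsearch; the OUs, zone names and sample entries are assumptions.
"""
import re

AD_ZONE = "ad.company.com"        # zone served by MS DNS (from the thread)
TARGET_ZONE = "company.com"       # zone served by BIND (from the thread)
# OUs whose computers should get a CNAME in company.com (assumed names).
CNAME_OUS = [
    "OU=Lab,OU=Workstations,DC=ad,DC=company,DC=com",
    "OU=Kiosks,DC=ad,DC=company,DC=com",
]
# Constructed sample, shaped like the output of
#   ldapsearch ... '(&(objectCategory=computer)(dnsHostName=*))' dnsHostName
SAMPLE_LDIF = """\
dn: CN=WS01,OU=Lab,OU=Workstations,DC=ad,DC=company,DC=com
dnsHostName: ws01.ad.company.com

dn: CN=WS02,OU=Build,OU=Workstations,DC=ad,DC=company,DC=com
dnsHostName: ws02.ad.company.com

dn: CN=KIOSK7,OU=Kiosks,DC=ad,DC=company,DC=com
dnsHostName: kiosk7.ad.company.com

dn: CN=ODD,OU=Kiosks,DC=ad,DC=company,DC=com
dnsHostName: odd.other.example

dn: CN=NOHOST,OU=Kiosks,DC=ad,DC=company,DC=com
"""

LABEL_RE = re.compile(r"^[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?$")


def parse_ldif(text):
    """Minimal LDIF parser: returns a list of {attr_lower: [values]} dicts.

    Folded continuation lines (leading space) are joined; base64 values
    ("attr:: ...") are left undecoded, which is fine for ASCII dnsHostName.
    """
    unfolded = []
    for raw in text.splitlines():
        if raw.startswith(" ") and unfolded:
            unfolded[-1] += raw[1:]
        else:
            unfolded.append(raw)
    entries, current = [], {}
    for line in unfolded + [""]:          # trailing "" flushes the last entry
        if not line.strip():
            if current:
                entries.append(current)
                current = {}
        elif not line.startswith("#"):
            attr, _, value = line.partition(":")
            current.setdefault(attr.strip().lower(), []).append(value.strip())
    return entries


def dn_in_ou(dn, ou_dn):
    """True if dn lies (at any depth) under ou_dn.

    Normalised suffix match; assumes no escaped commas inside RDNs.
    """
    norm = lambda s: re.sub(r"\s*,\s*", ",", s.strip()).lower()
    return norm(dn).endswith("," + norm(ou_dn))


def build_cnames(ldif_text, ous, ad_zone, target_zone):
    """Return (sorted CNAME lines, [(dn, reason)] for entries left out)."""
    ad_suffix = "." + ad_zone.lower()
    records, skipped = [], []
    for entry in parse_ldif(ldif_text):
        dn = entry.get("dn", [""])[0]
        hosts = entry.get("dnshostname")
        if not hosts:
            skipped.append((dn, "no dnsHostName"))
            continue
        if not any(dn_in_ou(dn, ou) for ou in ous):
            skipped.append((dn, "not in a CNAME OU"))
            continue
        host = hosts[0].lower().rstrip(".")
        if not host.endswith(ad_suffix):
            skipped.append((dn, "dnsHostName outside " + ad_zone))
            continue
        label = host[: -len(ad_suffix)]
        if not LABEL_RE.match(label):        # one label only: no sub-zones
            skipped.append((dn, "not a single valid host label"))
            continue
        # Fully qualified owner and target so the line is $INCLUDE-safe
        # regardless of the zone file's current $ORIGIN.
        records.append(f"{label}.{target_zone}. IN CNAME {host}.")
    return sorted(records), skipped


def zone_fragment(records):
    """Render the records as a BIND zone fragment (a comment plus one RR per line)."""
    return "; generated from AD, do not edit by hand\n" + "\n".join(records) + "\n"


if __name__ == "__main__":
    recs, left_out = build_cnames(SAMPLE_LDIF, CNAME_OUS, AD_ZONE, TARGET_ZONE)
    print(zone_fragment(recs))
    for dn, why in left_out:
        print(f"; skipped {dn}: {why}")
```

Regenerate the fragment in full on every run rather than appending to it, so that a host which leaves one of the OUs loses its CNAME on the next pass (the "hosts come and go" case from the thread). Pull the fragment into the company.com zone with $INCLUDE, bump the SOA serial and run `rndc reload company.com`. One check worth adding before the reload: a CNAME may not share its owner name with any other record, so a generated label that collides with an existing company.com name will make the zone fail to load; `named-checkzone` on the assembled zone file catches that before BIND does.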
