On 10/24/2012 9:50 AM, Nicholas F Miller wrote:
On Oct 24, 2012, at 7:12 AM, Matus UHLAR - fantomas wrote:

We use Bind for all DNS including DDNS for our AD. We use GSS-TSIG to
control what record types and machines can make dynamic updates to our AD
zone.  We use ISC's DHCP but don't allow it to do DNS updates since we use
GSS-TSIG at the client level instead.
For me to understand: do your clients use GSS-TSIG to update themselves
instead of the DHCP server doing the same?
That is correct.

On Oct 22, 2012, at 11:36 AM, Aaron Thompson wrote:
Are you using AD or Bind for DNS/DHCP?  I'm assuming you're using AD for
authentication.
On Oct 19, 2012, at 10:46 AM, Nicholas F Miller <nicholas.mil...@colorado.edu> 
wrote:
DDNS record scavenging is the only feature I'm aware of that MS DNS has
that Bind doesn't.  On the flip side, ISC Bind can ACL who can add
certain record types to a dynamic zone using GSS-TSIG as well as
supports views and ACLs for recursion.  Everything else should be
standard DNS.
Isn't the client self-registration the reason why scavenging is needed?
Scavenging is a concern but we didn't have much choice. Our AD is only one of 
many subdomains and our DHCP spans all of them. If we used DHCP for DDNS 
records we wouldn't be guaranteed unique names. By limiting DDNS to just the AD 
we are guaranteed unique names. We only needed DDNS in our AD so it made the 
most sense to use GSS-TSIG.

A dirty way to scavenge 'A' or 'AAAA' records is to compare the records in your 
DDNS zone to all of the existing computer objects in your AD. If an 'A' or 
'AAAA' record is in your zone but no computer object matches it in the AD it 
can be assumed to be orphaned. Ldapsearch is a good tool to query the AD for 
computer objects.

Why do you feel the need to register clients in your AD domain at all? We register our clients outside of the AD domain via the DHCP server; our AD domain only contains resource records that are actually relevant to AD (i.e. over 92% of the records in the zone are SRV records).

                    - Kevin
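The orphan check Nicholas describes above, written out as an added example that is not from anyone on the thread: it matches the owner names of A/AAAA records from a zone dump (e.g. `dig AXFR` output) against the dNSHostName values that ldapsearch returns for AD computer objects, and skips the zone apex so the same-as-parent records that domain controllers register are not flagged. The zone lines and LDIF below are constructed sample data.

```python
import re

# Constructed BIND zone-file lines, as a zone transfer would print them; not real data.
ZONE_LINES = """\
ad.example.edu.         3600 IN SOA  dc1.ad.example.edu. hostmaster.example.edu. 1 2 3 4 5
ad.example.edu.         600  IN A    192.0.2.10
dc1.ad.example.edu.     3600 IN A    192.0.2.10
dc1.ad.example.edu.     3600 IN AAAA 2001:db8::10
ws-alice.ad.example.edu. 1200 IN A   192.0.2.55
ws-bob.ad.example.edu.  1200 IN A    192.0.2.56
old-lab.ad.example.edu. 1200 IN A    192.0.2.99
old-lab.ad.example.edu. 1200 IN AAAA 2001:db8::99
"""
# Constructed LDIF, shaped like `ldapsearch ... '(objectCategory=computer)' dNSHostName`.
LDIF_OUTPUT = """\
dn: CN=DC1,OU=Domain Controllers,DC=ad,DC=example,DC=edu
dNSHostName: dc1.ad.example.edu

dn: CN=WS-ALICE,CN=Computers,DC=ad,DC=example,DC=edu
dNSHostName: ws-alice.ad.example.edu

dn: CN=WS-BOB,CN=Computers,DC=ad,DC=example,DC=edu
dNSHostName: WS-BOB.ad.example.edu
"""
# owner  ttl  IN  A|AAAA  rdata  (other record types are ignored)
RR_RE = re.compile(r"^(\S+)\s+\d+\s+IN\s+(A|AAAA)\s+(\S+)$")

def zone_address_records(zone_text):
    """Return {(owner, type, rdata)} for A/AAAA records; owners lowercased, no trailing dot."""
    out = set()
    for line in zone_text.splitlines():
        m = RR_RE.match(line.strip())
        if m:
            out.add((m.group(1).rstrip(".").lower(), m.group(2), m.group(3)))
    return out

def ad_hostnames(ldif_text):
    """Return the set of dNSHostName values (lowercased) from ldapsearch LDIF output."""
    return {line.split(":", 1)[1].strip().lower()
            for line in ldif_text.splitlines() if line.startswith("dNSHostName:")}

def orphaned_records(zone_text, ldif_text, zone_apex):
    """A/AAAA records whose owner is neither the zone apex nor a known AD computer."""
    known = ad_hostnames(ldif_text)
    apex = zone_apex.rstrip(".").lower()
    return sorted(r for r in zone_address_records(zone_text)
                  if r[0] != apex and r[0] not in known)

if __name__ == "__main__":
    for owner, rtype, rdata in orphaned_records(ZONE_LINES, LDIF_OUTPUT, "ad.example.edu"):
        print(f"orphan: {owner} {rtype} {rdata}")
```

The comparison is by name only, so a record whose owner still exists but whose address is stale is not reported; review the list before removing anything, since a name can also be a hand-added static record rather than a computer object.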

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
