Hello Phil,

Phil Mayers <p.may...@imperial.ac.uk> writes:

> Our experience is that this can cause (minor) problems.
>
> The basic issue is that, if you have an AD realm:
>
> EXAMPLE.COM
>
> ...and a machine:
>
> foo
>
> ...then Windows tries very hard to stick its fingers in its ears,
> shout "la la I am not listening" and assume its hostname is:
>
> foo.example.com
>
> You have to fiddle around extensively to make the client *think* its
> name is what it really is, and it has never been clear to me what the
> implications of doing so are.
>
> This can matter if you have systems that trust the client's own idea of
> the hostname (e.g. vPro/AMT enterprise provisioning) or if you have
> support staff who want to be able to right-click on a machine from the
> "AD users & computers" snap-in and click "manage".
>
> If people have any insight into an easy way of updating clients with
> the correct idea of their own DNS hostnames, and can explain how this
> interacts with the per-connection DNS suffix stuff in the IP stack, I
> would be very grateful!

My experience is that it is safe to place clients either in a DNS domain with the same name as the AD domain, or in a subdomain of the AD domain.

Using a subdomain has the benefit of separating infrastructure information (SRV records, server A/AAAA records) from client information. These DNS zones can have a different dynamic update policy/ACL, and can even be delegated to different DNS servers.

Example:

DNS-Domain: "example.com"
AD-Domain: "ad.example.com"
Client-DNS Zone: "client.ad.example.com"

all with proper delegations. Clients will follow the DNS hierarchy to find the SRV records in the AD-Domain DNS zone.

Putting AD clients into a DNS suffix (aka "local domain") that is a different branch of the DNS namespace than the AD-Domain DNS name creates problems and is not recommended (e.g. AD-Domain "example.com", clients in "ad.example.").

Connection-specific DNS suffixes, to my knowledge, are used in the case that one machine has network connections into multiple AD networks (a gateway machine, or a common server that serves multiple, disjoint AD domains).

As always, DNS (also Microsoft-based DNS for AD) works best if there is an uninterrupted delegation chain from the root (can be an internal root or the Internet DNS root) to the authoritative DNS servers, and if resolving DNS servers are separated from the authoritative DNS servers. A unified DNS namespace, as seen from every machine in the AD network, is important. There should be only one DNS namespace.

A general observation: I find a high number of DNS admins in AD networks who have the perception that the earth, pardon, DNS, is flat. It is not, it is a hierarchy :). And every attempt to make it appear flat creates problems.

-- 
Carsten Strotmann
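Added as a worked example, not part of Carsten's message: BIND named.conf zone statements for the three zones he describes (organisation zone, AD-domain zone for infrastructure records, client zone), each with its own update policy, followed by the parent-zone delegation records. Server addresses, the TSIG key name "dhcp-updater", and the specific update-policy grants are assumptions for illustration.

```conf
// --- named.conf fragment (constructed example; addresses and key
// --- names are assumptions, not taken from the list message) ---

// 1. Organisation zone: only holds the delegation to the AD domain.
//    No dynamic updates at all.
zone "example.com" {
    type master;
    file "zones/example.com.db";
    allow-update { none; };
};

// 2. AD-domain zone: SRV and other locator records only. Domain
//    controllers register them via GSS-TSIG with their machine
//    accounts in the Kerberos realm AD.EXAMPLE.COM; DC A/AAAA records
//    are kept static in the zone file (they must match the glue).
zone "ad.example.com" {
    type master;
    file "zones/ad.example.com.db";
    update-policy {
        grant AD.EXAMPLE.COM ms-subdomain _msdcs.ad.example.com. ANY;
        grant AD.EXAMPLE.COM ms-subdomain _sites.ad.example.com. ANY;
        grant AD.EXAMPLE.COM ms-subdomain _tcp.ad.example.com.   ANY;
        grant AD.EXAMPLE.COM ms-subdomain _udp.ad.example.com.   ANY;
    };
};

// 3. Client zone: a separate ACL. Here the DHCP server registers
//    client A/AAAA records with an (assumed) TSIG key; client machines
//    cannot touch the infrastructure zone above.
zone "client.ad.example.com" {
    type master;
    file "zones/client.ad.example.com.db";
    update-policy {
        grant dhcp-updater subdomain client.ad.example.com. A AAAA;
    };
};

// --- zone file fragments: the delegations that make the chain
// --- root -> example.com -> ad.example.com -> client.ad.example.com
// --- uninterrupted (';' is the zone-file comment character) ---

; zones/example.com.db: delegate the AD domain, with glue
ad.example.com.             IN NS  dc1.ad.example.com.
ad.example.com.             IN NS  dc2.ad.example.com.
dc1.ad.example.com.         IN A   192.0.2.10
dc2.ad.example.com.         IN A   192.0.2.11

; zones/ad.example.com.db: delegate the client zone (may point to
; different servers than the AD zone itself)
client.ad.example.com.      IN NS  ns1.client.ad.example.com.
ns1.client.ad.example.com.  IN A   192.0.2.20
```

Check each delegation from the parent side with `dig +norecurse` against the parent's servers and compare with the child's apex NS set; a mismatch is exactly the interrupted chain the message warns about.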