RE: [ActiveDir] AD DNS along with Bind

2006-05-25 Thread Bernard, Aric
You are surely not exposing your internal namespace to the Internet.
Or are you?

Let me get out the old Hacking 101 books...




RE: [ActiveDir] AD DNS along with Bind

2006-05-25 Thread Thommes, Michael M.
(From my DNS admin)
If I did that, then I would have to open DNS conduits through our
firewalls for the DC, as anyone who was requesting information from any
AD zone would be querying the DNS Server on the DC.  We try to limit
contact to the DC from the Internet.
--
Barry S. Finkel
Computing and Information Systems Division
Argonne National Laboratory  Phone:+1 (630) 252-7277
9700 South Cass Avenue   Facsimile:+1 (630) 252-4601
Building 222, Room D209  Internet: [EMAIL PROTECTED]
Argonne, IL   60439-4828 IBMMAIL:  I1004994



RE: [ActiveDir] AD DNS along with Bind

2006-05-24 Thread Freddy HARTONO
Mike,

Just read it properly now; the BIND DNS servers are secondary DNS for your
_msdcs.domain.com? That's interesting.


Thank you and have a splendid day!
 
Kind Regards,
 
Freddy Hartono
Group Support Engineer
InternationalSOS Pte Ltd
mail: [EMAIL PROTECTED]
phone: (+65) 6330-9785
 


RE: [ActiveDir] AD DNS along with Bind

2006-05-24 Thread Freddy HARTONO
Hi Mike,

Thanks, but personally I don't see why it's not delegated to all DNS DCs; it kind
of limits the load spreading and redundancy for the name-resolution
portion. Unless you are only running one DNS on the DC, in which case again the same
as above.

I'm guessing if your DC is down (the one running the DNS) clients are somehow
using the cache TTL of it - otherwise I'm pretty sure there'll be lots of
complaints :)

Thank you and have a splendid day!
 
Kind Regards,
 
Freddy Hartono
Group Support Engineer
InternationalSOS Pte Ltd
mail: [EMAIL PROTECTED]
phone: (+65) 6330-9785
 


RE: [ActiveDir] AD DNS along with Bind

2006-05-24 Thread Bernard, Aric
Why configure the BIND servers as secondary to the zones delegated to
the Windows DNS servers?  Why not just let the Windows DNS servers
handle those queries?  By doing so you would remove the issue
surrounding the zone serial numbers while also providing redundancy for
Windows-based zones and the dynamic updates they require.

Could just be a personal preference I suppose...

Aric


RE: [ActiveDir] AD DNS along with Bind

2006-05-24 Thread Thommes, Michael M.
Hi Freddy,
(From my DNS Admin)



When any client (or server) machine wants to locate an SRV record, it
asks the BIND slave servers, as the Windows 2003 DNS Server is not in
any TCP/IP configuration as a DNS server to be queried.
In fact, we recently moved the DNS Service from one DC to another when
we upgraded the original DC to new hardware.  The only machines we had
to change were the BIND slave servers, which had the IP address of the
old master in the BIND configuration file.


The BIND servers are slaves for all of the AD zones, so those BIND
servers give answers to the queries.  We have three DCs for the forest,
and if the one on which the DNS Service is running is down, then the
only problems are

   1) the rare DDNS update from a DC, updating an SRV or CNAME
  record

   2) the more frequent DDNS updates for one forward subdomain zone
  and its five reverse zones, all under the control of a Windows
  DHCP server.

I do not know if the DHCP code retries its DDNS.  The DC on which DNS
runs is not down that often, and we have not received complaints when it
was down.

>Interesting article mentioned below, does it apply to 2003 as well?

I assume you are referencing 282826 (previously known as Q282826).
It does apply to 2003.  When I first read it, I could not understand it.
I made a flowchart from the text, and after a MS employee explained it,
I understood it.

Assume that there is an AD-integrated zone, xxx.example.com, and there
are two DCs running the DNS Service.  Assume that all of the
behind-the-scenes AD synchronization has taken place, and both DCs have
exactly the same zone information; the zone serial number is, say, 100.
Some machine, pc1.xxx.example.com, sends a DDNS update to DC1.  After
the update is complete, the zone serial number on DC1 is now 101.
At the same time, another machine, pc2.xxx.example.com, sends a DDNS
update to DC2.  After that update is complete, the zone serial number on
DC2 is 101.  We now have two copies of the zone, each with serial number
101, and each has an update that the other does not have.
Which DC has the correct zone information?  Neither.  I have no idea how
long it takes the behind-the-scenes AD synchronization to occur.
When it has occurred, the resulting zone has both updates.  But what is
the serial number?  It can't be 101, as serial number 101 was associated
with a copy of the zone that did not have both of the updates.  Can it
be 102?  No, as there could have been another DDNS update to DC1 before
the synchronization occurred.  In this case,
DC1 would have serial number 102, and DC2 serial number 101.
I contend that there is no value that can be used as the serial number
for the combined-update zone.

What 282826 is saying is that the zone serial number is meaningless
unless that DNS Server is a master server feeding a BIND (or other
vendor) slave server.
--
Barry S. Finkel
Computing and Information Systems Division
Argonne National Laboratory  Phone:+1 (630) 252-7277
9700 South Cass Avenue   Facsimile:+1 (630) 252-4601
Building 222, Room D209  Internet: [EMAIL PROTECTED]
Argonne, IL   60439-4828 IBMMAIL:  I1004994



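The serial-number scenario Barry lays out above, worked through as an added example. This is code written for this page, not anything from the thread, from Microsoft or from ISC: it models two DNS servers that both accept dynamic updates for one AD-integrated zone, then applies the RFC 1982 serial comparison that a BIND secondary performs before deciding to transfer, so you can see why a merged zone republished with serial 101 would never reach a secondary that already holds 101. The starting serial (100), host names and addresses are constructed sample values; the single-master function models the one-Windows-DNS-server design the thread settles on.

```python
"""Model of the AD multi-master zone-serial problem (KB 282826) and of the
RFC 1982 serial check a BIND secondary applies before a zone transfer.
Added example for this page; names, serials and addresses are constructed."""

SERIAL_MASK = 0xFFFFFFFF
SERIAL_HALF = 1 << 31


def serial_gt(a: int, b: int) -> bool:
    """RFC 1982 'a is greater than b' for 32-bit SOA serials (wraparound-safe)."""
    a &= SERIAL_MASK
    b &= SERIAL_MASK
    if a == b:
        return False
    return (a < b and b - a > SERIAL_HALF) or (a > b and a - b < SERIAL_HALF)


def secondary_will_transfer(master_serial: int, secondary_serial: int) -> bool:
    """A secondary refreshes only when the master's serial is greater than its own."""
    return serial_gt(master_serial, secondary_serial)


class ZoneCopy:
    """One server's copy of a zone: its records and the SOA serial it publishes."""

    def __init__(self, name: str, serial: int, records: dict):
        self.name = name
        self.serial = serial
        self.records = dict(records)

    def dynamic_update(self, owner: str, rdata: str) -> None:
        """A DDNS update applied locally: the record changes, the serial goes up by one."""
        self.records[owner] = rdata
        self.serial = (self.serial + 1) & SERIAL_MASK


def ad_replicate(a: ZoneCopy, b: ZoneCopy) -> dict:
    """AD replication merges the two copies; the updates here touch different names,
    so no conflict resolution is needed and the merged zone holds both."""
    merged = dict(a.records)
    merged.update(b.records)
    return merged


def simulate_multimaster(start_serial: int = 100) -> dict:
    """Two DCs each take one update before replication: same serial, different data."""
    dc1 = ZoneCopy("DC1", start_serial, {"pc0": "192.0.2.1"})   # constructed
    dc2 = ZoneCopy("DC2", start_serial, dc1.records)
    dc1.dynamic_update("pc1", "192.0.2.11")   # pc1 registers against DC1 -> 101
    dc2.dynamic_update("pc2", "192.0.2.12")   # pc2 registers against DC2 -> 101
    merged = ad_replicate(dc1, dc2)
    return {
        "dc1_serial": dc1.serial,
        "dc2_serial": dc2.serial,
        "serials_collide": dc1.serial == dc2.serial,
        "copies_differ": dc1.records != dc2.records,
        "merged_has_both": "pc1" in merged and "pc2" in merged,
        # A secondary that already pulled a serial-101 copy will not refresh
        # if the merged zone is also published as 101; it would for 102.
        "secondary_at_101_refreshes_for_101": secondary_will_transfer(101, 101),
        "secondary_at_101_refreshes_for_102": secondary_will_transfer(102, 101),
    }


def simulate_single_master(start_serial: int = 100, updates: int = 3) -> dict:
    """The thread's design: one Windows DNS server takes every update, so the
    serial rises monotonically and the BIND secondaries see every change."""
    master = ZoneCopy("WinDNS", start_serial, {})
    secondary_serial = start_serial
    transfers = 0
    for i in range(updates):
        master.dynamic_update(f"pc{i}", f"192.0.2.{10 + i}")   # constructed
        if secondary_will_transfer(master.serial, secondary_serial):
            secondary_serial = master.serial
            transfers += 1
    return {"master_serial": master.serial,
            "secondary_serial": secondary_serial,
            "transfers": transfers}


if __name__ == "__main__":
    print(simulate_multimaster())
    print(simulate_single_master())
```

The point the model makes is the one Barry contends: no single serial describes the merged zone, and whichever value is chosen, a secondary compares it to the serial it already holds using only "greater than", so a collision silently leaves that secondary stale. With one master, every update is one increment and the comparison always succeeds.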
RE: [ActiveDir] AD DNS along with Bind

2006-05-23 Thread Freddy HARTONO
Hi Mike,

If you are delegating those 6 zones to only 1 DNS server, and that DNS server
is going through a quick reboot or downtime - then none of your clients can
find the NS delegation, hence causing a "no domain controller found"
scenario, isn't it?

Interesting article mentioned below, does it apply to 2003 as well?


Thank you and have a splendid day!
 
Kind Regards,
 
Freddy Hartono
Group Support Engineer
InternationalSOS Pte Ltd
mail: [EMAIL PROTECTED]
phone: (+65) 6330-9785
 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Thommes, Michael M.
Sent: Wednesday, May 24, 2006 4:38 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD DNS along with Bind

Adeel,
Here is a response from our DNS guy.  I hope it helps you.

Mike Thommes
=

Here are the steps I took for delegating the AD zones for example.com:

1) In the example.com zone on the BIND server I added these NS records
   to delegate the zone to the Windows 2003 DNS Server:

_msdcs          IN  NS  windnsserver.example.com.
_sites          IN  NS  windnsserver.example.com.
_tcp            IN  NS  windnsserver.example.com.
_udp            IN  NS  windnsserver.example.com.
ForestDNSZones  IN  NS  windnsserver.example.com.
DomainDNSZones  IN  NS  windnsserver.example.com.

2) Define these six zones on the Windows 2003 DNS Server.
   I use ONLY ONE Windows DNS Server due to serial number problems
   that can/will occur with the MS multi-master setup.  See Q282826.

   Ensure that the zones are AD-integrated with secure DDNS only.
   Change the zone properties:

      In the SOA ensure that the "Responsible person" field has
      the correct e-mail address (with the "@" replaced with ".").

      In the "Name Servers" tab add the BIND slaves (that are the
      registered nameservers for the example.com domain).

      Allow zone transfers to the servers in the Name Servers tab.

      Notify servers in the Name Servers tab.

   These changes will have to be done for each zone, as MS has not
   implemented global zone properties.

3) Define these six zones on the BIND slave DNS servers that are
   registered for the example.com zone.  The master server is
   obviously the Windows 2003 DNS Server.

4) In my case, the parent example.com zone is still on a BIND server,
   so I have manually entered the domain "A" records on that master
   server.  

Note that there are three types of DDNS from a Windows machine:

 a) A machine (desktop, server, or DC) self-registering
 b) A DC (netlogon) registering its SRV and CNAME records
 c) A DC (netlogon) registering the domain "A" record.

There are different registry keys controlling each of these, and since they
have been implemented at different times and since some of them have been
reused (from former, still current usage), the interaction among these
registry keys is complicated.  I count 162 different cases, and I have not
had time to test all of them.  If you do not care about DDNS requests being
sent to the BIND master for the example.com zone, where (I would hope) the
DDNS would be refused, then you do not have to worry about some of these
registry keys.

With this setup, the MS Windows DNS Server is a "hidden master".
It is known only via the MNAME (master server name) field in the SOA (Start
of Authority) record in each zone.  If your clients (be they Unix, Windows,
or Mac desktops) have the BIND servers in their TCP/IP configurations, then
these clients will continue to use the BIND servers for DNS resolution.
This will work for the AD zones, as all of the AD zones are slaved on the
BIND servers.  Any machine that needs to update the zone (DCs updating CNAME
and SRV records), or Windows clients (self-registration via DHCP) will use
secure DDNS, and these machines will locate the master via a standard SOA
query.

There is NO NEED for ANY machine to have the Windows DNS Server in its
TCP/IP configuration as a DNS server.  The nice thing about this is that you
do not have to go and change any client TCP/IP configuration.

On my one MS W2003 DNS Server I have the six AD zones for anl.gov and
fifteen sets of AD zones for subdomains of anl.gov.

There is documentation in the DNS "Bible" - "DNS and BIND" 4th edition (with
a fifth edition due out any minute, I am told).  There is also
documentation in "DNS on Windows Server 2003".  Both are O'Reilly books.
--
Barry S. Finkel
Computing and Information Systems Division
Argonne National Laboratory  Phone:+1 (630) 252-7277
9700 South Cass Avenue   Facsimile:+1 (630) 252-4601
Building 222, Room D209  Internet: [EMAIL PROTECTED]
Ar

RE: [ActiveDir] AD DNS along with Bind

2006-05-23 Thread Adeel Ansari
Mike, 

This is very detailed and clearly written. I appreciate it, say my thanks to
your DNS guy! 

Adeel


RE: [ActiveDir] AD DNS along with Bind

2006-05-23 Thread Thommes, Michael M.
Adeel,
Here is a response from our DNS guy.  I hope it helps you.

Mike Thommes
=

Here are the steps I took for delegating the AD zones for example.com:

1) In the example.com zone on the BIND server I added these NS records
   to delegate the zone to the Windows 2003 DNS Server:

_msdcs          IN  NS  windnsserver.example.com.
_sites          IN  NS  windnsserver.example.com.
_tcp            IN  NS  windnsserver.example.com.
_udp            IN  NS  windnsserver.example.com.
ForestDNSZones  IN  NS  windnsserver.example.com.
DomainDNSZones  IN  NS  windnsserver.example.com.

2) Define these six zones on the Windows 2003 DNS Server.
   I use ONLY ONE Windows DNS Server due to serial number problems
   that can/will occur with the MS multi-master setup.  See Q282826.

   Ensure that the zones are AD-integrated with secure DDNS only.
   Change the zone properties:
 
In the SOA ensure that the "Responsible person" field has
the correct e-mail address (with the "@" replaced with ".").

In the "Name Servers" tab add the BIND slaves (that are the
registered nameservers for the example.com domain).

Allow zone transfers to the servers in the Name Servers tab.

Notify servers in the Name Servers tab.

   These changes will have to be done for each zone, as MS has not
   implemented global zone properties.

3) Define these six zones on the BIND slave DNS servers that are
   registered for the example.com zone.  The master server is
   obviously the Windows 2003 DNS Server.

4) In my case, the parent example.com zone is still on a BIND server,
   so I have manually entered the domain "A" records on that master
   server.  

Note that there are three types of DDNS from a Windows machine:

 a) A machine (desktop, server, or DC) self-registering
 b) A DC (netlogon) registering its SRV and CNAME records
 c) A DC (netlogon) registering the domain "A" record.

There are different registry keys controlling each of these, and since
they have been implemented at different times and since some of them
have been reused (from former, still current usage), the interaction
among these registry keys is complicated.  I count 162 different cases,
and I have not had time to test all of them.  If you do not care about
DDNS requests being sent to the BIND master for the example.com zone,
where (I would hope) the DDNS would be refused, then you do not have to
worry about some of these registry keys.

With this setup, the MS Windows DNS Server is a "hidden master".
It is known only via the MNAME (master server name) field in the SOA
(Start of Authority) record in each zone.  If your clients (be they
Unix, Windows, or Mac desktops) have the BIND servers in their TCP/IP
configurations, then these clients will continue to use the BIND servers
for DNS resolution.  This will work for the AD zones, as all of the AD
zones are slaved on the BIND servers.  Any machine that needs to update
the zone (DCs updating CNAME and SRV records), or Windows clients
(self-registration via DHCP) will use secure DDNS, and these machines
will locate the master via a standard SOA query.

There is NO NEED for ANY machine to have the Windows DNS Server in its
TCP/IP configuration as a DNS server.  The nice thing about this is that
you do not have to go and change any client TCP/IP configuration.

On my one MS W2003 DNS Server I have the six AD zones for anl.gov and
fifteen sets of AD zones for subdomains of anl.gov.

There is documentation in the DNS "Bible" - "DNS and BIND" 4th edition
(with a fifth edition due out any minute, I am told).  There is also
documentation in "DNS on Windows Server 2003".  Both are O'Reilly books.
--
Barry S. Finkel
Computing and Information Systems Division
Argonne National Laboratory  Phone:+1 (630) 252-7277
9700 South Cass Avenue   Facsimile:+1 (630) 252-4601
Building 222, Room D209  Internet: [EMAIL PROTECTED]
Argonne, IL   60439-4828 IBMMAIL:  I1004994



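The message above says that updaters find the "hidden master" through a standard SOA query (the MNAME field), that the SOA "Responsible person" is an e-mail address with "@" written as ".", and that the author runs a single Windows DNS master because of zone serial problems (Q282826). The following is an added example, written for this page and not part of the thread or of any Microsoft or BIND tool: it builds the SOA query a DDNS client sends, parses a server's reply (wire format, including compression pointers) to pull out MNAME, the responsible-person name and the serial, and checks with RFC 1982 serial arithmetic whether a slave's copy is behind the master's. Both DNS messages are constructed in the script itself, the zone name and master name are taken from the thread, and hostmaster.example.com, the serial values and the timers are placeholders chosen for the example.

```python
"""Added example: locate a hidden DNS master via SOA MNAME and compare zone serials.
Standard library only. All messages below are constructed here, not captured."""
import struct

SOA_TYPE = 6
IN_CLASS = 1


def encode_name(name):
    """Dotted host name -> DNS wire labels (no compression)."""
    wire = b""
    for label in name.rstrip(".").split("."):
        if not 1 <= len(label) <= 63:
            raise ValueError("bad label in %r" % name)
        wire += bytes([len(label)]) + label.encode("ascii")
    return wire + b"\x00"


def decode_name(msg, off):
    """Decode a possibly compressed name at msg[off]; return (name, offset after it)."""
    labels, end, hops = [], None, 0
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:                  # 2-byte compression pointer
            if end is None:
                end = off + 2                      # the name ends where the first pointer ends
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            hops += 1
            if hops > 64:
                raise ValueError("compression pointer loop")
            continue
        if length == 0:                            # root label terminates the name
            return ".".join(labels) + ".", (end if end is not None else off + 1)
        labels.append(msg[off + 1:off + 1 + length].decode("ascii"))
        off += 1 + length


def build_soa_query(zone, qid=0x1234):
    """Client side: plain SOA query with RD set, the first thing a DDNS updater sends."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(zone) + struct.pack("!HH", SOA_TYPE, IN_CLASS)


def build_soa_response(query, mname, rname, serial,
                       refresh=900, retry=600, expire=86400, minimum=3600):
    """Server side, constructed for the example: echo the question, append one SOA RR."""
    qid = struct.unpack("!H", query[:2])[0]
    question = query[12:]
    header = struct.pack("!HHHHHH", qid, 0x8400, 1, 1, 0, 0)      # QR=1 AA=1 RCODE=0
    rdata = (encode_name(mname) + encode_name(rname)
             + struct.pack("!IIIII", serial, refresh, retry, expire, minimum))
    owner = b"\xc0\x0c"                            # pointer to the question name at offset 12
    return header + question + owner + struct.pack("!HHIH", SOA_TYPE, IN_CLASS, 3600, len(rdata)) + rdata


def parse_soa_response(msg):
    """Return the first SOA RR of the answer section as a dict; MNAME names the master."""
    _, flags, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", msg[:12])
    if not flags & 0x8000:
        raise ValueError("not a response")
    if flags & 0x000F:
        raise ValueError("server returned RCODE %d" % (flags & 0x000F))
    off = 12
    for _ in range(qdcount):                       # skip the question section
        _, off = decode_name(msg, off)
        off += 4
    for _ in range(ancount):
        owner, off = decode_name(msg, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == SOA_TYPE:
            mname, p = decode_name(msg, off)
            rname, p = decode_name(msg, p)
            serial, refresh, retry, expire, minimum = struct.unpack("!IIIII", msg[p:p + 20])
            return {"zone": owner, "mname": mname, "rname": rname, "serial": serial,
                    "refresh": refresh, "retry": retry, "expire": expire, "minimum": minimum}
        off += rdlen
    raise ValueError("no SOA record in answer section")


def rname_to_email(rname):
    """Undo the SOA 'responsible person' encoding: the first label is the local part.
    Escaped dots in the local part are not handled (this setup never uses them)."""
    labels = rname.rstrip(".").split(".")
    return labels[0] + "@" + ".".join(labels[1:])


def serial_lt(a, b):
    """RFC 1982 serial arithmetic: True when a is older than b on the 32-bit circle."""
    a &= 0xFFFFFFFF
    b &= 0xFFFFFFFF
    return a != b and ((a < b and b - a < 2 ** 31) or (a > b and a - b > 2 ** 31))


def slave_is_behind(master_response, slave_response):
    """The check that matters for a slave: it only transfers when its serial is older."""
    m = parse_soa_response(master_response)
    s = parse_soa_response(slave_response)
    return serial_lt(s["serial"], m["serial"])


if __name__ == "__main__":
    # Constructed exchange: a DC asks its configured BIND slave for the SOA of _msdcs.example.com
    q = build_soa_query("_msdcs.example.com")
    from_slave = build_soa_response(q, "windnsserver.example.com", "hostmaster.example.com", 2006052301)
    soa = parse_soa_response(from_slave)
    print("hidden master (MNAME):", soa["mname"])                  # windnsserver.example.com.
    print("responsible person   :", rname_to_email(soa["rname"]))  # hostmaster@example.com
    # Placeholder serials: the Windows master has bumped the zone once more than the slave saw.
    from_master = build_soa_response(q, "windnsserver.example.com", "hostmaster.example.com", 2006052302)
    print("slave behind master  :", slave_is_behind(from_master, from_slave))  # True
```

Pointing the same parser at real answers from each BIND slave and at the Windows server (for example by sending `build_soa_query(...)` over UDP port 53 to each) gives a quick way to spot a slave that has stopped transferring: the serial comparison is the one the slave itself performs, and `serial_lt` handles the 32-bit wrap that a plain `<` gets wrong.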
[ActiveDir] AD DNS along with Bind

2006-05-23 Thread Adeel Ansari
Team,

Is it possible to have AD DCs manage all the dynamic zones, i.e. _tcp, _udp,
_msdcs etc., and have the rest of the non-AD zones managed by Bind? Has
anyone done something like this? There is an MS article (ID:255913) that
talks about it; however, it doesn't say which DNS server the clients should point to.

Regards,
Adeel

List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/