Re: [ActiveDir] 3rd party DNS and windows DDNS updates

2006-01-20 Thread Al Mulnick
Kinda? Hmm...
:)
 
Go ahead and sniff it, but keep in mind that it may be different for different client versions. If they're all the same version, no worries but if you ever have different ones, then it's better to go the appropriate route for your risk tolerance. 

 
Alex, I can think of no time when a client would use a name resolution server that is not authoritative for its primary domain.  Ever.  Can you provide a scenario that would warrant such a thing? Technically that is.

 
 
It's never a good idea IMHO to use a NS that is not authoritative for your own primary zone.  Never.  That's because you'll get confused during troubleshooting and because you'll have trouble at some point in the lifetime of that client.  It's essentially a self-made time-bomb waiting for the right moment to ruin your day. 

   

RE: [ActiveDir] 3rd party DNS and windows DDNS updates

2006-01-20 Thread Alex Fontana








For starters…I kinda agree ;-)  Simplicity, especially when dealing with DNS and AD is my primary concern, and I may just be playing devil's advocate here, but if I learn something new it was worth it!  So…

I do care what it's supposed to do because it helps me in troubleshooting issues.  The RFC for DDNS specifically says that the client must know the name of the zone for which it is trying to update a RR, and must know the MNAME of the SOA for that zone.  That said, put a sniffer on your machine and run ipconfig /registerdns.  You'll see that the first operation is a query for the SOA for your hostname.

Besides, telling a client to use a different DNS server than one that is authoritative for its own primary zone happens all the time.  Think of a remote office in a DNS environment that uses primary/secondary configs.  More likely than not those clients are going to point to a Secondary DNS server as primary for resolution and maybe the master as secondary.  Regardless, the first operation will be a query for the SOA record.

Again, do I suggest everyone go and point their clients to bob.com's dns server when their clients are in the jim.bob.com domain?  No, of course not, but it would work.

 










Re: [ActiveDir] 3rd party DNS and windows DDNS updates

2006-01-20 Thread Al Mulnick
Additionally, I've never seen it work well even though it may be that it's supposed to.  To be honest, I never cared what it's supposed to do, because of the amount of confusion it causes and the likelihood that it would break for something it is ridiculous to begin with.  

 
In my opinion, there is no sound reason to tell a client to use a different DNS server than the one that is authoritative for its own primary zone for name services.  That's an absurd way to do things that has no technical merit that I have ever seen.  Whenever I see a configuration such as this, it is always either a misunderstanding or a politically motivated decision, but never a good one.

 
Like I said earlier, tell your client to avoid the hassle of a complicated name resolution scheme and instead use DNS the way it was designed to work. You get paid to make those kind of suggestions ;)
 
 
 
 

RE: [ActiveDir] 3rd party DNS and windows DDNS updates

2006-01-19 Thread Lee, Wook








Yea, with a caveat. You need to be careful when mixing DNS implementations. We've seen cases where forwarding of dynamic updates breaks because of bugs in one or both implementations. The moral of the story is to test, test, test, then deploy and keep your fingers crossed because there's no accounting for production. Be ready with a contingency plan in case it all comes crashing down around your ears.

Wook

 










RE: [ActiveDir] 3rd party DNS and windows DDNS updates

2006-01-19 Thread Alex Fontana








As I understand it, the client machine queries its primary DNS server for the SOA of the zone that matches the client's primary DNS suffix.  It then attempts to register its A/PTR records with the primary for that zone.  That said, as long as the client's primary DNS server knows who the SOA for the client's zone is you should be ok…  Yay? Nay?

 










Re: [ActiveDir] 3rd party DNS and windows DDNS updates

2006-01-19 Thread Al Mulnick
Give a little more detail, can you? 
 
What I think you're asking is, if the zone is a third party hosted zone delegated to AD, but the users are using the third party host as their primary dns resolver, then would they be able to update their records? 

 
Is that about it? 
 
If that's the case, then I would think not.  Why?  Because the client must talk directly to the server that is authoritative for the zone so it can write the record.  
 
In most situations, I have always advocated having machines use the servers that host their primary zone for all transactions.  This has always resulted in higher availability and lower resolution times when/if issues arise (it's hard to keep admins from doing things, right? ;)

 
Further, if the client machine is an AD member, it will do better if it is able to register its forward and reverse information.  Not for AD necessarily, but for other applications that use DNS.  If you're going to delegate the zone to AD anyway, have the clients use the AD DNS and just simplify your design.  All your AD DNS servers would then just forward or otherwise allow resolution for other zones, but you wouldn't have a bunch of complex name resolution issues.

 
Al 
On 1/19/06, Chandra Burra <[EMAIL PROTECTED]> wrote:

Hi,

Wanted to know if anyone has tried this or does this work.

Having a 3rd party DNS with a sub-zone or child zone created for AD and delegated that zone to windows DDNS.

Now if the clients are pointing to 3rd party DNS as primary DNS - will these clients be able to still register with the dynamic windows DNS?

Regards,
Chandra Burra
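The behaviour this thread argues about, as an offline model: Alex's point that the client first asks its configured resolver for the SOA covering its own name and then sends the update to that SOA's MNAME, Al's point that the update has to land on the server that is actually authoritative for the zone, and Chandra's layout of a third-party parent zone with the child zone delegated to AD. This is an added example, not code from the thread or from any Microsoft tool; it is a small Python simulation of the RFC 2136 update path. bob.com and jim.bob.com are the names the thread uses; ns1.bob.com, dc1.jim.bob.com, dc2.jim.bob.com, host1.jim.bob.com and the 10.0.0.5 address are constructed, and the way an authoritative-only resolver answers with a referral is a deliberate simplification of what a real Windows client would then do.

```python
"""Offline model of the DDNS registration path discussed in the thread.

Added example, not code from the mailing-list thread. It follows the
behaviour Alex describes: the client asks its configured resolver for the
SOA covering its own FQDN, then sends the UPDATE to the MNAME in that SOA,
which is Al's "talk directly to the authoritative server". bob.com and
jim.bob.com come from the thread; every server name, host name and IP
below is constructed, and the referral handling is a simplification of
what a real Windows client does with an authoritative-only resolver.
"""
from dataclasses import dataclass, field


@dataclass
class Soa:
    zone: str
    mname: str  # primary master named in the zone's SOA record


@dataclass
class DnsServer:
    name: str
    zones: dict = field(default_factory=dict)        # zone name -> Soa it serves
    delegations: dict = field(default_factory=dict)  # child zone -> NS server name
    recursive: bool = False                          # will it chase referrals for clients?
    records: dict = field(default_factory=dict)      # (zone, fqdn) -> ip written by updates


SERVERS = {}  # name -> DnsServer; the constructed lab network


def enclosing(names, fqdn):
    """Longest-suffix match: which of the given zone names contains fqdn?"""
    labels = fqdn.split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in names:
            return candidate
    return None


def query_soa(server, fqdn, depth=0):
    """'Query the SOA for my hostname': Soa of the zone containing fqdn,
    or None when this server can only hand back a referral."""
    zone = enclosing(server.zones, fqdn)
    child = enclosing(server.delegations, fqdn)
    if child and (zone is None or len(child) > len(zone)):
        # fqdn lies in a delegated child zone; an authoritative-only server
        # answers with NS records (a referral), not the child's SOA.
        if not server.recursive or depth > 8:
            return None
        return query_soa(SERVERS[server.delegations[child]], fqdn, depth + 1)
    return server.zones[zone] if zone else None


def send_update(target_name, soa, fqdn, ip):
    """The client sends the UPDATE to the MNAME, never to its resolver."""
    target = SERVERS.get(target_name)
    if target is None or soa.zone not in target.zones:
        return "REFUSED: %s is not authoritative for %s" % (target_name, soa.zone)
    if target.zones[soa.zone].mname != target.name:
        return "NOTAUTH: %s is a secondary, updates go to the primary" % target_name
    target.records[(soa.zone, fqdn)] = ip
    return "NOERROR"


def register_client(resolver_name, fqdn, ip):
    """What 'ipconfig /registerdns' does, as the thread describes it:
    1) SOA query through the configured resolver, 2) UPDATE to the MNAME."""
    soa = query_soa(SERVERS[resolver_name], fqdn)
    if soa is None:
        return "no SOA via %s: cannot locate the zone for %s" % (resolver_name, fqdn)
    return "%s -> update to %s: %s" % (soa.zone, soa.mname, send_update(soa.mname, soa, fqdn, ip))


def build_lab(third_party_recursive):
    """Chandra's layout with constructed names: a third-party server hosts
    bob.com and delegates jim.bob.com to the AD DNS on dc1."""
    SERVERS.clear()
    SERVERS["ns1.bob.com"] = DnsServer("ns1.bob.com",
        zones={"bob.com": Soa("bob.com", "ns1.bob.com")},
        delegations={"jim.bob.com": "dc1.jim.bob.com"},
        recursive=third_party_recursive)
    SERVERS["dc1.jim.bob.com"] = DnsServer("dc1.jim.bob.com",
        zones={"jim.bob.com": Soa("jim.bob.com", "dc1.jim.bob.com")})
    # remote-office secondary for jim.bob.com (Alex's primary/secondary case)
    SERVERS["dc2.jim.bob.com"] = DnsServer("dc2.jim.bob.com",
        zones={"jim.bob.com": Soa("jim.bob.com", "dc1.jim.bob.com")})


def run_scenarios(fqdn="host1.jim.bob.com", ip="10.0.0.5"):
    """Registration outcome for each resolver choice discussed in the thread."""
    results = {}
    for label, resolver, recursive in (
        ("third_party_recursive", "ns1.bob.com", True),
        ("third_party_auth_only", "ns1.bob.com", False),
        ("remote_office_secondary", "dc2.jim.bob.com", False),
        ("ad_dns_direct", "dc1.jim.bob.com", False),
    ):
        build_lab(recursive)
        results[label] = register_client(resolver, fqdn, ip)
    return results


if __name__ == "__main__":
    for label, outcome in run_scenarios().items():
        print("%-24s %s" % (label, outcome))
```

Running it prints the four outcomes side by side: the recursive third-party resolver and the remote-office secondary both hand the client an SOA whose MNAME is the AD primary, so the update succeeds (Alex's case); the authoritative-only third-party resolver answers the child-zone name with a referral, the client never learns the zone, and registration fails (Al's case). Whether a given third-party product behaves like the first or the second is exactly what Wook's "test, test, test" is about, and the same two queries, SOA lookup via the client's configured resolver and an update against the MNAME, are what to capture with a sniffer before rolling the design out.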