Re: ISC Bind in Active Directory

2012-10-20 Thread Carsten Strotmann

Hello Aaron,

Aaron Thompson athomp...@berklee.edu writes:

 I'm hoping to get some feedback from people who use ISC Bind and
 DHCPD in Active Directory environments.
[...]

 If you have any relevant feedback I would appreciate it.  I'm looking
 for information on experience with Active Directory integration with
 ISC or if anyone has had problems/stability issues with AD doing
 DNS/DHCP or AD working with ISC.


I've seen and worked in a number of Active Directory installations
during the last 12 years that were using non-Microsoft DNS and DHCP
components.

My experience is that if implemented correctly, it is possible to run
Microsoft Active Directory with DNS and DHCP provided by BIND and ISC
DHCP. However, doing that successfully requires that the administrator
has a good understanding of:

* the way DNS dynamic updates work. I found that many administrators
  do not understand the inner workings of DNS dynamic update. It is
  important to understand how a machine sending dynamic updates (in the AD
  case an AD client or a domain controller) finds the DNS zone to be
  updated. Proper DNS delegation and a clean DNS design are
  key. Separating caching/resolving DNS and authoritative DNS helps much.

* the mechanics of how the Windows operating system updates the SRV and A
  records in a DNS domain that is the foundation of an Active Directory
  domain. Also important is the knowledge of which records are expected in DNS
  for successful AD operations. The knowledge is available on the
  Internet, but the pages are often outdated (Windows 2000 is different
  from Windows 2008, which is different from 2012, in details) and the
  information is scattered across many places. Finding it all can be
  difficult and can take time. The new AD best practice analyzer that comes
  with Windows 2008R8 and Windows 2012 can help here.

Microsoft extensions like Aging and Scavenging support the
administrator in operating Active Directory, but are not essential.

Getting communication between MS DNS - ISC DHCP or MS DHCP - BIND
DNS secured (TSIG vs. GSS-TSIG) can be challenging. But it is possible.

My general experience is: working in an all-Windows OS environment where
all components of AD are supplied by Microsoft products requires less
detailed knowledge and less arguing (with management and Microsoft
oriented consultants).  But running BIND and ISC DHCP gives more
flexibility and control.

Pick your choice -- easy life vs. understanding
and fun :)

Carsten Strotmann
Men & Mice
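As an added illustration of the "secured dynamic updates" point above (this is not from Carsten's message nor ISC's documentation), here is the shape of a BIND named.conf fragment that replaces an open update ACL with a GSS-TSIG update-policy tied to the AD Kerberos realm. The realm EXAMPLE.COM, the zone example.com, the zone file and the keytab path are placeholders; the rule grammar is BIND's update-policy syntax and should be checked against the ARM of the BIND version in use.

```conf
# Constructed example; realm, zone name, file and keytab path are placeholders.

# Weak setting often seen in AD migrations: any host that can reach the
# server may rewrite the whole zone, including the SRV records that
# clients use to find domain controllers.
#
# zone "example.com" {
#     type master;
#     file "example.com.zone";
#     allow-update { any; };
# };

# Hardened setting: named authenticates update clients against the AD
# realm with GSS-TSIG, so a client can only touch what its principal allows.
options {
    # Keytab holding the DNS/<server fqdn>@EXAMPLE.COM service principal,
    # exported from AD for this BIND host (assumed path).
    tkey-gssapi-keytab "/etc/named/dns.keytab";
};

zone "example.com" {
    type master;
    file "example.com.zone";
    update-policy {
        # Each AD member (machine$@EXAMPLE.COM) may only update the
        # A/AAAA records of its own host name.
        grant EXAMPLE.COM ms-self * A AAAA;
        # Domain controllers register locator records below these labels;
        # limit them to the record types AD actually writes there.
        grant EXAMPLE.COM ms-subdomain _msdcs.example.com. SRV A CNAME;
        grant EXAMPLE.COM ms-subdomain _sites.example.com. SRV;
        grant EXAMPLE.COM ms-subdomain _tcp.example.com.   SRV;
        grant EXAMPLE.COM ms-subdomain _udp.example.com.   SRV;
    };
};
```

Log denied updates (the "update" category) while rolling this out: the first DC promotion after the change shows which records AD still expects to write and therefore which grant, if any, is missing.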
___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

Re: Disable log message

2012-10-20 Thread Warren Kumari

On Oct 20, 2012, at 12:34 AM, David Miller dmil...@tiggee.com wrote:

 
 
 On 10/19/2012 11:57 PM, Chris Buxton wrote:
 On Oct 19, 2012, at 6:22 PM, Warren Kumari wrote:
 On Oct 19, 2012, at 9:17 PM, Michael Hoskins (michoski) 
 micho...@cisco.com wrote:
 -Original Message-
 On Oct 19, 2012, at 6:13 PM, Alan Clegg a...@clegg.com wrote:
 
 
 On Oct 18, 2012, at 1:13 PM, Chris Thompson c...@cam.ac.uk wrote:
 
 On Oct 18 2012, Jeremy C. Reed wrote:
 
 On Thu, 18 Oct 2012, Jack Tavares wrote:
 
 I am running bind9.8.x built from source and I see this message in
 the logs
 built with '--prefix=/blah' '--sbindir=/blah' '--sysconfdir=/blah'
 '--localstatedir=/var' '--exec-prefix=/usr' '--libdir=/usr/lib'
 '--mandir=/usr/share/man' '--with-openssl=/blah'
 '--enable-fixed-rrset' '--enable-shared' '--enable-threads'
 '--enable-ipv6' '--with-libtool'  etc etc etc I would prefer to not
 have that show up in the log.
 Short of modifying the source, is there an easy way to disable that?
 
 No way to disable just it. It is in the general catch-all category.
 
 Also, it is output before the configuration logging directives have
 been
 processed, so it comes out with the internal defaults for category and
 priority (daemon.notice). Any suppression would need to be done at the
 syslog level.
 
 But I have some difficulty understanding why anyone would want it
 suppressed.
 It's true that BIND is a bit noisier than it used to be at this stage,
 but
 can this really be a problem? Do you let the black hats see your
 system logs?
 
 
 This message was added by general recognition that being able to
 rebuild a drop-in binary for BIND when you didn't have access to the
 build directory (where the config.log contains the information) was a
 good thing.
 
 Yah, a very good thing… This has been really really useful to me on a
 number of occasions…
 
 
 I, for one, see no reason to suppress this message (but I do have blind
 spots at times).
 
 Me neither, but I am interested why folk might want to…
 
 Maybe it's viewed as information disclosure?
 
 Ah, that's a good point, especially if BIND is being incorporated into an 
 appliance / black box and there is no need for the users of the appliance 
 to know what all goes on under the hood?
 
 As an employee of the maker of an appliance solution, I can say that we 
 gladly tell our customers what's going on under the hood. If we didn't, they 
 wouldn't trust us.
 
 Does this log message provide any information that the -V option doesn't
 provide?
 
 $ named -V
 BIND 9.8.0-P4 built with '--prefix=/blah' '--exec-prefix=/blah'
 '--enable-threads' '--enable-ipv6' 'CFLAGS=-O2 -march=native ...and so on...
 using OpenSSL version: OpenSSL 1.0.0d 8 Feb 2011
 using libxml2 version: 2.7.8

Nope, but there is a difference between someone actually being interested and 
looking (or asking their vendor) and having it show up directly in the logs…  
Someone who cares will be able to quite easily tell that it is BIND (esp if 
they get something like console access), but I have seen some appliance folk 
who don't *really* publicize this…

W

 
 -DMM

-- 
He who laughs last, thinks slowest. 
-- Anonymous
