
List:       bind9-users
Subject:    Re: more active directory ?'s
From:       Barry Finkel <b19141 () achilles ! ctd ! anl ! gov>
Date:       2003-04-30 14:31:26

Scott_Knight@ssmhc.com wrote (in part):

>>>OK.  I've searched through the archives and read about everything I've
>>>been able to find about AD and DNS.  I've got a good idea of how I could
>>>implement a pure Unix solution but in our environment I'm not sure that
>>>would be best.  In our current environment we have what we refer to as a
>>>"root" name server where all changes to zone files are made.  I work for a
>>>health care org and we have a system wide zone called "ssmhc.com" and then
>>>we have zones for each organization/hospital we own / manage.  So our
>>>named.conf looks something like ...
>>
>>  <piece omitted>
>>
>>>OK, so from what I've read there is a recommendation that you give "AD"
>>>its own sandbox to play in.

And I replied:

>>The answer depends upon your AD setup.   Are all the various hospitals
>>going to be in one AD forest?  Do you want W2k client machines doing
>>their own self registration DDNS?  Or will you have static client
>>registrations and just use DDNS for the SRV records?  The solution
>>(or solutions) depend upon answers to these questions.

Scott_Knight@ssmhc.com replied:

>Yes I believe the entire organization will be in one AD forest.
>
>Actually we are leaning toward having the DHCP server(s) do all the DDNS
>registrations for clients and letting the domain controllers use DDNS for
>the SRV records.

Since you have subdomains

     ic.ssmhc.com
     mgmt.ssmhc.com
     hosp1.ssmhc.com
     etc.

I am not sure how you fit this subdomain structure into

     AD.ssmhc.com

I think that you will need to create new zones

     ad.ssmhc.com
     ad.ic.ssmhc.com
     ad.mgmt.ssmhc.com
     ad.hosp1.ssmhc.com
     etc.

and delegate them to the W2k DNS Server.  Since you are planning DDNS
with DHCP (I assume the W2k DHCP Server), then for security purposes
you need the W2k DNS Server to handle the DDNS.  You should also have
these delegated zones slaved on your BIND servers, so the client
machines will still query your BIND servers, as they do now.  This
saves having to change the TCP/IP configurations on each of the W2k
machines.

Note that I am not an expert in the W2k AD; I know what I have
implemented here, and I know a little about other configurations that
have been mentioned in other postings.  Maybe someone else with more
MS W2k AD experience will have changes/corrections to what I have
proposed here.
----------------------------------------------------------------------
Barry S. Finkel
Computing and Instrumentation Solutions Division
Argonne National Laboratory          Phone:    +1 (630) 252-7277
9700 South Cass Avenue               Facsimile:+1 (630) 252-4601
Building 222, Room D209              Internet: BSFinkel@anl.gov
Argonne, IL   60439-4828             IBMMAIL:  I1004994
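As an added illustration of the layout Barry proposes above (example configuration written for this archive page, not part of the original post and not taken from either site's servers): the BIND "root" server stays master for ssmhc.com and the per-hospital zones, delegates each ad.* zone to the Windows domain controllers, and slaves those zones so clients keep querying the BIND servers they already use. The Windows DNS server is the only one that accepts dynamic updates, because it can require AD-authenticated (GSS-TSIG) updates, which BIND of that era could not validate. All hostnames, addresses (RFC 5737 documentation space), file paths and network ranges below are assumptions.

```conf
// ---- named.conf on the BIND "root" server (master for ssmhc.com) ----
// Added example; every name, address and path here is a placeholder.
options {
    directory "/var/named";
    // Recursion only for the hospitals' own networks (ranges assumed).
    allow-recursion { 192.0.2.0/24; 198.51.100.0/24; };
};

zone "ssmhc.com" {
    type master;
    file "master/ssmhc.com";
    // The parent zone is edited by hand on this server. Refusing dynamic
    // updates here means a misconfigured DHCP server or client can never
    // rewrite the hand-maintained records.
    allow-update { none; };
    allow-transfer { 192.0.2.2; 192.0.2.3; };   // the BIND slaves (assumed)
};

// The AD zone is mastered on the Windows DNS server, which receives the
// DDNS registrations from the DHCP server and the SRV records from the
// domain controllers. BIND only slaves it, so clients need no TCP/IP
// changes and BIND never has to accept an update for it.
zone "ad.ssmhc.com" {
    type slave;
    file "slave/ad.ssmhc.com";
    masters { 192.0.2.10; 192.0.2.11; };   // the domain controllers (assumed)
    allow-update { none; };                // updates go to the DCs, not here
};

// One slave stanza per hospital AD zone; the delegation for this one
// belongs in the hosp1.ssmhc.com zone file, which also lives on this server.
zone "ad.hosp1.ssmhc.com" {
    type slave;
    file "slave/ad.hosp1.ssmhc.com";
    masters { 198.51.100.10; };            // hosp1's domain controller (assumed)
    allow-update { none; };
};

// ---- master/ssmhc.com (excerpt): delegate the AD zone to the DCs ----
// The NS names sit inside the delegated zone, so glue A records are
// required; without them other resolvers cannot follow the delegation.
//   ad             IN NS    dc1.ad.ssmhc.com.
//   ad             IN NS    dc2.ad.ssmhc.com.
//   dc1.ad         IN A     192.0.2.10
//   dc2.ad         IN A     192.0.2.11

// ---- checks after "rndc reload" (BIND server 192.0.2.1 assumed) ----
// Delegation visible from the parent, and the DC SRV record answered
// from the slaved copy:
//   dig @192.0.2.1 ad.ssmhc.com NS
//   dig @192.0.2.1 _ldap._tcp.dc._msdcs.ad.ssmhc.com SRV
// An empty SRV answer means the zone transfer from the Windows server has
// not succeeded yet (check that it permits transfers to the BIND servers).
```

Because the BIND servers hold a slave copy of each ad.* zone, they answer those names authoritatively from local data; the NS and glue records in the parent matter for any resolver that is not one of the BIND slaves. On the Windows side the ad.* zones should be set to accept secure updates only and to allow zone transfers to the BIND slaves alone, so that the delegated zones cannot be modified or copied by arbitrary hosts.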
