Bind DNS for Active Directory DCs

#1
Bind DNS for Active Directory DCs

I have 4 Bind DNS entries for my domain as follows:
Code:
_ldap._tcp.mydomain.com.                 SRV 0   0   389 server01.mydomain.com.
_kerberos._tcp.mydomain.com.             SRV 0   0   88  server01.mydomain.com.
_ldap._tcp.dc._msdcs.mydomain.com.       SRV 0   0   389 server01.mydomain.com.
_kerberos._tcp.dc._msdcs.mydomain.com.   SRV 0   0   88  server01.mydomain.com.
I want to make sure the other domain controllers are found and used. I've just added the same 4 records for each server and it will round robin them, but what about machines in different sites? Will this be enough to use all the domain controllers correctly?

If I read correctly, when a domain controller receives a request, it will tell you to use a domain controller closer to you.

What I want to know is how can a client be efficient and use its own domain controller first? Does it have to go through the discovery process of getting one of the DNS records and querying that server, which then refers it to a nearer domain controller?

I don't want to have to use Bind views for this as I'd have to specify only the local DC and this would lose me redundancy in case the local DC was rebooting or went down.

Any recommendations for proper DNS/site setup?

#2
Re: Bind DNS for Active Directory DCs

Looks like you are short on SRV records.
When you DCPROMO a server, it places a file "netlogon.dns" in the windows\system32\config folder which contains all the SRV and A records that the DC needs to have registered. Just use the file to populate the zone in BIND.
Guy Teverovsky
"Smith & Wesson - the original point and click interface"
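One way to turn the advice in the reply above into a repeatable check, as an added example that is not code from the thread or from Microsoft: a Python script that parses SRV records written in the netlogon.dns layout (and in the bare layout used in the question) and reports, per DC, which of the expected domain-wide and site-specific names have no record pointing at that DC. The sample excerpt, the server names, the "London"/"Paris" sites and the REQUIRED_SRV subset are constructed for illustration; the complete list of names a DC registers is the one in its own netlogon.dns.

```python
import re

# Constructed excerpt in the style of a DC's netlogon.dns: two hypothetical DCs,
# server01 in site "London" and server02 in site "Paris". Not from any real server.
SAMPLE_NETLOGON_DNS = """
mydomain.com. 600 IN A 10.1.0.10
_ldap._tcp.mydomain.com. 600 IN SRV 0 100 389 server01.mydomain.com.
_ldap._tcp.London._sites.mydomain.com. 600 IN SRV 0 100 389 server01.mydomain.com.
_ldap._tcp.dc._msdcs.mydomain.com. 600 IN SRV 0 100 389 server01.mydomain.com.
_ldap._tcp.London._sites.dc._msdcs.mydomain.com. 600 IN SRV 0 100 389 server01.mydomain.com.
_kerberos._tcp.mydomain.com. 600 IN SRV 0 100 88 server01.mydomain.com.
_kerberos._tcp.London._sites.mydomain.com. 600 IN SRV 0 100 88 server01.mydomain.com.
_kerberos._tcp.dc._msdcs.mydomain.com. 600 IN SRV 0 100 88 server01.mydomain.com.
_kerberos._tcp.London._sites.dc._msdcs.mydomain.com. 600 IN SRV 0 100 88 server01.mydomain.com.
_kpasswd._tcp.mydomain.com. 600 IN SRV 0 100 464 server01.mydomain.com.
; server02 was added by hand with only the four generic records from the question
_ldap._tcp.mydomain.com.                 SRV 0   0   389 server02.mydomain.com.
_kerberos._tcp.mydomain.com.             SRV 0   0   88  server02.mydomain.com.
_ldap._tcp.dc._msdcs.mydomain.com.       SRV 0   0   389 server02.mydomain.com.
_kerberos._tcp.dc._msdcs.mydomain.com.   SRV 0   0   88  server02.mydomain.com.
"""

# Subset of the SRV names a DC registers (domain-wide plus site-specific forms);
# the DC's own netlogon.dns carries the full list, including the GUID/pdc/gc ones.
REQUIRED_SRV = [
    ("_ldap._tcp.{domain}", 389),
    ("_ldap._tcp.dc._msdcs.{domain}", 389),
    ("_ldap._tcp.{site}._sites.{domain}", 389),
    ("_ldap._tcp.{site}._sites.dc._msdcs.{domain}", 389),
    ("_kerberos._tcp.{domain}", 88),
    ("_kerberos._tcp.dc._msdcs.{domain}", 88),
    ("_kerberos._tcp.{site}._sites.{domain}", 88),
    ("_kerberos._tcp.{site}._sites.dc._msdcs.{domain}", 88),
    ("_kpasswd._tcp.{domain}", 464),
]

# Matches both the netlogon.dns form ("name TTL IN SRV ...") and the bare form
# used in the question ("name SRV ..."); TTL and class are optional.
SRV_RE = re.compile(
    r"^(?P<name>\S+)\s+(?:\d+\s+)?(?:IN\s+)?SRV\s+"
    r"(?P<prio>\d+)\s+(?P<weight>\d+)\s+(?P<port>\d+)\s+(?P<target>\S+)$",
    re.IGNORECASE,
)


def parse_srv_records(text):
    """Return (name, priority, weight, port, target) tuples; names lowercased."""
    records = []
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()  # strip zone-file comments
        m = SRV_RE.match(line)
        if m:  # A records and blank lines are skipped
            records.append((m["name"].lower(), int(m["prio"]), int(m["weight"]),
                            int(m["port"]), m["target"].lower()))
    return records


def audit_dc_srv_records(records, domain, dc_sites):
    """Map each DC to the list of required (name, port) it has no SRV record for."""
    present = {(name, port, target) for name, _p, _w, port, target in records}
    missing = {}
    for dc, site in dc_sites.items():
        gaps = []
        for template, port in REQUIRED_SRV:
            name = template.format(domain=domain, site=site).lower()
            if (name, port, dc.lower()) not in present:
                gaps.append((name, port))
        missing[dc] = gaps
    return missing


if __name__ == "__main__":
    recs = parse_srv_records(SAMPLE_NETLOGON_DNS)
    report = audit_dc_srv_records(recs, "mydomain.com.",
                                  {"server01.mydomain.com.": "London",
                                   "server02.mydomain.com.": "Paris"})
    for dc, gaps in report.items():
        print(dc, "OK" if not gaps else "missing:")
        for name, port in gaps:
            print("   ", name, port)
```

Feed it the concatenated netlogon.dns files collected from each DC (or the BIND zone file itself) and the DC-to-site mapping from Sites and Services; a DC with an empty list is covered, while the hand-added server02 in the sample shows up with its five site-specific and kpasswd gaps.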


#3
Re: Bind DNS for Active Directory DCs

thanks for that!

I didn't know that file was there and it really makes it easy to take the records to bind (which I guess is the point - now the question is why isn't this more widely known)

I put the minimum records and this seemed to work. But I will put the rest by collecting this file from each DC and adding it to Bind.


#4
Re: Bind DNS for Active Directory DCs

Originally posted by humbletech99:
thanks for that!
I didn't know that file was there and it really makes it easy to take the records to bind (which I guess is the point - now the question is why isn't this more widely known)
Well, it's in the docs. And as to why this is not widely known, my bet is that running AD with BIND is not a very common setup. If you ask me, it has much more cons than pros. AD-integrated zones with secure dynamic updates utilizing GSS-TSIG are much easier to maintain.
Guy Teverovsky
"Smith & Wesson - the original point and click interface"


#5
Re: Bind DNS for Active Directory DCs

I know, that's what I did when setting up Active Directory for my last place, but we're fond of Bind here (also it allows us to do things like views which share a single configuration and give different answers depending on which ip the request comes from so that people in each site go to their local server for a service...)

I'll have to go find those docs you speak of...

I'm also considering moving over to MS DNS instead of Bind if I can see a good way to do the views thing... otherwise if I create a record in an AD-integrated zone it will be replicated to the other site and give the same answer at both sites which isn't the desired effect...
Last edited by humbletech99; 19th January 2007, 11:29.


#6
Re: Bind DNS for Active Directory DCs

Originally posted by humbletech99:
(also it allows us to do things like views which share a single configuration and give different answers depending on which ip the request comes from so that people in each site go to their local server for a service...)
You mean like Netmask Ordering? Can BIND do it for more than just A records?
Regards,
Jeremy

Network Consultant/Engineer
Baltimore - Washington area and beyond
www.gma-cpa.com


#7
Re: Bind DNS for Active Directory DCs

Originally posted by humbletech99:
I know, that's what I did when setting up Active Directory for my last place, but we're fond of Bind here (also it allows us to do things like views which share a single configuration and give different answers depending on which ip the request comes from so that people in each site go to their local server for a service...)

I'll have to go find those docs you speak of...

I'm also considering moving over to MS DNS instead of Bind if I can see a good way to do the views thing... otherwise if I create a record in an AD-integrated zone it will be replicated to the other site and give the same answer at both sites which isn't the desired effect...

Actually Microsoft DNS uses the weightings in the SRV records to direct requests to the local site servers if available. I don't know how this compares with Bind.

Tom
Tom Jones
MCT, MCSE (2000:Security & 2003), MCSA:Security & Messaging, MCDBA, MCDST, MCITP(EA, EMA, SA, EDA, ES, CS), MCTS, MCP, Sec+
PhD, MSc, FIAP, MIITT
IT Trainer / Consultant
Ossian Ltd
Scotland

** Remember to give credit where credit is due and leave reputation points where appropriate **
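To make the priority/weight point above concrete, an added example that is not from the thread and not Microsoft's or BIND's code: a Python model of how a client orders an SRV RRset the way RFC 2782 prescribes (ascending priority, then a weighted random draw within each priority), and of the site-first lookup that lets a client reach its own site's DC before the domain-wide list. The ZONE data, the server names and the "Paris"/"Tokyo" sites are constructed; locate_dc is a simplified model of the site-aware lookup, not the actual DC Locator implementation.

```python
import random

# Constructed SRV data for a hypothetical domain: three DCs, server02 alone in the
# "Paris" site, server03 registered at a lower preference (priority 10).
# Tuples are (priority, weight, port, target), the fields of SRV RDATA.
ZONE = {
    "_ldap._tcp.dc._msdcs.mydomain.com.": [
        (0, 100, 389, "server01.mydomain.com."),
        (0, 100, 389, "server02.mydomain.com."),
        (10, 100, 389, "server03.mydomain.com."),
    ],
    "_ldap._tcp.paris._sites.dc._msdcs.mydomain.com.": [
        (0, 100, 389, "server02.mydomain.com."),
    ],
}


def order_srv_targets(rrset, rng=None):
    """Order an SRV RRset per RFC 2782: lowest priority first; within one
    priority pick repeatedly by a weighted random draw (weight-0 records are
    placed first so they are chosen only when the draw is exactly 0)."""
    rng = rng if rng is not None else random.Random()
    ordered = []
    by_priority = {}
    for rec in rrset:
        by_priority.setdefault(rec[0], []).append(rec)
    for prio in sorted(by_priority):
        pool = sorted(by_priority[prio], key=lambda r: r[1] != 0)
        while pool:
            total = sum(r[1] for r in pool)
            # With every weight 0 (as in the question's "SRV 0 0" records) the
            # draw is always 0 and the answer order from the server decides.
            pick = rng.randint(0, total)
            running = 0
            for rec in pool:
                running += rec[1]
                if running >= pick:
                    ordered.append(rec)
                    pool.remove(rec)
                    break
    return ordered


def locate_dc(zone, domain, site, seed=None):
    """Simplified site-aware lookup: query the site-specific _sites name first
    and fall back to the domain-wide name when the site has no registered DC.
    Returns (name that answered, ordered list of DC targets)."""
    rng = random.Random(seed)
    site_name = f"_ldap._tcp.{site.lower()}._sites.dc._msdcs.{domain}"
    generic_name = f"_ldap._tcp.dc._msdcs.{domain}"
    for name in (site_name, generic_name):
        rrset = zone.get(name)
        if rrset:
            return name, [rec[3] for rec in order_srv_targets(rrset, rng)]
    return None, []


if __name__ == "__main__":
    for site in ("Paris", "Tokyo"):
        name, targets = locate_dc(ZONE, "mydomain.com.", site, seed=1)
        print(f"client in {site}: answered by {name}")
        print("   tries DCs in order:", ", ".join(targets))
```

A client in Paris gets server02 from the site-specific name and never touches the domain-wide list; a client in a site with no DC (Tokyo) falls back to the domain-wide record set, where the two priority-0 DCs are tried in a random order and server03 is only reached when both are unavailable. Without the _sites records, every client is in the Tokyo position, which is the round-robin behaviour the question describes.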


#8
Re: Bind DNS for Active Directory DCs

thanks JeremyW and Ossian, food for thought, I've gone off to do some more reading and contemplating what to do on the dns front...