Re: Active Directory and Unix DNS
From: Kevin D. Goodknecht [MVP] (admin_at_nospam.LSAOL.COM)
Date: 04/06/04
- Next message: Arild Bakken: "Re: problem running my program as a service with ldaps"
- Previous message: Dmitry Korolyov [MVP]: "Re: Group Policy"
- In reply to: Rustom: "Re: Active Directory and Unix DNS"
- Next in thread: Jonathan de Boyne Pollard: "Re: Active Directory and Unix DNS"
- Messages sorted by: [ date ] [ thread ]
Date: Tue, 6 Apr 2004 08:35:22 -0500
In news:uBs1T64GEHA.2052@TK2MSFTNGP11.phx.gbl,
Rustom <RossMistry@hotmail.com> posted a question.
Then Kevin replied below:
> I am confused. Our company requires the same namespace for BIND and
> the Active Directory root domain, Companyabc.com. Can this be
> achieved?
While it can be achieved, it would require that the record that resolves to
the domain name "companyabc.com" MUST point _ONLY_ to the adapter(s) on all DCs
that have file sharing enabled. This is for several reasons; it is
referred to as the LDAP IP address. Group policies are applied from this
record, too. You see, group policies are in the
\\companyabc.com\SYSVOL\companyabc.com\policies share. This is referred to
as the Sysvol DFS share; this share and everything in it is replicated to ALL
DCs in its domain.
You can host the AD domain on the BIND servers, but without DDNS it can
create a lot of administrative overhead.
> If it can be achieved with the same namespace how do I
> delegate?
You can delegate the AD subfolders; the problem is going to happen if you
have members of the Root domain trying to find the DFS share using the LDAP
record.
> We can not have a different namespace for Active Directory
> such as Companyabc.net?
Yes, in two of my previous posts I have already enumerated that as one of
your choices. As I said in those posts, I would definitely make the Root DC
and its secure DDNS server the Primary (Active Directory Integrated) zone
and have the BIND pull a secondary of the zone. This will not compromise the
security of either the BIND or MS DNS namespaces.
>
> Therefore, if I DCPROMO the first DC in the root domain how do you
> populate BIND DNS with the AD info if Dynamic DNS is not enabled?
Two ways:
1. Make the BIND a secondary of the AD domain zone.
Since the DC will hold the SOA MNAME record as the master, the BIND will
send updates to the MS DNS.
2. Delegate all the AD subfolders to the MS DNS; create or delegate the DC's
host records for the DC's hostname. Create the LDAP IP address records that
point only to the interfaces on the Root DC(s) with file sharing.
>
> Please read comments below...
>
>
>> 4. Go to the boss that the BIND guys are not willing to do anything
>> acceptable so creating an Active Directory Domain is out of the
>> question without the security of Active Directory DNS.
>
> Why do we lose security, please explain...
>
MS DDNS allows you to have secure updates only if the zone is integrated
into Active Directory; that means the zone has its own security settings, and
unless the client has permissions to update its record in the zone, it won't
happen. BIND's secure updates are not compatible with Microsoft's and only
work with BIND's version of DHCP. That is why the BIND admins won't let you
have dynamic updates.
255913 - Integrating Windows 2000 DNS into an Existing BIND or Windows NT
4.0-Based DNS Namespace:
http://support.microsoft.com/default.aspx?scid=kb;en-us;255913&Product=win2000
--
Best regards,
Kevin D4 Dad Goodknecht Sr. [MVP]
Hope This Helps
============================
--
When responding to posts, please "Reply to Group" via your newsreader so
that others may learn and benefit from your issue.
To respond directly to me remove the nospam. from my email.
==========================================
http://www.lonestaramerica.com/
==========================================
Use Outlook Express?... Get OE_Quotefix:
It will strip signature out and more
http://home.in.tum.de/~jain/software/oe-quotefix/
==========================================
Keep a back up of your OE settings and folders with OEBackup:
http://www.oehelp.com/OEBackup/Default.aspx
==========================================
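As an added example (not part of Kevin's post or of KB 255913), here is what the two options he lists look like as BIND 9 configuration: option 1 has BIND pull the AD-integrated zone as a secondary from the DCs, and option 2 keeps BIND primary for companyabc.com, sets the apex A records ("LDAP IP address" records) to the DCs' file-sharing interfaces only, and delegates the AD subdomains to the Microsoft DNS on the DCs so the DCs can register their SRV records there dynamically. The hostnames dc1/dc2/ns1, the 192.0.2.0/24 addresses, the serial number and the TTLs are all assumptions for illustration; the delegated subdomains are the four that KB 255913 names (_msdcs, _sites, _tcp, _udp) plus the two application-partition subdomains that Windows Server 2003 DCs use, included here as an assumption for a 2003 forest. Use one of the two zone statements, not both.

```bind
// ===== named.conf fragment: choose ONE of the two zone statements =====

// Option 1: BIND is a secondary of the AD-integrated zone held on the DCs.
// The DCs' MS DNS stays the master (SOA MNAME); BIND never accepts updates
// itself, so the BIND admins' "no dynamic updates" rule is preserved.
zone "companyabc.com" {
    type slave;
    file "slave/companyabc.com.db";
    masters { 192.0.2.10; 192.0.2.11; };   // assumed DC addresses
    allow-update { none; };
};

// Option 2: BIND stays primary and delegates the AD subdomains to the DCs.
// zone "companyabc.com" {
//     type master;
//     file "master/companyabc.com.db";
//     allow-update { none; };             // static zone, maintained by hand
// };

; ===== master/companyabc.com.db for Option 2 (assumed names/addresses) =====
$ORIGIN companyabc.com.
$TTL 3600
@       IN SOA  ns1.companyabc.com. hostmaster.companyabc.com. (
                2004040601 ; serial (assumed)
                3600       ; refresh
                900        ; retry
                1209600    ; expire
                600 )      ; minimum
        IN NS   ns1.companyabc.com.

; "LDAP IP address" records: the zone apex resolves ONLY to the DC adapters
; that serve the SYSVOL/NETLOGON shares. Do not add web or mail hosts here.
@       IN A    192.0.2.10
@       IN A    192.0.2.11

ns1     IN A    192.0.2.53          ; the BIND server (assumed)
dc1     IN A    192.0.2.10          ; DC host records, also MS DNS servers
dc2     IN A    192.0.2.11

; Delegate the AD subdomains to the DCs' Microsoft DNS. dc1/dc2 are in-zone,
; so the A records above double as glue.
_msdcs          IN NS   dc1.companyabc.com.
_msdcs          IN NS   dc2.companyabc.com.
_sites          IN NS   dc1.companyabc.com.
_sites          IN NS   dc2.companyabc.com.
_tcp            IN NS   dc1.companyabc.com.
_tcp            IN NS   dc2.companyabc.com.
_udp            IN NS   dc1.companyabc.com.
_udp            IN NS   dc2.companyabc.com.
; Windows Server 2003 application partitions (assumption: 2003 forest)
DomainDnsZones  IN NS   dc1.companyabc.com.
DomainDnsZones  IN NS   dc2.companyabc.com.
ForestDnsZones  IN NS   dc1.companyabc.com.
ForestDnsZones  IN NS   dc2.companyabc.com.
```

To check the result from a member machine, query the BIND server for the apex A records and confirm that only the DC addresses come back, then query the delegated name _ldap._tcp.dc._msdcs.companyabc.com for SRV records and confirm the answer is authoritative from a DC; if the apex ever resolves to a non-DC host, domain members will fail to reach \\companyabc.com\SYSVOL and group policy will not apply, which is exactly the failure mode Kevin warns about.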