Re: Unix Bind and Windows DNS coexist problem with forwarder ON



"Mugen" <Mugen@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:D576CE5D-B4C9-45EA-B81A-1CEF01B83FA7@xxxxxxxxxxxxxxxx
>
> > Therefore, I set up delegation in UNIX BIND server to Windows 2003 DNS.
> > UNIX BIND setup remains the authoritative name server and Windows 2003 DNS
> > just for SRV records and all Windows clients are still pointing to UNIX BIND
> > server.
>
> >The above does not describe delegation.
>
> >Were you to delegate then you would be delegating
> >an entire zone.
>
> >Even if you tried to delegate just the _underscore zones
> >you would still need to deal with the domain-zone itself
> >needing to be dynamic.
>
> I just delegate _underscore zones in UNIX BIND and Windows DNS (like the
> attached URL from my previous email).

Then you should have indicated that with three more
words (but I guessed it).

You really need the full zone supporting the Windows
Domain to be dynamic.

To do otherwise is to continue swimming upstream,
making your life hard and your domain unreliable when
they can be very easy and very reliable if you don't
fight it.

> The dynamic is not working in the way
> we setup but we don't really need it. Is it necessary to deal with dynamic
> update? How to do it?

Yes, it is a practical necessity.

You do it by having your BIND primary become
dynamic OR (better probably) using AD-Integrated
DNS servers on your Windows Server-DCs do that.
(It's just a radio button and a pull down in the latter case.)

> > Here is the problem, If I turn OFF forwarder in UNIX BIND server, Windows
> > clients are able to join the new Windows 2k3 AD (by entering DNS FQDN)
> > without any problem.
>
> >Then the delegation is likely incorrect.
>
> >Is the Windows domain using a child (DNS) zone
> >of the UNIX? If not, what is the relationship.
>
> Not using child domain. Just _underscore zones.
>
>
> > But if I turn ON the forwarder in UNIX BIND server, none
> > of the Windows clients are able to join the new W2K3 AD (it said cannot find
> > the SRV records etc). It looks like UNIX BIND server treat the windows client
> > request as out of zone request and forward to the external DNS servers.
> > Anyone seen that before?
>
> >If the forwarding and the delegation are done incorrectly.
>
> >For instance (but this may not be your problem precisely):
> >A DNS server cannot (easily) check two full namespaces
> >(from the root down) -- if it forwards it cannot check its
> >own root, and vice versa reliably.
>
> >If you simplify:
> >Unix fully delegated to the child DNS zone for the AD domain,
> >or holding a Secondary (or stub or some other way to find it) for
> >the AD domain-Zone.
>
>
> If setup incorrectly, how come when I turn OFF forwarder would work (this is
> what I need but we need to have Forwarder turned ON)

Likely because you are forwarding instead of following
the delegation for some reason.

> This must be DNS BIND just forward the SRV record request to external server.

You cannot forward a particular kind of record, only
an entire zone.

> The UNIX BIND server is like "abc.com"
> Windows 2003 Server is also same "abc.com"

If you insist on the UNIX BIND then you have chosen
a terrible internal domain name.

Is the UNIX by any chance handling your PUBLIC DNS
resolution?

If it is, then you can avoid all this by isolating the UNIX
on the EXTERNAL (Internet) and isolating the Windows
DNS on the Internal, i.e., by running a Shadow DNS (aka
Split DNS) instead.

If you are really using UNIX internally then you might
SERIOUSLY consider letting MS Windows DNS take
over that job.

Note: I am NOT a Windows 'bigot' -- I run a BIND server
too -- but not FOR my internal AD domain.

Windows is just so much better than BIND for that purpose
that there is no question of which I will choose.

If you had asked for a design that left the BIND in place
before creating your domain, I would have STRONGLY
suggested using a Child zone/domain or another DNS tree
name entirely.

> When i setup a test Windows XP client to try to join the new AD. I put
> "abc.com" and it failed when forwarder ON.

Yes, it probably cannot find those supposedly delegated
records.

DCs use those dynamically registered records (A, CNAME,
AND SRVs) to find each other for replication -- the domain
clients use them to find a DC for authentication (including
joining the domain.)
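As an added example (not part of this thread), here is the shape of a BIND named.conf that reproduces the failure described above and the per-zone fix the reply points at: BIND forwards by domain, never by record type, so each AD underscore zone needs its own forward (or secondary) zone statement, otherwise the global forwarder swallows those queries. The domain name abc.com comes from the thread; the addresses 192.0.2.10 (Windows DC running DNS) and 192.0.2.53 (external resolver) and the file names are assumed placeholders.

```conf
// Assumed placeholders: 192.0.2.10 is the Windows 2003 DC running DNS,
// 192.0.2.53 is the external resolver; abc.com is the thread's domain.

options {
    directory "/var/named";
    recursion yes;
    // Global forwarding. With "forward only" every name this server is
    // not authoritative for goes to the forwarders, and that includes
    // the delegated _msdcs/_sites/_tcp/_udp subzones, which is why the
    // clients report "cannot find the SRV records" once forwarding is on.
    forwarders { 192.0.2.53; };
    forward only;
};

// BIND stays authoritative for abc.com. The zone file carries the
// delegation NS records and glue for the DC, e.g.
//   _msdcs.abc.com.  IN NS  dc1.abc.com.
//   dc1.abc.com.     IN A   192.0.2.10
zone "abc.com" {
    type master;
    file "abc.com.zone";
};

// Fix: a zone-level forward statement is more specific than the global
// one, so names under these zones go to the DC, not the external resolver.
zone "_msdcs.abc.com" {
    type forward;
    forward only;
    forwarders { 192.0.2.10; };
};
zone "_sites.abc.com" {
    type forward;
    forward only;
    forwarders { 192.0.2.10; };
};
zone "_tcp.abc.com" {
    type forward;
    forward only;
    forwarders { 192.0.2.10; };
};
zone "_udp.abc.com" {
    type forward;
    forward only;
    forwarders { 192.0.2.10; };
};

// Alternative the reply mentions: hold a secondary copy of each zone
// instead; this needs zone transfers to this server enabled on the DC.
// zone "_msdcs.abc.com" { type slave; masters { 192.0.2.10; }; file "_msdcs.abc.com.db"; };
```

The same four zones must still be delegated (or transferred) by the Windows side, and the DC host records that the SRV targets point to must exist in the static abc.com zone, since dynamic update is not in use here.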

