PC Review
AD DDNS Updates ignored with Bind 9 ?

Kai Berssin
13th Apr 2004
I'm about to implement an Active Directory environment with Windows
Server 2003 Active Directory Domain Controllers and Bind 9.2.1 DNS
servers. For that, I've created 4 new zones "_mcds.DOMAINNAME",
"_sites.DOMAINNAME", "_tcp.DOMAINNAME", and "_udp.DOMAINNAME" on the
Bind server, each zone containing an "allow-update { IP_OF_AD_DCs; };"
statement (yes, I know about the security issues). Adding or updating
a record with "nsupdate" works fine, i.e. in general the dynamic
update feature works. Adding a new AD DC with DCPROMO also works (in
the sense that there is no error message), i.e. basically the
communication between AD and DNS functions, and AD recognizes the DNS
server as being configured for dynamic updates (otherwise DCPROMO
would complain). However, none of the records generated by DCPROMO
(the stuff you can find in netlogon.dns) is written to the Bind zone
files or the corresponding JNL files. Has anybody experienced the
same problems and can offer me a tip as to what the problem might be?
If I trace the communication between the AD DC and the DNS server
during DCPROMO with Netmon, I cannot find any errors or warnings; the
only curious thing is a line "Dyn Upd PRE records to DOMAINNAME" ->
"Prerequisite: DOMAINNAME of type Req for all on class Unknown class".
Apparently, the DNS record class in the prerequisites record is
unknown to Netmon; is it also unknown to Bind?

Kind regards,

Kai
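An added illustration, not code from the thread: the Python below builds an RFC 2136 UPDATE message for the root.company.com zone (the name used later in the thread) with a prerequisite of the shape the Netmon line appears to describe (TYPE=ANY on the domain name) and then decodes the prerequisite section, where the class field is ANY (255) or NONE (254) rather than IN. That a decoder without names for those two classes reports them as an unknown class is an assumption made here, not something the thread confirms; the message ID, the SRV values and the host name dc1 are constructed for the example.

```python
import struct

# RFC 2136 UPDATE. Prerequisite RRs may use class ANY (255) or NONE (254)
# instead of IN; a decoder that only knows query classes shows "Unknown class".
OPCODE_UPDATE = 5
CLASS_IN, CLASS_NONE, CLASS_ANY = 1, 254, 255
TYPE_SOA, TYPE_SRV, TYPE_ANY = 6, 33, 255
CLASS_NAMES = {CLASS_IN: "IN", CLASS_NONE: "NONE", CLASS_ANY: "ANY"}

def encode_name(name):  # dotted name -> uncompressed DNS labels (each < 64 bytes)
    labels = [lab.encode("ascii") for lab in name.rstrip(".").split(".")]
    if any(not 0 < len(lab) < 64 for lab in labels):
        raise ValueError("bad label in %r" % name)
    return b"".join(bytes([len(lab)]) + lab for lab in labels) + b"\x00"

def decode_name(buf, pos):  # uncompressed labels at pos -> (name, new_pos)
    labels = []
    while (n := buf[pos]) != 0:
        labels.append(buf[pos + 1:pos + 1 + n].decode("ascii"))
        pos += 1 + n
    return ".".join(labels) + ".", pos + 1

def rr(name, rtype, rclass, ttl=0, rdata=b""):  # one RR in wire format
    return encode_name(name) + struct.pack("!HHIH", rtype, rclass, ttl, len(rdata)) + rdata

def build_update(zone, prereqs, updates, msg_id=0x1234):
    # header: ID, flags (opcode 5 in bits 1-4), ZOCOUNT, PRCOUNT, UPCOUNT, ADCOUNT
    header = struct.pack("!HHHHHH", msg_id, OPCODE_UPDATE << 11, 1, len(prereqs), len(updates), 0)
    return header + encode_name(zone) + struct.pack("!HH", TYPE_SOA, CLASS_IN) + b"".join(prereqs) + b"".join(updates)

def prereq_meaning(rtype, rclass, ttl, rdlen):
    # RFC 2136 section 2.4: TTL is always 0; the ANY/NONE forms carry no RDATA
    if ttl != 0:
        return "invalid (TTL must be 0)"
    if rclass == CLASS_ANY and rdlen == 0:
        return "name is in use" if rtype == TYPE_ANY else "RRset exists (value independent)"
    if rclass == CLASS_NONE and rdlen == 0:
        return "name is not in use" if rtype == TYPE_ANY else "RRset does not exist"
    if rclass == CLASS_IN:
        return "RRset exists (value dependent)"
    return "invalid (FORMERR)"

def parse_prereqs(msg):
    # yields (name, type, class name, meaning) for each prerequisite RR
    _, flags, zocount, prcount, _, _ = struct.unpack("!HHHHHH", msg[:12])
    if (flags >> 11) & 0xF != OPCODE_UPDATE:
        raise ValueError("not an UPDATE message")
    pos = 12
    for _ in range(zocount):
        _, pos = decode_name(msg, pos)
        pos += 4  # skip the zone section's type and class
    for _ in range(prcount):
        name, pos = decode_name(msg, pos)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", msg[pos:pos + 10])
        pos += 10 + rdlen
        yield (name, rtype, CLASS_NAMES.get(rclass, "Unknown class"),
               prereq_meaning(rtype, rclass, ttl, rdlen))

# Constructed sample (not a capture): add the _ldap SRV record under _msdcs for
# root.company.com, guarded by a TYPE=ANY/CLASS=ANY prerequisite ("name is in use").
ZONE = "root.company.com"
SAMPLE = build_update(ZONE,
    prereqs=[rr(ZONE, TYPE_ANY, CLASS_ANY)],
    updates=[rr("_ldap._tcp.dc._msdcs." + ZONE, TYPE_SRV, CLASS_IN, 600,
                struct.pack("!HHH", 0, 100, 389) + encode_name("dc1." + ZONE))])
```

Running `list(parse_prereqs(SAMPLE))` yields the domain name with type 255 and class ANY, decoded as "name is in use"; a decoder whose class table stops at IN would print the same record with an unknown class.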

Herb Martin
13th Apr 2004
Your problem is buried in the details, but to start:

It is a very poor idea to try to manually create the sub-zones
and DC records. Let the DCs do it.

Dynamic DNS is a practical requirement.

It is also a good idea to use an MS DNS server (but this is not
a strong recommendation because BIND can certainly work.)

The DNS server needs to be dynamic.

--
Herb Martin

Jonathan de Boyne Pollard
14th Apr 2004
KB> However, none of the records generated by DCPROMO (the stuff you
KB> can find in netlogon.dns) is written to the Bind zone files or
KB> the corresponding JNL files.

What do the logs for BIND say?

Kai Berssin
14th Apr 2004
Dear Herb,

Thank you very much for this answer. Unfortunately there are some
constraints I have to obey:

a) Our DNS infrastructure is based on BIND 9.2.1 on Solaris 8, so
Windows DNS is not an option.

b) I want to configure as few dynamic zones as possible. Therefore, I
thought it's a good idea to pre-create the _msdcs, _sites, _tcp, and
_udp zones so that the master zone can be kept static.

c) To give you a better idea of what I'm trying, these are the
relevant parts of my named.conf file:

acl slaveserver {
    ....
};

acl masterserver {
    ....
};

acl addomaincontrollers {
    ....
};

options {
    directory "/var/named";
    # the default is to fail, if the master file is not correct
    # check-names master warn;

    pid-file "/var/run/named.pid";

    datasize default;
    stacksize default;
    coresize default;
    files unlimited;
    recursion yes;

    listen-on-v6 { any; };
    listen-on { any; };
    // query-source address * port *;
    allow-query { any; localhost; };
    allow-recursion { any; localhost; };
    allow-transfer { slaveserver; localhost; };
};

controls {
    inet 127.0.0.1 allow { localhost; } keys { rndc_key; };
};

logging {
    # category lame-servers { null; };
    # category cname { null; };
    channel query_logging {
        file "/var/log/named_log" versions 3 size 100M;
        print-category yes;
        print-severity yes;
        print-time yes;
    };

    category queries {
        query_logging;
    };
};

zone "." IN {
    type hint;
    file "db.root.hint";
};

zone "localhost" IN {
    type master;
    file "db.localhost";
    allow-update { none; };
};

zone "0.0.127.in-addr.arpa" IN {
    type master;
    file "db.0.0.127.in-addr.arpa";
    allow-update { none; };
};

#
# zone definitions
#

zone "root.company.com" IN {
    type master;
    file "db.root.company.com";
    allow-transfer { slaveserver; localhost; };
    allow-update { none; };
    notify yes;
};

zone "_msdcs.root.company.com" IN {
    type master;
    file "db._msdcs.root.company.com";
    allow-transfer { slaveserver; localhost; };
    allow-update { addomaincontrollers; };
    notify yes;
};

zone "_sites.root.company.com" IN {
    type master;
    file "db._sites.root.company.com";
    allow-transfer { slaveserver; localhost; };
    allow-update { addomaincontrollers; };
    notify yes;
};

zone "_tcp.root.company.com" IN {
    type master;
    file "db._tcp.root.company.com";
    allow-transfer { slaveserver; localhost; };
    allow-update { addomaincontrollers; };
    notify yes;
};

zone "_udp.root.company.com" IN {
    type master;
    file "db._udp.root.company.com";
    allow-transfer { slaveserver; localhost; };
    allow-update { addomaincontrollers; };
    notify yes;
};

zone "1.10.in-addr.arpa" IN {
    type master;
    file "db.1.10.in-addr.arpa";
    allow-transfer { slaveserver; localhost; };
    allow-update { none; };
    notify yes;
};


Ace Fekay [MVP]
14th Apr 2004
In news:(E-Mail Removed),
Kai Berssin <(E-Mail Removed)> posted their thoughts, then I offered
mine
> Dear Herb,
>
> thank you very much for this answer. Unfortunately there are some
> constraints I have to obey:
>
> a) Our DNS infrastructure is based on BIND 9.2.1 on Solaris 8, so
> Windows DNS is no option.
>
> b) I want to configure as few dynamic zones as possible. Therefore, I
> thought it's a good idea to pre-create the _msdcs, _sites, _tcp, and
> _udp zones so that the master zone can be kept static.
>
> c) To give you a better idea of what I'm trying, these are the
> relevant parts of my named.conf file:
>

<snip>

Kai, I *believe* your issue is a single label DNS domain name, that is if
"DOMAINNAME" is a relative facsimile of your domain. It should be in the
form of domainname.com or domainname.net, etc. BIND is probably barking at
that, especially from this message:

> only curious thing is a line "Dyn Upd PRE records to DOMAINNAME" ->
> "Prerequisite: DOMAINNAME of type Req for all on class Unknown class".


If you cannot allow dynamic updates, don't manually create them one by one
as it appears you are saying you're doing. Share out the system32\config
folder to allow access to the netlogon.dns files. This is the data you want
to register. One of the local universities does it that way for their
departments that require AD, and the BIND guys create the zones from that
file.

It would be nice to use DNS locally on the DC and allow zone transfers to
the BIND server to create a secondary. It would be a lot easier.

--
Regards,
Ace

Please direct all replies to the newsgroup so all can benefit.
This posting is provided "AS-IS" with no warranties and confers no
rights.

Ace Fekay, MCSE 2000, MCSE+I, MCSA, MCT, MVP
Microsoft Windows MVP - Active Directory

HAM AND EGGS: A day's work for a chicken; A lifetime commitment for a
pig. --
=================================

Herb Martin
15th Apr 2004
"Kai Berssin" <(E-Mail Removed)> wrote in message
news:(E-Mail Removed)...
> Dear Herb,
>
> thank you very much for this answer. Unfortunately there are some
> constraints I have to obey:
> a) Our DNS infrastructure is based on BIND 9.2.1 on Solaris 8, so
> Windows DNS is no option.


It is frequently best to just delegate the zone from the BIND
servers to a child zone for Win2000+.

But BIND can work.

> b) I want to configure as few dynamic zones as possible. Therefore, I
> thought it's a good idea to pre-create the _msdcs, _sites, _tcp, and
> _udp zones so that the master zone can be kept static.


Probably a bad idea and definitely overcomplicated.

Better than this is to just use the idea above and delegate all
of Win2000 to a child zone.

> c) To give you a better idea of what I'm trying, these are the
> relevant parts of my named.conf file:


I can do BIND, but it's going to be error-prone and not worth
the trouble. You will hate it forever.

--
Herb Martin

Herb Martin
15th Apr 2004
> Kai, I *believe* your issue is a single label DNS domain name, that is if
> "DOMAINNAME" is a relative facsimile of your domain. It should be in the
> form of domainname.com or domainname.net, etc. BIND is probably barking at
> that, especially from this message:


IF that is the case, then delegating a CHILD zone for the
Win2000 domain becomes virtually mandatory.

--
Herb Martin

Ace Fekay [MVP]
16th Apr 2004
In news:(E-Mail Removed),
Herb Martin <(E-Mail Removed)> posted their thoughts, then I offered mine
>> Kai, I *believe* your issue is a single label DNS domain name, that
>> is if "DOMAINNAME" is a relative facsimile of your domain. It should
>> be in the form of domainname.com or domainname.net, etc. BIND is
>> probably barking at that, especially from this message:

>
> IF that is the case then delegating a CHILD zone for
> Win2000 Domain becomes virtually mandatory.
>


Since we haven't heard back, I'm assuming it is a single label name...
Tricky, even with delegation. But the reg needs to be changed to force it
to allow reg.

--
Regards,
Ace

Please direct all replies to the newsgroup so all can benefit.
This posting is provided "AS-IS" with no warranties and confers no
rights.

Ace Fekay, MCSE 2000, MCSE+I, MCSA, MCT, MVP
Microsoft Windows MVP - Active Directory

HAM AND EGGS: A day's work for a chicken; A lifetime commitment for a
pig. --
=================================