zone subdelegation

Scot

I am trying to delegate a subzone of my domain (Active Directory in native
mode on Win2K) to a UNIX box.

Can it be done? Do I have to go back to mixed-mode?

If it can be done, would appreciate how-to. What I have tried so far does
not seem to be correct.
 
Kevin D. Goodknecht Sr. [MVP]

Scot said:
> I am trying to delegate a subzone of my domain (Active
> Directory in native mode on Win2K) to a UNIX box.

Isn't the delegation working?

> Can it be done? Do I have to go back to mixed-mode?

I'm not sure why you think being in native mode is relevant with delegating
a subzone in DNS to another DNS server, unless I'm missing something here.
Maybe you should explain; being in native mode does make some changes with
authentication and makes it impossible to have an NT4 BDC in a Win2k domain.
Maybe you should give a little better explanation as to what you are trying
to achieve.

> If it can be done, would appreciate how-to. What I have
> tried so far does not seem to be correct.

There is nothing special you need to do, that is, with what you have said
here; just create the delegation.
 
Scot

Thanks for the reply.

> Isn't the delegation working?

I'm not sure. Other than testing for rejects on the mail proxy, is there a
way to test the delegation from the Windows side? If I dig the UNIX box it
answers up correctly for both listed and unlisted IP addresses.
> I'm not sure why you think being in native mode is relevant with
> delegating a sub zone in DNS to another DNS server, unless I'm
> missing something here. Maybe you should explain, being in Native
> mode does make some changes with Authentication and makes it
> impossible to have an NT4 BDC in a Win2k domain. Maybe, you should
> give a little better explanation as to what you are trying to achieve.

My concern with native mode is in the delegation of the subzone to a UNIX
box. I know you cannot have NT4 BDCs in native mode, but can you delegate a
subzone to a UNIX box in native mode?

What we are trying to achieve: UNIX box is running a program called rbldnsd
(http://www.corpit.ru/mjt/rbldnsd.html). "rbldnsd is a small and fast DNS
daemon which is especially made to serve DNSBL zones. This daemon was
inspired by Dan J. Bernstein's rbldns program found in the djbdns package."

Our mail proxy queries the rbldnsd server before passing the mail to the
Exchange server. If an address is listed, the rbldnsd server replies with
something like ":127.0.0.2:Open relay" and rejects the message.
Here is what we have:
W2K AD native-mode domain: nonprofit.local

Trying to delegate subdomain to UNIX box called: abuse.nonprofit.local

What we have tried:

In DNS right-click on server and select new zone. Select new primary. Select
Forward lookup zone. Enter Name: abuse.nonprofit.local. Select: create a new
file with this name. Click finish.

Now I have a new zone, however SOA and A point to
mainserver.nonprofit.local.

At this point I need to edit these entries to point to abuse.nonprofit.local
so I right-click and make the changes.

Should be all I need, right?

Do I need to add NS or A records to primary zone? Make any other changes?
> There is nothing special you need to do, that is with what you have
> said here, just create the delegation.

TIA for the continued help.
 
William Stacey [MVP]

> I'm not sure. Other than testing for rejects on the mail proxy, is there
> a way to test the delegation from the Windows side?

Yes. Just dig for records in the domain that has been delegated, pointing
dig at the Win DNS server. If you set "+nord", you will see the reply the
DNS server will give other DNS servers: the redirect to the other NS.

> My concern with native mode is in the delegation of the subzone to a UNIX
> box. I know you cannot have NT4 BDCs in native mode, but can you delegate a
> subzone to a UNIX box in native mode?

Yes. Delegations have nothing to do with native mode and nothing to do with
Unix boxes. Delegations are a fundamental DNS thing, not related to Unix/Win
versions or native mode, etc.
 
Kevin D. Goodknecht Sr. [MVP]

Scot said:
> Thanks for the reply.
>
> I'm not sure. Other than testing for rejects on the mail
> proxy, is there a way to test the delegation from the
> Windows side? If I dig the UNIX box it answers up
> correctly for both listed and unlisted IP addresses.
>
> My concern with native mode is in the delegation of the
> subzone to a UNIX box. I know you cannot have NT4 BDCs
> in native mode, but can you delegate a subzone to a UNIX
> box in native mode?

Yes, you can.
> What we are trying to achieve: UNIX box is running a
> program called rbldnsd
> (http://www.corpit.ru/mjt/rbldnsd.html). "rbldnsd is a
> small and fast DNS daemon which is especially made to
> serve DNSBL zones. This daemon was inspired by Dan J.
> Bernstein's rbldns program found in the djbdns package."
>
> Our mail proxy queries the rbldnsd server before passing
> the mail to the Exchange server. If an address is listed
> the rbldnsd servers replies with something like
> ":127.0.0.2:Open relay" and rejects the message.
>
> Here is what we have:
> W2K AD native-mode domain: nonprofit.local
>
> Trying to delegate subdomain to UNIX box called:
> abuse.nonprofit.local

So the Unix box can resolve abuse.nonprofit.local?
> What we have tried:
>
> In DNS right-click on server and select new zone. Select
> new primary. Select Forward lookup zone. Enter Name:
> abuse.nonprofit.local. Select: create a new file with
> this name. Click finish.
>
> Now I have a new zone, however SOA and A point to
> mainserver.nonprofit.local.

This was incorrect; delete this forward lookup zone and follow these
instructions: open the forward lookup zone nonprofit.local, right-click in
the zone, select New Delegation, name the delegation abuse, and give the
delegation the FQDN and IP address of the Unix DNS server.


> At this point I need to edit these entries to point to
> abuse.nonprofit.local so I right-click and make the
> changes.
>
> Should be all I need, right?
>
> Do I need to add NS or A records to primary zone? Make
> any other changes?

What you were trying to create is a stub zone, which Win2k does not support;
stub zone support was added to Win2k3.
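Putting the two answers above together, here is an added example (not from the thread) that checks from the Windows side, with dig +norecurse (+nord), that nonprofit.local now hands out a referral for abuse.nonprofit.local instead of answering for it, and then runs the DNSBL lookup the mail proxy makes. rbl.nonprofit.local is an assumed name for the UNIX box; the dig replies at the bottom are constructed samples so the parsing can be exercised offline.

```shell
#!/bin/sh
# Added example, not from the thread: check from the Windows side that the
# parent zone nonprofit.local refers abuse.nonprofit.local to the rbldnsd
# box (rbl.nonprofit.local is assumed), then do a DNSBL lookup through it.
PARENT_DNS=${PARENT_DNS:-mainserver.nonprofit.local}
SUBZONE=abuse.nonprofit.local
# dig output on stdin. A real referral is NOERROR, has no "aa" flag (parent
# is not answering for the subzone itself) and lists the subzone's NS in
# AUTHORITY. The mistaken "New zone" on Win2K answers "aa" with its own NS.
is_referral() {
  awk -v zone="$1." '
    /status: NOERROR/         { ok = 1 }
    /^;; flags:/ && / aa[ ;]/ { aa = 1 }
    /^;; AUTHORITY SECTION:/  { sect = "auth"; next }
    /^;;/                     { sect = "" }
    sect == "auth" && $1 == zone && $4 == "NS" { ns = 1 }
    END { exit !(ok && !aa && ns) }'
}
# 203.0.113.9 -> 9.113.0.203.abuse.nonprofit.local (DNSBL query name)
dnsbl_name() {
  echo "$1" | awk -F. -v z="$SUBZONE" '{ print $4 "." $3 "." $2 "." $1 "." z }'
}
# dig A and TXT output on stdin -> "listed <code> <reason>" or "not listed"
dnsbl_verdict() {
  awk '
    /^;; ANSWER SECTION:/ { sect = "ans"; next }
    /^;;/                 { sect = "" }
    sect == "ans" && $4 == "A" && $5 ~ /^127\.0\.0\./ { code = $5 }
    sect == "ans" && $4 == "TXT" { sub(/^[^"]*"/, ""); sub(/"[^"]*$/, ""); txt = $0 }
    END { if (code == "") print "not listed"; else print "listed " code " " txt }'
}
# Live run (needs dig and network). +norecurse (+nord) shows exactly the
# reply the parent gives other DNS servers instead of chasing it for you.
check_delegation() {
  dig @"$PARENT_DNS" "$SUBZONE" NS +norecurse | is_referral "$SUBZONE" ||
    { echo "FAIL: $PARENT_DNS does not delegate $SUBZONE" >&2; return 1; }
  n=$(dnsbl_name 127.0.0.2)   # conventional always-listed DNSBL test entry
  { dig "$n" A; dig "$n" TXT; } | dnsbl_verdict
}
# Constructed sample replies: what the two checks should see after the fix.
SAMPLE_REFERRAL=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4711
;; flags: qr ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
;; AUTHORITY SECTION:
abuse.nonprofit.local.  3600  IN  NS  rbl.nonprofit.local.'
SAMPLE_LISTED=';; ANSWER SECTION:
2.0.0.127.abuse.nonprofit.local. 2100 IN A 127.0.0.2
;; ANSWER SECTION:
2.0.0.127.abuse.nonprofit.local. 2100 IN TXT "Open relay"'
if [ "${1:-}" = "--live" ]; then check_delegation; fi
```

Run it with `--live` on a host that can reach both servers; without the flag it only defines the checks and the sample data.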
 
Scot

Tadah! New delegation not New zone. Put me in the corner with the dunce
cap. I certainly missed the "New delegation" choice when I was clicking
around.

Thanks for pointing me in the right direction.


> Yes, you can.
>
> So the Unix box can resolve abuse.nonprofit.local?

Yes it resolves correctly.
 
Scot

+nord. Thanks, seems I forget as much UNIX as I ever remember.

Re: delegations. It's always hard to know what is a MS thing (AD, native
mode, etc.) and what is a universal thing (dns).
 
