Unix BIND and Windows 2003 DNS coexistence problem with forwarder on

Guest

Hi,

We are planning to upgrade NT 4 to 2003 AD. I set up a lab for all the testing.
Our current DNS server is running UNIX BIND and all Windows clients
point to UNIX BIND for hostname/internet resolution. We need to keep it that
way.
Therefore, I set up a delegation in the UNIX BIND server to Windows 2003 DNS. The UNIX
BIND setup remains the authoritative name server, Windows 2003 DNS is just
for SRV records, and all Windows clients are still pointing to the UNIX BIND server.
Here is the problem: if I turn OFF the forwarder in the UNIX BIND server, Windows
clients are able to join the new Windows 2k3 AD (by entering the DNS FQDN)
without any problem. But if I turn ON the forwarder in the UNIX BIND server, none
of the Windows clients are able to join the new W2K3 AD (it says it cannot find
the SRV records etc.). It looks like the UNIX BIND server treats the Windows client
request as an out-of-zone request and forwards it to the external DNS servers.
Has anyone seen that before?
 
Ace Fekay [MVP]

Mugen said:
BTW,

Here is the link to how I set up UNIX BIND with Windows DNS.

http://support.microsoft.com/kb/q255913/

Thanks.

Exactly what namespace did you delegate? Is the AD DNS domain name a child
zone of the zone that BIND is hosting? E.g. domain.com, and the AD name is
ad.domain.com and you delegated the "ad" child zone to the Win2k3 server. In
that scenario, we normally forward from the child (W2k3) back to the parent
(BIND).

Now if you just delegated the SRV records (_msdcs, etc), then a forwarder
from the W2k3 back to the parent may do the trick, because the SRV records
would have the service location resources FQDN, which need to be resolved by
the parent.

Otherwise, post a little more info about the zones, etc.

Thanks.

--
Regards,
Ace

Please direct all replies ONLY to the Microsoft public newsgroups
so all can benefit.

This posting is provided "AS-IS" with no warranties or guarantees
and confers no rights.

Ace Fekay, MCSE 2003 & 2000, MCSA 2003 & 2000, MCSE+I, MCT, MVP
Microsoft Windows MVP - Windows Server - Directory Services

Paramount: What's up with taking Enterprise off the air??
Infinite Diversities in Infinite Combinations.
=================================
 
Deji Akomolafe

If, as you say, you have delegated the AD zone to your AD DNS servers, then
the AD servers should be the authoritative servers for that zone. This means
that all your AD computers (clients and servers) should now point to the AD
(Windows) servers and no one should be pointing to your UNIX servers
anymore. The only place where your BIND servers should be visible is on the
Forwarders tab of your AD DNS servers.

If this is not the way you have it setup, then I recommend that you do so.
The only reason you might want to do it any other way is IF the zone is NOT
delegated to your AD servers. In which case, you are looking at something
entirely different.

--

Sincerely,
Dèjì Akómöláfé, MCSE+M MCSA+M MCP+I
Microsoft MVP - Directory Services
www.readymaids.com - we know IT
www.akomolafe.com
Do you now realize that Today is the Tomorrow you were worried about
Yesterday? -anon
 
Guest

Hi,
Exactly what namespace did you delegate? Is the AD DNS domain name a child
zone of the zone that BIND is hosting? E.g. domain.com, and the AD name is
ad.domain.com and you delegated the "ad" child zone to the Win2k3 server. In
that scenario, we normally forward from the child (W2k3) back to the parent
(BIND).

If you see my previous post's attached URL, I am doing option 4.
I am not using a child domain. I use the MS _underscore zone files (_tcp, _udp,
_msdcs etc.) in UNIX BIND and the 2K3 AD DNS server. The root domain name of BIND
is "domain.com" and the AD DNS name is "domain.com".

Now if you just delegated the SRV records (_msdcs, etc), then a forwarder
from the W2k3 back to the parent may do the trick, because the SRV records
would have the service location resources FQDN, which need to be resolved by
the parent.

I guess it is what I am doing (delegated the SRV records _tcp, _udp, _msdcs
etc.)
But how do I make W2k3 forward back to the parent UNIX BIND? Can you point
me to a document or steps to do that please?
Like I mentioned before, it is very strange. It is working perfectly fine if I
turn OFF the forwarder in UNIX BIND. Any new Windows clients will be able to join
the NEW AD by entering "domain.com". But once I turn ON the forwarder in UNIX BIND,
none of the Windows clients are able to join the NEW AD (cannot locate any
SRV records).

This is a very, very critical step before I can roll out AD. If it is not
working, that means I cannot have new Windows XP clients join AD or do
any SRV resolution.

I know everyone in here will say run AD DNS as the root server and take over
UNIX BIND. I wish I could, but I am working in a company that will use UNIX in
every possible way and my boss is a UNIX guy. That's why I have to do it
this way, but I am sure there are a lot of companies doing it like we are.
What version of BIND are you using?
8.3.x

YES, dynamic updates are important for domain controllers, unless you want
to enter them manually each time. SRV records need to be updated whenever a
change occurs. If you don't want to have your clients updated, that's up to
you, but you would definitely need to update the DCs.

I don't really worry about clients updating dynamically because the UNIX guy
here will update the hostname in UNIX manually and all Windows clients are
always pointing to UNIX BIND. But for the DCs: we will only have 2 DCs in a
single AD domain (primary/backup) and I hardly think we will change the IP
address or hostname of the DCs. In that case, do I still need to update the
DCs manually, or is there something other than IP and hostname that needs to be
updated manually if not running dynamic update?
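The BIND-side configuration for the setup described in this post (KB 255913 "option 4": the four AD underscore sub-zones delegated out of domain.com to the Windows 2003 DNS server), as an added example that is not part of the original thread. The addresses are hypothetical placeholders: the DC running Windows DNS is dc1.domain.com at 192.0.2.10 and the external resolvers are 203.0.113.53 and 203.0.113.54. The symptom reported (joins work with no forwarder, fail as soon as a global forwarder is turned on) is consistent with a known BIND behaviour: a global `forwarders` list applies to every query the server has to recurse for, including following a delegation out of its own zone, so SRV lookups under _msdcs, _sites, _tcp and _udp get sent to the external resolvers (which know nothing about the private delegation) instead of to the DC. Per-zone `type forward` zones override the global forwarders for exactly those names. `type forward` zones appeared in BIND 8.2, so the 8.3.x mentioned here should accept them; verify against the named.conf documentation of the version actually installed.

```conf
// named.conf on the UNIX BIND server (BIND 8.2+/9 syntax), authoritative for domain.com.
// All addresses below are hypothetical placeholders for this example.
options {
    directory "/var/named";
    // Global forwarders for everything this server is not authoritative for.
    // On their own, these swallow the queries for the delegated AD sub-zones.
    forwarders { 203.0.113.53; 203.0.113.54; };
    forward first;
};

zone "domain.com" {
    type master;
    file "db.domain.com";
};

// Conditional forwarding for the four delegated AD sub-zones: queries such as
// _ldap._tcp.domain.com or _kerberos._tcp.dc._msdcs.domain.com go straight to
// the Windows 2003 DNS server instead of to the global forwarders above.
zone "_msdcs.domain.com" { type forward; forward only; forwarders { 192.0.2.10; }; };
zone "_sites.domain.com" { type forward; forward only; forwarders { 192.0.2.10; }; };
zone "_tcp.domain.com"   { type forward; forward only; forwarders { 192.0.2.10; }; };
zone "_udp.domain.com"   { type forward; forward only; forwarders { 192.0.2.10; }; };

// ---- db.domain.com (zone file, shown here as comments) ----
// The delegation itself: one NS record per sub-zone, plus a glue A record for
// the DC so the referral can be followed without asking any other server.
//
// $ORIGIN domain.com.
// _msdcs   IN NS  dc1.domain.com.
// _sites   IN NS  dc1.domain.com.
// _tcp     IN NS  dc1.domain.com.
// _udp     IN NS  dc1.domain.com.
// dc1      IN A   192.0.2.10
```

On the Windows 2003 side, the reverse path Ace describes (W2k3 forwarding back to the parent BIND server for everything it is not authoritative for) is set on the Forwarders tab of the DNS console or, assuming the standard dnscmd tool and a BIND address of 192.0.2.53, with `dnscmd dc1 /ResetForwarders 192.0.2.53`. To confirm the fix from a client that still points at BIND, run `nslookup -type=SRV _ldap._tcp.dc._msdcs.domain.com 192.0.2.53` with the global forwarders enabled; it should return the DC's SRV record rather than a "non-existent domain" answer from the external resolvers.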
 
Ace Fekay [MVP]

Mugen said:
If you see my previous post attched URL. I am doing option 4.
I am not using child domain. I use MS _underscore zone files (_tcp,
_udp, _msdcs etc) in UNIX Bind and 2K3 AD DNS server. The Root
domain name of BIND is "domain.com" and the AD DNS name is
"domain.com"

I don't know if the other responses helped you, between this thread and the
thread in windows.server.dns, but this is how you set up a forwarder. This
will allow the delegated DNS to resolve the actual FQDN, which I believe is
the problem here. Sad that BIND admins are particular about their DNS
servers and won't work together with Windows admins, considering AD's DNS
requirements.

Enable Forwarding and Conditional Forwarders in W2k3:
http://www.microsoft.com/technet/tr...ntserver/sag_DNS_pro_EnableCondForwarders.asp

Understanding forwarders:
http://www.microsoft.com/resources/...ard/proddocs/en-us/sag_DNS_und_Forwarders.asp

Ace
 
