b19...@anl.gov wrote:
>
> There have been lots of posts on Windows AD/BIND integration over the
> years. Check the list archives. What I suggest is placing the six AD
> zones
>
> DomainDNSZones.example.com
> ForestDNSZones.example.com
> _msdcs.example.com
> _sites.example.com
> _tcp.example.com
> _udp.example.com
>
> on a MS Windows DNS Server on one Domain Controller and slaving those
> zones on your BIND servers. That way Windows handles the GSS-TSIG
> secure updates, and the BIND slaves will transfer the zones if and when
> they are updated.
And don't forget to set a group policy on all DCs to not update the A records in the apex zone. Otherwise the DCs will complain in the Event logs forever... This assumes the BIND servers are authoritative for example.com, in this example.

See http://support.microsoft.com/kb/246804 for Windows 2000.
See http://support.microsoft.com/kb/267855 for Windows 2003 and later, specifically under "Netlogon fix", and tell it not to register the LdapIPAddress.

(There is also more information there on preventing all the DCs from creating NS records in the zone, which becomes problematic when there are more than about 10 DCs. I had one customer with 100s of DCs, and each one put in an NS record in the zone for itself... ugh. With a little magic, dropped that back to a handful of DCs at big data centers.)

Regards,
Mike

-- 
Michael Milligan -> mi...@acmeps.com

_______________________________________________
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
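The "Netlogon fix" Mike points at, as an added example that is not part of the original post or the KB articles: the Group Policy setting ("DC Locator DNS records not registered by the DCs", under Computer Configuration\Administrative Templates\System\Net Logon) writes the same REG_MULTI_SZ value this script sets directly on one DC, DnsAvoidRegisterRecords under the Netlogon Parameters key, with the mnemonic LdapIpAddress meaning "don't register the apex A record for the domain". The optional second part applies the NS-record auto-creation settings that KB267855 describes via dnscmd; the parameter names are taken from that article, and the IP list is a placeholder you must replace with the DCs you actually want listed as NS for the zone. Run it elevated on a DC; for a fleet, prefer the GPO.

```powershell
# Added example, not from the original post. Stops this DC from trying to
# register example.com. A <DC IP> (the "LdapIpAddress" DC locator record)
# in an apex zone that BIND, not Windows, is authoritative for.

$netlogonKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
$valueName   = 'DnsAvoidRegisterRecords'

# Mnemonic(s) to suppress. LdapIpAddress is the domain apex A record; other
# mnemonics (Dc, Gc, Kdc, ...) exist but are not needed for this problem.
$suppress = @('LdapIpAddress')

# Merge with any mnemonics already configured instead of clobbering them.
$existing = @()
$current = Get-ItemProperty -Path $netlogonKey -Name $valueName -ErrorAction SilentlyContinue
if ($null -ne $current) { $existing = @($current.$valueName) }
$merged = @(($existing + $suppress) | Sort-Object -Unique)

if (-not (Test-Path $netlogonKey)) { New-Item -Path $netlogonKey -Force | Out-Null }
Set-ItemProperty -Path $netlogonKey -Name $valueName -Value $merged -Type MultiString

# Netlogon reads this value at start-up and registers its DNS records then,
# so restart it and force a re-registration rather than waiting.
Restart-Service Netlogon
nltest /dsregdns

# Verify: the list should now contain LdapIpAddress.
(Get-ItemProperty -Path $netlogonKey -Name $valueName).$valueName

# --- Optional: NS-record auto-creation (KB267855) --------------------------
# Every DC running DNS adds its own NS record to AD-integrated zones; with
# hundreds of DCs that is hundreds of NS records. Disable it server-wide,
# then allow only a short list of DCs (placeholder IPs, assumption) to add
# NS records for the zone. Requires dnscmd.exe from the DNS Server role.
$allowedNsServers = '192.0.2.10 192.0.2.11'
dnscmd /Config /DisableNSRecordsAutoCreation 1
dnscmd /Config example.com /AllowNSRecordsAutoCreation $allowedNsServers
```

After the Netlogon restart the recurring NETLOGON 5774 "dynamic registration of the DNS record ... failed" events for the apex A record stop, because the DC no longer attempts that update; registrations for _msdcs, _sites, _tcp and _udp continue, which is what you want when those zones stay on the Windows DNS server and are slaved by BIND as suggested above.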