First a small correction: in DHCP MMC right click on DHCP server, then Properties (not option).

Yes, unchecking all three options in the DNS tab will stop dynamic DNS updates by the DHCP server.

Things to consider/test:
- rDNS cleanup may have issues when clients power down a system improperly (power button)
- some DHCP clients may not do dynamic DNS updates (DHCP/DNS reverse records may not be consistent)
- may not be able to update DNS settings as you outline below on all types of DHCP client devices

Other suggestions:
- consider using ISC DHCP instead of MS DHCP as it may solve from the DHCP side (preferred)
- consider a commercial product such as Bluecat Networks

Best,
Frank

-----Original Message-----
From: bind-users-boun...@lists.isc.org on behalf of Borgia, Joe A CTR USAF AFMC AFRL/RIOS
Sent: Mon 6/15/2009 1:07 PM
To: Frank Pikelner; bind-users@lists.isc.org
Subject: RE: Windows AD, Windows DHCP, BIND, and DDNS

I'm not an AD guy at all, so I have to ask the following: Will un-checking that still allow the host to register itself in the AD namespace?

------------------------------------
Joseph A. Borgia, Jr.
Sr. UNIX/SAN Engineer
Team Rome IT - Rome Research Corporation
U.S. Air Force Research Laboratory/Rome Research Site/RIOS
COMM: 315-330-3952
DSN: 587-3952
FAX: 315-330-8258

-----Original Message-----
From: Frank Pikelner [mailto:frank.pikel...@netcraftcommunications.com]
Sent: Monday, June 15, 2009 12:52 PM
To: Borgia, Joe A CTR USAF AFMC AFRL/RIOS; bind-users@lists.isc.org
Subject: RE: Windows AD, Windows DHCP, BIND, and DDNS

Joe,

On your Windows DHCP server, use DHCP MMC, right click on DHCP server name, and select options. In Options, select DNS tab and uncheck the required DNS registration options.

Best,
Frank

-----Original Message-----
From: bind-users-boun...@lists.isc.org on behalf of Borgia, Joe A CTR USAF AFMC AFRL/RIOS
Sent: Mon 6/15/2009 10:27 AM
To: bind-users@lists.isc.org
Subject: Windows AD, Windows DHCP, BIND, and DDNS

Folks,

I need some help. At my site, I am running Windows AD, Windows DHCP, and BIND version 9.6.0-P1.

The AD namespace that my customer implemented is different from the BIND namespace. The majority of the clients here are Windows XP/Vista-based systems that receive their IP via Windows DHCP. We'd like to have these systems register themselves manually via DDNS to our BIND namespace. Just for proof-of-concept before we even try to tackle TSIG to secure it, we're using the "allow-update" directive.

DHCP Server: 10.10.10.10

We set up allow-update for 10.10.10.10 for both the forward lookup "hosts" file and reverse lookup "hosts.rev" file.

Our BIND namespace is bind.domain.mil
Our AD namespace is our.ds.domain.mil

When a client gets an IP with the BIND server configured to allow the Windows DHCP server to do the updating, rather than registering that client as host.bind.domain.mil, it registers it only in the reverse lookup table as host.our.ds.domain.mil, which is undesirable. We want the host to be host.bind.domain.mil on the BIND servers, both forward and reverse.

When I set up an ACL called "dynamic-update" for 10.10.0.0/16 and allow all of that network to perform the updates on the BIND server, it works better, but not completely, because to make that work we had to go into the client's TCP/IP settings and tell it to register specifically as bind.domain.mil. Doing that caused the client to register itself properly in both forward and reverse lookup zones. However, apparently, the DHCP server is also registering the reverse lookup IP with host.our.ds.domain.mil. When you do a reverse lookup on the client, you get both FQDNs back in the response.

The two problems with this are: first, to make this work, each client has to be touched to configure that DNS namespace to register it properly, and second, we need to get the DHCP server to stop doing this registration for AD in the BIND servers. It'd be ideal if we could just have the Windows DHCP server update the BIND servers with the proper DNS suffix.

I've looked around the Internet and it doesn't seem as if there are too many people with different namespaces between BIND and AD trying to do what we're doing. If the namespaces matched, this would work perfectly. Unfortunately, we are not in a position to change either namespace, so we have to make this work somehow.

Anyone have any ideas?

Thanks in advance,
Joe

------------------------------------
Joseph A. Borgia, Jr.
Sr. UNIX/SAN Engineer
Team Rome IT - Rome Research Corporation
U.S. Air Force Research Laboratory/Rome Research Site/RIOS
COMM: 315-330-3952
DSN: 587-3952
FAX: 315-330-8258
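As an added illustration (not from the thread or any of its posters), here is the named.conf allow-update setup Joe describes next to the TSIG update-policy form he says he wants to get to, followed by the ISC dhcpd.conf settings that make the DHCP server, rather than each client, supply the bind.domain.mil suffix, which is the DHCP-side route Frank suggests. The reverse zone name 10.10.in-addr.arpa, the BIND server address 10.10.10.11 and the key name dhcp-update are assumptions; the secret is a placeholder.

```conf
# named.conf as described in the thread: IP-based ACL (the "before")
# any host holding or spoofing an address in 10.10.0.0/16 may rewrite the zone
acl "dynamic-update" { 10.10.0.0/16; };
zone "bind.domain.mil" {
    type master;
    file "hosts";
    allow-update { "dynamic-update"; };
};

# named.conf, hardened: a TSIG key plus update-policy replaces the IP ACL
# hmac-md5 is the algorithm older BIND and ISC DHCP releases share;
# use an HMAC-SHA algorithm where both ends support it
key "dhcp-update" {
    algorithm hmac-md5;
    secret "REPLACE_WITH_BASE64_SECRET";  # placeholder, generate a real key
};
zone "bind.domain.mil" {
    type master;
    file "hosts";
    # the key may only change names under bind.domain.mil
    update-policy { grant dhcp-update subdomain bind.domain.mil ANY; };
};
zone "10.10.in-addr.arpa" {              # assumed reverse zone for 10.10.0.0/16
    type master;
    file "hosts.rev";
    # PTR only, and only inside this reverse zone
    update-policy { grant dhcp-update subdomain 10.10.in-addr.arpa PTR; };
};

# dhcpd.conf (ISC DHCP): the server, not each client, chooses the suffix
ddns-update-style interim;
ddns-updates on;
ddns-domainname "bind.domain.mil";
ignore client-updates;                   # client-requested names are not honoured
key dhcp-update {
    algorithm hmac-md5;
    secret REPLACE_WITH_BASE64_SECRET;   # same secret as in named.conf
};
zone bind.domain.mil. {
    primary 10.10.10.11;                 # assumed BIND server address
    key dhcp-update;
}
zone 10.10.in-addr.arpa. {
    primary 10.10.10.11;
    key dhcp-update;
}
```

update-policy constrains which names and record types the key may touch, not the data inside a PTR, so a DHCP server that still writes PTRs pointing at our.ds.domain.mil has to be fixed on the DHCP side, as the thread concludes.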
_______________________________________________ bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users