In message <5162e2a1.7000...@att.net>, "Barry S. Finkel" writes:
> On 4/8/2013 9:10 AM, bind-users-requ...@lists.isc.org wrote:
> > In article <mailman.59.1365230565.20661.bind-us...@lists.isc.org>, Phil
> > Mayers <p.may...@imperial.ac.uk> wrote:
> >> >Sam Wilson<sam.wil...@ed.ac.uk>  wrote:
> >> >
> >>> > >[adding an A record for ed.ac.uk.]
> >>> > >
> >> >
> >> >If your AD realm is also called ed.ac.uk then adding an A record will
> >> >definitely affect things.
> > Which is exactly the opposite of what our AD guys said, but not with
> > such great conviction.:-)
> >
> > Sam
> 
> AD clients, if they do not know about SRV records for finding the
> LDAP servers, will use the "A" records for the AD domain to locate
> the Domain Controllers.  Where I used to work we did not segregate
> AD, so internally,
> 
>       example.com
> 
> pointed to the Domain Controllers.  Externally,
> 
>       example.com
> 
> had no IP address because the DCs were not accessible from the
> external Internet.  When we had the DC addresses externally, then
> AD clients would see the addresses, try to authenticate to the AD,
> experience timeouts, and get frustrated.

Do the AD clients do the correct thing with the "no service offered"
SRV record (e.g. "SRV 0 0 0 .")?  It is designed to stop fallback to
A/AAAA records when the service is explicitly not there.

RFC 2782
        A Target of "." means that the service is decidedly not
        available at this domain.

If they do there should be no confusion with the use of address records
between AD and HTTP/HTTPS.

>  Without an external
> address, AD clients do not try to access the DCs.  The drawback
> is that we can not have
> 
>       example.com
> 
> externally have the same address as
> 
>       www.example.com
> 
> to aid browser users.
> --Barry Finkel
> 
> _______________________________________________
> Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe
>  from this list
> 
> bind-users mailing list
> bind-users@lists.isc.org
> https://lists.isc.org/mailman/listinfo/bind-users
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: ma...@isc.org
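
Added example, not part of the original message: the client-side decision RFC 2782 describes for a "no service offered" SRV record, run over constructed record sets. The names `plan_connection`, `ServiceNotOffered` and the `example.com` records are assumptions for illustration; this shows what the RFC specifies, not what AD clients actually do.

```python
import random
from typing import NamedTuple

class SRV(NamedTuple):
    priority: int
    weight: int
    port: int
    target: str

class ServiceNotOffered(Exception):
    """The domain published a single SRV with Target '.': do not fall back."""

def order_by_rfc2782(records, rng=random):
    """Lowest priority first; weighted random order within one priority."""
    ordered = []
    for prio in sorted({r.priority for r in records}):
        group = [r for r in records if r.priority == prio]
        group.sort(key=lambda r: r.weight != 0)  # weight-0 records first
        while group:
            pick = rng.randint(0, sum(r.weight for r in group))
            running = 0
            for i, r in enumerate(group):
                running += r.weight
                if running >= pick:
                    ordered.append(group.pop(i))
                    break
    return ordered

def plan_connection(domain, srv_records, default_port):
    """Return [(host, port), ...] to try, or raise ServiceNotOffered."""
    if not srv_records:
        # No SRV data at all: fall back to the domain's own A/AAAA records.
        return [(domain, default_port)]
    if len(srv_records) == 1 and srv_records[0].target == ".":
        # Exactly one SRV RR whose Target is the root: abort, no A/AAAA fallback.
        raise ServiceNotOffered(domain)
    return [(r.target.rstrip("."), r.port) for r in order_by_rfc2782(srv_records)]

# Constructed sample answers for _ldap._tcp.example.com (placeholder names).
EXTERNAL = [SRV(0, 0, 0, ".")]
INTERNAL = [SRV(10, 0, 389, "dc2.example.com."), SRV(0, 100, 389, "dc1.example.com.")]

if __name__ == "__main__":
    print(plan_connection("example.com", INTERNAL, 389))
    print(plan_connection("example.com", [], 389))
    try:
        plan_connection("example.com", EXTERNAL, 389)
    except ServiceNotOffered as exc:
        print("service explicitly not offered at", exc)
```
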