Hi Lawrence, I'm going to answer your questions a bit out of order, but hopefully things'll still be clear.
> How do you have an AD domain where your AD servers aren't authoritative
> for itself?

This is how our AD domain is set up -- the root of the AD domain is brandeis.edu, but the domain controllers do not run the MS DNS Server service. Client computers get the main campus DNS resolvers via DHCP, and are set not to use the MS DNS Client service. We've set up dynamic zones in BIND for the zones needed by AD: _msdcs.brandeis.edu, _tcp.brandeis.edu, _udp.brandeis.edu, etc.

Microsoft TechNet has some really thorough docs on this:

http://technet.microsoft.com/en-us/library/dd316373.aspx

It's a bit dated, but the principles still apply. The more general Microsoft docs:

http://technet.microsoft.com/en-us/library/cc759550%28v=ws.10%29.aspx
http://technet.microsoft.com/en-us/library/cc772774%28v=ws.10%29.aspx

are also quite good.

> Had a strange problem where our servers couldn't resolve hosts in an AD
> subdomain.

Can you clarify the problem a bit here? Is it that the authoritative nameservers for foo.example.com are unable to resolve ads.foo.example.com? Do the foo.example.com servers look to themselves for recursion? Am I correct that a department on campus is running their own AD environment with a root of ads.foo.example.com, and you simply delegate the subdomain to them?

> This was in the zone file:
>
> $ORIGIN foo.example.com.
> ...
> ads NS ads.foo.example.com
> ...
> ...
> ...
> ads A a.b.c.d
> ...
> ...
> ...

This looks pretty normal if you're delegating the ads.foo.example.com zone to a server called ads.foo.example.com. A little confusing to use the same name for the nameserver as the subdomain itself, but it seems like it should work.

> So changing to:
>
> $ORIGIN foo.example.com
> ...
> ads NS dc2.foo.example.com.
>     NS dc3.foo.example.com.
> dc2 A a.b.c.e
> dc3 A a.b.c.f
> ...

This looks very odd indeed. If the root of the AD domain is ads.foo.example.com, why do the DCs live in the parent zone? Is that something you allow?

The first zone config looked more appropriate. Without going any further into this, it looks as though the department may have set their AD domain up as "foo.example.com" when in reality it should be "ads.foo.example.com." Can you clarify this?

John
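As an added illustration of the delegation John is describing (this is not from the original thread), here is how the parent zone and the delegated AD root zone would fit together if ads.foo.example.com is a separate AD domain served by its own domain controllers. All hostnames, addresses and serial numbers are constructed placeholders. Two points worth checking in a real zone: a nameserver name that lives inside the child zone needs glue A records in the parent, and every absolute name needs its trailing dot, because a name without one is expanded relative to $ORIGIN.

```dns
; --- Parent zone: foo.example.com (constructed example) ---
$ORIGIN foo.example.com.
$TTL 3600
; Delegate the AD root to its own domain controllers. The NS targets sit
; inside the child zone, so the parent must carry glue A records for them.
ads         NS   dc1.ads.foo.example.com.
ads         NS   dc2.ads.foo.example.com.
dc1.ads     A    192.0.2.11   ; glue, must match the child zone's A record
dc2.ads     A    192.0.2.12   ; glue, must match the child zone's A record

; --- Child zone: ads.foo.example.com (constructed example) ---
; Served by the DCs themselves, or by BIND as a dynamic zone as in John's setup.
$ORIGIN ads.foo.example.com.
$TTL 3600
@           SOA  dc1.ads.foo.example.com. hostmaster.foo.example.com. (
                 2024010101   ; serial (placeholder)
                 3600         ; refresh
                 900          ; retry
                 1209600      ; expire
                 300 )        ; negative-caching TTL
@           NS   dc1.ads.foo.example.com.
@           NS   dc2.ads.foo.example.com.
dc1         A    192.0.2.11
dc2         A    192.0.2.12
; AD locator records; in practice the DCs register these by dynamic update.
_ldap._tcp            SRV 0 100 389 dc1.ads.foo.example.com.
_ldap._tcp            SRV 0 100 389 dc2.ads.foo.example.com.
_kerberos._tcp        SRV 0 100 88  dc1.ads.foo.example.com.
_kerberos._tcp        SRV 0 100 88  dc2.ads.foo.example.com.
_ldap._tcp.dc._msdcs  SRV 0 100 389 dc1.ads.foo.example.com.
_ldap._tcp.dc._msdcs  SRV 0 100 389 dc2.ads.foo.example.com.
```

If BIND hosts the child zone, it is the child zone (and the _msdcs subtree under it) that needs dynamic updates enabled, and those updates should be limited to the domain controllers, either by an address ACL in allow-update or, preferably, by an update-policy that authenticates the DCs with GSS-TSIG; the parent zone stays static and only carries the delegation.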
_______________________________________________
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users