Seems someone doesn't follow the KISS method :)

-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of
[EMAIL PROTECTED]
Sent: Thursday, June 10, 2004 11:20 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Debate over 'split horizon' DNS


It's 6000+ users/workstations spread across Canada.  They (network support)
have a process where addresses are assigned and zone files for A records are
updated on a regular basis.  Users request a new Workstation or Server
Address from a centralized IP address management group, it is assigned from
an IP Address management system which creates the zone files, which are then
uploaded to the BIND servers on a predetermined schedule.  They have been
doing it for so long that it is a well established and pretty much error
free process.  That was one of the major reasons for staying with BIND.

The only exception to the A record management is the DC/GC A records
associated with the _msdcs zone.  These are handled dynamically by the
DC/GCs to the BIND servers hosting the Dynamic Zones for service records
just like all the other records for these zones.

I must admit I was sceptical at first, but it has proven to be very solid.

-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Mulnick, Al
Sent: Thursday, June 10, 2004 10:51 AM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] Debate over 'split horizon' DNS

They manually enter A records?  You are certainly the exception to most of
the implementations I've seen where data input error was a big issue and
name resolution was chaotic.  It turned out that delegating the zones and
even zone transfers was much cleaner and easier to implement for those
folks.

Just out of curiosity, this is a fairly large implementation with lots of
servers and workstations in the Active Directory that you have right?

Al

-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of
[EMAIL PROTECTED]
Sent: Thursday, June 10, 2004 9:37 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Debate over 'split horizon' DNS

Having successfully integrated W2K3 AD with BIND DNS at our public Internet
DNS name, I can say it can be done without much pain.  I chose to go with
BIND for all the DNS work on the internal network rather than delegate the
SRV record zones to Win/AD DNS.  Our environment does not use dynamic
addressing, and a network infrastructure group is responsible for managing
IP addressing and DNS.  They have a well established BIND infrastructure, and
they continue to manage all host A level records, which are manually
entered.  The Service Record Zones are delegated to a specific set of BIND
DNS servers that do nothing but handle the Dynamic registration for _msdcs
_sites _tcp and _udp.  I found this configuration more stable and easier to
troubleshoot than trying to get Windows DNS and Bind to play nicely
together.

Some things to watch out for - Make sure you consider the SOA parameters
carefully, particularly the refresh time, and make sure you use/properly
configure the notify option on your zones for slaves.  The actual zones are
small, and on some later versions of bind incremental Transfer is an option.
Lock down your BIND security using ACLs to control who can update the SRV
zones and who can get zone transfers.

On the Windows side, what we see is a failure (netlogon) to register
domain level A records at the DNS root (AD forest root) as this is currently
registered to our web server.  We get regular dns authentication errors as
DCs try to authenticate to the Bind servers for secure updates, but they
move on and try non secure updates and everything works fine.
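As an added illustration of the setup described in the message above (this is not the poster's configuration, and nothing here comes from the thread itself), the fragment below shows a BIND 9 named.conf for servers that host only the delegated dynamic service-record zones, the delegation records that would sit in the static parent zone, and a starting zone file whose SOA timers are the ones the poster says to think about. The forest name gla.ac.uk is taken from the thread; every address, host name and file path is an assumption made up for the example.

```conf
// ---- named.conf on the "dynamic zones only" BIND servers (added example) ----

// Domain controllers allowed to send dynamic updates. Addresses are constructed.
// The DCs in this thread fall back to unsigned updates, so the only thing
// protecting these zones is this list: keep it to the DCs and nothing else.
acl "ad-dcs" { 10.10.1.10; 10.10.1.11; };

// Slaves allowed to pull zone transfers (constructed subnet).
acl "dns-slaves" { 10.10.2.0/24; };

options {
    directory      "/var/named";
    allow-transfer { none; };   // deny AXFR/IXFR unless a zone overrides it
    allow-update   { none; };   // deny dynamic updates unless a zone overrides it
    notify yes;                 // send NOTIFY to the zone's NS records on change
};

// One master zone per delegated subtree. Each one is delegated from the
// static gla.ac.uk zone (see the parent-zone records below).
zone "_msdcs.gla.ac.uk" IN {
    type master;
    file "dynamic/_msdcs.gla.ac.uk.db";
    allow-update   { "ad-dcs"; };       // only the DCs may register records
    allow-transfer { "dns-slaves"; };   // only our own slaves may transfer
    also-notify    { 10.10.2.5; 10.10.2.6; };  // slaves not listed as NS (constructed)
};

zone "_sites.gla.ac.uk" IN {
    type master;
    file "dynamic/_sites.gla.ac.uk.db";
    allow-update   { "ad-dcs"; };
    allow-transfer { "dns-slaves"; };
    also-notify    { 10.10.2.5; 10.10.2.6; };
};

zone "_tcp.gla.ac.uk" IN {
    type master;
    file "dynamic/_tcp.gla.ac.uk.db";
    allow-update   { "ad-dcs"; };
    allow-transfer { "dns-slaves"; };
    also-notify    { 10.10.2.5; 10.10.2.6; };
};

zone "_udp.gla.ac.uk" IN {
    type master;
    file "dynamic/_udp.gla.ac.uk.db";
    allow-update   { "ad-dcs"; };
    allow-transfer { "dns-slaves"; };
    also-notify    { 10.10.2.5; 10.10.2.6; };
};

// ---- records added to the static gla.ac.uk zone (managed by the network group) ----
// Delegate each subtree to the dynamic-zone servers. ns-ad1/ns-ad2 live in the
// parent zone, so their A records are ordinary records there, not glue.
//   ns-ad1   IN A   10.10.1.53
//   ns-ad2   IN A   10.10.2.53
//   _msdcs   IN NS  ns-ad1.gla.ac.uk.
//   _msdcs   IN NS  ns-ad2.gla.ac.uk.
//   _sites   IN NS  ns-ad1.gla.ac.uk.
//   _sites   IN NS  ns-ad2.gla.ac.uk.
//   _tcp     IN NS  ns-ad1.gla.ac.uk.
//   _tcp     IN NS  ns-ad2.gla.ac.uk.
//   _udp     IN NS  ns-ad1.gla.ac.uk.
//   _udp     IN NS  ns-ad2.gla.ac.uk.

// ---- starting dynamic/_msdcs.gla.ac.uk.db (BIND rewrites it as updates arrive) ----
//   $TTL 600
//   @   IN SOA ns-ad1.gla.ac.uk. hostmaster.gla.ac.uk. (
//           1          ; serial, bumped by BIND on every dynamic update
//           900        ; refresh: slaves re-check every 15 min even if NOTIFY is lost
//           300        ; retry after a failed refresh
//           1209600    ; expire: slaves stop answering after 2 weeks without contact
//           600 )      ; negative-caching TTL for NXDOMAIN answers
//       IN NS  ns-ad1.gla.ac.uk.
//       IN NS  ns-ad2.gla.ac.uk.
```

Two caveats worth keeping in mind with this layout. An address-based allow-update list is only as good as the network's resistance to source-address spoofing, because the DCs end up sending unsigned updates; if that is not acceptable, later BIND 9 releases can accept the GSS-TSIG signed updates the DCs try first, which lets the ACL be replaced by an update-policy tied to the DC's Kerberos identity. And the short refresh plus NOTIFY is a belt-and-braces combination: NOTIFY keeps the slaves current within seconds, while the refresh timer bounds how stale a slave can get if a NOTIFY is dropped. If the slaves are on a new enough BIND, enabling incremental transfers keeps those frequent refreshes cheap.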

-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Mulnick, Al
Sent: Thursday, June 10, 2004 8:53 AM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] Debate over 'split horizon' DNS

Bitter experience?  Perhaps not bitter, but having seen (and tried) many
attempts to integrate Active Directory with BIND, I would say that is not
the way you want to go if you want a stable environment.  It's not that it
can't be done, it's that it's not a good idea in most situations I've seen
where you try to directly integrate Active Directory into existing BIND
zones.  Better to delegate a zone to Active Directory and work on ways to
modify the UPN aliases.

Al

-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Roger Mackenzie
Sent: Thursday, June 10, 2004 5:42 AM
To: '[EMAIL PROTECTED]'
Subject: [ActiveDir] Debate over 'split horizon' DNS

Folks,

        I'm looking for input to a debate we're having over whether or not
to root our campus Active Directory at gla.ac.uk (which is our public
internet persona) or at some other point such as ad.gla.ac.uk (which creates
a pseudo department in local terms) or gla.ac.uk.local.

        The public DNS will stay with Bind (for ever!).

        The merit of paralleling our long established DNS structure is that
everyone is familiar with it and the 'names' that come out automatically
such as [EMAIL PROTECTED] are immediately known by the customers. There is
no need to grapple (and many do) with ugly oddities that a different root
produces.

        But there may be, down the track hard reasons not to do this. Anyone
with bitter experience either way?

Regards, Roger Mackenzie (Glasgow University, Scotland for the record)
List info   : http://www.activedir.org/mail_list.htm
List FAQ    : http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/