This is similar to what a large enterprise customer I know of does, except it is QIP-based instead of BIND.

Static registration of host-specific A records for the servers and dynamic update of the underscore zones; clients register or not depending on their zone and whether or not the zone is dynamic. 400 or so Domain Controllers. Thousands of servers. All in a disjoint namespace, so the 400 or so DCs had host records in probably 320 or so DNS domains. The underscore zones were in the AD namespace but also on Solaris QIP machines. The root of the AD forest is the same as the DNS name for the corporate identity, which is dual-headed. External has one set of names, internal has another set. Completely different, disconnected DNS servers serving both sides of the firewall.

Biggest issues were misconfigured member machines (i.e. not properly configured for the disjoint namespace, in that they wanted to register in the AD domain name instead of their "local" DNS zone that they should have registered in) and scavenging of DNS records, which QIP was not doing at all and required me writing a Perl script to clean it up. The clients registering in the wrong place isn't so much an issue as a personal pisser-offer, as it was messy and I knew it pointed out clients that probably shouldn't be on the network as they weren't standard.

joe

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mulnick, Al
Sent: Thursday, June 10, 2004 10:51 AM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] Debate over 'split horizon' DNS

They manually enter A records? You are certainly the exception to most of the implementations I've seen, where data input error was a big issue and name resolution was chaotic. It turned out that delegating the zones and even zone transfers was much cleaner and easier to implement for those folks.

Just out of curiosity, this is a fairly large implementation with lots of servers and workstations in the Active Directory that you have, right?
Al

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Thursday, June 10, 2004 9:37 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Debate over 'split horizon' DNS

Having successfully integrated W2K3 AD with BIND DNS at our public Internet DNS name, I can say it can be done without much pain. I chose to go with BIND for all the DNS work on the internal network rather than delegate the _srv record zones to Win/AD DNS. Our environment does not use dynamic addressing, and a network infrastructure group is responsible for managing IP addressing and DNS. They have a well-established BIND infrastructure, and they continue to manage all host A-level records, which are manually entered. The service record zones are delegated to a specific set of BIND DNS servers that do nothing but handle the dynamic registration for _msdcs, _sites, _tcp and _udp. I found this configuration more stable and easier to troubleshoot than trying to get Windows DNS and BIND to play nicely together.

Some things to watch out for: make sure you consider the SOA parameters carefully, particularly the refresh time, and make sure you use/properly configure the notify option on your zones for slaves. The actual zones are small, and on some later versions of BIND incremental transfer is an option. Lock down your BIND security using ACLs to control who can update the SRV zones and who can get zone transfers.

On the Windows side, what we see is a failure (netlogon) to register domain-level A records at the DNS root (AD forest root), as this is currently registered to our web server. We get regular DNS authentication errors as DCs try to authenticate to the BIND servers for secure updates, but they move on and try non-secure updates and everything works fine.
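The delegated underscore-zone layout the message above describes, written out as an added example that is not from the thread or any of its posters: BIND 9 named.conf and zone-file fragments in which the hand-maintained parent zone delegates _msdcs, _sites, _tcp and _udp to a separate master/slave pair of BIND servers, which accept dynamic updates only from the domain controllers' addresses and zone transfers only from their own slave. The domain example.com, every host name and the 192.0.2.x / 198.51.100.x / 203.0.113.x addresses are placeholders, not anything from the thread.

```conf
// Added example (not from the thread or any poster). example.com, all host
// names and the 192.0.2.x / 198.51.100.x / 203.0.113.x addresses are placeholders.

// ---- named.conf on the static parent servers (ns1 = master, ns2 = slave) ----
acl "parent-slaves" { 192.0.2.2; };            // only ns2 may AXFR example.com

zone "example.com" {
    type master;
    file "db.example.com";
    allow-update   { none; };                  // host A records stay hand-entered
    allow-transfer { parent-slaves; };
    notify yes;                                // NOTIFY ns2 on every serial bump
};

// ---- db.example.com: the parent zone only delegates the four underscore zones ----
$ORIGIN example.com.
$TTL 3600
@        IN SOA ns1.example.com. hostmaster.example.com. (
                2004061001  ; serial
                3600        ; refresh: slaves poll hourly, NOTIFY covers the rest
                900         ; retry
                1209600     ; expire
                300 )       ; negative-cache TTL
@        IN NS  ns1.example.com.
@        IN NS  ns2.example.com.
@        IN A   203.0.113.10     ; the apex A is the public web server, not a DC
ns1      IN A   192.0.2.1
ns2      IN A   192.0.2.2
dyn1     IN A   192.0.2.21       ; glue for the dynamic-update servers
dyn2     IN A   192.0.2.22
_msdcs   IN NS  dyn1.example.com.
_msdcs   IN NS  dyn2.example.com.
_sites   IN NS  dyn1.example.com.
_sites   IN NS  dyn2.example.com.
_tcp     IN NS  dyn1.example.com.
_tcp     IN NS  dyn2.example.com.
_udp     IN NS  dyn1.example.com.
_udp     IN NS  dyn2.example.com.

// ---- named.conf on dyn1 (master for the delegated zones) ----
acl "domain-controllers" { 198.51.100.0/24; };  // the DC subnet; nothing else may update
acl "dyn-slaves"         { 192.0.2.22; };       // dyn2

zone "_msdcs.example.com" {
    type master;
    file "dyn/db._msdcs.example.com";
    allow-update   { domain-controllers; };     // netlogon's SRV/CNAME/A registrations
    allow-transfer { dyn-slaves; };
    notify yes;
};
zone "_sites.example.com" { type master; file "dyn/db._sites.example.com";
    allow-update { domain-controllers; }; allow-transfer { dyn-slaves; }; notify yes; };
zone "_tcp.example.com"   { type master; file "dyn/db._tcp.example.com";
    allow-update { domain-controllers; }; allow-transfer { dyn-slaves; }; notify yes; };
zone "_udp.example.com"   { type master; file "dyn/db._udp.example.com";
    allow-update { domain-controllers; }; allow-transfer { dyn-slaves; }; notify yes; };

// ---- dyn/db._msdcs.example.com as seeded before the first DC registers ----
// (the other three files are identical apart from $ORIGIN)
$ORIGIN _msdcs.example.com.
$TTL 600
@   IN SOA dyn1.example.com. hostmaster.example.com. (
            1        ; serial: BIND bumps it itself on every dynamic update
            900      ; refresh: short, the zone changes whenever a DC restarts netlogon
            300      ; retry
            604800   ; expire
            60 )     ; negative-cache TTL
@   IN NS  dyn1.example.com.
@   IN NS  dyn2.example.com.

// ---- named.conf on dyn2 (slave copies; IXFR is used when both ends support it) ----
zone "_msdcs.example.com" {
    type slave;
    masters { 192.0.2.21; };
    file "dyn/db._msdcs.example.com.bak";
    allow-update   { none; };                   // DCs send updates to the SOA MNAME, dyn1
    allow-transfer { none; };
};
zone "_sites.example.com" { type slave; masters { 192.0.2.21; }; file "dyn/db._sites.example.com.bak"; allow-update { none; }; allow-transfer { none; }; };
zone "_tcp.example.com"   { type slave; masters { 192.0.2.21; }; file "dyn/db._tcp.example.com.bak";   allow-update { none; }; allow-transfer { none; }; };
zone "_udp.example.com"   { type slave; masters { 192.0.2.21; }; file "dyn/db._udp.example.com.bak";   allow-update { none; }; allow-transfer { none; }; };
```

Two consequences of this layout that a practitioner should plan for, neither of which comes from the thread. First, the netlogon failure to register the apex A record is inherent here: example.com itself is the hand-maintained parent zone with allow-update { none; }, so the DCs will keep retrying unless told not to register that record (on Windows DCs the Netlogon DnsAvoidRegisterRecords registry value, listing LdapIpAddress, does that; a standard Microsoft setting, not something the poster mentions). Second, allow-update by source address trusts the network: anything that can deliver packets with a DC source address to dyn1 can rewrite the SRV records clients use to locate Kerberos and LDAP, which is a redirection of authentication, not just a DNS nuisance. Later BIND 9 releases can accept the GSS-TSIG updates the DCs try first (tkey-gssapi-keytab plus an update-policy with krb5-self / ms-self rules), which turns the "authentication error, then fall back to non-secure update" pattern described above into properly authenticated updates.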
-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mulnick, Al
Sent: Thursday, June 10, 2004 8:53 AM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] Debate over 'split horizon' DNS

Bitter experience? Perhaps not bitter, but having seen (and tried) many attempts to integrate Active Directory with BIND, I would say that is not the way you want to go if you want a stable environment. It's not that it can't be done; it's that it's not a good idea in most situations I've seen where you try to directly integrate Active Directory into existing BIND zones. Better to delegate a zone to Active Directory and work on ways to modify the UPN aliases.

Al

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Roger Mackenzie
Sent: Thursday, June 10, 2004 5:42 AM
To: '[EMAIL PROTECTED]'
Subject: [ActiveDir] Debate over 'split horizon' DNS

Folks,

I'm looking for input to a debate we're having over whether or not to root our campus Active Directory at gla.ac.uk (which is our public Internet persona) or at some other point such as ad.gla.ac.uk (which creates a pseudo-department in local terms) or gla.ac.uk.local. The public DNS will stay with BIND (for ever!).

The merit of paralleling our long-established DNS structure is that everyone is familiar with it, and the 'names' that come out automatically, such as [EMAIL PROTECTED], are immediately known by the customers. There is no need to grapple (and many do) with ugly oddities that a different root produces. But there may be, down the track, hard reasons not to do this.

Anyone with bitter experience either way?
Regards,
Roger Mackenzie (Glasgow University, Scotland, for the record)

List info : http://www.activedir.org/mail_list.htm
List FAQ : http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
