Personally, I prefer the latter FWIW.  Have the workstations update their
own data in the BIND zone. It would be no more (or less) secure than if you
pulled that data from Active Directory really, just more IP addrs to watch.

Otherwise, I think the certs on the DC's are the wrong path to go down.  But
if you must, there is some docs out there about putting certs on DC's
without installing PKI into the forest.  It's not for the faint of heart
from what I remember.  It's handled for you with certificate services if you
install it into the forest.  If you don't, why not stand up a standalone CA
and generate your certs that way?  Not a great long term solution, but
that's why I don't favor it.

If you stood a server up in the forest and used it to grab the records and
do the conversion, you have no more error probability than if you have the
BIND server fetch the data itself that I can see.  That's just a customized
solution is all. 

Just a few thoughts.  

Al 

-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Thursday, August 12, 2004 11:09 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Anonymous bind (here we go again)

I like the idea of having some Windows machine that is part of the domain
run a task as the system or network service account and grab the info and
jam it into your BIND setup. Do you allow unsecured dynamic updates? If so
you should be able to pretty easily do this with perl, adfind, and
nsupdate without changing your AD security or trying to cobble certs
together on the DC.  

Another possible solution is to take the workstations that are the issue
themselves and have them run a script to update the foreign DNS. This
assumes again open dynamic updates. 

  joe
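The perl/adfind/nsupdate approach joe describes, as an added example in Python that is not from the thread: it takes the (DN, dnsHostName) pairs an AD query would return, keeps only hosts in the watched OUs, diffs them against the CNAMEs already in BIND so hosts that come and go are added and removed, and emits an nsupdate batch. The OU names, server name and sample records are constructed assumptions.

```python
"""Build an nsupdate batch that keeps company.com CNAMEs in sync with AD.
Added example, not code from the thread. LDAP_RESULTS is a constructed
sample of (distinguishedName, dnsHostName) pairs; OUs and server are assumed."""

WATCHED_OUS = ("OU=Kiosks,DC=ad,DC=company,DC=com",
               "OU=Labs,DC=ad,DC=company,DC=com")
AD_ZONE = "ad.company.com"
PUBLIC_ZONE = "company.com"

# Constructed sample; the last entry has no dnsHostName registered yet.
LDAP_RESULTS = [
    ("CN=PC01,OU=Kiosks,DC=ad,DC=company,DC=com", "PC01.ad.company.com"),
    ("CN=LAB7,OU=Labs,DC=ad,DC=company,DC=com", "lab7.ad.company.com"),
    ("CN=FIN2,OU=Finance,DC=ad,DC=company,DC=com", "fin2.ad.company.com"),
    ("CN=NEW,OU=Kiosks,DC=ad,DC=company,DC=com", None),
]

def in_watched_ou(dn):
    """True if the object lives in (or under) one of the watched OUs."""
    return any(dn.lower().endswith("," + ou.lower()) for ou in WATCHED_OUS)

def wanted_cnames(results):
    """Map short host name -> AD FQDN for hosts that should get a CNAME."""
    cnames = {}
    for dn, fqdn in results:
        if not fqdn or not in_watched_ou(dn):
            continue
        fqdn = fqdn.lower().rstrip(".")
        if not fqdn.endswith("." + AD_ZONE):
            continue  # registered outside the AD zone: skip rather than guess
        cnames[fqdn[: -len(AD_ZONE) - 1]] = fqdn
    return cnames

def nsupdate_script(current, wanted):
    """Diff BIND's current CNAMEs against the wanted set; emit nsupdate input."""
    lines = ["server ns1.company.com", f"zone {PUBLIC_ZONE}"]
    for short in sorted(set(current) - set(wanted)):
        lines.append(f"update delete {short}.{PUBLIC_ZONE}. CNAME")  # left the OU
    for short, target in sorted(wanted.items()):
        if current.get(short) != target:  # new host or changed target
            lines.append(f"update delete {short}.{PUBLIC_ZONE}. CNAME")
            lines.append(f"update add {short}.{PUBLIC_ZONE}. 300 CNAME {target}.")
    lines.append("send")
    return "\n".join(lines) + "\n"

if __name__ == "__main__":
    # Constructed snapshot of what BIND currently holds for the zone.
    current = {"pc01": "pc01.ad.company.com", "old9": "old9.ad.company.com"}
    print(nsupdate_script(current, wanted_cnames(LDAP_RESULTS)))
```

Feed the output to nsupdate with `-k` and a TSIG key file so the zone can require signed updates instead of the open dynamic updates joe's plan assumes.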


-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Guy Teverovsky
Sent: Thursday, August 12, 2004 7:52 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Anonymous bind (here we go again)

I have thought about that, but if you think about it, it only reverts the
problem: now I need to either install some software on the DC to ensure
secure connection/authentication with BIND box or do it in 3
steps:
- get the data from AD and dump it into a flat file.
- transfer the file to BIND machine
- parse the file on BIND box

Both approaches are rather cumbersome and error prone.
I tend to prefer installing third party certificate on the DC.
On this note, can anyone give me a hint how to generate a CSR if I do not have
IIS installed? Is there any command line tool for that maybe?

I tried scripting it
(http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dncapi/html/certenrollment.asp),
but it looks like I am doing something wrong: the CA has no problem signing
the CSRs generated by IIS, but would not sign mine (script generated).

Thanks,
Guy

On Thu, 2004-08-12 at 10:26, Bernard, Aric wrote:
> OK, understood.  While the original idea does accomplish the desired 
> outcome, I think there are still other alternatives.
> 
> For example, why not create a script that runs based on a schedule on 
> a machine that is a member of the forest, runs in or uses the proper 
> security context to access the desired information in the OUs, writes 
> that information into the zone files on the BIND server, and then 
> completes the appropriate action to ensure that the data is available 
> in BIND DNS (i.e. restarting the DNS daemon)?
> 
> With this example, you do not need to modify the security around AD.  
> If for some reason you can not perform the desired BIND tasks 
> remotely, you can transfer a file containing the data to an 
> appropriate location and allow a scheduled script on the BIND server 
> to perform the import, etc.
> 
> - Aric
> 
> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Guy 
> Teverovsky
> Sent: Wednesday, August 11, 2004 10:11 PM
> To: [EMAIL PROTECTED]
> Subject: RE: [ActiveDir] Anonymous bind (here we go again)
> 
> Well, I know where the hosts should be in AD, but those hosts can 
> change. The idea is that if host resides in one of the OUs in 
> question, it gets to get CNAME in company.com, but the hosts can come 
> and go, so I do not know what records should get CNAMEs without 
> looking in the OUs.
> 
> Guy
> 
> On Thu, 2004-08-12 at 03:48, Bernard, Aric wrote:
> > Since you must already know what records you want to transform into 
> > CNAME records in the BIND environment, why not build your scripts on the
> > linux system to query the AD hosted DNS servers and then create the 
> > CNAME records based on this DNS query instead of an LDAP query?
> > 
> > - Aric
> > 
> > -----Original Message-----
> > From: [EMAIL PROTECTED]
> > [mailto:[EMAIL PROTECTED] On Behalf Of Guy Teverovsky
> > Sent: Wednesday, August 11, 2004 2:34 PM
> > To: [EMAIL PROTECTED]
> > Subject: [ActiveDir] Anonymous bind (here we go again)
> > 
> > 
> > 
> > We have W2K3 AD (FFL/DFL 2003) configured as ad.company.com There is 
> > a subset of workstations (located in pre-configured OUs) that need 
> > to be resolvable using the "company.com" suffix (company.com zone is 
> > managed by BIND, while ad.company.com is managed by MS DNS).
> > 
> > One of the ideas was to run (from Linux) LDAP queries against AD for the
> > machines in question, query the MS DNS for the registration and 
> > build CNAME entries for BIND based on the query.
> > 
> > Caveat: our AD is configured with "LDAP signing requirement: Negotiate",
> > which means that any attempt for simple bind will be forced to use 
> > SSL/TLS (and we do not run CA or have certs installed on DCs) and 
> > otherwise will fail.
> > 
> > From here two options have been proposed:
> > 
> > 1) flip the 7th bit of dsHeuristics to allow anon access and grant 
> > anonymous access to the required attributes (dnsHostName)
> > cons: this exposed the AD to potential DoS of LDAP service by anonymous
> > (am I right here ?)
> > 
> > 2) install 3rd party certs on DCs and have scripts use embedded service
> > account for LDAP binds/queries.
> > cons/pros: I have no experience with 3rd party certs on DCs. Are 
> > there any caveats or gotchas here ? Is it possible/reasonable ?
> > 
> > In any case, nothing that is not already exposed by DNS is going to 
> > be exposed.
> > 
> > If you can think of any other way of achieving the desired result 
> > (up-to-date mapping from client.ad.company.com to client.company.com 
> > using CNAMEs), I would be happy to hear. Zone transfers are out of 
> > the question - we do not want all the hosts from AD DNS, only the 
> > certain subset of them.
> > 
> > Thanks,
> > Guy
--
Smith & Wesson - the original point and click interface

List info   : http://www.activedir.org/mail_list.htm
List FAQ    : http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
