Thank you all for your replies. Unfortunately our BIND does not accept dynamic updates. Digging some more I have found the following article about third party certs on DC: http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/advcert.mspx Indeed not for the faint of heart, though doable.
I'll catch a chat with our BIND guru and see where we go from here.
Thanks for the ideas.

Guy

On Fri, 2004-08-13 at 16:26, Mulnick, Al wrote:
> Personally, I prefer the latter FWIW. Have the workstations update their own data in the BIND zone. It would be no more (or less) secure than if you pulled that data from Active Directory really, just more IP addrs to watch.
>
> Otherwise, I think the certs on the DCs are the wrong path to go down. But if you must, there are some docs out there about putting certs on DCs without installing PKI into the forest. It's not for the faint of heart from what I remember. It's handled for you with Certificate Services if you install it into the forest. If you don't, why not stand up a standalone CA and generate your certs that way? Not a great long term solution, but that's why I don't favor it.
>
> If you stood a server up in the forest and used it to grab the records and do the conversion, you have no more error probability than if you have the BIND server fetch the data itself that I can see. That's just a customized solution is all.
>
> Just a few thoughts.
>
> Al
>
> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of joe
> Sent: Thursday, August 12, 2004 11:09 PM
> To: [EMAIL PROTECTED]
> Subject: RE: [ActiveDir] Anonymous bind (here we go again)
>
> I like the idea of having some Windows machine that is part of the domain run a task as the system or network service account and grab the info and jam it into your BIND setup. Do you allow unsecured dynamic updates? If so you should be able to pretty easily do this with perl, adfind, and nsupdate without changing your AD security or trying to cobble certs together on the DC.
>
> Another possible solution is to take the workstations that are the issue themselves and have them run a script to update the foreign DNS. This assumes again open dynamic updates.
>
> joe
>
> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Guy Teverovsky
> Sent: Thursday, August 12, 2004 7:52 PM
> To: [EMAIL PROTECTED]
> Subject: RE: [ActiveDir] Anonymous bind (here we go again)
>
> I have thought about that, but if you think about it, it only reverts the problem: now I need to either install some software on the DC to ensure a secure connection/authentication with the BIND box or do it in 3 steps:
> - get the data from AD and dump it into a flat file.
> - transfer the file to the BIND machine
> - parse the file on the BIND box
>
> Both approaches are rather cumbersome and error prone.
> I tend to prefer installing a third party certificate on the DC.
> On this note, can anyone give me a hint how to generate a CSR if I do not have IIS installed? Is there any command line tool for that maybe?
>
> I tried scripting it (http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dncapi/html/certenrollment.asp), but it looks like I am doing something wrong: the CA has no problem signing the CSRs generated by IIS, but would not sign mine (script generated).
>
> Thanks,
> Guy
>
> On Thu, 2004-08-12 at 10:26, Bernard, Aric wrote:
> > OK, understood. While the original idea does accomplish the desired outcome, I think there are still other alternatives.
> >
> > For example, why not create a script that runs based on a schedule on a machine that is a member of the forest, runs in or uses the proper security context to access the desired information in the OUs, writes that information into the zone files on the BIND server, and then completes the appropriate action to ensure that the data is available in BIND DNS (i.e. restarting the DNS daemon)?
> >
> > With this example, you do not need to modify the security around AD. If for some reason you can not perform the desired BIND tasks remotely, you can transfer a file containing the data to an appropriate location and allow a scheduled script on the BIND server to perform the import, etc.
> >
> > - Aric
> >
> > -----Original Message-----
> > From: [EMAIL PROTECTED]
> > [mailto:[EMAIL PROTECTED] On Behalf Of Guy Teverovsky
> > Sent: Wednesday, August 11, 2004 10:11 PM
> > To: [EMAIL PROTECTED]
> > Subject: RE: [ActiveDir] Anonymous bind (here we go again)
> >
> > Well, I know where the hosts should be in AD, but those hosts can change. The idea is that if a host resides in one of the OUs in question, it gets a CNAME in company.com, but the hosts can come and go, so I do not know what records should get CNAMEs without looking in the OUs.
> >
> > Guy
> >
> > On Thu, 2004-08-12 at 03:48, Bernard, Aric wrote:
> > > Since you must already know what records you want to transform into CNAME records in the BIND environment, why not build your scripts on the linux system to query the AD hosted DNS servers and then create the CNAME records based on this DNS query instead of an LDAP query?
> > >
> > > - Aric
> > >
> > > -----Original Message-----
> > > From: [EMAIL PROTECTED]
> > > [mailto:[EMAIL PROTECTED] On Behalf Of Guy Teverovsky
> > > Sent: Wednesday, August 11, 2004 2:34 PM
> > > To: [EMAIL PROTECTED]
> > > Subject: [ActiveDir] Anonymous bind (here we go again)
> > >
> > > We have W2K3 AD (FFL/DFL 2003) configured as ad.company.com. There is a subset of workstations (located in pre-configured OUs) that need to be resolvable using the "company.com" suffix (the company.com zone is managed by BIND, while ad.company.com is managed by MS DNS).
> > >
> > > One of the ideas was to run (from Linux) LDAP queries against AD for the machines in question, query the MS DNS for the registration and build CNAME entries for BIND based on the query.
> > >
> > > Caveat: our AD is configured with "LDAP signing requirement: Negotiate", which means that any attempt for simple bind will be forced to use SSL/TLS (and we do not run a CA or have certs installed on DCs) and otherwise will fail.
> > >
> > > From here two options have been proposed:
> > >
> > > 1) flip the 7th bit of dsHeuristics to allow anon access and grant anonymous access to the required attributes (dnsHostName)
> > > cons: this exposes the AD to potential DoS of the LDAP service by anonymous (am I right here?)
> > >
> > > 2) install 3rd party certs on DCs and have scripts use an embedded service account for LDAP binds/queries.
> > > cons/pros: I have no experience with 3rd party certs on DCs. Are there any caveats or gotchas here? Is it possible/reasonable?
> > >
> > > In any case, nothing that is not already exposed by DNS is going to be exposed.
> > >
> > > If you can think of any other way of achieving the desired result (up-to-date mapping from client.ad.company.com to client.company.com using CNAMEs), I would be happy to hear. Zone transfers are out of the question - we do not want all the hosts from AD DNS, only a certain subset of them.
> > >
> > > Thanks,
> > > Guy
>
> --
> Smith & Wesson - the original point and click interface
>
> List info : http://www.activedir.org/mail_list.htm
> List FAQ : http://www.activedir.org/list_faq.htm
> List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/

--
Smith & Wesson - the original point and click interface

List info : http://www.activedir.org/mail_list.htm
List FAQ : http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
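The conversion step the thread keeps circling (a domain-member job exports the computer objects from the target OUs, then feeds CNAMEs into the BIND zone with nsupdate) is shown below as an added example; it is not code from anyone on the list. It is written in Python rather than the perl/adfind combination joe mentions, and it generates nsupdate input instead of calling nsupdate itself, so it runs offline. The LDIF sample, the OU names, the zone names and the name server `ns1.company.com` are constructed for illustration. Because hosts "come and go", the script also takes the CNAMEs a previous run created and emits deletes for hosts that have since left the OUs, so nothing dangles. The last function is a defender's check for the dsHeuristics option the thread discusses: the flag is the 7th character of the dsHeuristics string (fLDAPBlockAnonOps), and a value of "2" there permits anonymous LDAP operations beyond the rootDSE.

```python
"""Turn an export of AD computer objects into an nsupdate script that
converges the CNAMEs in a BIND zone on the hosts in selected OUs.
Added example; all names and sample data below are constructed."""
import base64

# Constructed sample: the shape of LDIF an ldapsearch/adfind query for
# computer objects returns. Only the DN and dNSHostName are used.
SAMPLE_LDIF = """\
dn: CN=WS01,OU=Kiosks,OU=Workstations,DC=ad,DC=company,DC=com
dNSHostName: ws01.ad.company.com

dn: CN=WS02,OU=Kiosks,OU=Workstations,DC=ad,DC=company,DC=com
dNSHostName: ws02.ad.company.com

dn: CN=SRV01,OU=Servers,DC=ad,DC=company,DC=com
dNSHostName: srv01.ad.company.com

dn: CN=WS03,OU=Kiosks,OU=Workstations,DC=ad,DC=company,DC=com
"""

# Assumed OUs whose members get a CNAME in the BIND-managed zone.
TARGET_OUS = ("OU=Kiosks,OU=Workstations,DC=ad,DC=company,DC=com",)
AD_ZONE = "ad.company.com"      # MS DNS zone (from the thread)
BIND_ZONE = "company.com"       # BIND zone (from the thread)


def parse_ldif(text):
    """Yield one {attr: value} dict per blank-line-separated LDIF entry.
    Handles the 'attr:: base64' form; attribute names are lower-cased."""
    entry = {}
    for line in text.splitlines() + [""]:
        if not line.strip():
            if entry:
                yield entry
            entry = {}
            continue
        attr, _, value = line.partition(":")
        if value.startswith(":"):                  # base64-encoded value
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        entry[attr.strip().lower()] = value.strip()


def in_target_ou(dn, target_ous=TARGET_OUS):
    """True when the object sits in (or beneath) one of the target OUs."""
    dn_l = dn.lower()
    return any(dn_l.endswith("," + ou.lower()) for ou in target_ous)


def desired_cnames(ldif_text, target_ous=TARGET_OUS):
    """Map short host name -> FQDN in the AD zone, for hosts in the target OUs
    that actually have a dNSHostName registered under that zone."""
    wanted = {}
    for entry in parse_ldif(ldif_text):
        fqdn = entry.get("dnshostname")
        if not fqdn or not in_target_ou(entry.get("dn", ""), target_ous):
            continue
        fqdn = fqdn.lower().rstrip(".")
        if not fqdn.endswith("." + AD_ZONE):
            continue
        wanted[fqdn[: -len("." + AD_ZONE)]] = fqdn
    return wanted


def nsupdate_script(wanted, current, server, zone=BIND_ZONE, ttl=3600):
    """Build nsupdate input that makes the zone's CNAMEs match `wanted`.
    `current` is {short name: target} recorded by the previous run, so
    hosts that left the OUs get their CNAME deleted instead of left behind."""
    lines = [f"server {server}", f"zone {zone}"]
    for short in sorted(set(current) - set(wanted)):
        lines.append(f"update delete {short}.{zone}. CNAME")
    for short, target in sorted(wanted.items()):
        if current.get(short) != target:           # new or retargeted host
            lines.append(f"update delete {short}.{zone}. CNAME")
            lines.append(f"update add {short}.{zone}. {ttl} CNAME {target}.")
    lines.append("send")
    return "\n".join(lines) + "\n"


def anonymous_ldap_enabled(ds_heuristics):
    """dsHeuristics is a string of one-character flags; the 7th character
    (fLDAPBlockAnonOps) set to '2' allows anonymous LDAP operations."""
    return len(ds_heuristics) >= 7 and ds_heuristics[6] == "2"


if __name__ == "__main__":
    # Constructed state from a previous run: ws01 is still wanted, 'old' is not.
    previous = {"ws01": "ws01.ad.company.com", "old": "old.ad.company.com"}
    print(nsupdate_script(desired_cnames(SAMPLE_LDIF), previous, "ns1.company.com"))
    print("anonymous LDAP ops:", anonymous_ldap_enabled("0000002"))
```

The generated text is meant to be piped into `nsupdate` (with `-k` and a TSIG key if the zone requires signed updates) from a host the BIND `allow-update` policy trusts; keeping the previous run's mapping on disk is what lets the job remove records for machines that moved out of the OUs.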
