It should be that hard to delegate those - you should be
able to create a stub zone for them pointing back to your AD
servers.
--------
Roger Seielstad
E-mail Geek
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Isenhour, Joseph
Sent: Wednesday, March 30, 2005 8:20 PM
To: [email protected]
Subject: RE: [ActiveDir] Compelling arguments?

Just the service records. I don't care about the A records; our process for getting those statically created is pretty painless. It's the ACLs for dynamic updates that cause us pain.
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Roger Seielstad
Sent: Wednesday, March 30, 2005 8:17 PM
To: [email protected]
Subject: RE: [ActiveDir] Compelling arguments?

What are you trying to delegate - PTR creation or the A record creation?

--------
Roger Seielstad
E-mail Geek & MS-MVP
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Isenhour, Joseph
Sent: Wednesday, March 30, 2005 7:49 PM
To: [email protected]
Subject: RE: [ActiveDir] Compelling arguments?

This is a bit off the topic of the thread, but since we are talking about using BIND DNS with AD I'll go ahead and ask. Has anyone figured out a good way of delegating the update DNS right to your DCs? At my company the DNS admins are on a completely different team and getting them to manage the ACLs is a real pain. I'd love to use TSIG or something along those lines, but as far as I can tell this is not supported in Windows. Any suggestions?
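Whatever route the DNS team takes (per-DC update ACLs on the BIND zone, or a stub zone on BIND that hands the AD names back to the DCs as suggested later in the thread), the thing to verify is the same: the resolver clients actually use must return the SRV records the DCs registered. The following PowerShell check is an added example, not code from anyone on this list; it assumes the DnsClient module (RSAT / Windows 8+), and the domain and server names are placeholders for the poster's environment.

```powershell
# Added example: compare the AD SRV records served by the BIND resolver that
# clients use against what a DC itself answers, and flag records that are
# missing or stale on the BIND side. All names below are placeholders.

param(
    [string]$AdDomain   = 'us.widget.net',      # AD DNS domain name
    [string]$BindServer = 'dns1.widget.net',    # resolver clients actually use
    [string]$DcServer   = 'dc1.us.widget.net'   # a DC hosting the AD-integrated zone
)

# The SRV names DC discovery and Kerberos rely on (site-specific records omitted).
$srvNames = @(
    "_ldap._tcp.dc._msdcs.$AdDomain",
    "_kerberos._tcp.dc._msdcs.$AdDomain",
    "_ldap._tcp.$AdDomain",
    "_kerberos._tcp.$AdDomain",
    "_kpasswd._tcp.$AdDomain"
)

function Get-SrvTargets {
    # Return "host:port" strings for an SRV name as answered by one server.
    param([string]$Name, [string]$Server)
    try {
        Resolve-DnsName -Name $Name -Type SRV -Server $Server -DnsOnly -ErrorAction Stop |
            Where-Object { $_.Type -eq 'SRV' } |
            ForEach-Object { "$($_.NameTarget):$($_.Port)" } |
            Sort-Object -Unique
    } catch {
        @()   # NXDOMAIN / SERVFAIL / timeout: treat as an empty answer
    }
}

foreach ($name in $srvNames) {
    $fromBind = @(Get-SrvTargets -Name $name -Server $BindServer)
    $fromDc   = @(Get-SrvTargets -Name $name -Server $DcServer)

    # Targets the DC registered that the client-facing resolver never returns.
    $missing = @($fromDc | Where-Object { $fromBind -notcontains $_ })

    if ($fromDc.Count -eq 0)  { $status = 'DC itself has no record' }
    elseif ($missing.Count)   { $status = 'BIND view stale or not delegated' }
    else                      { $status = 'OK' }

    [pscustomobject]@{
        Record        = $name
        ViaBind       = $fromBind.Count
        ViaDc         = $fromDc.Count
        MissingAtBind = ($missing -join ', ')
        Status        = $status
    }
}

# If a record is 'OK' from the DC but missing at BIND right after the DC has
# re-registered (nltest /dsregdns on the DC), the problem is the BIND-side
# delegation, stub zone or update ACL rather than the DC.
```

Run it from any domain-joined workstation; a row whose `ViaDc` count is non-zero while `MissingAtBind` lists targets is the exact case clients hit when the BIND ACL lags behind a DC change.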
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Isenhour, Joseph
Sent: Wednesday, March 30, 2005 7:27 PM
To: [email protected]
Subject: RE: [ActiveDir] Compelling arguments?

True, I've had the same experience with SQL and Kerberos. On the bright side, the issues forced all of our server admins to understand Kerberos and engage my team to make sure that it's working properly.
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Wednesday, March 30, 2005 6:32 PM
To: [email protected]
Subject: RE: [ActiveDir] Compelling arguments?

SQL Server has all sorts of dorked up issues with SPNs; you have to always check them anyway. Someone was on crack that worked out that functionality for SQL Server; I have had my share of arguments with PSS over that. Instead of trying to do things through the computer account they do things through the admin installing the service, who often doesn't have the appropriate rights in AD.

joe
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Isenhour, Joseph
Sent: Wednesday, March 30, 2005 12:01 PM
To: [email protected]
Subject: RE: [ActiveDir] Compelling arguments?

Not only is being able to register it important, but also that DNS resolves to the correct SPN. Let's say you have a SQL server that is a member of the us.widget.net domain; however, in DNS it is registered as sql1.sea.widget.net. If you look in AD it's likely that the SPN registered will be: MSSql/sql1.us.widget.net. So when a user attempts to get a service ticket, they will pass sql.sea.widget.net and it will fail, and the user will use NTLM auth instead. So if you're going to use a different DNS domain model (like we do at my company; we use QIP with regionalized domains) then make sure your SPNs match up.
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Tuesday, March 29, 2005 9:18 PM
To: [email protected]
Subject: RE: [ActiveDir] Compelling arguments?

The permission mod you need to make is to correct this. Again, disjoint namespace works fine in the core OS. The issues that crop up are around poorly written/tested applications.

joe
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Isenhour, Joseph
Sent: Tuesday, March 29, 2005 3:43 PM
To: [email protected]
Subject: RE: [ActiveDir] Compelling arguments?

If you're also talking about servers, don't forget that by default computers register their SPN using the AD domain name. So if you have a server that registers HOST/someserver.myadname.net and the server actually resolves to someserver.mydnszone.net, Kerberos will not work for the clients that try to connect using the DNS name.
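The failure mode described here and in the SQL Server message above (SPN registered under the AD domain name, clients connecting by a name in a different DNS zone, silent fallback to NTLM) is easy to audit before users notice. The script below is an added example written for this thread, not code from any poster; it assumes the ActiveDirectory and DnsClient modules (RSAT), a domain-joined machine with read access to the computer object, and uses the thread's own host names as placeholders. It assumes the MSSQLSvc service class for a SQL Server instance; use HOST or the class of whatever service is being checked.

```powershell
# Added example: for a service host, compare the DNS names clients actually
# use against the SPNs registered in AD and report names that will fall back
# to NTLM because no matching SPN exists. Names below are placeholders.

param(
    [string]$ServiceClass = 'MSSQLSvc',                  # SPN class the client asks for
    [string[]]$ClientNames = @('sql1.sea.widget.net'),   # names users connect with
    [string]$ComputerName = 'sql1'                       # sAMAccountName without '$'
)

Import-Module ActiveDirectory

# Every SPN on the computer object. If the service runs as a domain user,
# run the same comparison against Get-ADUser -Properties ServicePrincipalNames.
$computer   = Get-ADComputer -Identity $ComputerName -Properties ServicePrincipalNames, DNSHostName
$registered = @($computer.ServicePrincipalNames)

$report = foreach ($name in $ClientNames) {
    # Find what the client-facing name points at: a CNAME target or the A name itself.
    $records = Resolve-DnsName -Name $name -ErrorAction SilentlyContinue
    $target  = ($records | Where-Object { $_.Type -eq 'CNAME' } | Select-Object -First 1).NameHost
    if (-not $target) { $target = $name }

    # Clients build "<class>/<name they typed>[:port]"; when the name is a CNAME
    # many clients request the SPN for the canonical name instead, so check both.
    $wanted = @("$ServiceClass/$name", "$ServiceClass/$target") | Select-Object -Unique
    foreach ($spn in $wanted) {
        $match = @($registered | Where-Object { $_ -like "$spn*" })   # allow :port suffixes
        if ($match.Count) { $outcome = 'Kerberos' } else { $outcome = 'NTLM fallback (no SPN)' }
        [pscustomobject]@{
            ClientName  = $name
            ResolvesTo  = $target
            ExpectedSpn = $spn
            Registered  = [bool]$match.Count
            Outcome     = $outcome
        }
    }
}

$report | Format-Table -AutoSize

# A row marked 'NTLM fallback' is fixed by adding that SPN to the account the
# service runs as, e.g. (placeholder account and port):
#   setspn -S MSSQLSvc/sql1.sea.widget.net:1433 WIDGET\sqlsvc
```

The `-like "$spn*"` match is deliberate: SQL Server SPNs carry a `:port` or `:instance` suffix, and a registered `MSSQLSvc/sql1.sea.widget.net:1433` should count as covering the name even though the exact string differs.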
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brent Westmoreland
Sent: Tuesday, March 29, 2005 7:06 AM
To: [email protected]
Subject: [ActiveDir] Compelling arguments?

Are there compelling arguments to use the DNS Domain name of your AD Domain as the primary DNS Suffix versus a different DNS extension from a client functionality perspective?
Clients are still able to resolve the AD DNS Domain but most do not use it as their primary suffix.
Any thoughts welcome.
