In article <[EMAIL PROTECTED]>, Henry B. Hotz <[EMAIL PROTECTED]> wrote:

>Significant services (which may need duplication or conflict
>resolution between Unix and AD):

In general, we (MIT CSAIL) pretty much ignore Windows DNS. The DCs run it, because AD requires it, but we don't consider it authoritative. All users have Kerberos principals in the CSAIL.MIT.EDU realm, which has one-way cross-realm (because of the DES issue) into the AD realm. User accounts in AD have completely random passwords and are created to grant [EMAIL PROTECTED] (and sometimes [EMAIL PROTECTED] if the user needs it for business reasons) login access to the AD account. We distribute a .reg file for workstation users to run prior to joining the domain which creates the right registry entries for users to log in directly to the CSAIL.MIT.EDU realm, and domain member workstations handle this correctly. No services that matter to non-Windows machines run on Windows, so their service principals are in the CSAIL.MIT.EDU realm.

>Forward DNS -- I suspect you serve separate DNS domains from BIND
>vice AD servers

Correct. The real DNS (driven from our WebDNS application and its database) is authoritative. Windows DNS is just there to make Windows happy.

>Reverse DNS -- Which platform gets which IP numbers, i.e. do you mix
>or segregate them?

IP addresses are assigned first-fit per subnet. Subnets are a combination of geographically- and function-based assignment.

>DHCP -- 1 or 2 DHCP services, provided by which? Does DHCP care
>about platform?

We don't use Windows DHCP.

>DynDNS -- How is this integrated with DHCP (plus the above question).

We don't support dynamic DNS at all, and tell all Windows users to uncheck that option in their settings. (I don't know if the AD group policy enforces this.)

>Kerberos -- krb5.conf or DNS SRV?

We support both. Windows machines are using the registry, of course. (We do distribute a custom krb5.conf with our customized package of KfW/NIM.)

>advertised DNS servers -- BIND, DC, mix, pre-configured or DHCP
>supplied?

We want people to use our name servers, but I have no idea whether AD member workstations actually do. (The NS records are set up appropriately so AD names can be looked up.) Non-AD-member Windows machines definitely do. We tell all users to use DHCP.

>cross-realm -- [domain_realm] section or DNS records maintained?

Again, we do both (for the limited selection of realms we support cross-realm with -- this is really only necessary for the ATHENA.MIT.EDU realm).

-GAWollman

--
Garrett A. Wollman    | The real tragedy of human existence is not that we are
[EMAIL PROTECTED]     | nasty by nature, but that a cruel structural asymmetry
Opinions not those    | grants to rare events of meanness such power to shape
of MIT or CSAIL.      | our history.  - S.J. Gould, Ten Thousand Acts of Kindness
________________________________________________
Kerberos mailing list           [email protected]
https://mailman.mit.edu/mailman/listinfo/kerberos
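A krb5.conf sketch of the "we do both" arrangement Wollman describes (explicit [realms] and [domain_realm] entries for the realms that matter, with DNS SRV/TXT lookup as the fallback for everything else). This is an added illustration, not CSAIL's actual distributed krb5.conf; the KDC hostnames and the AD realm name are placeholders, since the post does not give them.

```ini
[libdefaults]
    default_realm = CSAIL.MIT.EDU
    # Explicit entries below win; DNS is consulted only for realms and
    # hosts that are not listed. SRV records answer "which KDC serves
    # realm X", TXT records answer "which realm does host Y belong to".
    dns_lookup_kdc = true
    dns_lookup_realm = true
    # DNS equivalents, which would live in the authoritative BIND zone:
    #   _kerberos.csail.mit.edu.        TXT "CSAIL.MIT.EDU"
    #   _kerberos._udp.csail.mit.edu.   SRV 0 0 88 kdc1.csail.mit.edu.
    #   _kerberos._tcp.csail.mit.edu.   SRV 0 0 88 kdc1.csail.mit.edu.

[realms]
    CSAIL.MIT.EDU = {
        # Placeholder hostnames: the post names no KDCs.
        kdc = kdc1.csail.mit.edu.placeholder
        kdc = kdc2.csail.mit.edu.placeholder
        admin_server = kerberos-admin.csail.mit.edu.placeholder
    }
    # Placeholder for the (unnamed) AD realm. Its KDCs are the domain
    # controllers; CSAIL.MIT.EDU has a one-way cross-realm trust into it,
    # so CSAIL principals can log in to AD accounts, not the reverse.
    AD.EXAMPLE.EDU = {
        kdc = dc1.ad.example.edu.placeholder
    }
    # ATHENA.MIT.EDU is deliberately absent: with dns_lookup_kdc = true
    # its KDCs are found through the _kerberos._udp SRV records instead.

[domain_realm]
    # Most specific match wins, so CSAIL hosts map to CSAIL.MIT.EDU
    # even though the broader .mit.edu rule maps to ATHENA.MIT.EDU.
    .csail.mit.edu = CSAIL.MIT.EDU
    csail.mit.edu = CSAIL.MIT.EDU
    .ad.example.edu = AD.EXAMPLE.EDU
    .mit.edu = ATHENA.MIT.EDU
    mit.edu = ATHENA.MIT.EDU
```

Hosts not covered by [domain_realm] fall through to the `_kerberos.<host>` TXT lookup, which is why the BIND zone (not the Windows DNS the post treats as non-authoritative) needs to carry those records.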
