Re: AW: MS AD 2008R2 and bind

2012-01-03 Thread root

The DC must not only be allowed to update its A, AAAA (if applicable) and PTR 
records, it must also be able to update its SRV and TXT records. Please add the 
DC to the ACL for allow-update on the zone that corresponds to the AD 
Domain/Kerberos zone, and then confirm that it is working by restarting the 
Netlogon service (necessary, because IPCONFIG /registerdns only updates A, AAAA 
(if applicable) and PTR records, while the former regenerates the SRV records, 
et al.). 


Hope that helps,

 -DTK




Sent via BlackBerry from T-Mobile

-Original Message-
From: Melbinger Christian christian.melbin...@wienit.at
Sender: bind-users-bounces+root=nachtmaus...@lists.isc.org
Date: Tue, 3 Jan 2012 13:47:30 
To: Carsten Strotmann (private) c...@strotmann.de
Cc: bind-users@lists.isc.org
Subject: AW: MS AD 2008R2 and bind

Hello

Thanks for your answer, but unfortunately that's not the case.
When I do an nslookup like nslookup internal.wienit.at, I get back the IPs of 
the DCs, i.e.
Addresses:  10.4.4.4, 10.5.5.5

The error message
The invalid IP addresses are 10.1.1.1; 10.2.2.2.
points towards the DNS servers (BIND on Linux, no Windows there).


I also had an old DNS server running on 10.3.3.3, which was included in the 
error message too. I shut it down, but the IP only got removed from the error 
once I deleted the NS record. (Yeah, forgot to do that.)

any ideas?



---
Ing. Christian Melbinger
Network & Security

WienIT EDV Dienstleistungsgesellschaft mbH & Co KG
A-1030 Wien, Thomas-Klestil-Platz 6
tel: +43 (1) 90405 47188
fax: +43 (1) 90405 88 47188
mailto:christian.melbin...@wienit.at


-Original Message-
From: Carsten Strotmann (private) [mailto:c...@strotmann.de] 
Sent: Tuesday, 03 January 2012 13:07
To: Melbinger Christian
Cc: bind-users@lists.isc.org
Subject: Re: MS AD 2008R2 and bind

Hello Christian,

On 1/3/12 11:00 AM, Melbinger Christian wrote:
 
 So this is presumably not a problem of the bind servers themselves,
 but still, does anyone have an idea how to get rid of the error
 messages?
 
 Anyone know the checkbox to unset? I didn't find one.

From the error message you're seeing, the problem is that the domain
controller has already found DNS entries for itself in the DNS, but
the entries are pointing to a different IP Address than the domain
controller has.

The domain controller will not overwrite the existing entries. You
have to remove the wrong, stale entries and after that the domain
controller should be able to register (update) the address records
with the correct IP addresses. You can force this with a reboot or
with ipconfig /registerdns from the commandline.

The old IP addresses might be leftovers from a test that were not
properly removed when the IP addresses of the domain controller were
changed.

Best regards

Carsten Strotmann




Hi

My company moved to a 2008R2 Domain Controller environment. Now I see the 
following message in the windows log:

Title: This domain controller must register its correct IP addresses with the 
DNS server
Severity: Error
Category: Configuration
Issue: The Domain Name System (DNS) host resource records for this domain 
controller's fully qualified domain name currently map to the IP addresses that 
do not belong to this domain controller. The invalid IP addresses are 10.1.1.1; 
10.2.2.2.
Impact: Other member computers and domain controllers in the domain or forest 
might not be able to locate this domain controller. This domain controller will 
not be able to provide a full suite of services.
Resolution: Ensure that the DNS Client service on this domain controller is 
configured and able to register valid host resource records with an 
authoritative DNS server for the domain.
More information about this best practice and detailed resolution procedures: 
http://go.microsoft.com/fwlink/?LinkId=131229


All Domain Controllers have zone update rights on the master DNS server, and 
according to the logfile, updating zones works.
My DNS-Servers are running BIND 9.7.3-P3.



So this is presumably not a problem of the bind servers themselves, but still, 
does anyone have an idea how to get rid of the error messages?
Anyone know the checkbox to unset? I didn't find one.

With regards
Christian Melbinger


---
Ing. Christian Melbinger
Network & Security

WienIT EDV Dienstleistungsgesellschaft mbH & Co KG
A-1030 Wien, Thomas-Klestil-Platz 6
tel: +43 (1) 90405 47188
fax: +43 (1) 90405 88 47188
mailto:christian.melbin...@wienit.at
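Carsten's and DTK's replies describe the same repair from two sides: the stale host records have to be removed before the DC can register the correct ones, and the SRV records are Netlogon's job, not ipconfig's. The script below is an added example and not code from the thread. It parses a constructed zone excerpt (the DC name dc1, the BIND master dns1 and the DC's real address 10.4.4.4 are assumptions; the domain and the stale addresses 10.1.1.1 / 10.2.2.2 are the sanitised values from the original post), reports stale and missing A records plus Netlogon SRV names that do not point at the DC, and emits the nsupdate batch that fixes the A-record part in one transaction.

```python
"""
Check a domain controller's DNS registrations in a BIND-hosted AD zone and
build the nsupdate batch that repairs its stale host (A) records.

Added example, not code from the thread. Constructed data: the zone excerpt,
the DC name dc1, the BIND master dns1 and the DC's real address 10.4.4.4.
The domain and the stale addresses 10.1.1.1 / 10.2.2.2 are the sanitised
values from the original post.
"""
import ipaddress

# Constructed excerpt of what the BIND master currently answers with.
ZONE_EXCERPT = """\
internal.wienit.at.                 3600 IN NS  dns1.internal.wienit.at.
dc1.internal.wienit.at.              600 IN A   10.1.1.1
dc1.internal.wienit.at.              600 IN A   10.2.2.2
_ldap._tcp.internal.wienit.at.       600 IN SRV 0 100 389 dc1.internal.wienit.at.
_kerberos._tcp.internal.wienit.at.   600 IN SRV 0 100 88 dc1.internal.wienit.at.
"""

# Zone-relative owner names of SRV records Netlogon registers for every DC.
# Not exhaustive: site-specific, PDC and global-catalog records are omitted.
NETLOGON_SRV = (
    "_ldap._tcp",
    "_kerberos._tcp",
    "_ldap._tcp.dc._msdcs",
    "_kerberos._tcp.dc._msdcs",
)


def fqdn(name):
    """Lower-case and make absolute (trailing dot) so comparisons are exact."""
    name = name.lower()
    return name if name.endswith(".") else name + "."


def parse_zone(text):
    """Parse 'owner ttl IN type rdata...' lines into {(owner, type): [rdata]}.

    Deliberately minimal: absolute owner names only, no $ORIGIN, no
    multi-line records. SRV targets are normalised to absolute lower-case.
    """
    records = {}
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[2].upper() != "IN":
            continue
        owner, rtype = fqdn(fields[0]), fields[3].upper()
        if rtype == "SRV" and len(fields) >= 8:
            rdata = " ".join(fields[4:7] + [fqdn(fields[7])])
        else:
            rdata = " ".join(fields[4:])
        records.setdefault((owner, rtype), []).append(rdata)
    return records


def check_dc(records, dc_name, domain, actual_ips):
    """Compare what DNS says about the DC with what the DC really has.

    Returns stale A records (in DNS, not on the DC), missing A records
    (on the DC, not in DNS) and Netlogon SRV names that do not point at it.
    """
    dc, dom = fqdn(dc_name), fqdn(domain)
    in_dns = {str(ipaddress.ip_address(a)) for a in records.get((dc, "A"), [])}
    on_host = {str(ipaddress.ip_address(a)) for a in actual_ips}
    missing_srv = []
    for label in NETLOGON_SRV:
        owner = f"{label}.{dom}"
        targets = [r.split()[-1] for r in records.get((owner, "SRV"), [])]
        if dc not in targets:
            missing_srv.append(owner)
    return {"stale": in_dns - on_host, "missing": on_host - in_dns,
            "missing_srv": missing_srv}


def nsupdate_batch(dc_name, zone, report, server, ttl=600):
    """Build nsupdate input that removes stale A records and adds the right
    ones in a single dynamic update. SRV records are not touched here: a
    Netlogon restart on the DC re-registers those.
    """
    dc = fqdn(dc_name)
    lines = [f"server {server}", f"zone {fqdn(zone)}"]
    for ip in sorted(report["stale"], key=ipaddress.ip_address):
        lines.append(f"update delete {dc} A {ip}")
    for ip in sorted(report["missing"], key=ipaddress.ip_address):
        lines.append(f"update add {dc} {ttl} A {ip}")
    lines.append("send")
    return lines


if __name__ == "__main__":
    report = check_dc(parse_zone(ZONE_EXCERPT), "dc1.internal.wienit.at",
                      "internal.wienit.at", ["10.4.4.4"])
    print("missing SRV:", *report["missing_srv"])
    print("\n".join(nsupdate_batch("dc1.internal.wienit.at", "internal.wienit.at",
                                   report, "dns1.internal.wienit.at")))
```

Feed the batch to nsupdate from a host that the zone's allow-update ACL (or its TSIG key) accepts, then restart Netlogon on the DC so that the SRV records are re-registered. An allow-update ACL keyed on source address alone is spoofable over UDP; for AD zones, update-policy with GSS-TSIG, where the DC authenticates with its Kerberos key, is the stronger configuration.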




Re: Views and Blackhole

2008-11-18 Thread root net
Chris,

Thanks, that worked.

RootNet08

On Tue, Nov 18, 2008 at 12:46 AM, Chris Buxton [EMAIL PROTECTED]wrote:

 Remove your subnet from the bogons ACL at the beginning.

 acl bogons {
 ! 192.168.16.0/21;
 0.0.0.0/8;
 [...]
 192.168.0.0/16;
 [...]
 };

 Chris Buxton
 Professional Services
 Men & Mice

 On Nov 17, 2008, at 8:38 PM, root net wrote:

 Hello,

 I have a server I am testing before I put it in production.  Working on a more
 secure BIND config.  BTW, if anyone has any other suggestions on locking down
 BIND besides the below and chroot, let me know.  I was adding views, which has been
 debated time and time again whether or not it really helps, but anyway.  My
 problem is I have the latest bogons from team-cymru, which includes my
 internal network subnet 192.168.16.0/21.  So in the bogons list it says
 192.168.0.0/16, which is blackholed.  So my local network is being
 blackholed, but it works fine when users not on the bogons query the server
 from the external view.  My question is how can I get this to work without
 adding each CIDR block of the 192.168.0.0/16 separately or even breaking
 it up in /21s? I have tried everything I know how.  A sanitized portion of
 my named.conf is this:

 // For length's sake I took out the other networks.

 acl i_lan { 127.0.0.1; 192.168.16.0/21; };
 acl i_dns { 127.0.0.1; 192.168.16.2; 192.168.23.2; };
 acl bogons {
   0.0.0.0/8;
   1.0.0.0/8;
   2.0.0.0/8;
   5.0.0.0/8;
   192.168.0.0/16;   // also covers the internal 192.168.16.0/21
   198.18.0.0/15;
   223.0.0.0/8;
   224.0.0.0/3;
 };

 options {
   version "Go Away";
   directory "/var/named";
   dump-file "/var/dump/named_dump.db";
   pid-file "/var/run/named/named.pid";
   statistics-file "/var/stats/named.stats";
   recursion no;
   allow-query { any; };
   listen-on { 127.0.0.1; 192.168.16.2; };
   recursive-clients 1000;
   tcp-clients 1000;
   auth-nxdomain yes;
   blackhole { bogons; };   // global: applied before any view is matched
 };

 view "internal" {
   match-clients { i_lan; };
   notify no;
   recursion yes;
   allow-transfer { i_dns; };
   zone "localhost" {
     type master;
     file "localhost.zone";
   };
   zone "127.in-addr.arpa" {
     type master;
     file "localhost.zone";
   };
   zone "0.in-addr.arpa" {
     type master;
     file "named.zero";
   };
   zone "255.in-addr.arpa" {
     type master;
     file "named.broadcast";
   };
   // zones go here
 };

 view "external" {
   match-clients { !i_lan; any; };
   recursion no;
   allow-transfer { i_dns; };
   // zones go here
 };


 Any help is appreciated, and thanks in advance.

 RootNet08
 ___
 bind-users mailing list
 bind-users@lists.isc.org
 https://lists.isc.org/mailman/listinfo/bind-users



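Chris's fix depends on how named evaluates an address match list: elements are tried left to right, the first one that matches decides, an element prefixed with "!" produces a negative match, and a negative match coming out of a nested ACL counts as "no match" for the element that referenced it. The following is an added example, not code from the thread: it reimplements those rules in Python over the sanitised ACLs from the post so that you can see why the negated /21 has to be the first entry of bogons, and what happens if it is appended at the end instead. The client addresses used (192.168.16.5, 203.0.113.7, 1.2.3.4) are constructed.

```python
"""
Evaluate BIND address match lists the way named does: left to right, the first
matching element decides, a negated element yields a negative match, and a
negative match from a nested ACL is treated as "no match" by the element that
referenced it.  Added example; not code from the thread or from BIND.
"""
import ipaddress

# ACL table mirroring the sanitised named.conf in the post.
# Element syntax: "any", "none", an address or CIDR prefix, or an ACL name,
# each optionally prefixed with "!" (named also allows whitespace after "!").
ACLS_ORIGINAL = {
    "i_lan": ["127.0.0.1", "192.168.16.0/21"],
    "bogons": ["0.0.0.0/8", "1.0.0.0/8", "2.0.0.0/8", "5.0.0.0/8",
               "192.168.0.0/16", "198.18.0.0/15", "223.0.0.0/8", "224.0.0.0/3"],
}

# Chris Buxton's fix: the negated LAN prefix is the first element, so it wins.
ACLS_FIXED = dict(ACLS_ORIGINAL,
                  bogons=["! 192.168.16.0/21"] + ACLS_ORIGINAL["bogons"])

# Same element appended instead: 192.168.0.0/16 matches first, so it is never
# reached for a LAN address.
ACLS_TOO_LATE = dict(ACLS_ORIGINAL,
                     bogons=ACLS_ORIGINAL["bogons"] + ["! 192.168.16.0/21"])


def evaluate(aml, addr, acls):
    """Return +1 (positive match), -1 (negative match) or 0 (no match)."""
    ip = ipaddress.ip_address(addr)
    for element in aml:
        negated = element.startswith("!")
        name = element.lstrip("! ")
        if name == "any":
            hit = True
        elif name == "none":
            hit = False
        elif name in acls:
            # Nested ACL: only a positive inner result counts as a hit here;
            # a negative inner result falls through to the next element.
            hit = evaluate(acls[name], addr, acls) > 0
        else:
            hit = ip in ipaddress.ip_network(name, strict=False)
        if hit:
            return -1 if negated else 1
    return 0


def matches(aml, addr, acls):
    """True if named would treat addr as matching this list."""
    return evaluate(aml, addr, acls) > 0


def is_blackholed(addr, acls):
    """Effect of 'blackhole { bogons; };' on a query from addr."""
    return matches(["bogons"], addr, acls)


def selected_view(addr, acls):
    """Which of the two views in the post a client ends up in.

    None means the query is dropped by the global blackhole before view
    selection even happens.
    """
    if is_blackholed(addr, acls):
        return None
    if matches(["i_lan"], addr, acls):
        return "internal"
    if matches(["!i_lan", "any"], addr, acls):
        return "external"
    return None


if __name__ == "__main__":
    for label, acls in (("original", ACLS_ORIGINAL), ("fixed", ACLS_FIXED),
                        ("too late", ACLS_TOO_LATE)):
        for client in ("192.168.16.5", "203.0.113.7"):
            print(f"{label:9s} {client:13s} -> {selected_view(client, acls)}")
```

Because blackhole is a global option and is applied before match-clients, a client swallowed by bogons never reaches a view at all, which is why splitting the /16 into views cannot help and the negation has to live inside the bogons ACL itself. A second caveat for anyone copying this config: a bogon list pasted into named.conf goes stale. 1.0.0.0/8, 2.0.0.0/8, 5.0.0.0/8 and 223.0.0.0/8 from the posted list have all been allocated since 2008, so a static copy quietly blackholes real networks; either refresh it automatically or keep only the RFC 1918, test and multicast ranges.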