Active Directory and Bind Setup


Author: Walter (Vladimir) Marchuk, ai@wntrmute.com

Starting with Windows 2000, Microsoft introduced a new (for Microsoft) way of storing configuration data, which it calls "Active Directory". Active Directory is essentially an LDAP database tied to DNS that holds accounts, groups and policies. To administer a large number of computers you place them all (the clients) in a domain; the servers of that domain are called domain controllers. Under NT 4.0, clients located their domain controller with WINS (a dynamic, DNS-like name service). Under NT 5 (Windows 2000), clients use DNS for the same purpose. DNS data is normally static and changes rarely, so to make DNS behave like WINS Microsoft relies on DDNS (Dynamic DNS, RFC 2136).

To set up an Active Directory domain, Microsoft's official recommendation is to retire your (Unix/Linux) DNS servers and run Microsoft's DNS server instead. There are a few Microsoft documents on configuring BIND to work with Active Directory, but they are arcane and explain little. The basic design of the AD/DNS interaction is this: the domain controllers tell DNS, by dynamic update, that they are the domain controllers for the domain, and the clients query DNS to find out who the domain controllers are. Clients may also register themselves in DNS through the same dynamic update mechanism (covered later).

Looking closer at Microsoft's DNS layout, four subdomains of the AD domain carry the locator data: _msdcs, _sites, _tcp and _udp. Domain controllers insert SRV records (RFC 2782) into these subdomains. An SRV record maps a service name such as _ldap._tcp.yourdomain.com to the host name and port that provide the service, with a priority and a weight, so a client asking "where is an LDAP server for yourdomain.com?" gets the domain controllers back. It plays roughly the role the nameserver line plays in resolv.conf, a pointer to where a service lives, except that it is looked up in DNS instead of being configured on every client. Two records a Windows 2000 domain controller registers fall outside these four subdomains: its own host A record (dc1.yourdomain.com), which you simply keep as a static entry in the yourdomain.com zone since the SRV records point at it, and an A record for the zone apex, yourdomain.com itself. With options 2 and 3 below BIND refuses that apex registration and the domain controller logs a warning; domain controller location does not depend on it.
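The record layout described above, as an added example (not code from the original article): the list is the set of records a Windows 2000 domain controller's Netlogon service registers (the contents of its netlogon.dns file), and the function sorts each one into the subdomain it lands in, which shows that only the host A record and the apex A record sit in the parent zone. The domain, site, host name, GUIDs and the zone text are constructed sample data; missing_records() can be pointed at the real output of dig AXFR for one of the four zones to see which registrations did not make it.

```python
"""Which of the four AD subdomains each Windows 2000 locator record lands in.

Added example, not part of the original article. The record list is what a
Windows 2000 domain controller's Netlogon service registers (netlogon.dns);
the domain, site, host, GUIDs and zone text are constructed sample data.
"""

AD_SUBZONES = ("_msdcs", "_sites", "_tcp", "_udp")

# Constructed sample: what `dig AXFR _msdcs.yourdomain.com` might return
SAMPLE_MSDCS_ZONE = """\
; constructed sample zone text
_ldap._tcp.dc._msdcs.yourdomain.com.     600 IN SRV 0 100 389 dc1.yourdomain.com.
_kerberos._tcp.dc._msdcs.yourdomain.com. 600 IN SRV 0 100 88 dc1.yourdomain.com.
gc._msdcs.yourdomain.com.                600 IN A 192.168.0.1
"""


def expected_dc_records(domain, site, dc_host, domain_guid, dsa_guid):
    """Return {(owner, rrtype)} a DC registers. Single-domain forest assumed,
    i.e. forest name == domain name (an assumption of this example)."""
    d = domain.rstrip(".")
    srv = [
        f"_ldap._tcp.{d}",
        f"_ldap._tcp.{site}._sites.{d}",
        f"_ldap._tcp.pdc._msdcs.{d}",            # PDC emulator only
        f"_ldap._tcp.gc._msdcs.{d}",             # global catalog servers only
        f"_ldap._tcp.{site}._sites.gc._msdcs.{d}",
        f"_ldap._tcp.{domain_guid}.domains._msdcs.{d}",
        f"_ldap._tcp.dc._msdcs.{d}",
        f"_ldap._tcp.{site}._sites.dc._msdcs.{d}",
        f"_kerberos._tcp.{d}",
        f"_kerberos._udp.{d}",
        f"_kerberos._tcp.{site}._sites.{d}",
        f"_kerberos._tcp.dc._msdcs.{d}",
        f"_kerberos._tcp.{site}._sites.dc._msdcs.{d}",
        f"_kpasswd._tcp.{d}",
        f"_kpasswd._udp.{d}",
        f"_gc._tcp.{d}",
        f"_gc._tcp.{site}._sites.{d}",
    ]
    recs = {(owner, "SRV") for owner in srv}
    recs.add((f"{dsa_guid}._msdcs.{d}", "CNAME"))  # replication partner lookup
    recs.add((f"gc._msdcs.{d}", "A"))
    recs.add((dc_host.rstrip("."), "A"))           # the DC's own host record
    recs.add((d, "A"))                             # zone apex
    return recs


def zone_for(owner, domain):
    """Delegated subzone (_msdcs/_sites/_tcp/_udp) an owner falls under, or
    None when it sits in the parent zone."""
    d = domain.rstrip(".")
    if owner == d or not owner.endswith("." + d):
        return None
    labels = owner[: -len(d) - 1].split(".")
    return labels[-1] if labels[-1] in AD_SUBZONES else None


def parse_zone_text(text):
    """'owner TTL IN TYPE rdata' lines (dig/AXFR style) -> {(owner, rrtype)};
    blank lines and ';' comments are ignored."""
    found = set()
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        parts = line.split()
        if len(parts) >= 4 and parts[2] == "IN":
            found.add((parts[0].rstrip("."), parts[3]))
    return found


def missing_records(expected, zone_text):
    """Expected records absent from the zone text, sorted for stable output."""
    return sorted(expected - parse_zone_text(zone_text))


if __name__ == "__main__":
    domain = "yourdomain.com"
    recs = expected_dc_records(domain, "Default-First-Site-Name",
                               "dc1.yourdomain.com",
                               "11111111-2222-3333-4444-555555555555",
                               "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee")
    for owner, rrtype in sorted(recs):
        print(f"{zone_for(owner, domain) or '(parent zone)':14} {rrtype:5} {owner}")
    in_msdcs = {r for r in recs if zone_for(r[0], domain) == "_msdcs"}
    print("\nmissing from sample _msdcs zone:")
    for owner, rrtype in missing_records(in_msdcs, SAMPLE_MSDCS_ZONE):
        print(f"  {rrtype:5} {owner}")
```

Running it lists every registration with its zone; the two lines marked "(parent zone)" are the ones that BIND, configured as in options 2 and 3, will not accept dynamically and that must exist as static data.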

1. The easiest way is to enable DDNS on the zone in BIND and let every client write to the DNS database. This is not recommended: BIND authorises updates by source IP address, which any host on the network can spoof, so anyone on that network can overwrite any record in the zone, including the SRV records for the domain controllers and the A records of your servers; it will also make your zone file very messy. (Windows 2000's "secure" dynamic update uses GSS-TSIG, which the BIND releases contemporary with Windows 2000 do not support, so there is no stronger authentication available for Windows clients here.) If you do it anyway, in /etc/named.conf put:

zone "yourdomain.com" {
        type master;
        allow-update {
                // a bare address matches one host only; a prefix is needed
                // to cover the network, and any host on it can spoof a match
                192.168.0.0/24;
        };
        check-names ignore;     // AD registers owner names with underscores
        file "yourdomain.com.db";
};

2. You could create the four subdomains as separate zones and allow dynamic updates to those four zones only, and only from the domain controllers. Since the same server is authoritative for yourdomain.com and for the four child zones, it answers AD queries from the child zones without any delegation records; if you have slave servers for yourdomain.com, however, they must also slave these four zones (or yourdomain.com must carry NS delegations for them), otherwise those slaves will answer NXDOMAIN for the AD names. In /etc/named.conf put:

// Domain controllers for yourdomain.com
acl DC-yourdomain.com {
        192.168.0.1;
        192.168.0.2;
};

// Active Directory - _msdcs
zone "_msdcs.yourdomain.com" {
        type master;
        allow-update {
                DC-yourdomain.com;
        };
        check-names ignore;
        file "_msdcs.yourdomain.com.db";
};

// Active Directory - _sites
zone "_sites.yourdomain.com" {
        type master;
        allow-update {
                DC-yourdomain.com;
        };
        check-names ignore;
        file "_sites.yourdomain.com.db";
};

// Active Directory - _tcp
zone "_tcp.yourdomain.com" {
        type master;
        allow-update {
                DC-yourdomain.com;
        };
        check-names ignore;
        file "_tcp.yourdomain.com.db";
};

// Active Directory - _udp
zone "_udp.yourdomain.com" {
        type master;
        allow-update {
                DC-yourdomain.com;
        };
        check-names ignore;
        file "_udp.yourdomain.com.db";
};

3. Or, the approach preferred here: run Windows DNS on the domain controllers, make it primary for the four subdomains, and have BIND forward queries for them to the domain controllers. The domain controllers then update their own DNS server and BIND never accepts a dynamic update at all. Two things to keep in mind: a forward zone takes no check-names option (BIND 9 rejects it in a zone of type forward), and with forward only these names stop resolving when both domain controllers are down. In /etc/named.conf put:

// Active Directory subdomains live on the domain controllers' Windows DNS;
// BIND only forwards to them.
zone "_msdcs.yourdomain.com" {
        type forward;
        forward only;
        forwarders {
                192.168.0.1;
                192.168.0.2;
        };
};

zone "_tcp.yourdomain.com" {
        type forward;
        forward only;
        forwarders {
                192.168.0.1;
                192.168.0.2;
        };
};

zone "_udp.yourdomain.com" {
        type forward;
        forward only;
        forwarders {
                192.168.0.1;
                192.168.0.2;
        };
};

zone "_sites.yourdomain.com" {
        type forward;
        forward only;
        forwarders {
                192.168.0.1;
                192.168.0.2;
        };
};

Every Windows 2000 client has an option in its TCP/IP properties to register itself in DNS: the client connects to the DNS server and dynamically creates an entry for itself, and when an administrator later wants to connect to that client remotely, the server finds it through that dynamic entry. With BIND this is only possible via option 1, which, as noted, pretty much ruins your security.

What we do here is a hack: set up DNS on your domain controller and transfer all DNS data from your BIND server to it. DHCP clients are handled by having the DHCP server dynamically update a separate zone, ddns.yourdomain.com (the separate subdomain keeps the dynamic records out of your main zone). On the Windows DNS, delegate ddns.yourdomain.com back to your real DNS (BIND). Then, on the Windows DNS, create CNAMEs in yourdomain.com pointing at the corresponding ddns.yourdomain.com names, i.e. entries of the form client.yourdomain.com CNAME client.ddns.yourdomain.com. Whatever creates those CNAMEs must skip any client name that already exists as a static record in yourdomain.com: a CNAME cannot coexist with other records at the same name, and a DHCP client that registers under the name of one of your servers would otherwise get that server's name pointed at itself. Since there's no program out there that would do this, I created a Perl program to update DNS and run it on the Windows server, every 15 minutes for the CNAME transfers and every 57 minutes for the static DNS transfers. To run this program you need to install Perl on Windows (you can download the package from activestate.com) and the Net::DNS module: run ppm and type install Net::DNS. The script, dnstransfer.pl, is available for download.
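The CNAME transfer step described above, as an added example that is not the author's dnstransfer.pl: it redoes the same job in Python and, instead of talking to DNS directly, emits an nsupdate batch, so the planning logic runs offline. Both zone listings are constructed samples; the Windows DNS server address (192.168.0.1) and the assumption that the yourdomain.com zone on it accepts RFC 2136 updates from the host running this are assumptions of the example, not taken from the article. The conflict check keeps a dynamic client from claiming a name that already exists as static data.

```python
"""Plan the client.yourdomain.com -> client.ddns.yourdomain.com CNAME sync.

Added example, not the original dnstransfer.pl. Zone listings, server address
and the RFC 2136 (nsupdate) update path are constructed/assumed.
"""

PARENT = "yourdomain.com"
DDNS = "ddns.yourdomain.com"

# Constructed sample: A records the DHCP server has put into ddns.yourdomain.com
DDNS_ZONE = """\
laptop1.ddns.yourdomain.com. 300 IN A 192.168.0.50
laptop2.ddns.yourdomain.com. 300 IN A 192.168.0.51
www.ddns.yourdomain.com.     300 IN A 192.168.0.52
"""

# Constructed sample: current contents of yourdomain.com on the Windows DNS
PARENT_ZONE = """\
www.yourdomain.com.     3600 IN A     192.168.0.10
dc1.yourdomain.com.     3600 IN A     192.168.0.1
laptop1.yourdomain.com. 900  IN CNAME laptop1.ddns.yourdomain.com.
oldpc.yourdomain.com.   900  IN CNAME oldpc.ddns.yourdomain.com.
"""


def parse_zone(text):
    """'owner TTL IN TYPE rdata' lines -> list of (owner, type, rdata),
    with trailing dots stripped so names compare cleanly."""
    out = []
    for line in text.splitlines():
        p = line.split()
        if len(p) >= 5 and p[2] == "IN":
            out.append((p[0].rstrip("."), p[3], p[4].rstrip(".")))
    return out


def plan_cname_sync(ddns_text, parent_text, parent=PARENT, ddns=DDNS):
    """Return (adds, deletes, conflicts), each a sorted list of short names.

    adds:      names that need client.<parent> CNAME client.<ddns> created
    deletes:   CNAMEs into <ddns> whose A record has disappeared
    conflicts: ddns names that already exist as static data in <parent>; they
               are skipped because a CNAME cannot coexist with other records
               (RFC 1034) and creating one would hand a server's name to
               whichever DHCP client registered it.
    """
    suffix_d, suffix_p = "." + ddns, "." + parent
    wanted = {o[: -len(suffix_d)] for o, t, _ in parse_zone(ddns_text)
              if t == "A" and o.endswith(suffix_d)}
    have_cname, static = set(), set()
    for owner, rtype, rdata in parse_zone(parent_text):
        if not owner.endswith(suffix_p):
            continue
        short = owner[: -len(suffix_p)]
        if rtype == "CNAME" and rdata == short + suffix_d:
            have_cname.add(short)          # one of ours, from an earlier run
        else:
            static.add(short)              # anything else is off limits
    conflicts = sorted(wanted & static)
    adds = sorted(wanted - have_cname - static)
    deletes = sorted(have_cname - wanted)
    return adds, deletes, conflicts


def nsupdate_batch(adds, deletes, server="192.168.0.1", parent=PARENT,
                   ddns=DDNS, ttl=900):
    """Render the plan as one nsupdate transaction (stdin for `nsupdate`)."""
    lines = [f"server {server}", f"zone {parent}."]
    for short in deletes:
        lines.append(f"update delete {short}.{parent}. CNAME")
    for short in adds:
        lines.append(f"update add {short}.{parent}. {ttl} CNAME {short}.{ddns}.")
    lines.append("send")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    adds, deletes, conflicts = plan_cname_sync(DDNS_ZONE, PARENT_ZONE)
    for short in conflicts:
        print(f"# skipped {short}: already static in {PARENT}")
    print(nsupdate_batch(adds, deletes), end="")
```

In the sample, laptop1 is already linked, laptop2 gets a new CNAME, the stale oldpc CNAME is deleted, and www is reported as a conflict rather than being turned into a CNAME to a DHCP client. Feed the output to nsupdate on a schedule (the article uses 15 minutes) after replacing the sample zone text with real AXFR output.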