Occasionally we hear from UNIX network administrators who want to use a UNIX-based DDNS server in place
of the Microsoft DNS server. While this might be desirable to some, the MS Windows 200x DNS server is
autoconfigured to work with Active Directory. It is possible to use BIND version 8 or 9, but it will almost
certainly be necessary to create service records (SRV records) so MS Active Directory clients can resolve
hostnames to locate essential network services.

The use of DDNS is highly recommended with Active Directory, in which case the use of BIND9 is preferred for
its ability to adequately support the SRV (service) records that are needed for Active Directory. Of course,
when running ADS, it makes sense to use Microsoft's own DDNS server because of the natural affinity between ADS
and MS DNS.

The following are some of the default service records that Active Directory requires (Domain, DomainTree,
site/Site and GUID stand for the actual domain name, domain tree, site name and globally unique identifier):
- _ldap._tcp.pdc._msdcs.Domain: Provides the address of the Windows NT PDC for the domain.
- _ldap._tcp.pdc._msdcs.DomainTree: Resolves the addresses of global catalog servers in the domain.
- _ldap._tcp.site.sites.writable._msdcs.Domain: Provides a list of domain controllers based on sites.
- _ldap._tcp.writable._msdcs.Domain: Enumerates the list of domain controllers that have the writable copies of the Active Directory data store.
- _ldap._tcp.GUID.domains._msdcs.DomainTree: Entry used by MS Windows clients to locate machines using the globally unique identifier.
- _ldap._tcp.Site.gc._msdcs.DomainTree: Used by Microsoft Windows clients to locate the site configuration-dependent global catalog server.
Specific entries used by Microsoft clients to locate essential services for an example domain
called quenya.org include:

- _kerberos._udp.quenya.org: Used to contact the KDC server via UDP. This entry must list port 88 for each KDC.
- _kpasswd._udp.quenya.org: Used to locate the kpasswd server when a user password change must be processed. This record must list port 464 on the master KDC.
- _kerberos._tcp.quenya.org: Used to locate the KDC server via TCP. This entry must list port 88 for each KDC.
- _ldap._tcp.quenya.org: Used to locate the LDAP service on the PDC. This record must list port 389 for the PDC.
- _kpasswd._tcp.quenya.org: Used to locate the kpasswd server to permit user password changes to be processed. This must list port 464.
- _gc._tcp.quenya.org: Used to locate the global catalog server for the top of the domain. This must list port 3268.
The following records are also used by the Windows domain member client to locate vital
services on the Windows ADS domain controllers:

- _ldap._tcp.pdc._msdcs.quenya.org
- _ldap.gc._msdcs.quenya.org
- _ldap.default-first-site-name._sites.gc._msdcs.quenya.org
- _ldap.{SecID}.domains._msdcs.quenya.org
- _ldap._tcp.dc._msdcs.quenya.org
- _kerberos._tcp.dc._msdcs.quenya.org
- _ldap.default-first-site-name._sites.dc._msdcs.quenya.org
- _kerberos.default-first-site-name._sites.dc._msdcs.quenya.org
- SecID._msdcs.quenya.org
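As an added example (not part of the Samba documentation), the following Python script emits the BIND9 zone-file SRV records behind the two lists above for quenya.org, using the ports the text gives (Kerberos 88, kpasswd 464, LDAP 389, global catalog 3268), and then checks a set of zone lines for missing records, which is what the dig check below does by eye. It assumes two domain controllers, frodo and noldor, with frodo as PDC and master KDC, the site default-first-site-name and a placeholder domain GUID; the _msdcs owner names are written out with the _tcp label that AD clients query, which the short list above abbreviates, and the SecID CNAME entry is left out since it is not an SRV record.

```python
# Added example: generate and validate the Active Directory SRV records for a
# BIND9 zone. Assumed values: domain quenya.org, DCs frodo and noldor (all are
# KDCs and global catalogs), frodo is PDC/master KDC, site default-first-site-name.
DOMAIN = "quenya.org"
SITE = "default-first-site-name"
DOMAIN_GUID = "00000000-0000-0000-0000-000000000000"  # placeholder, not a real GUID
DCS = ["frodo", "noldor"]
PDC = "frodo"
TTL = 600

# (owner name relative to the domain, port, which hosts get the record)
RECORD_SPECS = [
    ("_kerberos._udp",                             88,   "all"),
    ("_kerberos._tcp",                             88,   "all"),
    ("_kpasswd._udp",                              464,  "pdc"),
    ("_kpasswd._tcp",                              464,  "pdc"),
    ("_ldap._tcp",                                 389,  "all"),
    ("_gc._tcp",                                   3268, "all"),
    ("_ldap._tcp.pdc._msdcs",                      389,  "pdc"),
    ("_ldap._tcp.gc._msdcs",                       3268, "all"),
    (f"_ldap._tcp.{SITE}._sites.gc._msdcs",        3268, "all"),
    (f"_ldap._tcp.{DOMAIN_GUID}.domains._msdcs",   389,  "all"),
    ("_ldap._tcp.dc._msdcs",                       389,  "all"),
    ("_kerberos._tcp.dc._msdcs",                   88,   "all"),
    (f"_ldap._tcp.{SITE}._sites.dc._msdcs",        389,  "all"),
    (f"_kerberos._tcp.{SITE}._sites.dc._msdcs",    88,   "all"),
]


def srv_records(domain=DOMAIN, dcs=DCS, pdc=PDC, ttl=TTL):
    """Return zone-file lines: owner TTL IN SRV priority weight port target."""
    lines = []
    for owner, port, scope in RECORD_SPECS:
        targets = [pdc] if scope == "pdc" else dcs
        for host in targets:
            lines.append(f"{owner}.{domain}. {ttl} IN SRV 0 100 {port} {host}.{domain}.")
    return lines


def check_required(lines, domain=DOMAIN):
    """Return the (owner, port) pairs from RECORD_SPECS that no line in the zone
    provides, so a misconfigured zone is caught before clients fail to join."""
    present = set()
    for line in lines:
        fields = line.split()
        if len(fields) == 8 and fields[3] == "SRV":
            present.add((fields[0], int(fields[6])))
    return [(o, p) for o, p, _ in RECORD_SPECS if (f"{o}.{domain}.", p) not in present]


if __name__ == "__main__":
    zone = srv_records()
    print("\n".join(zone))
    print("missing:", check_required(zone))
```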
Presence of the correct DNS entries can be validated by executing:
root# dig @frodo -t any _ldap._tcp.dc._msdcs.quenya.org
; <<>> DiG 9.2.2 <<>> @frodo -t any _ldap._tcp.dc._msdcs.quenya.org
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 3072
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 2
;; QUESTION SECTION:
;_ldap._tcp.dc._msdcs.quenya.org. IN ANY
;; ANSWER SECTION:
_ldap._tcp.dc._msdcs.quenya.org. 600 IN SRV 0 100 389 frodo.quenya.org.
_ldap._tcp.dc._msdcs.quenya.org. 600 IN SRV 0 100 389 noldor.quenya.org.
;; ADDITIONAL SECTION:
frodo.quenya.org. 3600 IN A 10.1.1.16
noldor.quenya.org. 1200 IN A 10.1.1.17
;; Query time: 0 msec
;; SERVER: frodo#53(10.1.1.16)
;; WHEN: Wed Oct 7 14:39:31 2004
;; MSG SIZE rcvd: 171