We have a BIND server which is authoritative for zone "company.com". After some
years we implemented Microsoft AD with its own DNS server in its own
zone "ad.company.com". The Microsoft server is authoritative for
"ad.company.com".
Now we want clients that have the BIND server as their configured DNS
server to be able to resolve hosts in the "ad.company.com" zone. I
thought this was done by configuring a forward zone "ad.company.com" on the BIND
server, alternatively use the "forwarders" option. However, neither of these methods seems to work.
Is there something I am missing here?
Kind regards,
Rutger Blom
Type forward won't work for a sub-zone of something you are already
authoritative for. I take it that you have not created a proper delegation
for "ad.company.com" from "company.com", nominating the Microsoft server
(really just one?), or you wouldn't have the problem in the first place.
So why not? If it's because the "ad.company.com" zone is meant to be private,
consider using views in BIND.
--
Chris Thompson
Email: ce...@cam.ac.uk
- Kevin
I'm no BIND expert as you noticed.
Is there some documentation on how to create a proper delegation? The "ad.company.com" domain does not need to be kept private so no need for views.
Rutger
>>> Chris Thompson <ce...@hermes.cam.ac.uk> 07-11-09 21:27 >>>
On Nov 9 2007, Rutger Blom wrote:
>Hello,
>
>We have a BIND server which is authoritative for zone "company.com". After some
>years we implemented Microsoft AD with its own DNS server in its own
>zone "ad.company.com". The Microsoft server is authoritative for
>"ad.company.com"
>
>Now we want clients that have the BIND server as their configured DNS
>server to be able to resolve hosts in the "ad.company.com" zone. I
>thought this was done by configuring a forward zone "ad.company.com" on the BIND
>server, alternatively use the "forwarders" option. However, neither of these methods seem to work.
>
>Is there something I am missing here?
Type forward won't work for a sub-zone of something you are already
RFC 1034
4.2.2. Administrative considerations
[snip]
As the last installation step, the delegation NS RRs and glue RRs
necessary to make the delegation effective should be added to the parent
zone. The administrators of both zones should insure that the NS and
glue RRs which mark both sides of the cut are consistent and remain so.
You *copy* the NS RRset from the child zone to the parent.
You *copy* any glue address (A/AAAA) records for the nameservers
to the parent zone.
Mark
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: Mark_A...@isc.org
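As an added example (not code from anyone in this thread), a small Python check for the rule Chris and Mark describe: the delegation NS RRset that company.com holds for ad.company.com must equal the NS RRset at the child apex, and any glue in the parent for nameservers below the cut must match the child's own address records. The zone excerpts, the nameserver names dc1/dc2 and the 192.0.2.x addresses are constructed; the zone-file reader is deliberately minimal and not a general parser.

```python
from collections import defaultdict
# Constructed sample data: the delegation in company.com and the apex of ad.company.com.
PARENT_ZONE = """
ad.company.com.      IN NS  dc1.ad.company.com.
ad.company.com.      IN NS  dc2.ad.company.com.
dc1.ad.company.com.  IN A   192.0.2.10   ; glue, copied from the child zone
dc2.ad.company.com.  IN A   192.0.2.11   ; glue, copied from the child zone
"""
CHILD_ZONE = """
@    IN NS  dc1
@    IN NS  dc2
dc1  IN A   192.0.2.10
dc2  IN A   192.0.2.11
"""
def parse_zone(text, origin):
    """Minimal zone-file reader for this example: one RR per line, '@' or relative owners,
    optional TTL and class, ';' comments. Returns {(owner, type): {rdata, ...}}."""
    rrs = defaultdict(set)
    for line in text.splitlines():
        fields = line.split(";", 1)[0].split()
        if not fields:
            continue
        owner, *fields = fields
        if owner == "@":
            owner = origin
        elif not owner.endswith("."):
            owner = f"{owner}.{origin}"
        while fields and (fields[0].isdigit() or fields[0].upper() == "IN"):  # skip TTL, class
            fields.pop(0)
        rtype, rdata = fields[0].upper(), " ".join(fields[1:])
        if rtype == "NS" and not rdata.endswith("."):  # relative NS target
            rdata = f"{rdata}.{origin}"
        rrs[(owner.lower(), rtype)].add(rdata.lower())
    return rrs

def check_delegation(parent, child, cut):
    """Problems with the cut at `cut` (zone name with trailing dot); [] means both sides agree."""
    problems = []
    parent_ns, child_ns = parent[(cut, "NS")], child[(cut, "NS")]
    for ns in parent_ns ^ child_ns:  # NS RRsets must be identical on both sides of the cut
        problems.append(f"{ns} is in the {'parent' if ns in parent_ns else 'child'} NS RRset only")
    # Nameservers below the cut need glue in the parent, and it must match the child's data.
    for ns in (n for n in parent_ns | child_ns if n.endswith("." + cut)):
        for rtype in ("A", "AAAA"):
            glue, real = parent[(ns, rtype)], child[(ns, rtype)]
            if real and not glue:
                problems.append(f"missing {rtype} glue for {ns} in parent")
            elif glue and glue != real:
                problems.append(f"{rtype} glue for {ns} is stale: {sorted(glue)} vs {sorted(real)}")
    return sorted(problems)
```

Run it against the real parent and child zone files before and after the AD DNS servers change addresses; an empty list means the cut is consistent.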
There are at least two solutions. The one I would recommend is to
have your BIND servers slave all of the AD zones. That way, your
customers who use BIND as their DNS will get the answers to their
queries without having to have their queries sent to another DNS
server. One word of caution - you need to configure your AD DNS
to allow zone transfers, and, if you have MS DNS Servers on multiple
Domain Controllers (AD-integrated zones with multi-master), choose
ONLY ONE server to be the master for the BIND slaves. You probably
will need to put the BIND slave servers into the AD zones in NS
records. For more details, check the archives of this list.
----------------------------------------------------------------------
Barry S. Finkel
Computing and Information Systems Division
Argonne National Laboratory Phone: +1 (630) 252-7277
9700 South Cass Avenue Facsimile:+1 (630) 252-4601
Building 222, Room D209 Internet: BSFi...@anl.gov
Argonne, IL 60439-4828 IBMMAIL: I1004994
Thanks again!
Rutger
>>> Barry Finkel <b19...@britaine.ctd.anl.gov> 07-11-12 16:27 >>>