How to Enable Dynamic Updates on UNIX BIND DNS Servers (275866)



The information in this article applies to:

  • Microsoft Windows 2000 Server
  • Microsoft Windows 2000 Advanced Server

This article was previously published under Q275866

SUMMARY

To implement Windows 2000 Active Directory services, Domain Name System (DNS) must support Service Location (SRV) resource records as described in Request for Comments (RFC) 2782. DNS should also support dynamic updates as described in RFC 2136. Although Microsoft Windows DNS is recommended for Windows-based networks, some customers may be using Berkeley Internet Name Domain (BIND) DNS. This article describes how to enable dynamic updates on UNIX BIND DNS servers.

MORE INFORMATION

To enable dynamic updates on UNIX BIND DNS servers, you may need to edit the BIND configuration file (named.conf) on the UNIX server. The following is a sample named.conf file:

// BIND configuration file
options {
   directory "/usr/local/named";
   notify yes;
};

zone "test_sample.edu" in {
   type master;
   file "db.test_sample";
   check-names ignore;
   allow-transfer { 192.168.0.7; };
   allow-update { 192.168.0.5; 192.168.0.6; 192.168.0.100; };
};

zone "0.168.192.in-addr.arpa" in {
   type master;
   file "db.192.168.0";
   allow-transfer { 192.168.0.7; };
   allow-update { 192.168.0.5; 192.168.0.6; 192.168.0.100; };
};

zone "0.0.127.in-addr.arpa" in {
   type master;
   file "db.127.0.0";
};

zone "." in {
   type hint;
   file "db.cache";
};

The following list explains some of the statements in the preceding named.conf file:
  • Statement: notify yes

    Meaning: Instructs the master DNS server to notify the secondary servers immediately when a zone file changes, so that they refresh the zone without waiting for the refresh interval.
  • Statement: check-names ignore

    Meaning: By default, BIND checks all records to ensure that only valid host names are used where host names are expected, to prevent accidental interoperability problems. Windows 2000 uses a sub-zone named "_msdcs" to hold the Active Directory data. Although this sub-zone cannot conflict with any legal host name, it also makes it impossible to put hosts within this sub-zone without using what BIND considers an illegal name.

    Active Directory tries to register its global catalog server within _msdcs, but by default BIND rejects this. To work around this issue, Microsoft recommends that the Active Directory data be placed in a separate zone that is not configured to check for illegal host names.
  • Statement: allow-transfer

    Meaning: Specifies which hosts are allowed to initiate zone transfers.
  • Statement: allow-update

    Meaning: Specifies which hosts are allowed to send dynamic updates to the zone. For security reasons, consider allowing only the Dynamic Host Configuration Protocol (DHCP) servers or domain controllers to update DNS records.
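The following Python script is an added example, not part of this article or of BIND: it parses the zone statements of a named.conf file in the format shown above and flags any allow-update entry that is not on an approved list of DHCP server and domain controller addresses, as the allow-update guidance recommends. The sample configuration embedded in it is constructed for the example (the article's forward zone plus a reverse zone deliberately opened to "any"), and the parser assumes plain address entries in the ACLs.

```python
import re

# Constructed sample, not the article's file verbatim: the article's forward
# zone plus a reverse zone deliberately opened to "any" to show a finding.
SAMPLE_NAMED_CONF = """\
zone "test_sample.edu" in {
   type master;
   file "db.test_sample";
   allow-transfer { 192.168.0.7; };
   allow-update { 192.168.0.5; 192.168.0.6; 192.168.0.100; };
};
zone "0.168.192.in-addr.arpa" in {
   type master;
   file "db.192.168.0";
   allow-update { any; };
};
"""

ACL_RE = re.compile(r'(allow-update|allow-transfer)\s*\{([^}]*)\}')

def zone_blocks(conf):
    """Yield (zone name, body); a zone missing its closing '};' is reported."""
    for m in re.finditer(r'zone\s+"([^"]+)"', conf):
        start = i = conf.index('{', m.end())
        depth = 0
        while i < len(conf):  # track brace depth to find the matching '}'
            if conf[i] == '{':
                depth += 1
            elif conf[i] == '}':
                depth -= 1
                if depth == 0:
                    break
            i += 1
        if depth != 0:
            raise ValueError(f'zone "{m.group(1)}": unbalanced braces')
        yield m.group(1), conf[start + 1:i]

def parse_zones(conf):
    """Map each zone to its allow-update / allow-transfer address lists."""
    return {name: {stmt: [e.strip() for e in entries.split(';') if e.strip()]
                   for stmt, entries in ACL_RE.findall(body)}
            for name, body in zone_blocks(conf)}

def audit_updates(conf, approved):
    """Flag allow-update entries that are not approved DHCP/DC addresses."""
    return [f'{name}: allow-update permits {entry}'
            for name, acls in parse_zones(conf).items()
            for entry in acls.get('allow-update', [])
            if entry not in approved]
```

Running audit_updates on the sample with the three article addresses approved reports the reverse zone, because "any" lets every host on the network rewrite its records.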
For additional information about the requirements for DNS in Windows 2000, click the article number below to view the article in the Microsoft Knowledge Base:

237675 Setting Up the Domain Name System for Active Directory


Modification Type: Minor
Last Reviewed: 10/13/2004
Keywords: kbhowto kbnetwork KB275866