Исходное сообщение
"Bind+Windows 2003 " Отправлено Saler, 08-Дек-05 14:12
>ИМХО в Вашем случае лучше вообще убрать BIND и делать все на >родном Microsoft DNS. Назовите хоть одну реальную причину для сохранения >BIND? В ближайшем будушем собираемся перетаскивать зону с провайдера на себя и выставлять днс наружу, а выставлять винду наружу, по моему не есть хорошо,патчить её постоянно, да и вообще помоему это муветон, практически не встречал внешних днс на мурософте, а вот для локалки можно конечно и перетащить всё на винду, но зачем это делать если можно просто создать зону для виндовых машин для их авторизации и работы в АД, и оставить струтуры сети. а разрешать теже динамически обновления, когда практически любой юзер взяв nsupdate может натворить много зла.... Microsoft предлагает четыре варианта, "как быть", был выбран 2ой, выдержка из статьи http://babs.its.yale.edu/yalead/ddns.asp   A Microsoft white paper (and other information) documents four models for managing Active Directory DNS information in the presence of BIND name servers:    1. Run the BIND servers in dynamic mode.  All dynamic functions are enabled so the AD performs in much the same way is if the DNS servers were Windows 2000 machines.  Typically, only a specific set of machines (usually the W2K domain controllers) are allowed to make changes to the DNS records because secure update is not supported.  BIND versions 4.9 and higher support dynamic update.    2. Use a combination of BIND and W2K DNS servers.  In this model, the BIND servers are in static mode and the Windows 2000 servers are dynamic.  The BIND ervers remain the authoritative name servers for theorganization.  Records of type NS ("delegation" records) are used so that the Windows servers handle all AD-specific traffic and BIND servers handle the rest.  This is also somewhat more secure because the W2K servers can run in "secure" mode so that changes to the DNS information must be authenticated.    3. Move all Active Directory activity into a separate DNS zone.  All machines that participate in the AD are moved into a DNS zone of their own, usually under the main DNS zone for the organization.  For example, an organization might make a DNS zone called "ad.company.com" under their main "company.com" DNS zone.  The Active Directory is then "rooted" at "ad.company.com".  This created a dichotomy between the DNS structure of the company and its AD structure in many cases, which has the potential for confusion.    4. Manually manage DNS information by hand-editing DNS tables to include SRV records for the critical services.  In this model, the DNS entries that would normally have been made automatically by the servers to register their functions with the AD are entered by hand into a static name server.  Since a single DC can make 30 or more entries in the DNS system, this quickly becomes a huge amount of work.  Also, since the information is dynamic, the AD loses some of its fault tolerance because the DNS system can not be updated automatically to reflect changes in the environment such as a server that is out of action or a role change.  This model would work in a very small domain that is extraordinarily stable, but is impractical for most real-world operations.

Ваше сообщение
Имя*:
EMail:	Для отправки новых сообщений в текущей нити на email укажите знак ! перед адресом, например, !user@host.ru (!! - не показывать email). Более тонкая настройка отправки ответов производится в профиле зарегистрированного участника форума.
Заголовок*:
Сообщение*:	>>ИМХО в Вашем случае лучше вообще убрать BIND и делать все на >>родном Microsoft DNS. Назовите хоть одну реальную причину для сохранения >BIND? > В ближайшем будушем собираемся перетаскивать зону с провайдера на себя и выставлять > днс наружу, а выставлять винду наружу, по моему не есть хорошо,патчить > её постоянно, да и вообще помоему это муветон, практически не встречал > внешних днс на мурософте, а вот для локалки можно конечно и > перетащить всё на винду, но зачем это делать если можно просто > создать зону для виндовых машин для их авторизации и работы в > АД, и оставить струтуры сети. > а разрешать теже динамически обновления, когда практически любой юзер взяв > nsupdate может натворить много зла.... > Microsoft предлагает четыре варианта, "как быть", был выбран 2ой, > выдержка из статьи http://babs.its.yale.edu/yalead/ddns.asp > A Microsoft white paper (and other information) documents four models for managing > Active Directory DNS information in the presence of BIND name servers: > 1. Run the BIND servers in dynamic mode. > All dynamic functions are enabled so the AD performs in much > the same way is if the DNS servers were Windows 2000 > machines. Typically, only a specific set of machines (usually the > W2K domain controllers) are allowed to make changes to the DNS > records because secure update is not supported. BIND versions 4.9 > and higher support dynamic update. > 2. Use a combination of BIND and W2K DNS > servers. In this model, the BIND servers are in static > mode and the Windows 2000 servers are dynamic. The BIND > ervers remain the authoritative name servers for theorganization. Records of > type NS ("delegation" records) are used so that the Windows servers > handle all AD-specific traffic and BIND servers handle the rest. > This is also somewhat more secure because the W2K servers can > run in "secure" mode so that changes to the DNS information > must be authenticated. > 3. Move all Active Directory activity into a separate > DNS zone. All machines that participate in the AD are > moved into a DNS zone of their own, usually under the > main DNS zone for the organization. For example, an organization > might make a DNS zone called "ad.company.com" under their main "company.com" > DNS zone. The Active Directory is then "rooted" at "ad.company.com". > This created a dichotomy between the DNS structure of the > company and its AD structure in many cases, which has the > potential for confusion. > 4. Manually manage DNS information by hand-editing DNS tables > to include SRV records for the critical services. In this > model, the DNS entries that would normally have been made automatically > by the servers to register their functions with the AD are > entered by hand into a static name server. Since a > single DC can make 30 or more entries in the DNS > system, this quickly becomes a huge amount of work. Also, > since the information is dynamic, the AD loses some of its > fault tolerance because the DNS system can not be updated automatically > to reflect changes in the environment such as a server that > is out of action or a role change. This model > would work in a very small domain that is extraordinarily stable, > but is impractical for most real-world operations.
	Введите код, изображенный на картинке: