SCIENTIFIC-LINUX-USERS Archives

January 2014

SCIENTIFIC-LINUX-USERS@LISTSERV.FNAL.GOV

Subject:
From: "James M. Pulver" <[log in to unmask]>
Reply To: James M. Pulver
Date: Fri, 10 Jan 2014 13:51:40 +0000
Content-Type: text/plain
Parts/Attachments: text/plain (36 lines)
We run a small AD setup with BIND as DNS. We don't even allow dynamic updates, and it all works fine. We get some event log spam, but as long as you register the DNS entries somehow, the automated stuff from the clients doesn't need to do it.
OT:
As to whether AD makes sense - well, back in 2008 when we were planning our setup, it made a lot of sense. Here in 2014 I think SAMBA 4 for auth and Puppet for conf management might just make more sense, if it ties in as well with SL6 as SL6 SSSD does with AD. The major pain I have right now is I have *too many choices* for how to configure Windows (Is that a problem??). I can use Group Policy, I can use Fusion Inventory, I can use Puppet. It's a trick to work out which is best for what.

I will say, I've hit "interesting" bugs in GPO deployment, and so much of the debugging seems obfuscated for no reason. Puppet at least has a "force a run" that easily gives you details about what's going on so you can debug quickly. GPO debugging feels far more like black magic - there's at least 3 different ways to go about it and you have to go through each till you find the problem, and the fix may well be "Reinstall Windows" because you can't remove and reinstall just the GP client. With Puppet, I've left GPP registry settings and attempts to manage third party apps (unless they come with an ADM(x) file - because why reinvent the wheel) behind.
--
James Pulver
CLASSE Computer Group
Cornell University


-----Original Message-----
From: [log in to unmask] [mailto:[log in to unmask]] On Behalf Of Nico Kadel-Garcia
Sent: Friday, January 10, 2014 12:36 AM
To: Jeremy Wellner
Cc: [log in to unmask]; [log in to unmask]
Subject: Re: DNS Servers

AD does many things, many of them quite badly. If you need a drop-in authentication server, you might consider if you really need AD, or if Samba 4.1.x will do the job. I've got RPM building tools for that at https://github.com/nkadel/samba4repo, and they work well on Scientific Linux 6 with the necessary RPMs built up from scratch.

AD is handy for easy integration with Microsoft servers, such as Exchange and SQL, and for providing Windows-trained personnel familiar tools. But its DNS is.... not good. It allows multiple PTR records for the same IP address, configuring DNS views is a nightmare, its "export" tool is a proprietary format that looks vaguely like valid DNS but isn't, and it does not understand that "foor.bar.com" may have *nothing to do* in any logical sense with "bar.com" DNS.

If you need it for things like the authenticated dynamic DNS for your laptops and wi-fi, and don't want to spend the time building up Samba or similar tools, cool. But keep it the heck away from your server DNS. If you need chroot cages and good source-control-managed configuration backups, consider looking up my presentation at SVNday in Berlin a few years ago: "How to Subvert Masters and Slaves, BIND Them, and Make Them Report Names and Addresses".


On Thu, Jan 9, 2014 at 9:37 PM, Jeremy Wellner <[log in to unmask]> wrote:
> That's a resounding stay the course and I don't mind that one bit.  
> It's been rock solid and I've been happy with it.
>
> So as a secondary question, we are planning on adding Active Directory 
> in to our network and I know that it is very particular about its 
> DNS.  Will AD be happy with being given a delegate domain to have as 
> its sandbox or does that throw my BIND install out the window?
>
> Thank you all for the advice!! :)
