[update] DNS conundrum

From: Tony van Lingen (tony.vanlingen@epa.qld.gov.au)
Date: Mon Jan 24 2005 - 20:14:59 EST


G'day all.

It seems that I succeeded in completely obfuscating my problem. I
apologise for that... it was late and I may have been a bit giddy after
days of trying to solve this.

Allow me to start afresh.

*Justification:* "I am a Unix SysAdmin and have been so for over a
decade. I started out in IT in 1985. I know the basics (some -a vigilant
Jim Seymour in particular- seem to doubt this), in fact I hold several
relevant certifications. The situation I am describing is on our main
enterprise dns server, not some toy. The outages to production are also
very real. I do have the O'Reilly DNS book and I understand the need for
reverse lookups and hint zones. In fact, I have been setting up many dns
servers for many a client over the past decade. I did indeed put in the
required effort to solve this myself." [ Sad that I have to defend
myself like this, isn't it? Can't we at least *assume* the posters are
professionals and that problems posted here are real? ]

I set this up several years ago, and it always worked fine. The excerpts
of the dns-configuration I showed in my previous posting are what I
thought the important bits of the database that I had changed. The
actual files contain several hundreds of lines, which is why I showed
only those that I did. I am sorry if this was more of a hindrance than a help.

One server is a Netra T1, the other an Enterprise 420R. I used the exact
same configuration on both machines, as well as the exact same binary.
It works perfectly on the E420R, but fails on the Netra. The only
difference I can identify is this:
    - the hardware (Netra vs E420R)
    - the applications they run (SunOne/iPlanet Proxy vs. Steltor Calendar)

Otherwise the two servers were installed identically (I did that, some
years ago) and patched up to the 22/Dec Recommended patch set.

With the advent of Active Directory, someone came in and decided to
create a new domain, under the fantasy root-domain of 'internal'.
Subsequently Microsoft servers were moved into there and backup servers,
which run a proper OS, started failing to find them. There are two
avenues to solve this, the Q&D and a clean way:

    - Q&D: put in a forward zone ( as in : zone "..." { type forward;
... } ) in the main dns servers to have queries on this loose branch,
called 'prod.ad.internal', forwarded to the AD servers. And run the risk
that some bright MCSE comes in and decides to put in a forward for
'internal' in the AD server and we've got a loop...

    - Clean (as I see it): put in a root zone for the fantasy 'internal'
root domain on the primary and delegate the ad. and its children to the
Micro$oft servers.

(there is a third, of course: forget about the main DNS servers and use
the AD servers in their place. This is not an option, however)

I think clean is the way to go, but if someone has a different opinion
on this I'd gladly hear it. Anyhow, I put in glue records, NS records
for the ad zone and A records for the NS servers, exactly as described
on page 232 of the book [...]. This works as advertised on the E420R. As
stated above, with the exact same (md5 correct) configuration and
database files as well as named binary, the delegation does not work on
the Netra. 2 other delegations (also for the AD transition, but within
the 2 real domains that we have) show similar strange behaviour:

On the E420R, all delegations work as expected.
On the Netra, only the delegation *within the domain that it logically
belongs to* works as expected, the other 2 fail.

Queries on all other zones within the database work perfectly on both
machines. Again, the root hint file, 127.0.0 zone and all reverse-lookup
zones do exist and are up-to-date. During my investigations I used the
exact same conf. on both, although one is supposed to be a slave of the
other. The resolv.conf files on both boxes are also equal.

Logically, as all other factors appear equal, I suspect some interaction
with either the resolver or the ISC Bind binary and a hardware-specific
component, but I fail to find any. Perhaps there is interaction with
SunOne/iPlanet proxy server and ISC Bind? Has anyone ever heard of such
interaction?

Yours,

-- 
Tony van Lingen 
Technical Consultant
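The "clean" option above hinges on the parent zone carrying a correct delegation: NS records at the cut plus glue A records for any nameserver whose name lives inside the delegated child. The following is an added example, not code from the original post or from ISC; it parses a small constructed zone for the fictional 'internal' root (all names and 192.0.2.x addresses are made up) and reports the delegation defects a resolver would trip over.

```python
# Added example: sanity-check a parent zone's delegation of a child zone.
# The zone text below is constructed for illustration; it is not the
# poster's real data. Addresses come from the 192.0.2.0/24 documentation range.
import re

SAMPLE_ZONE = """
internal.             IN SOA ns1.internal. hostmaster.internal. 1 3600 900 604800 86400
internal.             IN NS  ns1.internal.
ns1.internal.         IN A   192.0.2.1
ad.internal.          IN NS  dc1.prod.ad.internal.
ad.internal.          IN NS  dc2.prod.ad.internal.   ; glue for dc2 is missing
dc1.prod.ad.internal. IN A   192.0.2.10
"""

def parse_zone(text):
    """Parse 'owner IN type rdata' lines into (owner, type, rdata) tuples."""
    records = []
    for line in text.splitlines():
        line = line.split(";")[0].strip()  # drop comments and blank lines
        if not line:
            continue
        owner, _, rtype, rdata = re.split(r"\s+", line, maxsplit=3)
        records.append((owner.lower(), rtype.upper(), rdata.lower()))
    return records

def is_below(name, zone):
    """True when name equals zone or is a subdomain of it (FQDNs with dots)."""
    return name == zone or name.endswith("." + zone)

def check_delegation(records, child):
    """Return a list of problems with the delegation of `child` in the parent."""
    problems = []
    ns_targets = [r[2] for r in records if r[0] == child and r[1] == "NS"]
    if not ns_targets:
        return [f"no NS records delegate {child}"]
    a_owners = {r[0] for r in records if r[1] in ("A", "AAAA")}
    for ns in ns_targets:
        # An in-zone nameserver is unreachable without glue in the parent.
        if is_below(ns, child) and ns not in a_owners:
            problems.append(f"NS {ns} is inside {child} but has no glue A record")
    for owner, rtype, _ in records:
        # Anything below the cut that is not glue is occluded by the delegation
        # and will silently stop being served; flag it so stale data is noticed.
        if is_below(owner, child) and owner != child:
            if not (rtype in ("A", "AAAA") and owner in ns_targets):
                problems.append(f"{rtype} record for {owner} is occluded below the delegation point")
    return problems

if __name__ == "__main__":
    for problem in check_delegation(parse_zone(SAMPLE_ZONE), "ad.internal."):
        print(problem)
```

Running it on the sample prints the one defect (missing glue for dc2); adding the dc2 A record to the parent zone makes the check come back clean.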
_______________________________________________
sunmanagers mailing list
sunmanagers@sunmanagers.org
http://www.sunmanagers.org/mailman/listinfo/sunmanagers