rapskat gets a conscience 10119snips
Ran into a weird situation at work thanks to Windows. I'm the netmonkey for a Win2k-based domain. Active directory, all the usual goodies. I mapped out the topology and merrily went about applying it, when I discovered something interesting.

In Linux, if I need DNS serving, I drop in bind. If I need DNS beyond that, I generally set up bind with forwarding - if it don't know the domain, it can contact the DNS servers that do. If nothing else, this keeps the pollution levels manageable.

So, I roll out the server, complete with DNS support. Log the users in and... hmm. No internet support, despite everything being set up to allow it. A quick check reveals that the problem isn't that they can't get out through the proxy, it's that they can't get name resolutions beyond the local server.

Simple enough answer: add a forwarder to the Win2K DNS server. Whoops, nope, at least if it's serving up an AD DNS setup, it won't let you add forwarding. How weird.

Well, fine; I'm running DHCP, I'll just drop a secondary DNS server along with the first. Now it gets really weird... the clients are *still* getting name lookup failures. It seems that as long as they recognize the AD DNS server as the first in the list, they won't look at the second!

Bizarre. So I change the order; make the bind server the first they check, and the AD server the second. Now software publishing, roaming profiles and the like don't work, as they're not finding the AD server after they pull the DHCP leases. How very, very, very weird.

I did, ultimately, get it all working, primarily by having bind set up to pull the records from the AD server and feed 'em out itself, but jolly hell, I spent something like a day and a half trying to get the fool thing to do what should have required at best an hour's work. If the Win2K DNS servers allowed forwarding, it would have been trivial... which apparently means MS must ensure you can't do it that way. :)
rapskat gets a conscience 10120 Linux Advocacy from Newsgroups The #1 Usenet Provider on the Internet