Recommendations for Mixing Windows and non-Windows Domains?

Garrett Wollman wollman at bimajority.org
Thu Nov 29 21:33:57 EST 2007


In article <mailman.27.1196384841.11331.kerberos at mit.edu>,
Henry B. Hotz <hotz at jpl.nasa.gov> wrote:
>Significant services (which may need duplication or conflict  
>resolution between Unix and AD):

In general, we (MIT CSAIL) pretty much ignore Windows DNS.  The DCs
run it, because AD requires it, but we don't consider it
authoritative.  All users have Kerberos principals in the
CSAIL.MIT.EDU realm, which has one-way cross-realm (because of the DES
issue) into the AD realm.  User accounts in AD have completely random
passwords and are created to grant username at CSAIL.MIT.EDU (and
sometimes username at ATHENA.MIT.EDU if the user needs it for business
reasons) login access to the AD account.  We distribute a .reg file
for workstation users to run prior to joining the domain which creates
the right registry entries for users to log in directly to the
CSAIL.MIT.EDU realm, and domain member workstations handle this
correctly.  No services that matter to non-Windows machines run on
Windows, so their service principals are in the CSAIL.MIT.EDU realm.

>Forward DNS -- I suspect you serve separate DNS domains from BIND  
>vice AD servers

Correct.  The real DNS (driven from our WebDNS application and its
database) is authoritative.  Windows DNS is just there to make Windows
happy.

>Reverse DNS -- Which platform gets which IP numbers, i.e. do you mix  
>or segregate them?

IP addresses are assigned first-fit per subnet.  Subnets are a
combination of geographically- and function-based assignment.

>DHCP -- 1 or 2 DHCP services, provided by which?  Does DHCP care  
>about platform?

We don't use Windows DHCP.

>DynDNS -- How is this integrated with DHCP (plus the above question).

We don't support dynamic DNS at all, and tell all Windows users to
uncheck that option in their settings.  (I don't know if the AD group
policy enforces this.)

>Kerberos -- krb5.conf or DNS SRV?

We support both.  Windows machines are using the registry, of course.
(We do distribute a custom krb5.conf with our customized package of
KfW/NIM.)

>advertised DNS servers -- BIND, DC, mix, pre-configured or DHCP  
>supplied?

We want people to use our name servers, but I have no idea whether AD
member workstations actually do.  (The NS records are set up
appropriately so AD names can be looked up.)  Non-AD-member Windows
machines definitely do.  We tell all users to use DHCP.

>cross-realm -- [domain_realm] section or DNS records maintained?

Again, we do both (for the limited selection of realms we support
cross-realm with -- this is really only necessary for the
ATHENA.MIT.EDU realm).

-GAWollman
-- 
Garrett A. Wollman   | The real tragedy of human existence is not that we are
wollman at csail.mit.edu| nasty by nature, but that a cruel structural asymmetry
Opinions not those   | grants to rare events of meanness such power to shape
of MIT or CSAIL.     | our history. - S.J. Gould, Ten Thousand Acts of Kindness
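The last two questions in the message (krb5.conf vs. DNS SRV, and [domain_realm] vs. DNS records) both come down to how a client decides which realm a given host belongs to. The following Python is an added example, not code from the original post or from MIT CSAIL. It reproduces the precedence an MIT krb5 client applies: the [domain_realm] section is tried first (exact hostname, then each parent domain with a leading dot), DNS TXT records named `_kerberos.<name>` are consulted only when `dns_lookup_realm` is enabled, and otherwise `default_realm` is used (that last step is simplified; MIT krb5 has further fallback heuristics). The krb5.conf text, the DNS answers, the KDC hostnames and every hostname other than the CSAIL.MIT.EDU and ATHENA.MIT.EDU realm names are constructed for the example. The practitioner's point it makes concrete: TXT answers are unauthenticated, which is why MIT krb5 ships with `dns_lookup_realm` off, so a host missing from [domain_realm] either falls to the default realm or, if the lookup is enabled, to whatever DNS says; `unmapped_hosts()` lists the hosts whose realm would not be decided by the local file.

```python
"""Host-to-realm resolution as an MIT krb5 client performs it (simplified).

Added example; the config text, DNS table and hostnames are constructed.
"""
from typing import Callable, Dict, List, Optional, Tuple

# Constructed krb5.conf. KDC hostnames are placeholders, not real servers.
SAMPLE_KRB5_CONF = """
[libdefaults]
    default_realm = CSAIL.MIT.EDU
    dns_lookup_realm = false
    dns_lookup_kdc = true

[realms]
    CSAIL.MIT.EDU = {
        kdc = kdc1.csail.example
        admin_server = kdc1.csail.example
    }
    ATHENA.MIT.EDU = {
        kdc = kdc1.athena.example
    }

[domain_realm]
    .csail.mit.edu = CSAIL.MIT.EDU
    csail.mit.edu = CSAIL.MIT.EDU
    .mit.edu = ATHENA.MIT.EDU
    mit.edu = ATHENA.MIT.EDU
"""

# Constructed stand-in for DNS TXT answers (hypothetical names).
# The per-host record for nas.example.org plays the role of a forged answer
# from someone who can spoof DNS for the client.
FAKE_DNS_TXT: Dict[str, str] = {
    "_kerberos.example.org": "EXAMPLE.ORG",
    "_kerberos.nas.example.org": "EVIL.EXAMPLE",
}

Conf = Dict[str, Dict[str, str]]


def parse_krb5_conf(text: str) -> Conf:
    """Minimal krb5.conf reader: records key = value pairs at brace depth 0
    in each [section]; nested { } blocks (e.g. per-realm KDC lists) are skipped."""
    sections: Conf = {}
    current: Optional[str] = None
    depth = 0
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if depth == 0 and line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            sections.setdefault(current, {})
        elif line.endswith("{"):
            depth += 1
        elif line == "}":
            depth -= 1
        elif depth == 0 and current is not None and "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            sections[current][key.lower()] = value
    return sections


def _domain_realm_candidates(host: str):
    """a.b.c -> 'a.b.c', '.b.c', '.c' (the order MIT krb5 checks [domain_realm])."""
    labels = host.lower().rstrip(".").split(".")
    yield ".".join(labels)
    for i in range(1, len(labels)):
        yield "." + ".".join(labels[i:])


def host_realm(host: str, conf: Conf,
               dns_txt: Optional[Callable[[str], Optional[str]]] = None
               ) -> Tuple[Optional[str], str]:
    """Return (realm, source). source is 'domain_realm', 'dns' or 'default'."""
    mapping = conf.get("domain_realm", {})
    for candidate in _domain_realm_candidates(host):
        if candidate in mapping:
            return mapping[candidate], "domain_realm"
    defaults = conf.get("libdefaults", {})
    dns_enabled = defaults.get("dns_lookup_realm", "false").lower() in ("true", "yes", "1", "on")
    if dns_enabled and dns_txt is not None:
        labels = host.lower().rstrip(".").split(".")
        for i in range(len(labels)):          # _kerberos.host, then each parent
            answer = dns_txt("_kerberos." + ".".join(labels[i:]))
            if answer:
                return answer, "dns"
    return defaults.get("default_realm"), "default"


def enable_dns_realm_lookup(conf: Conf) -> Conf:
    """Copy of conf with dns_lookup_realm = true (the setting MIT leaves off)."""
    new = {name: dict(values) for name, values in conf.items()}
    new.setdefault("libdefaults", {})["dns_lookup_realm"] = "true"
    return new


def unmapped_hosts(hosts: List[str], conf: Conf) -> List[str]:
    """Hosts whose realm is not pinned by [domain_realm]; each of these is decided
    by default_realm or, if enabled, by an unauthenticated DNS answer."""
    return [h for h in hosts if host_realm(h, conf)[1] != "domain_realm"]


if __name__ == "__main__":
    conf = parse_krb5_conf(SAMPLE_KRB5_CONF)
    for h in ["login.csail.mit.edu", "web.mit.edu", "printer.example.org", "nas.example.org"]:
        print(h, host_realm(h, conf, FAKE_DNS_TXT.get),
              host_realm(h, enable_dns_realm_lookup(conf), FAKE_DNS_TXT.get))
    print("not pinned by [domain_realm]:", unmapped_hosts(
        ["login.csail.mit.edu", "printer.example.org", "nas.example.org"], conf))
```

With the file as shipped, `printer.example.org` and `nas.example.org` silently get the default realm; with `dns_lookup_realm` turned on, the first follows the parent-domain TXT record and the second follows the forged per-host record, which is exactly the redirection that keeping such hosts in [domain_realm] prevents.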