
OpenVMS and 2003 Active Directory-integrated DNS : Secure Dynamic Update

 
joe w
Occasional Contributor

Can OpenVMS perform resource record registration in a 2003 Active Directory-integrated DNS zone configured for Secure Dynamic Updating only??? If so, please provide details.

Regards
Doug Phillips
Trusted Contributor

Re: OpenVMS and 2003 Active Directory-integrated DNS : Secure Dynamic Update

Advanced Server for OpenVMS is Windows NT. Treat it like that. The server must update the records for them.

Just a WAG, are you using DHCP and have you enabled dynamic updates for legacy systems on the DHCP server, and are having problems with stale records? If so, look in the M$ KB for that info. (sorry, I didn't look up the link.)

If that isn't your problem:

What version of OpenVMS are you running?

What version of Advanced Server for OpenVMS are you running?

What OpenVMS TCP/IP stack (and version) are you running?

In which functional level is your network running?

What is the OpenVMS server's role?

What is or isn't happening differently than what you expect? (In other words, what problem are you trying to solve?)
Jan van den Ende
Honored Contributor

Re: OpenVMS and 2003 Active Directory-integrated DNS : Secure Dynamic Update

Joe,

WELCOME to the VMS forum!

.. but I am afraid that is all I have to offer you just now. This is not at all my area of expertise :-(

Proost.

Have one on me.

jpe
Don't rust yours pelled jacker to fine doll missed aches.
joe w
Occasional Contributor

Re: OpenVMS and 2003 Active Directory-integrated DNS : Secure Dynamic Update

We are currently running Pathworks 6.1 Advanced Server for OpenVMS.

The TCP/IP Stack is TCP/IP Services for OpenVMS Alpha Version 5.4 on Alpha Server ES45 Model 2 running OpenVMS v7.3-2.

The domain functional level is Windows Server 2003.

Dynamic update configuration in DNS is currently set to 'Nonsecure and Secure'.

Currently we are running a piece of code called 'LoadBroker' on Pathworks, which is a calculated load balancing mechanism for distributing the load among cluster members. It is also performing the dynamic registration of DNS resource records for OpenVMS.

What I am looking to do is switch our DNS configuration for dynamic updating from 'Nonsecure and Secure' to 'Secure Only' mode. This is dependent upon the client system performing registration through the Generic Security Service Application Interface (GSS-API, specified in RFC 2078) as a means of establishing a security context by passing security tokens between client system and the authoritative name server. The GSS-API uses Kerberos v5 as its authentication protocol as its underlying mechanism for the respective security context.

Knowing this, will our OpenVMS systems be able to perform dynamic registration if DNS is configured for Secure Dynamic Updating?
Aaron Sakovich
Super Advisor

Re: OpenVMS and 2003 Active Directory-integrated DNS : Secure Dynamic Update

I'm running TCP/IP Services v5.4 ECO 6 on a 7.3-2 system. It has a BIND 9 server, which supposedly includes all the dynamic update services required by AD.

MS says that Windows 2000 AD requires any bind 8.2.2 server, not just theirs.

Personally, I've not tried integrating it, but from what I've read, you get a lot of junk from the MS side (illegally named RR's, unnecessary updates, rapidly cycling serial numbers, etc.) Hopefully the bind 9 implementation will help ease some of those problems.

Wish I had a more definitive answer for you,
Aaron
Aaron Sakovich
Super Advisor

Re: OpenVMS and 2003 Active Directory-integrated DNS : Secure Dynamic Update

BTW, I just found this reference on MS's site where they detail the req's for a 3rd party bind server:

http://www.microsoft.com/technet/prodtechnol/windows2000serv/deploy/confeat/w2kstart.mspx
Doug Phillips
Trusted Contributor

Re: OpenVMS and 2003 Active Directory-integrated DNS : Secure Dynamic Update

Sorry, I've never managed loadbroker and I can't answer your question, but I'll make some comments that might or might not help.

RFC 2078 was superseded by RFC 2743. Kerberos5 is included with VMS v7.3-2, but you must install it.

Pathworks 6.1 is equivalent to Windows NT 3.51 so that's the way Windows 2003 sees it.

From experience, Windows 2003 servers do not always play nicely with other non-windows servers. Active Directory concepts are Microsoft concepts, and the rest of the world might or might not play along.

It seems to me you are trying to do two different things. One has to do with Windows 2003 networking; the other has to do with load balancing on the cluster. Loadbroker should be transparent to the rest of the network. All servers should have static IP's.

Maybe someone will tell PEN or one of the other networking masters about this thread and you'll get an answer.
joe w
Occasional Contributor

Re: OpenVMS and 2003 Active Directory-integrated DNS : Secure Dynamic Update

I reference the LoadBroker code only because it is handling the dynamic registration of DNS records on our Windows 2003 Server for the OpenVMS systems. Is there another way to configure OpenVMS to perform dynamic name registration outside of the LoadBroker code?

BIND is not an option at this time, only Windows 2003 Active Directory-integrated DNS.

Regards
Doug Phillips
Trusted Contributor

Re: OpenVMS and 2003 Active Directory-integrated DNS : Secure Dynamic Update

Joe,

All of the manuals I've read and the experiences I've had tell me that pre-Windows 2000 servers without Active Directory can _not_ actively participate in Active Directory. They can be member servers, or can be BDC's under a W2K3 Operations Master with PDC role.

I also read that pre-Windows 2000 servers (and clients) can _not_ directly update W2K3 resource records when Secure Dynamic Updating Only is set.

You are asking a Windows NT 3.51 system to do something that Windows 2003 won't let it do. It isn't a TCP/IP problem or a Pathworks problem; it's the way Windows 2003 is designed and Microsoft's reluctance to let anyone else into their Active Directory world.

You should look for a solution that does not conflict with Microsoft's proprietary Active Directory restrictions. If you must tighten your W2K3 network down to the max, then maybe you could move the preW2K servers into another zone/domain and use common means to communicate between the two.

If I'm wrong and there is a way to overcome the Active Directory problem, I hope someone jumps in to explain.
Chris Barratt
Frequent Advisor

Re: OpenVMS and 2003 Active Directory-integrated DNS : Secure Dynamic Update

I may be misreading things here, but I don't think this is anything to do with Active Directory, other than the fact that the Windows DNS is part of it.

The Load Broker stuff is a TCP/IP Services feature, as I understand it, and not really part of Advanced Server - this is where I am not completely sure of my facts, perhaps there is some AS load broker as well ??

Anyway, when you use the TCP/IP load broker, it needs to update the DNS server on a regular basis with which server in your cluster is now the least loaded.

When we looked into doing this to a Windows DNS, we found that you could only do a non-secure update. We were told by HP support that there is a secure protocol, but at that time the Load Broker did not use it. It was planned, but what was planned was with a standard protocol which was used by most Unix DNS's. Windows, of course, used another variation.

We gave up and stuck with round robin.

This is based on my memory of events from about a year ago, so I wouldn't take this as gospel. Best approach would be to log a call with HP - at least this can then get fed back into whatever mechanisms they use to determine what users are after. :-)

Cheers,
chris
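
Added example, not part of any post in this thread and not HP or Microsoft code: before a zone is moved from 'Nonsecure and Secure' to 'Secure only', captured DNS UPDATE messages (RFC 2136) can be classified by whether they carry a TSIG record and which algorithm it names, `gss-tsig` for the GSS-API/Kerberos variant of RFC 3645 or `hmac-md5.sig-alg.reg.int` for shared-key TSIG (RFC 2845). The zone `example.test`, the host and key names, and the sample packets are constructed for illustration.

```python
import struct
OPCODE_UPDATE, TYPE_TSIG = 5, 250   # RFC 2136 opcode, RFC 2845 TSIG RR type

def read_name(msg, off):
    """Decode the domain name at off; return (name, offset just past it)."""
    labels, end = [], None
    for _ in range(256):                      # bounded, so pointer loops cannot hang us
        n = msg[off]
        if n & 0xC0 == 0xC0:                  # compression pointer
            end = off + 2 if end is None else end
            off = ((n & 0x3F) << 8) | msg[off + 1]
        elif n == 0:
            return ".".join(labels).lower() or ".", (off + 1 if end is None else end)
        else:
            labels.append(msg[off + 1:off + 1 + n].decode("ascii"))
            off += 1 + n
    raise ValueError("name too long or compression loop")

def classify_update(msg):
    """Return 'not-update', 'unsigned', or the TSIG algorithm name of a DNS message."""
    _id, flags, zo, pr, up, ad = struct.unpack("!6H", msg[:12])
    if (flags >> 11) & 0xF != OPCODE_UPDATE:
        return "not-update"
    off, verdict = 12, "unsigned"
    for _ in range(zo):                       # zone section: name, type, class
        off = read_name(msg, off)[1] + 4
    for _ in range(pr + up + ad):             # prerequisite, update, additional RRs
        off = read_name(msg, off)[1]
        rtype, _cls, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        if rtype == TYPE_TSIG:                # RDATA begins with the algorithm name
            verdict = read_name(msg, off + 10)[0]
        off += 10 + rdlen
    return verdict

def wire(n):                                  # dotted name -> DNS wire format
    return b"".join(bytes([len(l)]) + l.encode() for l in n.split(".")) + b"\0"

def sample_update(alg=None):
    """Constructed UPDATE for zone example.test; alg adds a TSIG RR with an empty MAC."""
    body = wire("example.test") + struct.pack("!HH", 6, 1)            # SOA, IN
    body += wire("vms1.example.test") + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([192, 0, 2, 10])
    if alg:
        rdata = wire(alg) + bytes(6) + struct.pack("!5H", 300, 0, 0x1234, 0, 0)
        body += wire("key.example.test") + struct.pack("!HHIH", TYPE_TSIG, 255, 0, len(rdata)) + rdata
    return struct.pack("!6H", 0x1234, OPCODE_UPDATE << 11, 1, 0, 1, 1 if alg else 0) + body

if __name__ == "__main__":
    for alg in (None, "hmac-md5.sig-alg.reg.int", "gss-tsig"):
        print(alg, "->", classify_update(sample_update(alg)))
```

Clients that show up as `unsigned` or as a shared-key algorithm in such a capture are the ones whose registrations would be affected by a 'Secure only' zone setting.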
Chris Barratt
Frequent Advisor

Re: OpenVMS and 2003 Active Directory-integrated DNS : Secure Dynamic Update

I just remembered, I had a forum discussion at the time too.

http://forums1.itrc.hp.com/service/forums/questionanswer.do?threadId=984653

cheers,
chris