video w2k8r2 joining s4 and dns problems

tridge at tridge at
Tue Jan 12 13:17:14 MST 2010

Hi Matthieu,

 > I was rethinking your video concerning your w2k8r2, and I remember 
 > that you were obliged to edit the zone file by hand. Why not use 
 > ./scripting/bin/ ?

That works fine against Windows servers, so if I had set up the Windows
box as the main DNS server then I could have used it.

Against bind9 it doesn't work, as the ms-self access control we set up
for tsig-gss KRB5 DNS updates only works for creating your own name in
the domain; it doesn't work for the $GUID._msdcs names, which is what
needs to be added for a new DC.

I could have cheated by having more open access controls in the bind
config, or by using something like an HMAC-MD5 key based update policy,
but that wouldn't reflect what we need to make DNS updates seamless
with a mix of Windows and Samba DCs.

We need to work on the generated bind9 config file for s4 so that we
create a config which allows DCs to add all the names (both SRV and A
names) that a DC needs to add when it joins. I'm not sure if that is
possible with the current bind9 code, and if we find it isn't then we
will need to work with the bind9 developers to find a way to make it

As a longer term goal I think we should also try to find a way to
support storing the zone files in the DNS partitions of AD, which is
how Windows DNS servers store them. That then allows DNS changes to
flow between DCs using DRS (and should also allow full ACL control
over DNS updates by admins). Maybe we could build a backend storage
plugin for bind that uses ldb? 

Cheers, Tridge
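As an added illustration of the access-control gap discussed in this message (not configuration from the thread or from the Samba project; the realm SAMBA.EXAMPLE.COM, zone samba.example.com and DC host name DC1 are placeholders), here is a bind9 update-policy showing the narrow ms-self rule beside a per-DC grant that lets one DC's machine principal add the SRV and A names it registers at join:

```bind
// Placeholder names: realm SAMBA.EXAMPLE.COM, zone samba.example.com, DC host DC1.
// Updates arrive over GSS-TSIG, so the identity field is a Kerberos principal or realm.
zone "samba.example.com" {
    type master;
    file "/var/named/samba.example.com.zone";

    update-policy {
        // ms-self: a Windows machine principal (host$@REALM) may only
        // create or update the A/AAAA records for its own host name.
        // The name field is ignored for ms-self, so "." is a placeholder.
        // This is the rule that cannot add a new DC's SRV records or its
        // $GUID._msdcs name.
        grant SAMBA.EXAMPLE.COM ms-self . A AAAA;

        // Per-DC grant: only this DC's machine account may add any name in
        // the zone, limited to the record types a join needs. Listing DC
        // principals individually keeps ordinary member machines on the
        // narrow ms-self rule above instead of opening the zone to all.
        grant DC1$@SAMBA.EXAMPLE.COM wildcard * A AAAA SRV CNAME;
    };
};
```

Each DC added to the domain needs its own grant line, so this is only workable where the generated bind config can be regenerated (or an include file updated) as DCs join and leave.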
