Primary Domain Controller (PDC) : WINS or not WINS?

Question

Primary Domain Controller (PDC) : WINS or not WINS?

Hello brains,

When I promote a server to be a Primary Domain Controller, do I need to designate the server as a WINS server as well (considering there's no other server on the network acting as one)? Or can I leave it off?

See, I've been trying to join a Win XP Pro laptop to the domain of the newly-promoted PDC, but I keep getting an error stating there's no SRV record in DNS for ldap._tcp.dc.msdcs.<myDomain>.

I thought, since the error is so clear, that I could add the SRV record manually, but then thought, if it's not added automatically by ServerAdmin, maybe there's something wrong going on.

I've just read this post:

forums.macosxhints.com/archive/index.php/t-67102.html

... Which seems to say the problem is actually in OS X. And they recommend to turn on WINS, although this is at a price of lower security. And since I've been told for the past 6 years than been paranoid is cool, I kinda not like that 🙂

So?

1. WINS or no WINS?

2. If no WINS, is it possible something's wrong in my config that prevents ServerAdmin to add the SRV record to the DNS config?

3. If no WINS, and it's normal there's no SRV records automatically added in the DNS, what other SRV record beside LDAP should I enter manually? kerberos? kpasswd? other?

Thanks in advance...

iMac G5 (2005/10/15, not the 2005/10/16 :(, Mac OS X (10.4.2)

Posted on Jun 16, 2007 7:05 PM

Reply

Answer 1

Jun 18, 2007 11:23 AM in response to Frederic Denis

FD, I'd love to hear your solution if you get one. We have the same message and I tried every combination of settings I could think of with no success.

jhb

Reply

Answer 2

Jun 20, 2007 5:13 PM in response to jaybull44

If I do get a solution (by myself or from the help of other(s)), be assured I'll let you know... 🙂

... just haven't had time to play on the server since last time...

FD

Reply

Answer 3

Jun 21, 2007 11:56 AM in response to Frederic Denis

Hi Frederic: I used this feature to register with an actual Windows WINS Server. I did not see any problems. I’ve also used this when OSX Server is the only Server and it did not seem to make a difference one way or another. However it was in a test environment and one PC only was used.

By the way is the Server an OD master?

Tony

Reply

Answer 4

Jun 21, 2007 12:49 PM in response to Antonio Rocco

Hi Tony,

So you're saying that, both when you were using a Windows WINS Server and a Mac as a WINS Server, joining PC was working without problem? Interesting...

I'm actually too in a test environment for now, trying to have every little bricks verified before I go to the full-fledged setup. The Mac Server is OD master (OS X S 10.4.9), with DNS running, with Kerberos enabled, AFP running - and I'm now trying to have the Windows services part running...

Someone on AFP548.com suggested that joining the Windows client to the domain might require a different procedure that joining a standard Active Directory domain, as OS X would be actually managing a NT-style domain(?)... I have to investigate that...

Tony, did you try joining a domain managed by the Mac Server without WINS running?

Thanks,

Reply

Answer 5

Jun 21, 2007 2:42 PM in response to Frederic Denis

Hi Frederic:

So you're saying that, both when you were using a
Windows WINS Server and a Mac as a WINS Server,
joining PC was working without problem?
Interesting...

Not at the same time. I registered a Standalone Mac Server with an existing WINS Server as that is better at providing NetBIOS name resolution anyway.

I'm actually too in a test environment for now,
trying to have every little bricks verified before I
go to the full-fledged setup. The Mac Server is OD
master (OS X S 10.4.9), with DNS running, with
Kerberos enabled, AFP running - and I'm now trying to
have the Windows services part running...

The PDC role does not use Kerberos for Windows services. Mail and other services can be configured to use Kerberos for Windows users who have shared directory (LDAP) accounts. You probably know this already.

Someone on AFP548.com suggested that joining the
Windows client to the domain might require a
different procedure that joining a standard Active
Directory domain, as OS X would be actually managing
a NT-style domain(?)... I have to investigate
that...

I’m not familiar with that AFP548 post. The Windows Services 10.4 manual on page 14 talks about the PDC role supporting Windows-NT compatible workstations. This includes – according to the manual – Windows NT, Win 2K and Win XP PCs.

Other things to consider is Samba 3 is what you get on OSX Server – www.samba.org has the latest version for download – although I have not tried this. I don’t think Digital signing is supported either but I’m not sure.

For what its worth I have my own Windows AD Server and not surprisingly it does a better job at providing Windows Services. This is not meant to be flippant.

Tony, did you try joining a domain managed by the Mac
Server without WINS running?

I tried it both ways as stated in the previous post. Did not seem to make a difference. However I only tested it with one PC client. I would imagine NetBios resolution becomes important once there are more PC clients.

Tony

Reply

Answer 6

Jun 21, 2007 4:00 PM in response to Antonio Rocco

Hi again,

So you're saying that, both when you were using a
Windows WINS Server and a Mac as a WINS Server,
joining PC was working without problem?
Interesting...

Not at the same time. I registered a Standalone Mac
Server with an existing WINS Server as that is better
at providing NetBIOS name resolution anyway.

[...]

Tony, did you try joining a domain managed by the

Mac

Server without WINS running?

I tried it both ways as stated in the previous post.
Did not seem to make a difference. However I only
tested it with one PC client. I would imagine NetBios
resolution becomes important once there are more PC
clients.

Tony

Maybe it's the hectic week, maybe it's the lack of sleep, but I feel like I'm a bit slow. Which one of the following have you tried exactly?

1) PDC by Mac with WINS by Windows
2) PDC by Mac with WINS by Mac
3) PDC by Mac without WINS by anything

It assumed first you did #1 and #2 (not at the same time, understood). But maybe you meant you did #3 also... Which would mean I'm lost completely and should think about hiring a consultant.

(don't you consultant readers get on the phone yet, though...) 🙂

Thanks,

FD

Reply

Answer 7

Jun 21, 2007 7:48 PM in response to Frederic Denis

AFAIK, WINS is a legacy technology. In other words, your XP machines couldn't care less about WINS. If you had WIN98 or 3.1, you'd need to think about WINS. DNS, properly configured, is what you should worry about.

hth

Jeff

Reply

Answer 8

Jun 22, 2007 12:54 AM in response to Frederic Denis

Hi Frederic: Jeff has said it in fewer words. I do tend to go on a bit!

For XP Clients it does not seem to matter what you do in terms of resolving NetBios names, I tried all three of your questions. I can’t say how important a WINS Service is for anything other than XP as its been at least 2 years since I used anything else. Is that clearer?

Reply

Answer 9

Jun 22, 2007 6:49 AM in response to Antonio Rocco

Thanks to you both,

It does make it clearer: WINS is not necessary with XP boxes.

So, would that mean my config is broken, if the XP laptop I try to join to my domain looks for SRV record in the DNS and can't find them?

Or is it normal, and I'd have to enter the SRV record manually?

I'll try the latter anyway, sometimes in the next days, and see if any further errors pop up...

Thanks again,

FD

Reply

Answer 10

Aug 17, 2007 5:46 AM in response to Frederic Denis

In case someone need the information someday, we had it working finally:

- Indeed, I would have needed to add manually an SRV record to the DNS in order to join a PC to my mac-hosted domain. That's what the mac consultant we hired told me.

- However, latest update of mac os x server fixed that little problem. The Win XP box is not complaining anymore about such record. So it all works well now...

Reply