It doesn't really work right, but you can hack and slash, lowering security to make it fit. You'll have to explicitly trust any updates from a set of defined IP's (ACL). Later on there's a link to some nifty ways to re-secure the relationships by directing who writes where.
Including...
1)your w2k Domain controller(s)
2)IF you use and configure your DHCP server correctly
(DHCP Manager-so it registers both A & PTR records for a client) you only need to trust it.
3) any none-DHCP fed PCs
FYI the secure GSS TSIG (?) trasnmission format w2k DC uses is not supported by BIND, and won't be anytime soon.
If you want to make it semi secure you need to modify all the PC's Go to: My Computer -Properties-Next-Network Identification tab-Properties-Identification Changes-More-"Primary DNS suffix of this computer" AND you'll have to follow the link below to adjust for this change.
Setting that to something, it will appear as a child (w2k.yourdomain.com). If you DON'T do that you have to allow any PC to write directly to your top level zone (scarry). A users could change his PC name to mail, overwrite your existing mailserver record, and become mail.yourdomain.com.
At this point in time let me defer to this article. You really should read it. The last example is how to do it right.
http://www.linux-mag.com/2001-03/bind_04.html
Now that you know what can happen if you do the following, the really quick and dirty "just get the damn thing working" way is to trust all the local IP's to update forward and reverse zones by putting this line in named.conf's zone records.
allow-update{ "localnets";};
zone "fx.movie.edu" {
type master;
file "db.fx.movie.edu";
allow-update { "localnets"; };
};
zone "254.253.192.in-addr.arpa" {
type master;
file "db.192.253.254";
allow-update { "localnets"; };
};
This of course assumes all users and servers also have a local IP. Good luck. Feed back welcome. That article is by far the only good w2k domain / BIND resurce I've ever found.
BIND DNS for Windows 2000 clients
