Presently our organization utilizes BIND for DNS services, with the
Networking team administering. We are now being told by the Systems team
that they will be responsible for DNS services and that it will be changed
over to the Microsoft DNS service run on domain controllers. The reason
given is that the Active Directory implementation requires the Microsoft DNS
service and dynamic DNS. Not being a Microsoft administrator I do not know
the veracity of these claims. Anyone out there had any experiences with a
situation like this? I am a bit leery of changing something that is already
working.
Microsoft Active directory absolutely needs dynamic DNS. However, I know that it has been integrated with bind, so I don't believe it needs Microsoft DNS. A common procedure is to delegate a subdomain to the microsoft dns server and let the Active Directory forest be built within that environment.
It does not need MS DNS. $dayjob uses Infoblox appliances (BIND under
the hood) for DNS and it works fine with AD. You just need to make sure
you allow the Domain Controllers to do dynamic updates (AD uses SRV
records).
Use the Force: google(Active Directory BIND)
http://technet.microsoft.com/en-us/library/dd316373.aspx
which is a document from 2001 btw....
Greets,
Jeroen
Active directly is tied fairly closely to it's DNS.
For example, if a client needs to find a Domain Controller, it does a
DNS 'SRV' query for (I think, I'm doing this from memory)
'_LDAP._TCP.domain.com/org/net/whatever'. I assume other 'services' like
LDAP are 'advertised' (if you can call it that) via DNS as well.
You MAY be able to duplicate all the records in BIND, but expect random
things to not work, and have to do a bunch of research figuring out what
DNS query it's doing, and what the proper answer is.
Ken Matlock
Network Analyst
Exempla Healthcare
(303) 467-4671
matlockk@exempla.org
That has been the stock MS answer for a long time, but at least W2K8 makes a few
concessions. Technet has some references on making "bind" configurations to work with
AD, specifically the statement (and here's perhaps the best place to start...):
When a domain controller is promoted, a file named NETLOGON.DNS is created in the
%systemroot%\system32\config folder. This file contains all of the DNS entries the
domain controller would register. This file can be used to aid in statically entering
Active Directory DNS records.
There are still "assumptions" that not only will MS provide DNS, but also DHCP, and even
if you poke both of them properly with non-MS tools, you still have to insure that your
naming conventions are going to work together properly (e.g., search suffix on DNS
lookups to resolve domain resources when Windows clients will inevitably use an
unqualified \\servername\sharename to access things). Get your windows folks in the
habit of fully-qualifying servernames.domain.tld instead.
Jeff
I have seen BIND to MS DNS zone transfers work fine before.
Our Corporate Overlords run DNS on a mixed environment of Windows and
Other (mostly other). Back when we were still a small company, we moved
our DNS from BIND to Windows for ease of administration. It CAN be
done, but it's a huge PITA since AD does things in DNS that aren't
standard (and in fact, violate it willfully and knowingly to make MS
Kerberos bits happy). I had my Unix servers acting as secondary servers
to serve their clients off the AD primary servers, and that worked just
fine. Windows Server 2003 and later are extremely stable and we've had
no issues with them taking over DNS duties (I've long since just pointed
all my Unix boxes at the Windows servers for DNS since the Windows
servers have been so stable and reliable).
Jamie
The AD server will populate out the necessary records to the dDNS server. I setup an empty base dDNS subdomain and everything was populated out by the AD server. Handles a long list of SRV records, and v4/v6 forwards were automatically populated for both servers and clients.
I have a very basic setup, which works perfectly for my needs. As to if more advanced features are broken by using BIND, I have no idea.
Jack
If your AD domain is a subdomain, like corp.job.com, you can always delegate the subdomain's name service to the MS DNS servers from the BIND servers. That way, you don't have to make huge changes to your existing environment.
Tom Mikelson wrote:
Presently our organization utilizes BIND for DNS services, with the
Networking team administering. We are now being told by the Systems team
that they will be responsible for DNS services and that it will be changed
over to the Microsoft DNS service run on domain controllers. The reason
given is that the Active Directory implementation requires the Microsoft DNS
service and dynamic DNS.
Bunk. At work we have a network of ~1500 computers with over 600 of them running Windows. Our nameservers are all BIND, which have dynamic DNS enabled for updates sent from our 2003 and 2008R2 DCs. The DCs have no problem creating, updating and deleting the various RR's they use to publish the domain. The Systems team folks will see errors/warnings in the Windows logs because the Windows machines are unable to set up secure connections to the nameservers and due to an implementation difference between what BIND accepts and what Microsoft's OSes send; but in practice these seem to be little more than noise.
Darren Pilgrim (nanog) writes:
Tom Mikelson wrote:
>Presently our organization utilizes BIND for DNS services, with the
>Networking team administering. We are now being told by the Systems team
>that they will be responsible for DNS services and that it will be changed
>over to the Microsoft DNS service run on domain controllers. The reason
>given is that the Active Directory implementation requires the Microsoft DNS
>service and dynamic DNS.Bunk. At work we have a network of ~1500 computers with over 600 of
them running Windows. Our nameservers are all BIND, which have
dynamic DNS enabled for updates sent from our 2003 and 2008R2 DCs.
The DCs have no problem creating, updating and deleting the various
RR's they use to publish the domain. The Systems team folks will
see errors/warnings in the Windows logs because the Windows machines
are unable to set up secure connections to the nameservers and due
to an implementation difference between what BIND accepts and what
Microsoft's OSes send; but in practice these seem to be little more
than noise.
Agreed. What about dynamic updates of the client ? It's usually not
a problem in this direction (Windows client -> BIND DNS), but as you
say it won't be secure (GSS-TSIG).
Cheers,
Phil
AD works just fine with BIND as long as dynamic updates are allowed to the
AD zone's from the DC's. Exchange 2007 by default also wants to be able to
dynamically register it's record's but it can be disabled.
All you need to do is configure the DNS server's in the IP settings and
restart the net logon service on the DC's and watch all the records get
populated into the zone on BIND. That's all you need to do to migrate from
MS DNS to BIND as well.
The only issue I ran into was old records not being deleted properly in BIND
(removing a DC) so you had to manually delete them from the zone but it
wasn't a big deal since there's not many records and easy to identify.
If your worried about all the records not being registered properly you can
look at a local file on the DC and it will list the records that should be
in DNS.
http://support.microsoft.com/kb/816587
There is also a utility you can run on the DC's that will verify all the
records that should be in DNS and report any errors. I don't recall for sure
but I think it was netdiag.
http://support.microsoft.com/kb/321708
-Dan
Phil Regnauld wrote:
Darren Pilgrim (nanog) writes:
Tom Mikelson wrote:
Presently our organization utilizes BIND for DNS services, with the
Networking team administering. We are now being told by the Systems team
that they will be responsible for DNS services and that it will be changed
over to the Microsoft DNS service run on domain controllers. The reason
given is that the Active Directory implementation requires the Microsoft DNS
service and dynamic DNS.Bunk. At work we have a network of ~1500 computers with over 600 of
them running Windows. Our nameservers are all BIND, which have
dynamic DNS enabled for updates sent from our 2003 and 2008R2 DCs.
The DCs have no problem creating, updating and deleting the various
RR's they use to publish the domain. The Systems team folks will
see errors/warnings in the Windows logs because the Windows machines
are unable to set up secure connections to the nameservers and due
to an implementation difference between what BIND accepts and what
Microsoft's OSes send; but in practice these seem to be little more
than noise.Agreed. What about dynamic updates of the client ? It's usually not
a problem in this direction (Windows client -> BIND DNS), but as you
say it won't be secure (GSS-TSIG).
Yes, Windows logs on all 600+ machines have warnings about insecure DNS updates, but they still update. There's effort to delegate the DS subdomain to the DCs just to get rid of the thousands-per-day nonsense.
Recent versions of BIND 9 include GSS-TSIG support. It's harder to
use than it should be, partly due to lack of documentation (mea
culpa), and has some limitations, but does work for the basic task of
letting clients (Windows or otherwise) in an Active Directory
environment perform DDNS updates using GSS-TSIG authentication.
See https://lists.isc.org/pipermail/bind-users/ for recent discussion.