Using Bind 9.1.1 with active directory

Jim Reid jim at rfc1035.com
Tue Apr 3 09:26:32 UTC 2001


>>>>> "Adrian" == Adrian Mink <akmink at austin.rr.com> writes:

    Adrian> Does anyone have any information on using Bind 9 to support
    Adrian> a Win2K active directory instead of using Win2K's dns?

What do you mean by "support"? IIUC Active Directory *only* works with
the W2K name server. The multi-master capabilities of AD are alien to
the DNS where there's exactly one master server. That feature of AD
relies on some protocol known only to Microsoft. The dynamic updates
used in AD/W2K use an undocumented authentication scheme, GSS-TSIG,
though Microsoft say they are going to publish this as an Internet
RFC. This means that only a W2K name server can authenticate the
extended Kerberos tickets in those update requests. Unless you allow
just about anything to make dynamic update requests, which is a very
foolish thing to do.

It's perfectly possible to have a non M$ name server act as a slave
(secondary) for a zone that's been delegated to a W2K name server for
Active Directory.
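The secondary setup Jim describes, as an added example that is not part of the original post or of BIND's own documentation: a BIND 9 named.conf fragment that slaves the Active Directory zone from a Windows 2000 DNS server and refuses dynamic updates, next to the configuration he warns against. The zone name ad.example.com, the addresses 192.0.2.10 and 192.0.2.0/24, and the file paths are assumptions for illustration; the two zone statements are alternatives, and a real named.conf would contain only the first.

```conf
// Added example (not from the original post). Zone name, addresses and
// paths are assumptions for illustration.

options {
    directory "/var/named";
};

// Recommended: BIND is a slave (secondary) for the AD zone, which stays
// delegated to the W2K domain controller (assumed address 192.0.2.10).
// BIND only pulls zone transfers from the W2K server; Windows clients
// keep sending their GSS-TSIG-signed updates to the W2K master, so
// BIND never has to authenticate them.
zone "ad.example.com" {
    type slave;
    file "slave/ad.example.com";
    masters { 192.0.2.10; };          // the W2K DNS server holding the zone
    allow-update { none; };           // a slave must never take updates
    allow-transfer { 192.0.2.0/24; }; // assumed: only the local network may AXFR
};

// What NOT to do (alternative to the zone above, shown for contrast):
// making BIND 9.1.1 the master and accepting the Windows clients' updates
// directly means accepting unauthenticated updates from anyone, since
// BIND 9.1.1 cannot verify GSS-TSIG. Any host that can reach the server
// can then rewrite the zone, including the SRV records AD depends on.
/*
zone "ad.example.com" {
    type master;
    file "master/ad.example.com";
    allow-update { any; };            // insecure: unauthenticated updates
};
*/
```

On the Windows side, the zone's properties have to permit zone transfers to the BIND host, otherwise the AXFR from the slave will be refused. Keep the delegation and the clients' DNS settings pointing at the W2K server for updates; the BIND secondary is there to answer queries, not to receive registrations.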


More information about the bind-users mailing list