DNS & Active Directory Questions

Kevin Darcy kcd at daimlerchrysler.com
Wed Jan 17 02:50:41 UTC 2001


The core issue here, as I'm sure you realize, is that BIND only supports
standardized, RFC'ed transaction security mechanisms, whereas Win2K only
supports its own "extension" of TSIG, GSS-TSIG, currently in Internet Draft
status. So if you mix BIND and Win2K AD the most security you can get today is
*weak* authentication, i.e. by IP address or address range. For some
organizations, this is acceptable. I happen to know of one large organization
(not us) who has gone this route. We, on the other hand, haven't made the
decision yet; we are testing AD with weakly-authenticated updates and will no
doubt make the decision once we decide to go production with it. If strong
authentication is deemed to be a requirement and BIND doesn't support
GSS-TSIG by that time, then we will have to abandon BIND or any product based
on it for our AD-related zones. _Generally_ we prefer to test with the same
software mix as we plan to use in production, but in this case we weren't sure
what we would be using in production, so we chose to use BIND for testing
simply because we're more familiar with that DNS platform (we've never used any
Microsoft DNS products in our infrastructure).

Of course, I'm only discussing the Active Directory component of Win2K. There
is also a client registration component in which the Win2K DHCP server and/or
the client may attempt to Dynamically Update the nameserver, without
implicating Active Directory at all. That's a whole other issue. We have simply
avoided that issue by outright deciding not to implement Win2K's client
registration feature (we already have another product to do DHCP, which has
DDNS integration if we want it, so that feature of Win2K really didn't have
much value to us anyway).


- Kevin


Smith, William E., Jr. wrote:

> My company is currently in the process of a Windows 2000 migration.  One of
> the big issues facing us is DNS and how we will implement/support it in a
> W2K environment. In particular, how DNS is implemented to provide full AD
> integrated support.  We are currently using QIP for our primary DNS server
> and standard BIND on our secondaries.  We were hoping to avoid Windows 2000
> DNS servers but it seems more & more likely we'll have to bring some up to
> get the full AD integration.  I was wondering how others working on a W2K
> migration are handling the DNS issues with respect to AD integration.  Are
> you planning on bringing up W2K DNS servers to support your W2K domains and
> then transferring that info to your BIND/3rd Party DNS while having the
> current servers handle everything else.   Or do you have something else in
> mind?  Generally after what hybrid designs others are looking into to
> achieve full AD integration.  Any insight, etc that anyone can provide would
> be greatly appreciated.
>
> Thanks,
>
> Bill Smith
> <mailto:bill.smith at jhuapl.edu>
> The Johns Hopkins University                    Washington DC: 240-228-5523
> Applied Physics Laboratory                      MD: 443-778-5523
> 11100 Johns Hopkins Road                        Fax: 443-778-5727
> Laurel, MD 20723-6099                           Web:
> <http://www.jhuapl.edu/>
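For readers unfamiliar with what "weak" versus "strong" update authentication looks like in BIND, the two alternatives the reply contrasts are shown below as named.conf fragments. This is an added illustration, not configuration from either poster; the zone name, key name, networks and secret are constructed placeholders, and the two zone statements are alternatives, not one config.

```text
// Alternative A: authentication by source address only. This is all a mixed
// BIND / Win2K AD deployment could use at the time, because Win2K updaters
// speak only GSS-TSIG, which BIND did not implement. It is "weak" because the
// nameserver trusts the IP header, which is not cryptographically verified.
zone "ad.example.com" {
    type master;
    file "ad.example.com.db";
    // constructed: the networks holding the domain controllers
    allow-update { 10.20.0.0/16; 10.21.0.0/16; };
};

// Alternative B: standard TSIG (RFC 2845). Updates must carry a valid HMAC
// computed with the shared secret, so the source address no longer matters.
// Works with BIND-to-BIND and with nsupdate -k, but a Win2K domain controller
// cannot use it, which is the interoperability gap the reply describes.
key "ad-update-key" {
    algorithm hmac-md5;
    // placeholder; generate a real secret with dnssec-keygen -a HMAC-MD5
    secret "PLACEHOLDER-BASE64-SECRET==";
};

zone "ad.example.com" {
    type master;
    file "ad.example.com.db";
    allow-update { key "ad-update-key"; };
};
```

An update rejected under either policy is logged by named as a REFUSED response, so the update log is where a mismatch between the policy and the actual updaters shows up first.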