does AD need to have any DNS functionality?

Kevin Darcy kcd at daimlerchrysler.com
Sat Mar 3 05:18:39 UTC 2001


AD needs to be able to write SRV and other types of records into DNS via
Dynamic Update. This presents a couple of challenges:

1) if the AD namespace is constructed to mirror the existing
DNS namespace, or even to have the same apex, e.g. example.com, then one
or more existing DNS zones need to be enabled for Dynamic Update. This
is problematic, because then *all* maintenance for those zones needs to
be done via Dynamic Update. You can get around this somewhat by choosing
a totally different namespace for Active Directory. This could be a
parallel namespace (e.g. example.net instead of example.com), or it
could be a subdomain (e.g. ad.example.com). For the SRV records, it's
even possible to create subzones like "_tcp", "_udp", "_msdcs", etc. off
of your existing zones, to contain and segregate the Active
Directory-related records. Such a method is described in one of the
BIND FAQs, I believe. But I consider this somewhat of a kludge. Among
other things, what if you ever want to use SRV records someday for
purposes *other* than AD?

2) Security issues. BIND and Win2K/AD don't agree on how to do
crypto-authenticated Dynamic Updates. BIND knows standard TSIG and
DNSSEC; Win2K/AD knows only the GSS-TSIG variant of TSIG. They don't
interoperate. The bottom line on this is that the best security you can
get today, when allowing Dynamic Updates from Win2K/AD to BIND, is
IP-address-based security. Obviously, this is quite weak (unless you
have anti-spoofing security mechanisms in place). If you want anything
stronger, though, then you have to use Microsoft DNS for your
DNS instead of BIND.


- Kevin

Farid Hamjavar wrote:

> Last year we created a small test bed with several
> systems trying to see if we can install AD on a win2k.
>
> We're still not anywhere meaningful! I have a basic
> question. Our goal is to bring up a win2k box with AD
> functionality. Just because we want to have a win2k
> box with AD functionality, does it mean that this win2k
> box needs to have DNS functionality itself (at any
> level)?
>
> Can anyone confirm that the answer is no, so we can go ahead and
> wipe the DNS off that win2k?
>
> Or if, on the other hand, the answer is yes, can anyone
> please confirm that the win2k box we'd like to configure to
> have AD functionality needs to be a DNS server, i.e.
> that we need to allocate a class C or a subset of a
> class C for this win2k box to be a DNS server for?
>
> Thanks, Farid
> UNM
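As an added illustration of the subzone arrangement described in the reply above (this is not configuration from the post or from the BIND project), here is a named.conf fragment for BIND 9 that keeps the existing zone static and confines Dynamic Update to the AD-related subzones, with the only access control BIND and Win2K can share: an IP-address ACL. The zone name example.com, the file paths, and the domain controller addresses 192.0.2.10 and 192.0.2.11 are constructed for the example.

```conf
// Added example, not from the post: named.conf fragment for BIND 9.
// Assumptions: example.com is the existing hand-maintained zone, this
// server is authoritative for it, and 192.0.2.10 / 192.0.2.11 are the
// Win2K domain controllers (constructed addresses).

acl ad-dcs {
    192.0.2.10;
    192.0.2.11;
};

// The existing zone stays hand-maintained: no Dynamic Update at all,
// so editing its zone file by hand remains safe.
zone "example.com" {
    type master;
    file "master/example.com";
    allow-update { none; };
};

// Subzones that hold only the AD-generated SRV and related records,
// e.g. _ldap._tcp.dc._msdcs.example.com and _kerberos._tcp.example.com.
// Only these files are rewritten by the server.
zone "_msdcs.example.com" {
    type master;
    file "dynamic/_msdcs.example.com";
    // IP-address-based control only: BIND and Win2K do not share a
    // TSIG mechanism, so this is the strongest check available here.
    // Keep the ACL limited to the domain controllers themselves.
    allow-update { ad-dcs; };
};

zone "_tcp.example.com" {
    type master;
    file "dynamic/_tcp.example.com";
    allow-update { ad-dcs; };
};

zone "_udp.example.com" {
    type master;
    file "dynamic/_udp.example.com";
    allow-update { ad-dcs; };
};
```

Each subzone file needs its own SOA and NS records, and the parent example.com zone file should carry NS delegation records for _msdcs, _tcp and _udp pointing at this server so resolvers that follow delegations find them. Because the ACL is address-based, it is only as trustworthy as the network's protection against spoofed source addresses, which is the weakness the reply points out; keeping the ACL to the domain controllers, rather than a whole subnet, limits how much that weakness can be exercised.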
