BIND9 + AD in Enterprise Environment

phn at icke-reklam.ipsec.nu
Sun Jul 7 18:59:49 UTC 2002


Jay T. Millar <jay.millar at stjohn.org> wrote:

> Hi Everyone,

> I didn't see any posts which specifically addressed the question I
> have, but I'm sure the general subject is a familiar one (and it seems
> many out there are struggling with it).  I work for a company with an
> existing Solaris/BIND8-based infrastructure for DNS.  We've used both
> BIND 4 and 8 for years and are, of course, extremely happy with the
> performance and stability.

> Our mail infrastructure is, unfortunately, based around MS Exchange
> and our Exchange folks are looking to upgrade to MS Exchange 2000. 
> This upgrade apparently *requires* Active Directory, and therefore,
> our Windows group is pushing to utilize the integrated MS
> Windows-based DNS servers as it's easy, and integrates seamlessly with
> Active Directory.

> As we, the UNIX/midrange team, have utilized BIND only and have been
> in charge of DNS for years, this was rather unsettling.  Therefore, we
> have gone ahead and tested BIND 9.2.1 for use with Active Directory
> and it seems to work rather well... the only requirement Active
> Directory looks to have is a dynamic DNS-enabled DNS server to
> register SRV records with.

> In any case, we are now looking at implementing this setup (MS
> Exchange and Domain Controllers at remote sites using local BIND 9.x
> slaves as the DNS server) in an enterprise-wide fashion.  We have
> approximately 10,000 users across our corporation spread amongst 14
> major sites.

> Therefore, my first question is:  

> 1. Are there any major glitches, gotchas, or other nastiness
> associated with attempting to use BIND 9 as a DNS server to support
> Microsoft Active Directory?

> I'm aware of the security concerns, and I expect there may be some
> lessons learned and the like regarding this, but from what I have seen
> thus far (and the things I have read) the above is a pretty
> straightforward proposition.  Given this, I have a second question which is
> the stereotypical one necessary to assuage the concerned management.

> 2. Is there anyone else out there currently using BIND9 to support
> Active Directory for DNS in a large enterprise environment (on the
> order of thousands of users)?  If so, can anyone relate information
> and experiences regarding your implementation?  (any comments on this,
> however brief, would be greatly appreciated!)

> In any event, those are the questions I had.  Thanks in advance to
> anyone who can help me out with this!

So far you have been enjoying a reliable and cost-efficient DNS
presence on the Internet.

Removing that source of reliability seems to be a shot in the foot.

The issue of moving from one form of unreliable mail to another does
not (in my opinion) justify destroying another asset.

What _should_ be done is to prepend whatever wintendo toys your organization
uses for mail with a unix/sendmail combination, which will among other
things give you an opportunity to filter spam via dnsbl.  Another thing
you will get from this is increased security, since you don't have to
have insecure systems reachable from the Internet.

So my advice: keep your DNS (although an upgrade to 9.2.1 is advisable)
and get one or two sendmail boxes to frontend your mail systems.

Then your organization might be able to switch to whatever mail system
they like without jeopardizing your security.

Peter h
> - Jay Millar


--
Peter Håkanson
        IPSec  Sverige      ( At Gothenburg Riverside )
        Sorry about my e-mail address, but I'm trying to keep spam out,
        remove "icke-reklam" if you feel for mailing me. Thanx.
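The setup Jay describes (domain controllers at remote sites registering their SRV records through dynamic update against local BIND 9 slaves) turns on two named.conf settings that are easy to get wrong: who may send updates, and whether a slave forwards them to the master at all. Below is an added configuration example, not from either poster; the zone name corp.example, the master dns1 at 192.0.2.53 and the DC addresses are constructed placeholders.

```conf
// Added example, not from the original thread. Assumed: AD zone
// corp.example; master at 192.0.2.53; DCs at 192.0.2.10 (head office)
// and 198.51.100.10 (remote site). Two files are shown: the master's
// named.conf and a remote-site slave's named.conf.

// Common to both: only domain controllers may register records.
// BIND 9.2.1 has no GSS-TSIG, so Windows "secure updates only" cannot
// be used against it; this source-address ACL is the control you have.
acl "dcs" {
    192.0.2.10;
    198.51.100.10;
};

// ---- named.conf on the master (dns1, 192.0.2.53) ----
zone "corp.example" {
    type master;
    file "dyn/corp.example.db";
    // Updates from anything outside the ACL are REFUSED and logged.
    allow-update { dcs; };
    // Zone transfers only to the site slaves, not to the world.
    allow-transfer { 192.0.2.0/24; 198.51.100.0/24; };
    notify yes;
};

// ---- named.conf on a remote-site slave ----
zone "corp.example" {
    type slave;
    file "slave/corp.example.db";
    masters { 192.0.2.53; };
    // A DC sends its update to the nearest server, i.e. this slave.
    // Without this line the slave answers NOTAUTH and registration
    // fails; with the same ACL, arbitrary hosts cannot relay updates.
    allow-update-forwarding { dcs; };
};
```

A source-address ACL on UDP updates is the weakest control BIND can apply here; where an updating client can use a TSIG key, prefer `allow-update { key "name"; }` over an address list.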