BIND9 + AD in Enterprise Environment

Kevin Darcy kcd at daimlerchrysler.com
Tue Jul 9 00:05:27 UTC 2002


jay.millar at stjohn.org wrote:

> Hi Everyone,
>
> I didn't see any posts which specifically addressed the question I
> have, but I'm sure the general subject is a familiar one (and it seems
> many out there are struggling with it).  I work for a company with an
> existing Solaris/BIND8-based infrastructure for DNS.  We've used both
> BIND 4 and 8 for years and are, of course, extremely happy with the
> performance and stability.
>
> Our mail infrastructure is, unfortunately, based around MS Exchange
> and our Exchange folks are looking to upgrade to MS Exchange 2000.
> This upgrade apparently *requires* Active Directory, and therefore,
> our Windows group is pushing to utilize the integrated MS
> Windows-based DNS servers as it's easy, and integrates seamlessly with
> Active Directory.
>
> As we, the UNIX/midrange team, have utilized BIND only and have been
> in charge of DNS for years, this was rather unsettling.  Therefore, we
> have gone ahead and tested BIND 9.2.1 for use with Active Directory
> and it seems to work rather well....the only requirement Active
> Directory looks to have is a dynamic DNS-enabled DNS server to
> register SRV records with.
>
> In any case, we are now looking at implementing this setup (MS
> Exchange and Domain Controllers at remote sites using local BIND 9.x
> slaves as the DNS server) in an enterprise-wide fashion.  We have
> approximately 10,000 users across our corporation spread amongst 14
> major sites.
>
> Therefore, my first question is:
>
> 1. Are there any major glitches, gotchas, or other nastiness
> associated with attempting to use BIND 9 as a DNS server to support
> Microsoft Active Directory?
>
> I'm aware of the security concerns, and I expect there may be some
> lessons learned and the like regarding this, but from what I have seen
> thus far (and the things I have read) the above is a pretty
> straightforward proposition.  Given this, I have a second question which is
> the stereotypical one necessary to assuage the concerned management.
>
> 2. Is there anyone else out there currently using BIND9 to support
> Active Directory for DNS in a large enterprise environment (on the
> order of thousands of users)?  If so, can anyone relate information
> and experiences regarding your implementation?  (any comments on this,
> however brief, would be greatly appreciated!)
>
> In any event, those are the questions I had.  Thanks in advance to
> anyone who can help me out with this!

We have AD segregated into its own namespace, separate and apart from our
regular domains (daimlerchrysler.com, dcx.com, etc.). For parts of that
namespace, we host the zones on our BIND servers. For other parts, they
are hosted on MS-DNS servers. It seems to be working adequately so far,
with one big caveat: since the security mechanisms used by BIND and
Win2K/AD are incompatible, the only security we have for Dynamic Updates
is based on source-address (which is pretty weak). It's also becoming a
bit of a pain to maintain the ACLs, but fortunately we don't have that
many Domain Controllers online yet...

The only other glitch/gotcha I would mention is that if you make your
BIND box a slave to an MS-DNS box, you might experience the "floating
serial number" problem which can cause your zone transfers to temporarily
stop. I haven't seen this in a while, however, so maybe they finally
fixed the bug...


- Kevin
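Kevin's reply says the only control his site has over AD dynamic updates into BIND is source-address filtering, and that the ACL is a chore to keep current as Domain Controllers come online. The named.conf fragment below is added here to show what that setup looks like in BIND 9; it is not taken from the post or from any DaimlerChrysler configuration, and every zone name and address in it is a placeholder.

```conf
// Added illustration, not from the original message. Source-address control of
// dynamic updates for an AD zone hosted on a BIND 9 master. Placeholder
// names and addresses throughout.

acl "domain-controllers" {
    10.1.0.10;          // dc1, site A (placeholder)
    10.1.0.11;          // dc2, site A (placeholder)
    10.2.0.10;          // dc1, site B (placeholder)
    // Every new DC has to be added here by hand; that is the maintenance
    // cost the reply mentions, and a spoofed source address defeats it.
};

acl "bind-slaves" {
    10.3.0.53;          // slave at a remote site (placeholder)
};

zone "ad.example.net" {
    type master;
    file "dyn/ad.example.net";
    allow-update   { domain-controllers; };   // only listed DCs may send updates
    allow-transfer { bind-slaves; };          // slaves that may pull the zone
    notify yes;                               // tell slaves when the serial changes
};
```

The DCs register their SRV records under `_msdcs`, `_sites`, `_tcp` and `_udp` beneath the AD domain, so with this layout those names live inside the one dynamic zone rather than in separately delegated zones; delegating them instead lets the update ACL be scoped more tightly.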

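The "floating serial number" problem Kevin mentions stops transfers because a BIND slave only pulls a zone when the master's SOA serial is newer than its own under RFC 1982 serial arithmetic; if the MS-DNS master's serial drifts back below the slave's copy, the slave sits on stale data without logging an error. The shell script below is an added example, not part of the post, that implements that comparison so a monitoring job can flag the stall condition; the `soa_serial` helper wraps `dig`, and the zone and server names in the usage comment are placeholders.

```shell
#!/bin/sh
# Added example (not from the original message): detect a master whose SOA
# serial has fallen behind a slave's copy, the condition under which a BIND
# slave stops transferring. Comparison follows RFC 1982 serial arithmetic.

HALF=2147483648   # 2^31, the RFC 1982 half-space

# serial_newer A B : return 0 if serial A is newer than serial B under
# RFC 1982, 1 otherwise (equal serials are not "newer").
serial_newer() {
    a=$1; b=$2
    if [ $((a == b)) -eq 1 ]; then
        return 1
    elif [ $((a > b)) -eq 1 ]; then
        # normal case: A ahead of B by less than half the space
        [ $((a - b < HALF)) -eq 1 ]
    else
        # wrap-around case: A numerically smaller but more than half a
        # space "behind", so it is really ahead
        [ $((b - a > HALF)) -eq 1 ]
    fi
}

# soa_serial ZONE SERVER : query the SOA record and print only the serial.
# (dig's +short SOA output is "mname rname serial refresh retry expire minimum".)
soa_serial() {
    dig +short SOA "$1" "@$2" | awk '{print $3}'
}

# check_transfer MASTER_SERIAL SLAVE_SERIAL : print a status line; return 0
# when the slave is current or will transfer, 1 when the master's serial is
# not newer than the slave's (the stall).
check_transfer() {
    master=$1; slave=$2
    if serial_newer "$master" "$slave"; then
        echo "OK: slave at $slave will transfer to master serial $master"
        return 0
    elif [ $((master == slave)) -eq 1 ]; then
        echo "OK: slave is current at serial $slave"
        return 0
    else
        echo "STALL: master serial $master is not newer than slave serial $slave"
        return 1
    fi
}

# Usage against live servers (placeholder zone and host names):
#   check_transfer "$(soa_serial ad.example.net dc1.ad.example.net)" \
#                  "$(soa_serial ad.example.net bind-slave.example.net)"
```

Run it from cron against each MS-DNS master and its BIND slaves; a STALL line is the signal to bump the serial on the master (or reload the slave) before the zone's expire timer runs out.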