Active Directory Support

Kevin Darcy kcd at
Mon Jan 5 21:29:43 UTC 2004

User, Public wrote:

>I am looking to consolidate DNS to a single platform for all systems on
>our network.  Currently BIND8 is being used for all name resolution.  We
>will be adding a large Active Directory environment, and am looking for
>the best way to implement DNS.  What we do not want is all WinXP/2000
>workstations' DNS entries to show up in the BIND files, but want the AD
>and Windows DNS to synchronize, but not completely.  I am envisioning
>having DNS on Windows handle the AD servers and workstations, and the
>BIND8 servers to handle everything else.  I would like to have all
>entries in BIND8 synced to AD DNS, but not the other way.  My questions
>are as follows:
>Can I currently do this with BIND8?  Need to implement BIND9?
>Can I have BIND9 be the primary AD DNS supporting DDNS?  Does this need
>to support GSS-TSIG updates?
>What are the possibilities of having BIND8 be primary to Windows DNS
>servers, and keep our administration in BIND8 rather than move over to
>Windows DNS for central DNS administration?
>I know this may pose more questions for Microsoft DNS folks, but I want
>to get the capabilities of BIND to see if it will be possible to
>maintain BIND as the central DNS service for the whole environment.
>Christopher P. Jenkins, Senior Consultant
>Concordant, Inc.
>P:  508-820-3080
>F:  508-820-4367
>C:  508-241-7415
>E:  chris.jenkins at

Technically speaking the only thing Active Directory _per_se_ needs in 
DNS are SRV records and the occasional A and/or CNAME record. What many 
folks do is just delegate the "underscore" domains -- "_tcp", "_udp", 
"_msdcs", etc. -- from their main domain (e.g., ...) to the Microsoft DNS servers and 
let them populate those subzones with whatever SRV records they want. 
The AD-related A/CNAME records may still need to be maintained in the 
regular domain, but you already have a process in place for updating the 
A/CNAME records of servers in the main domain, right?

Having said all of that, however, if you want *client auto-registration* 
(as found in Win2K and beyond), that is technically not necessary for 
Active Directory, and presents much bigger challenges for a hybrid 
MSDNS/BIND environment, especially when forward/reverse synchronization 
is taken into account.

To answer your questions briefly: neither native BIND 8 nor BIND 9 
support GSS-TSIG, which would be necessary (if you care at all about 
security) to allow the workstations to automatically register themselves 
via a BIND master. Modified versions of BIND (supposedly the Lucent 
VitalQIP version, it is rumored) might have this capability. Both BIND 8 
and BIND 9, of course, support delegating "underscore" domains to MSDNS 
servers. If you don't want to bother with delegating the "underscore" 
domains, you could host them instead on BIND, giving the domain 
controllers Dynamic Update capability to them, but in the absence of 
GSS-TSIG, the best way you could authenticate those updates would be by 
source IP address (this might be acceptable under your local security 
policy, perhaps if the domain controllers are on restricted VLANs, using 
IPSEC or whatever). If the SRV records don't change very often, perhaps 
the domain controllers don't need Dynamic Update capability at all and 
you could maintain them directly in BIND...

                                                - Kevin
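An added example (not from Kevin's message or the list archive) of the two layouts he describes, using the constructed zone example.com and the constructed domain controller addresses 192.0.2.10 and 192.0.2.11: the parent zone on the BIND master delegates the "underscore" subdomains to MSDNS, or BIND 9 hosts _msdcs itself and accepts Dynamic Update only from the DC addresses, which, as the post notes, is source-IP authentication rather than GSS-TSIG.

```conf
; ---- Option 1: delegate the "underscore" subdomains to MSDNS ----
; Fragment of the example.com zone file on the BIND master.
; (example.com, dc1/dc2 and 192.0.2.x are constructed values.)
$ORIGIN example.com.
_msdcs      IN NS   dc1.example.com.
_msdcs      IN NS   dc2.example.com.
_tcp        IN NS   dc1.example.com.
_tcp        IN NS   dc2.example.com.
_udp        IN NS   dc1.example.com.
_udp        IN NS   dc2.example.com.
; The DCs' own A records stay in the main zone and are maintained by the
; usual server-update process; they also serve as glue for the delegations.
dc1         IN A    192.0.2.10
dc2         IN A    192.0.2.11

# ---- Option 2: host _msdcs.example.com on BIND 9, DCs may update it ----
# named.conf fragment on the BIND master.
acl ad_dcs { 192.0.2.10; 192.0.2.11; };

zone "_msdcs.example.com" {
    type master;
    file "dyn/_msdcs.example.com";
    # Source-IP ACL is the weak substitute for GSS-TSIG discussed in the
    # post: it is only as strong as anti-spoofing on the DC network.
    allow-update { ad_dcs; };
    allow-transfer { none; };
};

; ---- Initial contents of dyn/_msdcs.example.com ----
; The DCs' Netlogon registrations fill in the SRV records. If they rarely
; change, the third choice in the post is to maintain them statically here
; instead of granting Dynamic Update at all, e.g. the LDAP locator record:
$TTL 600
@   IN SOA  ns1.example.com. hostmaster.example.com. ( 1 3600 900 1209600 600 )
@   IN NS   ns1.example.com.
_ldap._tcp.dc   IN SRV  0 100 389 dc1.example.com.
_ldap._tcp.dc   IN SRV  0 100 389 dc2.example.com.
```

With Option 2, watch the BIND log for update attempts refused by the ACL; a refusal from any address outside ad_dcs is either a misconfigured host or something to investigate.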
