Active Directory Support
kcd at daimlerchrysler.com
Mon Jan 5 21:29:43 UTC 2004
User, Public wrote:
>I am looking to consolidate DNS to a single platform for all systems on
>our network. Currently BIND8 is being used for all name resolution. We
>will be adding a large Active Directory environment, and I am looking for
>the best way to implement DNS. What we do not want is all WinXP/2000
>workstations' DNS entries to show up in the BIND files, but we want the AD
>and Windows DNS to synchronize, but not completely. I am envisioning
>having DNS on Windows handle the AD servers and workstations, and the
>BIND8 servers handle everything else. I would like to have all
>entries in BIND8 synced to AD DNS, but not the other way. My questions
>are as follows:
>Can I currently do this with BIND8? Need to implement BIND9?
>Can I have BIND9 be the primary AD DNS supporting DDNS? Does this need
>to support GSS-TSIG updates?
>What are the possibilities of having BIND8 be primary to Windows DNS
>servers, and keep our administration in BIND8 rather than move over to
>Windows DNS for central DNS administration?
>I know this may pose more questions for Microsoft DNS folks, but I want
>to get the capabilities of BIND to see if it will be possible to
>maintain BIND as the central DNS service for the whole environment.
>Christopher P. Jenkins, Senior Consultant
>E: chris.jenkins at concordantinc.com
Technically speaking the only thing Active Directory _per_se_ needs in
DNS are SRV records and the occasional A and/or CNAME record. What many
folks do is just delegate the "underscore" domains -- "_tcp", "_udp",
"_msdcs", etc. -- from their main domain (e.g. _tcp.example.com,
_udp.example.com, _msdcs.example.com) to the Microsoft DNS servers and
let them populate those subzones with whatever SRV records they want.
The AD-related A/CNAME records may still need to be maintained in the
regular domain, but you already have a process in place for updating the
A/CNAME records of servers in the main domain, right?
Having said all of that, however, if you want *client auto-registration*
(as found in Win2K and beyond), that is technically not necessary for
Active Directory, and presents much bigger challenges for a hybrid
MSDNS/BIND environment, especially when forward/reverse synchronization
is taken into account.
To answer your questions briefly: neither native BIND 8 nor BIND 9
support GSS-TSIG, which would be necessary (if you care at all about
security) to allow the workstations to automatically register themselves
via a BIND master. Modified versions of BIND (supposedly the Lucent
VitalQIP version, it is rumored) might have this capability. Both BIND 8
and BIND 9, of course, support delegating "underscore" domains to MSDNS
servers. If you don't want to bother with delegating the "underscore"
domains, you could host them instead on BIND, giving the domain
controllers Dynamic Update capability to them, but in the absence of
GSS-TSIG, the best way you could authenticate those updates would be by
source IP address (this might be acceptable under your local security
policy, perhaps if the domain controllers are on restricted VLANs, using
IPSEC or whatever). If the SRV records don't change very often, perhaps
the domain controllers don't need Dynamic Update capability at all and
you could maintain them directly in BIND...
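The two layouts described in the reply above, the delegation of the "underscore" subzones to Microsoft DNS and the alternative of hosting them on the BIND master with source-address-restricted Dynamic Update, written out as configuration. This is an added example, not text from the original post or from the ISC BIND documentation; the zone name example.com, the host names dc1/dc2, the 192.0.2.x addresses and the file paths are constructed placeholders, and the named.conf syntax is BIND 9's (BIND 8 accepts the same `allow-update` statement).

```conf
; ------------------------------------------------------------------------
; Option 1: delegate the AD "underscore" subzones to the Microsoft DNS
; servers.  These records go into the example.com zone file on the BIND
; master.  (Constructed example; dc1/dc2 and 192.0.2.x are placeholders.)
; ------------------------------------------------------------------------
$ORIGIN example.com.
; Each subzone is delegated to both domain controllers.
_msdcs      IN  NS  dc1.example.com.
_msdcs      IN  NS  dc2.example.com.
_tcp        IN  NS  dc1.example.com.
_tcp        IN  NS  dc2.example.com.
_udp        IN  NS  dc1.example.com.
_udp        IN  NS  dc2.example.com.
; The NS targets are names inside example.com itself, so their addresses
; are ordinary authoritative data here rather than glue.  These are the
; "AD-related A records maintained in the regular domain" from the reply,
; and they still follow your normal server-record change process.
dc1         IN  A   192.0.2.10
dc2         IN  A   192.0.2.11

// ------------------------------------------------------------------------
// Option 2: host the underscore subzones on BIND and let the domain
// controllers update them.  named.conf fragment on the BIND master.
// Stock BIND has no GSS-TSIG, so the only authentication available for
// these updates is the source address: anyone able to send from (or spoof)
// a DC address can rewrite the AD service records.  Keep the DCs on a
// restricted VLAN and/or IPsec-protected segment, as the reply notes.
// ------------------------------------------------------------------------
acl "ad-dcs" { 192.0.2.10; 192.0.2.11; };

zone "_msdcs.example.com" {
    type master;
    file "dynamic/_msdcs.example.com.db";   // directory must be writable by named
    allow-update   { ad-dcs; };             // source-IP check only, see above
    allow-transfer { none; };               // add your secondaries here
};

zone "_tcp.example.com" {
    type master;
    file "dynamic/_tcp.example.com.db";
    allow-update   { ad-dcs; };
    allow-transfer { none; };
};

zone "_udp.example.com" {
    type master;
    file "dynamic/_udp.example.com.db";
    allow-update   { ad-dcs; };
    allow-transfer { none; };
};

; ------------------------------------------------------------------------
; Seed file for each hosted subzone (example: dynamic/_msdcs.example.com.db).
; Only SOA and NS are needed; the DCs add the SRV records by Dynamic Update.
; ------------------------------------------------------------------------
$ORIGIN _msdcs.example.com.
$TTL 3600
@   IN  SOA  ns1.example.com. hostmaster.example.com. (
                1          ; serial, bumped automatically by updates
                3600       ; refresh
                900        ; retry
                604800     ; expire
                300 )      ; negative-cache TTL
@   IN  NS   ns1.example.com.
```

With option 2 the domain controllers must be permitted to fall back to unsecured Dynamic Update, since the BIND master cannot complete a GSS-TSIG exchange; if your policy forbids that, option 1 or the reply's last suggestion (maintaining the rarely changing SRV records by hand in BIND, with `allow-update { none; }`) is the safer choice. In either layout the workstations' own auto-registration records stay out of the BIND files, which matches the original requirement.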