Recommendations on integrating BIND and AD

Bell, William IT WBell at
Thu Jan 29 04:21:44 UTC 2004

Hi all,
I've read the 'DNS and Windows 2000' section in Chapter 16 of "DNS and
BIND", and I've searched through the BIND archives and the internet.  Not
much luck, so I'd like to ask my questions here on the two lists that should
know the most about it...

Our company is in the midst of implementing AD for its Windows servers and
PC workstations, but the heart and soul of our data center is UNIX, both IBM
AIX and Sun Solaris.  Here's how we're configured:

- ALL internal DNS is handled by two Solaris servers running BIND 9; all
PCs and servers resolve their DNS from these two servers
- These two servers also handle the DHCP (running ISC DHCP v3), but we don't
do any DDNS
- All servers have static DNS entries
- All PC workstations do DHCP and get their network & TCP/IP settings from
these DNS/DHCP servers
- AD is running on Windows 2003 Server

The AD admin has proposed that we change our blissful existence by doing the
- Create a subdomain for AD
- Change TCP/IP settings on all PC workstations and Windows servers to point
to the AD servers for DNS resolution
- Remove all Windows servers from BIND DNS and move to AD (and its
subdomain), leaving only UNIX and network devices in BIND DNS
- For any DNS requests not resolved in AD, forward them to our BIND DNS
- Take over DHCP (Microsoft DHCP) so that they can do secure dynamic updates
and begin using Microsoft's Remote Installation Services (RIS)
- Microsoft DHCP server will do DDNS updates

I proposed the solution contained in Chap. 16 (Problems with Windows 2000
and BIND) using the existing BIND DNS servers as primary, creating the 4
delegated Microsoft "SRV" subdomains, and allowing the DDNS for the PCs,
services, etc. to pass through to the AD server.  The AD admin claims that this
is more difficult to implement.  He also states that ISC DHCP won't do
secure dynamic updates with AD, thus preventing them from working together.
In addition, he says that ISC doesn't properly expire leases in AD.

So which way is best:
Is it better to make the BIND servers forward off any AD queries to the AD
servers (Chap. 16 solution) or is it better to have the AD servers forward
off any non-AD queries to the BIND servers (Windows solution)?

If there's strong support for doing this using the Chap. 16 method, I could
use some good arguments, examples, and any tales of woe that you can
provide.  It's best to have lots of ammo when heading into a firefight.  ;)

Also, does ISC DHCP play nice with Microsoft's AD now, cleaning up leases
and securely updating the DDNS entries?

Thanks in advance for any help!
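
One concrete form of the Chap. 16 delegation, as an added example (not from the post or the book): the parent zone stays on the BIND 9 primaries and only the four Microsoft SRV subdomains are delegated to the domain controller. example.com., ns1/ns2, dc1 and the 192.0.2.x addresses are placeholder assumptions.

```dns
; Parent zone file for example.com. on the two Solaris BIND 9 servers.
; Constructed example: example.com., ns1/ns2, dc1 and 192.0.2.x are placeholders
; for the real AD domain name, the BIND hosts, the domain controller and its address.
$TTL 3600
$ORIGIN example.com.
@       IN SOA  ns1.example.com. hostmaster.example.com. (
                2004012901 ; serial
                3600       ; refresh
                900        ; retry
                604800     ; expire
                3600 )     ; negative-cache TTL
        IN NS   ns1.example.com.
        IN NS   ns2.example.com.

; The BIND servers remain authoritative for everything static (UNIX hosts,
; network devices, and the Windows servers that do not need to move).
ns1     IN A    192.0.2.1
ns2     IN A    192.0.2.2
unixbox IN A    192.0.2.20

; The domain controller keeps a static A record here; it is the delegation target.
dc1     IN A    192.0.2.10

; Delegate the four Microsoft SRV subdomains to the domain controller.
; AD registers its SRV records by dynamic update into these four zones, so
; the updates land on the DC's own copies of them, and this parent zone stays
; static: no allow-update is needed on the BIND side at all.
_msdcs  IN NS   dc1.example.com.
_sites  IN NS   dc1.example.com.
_tcp    IN NS   dc1.example.com.
_udp    IN NS   dc1.example.com.
```

The DC then hosts the four delegated zones itself and workstations keep pointing at the BIND servers, which is the reverse of the AD admin's proposal where AD answers first and forwards everything else to BIND.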

