Integrating BIND 9 & ISC DHCP with MS AD (on Win2003 Server)

Bell, William IT WBell at
Thu Jan 29 18:13:01 UTC 2004

Hi all,
I've read the 'DNS and Windows 2000' section in Chapter 16 of "DNS and
BIND", and researched on the internet.  Now I'm looking here for help...

Our company is in the midst of implementing AD (running on Windows 2003
Server) for all Windows hardware, but the heart and soul of our data center
is UNIX, both IBM AIX and Sun Solaris.  We're currently running BIND 9 for
ALL internal DNS.

Here's my question:
Is it better to keep the BIND servers as primary and forward off any Active
Directory (AD) queries to the AD servers (Chap. 16 solution) or is it better
to have the AD servers be primary and forward off any non-AD queries to the
BIND servers (Windows solution)?

If there's strong support for doing this using the Chap. 16 solution, I
could use some good arguments, examples, and any tales of woe that you might
have.  It's best to have lots of ammo when heading into a firefight.  ;)

Here's how we're configured:
- ALL DNS resolution is handled by two Solaris servers running BIND 9
- These two servers also handle the DHCP (running ISC DHCP v3)
- We don't currently do any DDNS
- All servers have static DNS entries
- All workstations do DHCP and get their network (TCP/IP) settings from
these DNS/DHCP servers
- All internal DNS is on a single domain (no subdomains), e.g.
- All external DNS is hosted by an ISP
- Our external domain name is different than our internal domain, e.g.
- We use MS Exchange for email  :(

The AD admin has proposed that we change our blissful existence by doing the
- Create a subdomain for AD: (note that this has the same
root domain name as our external DNS:
- Change TCP/IP settings on all PC workstations and Windows servers to point
to the AD servers for DNS resolution
- Remove all Windows servers from BIND DNS and move to AD (and its
subdomain), leaving only UNIX and network devices in BIND DNS
- For any DNS requests not resolved in AD, forward them to our BIND DNS
- Take over DHCP (Microsoft DHCP) so that they can do secure dynamic updates
and begin using Microsoft's Remote Installation Services (RIS)
- Microsoft DHCP server will do DDNS updates

I proposed the solution contained in Chap. 16 ('Problems with Windows 2000
and BIND') using the existing BIND DNS servers as primary, creating the 4
delegated "_" subdomains, and allowing the DDNS for the PCs, services, etc.
to pass thru to the AD server.  The AD admin claims that this is more
difficult to implement.  I disagreed, but don't have any experience to
support my position.  He also states that ISC DHCP won't do secure dynamic
updates with AD, thus preventing them from working together securely.  In
addition, he says that ISC doesn't properly expire leases in AD.

In addition to the questions above, I'd like to know if ISC DHCP plays nice
with Microsoft's AD now, cleaning up leases and securely updating the DDNS
entries using the same protocol?

Please excuse any mistakes or inaccuracies that reflect my ignorance of this

Thanks in advance for any help!

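The Chap. 16 layout proposed in the post, as an added example that is not from the original thread: a fragment of the internal zone on the BIND 9 primary that delegates the four underscore subdomains to the AD DNS servers, so that the DCs and workstations send their dynamic updates to AD rather than to BIND. The domain `corp.example`, the hosts `ns1`/`ns2`/`ad1`/`ad2` and all addresses are placeholders.

```zone
; corp.example zone on the BIND 9 primary (placeholder names and addresses)
$ORIGIN corp.example.
$TTL 3600
@       IN SOA  ns1.corp.example. hostmaster.corp.example. (
                2004012901 ; serial
                3600       ; refresh
                900        ; retry
                604800     ; expire
                3600 )     ; negative-caching TTL
        IN NS   ns1.corp.example.
        IN NS   ns2.corp.example.
ns1     IN A    192.0.2.1
ns2     IN A    192.0.2.2

; The domain controllers keep static A records in BIND; these double as
; glue for the delegations below.
ad1     IN A    192.0.2.11
ad2     IN A    192.0.2.12

; Delegate the four underscore subdomains to the AD DNS servers.  The DCs
; and clients then register and update their SRV/A records on ad1/ad2,
; which are authoritative for these four zones.  BIND accepts no dynamic
; updates itself, so the static UNIX records cannot be changed by a client.
_msdcs  IN NS   ad1.corp.example.
_msdcs  IN NS   ad2.corp.example.
_sites  IN NS   ad1.corp.example.
_sites  IN NS   ad2.corp.example.
_tcp    IN NS   ad1.corp.example.
_tcp    IN NS   ad2.corp.example.
_udp    IN NS   ad1.corp.example.
_udp    IN NS   ad2.corp.example.
```

With this layout the workstations keep the BIND servers as their resolvers; an SRV lookup such as `_ldap._tcp.corp.example` follows the delegation to the AD servers, and the AD-side DNS only needs zones for the four underscore names, not for `corp.example` itself.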

More information about the bind-users mailing list