bind, Microsoft Active Directory, Exchange and Magic Pixie Dust

Martin McCormick martin at dc.cis.okstate.edu
Fri Jul 15 16:48:26 UTC 2005


Barry Finkel writes:
>     All of the zones on the MS DNS Server are slaved on my four local
>          BIND servers and two off-site BIND servers.
>
>     ALL clients (Windows, Mac, Unix, VMS, et alia) are configured to
>          use my local BIND servers for DNS resolution; no client should
>          ever query my MS DNS Server (but there is no harm if it does).
>      
>     There are at least six MS Exchange Servers here, and none has DNS
>     problems.

	What happened here was that someone got the idea that we must
configure all Windows clients' resolvers to use a couple of the domain
controllers as their master DNS servers in order to make updates work
on the Microsoft DNS.  In practice, this is not necessary because the
clients learn of the delegated zone from the master and the updates
work anyway.

	This topology does give us a big headache in that all the
Windows clients are behind a caching-only DNS for every zone other
than the Microsoft zones, so one gets all the latency issues that a
caching DNS has when there is no positive update procedure.

	One difference between our setup, a very similar setup at
another university, and the one Barry Finkel describes at ANL is that
we actually delegated the AD zone with glue records rather than
slaving it, which I originally thought would be a better idea.  It
turns out that the other university we spoke with did slave their MS
zones and had the latency problem due to the difference in
authentication protocols between MS and bind that existed at the time,
which meant that there was no secure way to notify and transfer, then.

	We got by that one on pure luck in that the same folks that
insisted on the Microsoft DNS resolver entries also insisted that we
delegate the AD zone.

	What it boils down to is that both we and the university we
compared notes with had to reconsider some actions.  I believe
they have since delegated their AD zone rather than slaving it, and we
are trying to convince the powers that be that pointing the Windows
resolvers at the MS DNS is not a good idea.

	Ah, for a perfect world in which the techies rule in such
matters.

	I've been involved with trying to support Microsoft's Active
Directory with bind for about 3 years, and the technical issues haven't
been hard to implement or to understand, but the fact that in many
cases the push to set it up has come from groups that have no
networking or DNS background has been terribly difficult to resolve.
They have usually heard lots from vendors and each other, but haven't
looked at the technical literature from more impartial sources.  We've
simply got to keep trying to educate and inform.  That has been the
biggest single obstacle in this whole phase of growth.
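As an added illustration (not part of Martin's message, and not the
configuration of either site he mentions), here is what the two
topologies he contrasts look like in BIND: delegating the AD zone to
the domain controllers with glue records, versus slaving the AD zone
from the MS DNS server.  The zone name ad.example.edu, the hosts dc1
and dc2, the addresses and the client network are invented for the
example.

```conf
; --- Option A: delegate the AD zone to the domain controllers.
;     This goes in the PARENT zone file (e.g. example.edu.zone) on the
;     BIND master.  Names and addresses below are assumptions.
$ORIGIN example.edu.
; Delegation: the DCs running MS DNS are authoritative for ad.example.edu.
ad          IN NS   dc1.ad.example.edu.
ad          IN NS   dc2.ad.example.edu.
; Glue: the NS names live inside the delegated zone, so the parent must
; carry their addresses or resolvers could never reach the DCs.
dc1.ad      IN A    192.0.2.10
dc2.ad      IN A    192.0.2.11
; Nothing else for ad.example.edu belongs in the parent.  Clients pointed
; at BIND follow the referral, and Windows dynamic updates go straight
; to the DCs, so no zone transfer between MS DNS and BIND is needed.

// --- Option B: slave (secondary) the AD zone from the MS DNS server.
//     This goes in named.conf on each BIND server.
zone "ad.example.edu" {
    type slave;
    file "slave/ad.example.edu";
    masters { 192.0.2.10; 192.0.2.11; };        // the DCs running MS DNS
    allow-notify { 192.0.2.10; 192.0.2.11; };   // accept NOTIFY only from them
    // Windows clients send dynamic updates to the zone's primary; a slave
    // refuses updates by default.  If clients will be querying this BIND
    // server, forward their updates to the masters instead of dropping them.
    allow-update-forwarding { 10.0.0.0/8; };    // assumed client network
};
```

The latency Martin describes with the slaved approach follows from
Option B: a record changed on the DC reaches the BIND slaves only when
a NOTIFY arrives and is accepted, or when the SOA refresh timer
expires; with no authenticated NOTIFY/transfer between the two
implementations, one is left with the refresh interval.  With Option A
the change is visible as soon as the DC serves it, subject only to
normal caching TTLs.  To check that a delegation is wired correctly,
query the BIND server for `ad.example.edu NS` with dig: the answer
should be a referral to dc1/dc2 with their A records in the
additional section; a missing additional section means the glue is
absent.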



More information about the bind-users mailing list