Windows/BIND integration [was: Combined master + forward zone]

Michael Milligan milli at
Thu Apr 23 02:11:50 UTC 2009

b19141 at wrote:
> There have been lots of posts on Windows AD/BIND integration over the
> years.  Check the list archives.  What I suggest is placing the six AD
> zones
> on a MS Windows DNS Server on one Domain Controller and slaving those
> zones on your BIND servers.  That way Windows handles the GSS-TSIG
> secure updates, and the BIND slaves will transfer the zones if and when
> they are updated.

And don't forget to set a group policy on all DCs to not update the A
records in the apex zone.  Otherwise the DCs will complain in the Event
logs forever... this assumes the BIND servers are authoritative for, in this example.

See for Windows 2000

See for Windows 2003 and later,
specifically under "Netlogon fix" and tell it not to register the

(There is also more information there on preventing all the DCs from
creating NS records in the zone, which becomes problematic when there
are more than about 10 DCs.  I had one customer with 100s of DCs, and
each one put in an NS record in the zone for itself...  ugh.  With a
little magic, dropped that back to a handful of DCs at big data centers.)


Michael Milligan                                   -> milli at

More information about the bind-users mailing list