Moving an AD Zone from Windows to BIND

Gordon A. Lang glang at goalex.com
Wed Jul 29 01:42:03 UTC 2009


For what it's worth, we moved 100% of all our DNS from MS DNS to BIND.

Doing so solved the problem of the MS DNS servers periodically (randomly) 
losing critical glue records.  It also eliminated the need for 6 pairs of 
DNS servers to support the 6 independent domains, each needing to own the 
reverse domains.  It also allowed us to significantly boost the DNS 
performance and capacity without carrying the weight of domain controller 
functionality.
There were also some other significant manageability gains by moving to 
BIND.

The most significant down side was that we lost SECURE dynamic updates 
because GSS-TSIG was not available in BIND at the time, but I understand it 
is available now.

We also found a problem where, on occasion, when the MS servers perform 
their daily dynamic delete and re-add of their DNS records (which they do to 
prevent aging/scavenging from taking their records away), the ADD part 
doesn't stick, and intervention is necessary to manually re-add the record. 
I believe this is caused by the fact that both the add and delete are issued 
with the same time stamp, and I suspect our version of BIND might be 
processing them out of order -- we still don't know for sure.  But whatever 
this problem turns out to be, I am sure there is or will be a fix for it.

And the only other loss is the multi-master feature of the AD-integrated 
DNS, but that feature was not performing adequately anyway, so it wasn't 
really much of a loss.  If our single BIND master dies, we have the ability 
to move its IP address to another box and reconstruct the master in much 
less than an hour.

So, from my experience, I would encourage anyone who is considering it to go 
ahead and put 100% of all DNS into BIND, and scrap the MS DNS altogether. 
It is much easier to manage than having to split the zones all over the 
place, and it just works better.

--
Gordon A. Lang 
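The post mentions losing secure dynamic updates because GSS-TSIG was not yet in BIND. The fragment below is an added illustration (not the poster's configuration, and not taken from the bind-users archive) of what the two modes look like in named.conf once GSS-TSIG is available: an address-based allow-update, which is the non-secure fallback, beside an update-policy that requires each update to be signed with the updating Windows machine's Kerberos credentials. The zone names, the AD.EXAMPLE.COM realm, the keytab path and the 10.0.0.0/8 range are placeholders.

```conf
// Added example, not from the original post. ad.example.com,
// AD.EXAMPLE.COM, /etc/named/dns.keytab and 10.0.0.0/8 are placeholders.

options {
    // Keytab holding the DNS/<bind-server-fqdn>@AD.EXAMPLE.COM service
    // principal, created in the AD domain and copied to the BIND host.
    tkey-gssapi-keytab "/etc/named/dns.keytab";
};

// Non-secure dynamic updates: the only check is the source address of the
// UPDATE packet. Anything inside (or able to spoof) the range can rewrite
// any record in the zone, including SRV and glue records.
zone "legacy.example.com" {
    type master;
    file "dynamic/legacy.example.com.db";
    allow-update { 10.0.0.0/8; };
};

// Secure dynamic updates via GSS-TSIG: each UPDATE carries a TSIG generated
// from the client's Kerberos ticket, so the update-policy can grant rights
// per principal instead of per address.
zone "ad.example.com" {
    type master;
    file "dynamic/ad.example.com.db";
    update-policy {
        // A domain-joined host authenticating as MACHINE$@AD.EXAMPLE.COM may
        // change only the A/AAAA records for machine.ad.example.com.
        grant AD.EXAMPLE.COM ms-self ad.example.com. A AAAA;
        // Domain controllers register their SRV records under these subtrees,
        // so those are granted to any principal in the realm.
        grant AD.EXAMPLE.COM ms-subdomain _msdcs.ad.example.com. ANY;
        grant AD.EXAMPLE.COM ms-subdomain _sites.ad.example.com. ANY;
        grant AD.EXAMPLE.COM ms-subdomain _tcp.ad.example.com.   ANY;
        grant AD.EXAMPLE.COM ms-subdomain _udp.ad.example.com.   ANY;
    };
};
```

To verify from a domain-joined Unix host, obtain a ticket with kinit and run nsupdate with -g, which selects GSS-TSIG; the server's query/update log should show the update being accepted with the signer's principal, and an unsigned update against ad.example.com should be refused. The reverse zones the post mentions need the same treatment, with the grant on PTR instead of A/AAAA.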
