ISC Bind in Active Directory

G.W. Haywood bind at jubileegroup.co.uk
Thu Oct 18 22:32:54 UTC 2012


Hi there,

On Thu, 18 Oct 2012, bind-users-request at lists.isc.org wrote:

ISC Bind in Active Directory (Aaron Thompson)

> I'm hopping

Sometimes AD has that effect. :)

> to get some feedback from people who use ISC Bind and DHCPD in
> Active Directory environments.

I've been working on a client's (small) system using Bind in an AD
environment for almost ten years.

When I first met the system it was Windows only.  It had been sending
the same two megabyte mail message to quite a long list of recipients
every two hours for just over two years.  In unrelated incidents it had
been riddled with viruses which for example were logging keystrokes in
the accounts department.  Oh, and the PDC's disc was full, but 80% of
the contents was garbage generated by a wayward third-party backup
Windows package which wasn't doing anything useful at all.  The firm's
directors didn't appreciate that there might be a problem until I told
them that their passwords were being sent to China as they were typed.

I cleaned out the viruses and binned the Microsoft mail, name and DHCP
services and the backup package.  I installed open source replacements.
Peace at last.  Unfortunately I'm unable (yet:) to bin the Windows DCs
or I'd do that tomorrow.  One of them crashes within seconds if I log
on using remote desktop and I still don't know why.  I can't take it
to bits to find out so I simply don't do it any more.  To manage the
dodgy DC I added another one, a virtual machine on a Linux box which
by now hosts half a dozen other Windows VMs.  Eventually I hope that
all the Windows machines will be VMs so I can fix them when they go
wrong without leaving my office...

> Currently we use Bind/DHCPD for dynamic DNS and DHCP.  It's been a
> pretty stable service, redundant and we are polling statistics with
> Cacti.  There is concern by Management ...

Where have I heard all that before? :)

> ...of using a somewhat non standard approach for Active Directory
> SRV records being handled by ISC services and not AD.

At the moment I'm chasing down a particular AD problem which _might_
have been caused by the promotion of a server to a DC.  The symptoms
are (1) a bunch of clients being unable to find resources that they
could find last week and (2) all the SRV records disappearing from the
DCs.  I've spent most of the past week hitting the search engines but
I don't think I'm nearer now to knowing if these things are related
(and how I'm going to fix them) than I was a week ago although tonight
I did stumble upon this little gem:

http://support.microsoft.com/kb/241505

If your Management is concerned about their software, ask them how
they audit the source. :)

> Overall it's been a very stable design for the last 5+ years.
> If you have any relevant feedback I would appreciate it.

If it ain't broke, don't fix it.

> I'm looking for information on experience with Active Directory
> integration with ISC or if anyone has had problems/stability issues
> with AD doing DNS/DHCP or AD working with ISC.

To be fair I don't think there are any big interoperability problems
with the services you're asking about, and if they aren't accessible
to the Big Nasty World out there they shouldn't present too much of a
security risk.  Nevertheless the main things which prevent me from
throwing out the rest of my client's Windows boxes are a niche market
accounting package that you've never heard of, a few printer drivers,
Microsoft Office and AutoCAD.

--

73,
Ged.
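An added check, not part of this post or the ISC tools: a small Python script that parses a BIND zone and reports which of the SRV names Active Directory clients look up (the symptom of "all the SRV records disappearing" described above) are absent. It assumes the `_msdcs` names live in the domain zone rather than a delegated `_msdcs` zone; `example.local`, the zone text and the DC names are constructed placeholders.

```python
# Added example (not from the post): audit a BIND zone for the SRV records AD clients need.
import re

# Owner names AD clients query to locate DCs (relative to origin; assumes _msdcs is not delegated).
REQUIRED_SRV = ("_ldap._tcp", "_kerberos._tcp", "_kerberos._udp", "_kpasswd._tcp",
                "_gc._tcp", "_ldap._tcp.dc._msdcs", "_kerberos._tcp.dc._msdcs",
                "_ldap._tcp.pdc._msdcs")

SRV_RE = re.compile(r"^(?P<owner>\S+)\s+(?:\d+\s+)?(?:IN\s+)?SRV\s+(?P<prio>\d+)\s+"
                    r"(?P<weight>\d+)\s+(?P<port>\d+)\s+(?P<target>\S+)$", re.I)

def parse_srv(zone_text, origin):
    """Map each relative owner name to its list of (prio, weight, port, target)."""
    suffix = "." + origin.strip(".")
    records, last_owner = {}, "@"
    for raw in zone_text.splitlines():
        line = raw.split(";", 1)[0].rstrip()          # strip comments
        if not line.strip() or line.startswith("$"):  # blank line or directive
            continue
        if line[0].isspace():                         # owner omitted: reuse previous owner
            line = last_owner + " " + line.strip()
        else:
            last_owner = line.split()[0]
        m = SRV_RE.match(line)
        if not m:
            continue
        owner = m.group("owner").rstrip(".")
        if owner.endswith(suffix):                    # normalise FQDN owners to relative names
            owner = owner[:-len(suffix)]
        records.setdefault(owner.lower(), []).append(
            (int(m["prio"]), int(m["weight"]), int(m["port"]), m["target"]))
    return records

def missing_ad_srv(zone_text, origin):
    """Required names that have no SRV record at all in the zone."""
    present = parse_srv(zone_text, origin)
    return [n for n in REQUIRED_SRV if n not in present]

# Constructed zone fragment; example.local and the dc names are placeholders.
ZONE = """\
$TTL 600
@                        IN SOA dc1 hostmaster 2012101801 3600 900 604800 600
_ldap._tcp               IN SRV 0 100 389  dc1.example.local.
                         IN SRV 0 100 389  dc2.example.local.   ; second DC
_kerberos._tcp           IN SRV 0 100 88   dc1.example.local.
_kerberos._udp           IN SRV 0 100 88   dc1.example.local.
_kpasswd._tcp            IN SRV 0 100 464  dc1.example.local.
_ldap._tcp.dc._msdcs     IN SRV 0 100 389  dc1.example.local.
_gc._tcp.example.local.  IN SRV 0 100 3268 dc1.example.local.
"""
```

Running `missing_ad_srv(ZONE, "example.local")` on the constructed zone reports the two `_msdcs` names it lacks; pointing it at a real zone file (with its actual origin) gives the same kind of list.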
