ISC Bind in Active Directory

Barry S. Finkel bsfinkel at att.net
Fri Oct 19 14:08:04 UTC 2012


On 10/18/2012 3:17 PM, bind-users-request at lists.isc.org wrote:
> Hi All,
>
> I'm hoping to get some feedback from people who use ISC Bind and DHCPD in Active Directory environments.
>
> Currently we use Bind/DHCPD for dynamic DNS and DHCP.  It's been a pretty stable service, redundant and we are polling statistics with Cacti.  There is concern by Management of using a somewhat non standard approach for Active Directory SRV records being handled by ISC services and not AD.
>
> The options we are looking at are migrating to AD for DNS and DHCP services or to have Bind/DHCPD handle SRV records for AD.
>
> Some technical info on our BIND environment.
>
> Some Client Identifiers
> 300 DHCP Pools
> Dynamic DNS
> Cacti Graphs - Reporting
> Syslog via Splunk
>
> Overall it's been a very stable design for the last 5+ years.
>
> If you have any relevant feedback I would appreciate it.  I'm looking for information on experience with Active Directory integration with ISC or if anyone has had problems/stability issues with AD doing DNS/DHCP or AD working with ISC.
>
> Thanks in advance.
>
> Here's a brief survey for Schools that have ISC running in an AD environment.
>
> http://www.surveymonkey.com/s/2VYNKWR
>
> -
> Aaron Thompson
> Network Architect for IT Operations
>
> Berklee College of Music
> 1140 Boylston Street, MS-186-NETT
> Boston, MA 02215-3693
>
> www.berklee.edu
> 617.747.8656
>
What I did was to have the AD zones mastered on Windows Domain Controllers.
I chose ONE of the DCs to be the "master" for slaving all of these AD zones
on my BIND servers.  There were NO CLIENT MACHINES (to my knowledge) that
were configured to use the Windows DNS Servers as their resolvers.  All
machines pointed to the BIND slaves.

This let Windows AD register any SRV records it wanted; the updated zones
were then transferred (via DNS protocols) to my BIND slaves.  The
only problem was this - when AD first appeared, the Microsoft DNS code
would update the zone serial number, even if the DNS update made no change
to the zone (except to update an internal timestamp in the AD-integrated
zone).  After I opened a support call (in the Windows Server 2000 timeframe),
the MS code was changed to not increase the zone serial number if the zone
contents were not really changing.  As of a year ago, the code had been
modified so zone serial numbers were increasing.
Even with MS DHCP - if a lease was renewed, the DNS update was refused, and
the DHCP server had to re-send the update with TKEY/TSIG authentication
before the update was accepted.  But the zone serial number was incremented,
causing unnecessary zone transfers from the DC to the BIND servers.
I was not allowed to open a support call with MS to see why the code was
changed and to get the code changed.
--Barry Finkel
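An added example, not part of the post above: a small Python script that measures how often each slaved AD zone is actually transferred into BIND, by parsing the `transferred serial` lines that named writes under its xfer-in log category. The sample log lines, zone names and the six-per-hour budget are constructed for illustration; a zone whose transfer rate far exceeds its real rate of change is showing exactly the serial churn described above.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed BIND 9 log lines (not real data): example.com is re-transferred
# every five minutes because its master keeps bumping the serial.
SAMPLE_LOG = """\
19-Oct-2012 10:00:00.000 xfer-in: info: zone example.com/IN: transferred serial 4101
19-Oct-2012 10:05:00.000 xfer-in: info: zone example.com/IN: transferred serial 4102
19-Oct-2012 10:10:00.000 xfer-in: info: zone example.com/IN: transferred serial 4103
19-Oct-2012 10:15:00.000 xfer-in: info: zone example.com/IN: transferred serial 4104
19-Oct-2012 10:20:00.000 xfer-in: info: zone example.com/IN: transferred serial 4105
19-Oct-2012 10:02:00.000 xfer-in: info: zone _msdcs.example.com/IN: transferred serial 44
19-Oct-2012 10:03:00.000 notify: info: zone example.com/IN: sending notifies (serial 4102)
"""

# named logs "zone <name>/IN: transferred serial <n>" (category xfer-in) after
# every successful inbound AXFR/IXFR; lines from other categories are ignored.
XFER_RE = re.compile(
    r"^(?P<ts>\d{2}-\w{3}-\d{4} \d{2}:\d{2}:\d{2})\.\d+ xfer-in: \w+: "
    r"zone (?P<zone>\S+)/IN: transferred serial (?P<serial>\d+)$"
)


def parse_transfers(log_text):
    """Return {zone: [(timestamp, serial), ...]} for each completed transfer."""
    transfers = defaultdict(list)
    for line in log_text.splitlines():
        m = XFER_RE.match(line)
        if m:
            ts = datetime.strptime(m.group("ts"), "%d-%b-%Y %H:%M:%S")
            transfers[m.group("zone")].append((ts, int(m.group("serial"))))
    return transfers


def churn_report(transfers, max_per_hour=6.0):
    """Per zone: transfer count, transfers per hour, and whether that exceeds
    max_per_hour (an arbitrary budget; tune it to the zone's real change rate)."""
    report = {}
    for zone, events in transfers.items():
        events.sort()
        span_hours = (events[-1][0] - events[0][0]).total_seconds() / 3600.0
        rate = len(events) / span_hours if span_hours > 0 else 0.0
        report[zone] = {
            "count": len(events),
            "per_hour": round(rate, 1),
            "serials": (events[0][1], events[-1][1]),
            "flagged": rate > max_per_hour,
        }
    return report
```

Run it against a real xfer-in log to see which AD zones the DC is pushing to your slaves far more often than their contents change.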