ISC Bind in Active Directory

Carsten Strotmann cas at strotmann.de
Sat Oct 20 08:10:46 UTC 2012


Hello Aaron,

Aaron Thompson <athompson at berklee.edu> writes:

> I'm hoping to get some feedback from people who use ISC Bind and
> DHCPD in Active Directory environments.
[...]
>
> If you have any relevant feedback I would appreciate it.  I'm looking
> for information on experience with Active Directory integration with
> ISC or if anyone has had problems/stability issues with AD doing
> DNS/DHCP or AD working with ISC.
>

I've seen and worked in a number of Active Directory installations
during the last 12 years that were using non-Microsoft DNS and DHCP
components.

My experience is that if implemented correctly, it is possible to run
Microsoft Active Directory with DNS and DHCP provided by BIND and ISC
DHCP. However, doing that successfully requires that the administrator
has a good understanding of:

* the way DNS dynamic updates work. I found that many administrators
  do not understand the inner workings of DNS dynamic update. It is
  important to understand how a machine sending dynamic updates (in the AD
  case an AD client or a domain controller) finds the DNS zone to be
  updated. Proper DNS delegation and a clean DNS design are
  key. Separating caching/resolving DNS and authoritative DNS helps a lot.

* the mechanics of how the Windows operating system updates the SRV and A
  records in the DNS domain that is the foundation of an Active Directory
  domain. Also important is the knowledge of which records are expected in DNS
  for successful AD operation. The knowledge is available on the
  Internet, but the pages are often outdated (Windows 2000 is different
  from Windows 2008, which is different from 2012 in the details) and the
  information is scattered across many places. Finding it all can be
  difficult and can take time. The new AD best practice analyzer that comes
  with Windows 2008 R2 and Windows 2012 can help here.

Microsoft extensions like "Aging and Scavenging" help the
administrator operate Active Directory, but are not essential.

Getting communication between MS DNS <-> ISC DHCP or MS DHCP <-> BIND
DNS secured (TSIG vs. GSS-TSIG) can be challenging. But it is possible.

My general experience is: working in an "all Windows OS environment" where
all components of AD are supplied by Microsoft products requires less
detailed knowledge and less arguing (with management and Microsoft
oriented consultants).  But running BIND and ISC DHCP gives more
flexibility and control.

Pick your choice -- easy life vs. understanding
and fun :)

Carsten Strotmann
Men & Mice
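As an added example, not from Carsten's post and not ISC's own documentation: a named.conf fragment for the AD zone that keys ISC DHCP's updates with plain TSIG and lets domain members and domain controllers register their own records via GSS-TSIG, with the IP-based allow-update shown only as the weak alternative. The domain ad.example.com / realm AD.EXAMPLE.COM, the key name dhcp-key, the master address 192.0.2.53, the keytab path and the zone file path are assumptions.

```conf
// Added example (not from the post). All names, addresses and paths are
// assumptions; the TSIG secret is a placeholder.

options {
    // Keytab holding the DNS/<hostname>@AD.EXAMPLE.COM service principal.
    // Needed for GSS-TSIG, so AD members and DCs can sign updates with Kerberos.
    tkey-gssapi-keytab "/etc/named/dns.keytab";
};

// Shared secret for ISC DHCP's updates (plain TSIG).
key "dhcp-key" {
    algorithm hmac-sha256;
    secret "REPLACE-WITH-BASE64-SECRET";   // placeholder, generate your own
};

zone "ad.example.com" {
    type master;
    file "dynamic/ad.example.com.db";
    // Windows clients locate the server to update by querying the SOA of the
    // name and using its MNAME, so the SOA MNAME must resolve to this master.
    //
    // Weak alternative, shown for contrast only:
    //   allow-update { 192.0.2.0/24; };
    // It trusts source addresses, so any host on that subnet may rewrite the zone.
    update-policy {
        // A domain member (machine$@REALM) may update only its own A/AAAA.
        grant AD.EXAMPLE.COM ms-self * A AAAA;
        // Domain controllers register the SRV/CNAME records AD depends on
        // under _msdcs, _sites, _tcp and _udp.
        grant AD.EXAMPLE.COM ms-subdomain _msdcs.ad.example.com. ANY;
        grant AD.EXAMPLE.COM ms-subdomain _sites.ad.example.com. ANY;
        grant AD.EXAMPLE.COM ms-subdomain _tcp.ad.example.com.   ANY;
        grant AD.EXAMPLE.COM ms-subdomain _udp.ad.example.com.   ANY;
        // ISC DHCP may add or remove address records anywhere in the zone,
        // nothing else (the reverse zone needs an equivalent grant for PTR).
        grant dhcp-key zonesub A AAAA;
    };
};

// Matching dhcpd.conf side (same key), as a comment since it is a separate file:
//   ddns-update-style interim;
//   key dhcp-key { algorithm hmac-sha256; secret "REPLACE-WITH-BASE64-SECRET"; }
//   zone ad.example.com. { primary 192.0.2.53; key dhcp-key; }
```

Check the result with a signed test update (for example `nsupdate -k` with the DHCP key, and `nsupdate -g` from a domain member) and confirm in the named log that an unsigned update to the zone is refused.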
