ISC Bind in Active Directory

Aaron Thompson athompson at berklee.edu
Mon Oct 22 18:11:23 UTC 2012


Hi Carsten,

Thanks for the feedback, a top notch summary!

I have little experience in the AD arena for DNS/DHCP.  Without it being too loaded a question, with your experience, is it possible or common to have a very knowledgeable understanding of the performance and health of an AD system similar to a BIND system? (redundant, process, SNMP, logging, troubleshooting, Cacti integration, etc.)


Aaron
-
Aaron Thompson
Network Architect for IT Operations

Berklee College of Music         
1140 Boylston Street, MS-186-NETT
Boston, MA 02215-3693

www.berklee.edu
617.747.8656
Twitter: @thomp318

On Oct 20, 2012, at 4:10 AM, Carsten Strotmann <cas at strotmann.de> wrote:

> 
> Hello Aaron,
> 
> Aaron Thompson <athompson at berklee.edu> writes:
> 
>> I'm hoping to get some feedback from people who use ISC Bind and
>> DHCPD in Active Directory environments.
> [...]
>> 
>> If you have any relevant feedback I would appreciate it.  I'm looking
>> for information on experience with Active Directory integration with
>> ISC or if anyone has had problems/stability issues with AD doing
>> DNS/DHCP or AD working with ISC.
>> 
> 
> I've seen and worked in a number of Active Directory installations
> during the last 12 years that were using non Microsoft DNS and DHCP
> components.
> 
> My experience is that if implemented correctly, it is possible to run
> Microsoft Active Directory with DNS and DHCP provided by BIND and ISC
> DHCP. However, doing that successfully requires that the administrator
> has a good understanding of:
> 
> * the way DNS dynamic updates work. I found that many Administrators
>  do not understand the inner workings of DNS dynamic update. It is
>  important to understand how a machine sending dynamic updates (in the AD
>  case an AD client or a domain controller) finds the DNS zone to be
>  updated. Proper DNS delegation and a clean DNS design is
>  key. Separating caching/resolving DNS and authoritative DNS helps much.
> 
> * the mechanics of how the Windows operating system updates the SRV and A
>  records in the DNS domain that is the foundation of an Active Directory
>  domain. Also important is the knowledge of which records are expected in DNS
>  for successful AD operations. The knowledge is available on the
>  Internet, but the pages are often outdated (Windows 2000 is different
>  to Windows 2008 is different to 2012 in details) and the information
>  is scattered across many places. Finding it all can be difficult and
>  can take time. The new AD best practice analyzer that comes with
>  Windows 2008R2 and Windows 2012 can help here.
> 
> Microsoft extensions like "Aging and Scavenging" support the
> Administrator in operating Active Directory, but are not essential.
> 
> Getting communication between MS DNS <-> ISC DHCP or MS DHCP <-> BIND
> DNS secured (TSIG vs. GSS-TSIG) can be challenging. But it is possible.
> 
> My general experience is: working in an "all Windows OS environment" where
> all components of AD are supplied by Microsoft products requires less
> detailed knowledge and less arguing (with Management and Microsoft
> oriented consultants).  But running BIND and ISC DHCP gives more
> flexibility and control.
> 
> Pick your choice -- easy life vs. understanding
> and fun :)
> 
> Carsten Strotmann
> Men & Mice




More information about the bind-users mailing list