ISC Bind in Active Directory
Aaron Thompson
athompson at berklee.edu
Mon Oct 22 18:11:23 UTC 2012
Hi Carsten,
Thanks for the feedback, a top notch summary!
I have little experience in the AD arena for DNS/DHCP. Without it being too loaded a question, in your experience is it possible or common to have a very knowledgeable understanding of the performance and health of an AD system similar to a BIND system? (redundancy, process, SNMP, logging, troubleshooting, Cacti integration, etc.)
Aaron
-
Aaron Thompson
Network Architect for IT Operations
Berklee College of Music
1140 Boylston Street, MS-186-NETT
Boston, MA 02215-3693
www.berklee.edu
617.747.8656
Twitter: @thomp318
On Oct 20, 2012, at 4:10 AM, Carsten Strotmann <cas at strotmann.de> wrote:
>
> Hello Aaron,
>
> Aaron Thompson <athompson at berklee.edu> writes:
>
>> I'm hoping to get some feedback from people who use ISC Bind and
>> DHCPD in Active Directory environments.
> [...]
>>
>> If you have any relevant feedback I would appreciate it. I'm looking
>> for information on experience with Active Directory integration with
>> ISC or if anyone has had problems/stability issues with AD doing
>> DNS/DHCP or AD working with ISC.
>>
>
> I've seen and worked in a number of Active Directory installations
> during the last 12 years that were using non-Microsoft DNS and DHCP
> components.
>
> My experience is that if implemented correctly, it is possible to run
> Microsoft Active Directory with DNS and DHCP provided by BIND and ISC
> DHCP. However, doing that successfully requires that the administrator
> has a good understanding of:
>
> * the way DNS dynamic updates work. I found that many administrators
> do not understand the inner workings of DNS dynamic update. It is
> important to understand how a machine sending dynamic updates (in the AD
> case an AD client or a domain controller) finds the DNS zone to be
> updated. Proper DNS delegation and a clean DNS design is
> key. Separating caching/resolving DNS and authoritative DNS helps a lot.
>
> * the mechanics of how the Windows operating system updates the SRV and A
> records in the DNS domain that is the foundation of an Active Directory
> domain. Also important is knowing which records are expected in DNS
> for successful AD operation. The knowledge is available on the
> Internet, but the pages are often outdated (Windows 2000 differs
> from Windows 2008, which differs from 2012, in the details) and the information
> is scattered across many places. Finding it all can be difficult and
> can take time. The new AD best practice analyzer that comes with
> Windows 2008 R2 and Windows 2012 can help here.
>
> Microsoft extensions like "Aging and Scavenging" help the
> administrator operate Active Directory, but are not essential.
>
> Getting communication between MS DNS <-> ISC DHCP or MS DHCP <-> BIND
> DNS secured (TSIG vs. GSS-TSIG) can be challenging. But it is possible.
>
> My general experience is: working in an "all Windows OS environment" where
> all components of AD are supplied by Microsoft products requires less
> detailed knowledge and less arguing (with management and Microsoft
> oriented consultants). But running BIND and ISC DHCP gives more
> flexibility and control.
>
> Pick your choice -- easy life vs. understanding
> and fun :)
>
> Carsten Strotmann
> Men & Mice
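The three points Carsten raises (how an updater finds the zone, which records the DCs register, and securing DHCP->BIND with TSIG and Windows->BIND with GSS-TSIG) all land in the same place in a BIND deployment: the zone's update policy. The named.conf fragment below is an added example written for this thread, not configuration from Carsten, ISC or Microsoft. Every name in it is an assumption: AD domain corp.example.com, Kerberos realm CORP.EXAMPLE.COM, BIND primary ns1.corp.example.com at 10.0.0.53, a TSIG key named dhcp-update with a placeholder secret, and the keytab and zone file paths. The "before" form that trusts source addresses is shown commented out next to the hardened form.

```conf
// Added example for the bind-users thread; not from the original message.
// Assumed names: corp.example.com / CORP.EXAMPLE.COM / ns1.corp.example.com.

options {
    directory "/var/named";
    // Keytab with DNS/ns1.corp.example.com@CORP.EXAMPLE.COM, exported from AD
    // for the account BIND runs as. Without it the TKEY negotiation that
    // Windows clients use for GSS-TSIG fails and their updates arrive
    // unsigned, which the update-policy below rejects.
    tkey-gssapi-keytab "/var/named/dns.keytab";
};

// TSIG key shared with ISC DHCP. dhcpd.conf needs a 'key dhcp-update'
// statement with the same algorithm and secret, and a 'zone corp.example.com.'
// block naming the primary (10.0.0.53) and this key. The secret here is a
// constructed placeholder; generate a real one with tsig-keygen.
key "dhcp-update" {
    algorithm hmac-sha256;
    secret "c2FtcGxlLW5vdC1hLXJlYWwta2V5LXJlcGxhY2UtbWU=";
};

// BEFORE (weak, but common): authorisation by source address only. A UDP
// UPDATE is trivially spoofable and every host on the subnet may rewrite
// every record in the zone, the DC's SRV records included.
//
// zone "corp.example.com" {
//     type master;
//     file "dyn/corp.example.com.db";
//     allow-update { 10.0.0.0/8; };
// };

// AFTER: no allow-update; each identity gets only the names/types it needs.
// The zone's SOA MNAME must point at this server (or a secondary with
// allow-update-forwarding), because clients locate the update target by
// walking up the name and querying SOA, exactly the step Carsten describes.
zone "corp.example.com" {
    type master;
    file "dyn/corp.example.com.db";
    update-policy {
        // Domain members authenticate as host$@CORP.EXAMPLE.COM. ms-self maps
        // that to host.corp.example.com and lets it change only its own
        // A/AAAA records. This relies on DNS domain == Kerberos realm.
        grant CORP.EXAMPLE.COM ms-self * A AAAA;

        // Domain controllers register the locator records. Scope the grants
        // to the subtrees that hold them rather than the whole zone.
        // Caveat: ms-subdomain matches ANY machine principal in the realm,
        // so any domain-joined box can modify these subtrees. Newer BIND
        // releases offer ms-subdomain-self-rhs to bind SRV/PTR targets to the
        // updating machine; check the ARM for the version you run.
        grant CORP.EXAMPLE.COM ms-subdomain _msdcs.corp.example.com. SRV CNAME A;
        grant CORP.EXAMPLE.COM ms-subdomain _sites.corp.example.com. SRV;
        grant CORP.EXAMPLE.COM ms-subdomain _tcp.corp.example.com. SRV;
        grant CORP.EXAMPLE.COM ms-subdomain _udp.corp.example.com. SRV;
        grant CORP.EXAMPLE.COM ms-subdomain DomainDnsZones.corp.example.com. SRV A;
        grant CORP.EXAMPLE.COM ms-subdomain ForestDnsZones.corp.example.com. SRV A;

        // DHCP adds records for clients that do not register themselves.
        // zonesub confines the key to this zone; TXT/DHCID are the ownership
        // records dhcpd writes (interim and standard schemes respectively).
        grant dhcp-update zonesub A AAAA TXT DHCID;
    };
};
```

Two things to expect after loading this. First, DCs also try to register the zone apex A record (the "same as parent" address); nothing above grants that, so the DC logs a registration failure. Either add that A record statically, or disable its registration on the DCs with the DnsAvoidRegisterRecords setting, rather than widening the grant to the apex. Second, verify each path independently: an unsigned nsupdate against the zone must be REFUSED, a TSIG-signed one with dhcp-update must succeed only for names inside the zone, and on a domain member "ipconfig /registerdns" followed by a query for the host's A record confirms the GSS-TSIG path works end to end.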