dhcpd & AD DDNS

Simon Hobson dhcp1 at thehobsons.co.uk
Sun May 17 08:13:43 UTC 2009

<jim.sifferle at tektronix.com> wrote:

>Our environment currently uses MS DNS and DHCP and AD integrated dns 
>zones and DDNS.  We're not satisfied with the split scope option for 
>dhcp redundancy and don't have plans to use the MS Clustering 
>Service to gain redundancy.
>I'd like to take advantage of ISC dhcpd's dhcp failover feature. 
>Can ISC dhcpd perform GSS-TSIG DDNS updates to an AD integrated DNS 
>zone, either directly

No, ISC and MS can't talk directly with the security stuff turned on 
as the MS signing stuff is still closed.

>or through ISC BIND 9.5 as a proxy?

Sort of !

You have two options :

1) You turn off signed updates (don't know how/if you can do that on 
the MS server) in which case the ISC DHCP server can update the MS 
DNS server. You'll then need to figure out what security controls 
need to be in place. However, if you do this, then it's only step 
further to use BIND for the DNS.

2) You run the top level domain on BIND, and delegate the AD forest 
zones (there are six of them IIRC) to the MS server. I did set this 
up for a customer some time ago and it works fine - they aren't a 
customer any more, but I know the gateway this is on is still running 
and has done so without intervention for several years !
If you do it this way, ISC DHCP and BIND can play happily together 
with your root level domain, the MS server can happily play with the 
AD stuff.

Simon Hobson

Visit http://www.magpiesnestpublishing.co.uk/ for books by acclaimed
author Gladys Hobson. Novels - poetry - short stories - ideal as
Christmas stocking fillers. Some available as e-books.

More information about the dhcp-users mailing list