Presently our organization utilizes BIND for DNS services, with the Networking team administering. We are now being told by the Systems team that they will be responsible for DNS services and that it will be changed over to the Microsoft DNS service run on domain controllers. The reason given is that the Active Directory implementation requires the Microsoft DNS service and dynamic DNS. Not being a Microsoft administrator I do not know the veracity of these claims. Anyone out there had any experiences with a situation like this? I am a bit leery of changing something that is already working.
http://technet.microsoft.com/en-us/library/dd316373.aspx

On Sep 20, 2010, at 10:04 AM, Tom Mikelson wrote:
Microsoft Active Directory absolutely needs dynamic DNS. However, I know that it has been integrated with BIND, so I don't believe it needs Microsoft DNS. A common procedure is to delegate a subdomain to the Microsoft DNS server and let the Active Directory forest be built within that environment.

----
Matthew Huff | One Manhattanville Rd
OTA Management LLC | Purchase, NY 10577
http://www.ox.com | Phone: 914-460-4039
aim: matthewbhuff | Fax: 914-460-4139
-----Original Message-----
From: Tom Mikelson [mailto:tmikelson@gmail.com]
Sent: Monday, September 20, 2010 10:05 AM
To: nanog@nanog.org
Subject: Active Directory requires Microsoft DNS?
It does not need MS DNS. $dayjob uses Infoblox appliances (BIND under the hood) for DNS and it works fine with AD. You just need to make sure you allow the Domain Controllers to do dynamic updates (AD uses SRV records).

On Mon, 20 Sep 2010 08:04:49 -0600 Tom Mikelson <tmikelson@gmail.com> wrote:
-- John
On 2010-09-20 16:04, Tom Mikelson wrote:
Use the Force: google(Active Directory BIND)

http://technet.microsoft.com/en-us/library/dd316373.aspx

which is a document from 2001 btw....

Greets,
 Jeroen
Active Directory is tied fairly closely to its DNS. For example, if a client needs to find a Domain Controller, it does a DNS 'SRV' query for (I think, I'm doing this from memory) '_LDAP._TCP.domain.com/org/net/whatever'. I assume other 'services' like LDAP are 'advertised' (if you can call it that) via DNS as well.

You MAY be able to duplicate all the records in BIND, but expect random things to not work, and have to do a bunch of research figuring out what DNS query it's doing, and what the proper answer is.

Ken Matlock
Network Analyst
Exempla Healthcare
(303) 467-4671
matlockk@exempla.org

-----Original Message-----
From: Tom Mikelson [mailto:tmikelson@gmail.com]
Sent: Monday, September 20, 2010 8:05 AM
To: nanog@nanog.org
Subject: Active Directory requires Microsoft DNS?
I have seen BIND to MS DNS zone transfers work fine before.

--
Thanks, Joe

On Mon, Sep 20, 2010 at 7:13 AM, Matlock, Kenneth L <MatlockK@exempla.org> wrote:
Active Directory is tied fairly closely to its DNS.
For example, if a client needs to find a Domain Controller, it does a DNS 'SRV' query for (I think, I'm doing this from memory) '_LDAP._TCP.domain.com/org/net/whatever'. I assume other 'services' like LDAP are 'advertised' (if you can call it that) via DNS as well.
You MAY be able to duplicate all the records in BIND, but expect random things to not work, and have to do a bunch of research figuring out what DNS query it's doing, and what the proper answer is.
On 9/20/2010 9:13 AM, Matlock, Kenneth L wrote:
You MAY be able to duplicate all the records in BIND, but expect random things to not work, and have to do a bunch of research figuring out what DNS query it's doing, and what the proper answer is.
The AD server will populate out the necessary records to the dDNS server. I set up an empty base dDNS subdomain and everything was populated out by the AD server. It handles a long list of SRV records, and v4/v6 forwards were automatically populated for both servers and clients. I have a very basic setup, which works perfectly for my needs. As to whether more advanced features are broken by using BIND, I have no idea.

Jack
That has been the stock MS answer for a long time, but at least W2K8 makes a few concessions. Technet has some references on making "bind" configurations work with AD, specifically the statement (and here's perhaps the best place to start...):
When a domain controller is promoted, a file named NETLOGON.DNS is created in the %systemroot%\system32\config folder. This file contains all of the DNS entries the domain controller would register. This file can be used to aid in statically entering Active Directory DNS records.
There are still "assumptions" that not only will MS provide DNS, but also DHCP, and even if you poke both of them properly with non-MS tools, you still have to ensure that your naming conventions are going to work together properly (e.g., search suffix on DNS lookups to resolve domain resources when Windows clients will inevitably use an unqualified \\servername\sharename to access things). Get your Windows folks in the habit of fully-qualifying servernames.domain.tld instead.

Jeff

On 9/20/2010 10:04 AM, Tom Mikelson wrote:
Our Corporate Overlords run DNS on a mixed environment of Windows and Other (mostly Other). Back when we were still a small company, we moved our DNS from BIND to Windows for ease of administration. It CAN be done, but it's a huge PITA since AD does things in DNS that aren't standard (and in fact, violate it willfully and knowingly to make MS Kerberos bits happy). I had my Unix servers acting as secondary servers to serve their clients off the AD primary servers, and that worked just fine. Windows Server 2003 and later are extremely stable and we've had no issues with them taking over DNS duties (I've long since just pointed all my Unix boxes at the Windows servers for DNS since the Windows servers have been so stable and reliable).

Jamie

-----Original Message-----
From: Tom Mikelson [mailto:tmikelson@gmail.com]
Sent: Monday, September 20, 2010 10:05 AM
To: nanog@nanog.org
Subject: Active Directory requires Microsoft DNS?
If your AD domain is a subdomain, like corp.job.com, you can always delegate the subdomain's name service to the MS DNS servers from the BIND servers. That way, you don't have to make huge changes to your existing environment.
-----Original Message-----
From: Tom Mikelson [mailto:tmikelson@gmail.com]
Sent: Monday, September 20, 2010 7:05 AM
To: nanog@nanog.org
Subject: Active Directory requires Microsoft DNS?
Tom Mikelson wrote:
Presently our organization utilizes BIND for DNS services, with the Networking team administering. We are now being told by the Systems team that they will be responsible for DNS services and that it will be changed over to the Microsoft DNS service run on domain controllers. The reason given is that the Active Directory implementation requires the Microsoft DNS service and dynamic DNS.
Bunk. At work we have a network of ~1500 computers with over 600 of them running Windows. Our nameservers are all BIND, which have dynamic DNS enabled for updates sent from our 2003 and 2008R2 DCs. The DCs have no problem creating, updating and deleting the various RR's they use to publish the domain. The Systems team folks will see errors/warnings in the Windows logs because the Windows machines are unable to set up secure connections to the nameservers and due to an implementation difference between what BIND accepts and what Microsoft's OSes send; but in practice these seem to be little more than noise.
Darren Pilgrim (nanog) writes:
Agreed. What about dynamic updates of the client? It's usually not a problem in this direction (Windows client -> BIND DNS), but as you say it won't be secure (GSS-TSIG).

Cheers,
Phil
Phil Regnauld wrote:
Agreed. What about dynamic updates of the client? It's usually not a problem in this direction (Windows client -> BIND DNS), but as you say it won't be secure (GSS-TSIG).
Yes, Windows logs on all 600+ machines have warnings about insecure DNS updates, but they still update. There's effort to delegate the DS subdomain to the DCs just to get rid of the thousands-per-day nonsense.
At Fri, 24 Sep 2010 19:45:09 +0200, Phil Regnauld wrote:
What about dynamic updates of the client? It's usually not a problem in this direction (Windows client -> BIND DNS), but as you say it won't be secure (GSS-TSIG).
Recent versions of BIND 9 include GSS-TSIG support. It's harder to use than it should be, partly due to lack of documentation (mea culpa), and has some limitations, but does work for the basic task of letting clients (Windows or otherwise) in an Active Directory environment perform DDNS updates using GSS-TSIG authentication. See https://lists.isc.org/pipermail/bind-users/ for recent discussion.
AD works just fine with BIND as long as dynamic updates are allowed to the AD zones from the DCs. Exchange 2007 by default also wants to be able to dynamically register its records, but it can be disabled. All you need to do is configure the DNS servers in the IP settings and restart the Net Logon service on the DCs and watch all the records get populated into the zone on BIND. That's all you need to do to migrate from MS DNS to BIND as well. The only issue I ran into was old records not being deleted properly in BIND (removing a DC), so you had to manually delete them from the zone, but it wasn't a big deal since there's not many records and they're easy to identify.

If you're worried about all the records not being registered properly you can look at a local file on the DC and it will list the records that should be in DNS.

http://support.microsoft.com/kb/816587

There is also a utility you can run on the DCs that will verify all the records that should be in DNS and report any errors. I don't recall for sure but I think it was netdiag.

http://support.microsoft.com/kb/321708

-Dan

On Fri, Sep 24, 2010 at 11:17 AM, Darren Pilgrim <nanog@bitfreak.org> wrote:
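The NETLOGON.DNS file quoted from Technet in Jeff's message and the "check which records should be in DNS" step Dan recommends can be scripted against a BIND zone. This added Python example (not code from any of the posters) parses a DC's NETLOGON.DNS and a `dig AXFR` dump of the zone, then reports records the DC never managed to register and SRV/CNAME records left behind by a DC that has been removed. The domain, hostnames and addresses in the two embedded inputs are constructed placeholders.

```python
import re

# A record as (owner, type, rdata); TTL and class are dropped, since NETLOGON.DNS
# and a BIND zone dump may differ only in TTL for the same registration.
Record = tuple[str, str, str]

# Zone-file syntax "owner [ttl] [IN] type rdata", limited to the types a DC
# registers; SOA/NS/TXT lines in an AXFR dump do not match and are skipped.
RR_LINE = re.compile(r"^(\S+)\s+(?:\d+\s+)?(?:IN\s+)?(A|AAAA|SRV|CNAME)\s+(.+?)\s*$", re.I)

def parse_records(text: str) -> set[Record]:
    """Parse NETLOGON.DNS content or `dig AXFR` output into a normalised record set."""
    records = set()
    for raw in text.splitlines():
        m = RR_LINE.match(raw.split(";", 1)[0].strip())   # comments and blanks never match
        if m:
            owner, rtype, rdata = m.groups()
            records.add((owner.lower().rstrip("."), rtype.upper(),
                         " ".join(rdata.lower().split()).rstrip(".")))
    return records

def audit(netlogon_by_dc: dict[str, str], zone_dump: str) -> tuple[set[Record], set[Record]]:
    """Return (missing, stale): records a live DC should have registered but the zone
    lacks, and SRV/CNAME records still pointing at a host that is no longer a DC
    (the leftovers that have to be deleted by hand after a DC is removed)."""
    expected = set().union(*(parse_records(t) for t in netlogon_by_dc.values()))
    known_dcs = {h.lower().rstrip(".") for h in netlogon_by_dc}
    zone = parse_records(zone_dump)
    missing = expected - zone
    stale = {r for r in zone
             if r[1] in ("SRV", "CNAME") and r[2].split()[-1] not in known_dcs}
    return missing, stale

# Constructed sample of dc1's NETLOGON.DNS (placeholder domain and addresses).
NETLOGON_DC1 = """
example.com. 600 IN A 192.0.2.10
dc1.example.com. 600 IN A 192.0.2.10
_ldap._tcp.example.com. 600 IN SRV 0 100 389 dc1.example.com.
_kerberos._tcp.example.com. 600 IN SRV 0 100 88 dc1.example.com.
_ldap._tcp.dc._msdcs.example.com. 600 IN SRV 0 100 389 dc1.example.com.
"""
# Constructed sample of `dig @ns1 example.com AXFR` output: the _msdcs SRV record was
# never registered, and a decommissioned dc2 still has an _ldap SRV record.
ZONE_DUMP = """
example.com.  3600 IN SOA ns1.example.com. hostmaster.example.com. 2010092001 3600 900 604800 300
example.com.  600  IN A   192.0.2.10
dc1.example.com.  600 IN A 192.0.2.10
dc2.example.com.  600 IN A 192.0.2.11
_ldap._tcp.example.com.  600 IN SRV 0 100 389 dc1.example.com.
_ldap._tcp.example.com.  600 IN SRV 0 100 389 dc2.example.com.
_kerberos._tcp.example.com.  600 IN SRV 0 100 88 dc1.example.com.
"""
if __name__ == "__main__":
    missing, stale = audit({"dc1.example.com": NETLOGON_DC1}, ZONE_DUMP)
    for r in sorted(missing):
        print("MISSING", *r)
    for r in sorted(stale):
        print("STALE  ", *r)
```

In practice the NETLOGON.DNS text comes from each DC's %systemroot%\system32\config folder and the zone dump from a transfer the BIND server permits to the auditing host.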
participants (15)

- Daniel
- Darren Pilgrim
- Jack Bates
- Jamie Bowden
- Jared Mauch
- Jeff Kell
- Jeroen Massar
- JoeSox
- John Peach
- Matlock, Kenneth L
- Matthew Huff
- Nathan Eisenberg
- Phil Regnauld
- Rob Austein
- Tom Mikelson