Case For Microsoft DNS v. BIND 9 - Or Best Practices For Coexisting
steve at aserve.net
steve at aserve.net
Sun Feb 8 15:21:18 UTC 2009
Microsoft DNS can work well, HOWEVER.... much time needs to be spent
understanding its operations.
This is a VERY long winded post, so I hope no one gets upset, I realize this
is not the MS DNS group LOL
I am going to assume, that you are running an Active Directory Domain that
includes these servers, as this IS the year 2009 =P
MS DNS Servers on an Active Directory Domain, are "Integrated" into the
directory, they can and usually do operate in DDNS Mode. This can "Allow" a
machine to register its records in DNS.
A machine that is a Domain member, is given the ability to register its
records based on the "SID" it aquires when joining the domain, and that is
very important, because the machine must maintain that SID to update those
records on a day to day basis, the default TTL for this is 22 hours on an MS
System.
So.. what I described above is the bare bones basics of it, sounds great
huh? not even close lol, read on
First off, the TTL I spoke of (22 hours), is a "Client" configuration, the
server knows nothing about this timing.
The server, relies on something called "Scavenging and Ageing" to remove
"Stale" and "Orphaned" records. The defaults for this, are 7 Days MIN and 14
Days MAX, Scavening/Aging can be configured seperatley for each domain an MS
server is managing. This is configurable on the front end only, meaning, you
can reduce the 7 days to say one day, but the 14 days is a hard set limit.
So what does that mean you say? well, let me detail that.
A machine registers itself in MS DDNS, then it goes offline for say 9 days,
well, at day 7, the server SHOULD remove the record after attempting to
verify nothing is on that IP. This is important now, the Record INDEX in the
DDNS Database, is the machine NAME, and NOT the IP, still sounds ok? read
more lol.
Now things get sticky.... all of the above, ASSUMES, the administrator has
properly configured Scavenging and actually turned it on! you can not
believe how many do NOT!
Now follow this,
Scenario one:
Machine A - gets a DHCP lease from DHCP server on Monday, this is a VERY
heavily loaded DHCP Scope, only a few spare addresses, it registers IP
1.2.3.4 with DNS, then the machine goes home for the day, and will not
return until next monday
Machine B - gets a DHCP lease on Tuesday, because the scope is out of
addresses, it give out the address that Machine A had yesterday 1.2.3.4 ,
andf Machine B now registers itself with DDNS.
NOW your problems are starting, as I said, the INDEX is the machine name in
MS DDNS, so now, you have 2 NAME records in DDNS, that both have the same
IP!!
Scenario two:
A machine is renamed for who knows what reason, and of course, has to aquire
a new Domain SID, when it is rebooted with the new name, it requests and
gets the same IP from DHCP based on MAC addy, then registers itself in MS
DDNS, again, we now have 2 NAME records with the same IP
Scenario three:
A machine has an OS failure, and the OS is reinstalled, the machine has the
SAME NAME, but now has a new SID. The old DDNS NAME entry, can only be
updated using the old SID, hmm so now a machine can not even update its own
records!! another orphaned record! remember above when I said the SID is
important?
oh boy, this is not right! well first off, it CAN and DOES happen, all the
time. Despite having Scavenging enabled like a good administrator, you can
see how the problems are just begining, all caused by the DHCP scope not
having enough free DNS records? or some Deskside technician doing his job
and reinstalling the OS for a customer? well, not completely, it is sort of
the nature of DDNS in the MS world.
My scenarios above, are very real, I got up early this Sunday morning to do
some work on a client, that due to Misconfiguration/lack of managment, has
over 5,000 duplicate/orphan records in their DDNS, spread across and
replicated across 40 some odd Inregrated Active Directory DDNS servers, what
a headache!
facts:
If you must use MS DDNS in a large environment, you must also use MS DHCP,
and configure DDNS updates to come from the DHCP server and NOT from the
Client machine (notice my scenarios are all stemming from the MACHINE doing
the updates to DDNS), this is the only way to prevent what I described
above.
This MS DHCP/DDNS configuration is very critical and not for the entry level
Admin.
MS DDNS/DHCP can work very very well, but... take what I said above, and go
forth and read! lol.
Pay close attention, to the fact that Microsoft does DNS "Their" way to
support what their systems need, and in many cases, they are not following
RFC specs.
One example in closing for ya, go try and get an RFC complient Bind server
to respond to a request for name resoloution on a host that has an _
(underscore) in the name, MS allows this, and a zone transfer of this kinda
stuff between and MS Server and a Bind server, can give you MUCH grief!
Good luck!!
<wiskbroom at hotmail.com> wrote in message
news:BAY133-W543F0F7A46C3153066CF86B4C10 at phx.gbl...
>
>
> Hello;
>
> My site is presently using a product derived from BIND-8 for internal DNS
> only.
>
> For years our Windows team has been arguing that they want to be
> non-dependent on the non-MS DNS servers; which they say causes them much
> grief on firmwide shutdown/bootups.
>
> Well, their concerns have fallen on ears of those who can make that
> decision and it now appears as though we must either come up with good
> reasons why we should retain BIND, or a BIND derived product, or simply a
> plan to allow MSDNS and BIND to coexist at all.
>
> Can anyone provide me, or point me at, any good docs on this subject, I am
> certain that their a tons of stuff out there, I need simple, to the point
> type of stuff.
>
> Also, can anyone think of any good reason why our internal, non-public
> accessible network, should not just be allowed to run either a mixed
> BIND/MS-DNs setup? The slave/cache/whatever-but not master, would have to
> be BIND.
>
>
> The case the windows team made was ease of adding entries, you simply add
> into the MMC, or even easier, when you join a host into a domain, it adds
> itself.
>
> Thanks all,
>
> .vp
>
> _______________________________________________
> bind-users mailing list
> bind-users at lists.isc.org
> https://lists.isc.org/mailman/listinfo/bind-users
>
More information about the bind-users
mailing list