Win 2K & Bind

Kevin Darcy kcd at daimlerchrysler.com
Tue May 1 03:10:48 UTC 2001


Kenneth Kalan wrote:

> Lately I've been starting to see users with questions about W2K and BIND.
>
> I want to upgrade to BIND 9.1.1 but have recently been approached by a
> couple of departments to allow them to run their own DNS on a Win 2K server so
> it can happily exist with the deployment of W2K desktops and Active
> Directory.
>
> I really don't want to do this; I'd like the DNS to stay in one place. I'd
> appreciate it if someone could point me to some resources (URLs or books) on
> how to make Win 2K and BIND play nice together: what the Win 2K folks need
> to do to configure their machines, and also how to set up BIND to work with
> Win 2K and Active Directory.
>
> I'd like to be able to tell them that we can set up BIND to work with Win2K,
> keeping DNS in one place (on a Unix system), yet allowing them the same
> functionality as though DNS was moved to a Wintel box.

You can't keep *exactly* the same functionality. They won't be able to use the
Win2K GUI to maintain DNS and currently, no version of BIND (as far as I'm
aware) understands Win2K's flavor of TSIG (GSS-TSIG) which is used to
crypto-authenticate DNS Dynamic Updates, and no version of BIND is able to
participate in that funky "multi-master" replication. If you don't care about
the GUI, and you don't care that your update-authentication model is weak
(based on source IP address) and you don't care about "multi-master", then you
can host your Active Directory DNS zones on a BIND server. Be aware, however,
that once you enable a zone for Dynamic Update in BIND, practically speaking
you *have* to do all of your updates for that zone via Dynamic Update -- it's
not safe to mix manual and dynamic updates for the same zone. So if your
current DNS maintenance system is not based on Dynamic Update, this could be a
problem. Many folks solve that problem by delegating the "underscore"
subdomains, e.g. _tcp, _udp, _sites, and only opening those for Dynamic
Update. Those subdomains are where the Win2K Domain Controllers want to write
their SRV records.

Of course, from a manager's point of view, why not just use Win2K's DNS
server? You'll probably have to make a case for why all of the systems and
procedures and tools you've developed over the years for maintaining DNS in
BIND have enough value that it would not make good business sense to just
throw all of those away just for a pretty GUI interface and better integration
with *one* of the subsystems (Active Directory) that you happen to run in your
organization...


- Kevin
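The layout Kevin describes (keep the parent zone static, delegate the "underscore" subdomains to their own zones, and open only those to Dynamic Update from the domain controllers' addresses) looks like the following in named.conf. This is an added example, not configuration from the original post or from ISC; the domain name ad.example.com, the server name ns1, and the addresses 192.0.2.10/21/22 are assumptions for illustration.

```conf
// Added example: BIND 9 named.conf fragment for hosting Win2K Active
// Directory zones without making the whole zone dynamic.
// Assumed: AD DNS domain ad.example.com, BIND master ns1.ad.example.com
// at 192.0.2.10, and two Windows 2000 domain controllers at
// 192.0.2.21 and 192.0.2.22 (all hypothetical).

// The only update authentication available here is the source address
// of the update packet, which is the weak model the post warns about.
acl "w2k-dcs" {
    192.0.2.21;
    192.0.2.22;
};

// Parent zone: still hand-maintained with whatever tooling you already
// have. No allow-update, so the DCs cannot write into it and it is safe
// to keep editing the zone file by hand.
zone "ad.example.com" {
    type master;
    file "master/ad.example.com.zone";
    allow-update { none; };
};

// Delegated subdomains where the DCs register their SRV records. Each
// is a separate zone, so each can be dynamic while the parent is not.
// Never hand-edit these zone files once dynamic updates are enabled.
zone "_tcp.ad.example.com" {
    type master;
    file "dynamic/_tcp.ad.example.com.zone";
    allow-update { "w2k-dcs"; };
};

zone "_udp.ad.example.com" {
    type master;
    file "dynamic/_udp.ad.example.com.zone";
    allow-update { "w2k-dcs"; };
};

zone "_sites.ad.example.com" {
    type master;
    file "dynamic/_sites.ad.example.com.zone";
    allow-update { "w2k-dcs"; };
};

// Not named in the post, but Win2K DCs also register records under
// _msdcs.<domain>, so it gets the same treatment.
zone "_msdcs.ad.example.com" {
    type master;
    file "dynamic/_msdcs.ad.example.com.zone";
    allow-update { "w2k-dcs"; };
};
```

For the delegation to work, the static parent zone file must carry NS records pointing each underscore subdomain at the BIND server (for example `_tcp IN NS ns1.ad.example.com.`, and likewise for `_udp`, `_sites` and `_msdcs`), and each dynamic zone needs its own SOA and NS records in its initial zone file. Because `allow-update` here is an address ACL rather than a TSIG key, anyone who can spoof or originate UDP from a listed DC address can rewrite those SRV records; restrict the ACL to the DCs only and filter the update traffic at the network edge.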
