Making windows 2003 DNS work with old BIND 8 DNS

Barry Finkel b19141 at achilles.ctd.anl.gov
Wed Nov 17 14:55:16 UTC 2004


I wrote:

BF> To summarize what I have posted in the past:
BF>
BF> 1) Use a MS W2k/W2k+3 DNS Server for the "_" zones; use AD-integrated
BF>     zones on ONLY ONE Domain Controller.
BF>
BF> 2) Have those four (six for 2003) zones slaved on your BIND servers.

and Jonathan de Boyne Pollard <J.deBoynePollard at Tesco.NET> replied:

>Both of those are bad advice.  There's no reason to explicitly restrict 
>the use of Active Directory integrated "zones" to just one domain 
>controller.  Indeed, doing that prevents one from reaping one of the 
>primary benefits of Active Directory integration: multi-master 
>replication via Active Directory.  Moreover, there's no reason that the 
>"'_' zones" have to be served from a Microsoft DNS server.  One simply 
>needs a server that is capable of serving up the various resource 
>record types (which some older server softwares are not).  The Microsoft 
>documentation clearly describes the type of service that is required.  
>Finally, there's no reason for the BIND servers to have secondary copies 
>of the relevant "zones", and good reason (doing so would mix and match 
>different DNS database replication mechanisms, which is a bad idea) for 
>them *not* to do so.
>
><URL:http://microsoft.com./technet/itsolutions/migration/linux/mvc/cfgbind.mspx>
><URL:http://homepages.tesco.net./~J.deBoynePollard/FGA/dns-soa-field-semantics.html#Replication>
>
>As always, don't expect good advice about Microsoft's DNS server in the 
>discussion forum for ISC's BIND.  If you want to know about Microsoft's 
>DNS server and Active Directory, read the Microsoft product 
>documentation (It's actually the best documented DNS server of them 
>all.) and (then) ask in the Microsoft newsgroups (where, naturally 
>enough, there are people who know a lot more about Microsoft's server 
>than those in the ISC's BIND discussion forum do).

I disagree.  Here are relevant pieces of your reply with my comments:

> There's no reason to explicitly restrict 
> the use of Active Directory integrated "zones" to just one domain 
> controller.  Indeed, doing that prevents one from reaping one of the 
> primary benefits of Active Directory integration: multi-master 
> replication via Active Directory.

With a multi-master scenario, there may be serial number problems, as
MS has documented in Q282826.  In my setup, with the AD zones slaved
on multiple servers, I do not need the benefits of multi-master.

> Moreover, there's no reason that the 
> "'_' zones" have to be served from a Microsoft DNS server.  One simply 
> needs a server that is capable of serving up the various resource 
> record types (which some older server softwares are not).  The Microsoft 
> documentation clearly describes the type of service that is required.

If one does not have the "_" zones on a MS DNS Server, then one has
two choices:

     BIND with static DNS - In this case the DNS administrator has to
         know when there are DC changes so that the updated 
         netlogon.dns file from the DC can be FTPed to the BIND box
         and reloaded into DNS.  I have 39 DCs in the AD setup, and
         I do not want to have to worry about each one.  If the owner
         of a DC decides to make changes, remove the DC, or add a new
         DC, I do not have to be contacted.  The single MS master
         handles the DDNS updates securely, and the updated zones are
         transferred to the slaves.

     BIND with dynamic DNS - In this case, one has to worry about the
         security of the DDNS, as the MS security model has not been
         implemented in BIND.

>Finally, there's no reason for the BIND servers to have secondary copies 
>of the relevant "zones", and good reason (doing so would mix and match 
>different DNS database replication mechanisms, which is a bad idea) for 
>them *not* to do so.

In my setup, ALL of the machines here - whether Unix, VMS, Mac, or MS -
refer to my two internal DNS servers for name/address resolution.
This was true before we installed W2k and AD.  If I did not have the
MS zones slaved on my BIND servers, then either

     a) Client DNS lookups would first go to my BIND servers and then
        maybe be forwarded to the MS DNS Server for final resolution.
        This would result in one unnecessary step in the DNS process.
or
     b) Clients would have to be reconfigured to use the MS W2k DNS
        Server as one of their DNS servers.  But the W2k DNS Server
        has only the AD zones, so general queries to the W2k Server
        would have to be forwarded to the BIND server.  Another
        unnecessary step.

In either case, there would be more traffic to the W2k DNS Server,
and I would have to have firewall conduits open to it for DNS access
from the Internet.  I have chosen to have the MS W2k Server (actually
2003) be a "hidden master".

> As always, don't expect good advice about Microsoft's DNS server in the 
> discussion forum for ISC's BIND.

The setup I have chosen to implement here works fine (after I had MS
fix problems in their DNS implementation).  I see no need to change
the setup.  You can suggest other setups that may work in your
environment, but that does not make my advice wrong or bad.
----------------------------------------------------------------------
Barry S. Finkel
Computing and Information Systems Division
Argonne National Laboratory          Phone:    +1 (630) 252-7277
9700 South Cass Avenue               Facsimile:+1 (630) 252-4601
Building 222, Room D209              Internet: BSFinkel at anl.gov
Argonne, IL   60439-4828             IBMMAIL:  I1004994
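As an added illustration, not part of the original post or of any Microsoft or ISC documentation, the following named.conf fragment shows how the arrangement described above could be written on the BIND side: the Active Directory zones are slaved from a single "hidden" Microsoft DNS master and served to every client by the two internal BIND servers, so no firewall conduit to the Microsoft server is needed. Everything specific here is assumed, not taken from the post: the domain ad.example.com, the hidden master address 192.0.2.10, the slave addresses 192.0.2.2 and 192.0.2.3, and the zone list itself (the post says "four (six for 2003)" without naming them; the four `_` zones plus the two Windows 2003 application-partition zones are my reading of that).

```conf
// Added example (not from the original post): BIND slave configuration
// for AD zones held on one hidden Microsoft DNS master.
// Assumed addresses: 192.0.2.10 = hidden MS master, 192.0.2.2 and
// 192.0.2.3 = the two internal BIND servers that clients actually query.

acl ad-master   { 192.0.2.10; };
acl bind-slaves { 192.0.2.2; 192.0.2.3; };

options {
    directory "/var/named";
    // The zone contents are only ever needed by the two BIND servers;
    // refuse AXFR to anyone else (this also applies to the slaved AD zones).
    allow-transfer { bind-slaves; };
};

// The four "_" zones used by Windows 2000/2003 domain controllers.
// Each is a plain slave of the hidden master; the master stays
// unreachable from outside and only the BIND servers answer for them.
zone "_msdcs.ad.example.com" {
    type slave;
    file "slave/_msdcs.ad.example.com";
    masters { 192.0.2.10; };
    allow-notify { ad-master; };   // BIND 9 option; omit on BIND 8
};
zone "_sites.ad.example.com" {
    type slave;
    file "slave/_sites.ad.example.com";
    masters { 192.0.2.10; };
    allow-notify { ad-master; };
};
zone "_tcp.ad.example.com" {
    type slave;
    file "slave/_tcp.ad.example.com";
    masters { 192.0.2.10; };
    allow-notify { ad-master; };
};
zone "_udp.ad.example.com" {
    type slave;
    file "slave/_udp.ad.example.com";
    masters { 192.0.2.10; };
    allow-notify { ad-master; };
};

// Assumed to be the two extra zones a Windows 2003 forest adds
// (application-partition zones); drop these stanzas for Windows 2000.
zone "DomainDnsZones.ad.example.com" {
    type slave;
    file "slave/DomainDnsZones.ad.example.com";
    masters { 192.0.2.10; };
    allow-notify { ad-master; };
};
zone "ForestDnsZones.ad.example.com" {
    type slave;
    file "slave/ForestDnsZones.ad.example.com";
    masters { 192.0.2.10; };
    allow-notify { ad-master; };
};
```

For this to work the Microsoft server must be told to permit zone transfers to 192.0.2.2 and 192.0.2.3 and to notify them on change; domain controllers then register through secure dynamic update on that one master, and the BIND servers pick up each change by ordinary AXFR/IXFR without the DNS administrator needing to know about it. Restricting `allow-transfer` and `allow-notify` to the named hosts is what keeps the slaved copies from being pulled, or needlessly refreshed, by anything outside the two servers the clients use.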


