MS Active Directory and DNS and Bind 4TH Edition
Kevin Darcy
kcd at daimlerchrysler.com
Fri Jun 18 00:27:41 UTC 2004
Martin McCormick wrote:
> The Book DNS and Bind 4TH Edition describes 3 architectures
> for supporting Microsoft's Active Directory with bind-based DNS.
>
> The architecture they recommended most highly was one in which
> the Active Directory controllers are allowed to update the top-level
> AD zone plus the 6 special sub zones that are required. The dhcp
> server dynamically handles the A records for individual workstations
> in the AD domain.
>
> I understand that bind9.3 can now use GSS-TSIG signatures which is
> what MS DNS's use.
>
> What has this development changed about the suggested
> architecture? Is the method recommended as best practice still valid?
>
The GSS-TSIG stuff is still relatively new. 9.3 is still in beta. I
think it's a little premature to be talking about changing best
practices. Also, GSS-TSIG is not the only factor here; there are also
operational considerations. How easy is it to configure and maintain all
of the Kerberos-principal gunk in BIND? How likely is it that a DC will
go insane and munge your zone data? Best practices emerge from extensive
field experience, and very few people, if any, have that with respect to
the new GSS-TSIG support in BIND (perhaps some of the Lucent QIP users
could speak up at this point, since QIP's modified BIND has supported
GSS-TSIG for a while now).
- Kevin
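The architecture Martin's question describes (DCs confined to the AD zone's own record and the special sub zones, the DHCP server confined to workstation A records), as an added named.conf sketch that is not from the original post or from the DNS and BIND book; it uses plain TSIG keys rather than GSS-TSIG, and the zone, key and file names are constructed while the sub zone names are assumed, since the post does not list them.

```conf
// Added example (not from the original post or from the DNS and BIND book):
// a named.conf sketch of the architecture the question describes, with
// least-privilege update-policy rules instead of an open allow-update.
// Zone, key and file names are constructed; the six AD sub zone names are
// assumed, since the post does not list them. Plain TSIG keys are used,
// which every BIND 9.x release understands, rather than GSS-TSIG.

// WEAK (do not use): anyone who can reach the server may rewrite the zone.
//   zone "ad.example.com" { type master; file "ad.db"; allow-update { any; }; };

// One TSIG key per updater (dnssec-keygen -a HMAC-SHA256 -b 256 -n HOST ...).
// BIND 9.3-era servers only offer hmac-md5; later releases add hmac-sha256.
key "dc1-key"  { algorithm hmac-sha256; secret "<dc1-secret-base64>"; };
key "dc2-key"  { algorithm hmac-sha256; secret "<dc2-secret-base64>"; };
key "dhcp-key" { algorithm hmac-sha256; secret "<dhcp-secret-base64>"; };

// Parent AD zone. update-policy matches on the TSIG key name of each UPDATE,
// not on the source address. DCs may only maintain the zone's own A record;
// the DHCP server may only add or remove A records for hosts under the zone.
// The zone file itself delegates each sub zone with NS records.
zone "ad.example.com" {
    type master;
    file "ad.example.com.db";
    update-policy {
        grant dc1-key  name ad.example.com. A;
        grant dc2-key  name ad.example.com. A;
        grant dhcp-key subdomain ad.example.com. A;
    };
};

// Each special sub zone is its own zone, so a DC's grant is confined to it
// and a misbehaving DC cannot munge the parent. The same pattern applies to
// _sites, _udp, DomainDnsZones and ForestDnsZones.
zone "_msdcs.ad.example.com" {
    type master;
    file "_msdcs.ad.example.com.db";
    update-policy {
        grant dc1-key subdomain _msdcs.ad.example.com.;
        grant dc2-key subdomain _msdcs.ad.example.com.;
    };
};

zone "_tcp.ad.example.com" {
    type master;
    file "_tcp.ad.example.com.db";
    update-policy {
        grant dc1-key subdomain _tcp.ad.example.com.;
        grant dc2-key subdomain _tcp.ad.example.com.;
    };
};
```

The reverse zone needs an equivalent rule granting dhcp-key PTR records only, and each key's secret lives solely on the server and the one updater that owns it.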