Active Directory requires Microsoft DNS?

Daniel accesss801 at
Fri Sep 24 17:49:35 UTC 2010

AD works just fine with BIND as long as dynamic updates are allowed to the
AD zone's from the DC's. Exchange 2007 by default also wants to be able to
dynamically register it's record's but it can be disabled.

All you need to do is configure the DNS server's in the IP settings and
restart the net logon service on the DC's and watch all the records get
populated into the zone on BIND. That's all you need to do to migrate from
MS DNS to BIND as well.

The only issue I ran into was old records not being deleted properly in BIND
(removing a DC) so you had to manually delete them from the zone but it
wasn't a big deal since there's not many records and easy to identify.

If your worried about all the records not being registered properly you can
look at a local file on the DC and it will list the records that should be
in DNS.

There is also a utility you can run on the DC's that will verify all the
records that should be in DNS and report any errors. I don't recall for sure
but I think it was netdiag.


On Fri, Sep 24, 2010 at 11:17 AM, Darren Pilgrim <nanog at> wrote:

> Tom Mikelson wrote:
>> Presently our organization utilizes BIND for DNS services, with the
>> Networking team administering.  We are now being told by the Systems team
>> that they will be responsible for DNS services and that it will be changed
>> over to the Microsoft DNS service run on domain controllers.  The reason
>> given is that the Active Directory implementation requires the Microsoft
>> DNS
>> service and dynamic DNS.
> Bunk.  At work we have a network of ~1500 computers with over 600 of them
> running Windows.  Our nameservers are all BIND, which have dynamic DNS
> enabled for updates sent from our 2003 and 2008R2 DCs.  The DCs have no
> problem creating, updating and deleting the various RR's they use to publish
> the domain.  The Systems team folks will see errors/warnings in the Windows
> logs because the Windows machines are unable to set up secure connections to
> the nameservers and due to an implementation difference between what BIND
> accepts and what Microsoft's OSes send; but in practice these seem to be
> little more than noise.

More information about the NANOG mailing list