Active Directory requires Microsoft DNS?
nanog at bitfreak.org
Fri Sep 24 12:50:59 CDT 2010
Phil Regnauld wrote:
> Darren Pilgrim (nanog) writes:
>> Tom Mikelson wrote:
>>> Presently our organization utilizes BIND for DNS services, with the
>>> Networking team administering. We are now being told by the Systems team
>>> that they will be responsible for DNS services and that it will be changed
>>> over to the Microsoft DNS service run on domain controllers. The reason
>>> given is that the Active Directory implementation requires the Microsoft DNS
>>> service and dynamic DNS.
>> Bunk. At work we have a network of ~1500 computers with over 600 of
>> them running Windows. Our nameservers are all BIND, which have
>> dynamic DNS enabled for updates sent from our 2003 and 2008R2 DCs.
>> The DCs have no problem creating, updating and deleting the various
>> RRs they use to publish the domain. The Systems team folks will
>> see errors/warnings in the Windows logs because the Windows machines
>> are unable to set up secure connections to the nameservers and due
>> to an implementation difference between what BIND accepts and what
>> Microsoft's OSes send; but in practice these seem to be little more
>> than noise.
> Agreed. What about dynamic updates of the client? It's usually not
> a problem in this direction (Windows client -> BIND DNS), but as you
> say it won't be secure (GSS-TSIG).
Yes, Windows logs on all 600+ machines have warnings about insecure DNS
updates, but they still update. There's effort to delegate the DS
subdomain to the DCs just to get rid of the thousands-per-day nonsense.
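As an added example (not part of the thread or the author's setup), here are the two BIND named.conf forms this exchange contrasts: an address-based allow-update, which accepts unsigned updates and is what leaves the DCs logging "insecure update" warnings, beside a GSS-TSIG update-policy that requires each update to be signed by an AD machine account. The realm, hostnames, addresses and keytab path are assumptions, as is BIND 9.8 or later for the tkey-gssapi-keytab option and the ms-self/ms-subdomain rule semantics.

```conf
// Added example; realm, names, addresses and paths are assumed values.
acl "domain-controllers" { 192.0.2.10; 192.0.2.11; };

options {
    directory "/var/named";
    // Keytab holding DNS/ns1.example.com@EXAMPLE.COM: Windows clients
    // request a ticket for the DNS/<server fqdn> SPN before sending a
    // GSS-TSIG signed update, so the BIND host must own that principal.
    tkey-gssapi-keytab "/etc/named/dns.keytab";
};

// Weak form (shown commented out): trust is by source address only.
// Updates are unsigned, so every Windows host logs an insecure-update
// warning, and anything that can reach the server from a DC address
// (or spoof one over UDP) can rewrite the zone.
// zone "example.com" {
//     type master;
//     file "dynamic/example.com.db";
//     allow-update { domain-controllers; };
// };

// Hardened form: an update must carry a GSS-TSIG signature from a
// machine account in EXAMPLE.COM; the source address grants nothing.
zone "example.com" {
    type master;
    file "dynamic/example.com.db";
    update-policy {
        // machine$@EXAMPLE.COM may change only machine.example.com's
        // A/AAAA records (the name field is not consulted for ms-self).
        grant EXAMPLE.COM ms-self example.com. A AAAA;
        // DCs publish their SRV/CNAME records under these subtrees;
        // limit what the realm's machine accounts may touch to them.
        grant EXAMPLE.COM ms-subdomain _msdcs.example.com. ANY;
        grant EXAMPLE.COM ms-subdomain _sites.example.com. ANY;
        grant EXAMPLE.COM ms-subdomain _tcp.example.com. ANY;
        grant EXAMPLE.COM ms-subdomain _udp.example.com. ANY;
    };
};
```

Once this is in place the Windows-side warnings should stop; from a Unix host the same path can be exercised with `kinit` followed by `nsupdate -g`, and a deliberately unsigned update should now be refused.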