Active Directory requires Microsoft DNS?

Darren Pilgrim nanog at bitfreak.org
Fri Sep 24 17:50:59 UTC 2010


Phil Regnauld wrote:
> Darren Pilgrim (nanog) writes:
>> Tom Mikelson wrote:
>>> Presently our organization utilizes BIND for DNS services, with the
>>> Networking team administering.  We are now being told by the Systems team
>>> that they will be responsible for DNS services and that it will be changed
>>> over to the Microsoft DNS service run on domain controllers.  The reason
>>> given is that the Active Directory implementation requires the Microsoft DNS
>>> service and dynamic DNS.
>> Bunk.  At work we have a network of ~1500 computers with over 600 of
>> them running Windows.  Our nameservers are all BIND, which have
>> dynamic DNS enabled for updates sent from our 2003 and 2008R2 DCs.
>> The DCs have no problem creating, updating and deleting the various
>> RRs they use to publish the domain.  The Systems team folks will
>> see errors/warnings in the Windows logs because the Windows machines
>> are unable to set up secure connections to the nameservers and due
>> to an implementation difference between what BIND accepts and what
>> Microsoft's OSes send; but in practice these seem to be little more
>> than noise.
> 
> 	Agreed.  What about dynamic updates of the client ?  It's usually not
> 	a problem in this direction (Windows client -> BIND DNS), but as you
> 	say it won't be secure (GSS-TSIG).

Yes, Windows logs on all 600+ machines have warnings about insecure DNS 
updates, but they still update.  There's an effort to delegate the DS 
subdomain to the DCs just to get rid of the thousands-per-day nonsense.
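As an added illustration of the setup described in this thread (this is not configuration from any of the posters), here is a BIND 9 configuration fragment that accepts dynamic updates from domain controllers by source address, plus the delegation that hands a subdomain to the DCs so their own DNS service answers for it.  The zone name corp.example, the DC addresses 192.0.2.10 and 192.0.2.11, the file paths, and the use of _msdcs as the delegated subdomain are all assumptions for the example; the thread only says "the DS subdomain".

```conf
// named.conf fragment (added example; names and addresses are assumptions)

// Only the domain controllers may send dynamic updates for the AD zone.
acl domain-controllers {
    192.0.2.10;    // dc1.corp.example (assumed)
    192.0.2.11;    // dc2.corp.example (assumed)
};

zone "corp.example" {
    type master;
    file "dynamic/corp.example.db";

    // Address-based updates.  BIND does not negotiate GSS-TSIG with the DCs
    // here, so the DCs log warnings about insecure updates (as the thread
    // describes) but their SRV/A/CNAME registrations still succeed.
    // Spoofing a DC's source address is the obvious weakness of this ACL,
    // so it should only be used on a network where that is controlled.
    allow-update { domain-controllers; };

    // Weak alternative, shown for contrast and NOT recommended:
    // allow-update { any; };   // lets any host rewrite the zone
};

// ------------------------------------------------------------------
// Zone data for the delegation.  In a dynamic zone these records must
// be added with nsupdate or after "rndc freeze corp.example", not by
// editing the file while named holds a journal for it.
//
// $ORIGIN corp.example.
// ; Delegate the subdomain the DCs publish to the DCs themselves, so the
// ; records under it live on Microsoft DNS and the churn of dynamic
// ; updates for it no longer reaches BIND.  "_msdcs" is an assumption.
// _msdcs      IN NS  dc1.corp.example.
// _msdcs      IN NS  dc2.corp.example.
// ; Glue is not required here (the NS names are inside corp.example and
// ; already exist as A records), but the A records must be present:
// dc1         IN A   192.0.2.10
// dc2         IN A   192.0.2.11
```

With the delegation in place, the DCs should run Microsoft DNS as authoritative for the delegated subdomain (as a normal zone, AD-integrated or not) and the remaining updates to the parent zone from the DCs continue to be accepted by the ACL above.  Check the result from a client with `dig +norec _msdcs.corp.example NS @<bind-server>` and confirm the answer carries the DC names in the authority section rather than a NXDOMAIN.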
