[129978] in North American Network Operators' Group
Re: Active Directory requires Microsoft DNS?
daemon@ATHENA.MIT.EDU (Phil Regnauld)
Fri Sep 24 13:45:23 2010
Date: Fri, 24 Sep 2010 19:45:09 +0200
From: Phil Regnauld <regnauld@nsrc.org>
To: Darren Pilgrim <nanog@bitfreak.org>
In-Reply-To: <4C9CDD1C.5090609@bitfreak.org>
Cc: nanog@nanog.org
Darren Pilgrim (nanog) writes:
> Tom Mikelson wrote:
> >Presently our organization utilizes BIND for DNS services, with the
> >Networking team administering. We are now being told by the Systems team
> >that they will be responsible for DNS services and that it will be changed
> >over to the Microsoft DNS service run on domain controllers. The reason
> >given is that the Active Directory implementation requires the Microsoft DNS
> >service and dynamic DNS.
>
> Bunk. At work we have a network of ~1500 computers with over 600 of
> them running Windows. Our nameservers are all BIND, which have
> dynamic DNS enabled for updates sent from our 2003 and 2008R2 DCs.
> The DCs have no problem creating, updating and deleting the various
> RRs they use to publish the domain. The Systems team folks will
> see errors/warnings in the Windows logs because the Windows machines
> are unable to set up secure connections to the nameservers and due
> to an implementation difference between what BIND accepts and what
> Microsoft's OSes send; but in practice these seem to be little more
> than noise.
Agreed. What about dynamic updates of the client? It's usually not
a problem in this direction (Windows client -> BIND DNS), but as you
say it won't be secure (GSS-TSIG).
Cheers,
Phil
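The thread's point is that a domain controller simply publishes a fixed set of RRs by dynamic update and that BIND accepts them. What the networking team usually wants next is a way to verify that the BIND zone actually holds every record the DCs are supposed to register. The script below is an added example, not code from the thread, from Microsoft or from ISC: it enumerates the records a DC registers (the set a DC writes into netlogon.dns, assuming the domain is also the forest root), checks a `dig axfr`-style dump of the zone for them, and renders whatever is missing as an nsupdate batch. The domain, site, host name, GUIDs, address and the sample zone dump are constructed placeholders.

```python
"""Enumerate the DNS records an AD domain controller registers by dynamic
update, check a BIND zone dump for them, and render the gaps as an nsupdate
batch. Added example; not the thread's, Microsoft's or ISC's code."""
from dataclasses import dataclass


@dataclass(frozen=True)
class DomainController:
    domain: str        # AD DNS domain (assumed here to be the forest root)
    site: str          # AD site the DC belongs to
    fqdn: str          # DC host name, target of the SRV and CNAME records
    ip: str
    dsa_guid: str      # GUID of the DC's NTDS Settings object (placeholder)
    domain_guid: str   # objectGUID of the domain (placeholder)
    is_pdc: bool = False
    is_gc: bool = True


def _fqdn(name):
    return name.rstrip(".").lower() + "."


def _srv(name, port, target, ttl=600):
    # Windows registers SRV records with priority 0 and weight 100.
    return (name, ttl, "SRV", f"0 100 {port} {target}")


def expected_records(dc):
    """Records a DC with these properties registers via dynamic update,
    as (name, ttl, type, rdata) tuples."""
    d, t, s = _fqdn(dc.domain), _fqdn(dc.fqdn), dc.site.lower()
    g = dc.domain_guid.lower()
    recs = [
        (d, 600, "A", dc.ip),
        _srv(f"_ldap._tcp.{d}", 389, t),
        _srv(f"_ldap._tcp.{s}._sites.{d}", 389, t),
        _srv(f"_ldap._tcp.dc._msdcs.{d}", 389, t),
        _srv(f"_ldap._tcp.{s}._sites.dc._msdcs.{d}", 389, t),
        _srv(f"_ldap._tcp.{g}.domains._msdcs.{d}", 389, t),
        _srv(f"_kerberos._tcp.{d}", 88, t),
        _srv(f"_kerberos._udp.{d}", 88, t),
        _srv(f"_kerberos._tcp.{s}._sites.{d}", 88, t),
        _srv(f"_kerberos._tcp.dc._msdcs.{d}", 88, t),
        _srv(f"_kerberos._tcp.{s}._sites.dc._msdcs.{d}", 88, t),
        _srv(f"_kpasswd._tcp.{d}", 464, t),
        _srv(f"_kpasswd._udp.{d}", 464, t),
        (f"{dc.dsa_guid.lower()}._msdcs.{d}", 600, "CNAME", t),
    ]
    if dc.is_pdc:
        recs.append(_srv(f"_ldap._tcp.pdc._msdcs.{d}", 389, t))
    if dc.is_gc:
        recs += [
            (f"gc._msdcs.{d}", 600, "A", dc.ip),
            _srv(f"_gc._tcp.{d}", 3268, t),
            _srv(f"_gc._tcp.{s}._sites.{d}", 3268, t),
            _srv(f"_ldap._tcp.gc._msdcs.{d}", 3268, t),
            _srv(f"_ldap._tcp.{s}._sites.gc._msdcs.{d}", 3268, t),
        ]
    return recs


def parse_zone_dump(lines):
    """Parse `dig axfr` output lines (name ttl IN type rdata) into a set of
    (name, type, rdata); comments and blank lines are skipped."""
    seen = set()
    for line in lines:
        line = line.split(";", 1)[0].strip()
        fields = line.split()
        if len(fields) < 5 or fields[2].upper() != "IN":
            continue
        name, _ttl, _cls, rtype = fields[:4]
        seen.add((_fqdn(name), rtype.upper(), " ".join(fields[4:]).lower()))
    return seen


def missing_records(expected, zone_dump_lines):
    """Expected records absent from the dump. TTLs are ignored; names and
    rdata are compared case-insensitively."""
    present = parse_zone_dump(zone_dump_lines)
    return [r for r in expected if (r[0], r[2], r[3].lower()) not in present]


def nsupdate_batch(server, zone, records):
    """Render records as an nsupdate batch. Authentication is chosen when the
    batch is run: `nsupdate -g` negotiates GSS-TSIG from the caller's Kerberos
    ticket, plain `nsupdate` sends an unsigned update."""
    out = [f"server {server}", f"zone {_fqdn(zone)}"]
    out += [f"update add {n} {ttl} {t} {rd}" for n, ttl, t, rd in records]
    out.append("send")
    return "\n".join(out) + "\n"


# Constructed sample: one DC and a partial zone dump that lacks most of the
# names the DC would register (one line deliberately differs only in case).
SAMPLE_DC = DomainController(
    domain="ad.example", site="HQ", fqdn="dc1.ad.example", ip="192.0.2.10",
    dsa_guid="1f1e1d1c-0000-4000-8000-000000000001",
    domain_guid="2a2b2c2d-0000-4000-8000-000000000002",
    is_pdc=True, is_gc=True)

SAMPLE_AXFR = """\
; constructed dig axfr excerpt
ad.example.\t600\tIN\tA\t192.0.2.10
_ldap._tcp.ad.example.\t600\tIN\tSRV\t0 100 389 dc1.ad.example.
_kerberos._tcp.ad.example.\t600\tIN\tSRV\t0 100 88 DC1.ad.example.
_ldap._tcp.dc._msdcs.ad.example.\t600\tIN\tSRV\t0 100 389 dc1.ad.example.
""".splitlines()

if __name__ == "__main__":
    gaps = missing_records(expected_records(SAMPLE_DC), SAMPLE_AXFR)
    for name, _ttl, rtype, _rd in gaps:
        print(f"missing {rtype:5} {name}")
    print(nsupdate_batch("ns1.ad.example", "ad.example", gaps))
```

Feed it the output of `dig @ns1 ad.example axfr` (or a `named-checkzone -D` dump) for each DC and the diff tells you whether the DCs' registrations are landing. If you replay the batch yourself, `nsupdate -g` uses GSS-TSIG, which is what the DCs themselves attempt: BIND 9.7 and later can accept it when `tkey-gssapi-keytab` points at a keytab for the DNS service principal and the zone's `update-policy` grants the DC machine accounts; an `allow-update` list keyed on source address is the unsigned alternative, and it is only as strong as your control over who can spoof those addresses.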