[129980] in North American Network Operators' Group
Re: Active Directory requires Microsoft DNS?
daemon@ATHENA.MIT.EDU (Darren Pilgrim)
Fri Sep 24 13:52:02 2010
Date: Fri, 24 Sep 2010 10:50:59 -0700
From: Darren Pilgrim <nanog@bitfreak.org>
To: Phil Regnauld <regnauld@nsrc.org>
In-Reply-To: <20100924174508.GQ31091@macbook.catpipe.net>
Cc: nanog@nanog.org
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org
Phil Regnauld wrote:
> Darren Pilgrim (nanog) writes:
>> Tom Mikelson wrote:
>>> Presently our organization utilizes BIND for DNS services, with the
>>> Networking team administering. We are now being told by the Systems team
>>> that they will be responsible for DNS services and that it will be changed
>>> over to the Microsoft DNS service run on domain controllers. The reason
>>> given is that the Active Directory implementation requires the Microsoft DNS
>>> service and dynamic DNS.
>> Bunk. At work we have a network of ~1500 computers with over 600 of
>> them running Windows. Our nameservers are all BIND, which have
>> dynamic DNS enabled for updates sent from our 2003 and 2008R2 DCs.
>> The DCs have no problem creating, updating and deleting the various
>> RRs they use to publish the domain. The Systems team folks will
>> see errors/warnings in the Windows logs because the Windows machines
>> are unable to set up secure connections to the nameservers and due
>> to an implementation difference between what BIND accepts and what
>> Microsoft's OSes send; but in practice these seem to be little more
>> than noise.
>
> Agreed. What about dynamic updates of the client? It's usually not
> a problem in this direction (Windows client -> BIND DNS), but as you
> say it won't be secure (GSS-TSIG).
Yes, Windows logs on all 600+ machines have warnings about insecure DNS
updates, but they still update. There's an effort to delegate the DS
subdomain to the DCs just to get rid of the thousands-per-day nonsense.
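An added example, not from the thread, of the two BIND 9 named.conf shapes the discussion turns on: the address-based allow-update that produces exactly the "insecure update" traffic described above, beside the GSS-TSIG update-policy form that lets domain members and DCs sign their updates with Kerberos. The zone example.com, realm EXAMPLE.COM, keytab path, DC subnet and the reading of the "DS subdomain" as _msdcs are all assumed placeholders.

```conf
// Added example (not from the thread). Assumed placeholders: zone example.com,
// Kerberos realm EXAMPLE.COM, keytab /etc/bind/dns.keytab, DC subnet 192.0.2.0/24.

// --- Form A, weak: trust by source address (shown for contrast; do not load
// --- both zone statements at once) ----------------------------------------
// Any host able to emit a packet with a 192.0.2.x source (UDP updates are
// easy to spoof) can rewrite any record in the zone. Windows clients first try a
// GSS-TSIG (TKEY) negotiation; when the server cannot complete it they log an
// "insecure update" warning and fall back to an unsigned update, which this
// allow-update accepts. That fallback is the noise the thread describes.
zone "example.com" {
    type master;
    file "/var/lib/bind/db.example.com";
    allow-update { 192.0.2.0/24; };
};

// --- Form B, hardened: GSS-TSIG (Kerberos-signed) updates -------------------
// BIND needs a keytab for its own DNS service principal
// (DNS/ns1.example.com@EXAMPLE.COM, exported from the AD domain) so it can
// accept the clients' TKEY negotiation and verify the signed updates.
options {
    tkey-gssapi-keytab "/etc/bind/dns.keytab";
};

zone "example.com" {
    type master;
    file "/var/lib/bind/db.example.com";
    update-policy {
        // Each domain member (host$@EXAMPLE.COM) may change only the A/AAAA
        // records of its own name; identity comes from the ticket, not the IP.
        grant EXAMPLE.COM ms-self * A AAAA;
        // The DCs publish SRV/A records under _msdcs (assumed to be the
        // "DS subdomain" in the thread) and the _sites/_tcp/_udp trees.
        // ms-subdomain admits any machine account in the realm to these
        // subtrees, so it is still wider than DC-only; the unsigned path
        // of Form A, however, is closed entirely.
        grant EXAMPLE.COM ms-subdomain _msdcs.example.com. ANY;
        grant EXAMPLE.COM ms-subdomain _sites.example.com. ANY;
        grant EXAMPLE.COM ms-subdomain _tcp.example.com. ANY;
        grant EXAMPLE.COM ms-subdomain _udp.example.com. ANY;
    };
};
```

With Form B loaded, a client whose GSS-TSIG negotiation succeeds stops logging the insecure-update warning, and an unsigned update from the DC subnet is refused instead of applied.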