Re: Active Directory requires Microsoft DNS?

[Darren Pilgrim <nanog () bitfreak org>]

Phil Regnauld wrote:
> Darren Pilgrim (nanog) writes:
> > Tom Mikelson wrote:
> > > Presently our organization utilizes BIND for DNS services, with the
> > > Networking team administering.  We are now being told by the Systems team
> > > that they will be responsible for DNS services and that it will be changed
> > > over to the Microsoft DNS service run on domain controllers.  The reason
> > > given is that the Active Directory implementation requires the Microsoft DNS
> > > service and dynamic DNS.
> > Bunk.  At work we have a network of ~1500 computers with over 600 of
> > them running Windows.  Our nameservers are all BIND, which have
> > dynamic DNS enabled for updates sent from our 2003 and 2008R2 DCs.
> > The DCs have no problem creating, updating and deleting the various
> > RR's they use to publish the domain.  The Systems team folks will
> > see errors/warnings in the Windows logs because the Windows machines
> > are unable to set up secure connections to the nameservers and due
> > to an implementation difference between what BIND accepts and what
> > Microsoft's OSes send; but in practice these seem to be little more
> > than noise.
>
>         Agreed.  What about dynamic updates of the client ?  It's usually not
>         a problem in this direction (Windows client -> BIND DNS), but as you
>         say it won't be secure (GSS-TSIG).

Yes, Windows logs on all 600+ machines have warnings about insecure DNS 
updates, but they still update.  There's effort to delegate the DS 
subdomain to the DCs just to get rid of the thousands-per-day nonsense.