Peter,

Though it may appear that I have a vested interest in keeping you on our OS,
those that know me know that if a reasonable argument is presented - I will
assist in the migration for our customers.  It's simply good practice and
good relations.

Typically, when I hear that a customer wants to move from Windows DNS to
BIND, there is a reason.  I'm interested in yours, and will provide guidance
in kind.

If it's politically motivated (and you're not the instigator) I think that
we can help you with the case to stay the course.  Again - there has to be a
reason.  Management doesn't make decisions lightly (in most cases...).  Did
someone just get to Gartner (where there is a big Symposium going on this
week) and pull a 'hey...  Gartner says...'?  Those are always fun to shoot
down.

If the issue is of cost - it's not a good one, and I can provide the reasons
for why this move will cost more.  

If it's interoperability with other BIND implementations, again - I can
provide the reasons for why this might not be a good move.

If it's Security - let's talk about how to lock down the OS.  If it's simply
security, Linux is not the answer.

If it is that this server is going in the DMZ for external serving of DNS -
let's talk about the benefits of getting you there.

I, like the rest of this group, want to find out why you want to move your
DNS to BIND.  Make no mistake - Active Directory works best with Microsoft
DNS.  Every implementation I have done otherwise has had problems.  Not
insurmountable, but your BIND Admins have to learn a whole new set of skills
to handle "those damn Windows Machines".

As to answering your questions:

1.  Very viable (again, given the caveat that Windows DNS works best when
dealing with MS clients and Active Directory - BIND requires some added care
and feeding).  As to scalability - BIND is as scalable as anything else.  It
carries less overhead, if it's the only daemon serving off of the system.
Scale for BIND is width, not depth, but you can grow a box to meet the
requirements, which are more request query (read) oriented, and write with
updates from other DNS.

2.  Versions used have been 4.x on up through 9.x (whatever the latest
version of 9 is/was).  If for Active Directory, it must be greater than 8.2....
(for DDNS support)

3.  Because MS-DNS and BIND use two different methods of doing secure
updates (authN to the actual box for confirming I can re-write the record or
enter a new one) the issue of secure updates isn't even in the picture.  To
me, it's a low to medium risk issue.  It all depends where you're going to
use it and how well the rest of the box is secured.  Windows DNS with its
secure updates may not be as secure as most admins think - security begins
at the OS, not the DNS service level.

4. Gotchas...  Huh.  Biggest one I've already mentioned.  MS DNS works best
WITH Active Directory.  MS DNS works great with BIND as a peer or (in the
typical hierarchical DNS structure) parent DNS.  Forwarding, conditional,
stub zones - they all work extremely well, and IMHO - surpass BIND in
capability.  There is no good interface for BIND (not to my knowledge, at
least).  Seems that most BIND admins are pretty much at home with Vi and Lint
or Dig.  (Funny, though - if someone is so hardcore that they want to do
that on Windows - they can....)  All of these tools exist for use on MS DNS
as well.  Most shops dedicate ~50% of a resource's time to managing BIND.
I'd spend, typically 30 minutes daily checking logs and adding static
requests for servers that required such.

So, there you have what I can skim off the top of my head.  Again - toss
your reasons for wanting to do this.  I'm sure many of us are quite curious.


Rick [msft]
--
Posting is provided "AS IS", and confers no rights or warranties ...
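An added example, not taken from Rick's or Peter's messages, of what "secure updates" on the BIND side of point 3 looks like in practice: a constructed named.conf fragment showing the weak open-update setting next to an update-policy that accepts only TSIG-signed updates, plus logging of accepted and refused updates so the daily log check turns up unexpected update sources. The zone name, key name, secret and file paths are placeholders, and it assumes a BIND 9 release with hmac-sha256 support.

```conf
// Added example: constructed named.conf fragment. Zone, key name and
// paths are placeholders; the secret is NOT a real key. Generate one
// with tsig-keygen (newer BIND 9) or dnssec-keygen on older releases.
key "ad-update-key" {
    algorithm hmac-sha256;
    secret "PLACEHOLDER_BASE64_SECRET_REPLACE_ME==";
};

zone "corp.example.com" IN {
    type master;
    file "dynamic/corp.example.com.db";

    // Weak: any host that can reach the server may add or overwrite any
    // record, including the _ldap/_kerberos SRV records AD clients rely on.
    // (allow-update and update-policy are mutually exclusive; keep one.)
    // allow-update { any; };

    // Restricted: only updates signed with the TSIG key are accepted, and
    // only for names beneath the zone apex. Whatever registers the DCs'
    // SRV/A records (a script, a DHCP server) must hold the key.
    update-policy {
        grant ad-update-key subdomain corp.example.com. ANY;
    };
};

// Log both the updates themselves and the approve/deny decisions, so the
// daily log review catches update attempts from unexpected sources.
logging {
    channel update_log {
        file "/var/log/named/update.log" versions 3 size 5m;
        severity info;
        print-time yes;
    };
    category update          { update_log; };
    category update-security { update_log; };
};
```

Windows clients register themselves with GSS-TSIG rather than a shared TSIG key, so with this policy their self-registrations are refused (and logged) and the SRV/A records have to be registered by a key holder, which is the "added care and feeding" the reply refers to.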
 

-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Peter Jessop
Sent: Tuesday, October 18, 2005 2:22 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] BIND on Linux

I would be interested to hear from people who have migrated Windows DNS to
Linux.
I am aware of the basic issues (need for DDNS and service records).

I am particularly interested in:
1) Viability and scalability
2) Versions used and recommended
3) Security ramifications due to lack of secure updates
4) Gotchas or other ramifications.


Regards

Peter Jessop
List info   : http://www.activedir.org/List.aspx
List FAQ    : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/