On 07/27/2010 07:10 AM, Arnoud Tijssen wrote:
> I'm facing kind of a challenge. At the moment we have BIND and
> windows DNS within our corporate network.

> I would like to get rid of windows DNS and switch completely over to
> BIND, but since DNS is so intertwined with AD this is not an option
> since it probably introduces more problems than it solves.

You can do it. We run a large AD domain with DNS completely on bind.


> So my next option was to delegate all the windows specific subdomains
> (i.e. _tcp.example.com, _udp.example.com, _sites.example.com,
> _msdcs.example.com etc.) to windows DNS for dynamic updates and let

You can run these on bind too (we do). Since updates to these special zones are by AD controllers only, you can use IP-based update policies. Obviously this is less secure.

Recent versions of bind also have GSSAPI (secure update) support. It seems pretty sparsely documented though.

> the main domain, .example.com, reside on BIND. After setting up BIND
> and windows DNS and removing the main domain entry from the windows
> DNS servers, leaving only the windows specific subdomains, and
> pointing the dns resolvers of windows to the BIND servers the windows
> clients were unable to register themselves within DNS and AD
> properly. It seems the clients register themselves in the main zone
> file of the domain, which resides on BIND.

Yes. This is windows default behaviour. You can turn this off in group policy, or again, recent versions of bind support GSSAPI and you can have the clients do secure update. The problem is that bind does not have the garbage collection support that windows DNS does for client registrations.


> Since I don't want all dynamic updates from windows clients polluting
> my main zone file, but still want one primary DNS serving the main
> domain instead of two, BIND and windows, what is the best option,
> if there is one?

Sorry - I don't follow. You say you don't want windows clients updating the zone, and they're not. So what's the problem (i.e. what have I misunderstood)?
_______________________________________________
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
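Added example (not from either poster, and not ISC's own documentation) illustrating the two options the reply describes for the AD-specific zones: an address-based `allow-update` list, which trusts the source IP and nothing else, and a GSS-TSIG `update-policy`, where each update is signed with the Windows machine account's Kerberos ticket. It also shows the `ms-self` rule for letting domain members register only their own address records in the main zone, and logging of update activity. `example.com`, the realm `EXAMPLE.COM`, the subnet 192.0.2.0/24, the keytab and log paths are all constructed placeholders; `tkey-gssapi-keytab` assumes a BIND version that supports it (9.8 and later), and only one of the two `_msdcs` stanzas would go in a real named.conf. The other delegated zones (`_tcp`, `_udp`, `_sites`) take the same shape as `_msdcs`.

```conf
// ---- named.conf (before): source-address trust only ----
zone "_msdcs.example.com" {
    type master;
    file "dynamic/_msdcs.example.com.db";   // assumed writable zone file path
    // Any host that can send from this range (or spoof it over UDP) may
    // rewrite any record in the zone; there is no proof of who sent it.
    allow-update { 192.0.2.0/24; };         // constructed "DC subnet"
};

// ---- named.conf (after): GSS-TSIG, updates tied to a Kerberos principal ----
options {
    // Keytab holding the DNS/<bind-server-fqdn>@EXAMPLE.COM service principal
    // (assumed path; the principal is created in AD and exported for BIND).
    tkey-gssapi-keytab "/etc/bind/dns.keytab";
};

logging {
    // Keep a record of every accepted and refused update so that an
    // unexpected updater shows up rather than silently succeeding.
    channel updates {
        file "/var/log/named/updates.log";  // assumed path
        print-time yes;
    };
    category update { updates; };
    category update-security { updates; };
};

// AD-specific zone: only machine accounts of the realm may change it.
zone "_msdcs.example.com" {
    type master;
    file "dynamic/_msdcs.example.com.db";
    update-policy {
        // Identity is the Windows realm; any host$@EXAMPLE.COM principal
        // may manage names under _msdcs.example.com, nothing unauthenticated.
        grant EXAMPLE.COM ms-subdomain _msdcs.example.com. ANY;
    };
};

// Main zone: a member host$@EXAMPLE.COM may only touch host.example.com,
// and only its A/AAAA records (the name field is ignored for ms-self,
// so "." is used as the placeholder).
zone "example.com" {
    type master;
    file "dynamic/example.com.db";
    update-policy {
        grant EXAMPLE.COM ms-self . A AAAA;
    };
};
```

With the address-based form, the update log is the only way to notice a rogue updater after the fact; with the GSS-TSIG form, an update from a host outside the realm is refused outright and the refusal appears in the `update-security` category. The `ms-self` grant in the main zone is the BIND-side counterpart of the group policy the reply mentions: it decides what a client is allowed to register, while the policy decides whether the client tries at all. Kerberos requires the BIND host's clock to be in sync with the domain controllers, so check time synchronisation first when GSS-TSIG updates are unexpectedly refused.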
