Hi there,

On Thu, 18 Oct 2012, bind-users-requ...@lists.isc.org wrote:
ISC Bind in Active Directory (Aaron Thompson)
I'm hopping
Sometimes AD has that effect. :)
to get some feedback from people who use ISC Bind and DHCPD in Active Directory environments.
I've been working on a client's (small) system using Bind in an AD environment for almost ten years. When I first met the system it was Windows only. It had been sending the same two megabyte mail message to quite a long list of recipients every two hours for just over two years. In unrelated incidents it had been riddled with viruses which for example were logging keystrokes in the accounts department. Oh, and the PDC's disc was full, but 80% of the contents was garbage generated by a wayward third-party backup Windows package which wasn't doing anything useful at all. The firm's directors didn't appreciate that there might be a problem until I told them that their passwords were being sent to China as they were typed.

I cleaned out the viruses and binned the Microsoft mail, name and DHCP services and the backup package. I installed open source replacements. Peace at last.

Unfortunately I'm unable (yet:) to bin the Windows DCs or I'd do that tomorrow. One of them crashes within seconds if I log on using remote desktop and I still don't know why. I can't take it to bits to find out so I simply don't do it any more. To manage the dodgy DC I added another one, a virtual machine on a Linux box which by now hosts half a dozen other Windows VMs. Eventually I hope that all the Windows machines will be VMs so I can fix them when they go wrong without leaving my office...
Currently we use Bind/DHCPD for dynamic DNS and DHCP. It's been a pretty stable service, redundant and we are polling statistics with Cacti. There is concern by Management ...
Where have I heard all that before? :)
...of using a somewhat non-standard approach for Active Directory SRV records being handled by ISC services and not AD.
At the moment I'm chasing down a particular AD problem which _might_ have been caused by the promotion of a server to a DC. The symptoms are (1) a bunch of clients being unable to find resources that they could find last week and (2) all the SRV records disappearing from the DCs. I've spent most of the past week hitting the search engines but I don't think I'm nearer now to knowing if these things are related (and how I'm going to fix them) than I was a week ago although tonight I did stumble upon this little gem:

http://support.microsoft.com/kb/241505

If your Management is concerned about their software, ask them how they audit the source. :)
Overall it's been a very stable design for the last 5+ years. If you have any relevant feedback I would appreciate it.
If it ain't broke, don't fix it.
I'm looking for information on experience with Active Directory integration with ISC or if anyone has had problems/stability issues with AD doing DNS/DHCP or AD working with ISC.
To be fair I don't think there are any big interoperability problems with the services you're asking about, and if they aren't accessible to the Big Nasty World out there they shouldn't present too much of a security risk. Nevertheless the main things which prevent me from throwing out the rest of my client's Windows boxes are a niche market accounting package that you've never heard of, a few printer drivers, Microsoft Office and AutoCAD.

--
73,
Ged.