Hi Carsten,

Thanks for the feedback, a top notch summary!

I have little experience in the AD arena for DNS/DHCP. Without being a too loaded question, with your experience is it possible or common to have a very knowledgeable understanding of the performance and health of an AD system similar to a BIND system? (redundant, process, snmp, logging, troubleshooting, cacti integration, etc.)

Aaron

- Aaron Thompson
Network Architect for IT Operations
Berklee College of Music
1140 Boylston Street, MS-186-NETT
Boston, MA 02215-3693
www.berklee.edu
617.747.8656
Twitter: @thomp318

On Oct 20, 2012, at 4:10 AM, Carsten Strotmann <c...@strotmann.de> wrote:

>
> Hello Aaron,
>
> Aaron Thompson <athomp...@berklee.edu> writes:
>
>> I'm hoping to get some feedback from people who use ISC BIND and
>> DHCPD in Active Directory environments.
> [...]
>>
>> If you have any relevant feedback I would appreciate it. I'm looking
>> for information on experience with Active Directory integration with
>> ISC or if anyone has had problems/stability issues with AD doing
>> DNS/DHCP or AD working with ISC.
>>
>
> I've seen and worked in a number of Active Directory installations
> during the last 12 years that were using non-Microsoft DNS and DHCP
> components.
>
> My experience is that if implemented correctly, it is possible to run
> Microsoft Active Directory with DNS and DHCP provided by BIND and ISC
> DHCP. However, doing that successfully requires that the administrator
> has a good understanding of:
>
> * the way DNS dynamic updates work. I found that many administrators
> do not understand the inner workings of DNS dynamic update. It is
> important to understand how a machine sending dynamic updates (in the AD
> case an AD client or a domain controller) finds the DNS zone to be
> updated. Proper DNS delegation and a clean DNS design is
> key. Separating caching/resolving DNS and authoritative DNS helps much.
>
> * the mechanics of how the Windows operating system updates the SRV and A
> records in a DNS domain that is the foundation of an Active Directory
> domain. Also important is the knowledge of which records are expected in DNS
> for successful AD operations. The knowledge is available on the
> Internet, but the pages are often outdated (Windows 2000 is different
> to Windows 2008 is different to 2012 in details) and the information
> is scattered across many places. Finding it all can be difficult and
> can take time. The new AD best practice analyzer that comes with
> Windows 2008R8 and Windows 2012 can help here.
>
> Microsoft extensions like "Aging and Scavenging" support the
> administrator to operate Active Directory, but are not essential.
>
> Getting communication between MS DNS <-> ISC DHCP or MS DHCP <-> BIND
> DNS secured (TSIG vs. GSS-TSIG) can be challenging. But it is possible.
>
> My general experience is: working in an "all Windows OS environment" where
> all components of AD are supplied by Microsoft products requires less
> detailed knowledge and less arguing (with management and Microsoft
> oriented consultants). But running BIND and ISC DHCP gives more
> flexibility and control.
>
> Pick your choice -- easy life vs. understanding
> and fun :)
>
> Carsten Strotmann
> Men & Mice
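The zone-discovery step Carsten points to (how an updating client finds the zone, and therefore the primary server, it must send its dynamic update to) is shown below as an added example; it is not code from the thread, BIND or ISC DHCP. It walks the name label by label upward until a zone apex answers an SOA query, using a constructed offline zone table in place of real DNS; the zone names, MNAMEs and policy flags are invented for illustration.

```python
# Added example: locate the zone and primary master for a dynamic update by
# walking the SOA chain upward, the way an RFC 2136 client (including the
# Windows DNS client described in the thread) discovers where to send it.
# No real DNS traffic: a constructed zone table stands in for SOA queries.

# Constructed sample: zone apex -> SOA MNAME and whether it takes updates.
# "ad.example.com" and "_msdcs.ad.example.com" are delegated from the
# corporate "example.com" zone, which stays static (a clean design).
ZONES = {
    "example.com.": {"mname": "ns1.example.com.", "dynamic": False},
    "ad.example.com.": {"mname": "dc1.ad.example.com.", "dynamic": True},
    "_msdcs.ad.example.com.": {"mname": "dc1.ad.example.com.", "dynamic": True},
}


def soa_lookup(name):
    """Stand-in for an SOA query: answers only when `name` is a zone apex."""
    return ZONES.get(name)


def find_update_zone(fqdn, lookup=soa_lookup):
    """Strip labels from `fqdn` until an SOA answers.

    Returns (zone_apex, primary_master). Raises LookupError when no
    enclosing zone exists, which is what a missing delegation looks like.
    """
    name = fqdn if fqdn.endswith(".") else fqdn + "."
    labels = name.rstrip(".").split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:]) + "."
        soa = lookup(candidate)
        if soa is not None:
            return candidate, soa["mname"]
    raise LookupError(f"no SOA found above {fqdn}")


def plan_update(fqdn):
    """Report where an update for `fqdn` goes and whether that zone
    (per the constructed table) accepts dynamic updates at all."""
    zone, mname = find_update_zone(fqdn)
    return {"zone": zone, "send_to": mname, "accepts_updates": ZONES[zone]["dynamic"]}


if __name__ == "__main__":
    for host in ("ws01.ad.example.com",
                 "_ldap._tcp.dc._msdcs.ad.example.com",
                 "www.example.com"):
        print(host, "->", plan_update(host))
```

A client registering a record in a zone whose `accepts_updates` is false, or for which no SOA is found, is the usual root cause of "AD says DNS registration failed" in a mixed BIND/AD setup.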