We run a small AD setup with BIND as DNS. We don't even allow dynamic updates, 
and it all works fine. We get some event log spam, but as long as you register 
the DNS entries somehow, the automated stuff from the clients doesn't need to 
do it.
OT:
As to whether AD makes sense - well, back in 2008 when we were planning our 
setup, it made a lot of sense. Here in 2014 I think SAMBA 4 for auth and Puppet 
for conf management might just make more sense, if it ties in with SL6 as well 
as SL6 SSSD does with AD. The major pain I have right now is I have *too many 
choices* for how to configure Windows (Is that a problem??). I can use Group 
Policy, I can use Fusion Inventory, I can use Puppet. It's a trick to work out 
which is best for what.

I will say, I've hit "interesting" bugs in GPO deployment, and so much of the 
debugging seems obfuscated for no reason. Puppet at least has a "force a run" 
that easily gives you details about what's going on so you can debug quickly. 
GPO debugging feels far more like black magic - there are at least 3 different 
ways to go about it and you have to go through each till you find the problem, 
and the fix may well be "Reinstall Windows" because you can't remove and 
reinstall just the GP client. With Puppet, I've left GPP registry settings and 
attempts to manage third-party apps (unless they come with an ADM(x) file - 
because why reinvent the wheel) behind.
--
James Pulver
CLASSE Computer Group
Cornell University
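
As an added example, not taken from any message in this thread: the kind of static BIND zone for an AD domain that the setup above describes, with dynamic updates left disabled and the locator records registered by hand. The domain name ad.example.com, the DC name dc1, the site name and the 192.0.2.x addresses are all assumed placeholders.

```zone
; Static zone for the AD domain ad.example.com, served by BIND with
; dynamic updates left disabled (named.conf: allow-update { none; };).
; All names, the site name and the 192.0.2.x addresses are assumed
; placeholders; the record set mirrors what a DC writes to its netlogon.dns.
$ORIGIN ad.example.com.
$TTL 600
@       IN SOA  ns1.example.com. hostmaster.example.com. (
                2014011001 ; serial
                3600       ; refresh
                900        ; retry
                1209600    ; expire
                600 )      ; negative cache TTL
@       IN NS   ns1.example.com.
; The domain name itself resolves to every DC (used for SYSVOL/NETLOGON).
@       IN A    192.0.2.10
dc1     IN A    192.0.2.10
; Domain-wide locators used by domain members and the DC locator.
_ldap._tcp              IN SRV 0 100 389  dc1.ad.example.com.
_kerberos._tcp          IN SRV 0 100 88   dc1.ad.example.com.
_kerberos._udp          IN SRV 0 100 88   dc1.ad.example.com.
_kpasswd._tcp           IN SRV 0 100 464  dc1.ad.example.com.
_kpasswd._udp           IN SRV 0 100 464  dc1.ad.example.com.
_gc._tcp                IN SRV 0 100 3268 dc1.ad.example.com.
; Site-specific locators (site name is an assumption).
_ldap._tcp.Default-First-Site-Name._sites      IN SRV 0 100 389  dc1.ad.example.com.
_kerberos._tcp.Default-First-Site-Name._sites  IN SRV 0 100 88   dc1.ad.example.com.
_gc._tcp.Default-First-Site-Name._sites        IN SRV 0 100 3268 dc1.ad.example.com.
; _msdcs subtree: DC locator, PDC emulator and global catalog entries.
_ldap._tcp.dc._msdcs        IN SRV 0 100 389  dc1.ad.example.com.
_kerberos._tcp.dc._msdcs    IN SRV 0 100 88   dc1.ad.example.com.
_ldap._tcp.pdc._msdcs       IN SRV 0 100 389  dc1.ad.example.com.
_ldap._tcp.gc._msdcs        IN SRV 0 100 3268 dc1.ad.example.com.
gc._msdcs                   IN A   192.0.2.10
```

Each DC's own %SystemRoot%\System32\config\netlogon.dns lists the complete set for that DC, including the GUID-named _msdcs CNAME and SRV entries omitted here; copy from it rather than guessing, and re-check it whenever a DC is added, renamed or moved between sites.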


-----Original Message-----
From: owner-scientific-linux-us...@listserv.fnal.gov 
[mailto:owner-scientific-linux-us...@listserv.fnal.gov] On Behalf Of Nico 
Kadel-Garcia
Sent: Friday, January 10, 2014 12:36 AM
To: Jeremy Wellner
Cc: owner-scientific-linux-us...@listserv.fnal.gov; 
SCIENTIFIC-LINUX-USERS@FNAL.GOV
Subject: Re: DNS Servers

AD does many things, many of them quite badly. If you need a drop-in 
authentication server, you might consider if you really need AD, or if Samba 
4.1.x will do the job. I've got RPM building tools for that at 
https://github.com/nkadel/samba4repo, and they work well on Scientific Linux 6 
with the necessary RPMs built up from scratch.

AD is handy for easy integration with Microsoft servers, such as Exchange and 
SQL, and for providing Windows-trained personnel familiar tools. But its DNS 
is... not good. It allows multiple PTR records for the same IP address, 
configuring DNS views is a nightmare, its "export" tool is a proprietary format 
that looks vaguely like valid DNS but isn't. It does not understand that 
"foo.bar.com" may have *nothing to do* in any logical sense with "bar.com" DNS.

If you need it for things like the authenticated dynamic DNS for your laptops 
and wi-fi, and don't want to spend the time building up Samba or similar tools, 
cool. But keep it the heck away from your server DNS. If you need chroot cages 
and good source-control-managed configuration backups, consider looking up my 
presentation at SVNday in Berlin a few years ago: "How to Subvert Masters and 
Slaves, BIND Them, and Make Them Report Names and Addresses".


On Thu, Jan 9, 2014 at 9:37 PM, Jeremy Wellner <jwell...@stanwood.wednet.edu> 
wrote:
> That's a resounding stay the course and I don't mind that one bit.  
> It's been rock solid and I've been happy with it.
>
> So as a secondary question, we are planning on adding Active Directory 
> into our network and I know that it is very particular about its 
> DNS.  Will AD be happy with being given a delegate domain to have as 
> its sandbox or does that throw my BIND install out the window?
>
> Thank you all for the advice!! :)
