11

I would like to remove the DNS feature of Windows Domain Controllers and point the DNS servers to our BIND9 servers.

I know it's possible to set up coexistence but this requires a number of extra Windows DNS Servers equal to the number of Domain Controllers in the network.

Active Directory expects the _msdcs zone and other things like _tcp, _udp, etc.

The main question is: how to make BIND9 take care of all this AD specific data? And with dynamic updating to make AD even happier.

Thanks,

PS: Making BIND9 point to the Windows DNS Servers to resolve the Active Directory specific zones isn't an option. We already do this...

EDIT: As of today, I'm running without Windows DNS. I'm writing up a guide on how to do this, and I'll update this topic.

Vinícius Ferrão
  • 2
    From Ron Aitchison, author of Pro DNS and BIND, "...you'd have to be high to run an AD domain on BIND". I'll cite that with a page number when I get home from work. – Bigbio2002 May 22 '13 at 15:04

2 Answers

9
  1. "I would like to remove the DNS feature of Windows Domain Controllers" - This is incorrect. The DC role and the DNS role are two separate roles. They're very often installed on the same machine but this isn't a requirement.

  2. "I know it's possible to set up coexistence but this requires a number of extra Windows DNS Servers equal to the number of Domain Controllers in the network." - This is also incorrect. You do not require a matching number of DNS servers to Domain Controllers.

  3. You can use a non-Microsoft DNS server as long as it meets the requirements of DNS in support of AD. If Bind9 meets those requirements then you're more than welcome to use it.

joeqwerty
  • The documentation from Microsoft says that using a DNS Server per DC is a good practice. But I can understand that my premises are wrong. No problem with it, but the real solution for the problem wasn't presented. I'm doing some tests on my own at this moment, trying to solve this. – Vinícius Ferrão May 20 '13 at 00:52
  • 3
    You haven't actually stated a problem in your question. You asked if BIND9 can be used as the DNS server for AD and I answered that it can if it meets the requirements for supporting AD. This article implies that it does: http://technet.microsoft.com/en-us/library/dd316373.aspx – joeqwerty May 20 '13 at 01:08
  • Hm, I thought that the main question was clear: "How to make BIND9 take care of all this AD specific data? And with dynamic updating to make AD even happier." Sorry if I was unable to express myself... I've made some progress, but cannot update the DNS server with the name of a joined machine in the domain; any idea Joe? I got this error on BIND9: "May 13 16:20:34 debian named[5994]: client 172.16.144.107#60932: update 'domain.com/IN' denied" But giving permission to all IP addresses wasn't a viable option. – Vinícius Ferrão May 20 '13 at 03:22
  • Is there a setting in BIND DNS to allow unsecure updates? If so, that's probably what you need to enable. – joeqwerty May 20 '13 at 03:37
  • 2
    @ViníciusFerrão You need to properly configure BIND to support dynamic updates from your AD server. Refer to the BIND documentation. Honestly I would not recommend this - If you have a Microsoft/AD network you should use the Microsoft DNS server and AD Integrated Zones (possibly making your BIND servers slaves for the AD zone). You're just creating problems for yourself trying to cobble this together. – voretaq7 May 21 '13 at 16:57
  • "and I answered that it can if it meets the requirements for supporting AD" is not an answer. – LVLAaron May 23 '13 at 21:29
  • Well LVLAaron, "and I answered that it can if it meets the requirements for supporting AD" was my comment to a comment to my answer... it wasn't my answer. – joeqwerty May 23 '13 at 21:52
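The "update 'domain.com/IN' denied" message quoted in the comments above is BIND refusing a dynamic update from a client it has no policy for. Rather than opening allow-update to every address, BIND can verify the Kerberos (GSS-TSIG) signature that Windows machines put on their updates and limit each machine account to its own records. The named.conf fragment below is an added illustration, not configuration from any of the posters; "domain.com", the DOMAIN.COM realm, the keytab path and the zone file paths are placeholders, and it assumes the BIND host holds a keytab for a DNS/<fqdn> service principal issued by the domain.

```conf
// Constructed example: BIND 9 as the primary for an AD domain zone,
// accepting only Kerberos-signed (GSS-TSIG) updates.
options {
    directory "/var/cache/bind";
    // Keytab for the DNS/<bind-host-fqdn>@DOMAIN.COM principal (placeholder path).
    tkey-gssapi-keytab "/etc/bind/dns.keytab";
};

zone "domain.com" {
    type master;
    file "dynamic/domain.com.db";
    // update-policy replaces allow-update: unsigned updates are denied,
    // signed ones are checked against these rules.
    update-policy {
        // A machine account (MACHINE$@DOMAIN.COM) may only change the
        // A/AAAA records of its own name, machine.domain.com.
        grant DOMAIN.COM ms-self * A AAAA;
        // Domain controllers register SRV/CNAME/NS records in the AD
        // locator subtrees; allow authenticated machines to write there.
        grant DOMAIN.COM ms-subdomain _msdcs.domain.com. ANY;
        grant DOMAIN.COM ms-subdomain _sites.domain.com. ANY;
        grant DOMAIN.COM ms-subdomain _tcp.domain.com. ANY;
        grant DOMAIN.COM ms-subdomain _udp.domain.com. ANY;
        grant DOMAIN.COM ms-subdomain DomainDnsZones.domain.com. ANY;
        grant DOMAIN.COM ms-subdomain ForestDnsZones.domain.com. ANY;
    };
};
```

Any update that is not signed by a principal of the realm, or that touches a name outside the granted scope, is still logged as denied, so the log line from the comment remains the signal to watch for misconfigured or unauthorised clients.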
9

Can I completely remove the Windows DNS in favour of BIND9 in an AD network?

Yes. As joeqwerty pointed out, as long as a DNS server meets the requirements of DNS in support of Active Directory you may use it as your AD DNS.
(BIND does; Microsoft even provides guidance that Joe linked to, and you can find a bunch of articles on Google.)

That's not the question you should be asking though. The question you should be asking is:

SHOULD I completely remove the Windows DNS in favour of BIND9 in an AD network?

In my personal opinion the answer is ABSOLUTELY NOT unless you like pain.
AD and Windows DNS are intertwined - You can certainly pry them apart, but doing so is not going to be pleasant, and may create problems later.

If your goal is to not expose your Windows DNS servers (for some security reason, to minimize server load, etc.) a better option is to make your BIND DNS servers slaves, replicating the AD DNS zone(s).
This hides the Windows servers from prying eyes (and excessive load), but still lets Active Directory talk to the Windows DNS servers that it knows and loves.
You can even minimize the number of Windows DNS servers if you go this route, since the only things talking to it should be Active Directory/DCs (making updates) and the BIND servers fetching those updates to serve to other systems.

voretaq7
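The arrangement voretaq7 recommends above, BIND holding the AD zones as slaves of the Windows DNS servers so that clients never talk to the DCs for lookups, looks like this in named.conf. This is an added illustration, not configuration from the answer; the DC addresses 192.0.2.10 and 192.0.2.11 and the "domain.com" zone name are placeholders, and it assumes zone transfers to the BIND server's address have been enabled on the Windows DNS side.

```conf
// Constructed example: BIND 9 as a slave (secondary) for the AD zones.
// Only the domain controllers may notify this server of changes.
acl domain_controllers { 192.0.2.10; 192.0.2.11; };
masters dcs { 192.0.2.10; 192.0.2.11; };

options {
    directory "/var/cache/bind";
    // Serve lookups to clients, but hand out no zone copies and send no
    // NOTIFYs of our own; the DCs stay the only source of changes.
    allow-transfer { none; };
    allow-notify { domain_controllers; };
    notify no;
};

// The AD domain zone. Dynamic updates are not accepted on a slave;
// Windows machines locate the primary through the zone's SOA record and
// register with the Windows DNS server directly, so nothing breaks here.
zone "domain.com" {
    type slave;
    file "slaves/domain.com.db";
    masters { dcs; };
};

// _msdcs is normally a separate, forest-wide zone in AD. Carry it as
// well so the DC-locator SRV records (_ldap._tcp.dc._msdcs...) resolve.
zone "_msdcs.domain.com" {
    type slave;
    file "slaves/_msdcs.domain.com.db";
    masters { dcs; };
};
```

After loading, `rndc retransfer domain.com` and a query for `_ldap._tcp.dc._msdcs.domain.com SRV` against the BIND server are a quick check that the transfer succeeded and the locator records are being served.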