Installing AD with BSD DNS Server

LuckyTaxi

Diamond Member
Dec 24, 2000
I'm tired of Microsoft's DNS, and I read somewhere in a book that AD and DNS must be installed on the same server. However, after reading other posts from various websites, this doesn't seem to be the case. Other users have installed DNS running on Linux/BSD and incorporated them into AD.

Has anyone done this? I haven't found a tutorial so to speak that will help me make the transition.
I take it I need to install DNS first. Which DNS software? I hear BIND is full of holes.

Preferably running on BSD.
 

Saltin

Platinum Member
Jul 21, 2001
BIND is generally a little more reliable than Win2k DNS, not that Win2k DNS is so terrible though.

I've been reading your posts both here and on ARS, and I think your issues are more related to the OS/Diskspace/Configuration than they are to DNS itself, but I digress.

I'm not so up to date on the BIND versions, but I know you will need one that supports Dynamic Updates at the very least. There are also issues with zone transfers between 2k DNS and BIND versions right up to 8.x (due to the maximum packet size one of the versions will accept, or something like that).

Dynamic Update support has been included with BIND versions for some time now. My recommendation would be to install the latest version. You can't go too wrong really.

DNS doesn't need to be installed on a DC in a Win2k domain, but most people run it this way b/c AD-integrated zones are just, well, better than standard primary zones, from both a replication and security standpoint.
 

LuckyTaxi

Diamond Member
Dec 24, 2000
Yeah ... I fixed the problem. But now I just wanna do away with Windows DNS, but it makes more sense and it's easier to configure than BIND and djbdns. I might just stick with it.

I will fix the disk space issue next month once school is done.

The other thing is we are thinking of bringing our website in-house. Right now we have it hosted by a company and they run the external DNS. We have other servers (mail, portal) running in-house and we would have to call our hosting company to update the DNS entries, which is a pain in the butt. So, we thought we may just bring it all in-house.
Do you think the load will be OK? Running DNS on the PDC to serve requests for not just in-house but also external requests?
 

Saltin

Platinum Member
Jul 21, 2001
Don't let your DC host external zones. You don't want external hosts/DNS servers contacting your Domain Controllers.

Best thing to do is bring up a small box with Red Hat or something like that and install BIND. Let it handle resolving your external namespace and let the Win2k handle internal DNS.
 

LuckyTaxi

Diamond Member
Dec 24, 2000
Yeah ... ppl complained sendmail is bad, but I used it for a couple of months. Of course my server died and I ended up installing postfix just for the hell of it. As long as I stay on top of the bugs.

That's like Windows ... ppl say it's not stable and secure, but it all depends on the administrator.
 

Soybomb

Diamond Member
Jun 30, 2000
BIND doesn't have the world's best track record for security, but a lot of that is due to people not keeping it patched, much like sendmail. Although BIND's configuration is 1000x better than sendmail's to me :D Another popular option is djbdns but I'm not particularly a fan of his software. Anyway FreeBSD 4.x comes with BIND 8, I like BIND 9. You can install it from ports easily by following this walkthrough http://ezine.daemonnews.org/200303/bind9.html

Read around a bit and you can set BIND up to work quite nicely. For instance, to limit zone transfers (always a good idea if you ask me):

    zone "10.10.10.IN-ADDR.ARPA" {
        type master;
        file "10.10.10.IN-ADDR.ARPA";
        allow-transfer {
            10.10.10.219;
        };
    };


Note: following the walkthrough is quick and easy, although many people also choose to jail BIND because of security concerns. You can always do that too if you're feeling ambitious.
 

stash

Diamond Member
Jun 22, 2000
> I'm not so up to date on the BIND versions, but I know you will need one that supports Dynamic Updates at the very least

I posted this in Ars, but it's worthwhile to post it here. Dynamic updates are NOT a requirement for Active Directory. They make things easier, but are not necessary for AD to function.

The ONLY thing your DNS server must have is support for SRV records (RFC 2782). SRV records let members of an AD domain find both domain controllers and global catalogs, both critical to logons. It also is used for other services such as the PDC emulator.

So, the three major things that were new to Windows 2000 DNS from NT 4.0 are SRV records, incremental updates, and dynamic updates. The last two are nice to have, but are not a requirement of Active Directory.
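Since SRV records are the one hard requirement named above, here is an added example (not from the thread) of what an AD client does with them: it parses the `_msdcs` locator records from a zone fragment and orders the targets the way RFC 2782 prescribes (lowest priority first, weighted random within a priority). The zone text is constructed; `example.local` and the `dcN` hosts are placeholders, while the owner names are the ones AD publishes.

```python
import random
import re
from collections import namedtuple
SrvRecord = namedtuple("SrvRecord", "name priority weight port target")

# Constructed zone fragment in BIND master-file syntax. The owner names are the
# locator records AD publishes; example.local and the dcN hosts are placeholders.
ZONE = """
_ldap._tcp.dc._msdcs.example.local.     600 IN SRV 0 100 389 dc1.example.local.
_ldap._tcp.dc._msdcs.example.local.     600 IN SRV 0 100 389 dc2.example.local.
_ldap._tcp.dc._msdcs.example.local.     600 IN SRV 10 0 389 dc3.example.local.
_kerberos._tcp.dc._msdcs.example.local. 600 IN SRV 0 100 88 dc1.example.local.
_gc._tcp.example.local.                 600 IN SRV 0 100 3268 dc1.example.local.
_ldap._tcp.pdc._msdcs.example.local.    600 IN SRV 0 100 389 dc1.example.local.
"""

SRV_RE = re.compile(r"^(\S+)\s+\d+\s+IN\s+SRV\s+(\d+)\s+(\d+)\s+(\d+)\s+(\S+)$")

def parse_srv(zone_text):
    """Parse SRV lines from master-file text into SrvRecord tuples."""
    records = []
    for line in zone_text.strip().splitlines():
        m = SRV_RE.match(line.strip())
        if not m:
            raise ValueError("not an SRV record: %r" % line)
        name, prio, weight, port, target = m.groups()
        records.append(SrvRecord(name.lower(), int(prio), int(weight),
                                 int(port), target.lower()))
    return records

def order_targets(records, name, rng=random):
    """Order the targets for `name` as RFC 2782 tells a client to try them:
    lowest priority first; within one priority a weighted random draw, where
    weight-0 hosts are chosen only when nothing heavier is left."""
    group = [r for r in records if r.name == name.lower()]
    ordered = []
    for prio in sorted({r.priority for r in group}):
        # RFC 2782: weight-0 entries go first, so only a draw of 0 selects them
        pool = sorted((r for r in group if r.priority == prio),
                      key=lambda r: r.weight != 0)
        while pool:
            pick = rng.randint(0, sum(r.weight for r in pool))
            running = 0
            for r in pool:
                running += r.weight
                if running >= pick:
                    ordered.append(pool.pop(pool.index(r)))
                    break
    return ordered
```

On a server without dynamic-update support these are exactly the records an administrator adds by hand, which is why a zone that can be transferred freely also hands out the forest's DC and GC layout.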
 

Barnaby W. Füi

Elite Member
Aug 14, 2001
I would recommend setting up BIND 9 in a chroot jail. AFAIK BIND 9 has not had any big exploits, it is designed in such a way that if something like a buffer overflow happens, BIND will simply quit, and not execute a shell. It was redesigned with security in mind, unlike the older BINDs. Keeping it in a chroot is not too difficult and it gives you another layer of protection. I've been using this setup for quite some time and it works flawlessly.
 

stash

Diamond Member
Jun 22, 2000
Just a small correction to my post: NT4.0 DNS also supports SRV records, but not incremental or dynamic updates.