Joshua C. Clark (Guest)
Posted: Mon Oct 10, 2005 8:50 pm
Post subject: Moving AD Integrated DNS to BIND

My company would like to research doing this. Does anyone have any pros and
cons about moving from our Active Directory Integrated DNS to a Unix/Linux
BIND environment?
Thanks in advance, and sorry if this is not the right newsgroup to post this
in.

Herb Martin (Guest)
Posted: Mon Oct 10, 2005 8:50 pm
Post subject: Re: Moving AD Integrated DNS to BIND

"Joshua C. Clark" <Josh@NetworkMedics.Com> wrote in message
news:udzo7SczFHA.3540@TK2MSFTNGP10.phx.gbl...
Quote:
> My company would like to research doing this, does anyone have any pros
> and cons about moving from our Active Directory Integrated DNS to a Unix/Linux
> BIND environment?
> Thanks in advance and sorry if it is not the right newsgroup to post this
> in..

If you are running DNS in support of an AD Domain (likely, since
it is in AD) then don't do this. For AD domains there really is no
technical justification for switching to BIND, and no political
pseudo-reasons are compelling.

If you are being pushed, require POSITIVE and COMPELLING
technical reasons.

AD has primarily much better dynamic updates and secure dynamic
updates for domain machines -- which are required for AD support.
It also has better replication and more secure replication. For giant
systems (or heavily distributed environments) the multi-mastered
replication might even be a reason for a NON-AD network to switch
FROM BIND.

BIND has a few features that AD does not, but these don't offer much
help for supporting an AD domain (they are more useful for public DNS
servers).

I run one BIND server (so have no particular prejudice) by choice,
but wouldn't think of switching my AD domain servers over to BIND.
--
Herb Martin, MCSE, MVP
Accelerated MCSE
http://www.LearnQuick.Com
[phone number on web site]

Kevin D. Goodknecht Sr. [MVP] (Guest)
Posted: Mon Oct 10, 2005 8:50 pm
Post subject: Re: Moving AD Integrated DNS to BIND

Joshua C. Clark <Josh@NetworkMedics.Com> wrote:
Quote:
> My company would like to research doing this, does anyone have any
> pros and cons about moving from our Active Directory Integrated DNS
> to a Unix/Linux BIND environment?

Active Directory integrated is much more secure if set to secure updates
only.

Windows DNS works hand in hand with Windows DHCP for registering clients
that do not support dynamic DNS updates.

IMO, Windows DNS is easier to manage, especially if you use zones stored in
Active Directory, because the zones will replicate to all DCs in the domain
without any further action from you.

Just create the zones and the records on one DC and you're done. Depending
on the replication cycle, the zone will replicate within minutes to all DCs
in the domain. AD integrated zones are all masters, so you can delegate the
addition of records to admins at different sites and have the record
replicate throughout the domain.

Win2k3 added replication options to replicate the zone to all DNS servers in
the Active Directory forest. So if you have a multi-domain forest, you
can create the zone on one DC and have it replicate to all DNS servers in
the forest running Win2k3.

BIND zones, like Standard Primary zones in Windows, store zone data in a text
file. They do not support integration into Active Directory. You would just
add another machine or machines to manage. You have to manually add all
zones to all DNS servers, first the primary then the secondary zones.

So, you can see that if your company is spread out at multiple sites, using
AD integrated zones can be of great benefit and is more secure.
--
Best regards,
Kevin D. Goodknecht Sr. [MVP]
Hope This Helps
===================================
When responding to posts, please "Reply to Group"
via your newsreader so that others may learn and
benefit from your issue, to respond directly to
me remove the nospam. from my email address.
===================================
http://www.lonestaramerica.com/
===================================
Use Outlook Express?... Get OE_Quotefix:
It will strip signature out and more
http://home.in.tum.de/~jain/software/oe-quotefix/
===================================
Keep a back up of your OE settings and folders
with OEBackup:
http://www.oehelp.com/OEBackup/Default.aspx
=================================== |
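Both replies above come down to two zone properties worth checking before anyone debates a migration: whether dynamic updates are restricted to "Secure" (which only AD-integrated zones can do) and which AD replication scope each zone uses. The script below is an added example, not code from the thread or from any of the posters; it assumes a domain controller running DNS and the DnsServer PowerShell module (Windows Server 2012 and later; in 2005 the equivalent tool was dnscmd), and the -Fix switch is an assumed, opt-in parameter that tightens only AD-integrated zones that currently accept unauthenticated updates.

```powershell
# Added example (not from the thread): audit primary zones on a Windows DNS
# server for secure dynamic updates and AD replication scope.
# Assumes the DnsServer module (Windows Server 2012+) and rights on the DC.
#Requires -Modules DnsServer

param(
    [string]$ComputerName = $env:COMPUTERNAME,   # DNS server to audit (assumed: local DC)
    [switch]$Fix                                 # assumed opt-in: tighten updates to Secure
)

# Primary zones only; skip the auto-created reverse/loopback zones.
$zones = Get-DnsServerZone -ComputerName $ComputerName |
    Where-Object { $_.ZoneType -eq 'Primary' -and -not $_.IsAutoCreated }

$report = foreach ($z in $zones) {
    $finding = @()

    if (-not $z.IsDsIntegrated) {
        # File-backed (standard primary) zone: Kerberos-authenticated "Secure"
        # updates are unavailable, which is the BIND-style situation Herb describes.
        $finding += 'not AD-integrated (file-backed; secure updates not possible)'
    }
    elseif ($z.DynamicUpdate -eq 'NonsecureAndSecure') {
        # Anyone able to reach the server can register or overwrite records.
        $finding += 'accepts unauthenticated dynamic updates'
    }

    if ($z.IsDsIntegrated -and $z.ReplicationScope -eq 'Legacy') {
        # Legacy = zone stored in the domain partition and replicated to every
        # DC in the domain (the pre-Win2k3 behaviour Kevin describes).
        $finding += 'replication scope Legacy (pre-Win2k3 domain partition)'
    }

    [pscustomobject]@{
        Zone             = $z.ZoneName
        DsIntegrated     = $z.IsDsIntegrated
        DynamicUpdate    = $z.DynamicUpdate
        ReplicationScope = $z.ReplicationScope
        Finding          = ($finding -join '; ')
    }
}

$report | Format-Table -AutoSize

if ($Fix) {
    # Only AD-integrated zones accept the Secure setting; file-backed zones
    # are reported but left alone (they would need converting to AD-integrated first).
    $report |
        Where-Object { $_.DsIntegrated -and $_.DynamicUpdate -eq 'NonsecureAndSecure' } |
        ForEach-Object {
            Set-DnsServerPrimaryZone -ComputerName $ComputerName -Name $_.Zone -DynamicUpdate Secure
            Write-Host "Set $($_.Zone) to secure dynamic updates only"
        }
}
```

Run it without -Fix first; a zone showing "accepts unauthenticated dynamic updates" is the concrete gap the replies are warning about, and Windows DHCP registering on behalf of non-DDNS clients (Kevin's point) keeps working under the Secure setting as long as the DHCP server is a member of the DnsUpdateProxy group or has credentials configured. One caveat to add to the thread's picture: BIND releases since 9.5 can authenticate dynamic updates with GSS-TSIG, so the "no secure updates" gap is narrower today than in 2005, while the AD-integrated storage and multi-master replication Kevin describes remain Windows-only.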

Joshua C. Clark (Guest)
Posted: Mon Oct 10, 2005 8:50 pm
Post subject: Re: Moving AD Integrated DNS to BIND

Thank you both for your replies. I am not in favor of moving to BIND; I just
need to get all of the facts for my boss. Again, thank you!
"Kevin D. Goodknecht Sr. [MVP]" <admin@nospam.WFTX.US> wrote in message
news:OpvQS6czFHA.2540@TK2MSFTNGP09.phx.gbl...
Quote:
> Active Directory integrated is much more secure if set to secure updates
> only.
> Windows DNS works hand in hand with Windows DHCP for registering clients
> that do not support dynamic DNS updates.
> [snip]

Joshua C. Clark (Guest)
Posted: Mon Oct 10, 2005 8:50 pm
Post subject: Re: Moving AD Integrated DNS to BIND

Thank you both for your replies. I am not in favor of moving to BIND; I just
need to get all of the facts for my boss. Again, thank you!
"Herb Martin" <news@LearnQuick.com> wrote in message
news:O7DTlIdzFHA.2884@TK2MSFTNGP09.phx.gbl...
Quote:
> If you are running DNS in support of an AD Domain (likely since
> it is in AD) then don't do this. For AD domains there really is no
> technical justification for switching to BIND and no political
> pseudo-reasons are compelling.
> [snip]

Herb Martin (Guest)
Posted: Tue Oct 11, 2005 12:50 am
Post subject: Re: Moving AD Integrated DNS to BIND

"Joshua C. Clark" <Josh@NetworkMedics.Com> wrote in message
news:eH2TZZdzFHA.3188@TK2MSFTNGP14.phx.gbl...
Quote:
> Thank you both for your replies, I am not in favor of moving to BIND I
> just need to get all of the facts for my boss, again thank you!

Then the question to ask "them" is, "What specific benefits do you
expect to derive from such a change?"

And, "Are you willing to give up the secure updates to get those
features?" (But don't ask this until they enumerate something
explicit and lock into a "wish" list. <grin>)

It's basically a stupid idea for 'them' to want to do.
--
Herb Martin, MCSE, MVP
Accelerated MCSE
http://www.LearnQuick.Com
[phone number on web site]

mmccaws2 (Guest)
Posted: Fri Nov 04, 2005 5:50 pm
Post subject: Re: Moving AD Integrated DNS to BIND

This question may be along that line:
Can you set up one MS DHCP server set that can administer to hosts in
multiple AD forests where the only common domain name is the root, like
ADgroupname.local (each ADgroupname is different), and still take
advantage of DDNS?
Do you know of an application note that says how to do this?
Thanks,
Mike

Herb Martin wrote:
Quote:
> Then the question to ask "them" is, "What specific benefits do you
> expect to derive from such a change?"
> And, "Are you willing to give up the secure updates to get those
> features?" (But don't ask this until they enumerate something
> explicit and lock into a "wish" list. <grin>)
> [snip]