Solved

Why Linux DNS and Windows 2003 Active Directory?

Posted on 2007-03-30
2,114 Views
Last Modified: 2008-06-01
I know the advantages of using a Linux box running BIND as a DNS server and a Windows box running as a DC from back in the day, but now I wonder.

Since Windows Server has evolved somewhat over the past few years, I was wondering why you would still prefer to use Linux DNS or DDNS with a Windows 2003 Server DC.

I want some real opinions and your thoughts on the advantages and disadvantages of this particular type of setup. Also, what do you mostly use: Linux (Red Hat, SUSE, Debian, Slackware) or FreeBSD?

I would like to hear some opinions and experience. Thanks.
Question by:vaworx

10 Comments
 
LVL 2

Expert Comment

by:LeviDaily
ID: 18827768
Personally, for a LAN I would prefer using DNS on the DC. The rule of thumb is that DNS is installed on every domain controller! It all works a lot better!
 
LVL 25

Expert Comment

by:Cyclops3590
ID: 18827845
The thing is, DNS is a small portion of what Windows AD uses to do its job. LDAP is actually the main part of what makes up AD. The only real thing that you can do in AD and not on Linux is GPOs (technically you can with Samba, but as of yet it's still a major pain). DNS is slightly easier to maintain in Windows, IMHO. However, for remote management I've always preferred Linux, as you can actually accomplish stuff via the command line. Of course, that's going to slowly change now that MS has released PowerShell (still researching that one, though).

To come back to the original question, though: if you are looking purely at DNS functionality, I like BIND better. The logging is easier to read and break up into easier-to-parse files. I've never been a fan of the Event Viewer, just so you know. Windows is easier to set up and maintain for most trivial tasks. However, after it's set up, it's maintenance you're going to spend your time on, and I've always preferred Linux logging myself, as to me it gives more information to troubleshoot issues.

But remember Windows AD depends on DNS, but not vice versa.
 
LVL 70

Expert Comment

by:KCTS
ID: 18828150
Absolutely no reason not to use Windows-based DNS; I'd go for an AD-integrated solution every time. In fact there are many advantages, such as secured dynamic updates, secured replication (replication by Active Directory replication rather than zone XFER), multi-master topology and integration with DHCP, to name but a few.
 

Author Comment

by:vaworx
ID: 18828231
OK, so far nothing new, but let's sum up:

* LeviDaily - I am speaking enterprise-wise: 800+ clients.

* Cyclops3590 - Yep, I know the constant answer to the questions of what AD is and how come it does not work on Linux/*BSD. Yep, DNS is the blood of Active Directory, and that is why I'm still concerned about why in best practices it is still separated onto a Linux box. I wonder what happens if BIND goes down. Would the machines still function using their SIDs? What if you want to update the DDNS but not allow internal computers to be visible to the public?

Ex. you run a domain mydomain.com; you have the Linux box control mydomain.com, then you hook up a Windows forest controlling windowsdomain.mydomain.com, say up to 3 DCs that replicate with each other. What happens with the host names of the machines under windowsdomain.mydomain.com? After all, you don't want to expose workstation.windowsdomain.mydomain.com to the public, but you still want to control its NetBIOS name and perform DDNS, since you don't necessarily want to create reservations for all computers.

* KCTS - I believe you can do secure updates when configuring BIND, especially ver. 9, but there are a few things that I am concrete about, and that is DDNS.

I hope I make sense with all these examples and concerns.
 
LVL 25

Expert Comment

by:Cyclops3590
ID: 18828625
From my understanding, BIND v9 can do pretty much anything Windows DNS can do. But like I said, it's just easier to accomplish in Windows due to the nice GUI interfaces. You just need to find where the tab and the appropriate check boxes are, is all.

When you create an AD, you can have MS auto-create the entire DNS structure needed. However, everything you need CAN be done on BIND; you just need to know the structure and the entries (a time-intensive process).

SIDs have nothing to do with DNS, so nothing to worry about there. If the client can't contact the Global Catalog server, then it just uses the locally cached username/passwords to verify the user (MS just uses DNS to find the GC servers).

As for protecting subdomains: I'm 99% positive BIND has the capability to create views, meaning you essentially have two zones covering the same domain space. However, one zone can be seen by one set of users, and the second... you get the point. You can also easily state who has authority to update, query, etc. zones in BIND. Windows, I have to believe, has this capability as well (I just don't know where it's at). As of Windows 2003, you can finally do domain-specific forwarding, which has been in BIND for quite some time.

Also, NetBIOS is a per-segment type of technology. Think WINS. So you don't have to worry about that going out to the public.

As for DDNS the way you are thinking, BIND can do this. I've been doing it for a long time. You just need to ensure that the DHCP service is allowed to modify the DNS zone, is all. Now, MS does things their own way (when don't they? :) So mixing Linux with MS in DDNS can be tricky, and I believe in some situations even impossible.

Personally, I'd go with Windows DNS for the internal network. The logging isn't as good, but if you know how to use the DNS tools MS has, then you should be able to quell any problems that arise.

My question now is that I'm getting confused as to where the BIND server comes in. Is this a DNS server that houses your public zone? If so, I'd recommend keeping it that way, separate from AD. Have it set up to make the AD authoritative over the windowsdomain.mydomain.com zone so that it forwards all requests to the Windows DNS. Then lock it down so BIND only does that for internal workstations.
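A BIND 9 named.conf sketch of the split Cyclops3590 describes above: views so that LAN clients and the Internet see different copies of mydomain.com, a TSIG key so that only the DHCP server can write to the internal zone, and an internal-only forward zone that hands everything under the AD child domain to the DCs. This is an added example, not configuration posted in the thread; the LAN range 10.0.0.0/8, the DC addresses 10.0.0.11-13, the secondary at 192.0.2.53 and the key name are hypothetical.

```conf
// /etc/named.conf (BIND 9). Added example; addresses and key name are
// hypothetical placeholders, not values from the thread.

// TSIG key shared with the DHCP server. Generate it with
//   dnssec-keygen -a HMAC-MD5 -b 128 -n HOST dhcp-update
// and put the same secret in named.conf and dhcpd.conf.
key "dhcp-update" {
    algorithm hmac-md5;
    secret "REPLACE_WITH_BASE64_SECRET_FROM_DNSSEC_KEYGEN==";
};

acl "internal" { 10.0.0.0/8; 127.0.0.1; };
acl "ad-dcs"   { 10.0.0.11; 10.0.0.12; 10.0.0.13; };

options {
    directory "/var/named";
    // Not an open resolver: only the LAN may recurse through this box.
    allow-recursion { internal; };
    // Zone transfers are off unless a zone enables them explicitly.
    allow-transfer  { none; };
};

// Internal view (matched first): LAN clients get the internal copy of
// mydomain.com, which carries the DHCP-registered hosts, and every query
// for the AD child domain is forwarded to the domain controllers.
view "internal" {
    match-clients { internal; };
    recursion yes;

    zone "mydomain.com" {
        type master;
        file "internal/mydomain.com.zone";
        // Only updates signed with the DHCP server's key are accepted;
        // the Windows clients' own DNSAPI registration attempts are refused.
        allow-update { key "dhcp-update"; };
    };

    // The DC-hosted DNS is authoritative for the AD domain, so BIND never
    // needs a copy of its records; it just asks the DCs.
    zone "windowsdomain.mydomain.com" {
        type forward;
        forward only;
        forwarders { 10.0.0.11; 10.0.0.12; 10.0.0.13; };
    };
};

// External view: the Internet gets the public zone only. The AD child
// zone does not exist here, so workstation names never leave the LAN.
view "external" {
    match-clients { any; };
    recursion no;

    zone "mydomain.com" {
        type master;
        file "external/mydomain.com.zone";
        allow-update   { none; };
        allow-transfer { 192.0.2.53; };   // the public secondary, ns2
    };
};
```

Run `named-checkconf` after editing, then test from both sides: from the LAN, `dig @ns1 workstation.windowsdomain.mydomain.com` is answered through the forwarder, while the same query from outside gets NXDOMAIN from the external view. The DNSAPI errors mentioned later in the thread are the Windows clients being refused by `allow-update`; they go away only if the clients stop registering themselves (the DNS Client "dynamic update" behaviour can be switched off per adapter or by group policy) or are pointed at the AD-integrated DNS, which accepts their secure updates.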
 
LVL 35

Expert Comment

by:ShineOn
ID: 18830818
You should have a private zone for your LAN, like mycompany.local or mycompany.lan, and use mycompany.com only on your public DNS.

Leave the local DNS to AD/Windoze and keep the public DNS on BIND.

NetBIOS names supposedly aren't needed if you go with "pure" <ahem> 2003-mode AD.  The SRV records in AD's DNS should cover that aspect.

You shouldn't even need NetBT, and should be able to forget about WINS... in theory ;)
 

Author Comment

by:vaworx
ID: 18849135
Cyclops3590: Thank you for the thorough answer. Yes, BIND is my public zone. DHCP is pointed to the NS server IPs, NS1 and NS2. And of course I get the DNSAPI error due to BIND not allowing DDNS on WinXP and Win2k machines, since they try to update it every 30 min to 1 h. How can I make sure that it makes the Windows DC authoritative over windowsdomain.mydomain.com? What would be the appropriate DNS suffixes: mydomain.com, windowsdomain.mydomain.com? What will happen if I have IIS machines on the Windows DC that have to be available from both sides? I think I'm getting lost myself :D
ShineOn: I wanted to explore that option, but I am a little scared to migrate all data from the existing setup to the new Win2k3 representation, .local. (I have 3 DCs replicating with each other.) In other words, due to the high volume of machines, users and groups, I'm not too sure how painful that could be. So for now I try not to think about it too much.
 
LVL 25

Expert Comment

by:Cyclops3590
ID: 18849803
Actually, I'd have to look that up again to make sure. I've never actually worked with a setup exactly like yours.
However, what I'd check at this time is the following.
You have an A record in the parent domain for the child domain. Then create an NS record for that domain as well. That should tell BIND that the Windows DNS is the authoritative DNS for that child domain. However, I have to double-check on that to make sure exactly what the best way is to create that child domain and delegate the authority for it.
 
LVL 35

Accepted Solution

by:
ShineOn earned 500 total points
ID: 18851595
http://support.microsoft.com/kb/255913

says to delegate the following to a Windows 2003 DC running the DNS service:

_udp.DNSDomainName
_tcp.DNSDomainName
_sites.DNSDomainName
_msdcs.DNSDomainName
ForestDnsZones.ForestDNSName
DomainDnsZones.DNSDomainName

where DNSDomainName is the parent domain - using your examples, mydomain.com.  I'd assume the forest domain is the subdomain windowsdomain.mydomain.com, which also is the domain you'd be delegating...

All this is to redirect the AD dynamic updates to the AD DNS.

There are probably security measures to take as well, as regards what addresses can do what on which DNS.  
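The delegation that Cyclops3590 sketches (NS plus A record in the parent) and that ShineOn's KB 255913 reference describes, written out as an added BIND zone-file example. It is not from the thread or the KB: the parent zone mydomain.com hands the whole windowsdomain.mydomain.com sub-tree to the three DCs with NS records and in-zone glue A records, so every name the KB lists for that AD domain (_msdcs, _sites, _tcp, _udp, ForestDnsZones, DomainDnsZones) is already inside the delegated zone. The DC names, the ns1/ns2 addresses and the serial are hypothetical. The commented-out tail shows the shape the KB's six-name delegation takes when the AD domain and the BIND zone share the same name.

```conf
; internal/mydomain.com.zone (served by BIND to LAN clients only).
; Added example; host names and addresses are hypothetical placeholders.
$TTL 3600
$ORIGIN mydomain.com.
@       IN SOA  ns1.mydomain.com. hostmaster.mydomain.com. (
                2007033001  ; serial, bump on every edit
                3600        ; refresh
                900         ; retry
                1209600     ; expire
                300 )       ; negative-cache TTL
        IN NS   ns1.mydomain.com.
        IN NS   ns2.mydomain.com.
ns1     IN A    10.0.0.2
ns2     IN A    10.0.0.3

; Delegate the AD child zone to the three domain controllers. Because the
; AD domain is windowsdomain.mydomain.com, the _msdcs, _sites, _tcp, _udp,
; ForestDnsZones and DomainDnsZones names from KB 255913 all live under
; this cut and need no separate delegation in the parent.
windowsdomain       IN NS   dc1.windowsdomain.mydomain.com.
windowsdomain       IN NS   dc2.windowsdomain.mydomain.com.
windowsdomain       IN NS   dc3.windowsdomain.mydomain.com.
; Glue: the name servers sit inside the zone they serve, so the parent
; must publish their addresses or resolvers can never reach them.
dc1.windowsdomain   IN A    10.0.0.11
dc2.windowsdomain   IN A    10.0.0.12
dc3.windowsdomain   IN A    10.0.0.13

; If the AD domain were mydomain.com itself (the case KB 255913 describes),
; only the six sub-trees would be delegated and BIND would keep the rest:
; _msdcs          IN NS   dc1.mydomain.com.
; _sites          IN NS   dc1.mydomain.com.
; _tcp            IN NS   dc1.mydomain.com.
; _udp            IN NS   dc1.mydomain.com.
; DomainDnsZones  IN NS   dc1.mydomain.com.
; ForestDnsZones  IN NS   dc1.mydomain.com.
; dc1             IN A    10.0.0.11
```

Check the file with `named-checkzone mydomain.com internal/mydomain.com.zone`, reload, and from a LAN client confirm that `dig _ldap._tcp.dc._msdcs.windowsdomain.mydomain.com SRV` comes back with the DCs; that SRV lookup is exactly what a workstation does to find a domain controller, so if it works the AD side is reachable through BIND. Keep this delegation in the internal view only: placing it in the public copy of mydomain.com would tell the Internet where the DCs are and, if they are reachable, let anyone enumerate the workstation names the question wants hidden.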