Why Linux DNS and Windows 2003 Active Directory?

Posted on 2007-03-30
Medium Priority
Last Modified: 2008-06-01
I know the advantages of using a Linux box running BIND as a DNS server and a Windows box running as a DC from back in the day, but now I wonder.

Since Windows Server has somewhat evolved over the past few years, I was wondering why you would prefer to still use Linux DNS or DDNS with a Windows 2003 Server DC.

I want some real opinions and your thoughts on the advantages and disadvantages of this particular type of setup. Also, what do you mostly use: Linux (Red Hat, SUSE, Debian, Slackware) or FreeBSD?

I would like to hear some opinions and experience. Thanks.
Question by:vaworx

Expert Comment

ID: 18827768
Personally, for a LAN I would prefer using DNS on the DC. The rule of thumb is that DNS is installed on every domain controller! It all works a lot better!
LVL 25

Expert Comment

ID: 18827845
The thing is, DNS is a small portion of what Windows AD uses to do its job.  LDAP is actually the main part of what makes up AD.  The only real thing that you can do in AD and not on Linux is the GPOs (technically you can with Samba, but as of yet it's still a major pain).  DNS is slightly easier to maintain in Windows IMHO.  However, for remote management, I've always preferred Linux as you can actually accomplish stuff via the command line.   Of course that's going to slowly change now that MS has released PowerShell (still researching that one though).

To come back to the original question though: if you are looking purely at DNS functionality, I like BIND better.  The logging is easier to read and break up into easier-to-parse files.  I've never been a fan of the event viewer, just so you know.  Windows is easier to set up and maintain for most trivial tasks.  However, after it's set up, it's maintenance you're going to spend your time on.  And I've always preferred Linux logging myself, as to me it gives more information to troubleshoot issues.

But remember Windows AD depends on DNS, but not vice versa.
LVL 70

Expert Comment

ID: 18828150
Absolutely no reason not to use Windows-based DNS; I'd go for an AD-integrated solution every time. In fact there are many advantages, such as secured dynamic updates, secured replication (replication by Active Directory replication rather than zone XFER), multi-master topology and integration with DHCP, to name but a few.


Author Comment

ID: 18828231
Ok so far nothing new, but let's sum up:

* LeviDaily - I am speaking enterprise wise - 800+ clients

* Cyclops3590 - Yep, I know the constant answer to the questions of what AD is and how come it does not work on Linux/*BSD. Yep, DNS is the blood of Active Directory, and that is why I'm still concerned about why in best practices it is still separated onto a Linux box. I wonder what happens if BIND goes down. Would the machines still function using their SIDs? What if you want to update the DDNS but not allow internal computers to be visible to the public?

Ex. you run a domain mydomain.com, you have the Linux box control mydomain.com, then you hook up a Windows forest controlling windowsdomain.mydomain.com with, say, up to 3 DCs that replicate with each other. What happens with the host names of the machines under windowsdomain.mydomain.com? After all, you don't want to expose workstation.windowsdomain.mydomain.com to the public, but you still want to control its NetBIOS name and perform DDNS, since you don't necessarily want to create reservations for all computers.

* KCTS - I believe you can do secure updates when configuring BIND, especially version 9, but there are a few things that I am concrete about, and that is DDNS.

I hope I make sense with all these examples and concerns.
LVL 25

Expert Comment

ID: 18828625
From my understanding, BIND v9 can do pretty much anything Windows DNS can do. But like I said, it's just easier to accomplish in Windows due to the nice GUI interfaces. You just need to find where the tab and the appropriate check boxes are, is all.

When you create an AD, you can have MS auto-create the entire DNS structure needed.  However, everything you need CAN be done on BIND; you just need to know the structure and the entries (time-intensive process).

SIDs have nothing to do with DNS, so nothing to worry about there.  If the client can't contact the Global Catalog server, then it just uses the locally cached username/passwords to verify the user (MS just uses DNS to find the GC servers).

As for protecting subdomains: I'm 99% positive BIND has the capability to create views.  Meaning you essentially have two zones covering the same domain space.  However, one zone can be seen by one set of users, and the second... you get the point.      You can also easily state who has authority to update, query, etc. zones in BIND.  Windows, I have to believe, has this capability as well (I just don't know where it's at).  As of Windows 2003, you can finally do domain-specific forwarding, which has been in BIND for quite some time.

Also, Netbios is a per segment type of technology.  Think WINS.  So you don't have to worry about that going out to the public.

As for DDNS the way you are thinking, BIND can do this.  I've been doing it for a long time.  You just need to ensure that the DHCP service is allowed to modify the DNS zone, is all.  Now MS does things their own way (when don't they? :)  So mixing Linux with MS in DDNS can be tricky, and I believe in some situations even impossible.

Personally I'd go with the Windows DNS for the internal network.  The logging isn't as good, but if you know how to use the DNS tools MS has then you should be able to quell any problems that arise.

My question now is that I'm getting confused as to where the BIND server is coming in.  Is this a DNS server that houses your public zone?  If so, I'd recommend keeping it that way: separate from AD.  Have it set up to make the AD authoritative over the windowsdomain.mydomain.com zone so that it forwards all requests to the Windows DNS.  Then lock it down so BIND only does that for internal workstations.
LVL 35
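A BIND 9 named.conf sketch of the split views and locked-down update policy discussed above, added here as an illustration and not taken from the original thread; the ACL ranges, file names and addresses are constructed examples:

```text
// named.conf (constructed example) on the public BIND 9 server for mydomain.com.
// Views are matched in order, so the LAN view must be declared first.
acl "lan" { 10.0.0.0/8; 192.168.0.0/16; localhost; };

view "internal" {
    match-clients { "lan"; };
    recursion yes;                     // LAN clients may use this server as a resolver

    // Internal copy of the parent zone. Its zone file carries the delegation
    // of windowsdomain.mydomain.com to the Windows DCs, so queries for AD
    // names are referred to them instead of being answered (or refused) here.
    zone "mydomain.com" {
        type master;
        file "/etc/bind/db.mydomain.com.internal";
        allow-update   { none; };      // BIND never accepts the AD dynamic updates itself
        allow-transfer { 192.0.2.2; }; // secondary ns2 only (constructed address)
    };
};

view "external" {
    match-clients { any; };
    recursion no;                      // never an open resolver on the Internet-facing view

    // Public copy of the same zone: no delegation, no workstation names.
    zone "mydomain.com" {
        type master;
        file "/etc/bind/db.mydomain.com.external";
        allow-update   { none; };
        allow-transfer { 192.0.2.2; };
    };
};
```

A query for workstation.windowsdomain.mydomain.com from an outside address is answered NXDOMAIN by the external view, while the same query from the LAN is resolved through the delegation in the internal view.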

Expert Comment

ID: 18830818
You should have a private zone for your LAN, like mycompany.local or mycompany.lan, and use mycompany.com only on your public DNS.

Leave the local DNS to AD/Windoze and keep the public DNS on BIND.

NetBIOS names supposedly aren't needed if you go with "pure" <ahem> 2003-mode AD.  The SRV records in AD's DNS should cover that aspect.

You shouldn't even need NetBT, and should be able to forget about WINS... in theory ;)

Author Comment

ID: 18849135
Cyclops3590: Thank you for the thorough answer. Yes, BIND is my public zone. DHCP is pointed to the NS server IPs NS1 and NS2. And of course I get the DNSAPI error due to BIND not allowing DDNS on WinXP and Win2k machines, since they try to update it every 30 min to 1 h. How can I make sure that it makes the Windows DC authoritative over windowsdomain.mydomain.com? What would be the appropriate DNS suffixes: mydomain.com, windowsdomain.mydomain.com? What will happen if I have IIS machines on the Windows DC that have to be available from both sides? I think I'm getting lost myself :D
ShineOn: I wanted to explore that option, but I am a little scared to migrate all data from the existing setup to the new Win2k3 representation .local (I have 3 DCs replicating with each other). In other words, due to the high volume of machines, users and groups, I'm not too sure how painful that could be. So for now I try not to think about it too much.
LVL 25

Expert Comment

ID: 18849803
Actually, I'd have to re-look that up to make sure.  I've never actually worked with a setup exactly like yours.
However, what I'd check at this time is the following.
You have an A record in the parent domain for the child domain.  Then create an NS record for that domain as well.  That should tell BIND that the Windows DNS is the authoritative DNS for that child domain.  However, I have to double-check on that to make sure exactly what the best way is to create that child domain and delegate the authority for it.
LVL 35

Accepted Solution

ShineOn earned 2000 total points
ID: 18851595

says to delegate the following to a Windows 2003 DC running the DNS service:


where DNSDomainName is the parent domain - using your examples, mydomain.com.  I'd assume the forest domain is the subdomain windowsdomain.mydomain.com, which also is the domain you'd be delegating...

All this is to redirect the AD dynamic updates to the AD DNS.

There are probably security measures to take as well, as regards what addresses can do what on which DNS.  
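The delegation itself, as it would appear in the internal copy of the parent zone on the BIND server; this is an added illustration, not the original answer's own configuration, and the serial, TTLs, DC host names and addresses are constructed:

```text
; db.mydomain.com.internal (constructed example): parent zone on BIND,
; delegating the AD forest domain windowsdomain.mydomain.com to the DCs.
$TTL 3600
$ORIGIN mydomain.com.
@       IN  SOA  ns1.mydomain.com. hostmaster.mydomain.com. (
                 2007033001 ; serial
                 3600       ; refresh
                 900        ; retry
                 1209600    ; expire
                 300 )      ; negative-cache TTL
        IN  NS   ns1.mydomain.com.
        IN  NS   ns2.mydomain.com.
ns1     IN  A    192.0.2.1
ns2     IN  A    192.0.2.2

; Delegation: NS records for the child domain point at the three Windows DCs
; that run the DNS service. For any name under windowsdomain.mydomain.com
; BIND returns a referral to these servers, so the Windows clients' dynamic
; updates (the source of the DNSAPI errors) are sent to the DCs, not to BIND.
windowsdomain           IN  NS   dc1.windowsdomain.mydomain.com.
windowsdomain           IN  NS   dc2.windowsdomain.mydomain.com.
windowsdomain           IN  NS   dc3.windowsdomain.mydomain.com.

; Glue: the DC names live inside the delegated zone, so the parent must
; carry their addresses or the referral cannot be followed.
dc1.windowsdomain       IN  A    10.0.0.11
dc2.windowsdomain       IN  A    10.0.0.12
dc3.windowsdomain       IN  A    10.0.0.13
```

From a LAN client, `dig +norecurse @ns1.mydomain.com windowsdomain.mydomain.com SOA` should show the DC names in the AUTHORITY section and the glue in the ADDITIONAL section; if the glue is missing, clients inside the LAN can never reach the DCs by referral and will keep retrying their updates against BIND.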
