Why Linux DNS and Windows 2003 Active Directory?

Posted on 2007-03-30
Last Modified: 2008-06-01
I know the advantages of using a Linux box running BIND as a DNS and a Windows box running as a DC from back in the days, but now I wonder.

Since Windows Server has somewhat evolved over the past few years, I was wondering why you would prefer to still use Linux DNS or DDNS and a Windows 2003 Server DC.

I want some real opinions and your thoughts on advantages and disadvantages for this particular type of setup. Also, what do you mostly use: if Linux (Redhat, SUSE, Debian, Slackware), or FreeBSD?

I would like to hear some opinions and experience. Thanks.
Question by:vaworx

Expert Comment

ID: 18827768
Personally, for a LAN I would prefer using DNS on the DC. The rule of thumb is that DNS is installed on every domain controller! It all works a lot better!
LVL 25

Expert Comment

ID: 18827845
The thing is, DNS is a small portion of what Windows AD uses to do its job. LDAP is actually the main part of what makes up AD. The only real thing that you can do in AD and not on Linux is the GPOs (technically you can with Samba, but as of yet it's still a major pain). DNS is slightly easier to maintain in Windows IMHO. However, for remote management, I've always preferred Linux as you can actually accomplish stuff via the command line. Of course that's going to slowly change now that MS has released PowerShell (still researching that one though).

To come back to the original question though: if you are looking purely at DNS functionality, I like BIND better. The logging is easier to read and to break up into easier-to-parse files. I've never been a fan of the event viewer, just so you know. Windows is easier to set up and maintain for most trivial tasks. However, after it's set up, it's maintenance you're going to spend your time on. And I've always preferred Linux logging myself, as to me it gives more information to troubleshoot issues.

But remember Windows AD depends on DNS, but not vice versa.
LVL 70

Expert Comment

ID: 18828150
Absolutely no reason not to use Windows-based DNS; I'd go for an AD-integrated solution every time. In fact there are many advantages, such as secured dynamic updates, secured replication (replication by Active Directory replication rather than zone XFER), multi-master topology and integration with DHCP, to name but a few.
Author Comment

ID: 18828231
Ok so far nothing new, but let's sum up:

* LeviDaily - I am speaking enterprise wise - 800+ clients

* Cyclops3590 - Yep, I know the constant answer to the questions what is AD and how come it does not work on Linux/*BSD. Yep, DNS is the blood of Active Directory, and that is why I'm still concerned about why in best practices it is still separated in a Linux box. I wonder what happens if BIND goes down. Would the machines still function using their SIDs? What if you want to update the DDNS but not allow internal computers to be visible to the public?

Ex. you run a domain, you have the Linux BOX control, then you hook up a Windows forest controlling say up to 3 DCs that replicate each other. What happens with the host names of the machines under After all, you don't want to expose them to the public but yet want to control their NETBIOS and perform DDNS, since you don't necessarily want to create reservations for all computers.

* KCTS - I believe you can do secure updates when configuring BIND, especially ver. 9, but there are a few things that I am concrete about, and that is DDNS.

I hope I make sense with all these examples and concerns.
LVL 25

Expert Comment

ID: 18828625
From my understanding, BIND v9 can do pretty much anything Windows DNS can do. But like I said, it's just easier to accomplish in Windows due to the nice GUI interfaces. Just need to find where the tab and appropriate check boxes are, is all.

When you create an AD, you can have MS auto-create the entire DNS structure needed. However, everything you need CAN be done on BIND; you just need to know the structure and the entries (time-intensive process).

SIDs have nothing to do with DNS, so nothing to worry about there. If the client can't contact the Global Catalog server, then it just uses the locally cached username/passwords to verify the user (MS just uses DNS to find the GC servers).

As for protecting subdomains: I'm 99% positive BIND has the capability to create views, meaning you essentially have two zones covering the same domain space. However, one zone can be seen by one set of users, and the other by another set; you get the point. You can also easily state who has authority to update, query, etc. zones in BIND. Windows, I have to believe, has this capability as well (just don't know where it's at). As of Windows 2003, you can finally do domain-specific forwarding, which has been in BIND for quite some time.

Also, NetBIOS is a per-segment type of technology. Think WINS. So you don't have to worry about that going out to the public.

As for DDNS the way you are thinking, BIND can do this. I've been doing it for a long time. You just need to ensure that the DHCP service is allowed to modify the DNS zone, is all. Now MS does things their own way (when don't they :) ). So mixing Linux with MS in DDNS can be tricky, and I believe in some situations even impossible.

Personally, I'd go with the Windows DNS for the internal network. The logging isn't as good, but if you know how to use the DNS tools MS has, then you should be able to quell any problems that arise.

My question now is, I'm getting confused as to where the BIND server is coming in. Is this a DNS server that houses your public zone? If so, I'd recommend keeping it that way: separate from AD. Have it set up to make the AD authoritative over the zone so that it forwards all requests to the Windows DNS. Then lock it down so BIND only does that for internal workstations.
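The layout this answer sketches (BIND keeps the public zone, DHCP is the only party allowed to push dynamic updates into BIND, and anything under the AD domain is handed to the Windows DNS for internal clients only) maps onto a BIND 9 named.conf with two views. The fragment below is an added example written for this thread, not configuration from any poster; every name and address in it is a constructed placeholder (example.com as the public zone, ad.example.com as the AD child domain, 192.0.2.10 as the Windows DC, 10.0.0.0/8 as the internal network, and a dummy TSIG secret):

```conf
// Added example, not from the thread: BIND 9 named.conf sketch for
// "public BIND + AD-integrated Windows DNS".  Placeholders (constructed):
//   example.com      public zone hosted on BIND
//   ad.example.com   AD child domain, authoritative on the Windows DC
//   192.0.2.10       Windows DC running the DNS service
//   10.0.0.0/8       internal workstations and the DHCP server

acl "internal" { 10.0.0.0/8; 127.0.0.1; };

// TSIG key shared with the DHCP server: only updates signed with it are
// accepted, which is the "DHCP is allowed to modify the zone" rule above.
// Generate a real secret with `tsig-keygen dhcp-update` (BIND 9.11+).
key "dhcp-update" {
    algorithm hmac-sha256;
    secret "REPLACE-WITH-BASE64-SECRET-FROM-tsig-keygen";
};

view "internal" {
    match-clients { "internal"; };
    recursion yes;                 // needed for the forward zone below

    // Internal copy of the zone: DHCP may add or remove host records
    // anywhere below example.com, but only with a signed update.
    zone "example.com" {
        type master;
        file "internal/example.com.zone";
        update-policy { grant dhcp-update zonesub ANY; };
    };

    // The AD child domain belongs to the Windows DC.  BIND never answers
    // for it; it forwards, so Windows clients' self-registration (the
    // DDNS updates BIND would otherwise refuse) lands on the DC.
    zone "ad.example.com" {
        type forward;
        forward only;
        forwarders { 192.0.2.10; };
    };
};

view "external" {
    match-clients { any; };
    recursion no;                  // public authoritative server: no recursion

    // Public copy of the zone: no dynamic updates, no internal host names,
    // zone transfers only to listed secondaries (none here).
    zone "example.com" {
        type master;
        file "external/example.com.zone";
        allow-update { none; };
        allow-transfer { none; };
    };
    // No ad.example.com zone in this view: outside clients only ever see
    // the public zone file, so the DC's records are never exposed.
};
```

The two views share a zone name but point at different zone files, which is what keeps internal host names out of the public answer set. The key is defined once at top level and referenced from the internal view's `update-policy`; `zonesub` scopes the grant to names under the zone in which it appears, so the same statement can be reused in other zones without retyping the name. `named-checkconf` will validate the file before a reload.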
LVL 35

Expert Comment

ID: 18830818
You should have a private zone for your LAN, like mycompany.local or mycompany.lan, and use only on your public DNS.

Leave the local DNS to AD/Windoze and keep the public DNS on BIND.

NetBIOS names supposedly aren't needed if you go with "pure" <ahem> 2003-mode AD.  The SRV records in AD's DNS should cover that aspect.

You shouldn't even need NetBT, and should be able to forget about WINS... in theory ;)

Author Comment

ID: 18849135
Cyclops3590: Thank you for the thorough answer. Yes, BIND is my public zone. DHCP is pointed to the NS server IPs NS1 and NS2. And of course I get the DNSAPI error due to BIND not allowing DDNS on WinXP and Win2k machines, since they try to update it every 30 min to 1 h. How can I make sure that it makes the Windows DC authoritative over the What would be the appropriate DNS suffixes:, ? What will happen if I have IIS machines on the Windows DC that have to be available from both sides? I think I'm getting lost myself :D
ShineOn: I wanted to explore that option, but I am a little scared to migrate all data from the existing setup to the new Win2k3 representation .local. (I have 3 DCs replicating each other.) In other words, due to the high volume of machines, users and groups, I'm not too sure how painful that could be. So for now I try not to think about it too much.
LVL 25

Expert Comment

ID: 18849803
Actually, I'd have to re-look that up to make sure. I've never actually worked with a setup exactly like yours.
However, what I'd check at this time is the following.
You have an A record in the parent domain for the child domain. Then create an NS record for that domain as well. That should tell BIND that the Windows DNS is the authoritative DNS for that child domain. However, I have to double-check on that to make sure exactly what the best way is to create that child domain and delegate the authority for it.
LVL 35

Accepted Solution

ShineOn earned 500 total points
ID: 18851595

says to delegate the following to a Windows 2003 DC running the DNS service:


where DNSDomainName is the parent domain - using your examples,  I'd assume the forest domain is the subdomain, which also is the domain you'd be delegating...

All this is to redirect the AD dynamic updates to the AD DNS.

There are probably security measures to take as well, as regards what addresses can do what on which DNS.  
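The delegation the last two comments describe (an NS record for the child domain in the parent zone, plus an A record for the DC so resolvers can find it) looks like this in the parent's zone file on BIND. This is an added example for the thread, not the Microsoft article's text or any poster's zone; the names, addresses and serial are constructed placeholders (example.com as the parent zone held on BIND, ad.example.com as the AD domain, dc1.ad.example.com at 192.0.2.10 as the Windows 2003 DC running DNS, ns1/ns2 as the BIND servers):

```conf
; Added example, not from the thread: internal copy of the parent zone on
; BIND, delegating the AD child domain to the Windows 2003 DC.
; Placeholders (constructed):
;   example.com         parent zone held on BIND
;   ad.example.com      AD domain, authoritative on the Windows DC
;   dc1.ad.example.com  the DC running the DNS service, at 192.0.2.10
$ORIGIN example.com.
$TTL 3600
@       IN  SOA  ns1.example.com. hostmaster.example.com. (
                2007033001 ; serial (YYYYMMDDnn)
                7200       ; refresh
                900        ; retry
                1209600    ; expire
                300 )      ; negative-cache TTL
        IN  NS   ns1.example.com.
        IN  NS   ns2.example.com.
ns1     IN  A    10.0.0.53
ns2     IN  A    10.0.0.54

; Delegation: the child domain's NS record points at the DC ...
ad      IN  NS   dc1.ad.example.com.
; ... and a glue A record is required, because the name server's own name
; lies inside the zone being delegated and could not be resolved otherwise.
dc1.ad  IN  A    192.0.2.10
```

With this in place, a query for anything under ad.example.com that reaches BIND is referred to the DC, and the Windows clients' dynamic updates follow the SOA of the child zone to the DC rather than to BIND. The public copy of the zone file simply omits the two `ad` lines, so the delegation (and the DC's address) is visible only to internal resolvers. `named-checkzone example.com <file>` checks the file, and on the DC side the zone should be AD-integrated with secure dynamic updates only, which is the "what addresses can do what on which DNS" measure mentioned above.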
