Why Linux DNS and Windows 2003 Active Directory?

Posted on 2007-03-30
Medium Priority
Last Modified: 2008-06-01
I know the advantages of using a Linux box running BIND as a DNS server and a Windows box running as a DC from back in the day, but now I wonder.

Since Windows Server has somewhat evolved over the past few years, I was wondering why you would still prefer to use Linux DNS or DDNS alongside a Windows 2003 Server DC.

I want some real opinions and your thoughts on the advantages and disadvantages of this particular type of setup. Also, what do you mostly use: Linux (Red Hat, SUSE, Debian, Slackware) or FreeBSD?

I would like to hear some opinions and experience. Thanks.
Question by: vaworx
Expert Comment

ID: 18827768
Personally, for a LAN I would prefer using DNS on the DC. The rule of thumb is that DNS is installed on every domain controller! It all works a lot better!
LVL 25

Expert Comment

ID: 18827845
The thing is, DNS is a small portion of what Windows AD uses to do its job.  LDAP is actually the main part of what makes up AD.  The only real thing that you can do in AD and not on Linux is the GPOs (technically you can with Samba, but as of yet it's still a major pain).  DNS is slightly easier to maintain in Windows IMHO.  However, for remote management, I've always preferred Linux as you can actually accomplish stuff via the command line.   Of course that's going to slowly change now that MS has released PowerShell (still researching that one though).

To come back to the original question though.  If you are looking purely at DNS functionality, I like BIND better.  The logging is easier to read and break up into easier-to-parse files.  I've never been a fan of the event viewer, just so you know.  Windows is easier to set up and maintain for most trivial tasks.  However, after it's set up, it's maintenance you're going to spend your time on.  And I've always preferred Linux logging myself, as to me it gives more information to troubleshoot issues.

But remember: Windows AD depends on DNS, but not vice versa.
LVL 70

Expert Comment

ID: 18828150
Absolutely no reason not to use Windows based DNS, I'd go for an AD integrated solution every time. In fact there are many advantages such as secured dynamic updates, secured replication (replication by Active Directory Replication rather than zone XFER), multi-master topology and integration with DHCP, to name but a few.

Author Comment

ID: 18828231
Ok so far nothing new, but let's sum up:

* LeviDaily - I am speaking enterprise wise - 800+ clients

* Cyclops3590 - Yep, I know the constant answer to the questions of what AD is and how come it does not work on Linux/*BSD. Yep, DNS is the blood of Active Directory, and that is why I'm still concerned about why in best practices it is still separated onto a Linux box. I wonder what happens if BIND goes down. Would the machines still function using their SIDs? What if you want to update the DDNS but not allow internal computers to be visible to the public?

Ex. you run a domain mydomain.com, you have the Linux box control mydomain.com, then you hook up a Windows forest controlling windowsdomain.mydomain.com, say up to 3 DCs that replicate with each other. What happens with the host names of the machines under windowsdomain.mydomain.com? After all, you don't want to expose workstation.windowsdomain.mydomain.com to the public, but you still want to control its NetBIOS name and perform DDNS, since you don't necessarily want to create reservations for all computers.

* KCTS - I believe you can do secure updates when configuring BIND, especially version 9, but there are a few things that I am concrete about, and that is DDNS.

I hope I make sense with all these examples and concerns.
LVL 25

Expert Comment

ID: 18828625
From my understanding,  BIND v9 can do pretty much anything Windows DNS can do. But like I said, it's just easier to accomplish in Windows due to the nice GUI interfaces. Just need to find where the tab and appropriate check boxes are is all.

When you create an AD, you can have MS auto-create the entire DNS structure needed.  However, everything you need CAN be done on BIND, you just need to know the structure and the entries (time intensive process).

SIDs have nothing to do with DNS, so nothing to worry about there.  If the client can't contact the Global Catalog server, then it just uses the locally cached username/passwords to verify the user (MS just uses DNS to find the GC servers).

As for protecting subdomains.  I'm 99% positive BIND has the capability to create views.  Meaning you essentially have two zones covering the same domain space.  However, one zone can be seen by one set of users, and the second....you get the point.      You can also easily state who has authority to update, query, etc. zones in BIND.  Windows I have to believe has this capability as well (just don't know where it's at).  As of Windows 2003, you can finally do domain specific forwarding, which has been in BIND for quite some time.

Also, NetBIOS is a per segment type of technology.  Think WINS.  So you don't have to worry about that going out to the public.

As for DDNS the way you are thinking, BIND can do this.  I've been doing it for a long time.  You just need to ensure that the DHCP service is allowed to modify the DNS zone is all.  Now MS does things their own way (when don't they? :)  So mixing Linux with MS in DDNS can be tricky, and I believe in some situations even impossible.  

Personally I'd go with the Windows DNS for the internal network.  The logging isn't as good, but if you know how to use the DNS tools MS has, then you should be able to quell any problems that arise.

My question now is I'm getting confused as to where the BIND server is coming in.  Is this a DNS server that houses your public zone?  If so, I'd recommend keeping it that way; separate from AD.  Have it set up to make the AD authoritative over the windowsdomain.mydomain.com zone so that it forwards all requests to the Windows DNS.  Then lock it down so BIND only does that for internal workstations.
LVL 35

Expert Comment

ID: 18830818
You should have a private zone for your LAN, like mycompany.local or mycompany.lan, and use mycompany.com only on your public DNS.

Leave the local DNS to AD/Windoze and keep the public DNS on BIND.

NetBIOS names supposedly aren't needed if you go with "pure" <ahem> 2003-mode AD.  The SRV records in AD's DNS should cover that aspect.

You shouldn't even need NetBT, and should be able to forget about WINS... in theory ;)

Author Comment

ID: 18849135
Cyclops3590: Thank you for the thorough answer. Yes, BIND is my public zone. DHCP is pointed to the NS server IPs NS1 and NS2. And of course I get the DNSAPI error due to BIND not allowing DDNS on WinXP and Win2k machines, since they try to update it every 30 min to 1 h. How can I make sure that it makes the Windows DC authoritative over windowsdomain.mydomain.com? What would be the appropriate DNS suffixes: mydomain.com, windowsdomain.mydomain.com? What will happen if I have IIS machines on the Windows DC that have to be available from both sides? I think I'm getting lost myself :D
ShineOn: I wanted to explore that option, but I am a little scared to migrate all data from the existing setup to the new Win2k3 representation .local. (I have 3 DCs replicating with each other.) In other words, due to the high volume of machines, users and groups, I'm not too sure how painful that could be. So for now I try not to think about it too much.
LVL 25

Expert Comment

ID: 18849803
Actually, I'd have to re-look that up to make sure.  I've never actually worked with a setup exactly like yours.
However, what I'd check at this time is the following.
You have an A record in the parent domain for the child domain.  Then create an NS record for that domain as well.  That should tell BIND that the Windows DNS is the authoritative DNS for that child domain.  However, I have to double check on that to make sure exactly what the best way is to create that child domain and delegate the authority for it.
LVL 35

Accepted Solution

ShineOn earned 2000 total points
ID: 18851595

says to delegate the following to a Windows 2003 DC running the DNS service:


where DNSDomainName is the parent domain - using your examples, mydomain.com.  I'd assume the forest domain is the subdomain windowsdomain.mydomain.com, which also is the domain you'd be delegating...

All this is to redirect the AD dynamic updates to the AD DNS.

There are probably security measures to take as well, as regards what addresses can do what on which DNS.  
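One way to lay out the delegation the accepted answer and the earlier NS/A-record comment describe, as an added example that is not from the thread or from Microsoft's documentation: BIND 9 named.conf and zone-file excerpts in which the parent zone mydomain.com delegates windowsdomain.mydomain.com to two DCs with NS records plus glue A records, placed in an internal view so that the delegation (and the workstation names behind it) is never served to public resolvers. All addresses, host names and the serial number are constructed for the example.

```text
// named.conf (added example): split-horizon BIND 9. Only the internal view
// carries the AD delegation; the external view serves the public zone as before.
// Assumed (constructed): LAN is 10.0.0.0/8, the DCs are 10.0.0.11 and 10.0.0.12.
acl "lan" { 10.0.0.0/8; 127.0.0.1; };

view "internal" {
    match-clients { "lan"; };
    recursion yes;
    zone "mydomain.com" {
        type master;
        file "internal/mydomain.com.zone";   // parent zone with the delegation below
        allow-update { none; };              // Windows hosts register with AD DNS, not here
    };
};

view "external" {
    match-clients { any; };
    recursion no;
    zone "mydomain.com" {
        type master;
        file "external/mydomain.com.zone";   // public records only; no windowsdomain NS
        allow-update { none; };
    };
};

; internal/mydomain.com.zone (added example): parent zone delegating the AD forest root
$TTL 3600
@                 IN SOA ns1.mydomain.com. hostmaster.mydomain.com. (
                      2007033001 ; serial (constructed)
                      3600 900 604800 300 )
@                 IN NS  ns1.mydomain.com.
@                 IN NS  ns2.mydomain.com.
ns1               IN A   10.0.0.1
ns2               IN A   10.0.0.2
; Delegation: NS records hand windowsdomain.mydomain.com to the DCs ...
windowsdomain     IN NS  dc1.windowsdomain.mydomain.com.
windowsdomain     IN NS  dc2.windowsdomain.mydomain.com.
; ... and glue A records let resolvers reach the DCs, whose names live inside the delegated zone.
dc1.windowsdomain IN A   10.0.0.11
dc2.windowsdomain IN A   10.0.0.12
```

From a LAN address, `dig @ns1.mydomain.com NS windowsdomain.mydomain.com` should return the two dc NS records with their glue, while the same query from outside gets NXDOMAIN from the external view, which has no such name.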
