Why Linux DNS and Windows 2003 Active Directory?

I know the advantages of using a Linux box running BIND as a DNS and a Windows box running as a DC from back in the day, but now I wonder.

Since Windows Server has somewhat evolved over the past few years, I was wondering why you would prefer to still use a Linux DNS or DDNS and a Windows 2003 Server DC.

I want some real opinions and your thoughts on the advantages and disadvantages of this particular type of setup. Also, what do you mostly use: Linux (Red Hat, SUSE, Debian, Slackware) or FreeBSD?

I would like to hear some opinions and experience. Thanks.

Personally, for a LAN I would prefer using DNS on the DC. The rule of thumb is that DNS is installed on every domain controller! It all works a lot better!
The thing is, DNS is a small portion of what Windows AD uses to do its job.  LDAP is actually the main part of what makes up AD.  The only real thing that you can do in AD and not on Linux is GPOs (technically you can with Samba, but as of yet it's still a major pain).  DNS is slightly easier to maintain in Windows IMHO.  However, for remote management I've always preferred Linux, as you can actually accomplish stuff via the command line.   Of course that's going to slowly change now that MS has released PowerShell (still researching that one though).

To come back to the original question though.  If you are looking purely at DNS functionality, I like BIND better.  The logging is easier to read and to break up into easier-to-parse files.  I've never been a fan of the event viewer, just so you know.  Windows is easier to set up and maintain for most trivial tasks.  However, after it's set up, it's maintenance you're going to spend your time on.  And I've always preferred Linux logging myself, as to me it gives more information to troubleshoot issues.

But remember Windows AD depends on DNS, but not vice versa.
Brian Pierce (Photographer) Commented:
Absolutely no reason not to use Windows-based DNS; I'd go for an AD-integrated solution every time. In fact there are many advantages, such as secured dynamic updates, secured replication (replication by Active Directory replication rather than zone XFER), multi-master topology and integration with DHCP, to name but a few.

vaworx (Author) Commented:
OK, so far nothing new, but let's sum up:

* LeviDaily - I am speaking enterprise wise - 800+ clients

* Cyclops3590 - Yep, I know the constant answer to the questions of what AD is and how come it does not work on Linux/*BSD. Yep, DNS is the blood of Active Directory, and that is why I'm still concerned about why in best practices it is still separated onto a Linux box. I wonder what happens if BIND goes down. Would the machines still function using their SIDs? What if you want to update the DDNS but not allow internal computers to be visible to the public?

Ex. you run a domain mydomain.com; you have the Linux box control mydomain.com, then you hook up a Windows forest controlling windowsdomain.mydomain.com, say up to 3 DCs that replicate with each other. What happens with the host names of the machines under windowsdomain.mydomain.com? After all, you don't want to expose workstation.windowsdomain.mydomain.com to the public, but you still want to control its NetBIOS name and perform DDNS, since you don't necessarily want to create reservations for all computers.

* KCTS - I believe you can do secure updates when configuring BIND, especially ver. 9, but there are a few things that I am concrete about, and that is DDNS.

I hope I make sense with all these examples and concerns.
From my understanding, BIND v9 can do pretty much anything Windows DNS can do. But like I said, it's just easier to accomplish in Windows due to the nice GUI interfaces. You just need to find where the tab and the appropriate check boxes are, is all.

When you create an AD, you can have MS auto-create the entire DNS structure needed.  However, everything you need CAN be done on BIND; you just need to know the structure and the entries (a time-intensive process).

SIDs have nothing to do with DNS, so nothing to worry about there.  If the client can't contact the Global Catalog server, then it just uses the locally cached usernames/passwords to verify the user (MS just uses DNS to find the GC servers).

As for protecting subdomains: I'm 99% positive BIND has the capability to create views.  Meaning you essentially have two zones covering the same domain space.  However, one zone can be seen by one set of users, and the second... you get the point.      You can also easily state who has authority to update, query, etc. zones in BIND.  Windows, I have to believe, has this capability as well (I just don't know where it's at).  As of Windows 2003, you can finally do domain-specific forwarding, which has been in BIND for quite some time.

Also, NetBIOS is a per-segment type of technology.  Think WINS.  So you don't have to worry about that going out to the public.

As for DDNS the way you are thinking, BIND can do this.  I've been doing it for a long time.  You just need to ensure that the DHCP service is allowed to modify the DNS zone, is all.  Now, MS does things their own way (when don't they :) so mixing Linux with MS in DDNS can be tricky and, I believe, in some situations even impossible.

Personally I'd go with the Windows DNS for the internal network.  The logging isn't as good, but if you know how to use the DNS tools MS has then you should be able to quell any problems that arise.

My question now is that I'm getting confused as to where the BIND server comes in.  Is this a DNS server that houses your public zone?  If so, I'd recommend keeping it that way: separate from AD.  Have it set up to make the AD authoritative over the windowsdomain.mydomain.com zone, so that it forwards all requests to the Windows DNS.  Then lock it down so BIND only does that for internal workstations.
You should have a private zone for your LAN, like mycompany.local or mycompany.lan, and use mycompany.com only on your public DNS.

Leave the local DNS to AD/Windoze and keep the public DNS on BIND.

NetBIOS names supposedly aren't needed if you go with "pure" <ahem> 2003-mode AD.  The SRV records in AD's DNS should cover that aspect.

You shouldn't even need NetBT, and should be able to forget about WINS... in theory ;)
vaworx (Author) Commented:
Cyclops3590: Thank you for the thorough answer. Yes, BIND is my public zone. DHCP is pointed to the NS server IPs NS1 and NS2. And of course I get the DNSAPI error due to BIND not allowing DDNS on WinXP and Win2k machines, since they try to update it every 30 min to 1 h. How can I make sure that it makes the Windows DC authoritative over windowsdomain.mydomain.com? What would be the appropriate DNS suffixes: mydomain.com, windowsdomain.mydomain.com? What will happen if I have IIS machines on the Windows DC that have to be available from both sides? I think I'm getting lost myself :D
ShineON: I wanted to explore that option, but I am a little scared to migrate all data from the existing setup to the new Win2k3 representation .local. (I have 3 DCs replicating with each other.) In other words, due to the high volume of machines, users and groups, I'm not too sure how painful that could be. So for now I try not to think about it too much.
Actually, I'd have to re-look that up to make sure.  I've never actually worked with a setup exactly like yours.
However, what I'd check at this time is the following.
You have an A record in the parent domain for the child domain.  Then create an NS record for that domain as well.  That should tell BIND that the Windows DNS is the authoritative DNS for that child domain.  However, I have to double-check on that to make sure exactly what the best way is to create that child domain and delegate the authority for it.

says to delegate the following to a Windows 2003 DC running the DNS service:


where DNSDomainName is the parent domain - using your examples, mydomain.com.  I'd assume the forest domain is the subdomain windowsdomain.mydomain.com, which also is the domain you'd be delegating...

All this is to redirect the AD dynamic updates to the AD DNS.

There are probably security measures to take as well, as regards what addresses can do what on which DNS.  
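To make the split described in this thread concrete (BIND views so the public and the LAN see different copies of mydomain.com, the AD child zone delegated to the Windows DCs by NS and glue records, and dynamic updates restricted to the DHCP server), here is an added example configuration. It is not from the original thread or from the BIND or Microsoft documentation; the IP addresses, the ACL ranges, the key name and the TSIG secret are constructed placeholders and would need to be replaced with real values.

```conf
// ---- named.conf (constructed example, not the poster's configuration) ----

// TSIG key shared with the DHCP server; the secret below is a placeholder,
// a real one is generated with tsig-keygen (or dnssec-keygen on older BIND).
key "dhcp-update" {
    algorithm hmac-sha256;
    secret "PLACEHOLDER-BASE64-SECRET==";
};

// Constructed LAN ranges; only these clients get the internal view.
acl "internal" { 10.0.0.0/8; 192.168.0.0/16; 127.0.0.1; };

view "internal" {
    match-clients { internal; };
    recursion yes;          // LAN clients may recurse (needed to follow the delegation below)

    zone "mydomain.com" {
        type master;
        file "internal/mydomain.com.zone";
        // Only a holder of the TSIG key (the DHCP server) may update this zone;
        // workstations cannot write into it directly.
        allow-update { key "dhcp-update"; };
    };
};

view "external" {
    match-clients { any; };
    recursion no;           // public resolver abuse is off the table

    zone "mydomain.com" {
        type master;
        file "external/mydomain.com.zone";   // public hosts only: www, mail, ns1, ns2
        allow-update { none; };
    };
    // No windowsdomain.mydomain.com zone and no delegation here, so
    // workstation.windowsdomain.mydomain.com never resolves from the Internet.
};

// ---- internal/mydomain.com.zone (constructed example) ----
$TTL 3600
@                   IN SOA  ns1.mydomain.com. hostmaster.mydomain.com. (
                            2024010101 ; serial (placeholder)
                            3600       ; refresh
                            900        ; retry
                            604800     ; expire
                            300 )      ; negative-cache TTL
                    IN NS   ns1.mydomain.com.
                    IN NS   ns2.mydomain.com.
ns1                 IN A    10.0.0.2
ns2                 IN A    10.0.0.3

; Delegation: the AD domain controllers are authoritative for the child zone.
; The NS records plus the A (glue) records are the pair Cyclops3590 mentions.
windowsdomain       IN NS   dc1.windowsdomain.mydomain.com.
windowsdomain       IN NS   dc2.windowsdomain.mydomain.com.
dc1.windowsdomain   IN A    10.0.0.10   ; glue for the DC running Windows DNS
dc2.windowsdomain   IN A    10.0.0.11   ; glue for the second DC
```

With this in place, a LAN client asking BIND for anything under windowsdomain.mydomain.com is referred to the DCs, so the Windows machines' own dynamic updates (and the DNSAPI errors that come from sending them to BIND) land on the AD-integrated zone rather than on BIND. If you would rather not rely on recursion, a `zone "windowsdomain.mydomain.com" { type forward; forward only; forwarders { 10.0.0.10; 10.0.0.11; }; }` stanza in the internal view achieves the same redirection. The `allow-update` line only admits the TSIG key that ISC DHCP can present; Windows clients update with GSS-TSIG, which is the "mixing Linux with MS in DDNS" caveat raised above and a further reason to keep their records on the Windows DNS.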
