AD and DNS

Gregory Liskey

We currently have a Linux-based DNS in our JMU.EDU infrastructure. In setting up our AD we set up an authoritative DNS in our Windows 2003 AD for our JMU.EDU root domain for MS AD. Any resources that are not in the MS AD DNS do not resolve (we understand why). So to get the resources to resolve we entered the Linux DNS as our second DNS entry on the client machines and the AD DNS as the primary. Our question is: would it be better to not run DNS on the AD servers and use our existing Linux DNS, or will there be drawbacks later down the road from not using MS DNS?

We did set up forwarding on the AD DNS servers and pointed it to the Linux DNS, and that does let reverse lookups occur, but it does not seem to forward name lookups because the AD is authoritative and does not forward to the Linux DNS.
 
Gregory Liskey said:
We currently have a Linux-based DNS in our JMU.EDU infrastructure. In setting up our AD we set up an authoritative DNS in our Windows 2003 AD for our JMU.EDU root domain for MS AD. Any resources that are not in the MS AD DNS do not resolve (we understand why). So to get the resources to resolve we entered the Linux DNS as our second DNS entry on the client machines and the AD DNS as the primary. Our question is: would it be better to not run DNS on the AD servers and use our existing Linux DNS, or will there be drawbacks later down the road from not using MS DNS?

Using MS DNS is probably your best bet, if you're thinking long-term. Why not just move the entries from the Linux-based system to the AD zone?

Gregory Liskey said:
We did set up forwarding on the AD DNS servers and pointed it to the Linux DNS, and that does let reverse lookups occur, but it does not seem to forward name lookups because the AD is authoritative and does not forward to the Linux DNS.

Right, this is generally how name servers work. If a query is issued to a server that has a forward lookup zone matching the domain name in question, then requests that cannot be resolved are not forwarded. However, I do believe that you *can* force 2003 to do this. You may want to dig (no pun intended) around in the archives and KB.
 
I would pick one and stick with that.
A couple of things.
1) As you know, any DNS server (Unix included) will not forward requests for unknown records in zones it is authoritative for.
2) Your clients are pointing to two different namespaces, which is not good. They must all point to the w2k or to the Unix, but not both (unless they both contain all the same records).

So your question is which one to use. Naturally, we are fond of w2k(3) DNS. It integrates nicely with DHCP, client updates, management, etc. BIND can work, however, if you really want to go that route. If all your clients will be Windows-based and members of the AD, then I would look really hard at the MS DNS. You can keep the public stuff in the DMZ on Linux boxes if you want, and that may keep the Unix folks happy. If you have static names/IPs today, you can add them to the MS DNS manually (cut and paste) or pull them over by creating a secondary zone first and then upgrading it to primary or AD-integrated. If you have a few public records in the DMZ and you don't want to worry about keeping them in sync with the private zone, then you could also add delegations for each record in the private zone which point to the external server. In short, I would really tend to stay with the MS product unless you can define good reasons not to. HTH

--wjs, DNS MVP
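The check behind wjs's second point ("unless they both contain all the same records"), as an added example that is not from the thread: a small Python script that sends raw UDP queries (no third-party resolver library) to each DNS server for a list of names and reports where the answers differ. The reason this matters for the original setup is that a stub resolver treats NXDOMAIN from the primary server as a final, authoritative answer and does not retry the secondary; it only fails over on timeout or SERVFAIL. So a name present only on the Linux server resolves or fails depending on which server answered first. The server addresses 10.0.0.1 and 10.0.0.2, the sample name www.jmu.edu and the responses built by `make_response` are constructed assumptions, not data from the post.

```python
"""
Added example (not from the thread or from any named project): compare A-record
answers across two DNS servers so a split namespace can be detected before
clients are pointed at both. Server IPs and sample names are assumptions.
"""
import random
import socket
import struct

RCODE_NAMES = {0: "NOERROR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}


def build_query(name, qtype=1, txid=None):
    """Build a DNS query (RD=1) for `name`; type A (1) by default."""
    txid = random.randrange(0x10000) if txid is None else txid
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.rstrip(".").split("."))
    return header + qname + b"\x00" + struct.pack("!HH", qtype, 1)


def read_name(msg, off):
    """Decode a possibly-compressed owner name; return (name, offset after it)."""
    labels, jumped, end = [], False, off
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:  # compression pointer to an earlier name
            ptr = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            if not jumped:
                end = off + 2
            off, jumped = ptr, True
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode())
        off += length
    if not jumped:
        end = off
    return ".".join(labels), end


def parse_response(msg):
    """Return (rcode name, sorted list of A-record IPs) from a DNS response."""
    _txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    rcode = RCODE_NAMES.get(flags & 0xF, str(flags & 0xF))
    off = 12
    for _ in range(qd):            # skip the echoed question section
        _, off = read_name(msg, off)
        off += 4
    ips = []
    for _ in range(an):
        _, off = read_name(msg, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:
            ips.append(".".join(str(b) for b in msg[off:off + 4]))
        off += rdlen
    return rcode, sorted(ips)


def make_response(query_pkt, rcode, ips, ttl=300):
    """Constructed test response to `query_pkt` (not captured from a real server)."""
    txid = struct.unpack("!H", query_pkt[:2])[0]
    header = struct.pack("!HHHHHH", txid, 0x8180 | rcode, 1, len(ips), 0, 0)
    answers = b"".join(
        b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, ttl, 4)
        + bytes(int(x) for x in ip.split("."))
        for ip in ips)
    return header + query_pkt[12:] + answers


def query(server, name, timeout=2.0):
    """Send one query over UDP; a timeout is reported as its own pseudo-rcode."""
    txid = random.randrange(0x10000)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name, txid=txid), (server, 53))
        try:
            data, _ = s.recvfrom(4096)
        except socket.timeout:
            return "TIMEOUT", []
    if struct.unpack("!H", data[:2])[0] != txid:   # ignore mismatched/spoofed IDs
        return "BADID", []
    return parse_response(data)


def compare(results):
    """results: {name: {server: (rcode, ips)}} -> list of inconsistency lines.
    NXDOMAIN on one server and an answer on another is the dangerous case:
    a stub resolver takes NXDOMAIN as final and does not try the next server."""
    problems = []
    for name, per_server in sorted(results.items()):
        distinct = {(rc, tuple(ips)) for rc, ips in per_server.values()}
        if len(distinct) <= 1:
            continue
        rcodes = {rc for rc, _ in per_server.values()}
        tag = ("NXDOMAIN on one server, clients will not fail over"
               if {"NXDOMAIN", "NOERROR"} <= rcodes else "answers differ")
        detail = "; ".join(f"{srv}: {rc} {ips}" for srv, (rc, ips) in sorted(per_server.items()))
        problems.append(f"{name}: {tag} ({detail})")
    return problems


if __name__ == "__main__":
    import sys
    servers = ["10.0.0.1", "10.0.0.2"]      # assumed: AD DNS and Linux DNS
    names = sys.argv[1:] or ["www.jmu.edu"]  # assumed sample name
    results = {n: {s: query(s, n) for s in servers} for n in names}
    for line in compare(results) or ["no differences found"]:
        print(line)
```

Run it with the full list of hostnames clients depend on; any line tagged "will not fail over" is a record that must be copied into the zone clients use as primary (or the clients moved to a single namespace, as wjs recommends) before the two-server configuration is left in place.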
 