BIND DNS "v" Microsoft DNS or both??

[Paul]

Hi

Hears the rundown. We currently have a Windows 2000 AD
Domain running in mixed mode with 4 DC running Active
Directory Integrated DNS. The authoritative DNS is running
BIND version 4.9.7.

The way it is setup is the 4 DC have the IP addresses of
the Microsoft DNS so it can do the dynamic updates for all
the AD stuff.

And all the other query's are sent via the forwarder tab
in the MS DNS to the IP address of the BIND DNS which dose
not accept Dynamic updates so all the host records are
added manually.

All I need is some advice as this is something I am due to
take over or help in the planning and in my opinion it's a
right mess! Bellow is what I need advice on?

1) My most concerning problem is that because the
BIND DNS is the authoritative DNS and it holds all the
manually entered host records for all the workstations ect
I don't know how easy I will be able to make a switch to
the Microsoft DNS.

2) Is a Microsoft DNS possible without two much
downtime as all the clients have static addresses and
there is about 1000 workstations with varying OSs.

3) We could update BIND to version 8.2.1 that accepts
Dynamic updates and incremental zone transfers. This would
be possible I know, but personally I wanted to get rid of
the BIND DNS. Unless you think I shouldn't???

The way I have thought of doing it is to implement DHCP at
the same time and a Microsoft DNS and setting the DHCP to
register the legacy OS DNS entry's and then going round
each department to change there computer setting from a
manual static IP to DHCP and then finally when all the
hosts have registered I can then just keep that setup.

This is doing my brain in at the moment and I am not a top
man on DNS setup so if you could suggest anything or have
good advice on the migration you will be doing me a big
big favour.

Sorry if this makes no sense

Thanks

Paul

 

[Herb Martin]

Hears the rundown. We currently have a Windows 2000 AD

Domain running in mixed mode with 4 DC running Active
Directory Integrated DNS. The authoritative DNS is running
BIND version 4.9.7.

If the 4-DCs hold the zone they then are definitely AUTHORITATIVE.
In fact they are the Masters and you should have no "BIND Primary"
unless it is a shadow zone.

Even secondaries (of a zone) are authoritative.

The way it is setup is the 4 DC have the IP addresses of
the Microsoft DNS so it can do the dynamic updates for all
the AD stuff.

And all the other query's are sent via the forwarder tab
in the MS DNS to the IP address of the BIND DNS which dose
not accept Dynamic updates so all the host records are
added manually.

You are confusing an authoritative server (dynamic updates) with
a caching/recursion service (forwarding lookups).

Although they are frequently handled on the "same" physical server
it is best to think of these roles separately and many DNS gurus
argue for SPLITING them to different process or different servers.

All I need is some advice as this is something I am due to
take over or help in the planning and in my opinion it's a
right mess! Bellow is what I need advice on?

1) My most concerning problem is that because the
BIND DNS is the authoritative DNS and it holds all the
manually entered host records for all the workstations ect
I don't know how easy I will be able to make a switch to
the Microsoft DNS.

Every time you say "authoritative" do you really mean the Primary
Master?

You should only be using 2-Primaries or 1-Primary with 1 AD Integrated
set if the external Primary is being used for external access of (limited)
public records (not needing "dynamic" updates usually either.)

The Primary is really a SEPARATE zone that has the same name and
shares (a few) records: external resources only.

When an external resource record is changed or added you add it manually
to both internal and external, but you keep internal resources registered
ONLY internally (either manually or dynamically but usually with a mix.)

2) Is a Microsoft DNS possible without two much
downtime as all the clients have static addresses and
there is about 1000 workstations with varying OSs.

You probably aren't doing it correctly. What are you trying to
accomplish? Don't mix dynamic AD-set directly with another
primary of the same zone.

3) We could update BIND to version 8.2.1 that accepts
Dynamic updates and incremental zone transfers. This would
be possible I know, but personally I wanted to get rid of
the BIND DNS. Unless you think I shouldn't???

Stop using BIND for internal Win2000 support. Use BIND
for external (shadow) zone and for perhaps forwarding internal
requests to resolve names in the Internet namespace.

 

[Michael Johnston [MSFT]]

Well, the first issue is that if the zone is AD integrated on the Windows 2000 DNS server, then these servers think that they are authoritative for this zone. Since
the BIND box also thinks it's authoritative, this is basically a split horizon DNS setup and can be very problematic. Our suggestion would be to point everyone
to the Windows 2000 DNS servers only. Clients that support dynamic updates, will register their records in DNS even though they are statically configured if
the option to register is enabled. DHCP can also be imployed and would certainly ease the administration of your IP addresses. DHCP can also be used to
dynamically register clients that do not support dynamic registration. The only thing to worry about then would be machines that will remain as static IP clients
but do not support dynamic updates. You will have to manually add their host records to DNS. You may want to keep the BIND DNS around to host your
external name space if you have one. You'd certainly want to keep the externally access resources seperate from your internal name space.

Thank you,
Mike Johnston
Microsoft Network Support
--

This posting is provided "AS IS" with no warranties, and confers no rights. Use of included script samples are subject to the terms specified at
http://www.microsoft.com/info/cpyright.htm

Note: For the benefit of the community-at-large, all responses to this message are best directed to the newsgroup/thread from which they originated.

 

[Jeff Cochran]

Hi

Hears the rundown. We currently have a Windows 2000 AD
Domain running in mixed mode with 4 DC running Active
Directory Integrated DNS. The authoritative DNS is running
BIND version 4.9.7.

The way it is setup is the 4 DC have the IP addresses of
the Microsoft DNS so it can do the dynamic updates for all
the AD stuff.

And all the other query's are sent via the forwarder tab
in the MS DNS to the IP address of the BIND DNS which dose
not accept Dynamic updates so all the host records are
added manually.

All I need is some advice as this is something I am due to
take over or help in the planning and in my opinion it's a
right mess! Bellow is what I need advice on?

1) My most concerning problem is that because the
BIND DNS is the authoritative DNS and it holds all the
manually entered host records for all the workstations ect
I don't know how easy I will be able to make a switch to
the Microsoft DNS.

It's not hard, but I don't know your level of DNS expertise. You
could just change the authority to one of your DC's and pull the plug
on the Bind server in most cases. Heck, even if you don't change the
authority, you'd still likely be fine for most work.

2) Is a Microsoft DNS possible without two much
downtime as all the clients have static addresses and
there is about 1000 workstations with varying OSs.

Bummer. I detest static addresses on workstations, and they're not
needed, but you already have all the resolution you need with the W2K
DC's and AD Integrated DNS.

3) We could update BIND to version 8.2.1 that accepts
Dynamic updates and incremental zone transfers. This would
be possible I know, but personally I wanted to get rid of
the BIND DNS. Unless you think I shouldn't???

I like Bind. I like Microsoft's DNS. I detest running both together.
Dump Bind since you're an all-Microsoft shop it looks like.

The way I have thought of doing it is to implement DHCP at
the same time and a Microsoft DNS and setting the DHCP to
register the legacy OS DNS entry's and then going round
each department to change there computer setting from a
manual static IP to DHCP and then finally when all the
hosts have registered I can then just keep that setup.

Script it. Plenty of login script samples in your favorite scripting
language to handle the change to DHCP once you have the scopes
defined.

This is doing my brain in at the moment and I am not a top
man on DNS setup so if you could suggest anything or have
good advice on the migration you will be doing me a big
big favour.

If it works, don't fret. test ona select few systems under easy
control, then roll it out before you remove the BIND server. Changing
authority is easy enough, and painless, and probably not an issue even
if you wait.

Sorry if this makes no sense

Makes lots of sense. Most decent DNS admins were at your stage at
lest once in their careers. Heck, this is just normal admin life.

Jeff

 

[Kenneth Porter]

I run both BIND and Win2k DNS, and have a heterogenous network.

1) My most concerning problem is that because the
BIND DNS is the authoritative DNS and it holds all the
manually entered host records for all the workstations ect
I don't know how easy I will be able to make a switch to
the Microsoft DNS.

You should be able to directly import the zone files into MS DNS. Whether
you want to move all records into the MS DNS really depends on your
network topology and your desired namespace layout.

2) Is a Microsoft DNS possible without two much
downtime as all the clients have static addresses and
there is about 1000 workstations with varying OSs.

Since all addresses are static, this just requires importing the zone
files. Check for any "exotic" record types. There are a few that MS DNS
can't handle, like LOC (handy mainly for publically-accessible hosts),
but the common record types are all supported.

3) We could update BIND to version 8.2.1 that accepts
Dynamic updates and incremental zone transfers. This would
be possible I know, but personally I wanted to get rid of
the BIND DNS. Unless you think I shouldn't???

If you keep BIND, update to the latest version from the v9 branch. It's a
complete re-design and BIND 8 is essentially feature-frozen. Or as others
have suggested, use MS DNS for all internal DNS, and retain BIND only for
external queries. (Note that you don't need forwarding, unless you want a
site-wide cache, and that can be on a single MS server. Root hints works
quite well and eliminates dependence on forwarders.)

The way I have thought of doing it is to implement DHCP at
the same time and a Microsoft DNS and setting the DHCP to
register the legacy OS DNS entry's and then going round
each department to change there computer setting from a
manual static IP to DHCP and then finally when all the
hosts have registered I can then just keep that setup.

I strongly recommend using DHCP, esp. when managing more than a few
clients. If something needs a static address, use a DHCP reservation, not
local configuration. Only the main servers need locally-assigned IP
addresses.

You mention non-MS clients. If you have (for instance) Linux clients that
can run the ISC DHCP client, you can run a small Linux box with its own
copy of BIND 9. Delegate a piece of address space and a DNS subdomain to
this server, and have all the non-MS clients register with this DNS
server in their DHCP client script. (This DNS server will also manage the
reverse space for its address block, to eliminate the cross-platform
security issue caused by MS' failure to implement the compatibility
secure update protocol.)