Integrating Bind and Win2K AD

  • Thread starter Thread starter William Flavin
  • Start date Start date
W

William Flavin

My company has an existing Windows 2000 domain with several domain
controllers. In the past year or so we have deployed many Linux
servers, including 2 registered BIND 9.2.0 DNS servers to host our
internet domains. One of the internet domains uses the same name as
our internal Win2K domain. We have been discussing integrating the 2
systems. I've read a lot about bringing a new Win2K domain into an
existing internal Bind environment, but I haven't seen much
documentation about how it would work in an existing Win2K environment
like we have.

My main concern is that since the Bind DNS servers allow public access
to resolve the internet address, I don't want our internal DNS
information exposed. Is is possible to allow public access to the
public addresses while protecting the internal information? What are
the benefits of integrating these systems? What are the drawbacks?
I've seen in some other posts that the systems should be kept seperate
and forwarders should be used on the Win2K side to resolve the
internet addresses. I'm just looking for some suggestions on how to
procede.
 
WF> Is is possible to allow public access to the
WF> public addresses while protecting the internal
WF> information?

With Microsoft's DNS server: no. With ISC's BIND, yes (assuming a
loose definition of "protecting").

<URL:http://homepages.tesco.net./~J.deBoynePollard/FGA/dns-split-horizon.html>

WF> I've seen in some other posts that the systems should be
WF> kept seperate [...]

Right now, you've set up "split horizon" DNS service with separate
content DNS servers. The only way to do things differently, given
your choice of softwares (you could do other things if you employed
some of the other DNS server softwares available for Linux), would be
to change to having "split horizon" DNS service with multiple
databases, which would involve your switching to using only BIND.
This would have knock-on effects in the areas of DHCP and database
replication; and, given that you have "split horizon" DNS service
already set up, you'd need some reason for doing it.
 
In
William Flavin said:
My company has an existing Windows 2000 domain with several domain
controllers. In the past year or so we have deployed many Linux
servers, including 2 registered BIND 9.2.0 DNS servers to host our
internet domains. One of the internet domains uses the same name as
our internal Win2K domain. We have been discussing integrating the 2
systems. I've read a lot about bringing a new Win2K domain into an
existing internal Bind environment, but I haven't seen much
documentation about how it would work in an existing Win2K environment
like we have.

My main concern is that since the Bind DNS servers allow public access
to resolve the internet address, I don't want our internal DNS
information exposed.

This is a valid concern you should keep you internal DNS serarate from the
public DNS. Use your Win2k DNS for your internal records it is more secure.
All internal clients should use Win2k exclusively.

Is is possible to allow public access to the
public addresses while protecting the internal information?
Possible? maybe, easy? no

What are
the benefits of integrating these systems?
No real benefits

What are the drawbacks?

There could be many drawbacks keep your current setup don't let your
external users access your internal DNS and vice-versa.
 
Back
Top