Re: DNS & AD
- From: "Ace Fekay [MCT]" <aceman@xxxxxxxxxxxxxxxxxxxxxxx>
- Date: Wed, 4 Nov 2009 11:03:31 -0500
"Rich Crandall" <initialAssist@xxxxxxxxxx> wrote in message
news:D8126408-39DF-4F3C-AA8B-77089CDB75C9@xxxxxxxxxxxxxxxx
let me start by saying that BIND is a fine product. in fact, msft's dns
implementation is built off of a BIND implementation (i believe it's 8 but i
am terrible with numbers).
here is a short list of pros / cons. it is by no means comprehensive but it
should get you started. one thing that we'd need before we can give you a
better answer is what microsoft os you are looking to run dns on.
pros:
secure dynamic updates provides the strongest level of GSS-TSIG keys
multimaster update ability
simplified replication among dns servers
simplified ipsec integration
cons:
if dns fails, ad will (may) fail and conversely, if ad fails, dns will fail
(this is typically easily mitigated by proper configuration)
no TSIG support for zone transfers
IP-based configuration not available.
--
hth.
/rich
Just to collaborate on the BIND build, Microsoft DNS is loosely based on
BIND 8.3.
As far as the pros are concerned, Microsoft DNS with secure updates set
uses Kerberos for security authentication, and RPC encryption, unlike BIND,
that uses TSIG, which of course the two are incompatible with each other.
This is one of my main reasons, besides the ease of deployment,
configuration and the AD Integration feature (which stores the actual DNS
zone data into the AD database and not a simple text file as with BIND or
standard zones), that I prefer Microsoft DNS for an AD infrastructure.
Also to clarify, one of the key features using AD Integrated zones (besides
being securely stored in the AD database) is multimaster design because
the zone data in the AD database is replicated to other DCs based on its
replication scope to either other DCs in the domain or forest wide. Each
DC/DNS in an AD integrated zone scenario acts as a Primary DNS server, hence
the multi-master feature (that some may also refer to as multi-Primary zone
feature). This allows each DC that has DNS installed to become the SOA when
an update is sent to it from a resource that is using that specific DNS
server. The updated or added record, or deletion, is replicated, as well as
the SOA info from the server that updated it. That's why if one were to look
and keep track, you can see the SOA data change based on any refreshed zone
data that was received from another DC during replication.
Implementing BIND will work, too, but with the above features, my
preferences are for Microsoft DNS.
--
Ace
This posting is provided "AS-IS" with no warranties or guarantees and
confers no rights.
Please reply back to the newsgroup or forum for collaboration benefit among
responding engineers, and to help others benefit from your resolution.
Ace Fekay, MCT, MCITP EA, MCTS Windows 2008 & Exchange 2007, MCSE & MCSA
2003/2000, MCSA Messaging 2003
Microsoft Certified Trainer
For urgent issues, please contact Microsoft PSS directly. Please check
http://support.microsoft.com for regional support phone numbers.
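The SOA-per-DC behaviour and the secure-update setting described in Ace's reply can be checked from an admin workstation. The following is an added example, not code from the thread: it assumes a placeholder zone name and DC list, the DnsServer module (RSAT, Server 2012 or later) and Resolve-DnsName.

```powershell
# Added example (not from the thread). Placeholders: zone name and DC hostnames.
# Requires Resolve-DnsName and the DnsServer module (RSAT / Windows Server 2012+).
$Zone = 'corp.example.com'          # placeholder zone name
$Dcs  = 'dc1', 'dc2', 'dc3'         # placeholder DC/DNS server names

# 1. Ask each DC for the zone's SOA. In an AD-integrated zone each DC answers with
#    itself as primary; serials should converge once replication has caught up.
$soa = foreach ($dc in $Dcs) {
    try {
        $r = Resolve-DnsName -Name $Zone -Type SOA -Server $dc -DnsOnly -ErrorAction Stop |
             Where-Object { $_.Type -eq 'SOA' }
        [pscustomobject]@{
            QueriedServer = $dc
            PrimaryServer = $r.PrimaryServer
            Serial        = $r.SerialNumber
        }
    } catch {
        [pscustomobject]@{ QueriedServer = $dc; PrimaryServer = 'QUERY FAILED'; Serial = $null }
    }
}
$soa | Format-Table -AutoSize

$serials = @($soa.Serial | Where-Object { $_ } | Sort-Object -Unique)
if ($serials.Count -gt 1) {
    Write-Warning "SOA serials differ across DCs ($($serials -join ', ')): replication lag or an unreachable DC."
}

# 2. Confirm the zone is AD-integrated and accepts only secure (Kerberos) dynamic updates.
foreach ($dc in $Dcs) {
    $z = Get-DnsServerZone -Name $Zone -ComputerName $dc -ErrorAction SilentlyContinue
    if (-not $z) { Write-Warning "$dc : zone $Zone not hosted or server unreachable"; continue }
    if (-not $z.IsDsIntegrated) { Write-Warning "$dc : zone is file-backed, not AD-integrated" }
    if ($z.DynamicUpdate -ne 'Secure') {
        Write-Warning "$dc : DynamicUpdate is '$($z.DynamicUpdate)', expected 'Secure'"
    }
    '{0}: DsIntegrated={1} ReplicationScope={2} DynamicUpdate={3}' -f `
        $dc, $z.IsDsIntegrated, $z.ReplicationScope, $z.DynamicUpdate
}
```

A zone reporting NonsecureAndSecure on any DC accepts unauthenticated record updates, which is the setting to correct before relying on the Kerberos-based protection Ace describes.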