In our last installment, we looked at some of the concerns of an enterprise administrator who needed to allow Linux workstations to exist in an Active Directory domain.
Another common interoperability issue is how to allow your Windows and Unix- or Linux-based domain name server (DNS) to work and play well together. Much of the documentation you'll find on Active Directory assumes that you're working in a pure Windows 2000/2003 DNS environment, but, of course, not everyone is in that situation.
In larger environments, you'll often need to integrate Active Directory DNS with third-party DNS implementations like Unix BIND servers, and have it coexist with legacy Windows NT 4.0 DNS servers. What makes this easier than you might think is that most of the DNS features needed to support Active Directory installations are available in all modern DNS implementations. As long as you're running a recent version of the BIND DNS software, it will be relatively simple to integrate your Linux DNS with Windows 2000 or 2003 Active Directory.
At a bare minimum, Active Directory requires support for Service Locator (SRV) DNS resource records to be able to function. These records enable Active Directory to advertise resources like domain controllers and global catalog servers and allow your clients to locate those services. SRV records are supported by the following versions of BIND DNS:
- BIND 9.x
- BIND 8.2.2
- BIND 8.2
- BIND 8.1.2
- BIND 4.9.7
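To make the SRV requirement concrete, here is an added example (not from the original article) of a BIND-format zone file for a hypothetical AD domain, ad.example.com, containing the SRV records a single domain controller (dc1) publishes so that clients can find LDAP, Kerberos and the global catalog. The names, addresses (RFC 5737 documentation ranges) and serial number are all constructed placeholders.

```conf
; Constructed example zone for ad.example.com (not from the original article).
; With $ORIGIN set, a relative name such as _ldap._tcp expands to
; _ldap._tcp.ad.example.com.
$ORIGIN ad.example.com.
$TTL 600
@       IN SOA  ns1.ad.example.com. hostmaster.ad.example.com. (
                2024010101 ; serial
                3600       ; refresh
                900        ; retry
                604800     ; expire
                600 )      ; negative-caching TTL
        IN NS   ns1.ad.example.com.
ns1     IN A    192.0.2.53   ; the BIND server (placeholder address)
dc1     IN A    192.0.2.10   ; the domain controller (placeholder address)

; SRV record format: priority weight port target
; LDAP on the domain controller
_ldap._tcp              IN SRV 0 100 389  dc1.ad.example.com.
_ldap._tcp.dc._msdcs    IN SRV 0 100 389  dc1.ad.example.com.
; Kerberos KDC and password-change service
_kerberos._tcp          IN SRV 0 100 88   dc1.ad.example.com.
_kerberos._udp          IN SRV 0 100 88   dc1.ad.example.com.
_kpasswd._tcp           IN SRV 0 100 464  dc1.ad.example.com.
; Global catalog
_gc._tcp                IN SRV 0 100 3268 dc1.ad.example.com.
_ldap._tcp.gc._msdcs    IN SRV 0 100 3268 dc1.ad.example.com.
```

Once the zone is loaded you can confirm the server actually answers SRV queries with `dig @192.0.2.53 _ldap._tcp.dc._msdcs.ad.example.com SRV`; a server that lacks SRV support will return an error or an empty answer rather than the record above. In practice a domain controller registers these records itself when dynamic updates are allowed, and the full set it wants to register can be read from the netlogon.dns file on the DC, which is a useful cross-check that nothing has been left out.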
Ideally, you'll also want any non-Windows 2000/2003 DNS servers to support dynamic updates and incremental zone transfers in addition to SRV records. Support for dynamic updates will take quite a bit of administrative burden off your hands by allowing your client computers to update their own DNS records automatically. Incremental zone transfers will reduce the impact of DNS replication on your overall network bandwidth, since each zone transfer will only transmit the records that have changed since the last one rather than sending the entire zone at every replication. The BIND versions that support these optional features are:
- BIND 9.x
- BIND 8.2.2
- BIND 8.2
At an absolute minimum, your DNS infrastructure must support SRV records in order to support Active Directory: your AD clients and servers simply won't be able to function without them. If you are using a DNS implementation like Windows NT 4.0 DNS or an early version of BIND that doesn't support SRV records, you must upgrade or migrate your DNS servers to a version that does. At the very least, you'll need to migrate any DNS zones that will be supporting Active Directory to an SRV-capable server. As an alternative, you can delegate a separate DNS domain to be used by your AD infrastructure and install Windows 2000 or 2003 DNS servers in that domain. This allows any existing DNS servers that maintain the parent domain to stay in place.
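The following added example (not from the original article) shows how the dynamic-update, incremental-transfer and delegation options discussed above look in a BIND 9 named.conf, with the weak update setting shown beside a tighter one. The zone name, ACL names and addresses (192.0.2.x) are constructed placeholders.

```conf
// Constructed BIND 9 configuration fragments (not from the original article).
// Hostnames, ACL names and addresses are placeholders.

// Domain controllers that are allowed to register their own records.
acl "ad-domain-controllers" { 192.0.2.10; 192.0.2.11; };

// Secondary servers that are allowed to pull the zone by zone transfer.
acl "dns-secondaries" { 192.0.2.54; };

options {
    // Offer and request incremental (IXFR) transfers so that only changed
    // records cross the network between the primary and its secondaries.
    provide-ixfr yes;
    request-ixfr yes;
};

// WEAK: any host that can reach the server may add or overwrite any record
// in the zone, including the SRV records that point clients at the DCs.
// zone "ad.example.com" IN {
//     type master;
//     file "ad.example.com.zone";
//     allow-update { any; };
// };

// Tighter: only the listed domain controllers may send dynamic updates, and
// only the known secondaries may transfer the zone. Address-based filtering
// limits exposure but is not authentication; it does not replace the secure
// (Kerberos-signed) dynamic updates that the article notes are only available
// in Windows 2000/2003 DNS.
zone "ad.example.com" IN {
    type master;
    file "ad.example.com.zone";
    allow-update   { ad-domain-controllers; };
    allow-transfer { dns-secondaries; };
    notify yes;
};

// The article's alternative: leave the existing parent zone where it is and
// delegate a sub-domain to the DNS servers run for Active Directory. These
// two records go in the parent zone file for example.com:
//
//   ad        IN NS  dc1.ad.example.com.
//   dc1.ad    IN A   192.0.2.10    ; glue record for the delegated server
```

Two practical notes on this configuration. First, restricting `allow-update` to the domain controllers means workstations can no longer register their own records; if you rely on that, you must widen the ACL to the client subnets or have the DHCP server perform the registrations, accepting the corresponding loss of control over who can write to the zone. Second, once a zone accepts dynamic updates BIND maintains it through a journal file, so do not hand-edit the zone file while named is running; use `rndc freeze` before editing and `rndc thaw` afterwards.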
When planning your Active Directory DNS support, though, keep in mind that there are certain features that are only available in Windows 2000 and 2003 DNS; and these features won't be recognized or supported by any other DNS implementation. The features include Active Directory-integrated zones, secure dynamic updates and WINS (Windows Internet name service) integration.
Laura E. Hunter (CISSP, MCSE: Security, MCDBA, Microsoft MVP) is a senior IT specialist with the University of Pennsylvania, where she provides network planning, implementation and troubleshooting services for business units and schools within the university. Hunter is a two-time recipient of the prestigious Microsoft "Most Valued Professional" award in the area of Windows Server-Networking. She is the author of the "Active Directory Field Guide" (APress Publishing).