Home > Articles

  • Print
  • + Share This
This chapter is from the book

Integrating with Third-Party DNS Solutions

It's a fact of life that many organizations already have existing DNS solutions in place, such as Unix BIND. In some cases, these existing BIND servers might not meet the DNS requirements of Active Directory. Table 3.4 outlines the features of some of the more common versions of BIND in use.

Table 3.4 Features of Various BIND Versions

BIND Version

Features

4.9.4

Support for fast zone transfers

4.9.6

Support for SRV resource records

8.1.2

Support for dynamic DNS (DDNS)

8.2.1

Support for incremental zone transfers (IXFR) between DNS Servers

8.2.2

Full support for all Active Directory features


If you are faced with a situation in which you are dealing with other DNS systems, you have two basic choices of implementation:

  • Upgrade existing DNS systems to meet the DNS requirements of Active Directory. For BIND, version 8.1.2 and later will be sufficient.

  • Migrate existing DNS zones to Windows Server 2003 DNS.

Although it is recommended that you use only Windows Server 2003 DNS servers to ensure full support for Active Directory, you can use any DNS system that meets the following specifications:

  • Support for SRV (Service) resource records

  • Dynamic updates per RFC 2136

Although support for dynamic updates is highly recommended, it is not mandatory. Support for SRV resource records is mandatory, however, because they are required to provide DNS support to Active Directory.

If you have Unix BIND servers in you DNS infrastructure, you should consider placing them as secondaries instead of primaries. By default, Windows Server 2003 DNS servers use a fast zone transfer format whereby compression is used and multiple records can be sent in a single TCP message. BIND versions 4.9.4 and later support fast zone transfers. If you are using an earlier version of BIND or another third-party DNS system that does not support fast zone transfers, you must disable fast zone transfers. When you select the BIND Secondaries option (see Figure 3.9), fast zone transfers are disabled for that server.

In the TCP/IP network of today's connected world, DNS is no longer a nicety; it's a requirement. Originally created to replace the antiquated and difficult-to-maintain HOSTS.TXT file, the domain name system (DNS) has quickly seen its popularity rise as TCP/IP has become the king of all networking protocols. Microsoft had led the charge to make TCP/IP and DNS the defector standards for all networks, small and large.

DNS is so critical to a Windows Server 2003 network that it is important that you prepare adequately before implementing your DNS solution. Only through proper planning can you be reasonably well assured of not having any problems down the road. The first decision you must make is what your DNS namespace will look like. You need to choose between an existing, a delegated, or unique namespace.

Figure 3.9Figure 3.9 The BIND Secondaries option prevents fast zone transfers from occurring.

After choosing your namespace, you can determine what type of zones you will require, as well as how you will configure forwarding to occur. Of course, you also will want to look into securing your DNS infrastructure from attack and compromise. By choosing an Active Directory–integrated zone, you can ease administrative burden and increase DNS security.

Finally, if you have other DNS systems in use on your network, you need to decide on the roles that each DNS server will play in your Windows 2003 network. Will you upgrade these servers to a newer version that is compatible with and that supports the DNS requirements of Windows Server 2003? If not, you should consider migrating their DNS zones to your Windows Server 2003 DNS servers, and then retiring these legacy DNS servers or making them secondaries for improved redundancy.

  • + Share This
  • 🔖 Save To Your Account