
Active Directory in BIND based network

Status
Not open for further replies.

zpetersen (MIS), Dec 29, 2003
Ok, here's the situation. I need to introduce a new MS Active Directory infrastructure into an existing network which uses BIND 9.x for DNS. The current namespace is "company.net" and I want to set up AD in the "corp.company.net" namespace.

I would also like to have MS DNS (Active Directory Integrated) be the primary DNS for the "corp.company.net" namespace and have BIND remain the primary DNS server for the "company.net" namespace. All Windows based clients and servers will be moved to the "corp.company.net" namespace.

It seems fairly simple in my head but I have never tackled a unix+windows install so I have to ask questions. I'm sure I will need to provide more information but I'll start with this. A huge thanks to anyone who can point me in the right direction.

(I double posted this in the DNS forum but the last reply there was about 5 days ago.. so.. yeah)
 
Best practices recommend naming the domain company.local (or company.lcl to accommodate Mac OS X 10.2 and earlier clients), not company.net.

There's no need to use a sub domain and involve bind. MS should handle DNS for the Windows domain "company.local" and all other DNS requests can be handled by bind.
 
Thanks for your reply. Assuming that the company already has company.net for their internal namespace, could I simply add AD running on company.lcl (or .local) using AD DNS and have it set up to forward any requests for clients/servers on company.net out to the BIND DNS servers?
 
Microsoft recommends as part of best practices that you DO NOT name the domain after a routable namespace, for security reasons and because, should you ever want to make that namespace public and hosted elsewhere, it could create problems.

Just because you use a non-routable namespace doesn't mean your systems will be severely hindered in some way. You can add routable domains to Exchange, IIS, and any other area you need them.

Microsoft DNS, by default, will forward requests for domains it doesn't have out to the root servers. You can also set up forwarders and have it go straight to your Bind servers.
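For the original design in this thread (BIND stays authoritative for company.net, the AD-integrated zone corp.company.net lives on the domain controllers, and the DCs forward everything else to BIND), the only change the BIND administrators need to make is a delegation in the parent zone. The fragment below is an added example, not from any post in this thread; the host names dc1/dc2, the 10.10.0.0/24 addresses and the ns1/ns2 BIND servers are assumed for illustration.

```bind
; Added to the company.net zone file on the BIND master (example, not from the thread).
; Delegates corp.company.net to the AD DNS servers on the domain controllers.
$ORIGIN company.net.

corp            IN NS   dc1.corp.company.net.
corp            IN NS   dc2.corp.company.net.

; Glue A records are required: the name servers for the child zone sit
; inside the child zone, so the parent must hand out their addresses.
dc1.corp        IN A    10.10.0.11
dc2.corp        IN A    10.10.0.12

; Nothing else for names under corp.company.net belongs in this zone;
; any record below the delegation point is occluded by the NS records.
```

On the Windows side, each DC's DNS server is authoritative for corp.company.net and uses BIND as its forwarder rather than the root hints, e.g. `dnscmd . /ResetForwarders 10.10.0.2 10.10.0.3` (assumed BIND addresses). Worth checking after setup: `dig NS corp.company.net @ns1.company.net` should return the two DC names with glue, and `dig SRV _ldap._tcp.dc._msdcs.corp.company.net @dc1.corp.company.net` should list the DCs once Netlogon has registered its records. Because the glue addresses are a trust anchor for the whole AD namespace, restrict who can change the company.net zone (`allow-update`/`allow-transfer` ACLs on the BIND side) and put the DC addresses under change control.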
 
Thanks again for replying.

The above link is a diagram that shows a general overview of what is happening here. Basically I have been asked to move the Windows infrastructure from NT4 to 2003 AD. They currently use BIND for all DNS and WINS for any Windows Client name resolution. The company also uses some kind of third party DHCP solution to hand out DHCP for the entire company.

Right away I hit a political barrier when the Unix folks were brought into the mix and they threw a fit regarding DNS etc. So, the idea is to set up AD in a new namespace such as "company.lcl" and have the BIND folks create that zone in the existing DNS setup. AD would basically be there for user management and security on the Windows boxes.

Has anyone had any experience with this type of situation? Also, I know that MS recommends not using .net style domain names internally, however, that is something I will not be able to change. The new AD domain will NOT be a routable domain name.

Note: AD will be 2003 (maybe R2) and BIND servers are running BIND 9.x.
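The revised plan in the last post (AD in a non-routable namespace such as company.lcl, with the BIND administrators creating that zone) works, but the DCs must then be able to register their SRV and A records into BIND by RFC 2136 dynamic update, or someone must maintain those records by hand. The configuration below is an added example, not from the thread or from Microsoft or ISC documentation; the DC names and addresses are assumed.

```bind
// named.conf on the BIND master (example, not from the thread).
acl "domain-controllers" { 10.10.0.11; 10.10.0.12; };   // assumed DC addresses

zone "company.lcl" IN {
    type master;
    file "dynamic/company.lcl.zone";
    // Only the DCs may send dynamic updates; with a plain IP ACL this is
    // spoofable on the local network, so keep the DC subnet tightly controlled
    // or move to key-authenticated updates once the platform supports them.
    allow-update   { domain-controllers; };
    allow-transfer { 10.10.0.3; };                       // secondary BIND only
};

// Initial company.lcl zone file before the first DC is promoted.
// $ORIGIN company.lcl.
// $TTL 3600
// @     IN SOA ns1.company.net. hostmaster.company.net. (
//                 2003122901 3600 900 604800 300 )
//       IN NS  ns1.company.net.
//       IN NS  ns2.company.net.
// dc1   IN A   10.10.0.11
// dc2   IN A   10.10.0.12
//
// After promotion, Netlogon on each DC registers records such as:
// _ldap._tcp.dc._msdcs       IN SRV 0 100 389 dc1.company.lcl.
// _kerberos._tcp.dc._msdcs   IN SRV 0 100  88 dc1.company.lcl.
// If updates are refused, these appear in the DC's Netlogon event log as
// registration failures, and domain joins and logons will fail.
```

The Windows clients in this design point at the BIND servers for DNS, so BIND must answer for company.lcl directly; no delegation or forwarding is involved. The check that matters is the same as in the first design: query `_ldap._tcp.dc._msdcs.company.lcl` SRV against each BIND server after the DCs are promoted and confirm both DCs are listed.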
 