For what it's worth, we moved 100% of all our DNS from MS DNS to BIND.
Doing so solved the problem of the MS DNS servers periodically (randomly)
losing critical glue records. It also eliminated the need for 6 pairs of
DNS servers to support the 6 independent domains, each needing to own the
reverse domains. It also allowed us to significantly boost the DNS
performance and capacity without carrying the weight of domain controller
functionality.
There were also some other significant manageability gains by moving to
BIND.
The most significant downside was that we lost SECURE dynamic updates
because GSS-TSIG was not available in BIND at the time, but I understand it
is available now.
We also found a problem where, on occasion, when the MS servers perform
their daily dynamic delete and re-add of their DNS records (which they do to
prevent aging/scavenging from taking their records away), the ADD part
doesn't stick, and intervention is necessary to manually re-add the record.
I believe this is caused by the fact that both the add and delete are issued
with the same time stamp, and I suspect our version of BIND might be
processing them out of order -- we still don't know for sure. But whatever
this problem turns out to be, I am sure there is or will be a fix for it.
And the only other loss is the multi-master feature of the AD-integrated
DNS, but that feature was not performing adequately anyway, so it wasn't
really much of a loss. If our single BIND master dies, we have the ability
to move its IP address to another box and reconstruct the master in much
less than an hour.
So, from my experience, I would encourage anyone who is considering it to go
ahead and put 100% of all DNS into BIND, and scrap the MS DNS altogether.
It is much easier to manage than having to split the zones all over the
place, and it just works better.
--
Gordon A. Lang
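The daily delete-and-re-add failure described in the post above is easier to catch from the BIND `update` log category than by waiting for a host to go missing. The following is an added example, not code from the post or from ISC: it parses update-log lines, pairs each record's delete with its subsequent add, and reports records whose last logged operation was a delete, separately flagging the add-before-delete-with-identical-timestamp pattern the poster suspects. The sample log lines are constructed and only modeled on the format `named` emits; the regular expression and the function names `parse_update_log` and `audit_refresh` are this example's own.

```python
import re

# Constructed sample of BIND "update" category log lines (not real traffic),
# modeled on the format named emits for dynamic updates from AD members.
# host1 and host2 refresh cleanly; host3's re-add never arrives; host4's add
# and delete share a timestamp and are logged add-first, so the net effect
# is a missing record. One unrelated log line shows the parser ignoring noise.
SAMPLE_LOG = """\
05-Mar-2024 02:00:01.100 update: info: client 10.0.0.1#49152/key host1$@EXAMPLE.COM: updating zone 'example.com/IN': deleting rrset at 'host1.example.com' A
05-Mar-2024 02:00:01.100 update: info: client 10.0.0.1#49152/key host1$@EXAMPLE.COM: updating zone 'example.com/IN': adding an RR at 'host1.example.com' A 10.0.0.1
05-Mar-2024 02:00:02.000 update: info: client 10.0.0.2#49153/key host2$@EXAMPLE.COM: updating zone 'example.com/IN': deleting rrset at 'host2.example.com' A
05-Mar-2024 02:00:02.250 update: info: client 10.0.0.2#49153/key host2$@EXAMPLE.COM: updating zone 'example.com/IN': adding an RR at 'host2.example.com' A 10.0.0.2
05-Mar-2024 02:00:03.000 update: info: client 10.0.0.3#49154/key host3$@EXAMPLE.COM: updating zone 'example.com/IN': deleting rrset at 'host3.example.com' A
05-Mar-2024 02:00:03.500 update-security: info: client 10.0.0.9#50000: update 'example.com/IN' denied
05-Mar-2024 02:00:04.000 update: info: client 10.0.0.4#49155/key host4$@EXAMPLE.COM: updating zone 'example.com/IN': adding an RR at 'host4.example.com' A 10.0.0.4
05-Mar-2024 02:00:04.000 update: info: client 10.0.0.4#49155/key host4$@EXAMPLE.COM: updating zone 'example.com/IN': deleting rrset at 'host4.example.com' A
"""

# Matches the two update operations we care about; anything else is skipped.
LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) update: info: client (?P<client>.+?): "
    r"updating zone '(?P<zone>[^']+)': "
    r"(?P<op>deleting rrset at|adding an RR at) '(?P<name>[^']+)' (?P<type>\S+)"
)


def parse_update_log(text):
    """Return a list of dicts (ts, client, zone, op, name, type) in log order."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append(m.groupdict())
    return events


def audit_refresh(text):
    """Find records that were deleted during the refresh but never re-added.

    Returns a dict with:
      missing_readd            - (name, type) whose last logged op is a delete
      reversed_same_timestamp  - subset where an add was immediately followed
                                 by a delete carrying the identical timestamp
    """
    events = parse_update_log(text)
    last = {}                # (name, type) -> (op, ts) of the most recent event
    reversed_pairs = set()
    for e in events:
        key = (e["name"], e["type"])
        op = "delete" if e["op"].startswith("deleting") else "add"
        prev = last.get(key)
        # Add then delete with the same timestamp: the update pair was applied
        # in the wrong order, and the record ends up absent from the zone.
        if prev and prev[0] == "add" and op == "delete" and prev[1] == e["ts"]:
            reversed_pairs.add(key)
        last[key] = (op, e["ts"])
    missing = sorted(k for k, (op, _) in last.items() if op == "delete")
    return {
        "missing_readd": missing,
        "reversed_same_timestamp": sorted(reversed_pairs),
    }


if __name__ == "__main__":
    report = audit_refresh(SAMPLE_LOG)
    for name, rtype in report["missing_readd"]:
        flag = " (add/delete same timestamp, applied in reverse)" \
            if (name, rtype) in report["reversed_same_timestamp"] else ""
        print(f"needs manual re-add: {name} {rtype}{flag}")
```

Run it against the real `update` category output after the nightly refresh window and the `missing_readd` list is exactly the set of records that need intervention; the `reversed_same_timestamp` list either supports or rules out the out-of-order hypothesis for a given BIND version. Records that were deleted intentionally will also appear in `missing_readd`, so the output is a worklist to review, not something to feed back into `nsupdate` blindly.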
_______________________________________________
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users