I would like to remove the DNS feature of Windows Domain Controllers and point the DNS servers to our BIND9 servers.
I know it's possible to setup coexistence but this requires a number of extra Windows DNS Servers equals to the number of Domain Controllers in the network.
Active Directory expects the _msdcs zone and other things like _tcp, _udp; etc.
The main question is: how to make BIND9 take care of all this AD-specific data? And with dynamic updating, to make AD even happier.
Thanks,
PS: Making BIND9 point to the Windows DNS Servers to resolve the Active Directory specific zones isn't an option. We already do this...
EDIT: As of today, I'm running without Windows DNS. I'm writing up a guide on how to do this, and I'll update this topic.
"I would like to remove the DNS feature of Windows Domain Controllers" - This is incorrect. The DC role and the DNS role are two separate roles. They're very often installed on the same machine but this isn't a requirement.
"I know it's possible to setup coexistence but this requires a number of extra Windows DNS Servers equals to the number of Domain Controllers in the network." - This is also incorrect. You do not require a matching number of DNS servers to Domain Controllers.
You can use a non-Microsoft DNS server as long as it meets the requirements of DNS in support of AD. If BIND9 meets those requirements then you're more than welcome to use it.
Yes. As joeqwerty pointed out as long as a DNS server meets the requirements of DNS in support of Active Directory you may use it as your AD DNS.
(BIND does; Microsoft even provides guidance that Joe linked to, and you can find a bunch of articles on Google.)
That's not the question you should be asking though. The question you should be asking is:
In my personal opinion the answer is ABSOLUTELY NOT unless you like pain.
AD and Windows DNS are intertwined - You can certainly pry them apart, but doing so is not going to be pleasant, and may create problems later.
If your goal is to not expose your Windows DNS servers (for some security reason, to minimize server load, etc.) a better option is to make your BIND DNS servers slaves, replicating the AD DNS zone(s).
This hides the Windows servers from prying eyes (and excessive load), but still lets Active Directory talk to the Windows DNS servers that it knows and loves.
You can even minimize the number of Windows DNS servers if you go this route, since the only things talking to them should be Active Directory/DCs (making updates) and the BIND servers fetching those updates to serve to other systems.
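The secondary-zone arrangement described in this answer, and the `_msdcs`/`_tcp`/`_udp` data the question worries about, look like the following on the BIND side. This is an added example, not configuration from the answer or from the asker's guide; the domain `ad.example.internal`, the Windows DNS addresses `192.0.2.10`/`192.0.2.11` and the client network `198.51.100.0/24` are placeholders. It uses the long-standing `type slave; masters` spelling; current BIND 9 releases also accept `type secondary; primaries`.

```conf
// Added example: BIND 9 named.conf fragment serving read-only copies of the
// AD-integrated zones. All names and addresses below are assumed placeholders.

acl "windows_dns" { 192.0.2.10; 192.0.2.11; };   // DCs running the Windows DNS role
acl "clients"     { 198.51.100.0/24; };          // networks this BIND server answers

options {
    directory "/var/cache/bind";
    recursion yes;
    allow-recursion { "clients"; };
    allow-query     { "clients"; };
    // These are secondaries: nothing should dynamically update them, and
    // nothing downstream needs to pull the zones from them.
    allow-update    { none; };
    allow-transfer  { none; };
};

// The AD domain zone. Holds the _ldap._tcp, _kerberos._tcp, _gc._tcp,
// _kerberos._udp, _kpasswd._tcp and _sites records the DCs register.
zone "ad.example.internal" IN {
    type slave;
    masters { 192.0.2.10; 192.0.2.11; };
    file "slaves/ad.example.internal.db";
};

// Windows DNS normally keeps _msdcs as its own zone (forest-wide replication
// scope), so it has to be transferred separately; it carries the dc._msdcs,
// pdc._msdcs, gc._msdcs and domains._msdcs SRV/CNAME records.
zone "_msdcs.ad.example.internal" IN {
    type slave;
    masters { 192.0.2.10; 192.0.2.11; };
    file "slaves/_msdcs.ad.example.internal.db";
};
```

On the Windows side each zone must be allowed to transfer to the BIND server addresses (zone properties, Zone Transfers tab); the zones themselves stay AD-integrated and keep receiving the DCs' secure dynamic updates, while BIND only holds copies. Because the copies are read-only, the DCs and any member that needs to register its own records should keep the Windows DNS servers as their configured resolvers; everything else can point at BIND.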