Skip site navigation (1)Skip section navigation (2)
Date:      Wed, 27 May 2015 12:06:15 -0700
From:      Kurt Buff <>
To:        "" <>
Subject:   Re: AD with FreeBSD DNS & DHCP server
Message-ID:  <>
In-Reply-To: <>
References:  <> <>

Next in thread | Previous in thread | Raw E-Mail | Index | Archive | Help
On Wed, May 27, 2015 at 11:53 AM, Mel Pilgrim
<> wrote:
> On 2015-05-08 19:52, Jaime Kikpole wrote:
>> I'm going to be setting up an Active Directory system soon(ish) in a mixed
>> environment.  I've got a lot of non-Windows workstations and servers running
>> FreeBSD and MacOS.  So I was wondering what I needed to do to have internal
>> DNS resolution and DHCP leases running from a FreeBSD virtual server while
>> running Active Directory from another virtual server.
>> Any advice or places to start reading?
> If it's at all possible, use your DCs as your network's DNS servers. Windows
> domains need bidirectional DNS:
> - ADS uses DNS to provide locators for directory services and the DCs.
> - Replication services require working A/AAAA for the DCs so they can find
> each other without DS.
> - Windows Domain computers send authenticated DNS updates to update the
> A/AAAA records for the machine names.
> You can work around the first two by having unbound use stub-zones pointed
> at the Windows DNS servers, but unbound will not forward zone updates.  You
> can go a bit further and mostly get the third point as well using BIND
> configured to receive the zone updates, but your Windows event logs will
> have errors about DNS authentication because BIND can't do AD-authenticated
> DNS updates.  Worse, those updates won't make it back to Windows DNS, so
> your AD DNS zones will get stale.  This will be a problem.
> On my networks, the Windows DNS servers are resolvers for the whole network,
> including extra-domain hosts.  The isc-dhcpd, rtadvd, and wide-dhcp6s
> instances running on my FreeBSD routers hand out the DCs' IP addresses as
> the DNS servers.  The Windows DNS servers have the public domain above the
> AD FQDN added as a primary zone so that the few extra-domain hostnames work
> for everyone as well.

What he said, x100.

AD is intimately bound up in DNS, with lots of dynamic updates of
service records, etc. Let your Windows AD DCs do both DNS and DHCP.
Just make sure that the DHCP service is running as an unprivileged AD

See, among many others, this article:

Want to link to this message? Use this URL: <>