Can I completely remove the Windows DNS in favour of BIND9 in an AD network?

windows linux domain-name-system active-directory bind

Can I completely remove the Windows DNS in favour of BIND9 in an AD network?

Yes. As joeqwerty pointed out as long as a DNS server meets the requirements of DNS in support of Active Directory you may use it as your AD DNS.
(BIND does, Microsoft even provides guidance that Joe linked to, and you can find a bunch of articles on Google.

That's not the question you should be asking though, The question you should be asking is:

SHOULD I completely remove the Windows DNS in favour of BIND9 in an AD network?

In my personal opinion the answer is ABSOLUTELY NOT unless you like pain.
AD and Windows DNS are intertwined - You can certainly pry them apart, but doing so is not going to be pleasant, and may create problems later.

If your goal is to not expose your Windows DNS servers (for some security reason, to minimize server load, etc.) a better option is to make your BIND DNS servers slaves, replicating the AD DNS zone(s).
This hides the Windows servers from prying eyes (and excessive load), but still lets Active Directory talk to the Windows DNS servers that it knows and loves.
You can even minimize the number of Windows DNS servers if you go this route, since the only things talking to it should be Active Directory/DCs (making updates) and the BIND servers fetching those updates to serve to other systems).


  1. "I would like to remove the DNS feature of Windows Domain Controllers" - This is incorrect. The DC role and the DNS role are two separate roles. They're very often installed on the same machine but this isn't a requirement.

  2. "I know it's possible to setup coexistence but this requires a number of extra Windows DNS Servers equals to the number of Domain Controllers in the network." - This is alos incorrect. You do not require a matching number of DNS servers to Domain Controllers.

  3. You can use a non Microsoft DNS server as long as it meets the requirements of DNS in support of AD. If Bind9 meets those requirements then you're more than welcome to use it.

Related

php-fpm returning empty response to nginx
How to add custom header containing the absolute address of the originally requested resource
Disk Usage Analyzer on Synology
Access already mapped network drive in PowerShell
Change systemd unit tag send to journalctl/syslog
PowerShell pipe into find.exe command
If public IPs are pinned to a single AS, how does BGP anycast work?
hsts on main port 80, not on other ports
Windows Storage Spaces - a useful replacement for RAID6?
Workaround for when windows scheduled tasks fails when user changes their password
\Program Files vs. \Program Files (x86) in 64-Bit Windows
How stable is Cherokee Web Server? [closed]