To support Active Directory on your BIND DNS server you need a number of extra entries. Below is a short overview of what Active Directory expects: the SRV and CNAME records that a single domain controller registers for the _ldap, _gc, _kerberos and _kpasswd services. The same pattern holds for any further domain controllers and sites.
An example of the entries generated by Windows Server 2003 when installing Active Directory (domain forest.example.com, domain controller adf.forest.example.com, default site) looks like this:
_ldap._tcp.forest.example.com. 600 IN SRV 0 100 389 adf.forest.example.com.
_gc._tcp.forest.example.com. 600 IN SRV 0 100 3268 adf.forest.example.com.
_kerberos._udp.forest.example.com. 600 IN SRV 0 100 88 adf.forest.example.com.
_kerberos._tcp.forest.example.com. 600 IN SRV 0 100 88 adf.forest.example.com.
_kpasswd._tcp.forest.example.com. 600 IN SRV 0 100 464 adf.forest.example.com.
_kpasswd._udp.forest.example.com. 600 IN SRV 0 100 464 adf.forest.example.com.
_ldap._tcp.gc._msdcs.forest.example.com. 600 IN SRV 0 100 3268 adf.forest.example.com.
_ldap._tcp.dc._msdcs.forest.example.com. 600 IN SRV 0 100 389 adf.forest.example.com.
_kerberos._tcp.dc._msdcs.forest.example.com. 600 IN SRV 0 100 88 adf.forest.example.com.
_ldap._tcp.pdc._msdcs.forest.example.com. 600 IN SRV 0 100 389 adf.forest.example.com.
34356b88-8d9f-457b-87ae-dd660c028489._msdcs.forest.example.com. 600 IN CNAME adf.forest.example.com.
_ldap._tcp.f3d8bf35-d00a-48fd-aaf9-c7d1999227f3.domains._msdcs.forest.example.com. 600 IN SRV 0 100 389 adf.forest.example.com.
_ldap._tcp.Default-First-Site-Name._sites.dc._msdcs.forest.example.com. 600 IN SRV 0 100 389 adf.forest.example.com.
_kerberos._tcp.Default-First-Site-Name._sites.dc._msdcs.forest.example.com. 600 IN SRV 0 100 88 adf.forest.example.com.
_ldap._tcp.Default-First-Site-Name._sites.gc._msdcs.forest.example.com. 600 IN SRV 0 100 3268 adf.forest.example.com.
_ldap._tcp.Default-First-Site-Name._sites.forest.example.com. 600 IN SRV 0 100 389 adf.forest.example.com.
_gc._tcp.Default-First-Site-Name._sites.forest.example.com. 600 IN SRV 0 100 3268 adf.forest.example.com.
_kerberos._tcp.Default-First-Site-Name._sites.forest.example.com. 600 IN SRV 0 100 88 adf.forest.example.com.
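A domain controller that cannot find these records in DNS will not be located by clients, so it is worth checking the zone against the expected set rather than eyeballing it. The script below is an added example, not part of the original page: it builds the record set from the listing above for any domain, DC host name, site name and pair of GUIDs (the DSA object GUID used for the CNAME and the domain GUID used under domains._msdcs), parses zone-file text, and reports what is missing or pointing at the wrong host. The DEMO_ZONE text is constructed from the page's own listing; the pdc parameter reflects that only the DC holding the PDC emulator role registers _ldap._tcp.pdc._msdcs.

```python
"""Added example (not from the page): build the record set a domain controller
registers, as in the listing above, and check BIND zone text for it."""
import re

# One zone-file line: owner [ttl] [IN] type rdata (SRV and CNAME only)
ZONE_LINE = re.compile(r"^\s*(\S+)\s+(?:\d+\s+)?(?:IN\s+)?(SRV|CNAME)\s+(.+?)\s*$", re.I)


def ad_dc_records(domain, dc, site, dsa_guid, domain_guid, pdc=True):
    """Return {(owner, type, rdata)} for the records in the page's listing.

    Owners and targets are lower-cased and fully qualified so the set compares
    cleanly with whatever case the zone file uses.  Only the DC holding the
    PDC emulator role registers _ldap._tcp.pdc._msdcs, hence pdc=.
    """
    dom = domain.lower().rstrip(".") + "."
    msdcs = "_msdcs." + dom
    target = dc.lower().rstrip(".") + "."
    site = site.lower()

    def srv(owner, port):
        return (owner.lower(), "SRV", f"0 100 {port} {target}")

    recs = {
        srv(f"_ldap._tcp.{dom}", 389),
        srv(f"_gc._tcp.{dom}", 3268),
        srv(f"_kerberos._udp.{dom}", 88),
        srv(f"_kerberos._tcp.{dom}", 88),
        srv(f"_kpasswd._tcp.{dom}", 464),
        srv(f"_kpasswd._udp.{dom}", 464),
        srv(f"_ldap._tcp.gc.{msdcs}", 3268),
        srv(f"_ldap._tcp.dc.{msdcs}", 389),
        srv(f"_kerberos._tcp.dc.{msdcs}", 88),
        (f"{dsa_guid.lower()}.{msdcs}", "CNAME", target),
        srv(f"_ldap._tcp.{domain_guid.lower()}.domains.{msdcs}", 389),
        srv(f"_ldap._tcp.{site}._sites.dc.{msdcs}", 389),
        srv(f"_kerberos._tcp.{site}._sites.dc.{msdcs}", 88),
        srv(f"_ldap._tcp.{site}._sites.gc.{msdcs}", 3268),
        srv(f"_ldap._tcp.{site}._sites.{dom}", 389),
        srv(f"_gc._tcp.{site}._sites.{dom}", 3268),
        srv(f"_kerberos._tcp.{site}._sites.{dom}", 88),
    }
    if pdc:
        recs.add(srv(f"_ldap._tcp.pdc.{msdcs}", 389))
    return recs


def parse_zone(text):
    """Pick SRV and CNAME records out of zone-file text, one record per line
    with fully qualified owner names as in the listing."""
    found = set()
    for line in text.splitlines():
        m = ZONE_LINE.match(line)
        if m:
            owner, rtype, rdata = m.groups()
            found.add((owner.lower(), rtype.upper(), " ".join(rdata.lower().split())))
    return found


def missing_records(zone_text, expected):
    """Expected records absent from the zone (or present with other rdata)."""
    return sorted(expected - parse_zone(zone_text))


# Constructed from the listing on the page (same names, ports and GUIDs).
DEMO_ZONE = """\
_ldap._tcp.forest.example.com. 600 IN SRV 0 100 389 adf.forest.example.com.
_gc._tcp.forest.example.com. 600 IN SRV 0 100 3268 adf.forest.example.com.
_kerberos._udp.forest.example.com. 600 IN SRV 0 100 88 adf.forest.example.com.
_kerberos._tcp.forest.example.com. 600 IN SRV 0 100 88 adf.forest.example.com.
_kpasswd._tcp.forest.example.com. 600 IN SRV 0 100 464 adf.forest.example.com.
_kpasswd._udp.forest.example.com. 600 IN SRV 0 100 464 adf.forest.example.com.
_ldap._tcp.gc._msdcs.forest.example.com. 600 IN SRV 0 100 3268 adf.forest.example.com.
_ldap._tcp.dc._msdcs.forest.example.com. 600 IN SRV 0 100 389 adf.forest.example.com.
_kerberos._tcp.dc._msdcs.forest.example.com. 600 IN SRV 0 100 88 adf.forest.example.com.
_ldap._tcp.pdc._msdcs.forest.example.com. 600 IN SRV 0 100 389 adf.forest.example.com.
34356b88-8d9f-457b-87ae-dd660c028489._msdcs.forest.example.com. 600 IN CNAME adf.forest.example.com.
_ldap._tcp.f3d8bf35-d00a-48fd-aaf9-c7d1999227f3.domains._msdcs.forest.example.com. 600 IN SRV 0 100 389 adf.forest.example.com.
_ldap._tcp.Default-First-Site-Name._sites.dc._msdcs.forest.example.com. 600 IN SRV 0 100 389 adf.forest.example.com.
_kerberos._tcp.Default-First-Site-Name._sites.dc._msdcs.forest.example.com. 600 IN SRV 0 100 88 adf.forest.example.com.
_ldap._tcp.Default-First-Site-Name._sites.gc._msdcs.forest.example.com. 600 IN SRV 0 100 3268 adf.forest.example.com.
_ldap._tcp.Default-First-Site-Name._sites.forest.example.com. 600 IN SRV 0 100 389 adf.forest.example.com.
_gc._tcp.Default-First-Site-Name._sites.forest.example.com. 600 IN SRV 0 100 3268 adf.forest.example.com.
_kerberos._tcp.Default-First-Site-Name._sites.forest.example.com. 600 IN SRV 0 100 88 adf.forest.example.com.
"""
```

Run it against a zone dumped with dig axfr (fully qualified owner names, one record per line) and an empty result means every record the DC expects is present with the right target; a record that exists but points at a different host is reported as missing, which is the case you want flagged.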
To make sure that our AD server also has a copy of this zone, we allow it to transfer the zone. The zone definition in named.conf looks like this:
zone "krb5.example.com" {
    type master;
    file "internal/com.example.krb5.zone";
    check-names ignore;
    allow-transfer {
        // ad server
        192.168.1.2;
    };
    allow-update {
        // test client
        192.168.1.3;
    };
    notify no;
};
You will note that there is also an allow-update entry for a client. This lets the client register its own IP address in the zone: AD relies on being able to resolve client host names to IP addresses, and since our clients get their addresses from DHCP we need automatic DNS updates (RFC 2136). The reverse zone is not needed, at least not that we have found.
Be aware that allowing updates by source address alone, as above, is weak protection: an UPDATE is normally a single UDP packet, so anyone who can spoof 192.168.1.3 can add or delete records in the zone. BIND can instead require updates to be signed with a TSIG key (a key statement plus allow-update { key "name"; }), and update-policy can restrict each key to the names it may change; Windows clients doing secure dynamic update use GSS-TSIG, which BIND also supports through update-policy. Use one of those rather than a bare IP list wherever the network is not fully trusted.
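To make the difference concrete, here is what the server actually receives when a client registers itself, and what a TSIG signature adds to it. This is an added example, not code from the page or from BIND: it builds an RFC 2136 UPDATE message by hand (zone section, no prerequisites, one A record to add), signs it with TSIG hmac-sha256 as in RFC 8945, and verifies it the way a server would, including the time window and the "original ID" check. The key name client-key, the key bytes, the host name pc1.forest.example.com and its address are made up for the demonstration.

```python
"""Added example (not from the page): an RFC 2136 UPDATE registering a client's
A record, signed and verified with TSIG (RFC 8945, hmac-sha256), built by hand
so the bytes the MAC covers are visible.  Names, key and address are made up."""
import hashlib
import hmac
import struct
import time

OPCODE_UPDATE = 5
CLASS_IN, CLASS_ANY = 1, 255
TYPE_A, TYPE_SOA, TYPE_TSIG = 1, 6, 250


def encode_name(name):
    """Uncompressed, lower-cased wire-format name (TSIG names are never compressed)."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def _read_name(wire, pos):
    """Read an uncompressed name; returns (name, next position)."""
    labels = []
    while wire[pos]:
        n = wire[pos]
        labels.append(wire[pos + 1:pos + 1 + n].decode("ascii"))
        pos += 1 + n
    return ".".join(labels), pos + 1


def _skip_name(wire, pos):
    """Skip a name that may end in an RFC 1035 compression pointer."""
    while wire[pos]:
        if wire[pos] & 0xC0 == 0xC0:
            return pos + 2
        pos += 1 + wire[pos]
    return pos + 1


def rr(name, rtype, rclass, ttl, rdata):
    return encode_name(name) + struct.pack("!HHIH", rtype, rclass, ttl, len(rdata)) + rdata


def build_update(zone, hostname, ip, msg_id, ttl=600):
    """Unsigned UPDATE: header counts are ZOCOUNT, PRCOUNT, UPCOUNT, ADCOUNT."""
    header = struct.pack("!HHHHHH", msg_id, OPCODE_UPDATE << 11, 1, 0, 1, 0)
    zone_section = encode_name(zone) + struct.pack("!HH", TYPE_SOA, CLASS_IN)
    rdata = bytes(int(octet) for octet in ip.split("."))
    return header + zone_section + rr(hostname, TYPE_A, CLASS_IN, ttl, rdata)


def tsig_variables(key_name, rclass, ttl, algorithm, time_signed, fudge, error, other):
    """The TSIG fields appended to the message before it is MACed (RFC 8945 4.3.3)."""
    return (encode_name(key_name) + struct.pack("!HI", rclass, ttl) + encode_name(algorithm)
            + time_signed.to_bytes(6, "big") + struct.pack("!HHH", fudge, error, len(other)) + other)


def sign_update(msg, key_name, key, time_signed=None, fudge=300):
    """Append a TSIG RR; the MAC covers the unsigned message plus the TSIG variables."""
    time_signed = int(time.time()) if time_signed is None else time_signed
    variables = tsig_variables(key_name, CLASS_ANY, 0, "hmac-sha256", time_signed, fudge, 0, b"")
    mac = hmac.new(key, msg + variables, hashlib.sha256).digest()
    rdata = (encode_name("hmac-sha256") + time_signed.to_bytes(6, "big")
             + struct.pack("!HH", fudge, len(mac)) + mac + msg[:2] + struct.pack("!HH", 0, 0))
    arcount = struct.unpack("!H", msg[10:12])[0] + 1           # the TSIG RR counts in ADCOUNT
    return msg[:10] + struct.pack("!H", arcount) + msg[12:] + rr(key_name, TYPE_TSIG, CLASS_ANY, 0, rdata)


def verify_update(wire, keys, now=None):
    """Server-side check; keys maps key name -> secret.  Returns (ok, reason)."""
    msg_id, _, qd, an, ns, ar = struct.unpack("!HHHHHH", wire[:12])
    pos = 12
    for _ in range(qd):
        pos = _skip_name(wire, pos) + 4
    for _ in range(an + ns + ar - 1):                           # every RR before the TSIG RR
        pos = _skip_name(wire, pos)
        pos += 10 + struct.unpack("!H", wire[pos + 8:pos + 10])[0]
    tsig_start = pos
    key_name, pos = _read_name(wire, pos)
    rtype, rclass, ttl, _ = struct.unpack("!HHIH", wire[pos:pos + 10]); pos += 10
    if rtype != TYPE_TSIG:
        return False, "last record is not TSIG"
    algorithm, pos = _read_name(wire, pos)
    time_signed = int.from_bytes(wire[pos:pos + 6], "big"); pos += 6
    fudge, mac_size = struct.unpack("!HH", wire[pos:pos + 4]); pos += 4
    mac = wire[pos:pos + mac_size]; pos += mac_size
    orig_id, error, other_len = struct.unpack("!HHH", wire[pos:pos + 6]); pos += 6
    other = wire[pos:pos + other_len]
    key = keys.get(key_name.lower())
    if key is None or algorithm.lower() != "hmac-sha256":
        return False, "unknown key or algorithm"                # BADKEY
    unsigned = wire[:10] + struct.pack("!H", ar - 1) + wire[12:tsig_start]
    variables = tsig_variables(key_name, rclass, ttl, algorithm, time_signed, fudge, error, other)
    expected = hmac.new(key, unsigned + variables, hashlib.sha256).digest()
    if not hmac.compare_digest(mac, expected):
        return False, "bad MAC"                                 # BADSIG
    now = int(time.time()) if now is None else now
    if abs(now - time_signed) > fudge:
        return False, "outside fudge window"                    # BADTIME
    if orig_id != msg_id:
        return False, "original ID mismatch"
    return True, "ok"
```

Nothing in the unsigned message ties it to a sender, which is why a source-address ACL is only as strong as the network's resistance to spoofing; with the TSIG RR appended, changing any byte of the update, replaying it outside the fudge window, or using the wrong key is rejected before the zone is touched. In BIND the equivalent is a key statement with the shared secret, allow-update { key "client-key"; } on the zone, and nsupdate -k on the client.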