I am running bind-9.2.1-16, and I never could get it to properly support Microsoft Active Directory dynamic updates. I added the funny zones and permissions; it just never worked correctly for me. Instead, I run MS DNS on the internal LAN - actually on the AD server itself. Since MS likes to break their products so they only work well with other MS products, this works automatically. I then point the MS DNS at a Linux BIND server upstream for cached resolution.