BIND 9 integration with Server 2003 Active Directory DNS

I am attempting to get 2003 DNS to dynamically update BIND 9 zone files in a mixed DNS environment.  I have created the four AD _ zones and manually inserted the netlogon.dns records which allows me to use BIND as the primary DNS and have Active Directory functionality such as login and adding computers to the domain.  

I’ve spent the last two days researching and cannot get Windows to issue updates to BIND.  The BIND debug log and tcpdump show no signs of Windows attempting to send updates.  I tried changing the SOA record on the AD zones to the BIND server under Windows DNS but Windows changes them back to itself after a reboot and never attempts to send updates to BIND.  I’ve also tried the netdiag /fix “fix” found here on this site with no luck.

I have the BIND server added as a name server for each of the zones under Windows and have Allow Zone Transfers and Automatically Notify selected for Servers Listed in the Name Servers Tab.

I created the _ zones manually on the AD server after doing a dcpromo and choosing not to install DNS during the promotion.  They appear to have populated correctly after creation and a reboot.

## named.conf AD entries

```
acl dc { 192.168.1.1; };

zone "test.mydomain.com" IN {
        type master;
        file "/etc/bind/db.ad.test.mydomain.com";
        allow-update { dc; };
        allow-transfer { dc; };
};
zone "_udp.test.mydomain.com" IN {
        type master;
        file "/etc/bind/db.udp.test.mydomain.com";
        allow-update { dc; };
        allow-transfer { dc; };
};
zone "_tcp.test.mydomain.com" IN {
        type master;
        file "/etc/bind/db.tcp.test.mydomain.com";
        allow-update { dc; };
        allow-transfer { dc; };
};
zone "_sites.test.mydomain.com" IN {
        type master;
        file "/etc/bind/db.sites.test.mydomain.com";
        allow-update { dc; };
        allow-transfer { dc; };
};
zone "_msdcs.test.mydomain.com" IN {
        type master;
        file "/etc/bind/db.msdcs.test.mydomain.com";
        allow-update { dc; };
        allow-transfer { dc; };
};
zone "DomainDnsZones.test.mydomain.com" IN {
        type master;
        file "/etc/bind/db.DomainDnsZones.test.mydomain.com";
        allow-update { dc; };
        allow-transfer { dc; };
};
zone "ForestDnsZones.test.mydomain.com" IN {
        type master;
        file "/etc/bind/db.ForestDnsZones.test.mydomain.com";
        allow-update { dc; };
        allow-transfer { dc; };
};
```

Your help is greatly appreciated,

Thank you,

Joel Golden
moregti asked:
jar3817 commented:
In order to use bind for Active Directory you have to set the DNS server addresses (for the NICs on the workstations AND domain controllers) to the servers running bind. Keep in mind that not only DCs but workstations will be updating their DNS too, so add the subnets of your clients to the ACL.
0
 
arvind commented:
Phewww..... The slave zone is getting updates from AD; now I am working on the bind master zone... Give me 2-3 hours, I'll let you know.
0
 
arvind commented:
Here it goes:

AD server side
[1] Open the AD zone A properties --> in the Zone Transfers tab --> check Allow zone transfers --> check Only to the following servers --> add your bind server IP here
--> Click on the Notify button --> check Automatically notify --> check The following servers --> add the bind IP here and click OK --> click Apply

Bind server side
[2] add the following to all the zones

```
        allow-update {
                bind IP;
        };
        allow-transfer {
                bind IP;
        };
```
[3] Restart Bind
[4] run rndc reload bindzonename

0
 
moregti (author) commented:
Arvind,

Thank you for the quick response.  I changed the AD settings from Allow zone transfers --> Only to servers listed on the Name Servers tab, to Only to the following servers, and added the static IP of the bind server.  My current named.conf is configured to allow-update and allow-transfer from the AD server.  I ran the rndc reload bindzonename and the debug log states it's receiving notifies.  However, I have BIND as the master for these zones.  I'm a little confused by your first statement of "Slave zone getting update from AD."  Should I be running these zones as slaves on BIND?

My goal is for AD to be able to dynamically update these zones on BIND, primarily for the SRV records: if services are added to the domain they are dynamically updated in BIND without a zone transfer.  It would be nice for the host A records to update when computers are added to the domain, but it is not a necessity.

Thank you,

Joel
0
 
moregti (author) commented:
It may be important to note that the AD server is not the DHCP server.

Joel
0
 
arvind commented:
Joel,

I started my AD-BIND testing on slave zones first -- this is the reason I put the slave zone in the first test result.  The second test I did with a master zone -- meaning both the master and slave are updated from AD.


Let me explain your question again -- you want the following:

[1] Whatever changes happen on the AD master zone need to be updated on the BIND master zone also -- right?

I have not tested the reverse case -- could you please test the reverse case?

0
 
moregti (author) commented:
Arvind,

Answer to question 1 is yes.

I am testing with BIND as the master for the zones.  By reverse, do you want me to test BIND as the slave for the zones?

Joel
0
 
arvind commented:
I think there is no need to test the reverse, as the slave will 100% work with the above test case.


My only worry is that if we delete anything on AD (by mistake) it will replicate to BIND -- is this OK for you?
0
 
moregti (author) commented:
I'm running in a test environment right now so we're free to delete anything.  What exactly would you like for me to try?

Joel
0
 
moregti (author) commented:
Success!  I had two problems to solve.  One, Windows forces itself to use the localhost, 127.0.0.1, as the Primary DNS when you install the DNS server.  This was an oversight, as I had the BIND server as the primary server.  Two, the /etc/bind directory was set to 744 with root.bind ownership.  Bind was unable to write the JNL files once AD started communicating.

Arvind, thank you for your response, but I believe my original question includes most if not all of the information you provided.  I did go back and test whether Zone Transfers and Notifications work with "Only to servers listed in the name servers tab" versus specifying the IP address, and it does work both ways.

jar3817, your response made me double check the Primary DNS setting, which put me on the right track to have a "fully" functional AD and BIND mixed environment.  Zones are updating with workstation and server info, which is a very nice way to end my week!

Thank you,

Joel Golden




0
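A check for the two BIND-side failure modes that surface in this thread: a zone directory that named cannot write journals into (the 744 root.bind directory above) and an allow-update ACL that is wider than the `dc` ACL in the question's named.conf. This is added example code, not anything posted in the thread; it assumes the caller passes in the uid and gids that named runs as, and `demo()` simulates that with a constructed temporary directory.

```python
import os, re, stat, tempfile
# One multi-line zone stanza in the layout shown on this page: zone "name" IN { ... };
ZONE_RE = re.compile(r'zone\s+"([^"]+)"\s+IN\s*\{(.*?)\n\};', re.S)
# Constructed sample: the page's first zone, plus a deliberately open one for contrast.
SAMPLE_CONF = '''zone "test.mydomain.com" IN {
        file "/etc/bind/db.ad.test.mydomain.com";
        allow-update { dc; };
};
zone "open.example" IN {
        file "/etc/bind/db.open.example";
        allow-update { any; };
};
'''

def parse_zones(conf_text):
    """Return {name, file, allow_update} per zone; allow_update is None if absent."""
    zones = []
    for m in ZONE_RE.finditer(conf_text):
        body = m.group(2)
        f = re.search(r'file\s+"([^"]+)"', body)
        au = re.search(r'allow-update\s*\{([^}]*)\}', body)
        entries = [e.strip() for e in au.group(1).split(';') if e.strip()] if au else None
        zones.append({'name': m.group(1), 'file': f.group(1) if f else None, 'allow_update': entries})
    return zones

def dir_writable_by(path, uid, gids):
    """Owner/group/other write check of a directory's mode bits for the given identity."""
    st = os.stat(path)
    if st.st_uid == uid:
        return bool(st.st_mode & stat.S_IWUSR)
    if st.st_gid in gids:
        return bool(st.st_mode & stat.S_IWGRP)
    return bool(st.st_mode & stat.S_IWOTH)

def audit(conf_text, named_uid, named_gids):
    """(zone, problem) pairs for dynamic-update zones; the identity named runs as is passed in."""
    findings = []
    for z in parse_zones(conf_text):
        if z['allow_update'] is None or z['file'] is None:
            continue  # no dynamic updates, so no journal is ever written
        if 'any' in z['allow_update']:
            findings.append((z['name'], 'allow-update { any; } accepts updates from every source address'))
        zone_dir = os.path.dirname(z['file'])
        if not dir_writable_by(zone_dir, named_uid, named_gids):
            findings.append((z['name'], f'{zone_dir} not writable by named: .jnl journal writes will fail'))
    return findings

def demo(dir_mode):
    """Constructed case: temp dir with dir_mode owned by us; named simulated as another uid in its group."""
    d = tempfile.mkdtemp()
    os.chmod(d, dir_mode)
    st = os.stat(d)
    return audit(SAMPLE_CONF.replace('/etc/bind', d), st.st_uid + 1, [st.st_gid])
```

`demo(0o744)` reproduces the thread's symptom for both zones, while `demo(0o775)` leaves only the open ACL flagged; a real run would feed the live named.conf and `pwd.getpwnam('bind')`.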
 
arvind commented:
Welcome Joel,

Finally you got the right answer -- it is good... by the way I invested 4 hours in your problem :)

0