Solved

BIND 9 integration with Server 2003 Active Directory DNS

Posted on 2006-05-25
Last Modified: 2010-03-18
I am attempting to get 2003 DNS to dynamically update BIND 9 zone files in a mixed DNS environment.  I have created the four AD _ zones and manually inserted the netlogon.dns records which allows me to use BIND as the primary DNS and have Active Directory functionality such as login and adding computers to the domain.  

I’ve spent the last two days researching and cannot get Windows to issue updates to BIND.  The BIND debug log and tcpdump show no signs of Windows attempting to send updates.  I tried changing the SOA record on the AD zones to the BIND server under Windows DNS but Windows changes them back to itself after a reboot and never attempts to send updates to BIND.  I’ve also tried the netdiag /fix “fix” found here on this site with no luck.

I have the BIND server added as a name server for each of the zones under Windows and have Allow Zone Transfers and Automatically Notify selected for Servers Listed in the Name Servers Tab.

I created the _ zones manually on the AD server after doing a dcpromo and choosing not to install DNS during the promotion.  They appear to have populated correctly after creation and a reboot.

## named.conf AD entries

acl dc { 192.168.1.1; };

zone "test.mydomain.com" IN {
        type master;
        file "/etc/bind/db.ad.test.mydomain.com";
        allow-update { dc; };
        allow-transfer { dc; };
};
zone "_udp.test.mydomain.com" IN {
        type master;
        file "/etc/bind/db.udp.test.mydomain.com";
        allow-update { dc; };
        allow-transfer { dc; };
};
zone "_tcp.test.mydomain.com" IN {
        type master;
        file "/etc/bind/db.tcp.test.mydomain.com";
        allow-update { dc; };
        allow-transfer { dc; };
};
zone "_sites.test.mydomain.com" IN {
        type master;
        file "/etc/bind/db.sites.test.mydomain.com";
        allow-update { dc; };
        allow-transfer { dc; };
};

zone "_msdcs.test.mydomain.com" IN {
        type master;
        file "/etc/bind/db.msdcs.test.mydomain.com";
        allow-update { dc; };
        allow-transfer { dc; };
};
zone "DomainDnsZones.test.mydomain.com" IN {
        type master;
        file "/etc/bind/db.DomainDnsZones.test.mydomain.com";
        allow-update { dc; };
        allow-transfer { dc; };
};
zone "ForestDnsZones.test.mydomain.com" IN {
        type master;
        file "/etc/bind/db.ForestDnsZones.test.mydomain.com";
        allow-update { dc; };
        allow-transfer { dc; };
};

Your help is greatly appreciated,

Thank you,

Joel Golden
Question by:moregti
 

Expert Comment

by:arvind
ID: 16767346
phewww..... Slave zone is getting updates from AD; now I am working on the bind master zone... Give me 2-3 hours, I'll let you know.
 

Expert Comment

by:arvind
ID: 16767500
Here it goes:

AD server side
[1] Open the AD zone A properties --> in the Zone Transfers tab --> check Allow zone transfers --> check Only to the following servers --> add your bind server IP here
--> click the Notify button --> check Automatically notify --> check The following servers --> add the bind IP here and click OK --> click Apply

Bind server side
[2] Add the following to all the zones (replace "bind IP" with the address of the server that should be allowed to update and transfer):

        allow-update {
                bind IP;
        };
        allow-transfer {
                bind IP;
        };

[3] Restart BIND
[4] Run rndc reload bindzonename
 

Author Comment

by:moregti
ID: 16769048
Arvind,

Thank you for the quick response.  I changed the AD setting from Allow zone transfers --> Only to servers listed on the Name Servers tab, to Only to the following servers, and added the static IP of the bind server.  My current named.conf is configured to allow-update and allow-transfer from the AD server.  I ran rndc reload bindzonename and the debug log states it's receiving notifies.  However, I have BIND as the master for these zones.  I'm a little confused by your first statement of "Slave zone getting update from AD."  Should I be running these zones as slaves on BIND?

My goal is for AD to be able to dynamically update these zones on BIND, primarily so that when services are added to the domain the SRV records are dynamically updated in BIND without a zone transfer.  It would be nice for the host A records to update when computers are added to the domain, but it is not a necessity.

Thank you,

Joel
 

Author Comment

by:moregti
ID: 16769180
It may be important to note that the AD server is not the DHCP server.

Joel

Expert Comment

by:arvind
ID: 16769790
Joel,

I started my AD-BIND testing on slave zones first -- this is the reason I'd put the slave zone in the first test result.  The second test I did with the master zone -- meaning both the master and slave are updated with AD.


Let me restate your question -- you want the following:

[1] Whatever changes happen on the AD master zone need to be updated on the BIND master zone also --- right?

I have not tested the reverse case -- could you please test the reverse case?
 

Author Comment

by:moregti
ID: 16769847
Arvind,

Answer to question 1 is yes.

I am testing with BIND as the master for the zones.  By reverse, do you want me to test BIND as the slave for the zones?

Joel

Expert Comment

by:arvind
ID: 16769951
I think there is no need to test the reverse --- as the slave will 100% work with the above test case.


My only worry is that if we delete anything on AD (by mistake) that will replicate to BIND -- is this OK for you?
 

Author Comment

by:moregti
ID: 16770567
I'm running in a test environment right now so we're free to delete anything.  What exactly would you like for me to try?

Joel

Accepted Solution

by: jar3817 (earned 1500 total points)
ID: 16771309
In order to use bind for Active Directory you have to set the DNS server addresses (for the NICs on the workstations AND domain controllers) to the servers running bind. Keep in mind that not only DCs but workstations will be updating their DNS too, so add the subnets of your clients to the ACL.
 

Author Comment

by:moregti
ID: 16772786
Success!  I had two problems to solve.  One, Windows forces itself to use the localhost, 127.0.0.1, as the Primary DNS when you install the DNS server.  This was an oversight, as I had the BIND server as the primary server.  Two, the /etc/bind directory was set to 744 with root.bind ownership.  Bind was unable to write the JNL files once AD started communicating.

Arvind, thank you for your response, but I believe my original question includes most if not all of the information you provided.  I did go back and test whether Zone Transfers and Notifications work with "Only to servers listed in the name servers tab" versus specifying the IP address, and it does work both ways.  

jar3817, your response made me double check the Primary DNS setting, which put me on the right track to have a "fully" functional AD and BIND mixed environment.  Zones are updating with workstation and server info, which is a very nice way to end my week!

Thank you,

Joel Golden




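A check for the two faults Joel found, written here as an added example and not part of the thread: it parses the zone stanzas of a named.conf, flags `allow-update { any; }`, and verifies that the named user can write the directory holding each updatable zone file, since that is where BIND must create the .jnl journal. The sample named.conf, the directory stat values and the bind uid/gid of 53 are constructed assumptions.

```python
# Added example, not from the thread: audit the zones in a named.conf that accept
# dynamic updates for a wide-open allow-update ACL and for a zone directory that
# named cannot write (which blocks the <zonefile>.jnl journal BIND creates).
import os
import re
ZONE_OPEN = re.compile(r'zone\s+"([^"]+)"\s+IN\s*\{')
FILE = re.compile(r'file\s+"([^"]+)"\s*;')
ALLOW_UPDATE = re.compile(r'allow-update\s*\{([^}]*)\}\s*;')

def brace_body(text, start):
    # Return the text between the brace at text[start] and its matching close brace.
    depth = 0
    for i in range(start, len(text)):
        depth += (text[i] == "{") - (text[i] == "}")
        if depth == 0:
            return text[start + 1:i]
    raise ValueError("unbalanced braces in named.conf")

def parse_zones(conf):
    # Yield (name, zone file path, [allow-update entries]) for each zone stanza.
    for m in ZONE_OPEN.finditer(conf):
        body = brace_body(conf, m.end() - 1)
        f, u = FILE.search(body), ALLOW_UPDATE.search(body)
        yield (m.group(1), f.group(1) if f else None,
               [e.strip() for e in u.group(1).split(";") if e.strip()] if u else [])

def can_write_dir(mode, dir_uid, dir_gid, uid, gid):
    # Kernel-style check for an unprivileged process such as named: creating a file
    # needs write and search (x) bits from the class (owner/group/other) it falls into.
    shift = 6 if uid == dir_uid else 3 if gid == dir_gid else 0
    return (mode >> shift) & 0o3 == 0o3

def audit(conf, uid, gid, statfn=os.stat):
    # Return [(zone, problem)] for every zone that accepts dynamic updates.
    problems = []
    for name, path, allowed in parse_zones(conf):
        if "any" in allowed:
            problems.append((name, "allow-update { any; } lets every host rewrite the zone"))
        if allowed and path:
            st = statfn(d := os.path.dirname(path))
            if not can_write_dir(st.st_mode, st.st_uid, st.st_gid, uid, gid):
                problems.append((name, f"named cannot create a .jnl journal in {d}"))
    return problems
# Constructed sample: /etc/bind is 744 root:bind as in the thread; named assumed uid/gid 53.
SAMPLE_CONF = """
acl dc { 192.168.1.1; };
zone "test.mydomain.com" IN { type master; file "/etc/bind/db.ad.test.mydomain.com"; allow-update { dc; }; };
zone "_msdcs.test.mydomain.com" IN { type master; file "/var/lib/bind/db.msdcs.test.mydomain.com"; allow-update { dc; 192.168.2.0/24; }; };
"""
FAKE_DIRS = {"/etc/bind": os.stat_result((0o40744, 0, 0, 1, 0, 53, 0, 0, 0, 0)),  # mode, ino, dev, nlink, uid, gid, ...
             "/var/lib/bind": os.stat_result((0o40775, 0, 0, 1, 0, 53, 0, 0, 0, 0))}
```

Run against a real server with `audit(open("/etc/bind/named.conf").read(), uid, gid)` using the uid/gid named runs as; the fixed directory in the sample (775, root:bind) produces no finding.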
 

Expert Comment

by:arvind
ID: 16774235
You're welcome, Joel,


Finally you got the right answer -- it is good... by the way, I'd invested 4 hours on your problem :)
