dalva
asked on
Error message when setting up ddns on BIND to interact with Windows 2003 AD
We are in the process of setting up Windows 2003 AD on a network which uses BIND 9.2 for all DNS services.
We want to continue using BIND and therefore have decided to set up ddns on BIND. There is lots of literature which claims to show how to do this but no one article spells it out plain and simple.
I created 6 new subzones based on one article I came across, where DomainName.org is a substitute for our true domain name.
_msdcs.DomainName.org
_tcp.DomainName.org
_udp.DomainName.org
_sites.DomainName.org
DomainDnsZones.DomainName.org
ForestDnsZones.DomainName.org
I get the error message from Windows 2003 during DNS registration:
The SOA query for _ldap._tcp.dc._msdcs.DomainName.org to find the primary DNS server returned:
DNS server failure.
(error code 0x0000232A “RCODE_SERVER_FAILURE”)
Would appreciate any assistance to solve this problem.
This paper explains what is necessary.
http://www.microsoft.com/technet/archive/interopmigration/linux/mvc/cfgbind.mspx?mfr=true
Pay attention to the NAMED.CONF configuration.
ASKER
Netman66,
Your first suggestion is not the path I want to follow. I have an existing BIND 9.2 dns server and now I just want to add an Active Directory domain controller which will send dynamic updates to the BIND server.
On the second suggestion, I previously read it and it just did not give me the little details I need to make this work. I did review it again and I think I'm very close to making it work.
The error message seems to refer to an SOA query for a server which does not have an A record. I am confused about the A record for this AD domain controller.
Before this project the A record was
dc1 IN A 10.10.120.100 which was located in the DomainName.org.zone file
and the PTR record was
100.120 IN PTR dc1.DomainName.org. in the 10.10.zone file.
I have not altered these records but am wondering whether I need to make some type of "A" record entry in the subzone files
_msdcs.DomainName.org
_tcp.DomainName.org
_udp.DomainName.org
_sites.DomainName.org
or perhaps remove from the original files DomainName.org.zone and 10.10.zone ?
ASKER CERTIFIED SOLUTION
ASKER
My original approach to create the 6 new subzones was totally incorrect. I located the answer to my question at the link below which I have also cut and pasted into this question for future users. The real problem was the user PCs could not locate the Active Directory server. All that was needed was to place the four SRV records as detailed below. Substitute your domain name as needed.
http://www.linuxquestions.org/questions/showthread.php?t=379377
HOWTO: MS Active Directory with BIND on Linux
------------------------------------------------------------
I ran into a situation where I needed to support Active Directory DNS queries with BIND running on Linux. The particular issue was that workstations on one lan couldn't access their shares or even authenticate on a Domain Controller on another lan. After several responses of "sure you can do that and it's easy" but nobody wanting to hand me the step-by-step solution I finally found the answer. Thought I would post it here for the next guy that needs it.
What I needed was SRV records to tell the workstations where the Domain Controller was on the other lan. If you have your BIND DNS already set up, all you need to add are 4 SRV entries to the same file your A records are in. Obviously you need an A record entry for the DC as well. All punctuation is required and CAPS in my example signify that it is LAN dependent, e.g., you should know how to fill this in!!! In this example DCHOSTNAME.DOMAIN.COM is your Domain Controller's fully qualified domain name.
_ldap._tcp.DOMAIN.COM. SRV 0 0 389 DCHOSTNAME.DOMAIN.COM.
_kerberos._tcp.DOMAIN.COM. SRV 0 0 88 DCHOSTNAME.DOMAIN.COM.
_ldap._tcp.dc._msdcs.DOMAIN.COM. SRV 0 0 389 DCHOSTNAME.DOMAIN.COM.
_kerberos._tcp.dc._msdcs.DOMAIN.COM. SRV 0 0 88 DCHOSTNAME.DOMAIN.COM.
That's it! Now your Domain Controllers can be found via your DNS servers running on Linux. Look up a little tutorial on DNS SRV records if you need to know what this all means.
------------------------------------------------------------
Last edited by ghight : 11-02-2005 at 09:54 PM.
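As an added check (my own example, not code from this thread or from ghight's HOWTO), the script below parses a constructed BIND zone fragment and verifies the point the HOWTO makes: all four locator SRV records must exist with the expected ports, and each target must have an A record in the zone, which is the missing-A-record situation the SOA error above comes down to. The example.org domain, the dc1 host name and the 10.10.120.100 address in the sample are placeholders.

```python
# Constructed sample zone (not from the thread): the DC's A record plus the four locator SRV records.
SAMPLE_ZONE = """\
$ORIGIN example.org.
dc1                                   IN A   10.10.120.100
_ldap._tcp.example.org.               IN SRV 0 0 389 dc1.example.org.
_kerberos._tcp.example.org.           IN SRV 0 0 88  dc1.example.org.
_ldap._tcp.dc._msdcs.example.org.     IN SRV 0 0 389 dc1.example.org.
_kerberos._tcp.dc._msdcs.example.org. IN SRV 0 0 88  dc1.example.org.
"""
# The four SRV owners a Windows client queries to locate a DC, and their ports.
REQUIRED_SRV = {"_ldap._tcp.{d}.": 389, "_kerberos._tcp.{d}.": 88,
                "_ldap._tcp.dc._msdcs.{d}.": 389, "_kerberos._tcp.dc._msdcs.{d}.": 88}

def _fqdn(name, origin):
    """Lower-case a zone-file name; a relative name gets the current $ORIGIN appended."""
    name = name.lower()
    return name if name.endswith(".") else name + "." + origin

def parse_zone(text):
    """Minimal parser -> {'A': {owner: [ip]}, 'SRV': {owner: [(prio, weight, port, target)]}}."""
    origin, records = ".", {"A": {}, "SRV": {}}
    lines = (raw.split(";", 1)[0].split() for raw in text.splitlines())
    for tok in filter(None, lines):                  # skip comment-only and blank lines
        if tok[0] == "$ORIGIN":
            origin = tok[1].lower()
            continue
        owner, rest = _fqdn(tok[0], origin), tok[1:]
        while rest and (rest[0].isdigit() or rest[0].upper() == "IN"):
            rest = rest[1:]                          # skip optional TTL / class
        if rest[0].upper() == "A":
            records["A"].setdefault(owner, []).append(rest[1])
        elif rest[0].upper() == "SRV":
            prio, weight, port, target = rest[1:5]
            records["SRV"].setdefault(owner, []).append(
                (int(prio), int(weight), int(port), _fqdn(target, origin)))
    return records

def check_ad_locator(records, domain):
    """Return problems; empty means all four SRV exist, use the right port, and target a host with an A record."""
    problems, d = [], domain.lower().rstrip(".")
    for pattern, port in REQUIRED_SRV.items():
        owner = pattern.format(d=d)
        if owner not in records["SRV"]:
            problems.append(f"missing SRV {owner}")
        for _, _, p, target in records["SRV"].get(owner, []):
            if p != port:
                problems.append(f"{owner}: port {p}, expected {port}")
            if target not in records["A"]:
                problems.append(f"{owner}: target {target} has no A record")
    return problems
```

Run `check_ad_locator(parse_zone(open("db.example.org").read()), "example.org")` against your real zone file; an empty list means the locator records are complete.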
ASKER
I have assigned netman66 the points based on his several responses which tended to point in the general direction with lots of relevant information. Between netman66's answers and my final solution, future readers should be able to get a good handle on what is happening and how to fix it.
You'll save a world of hurt if you let the OS do the work for you.
You can ALWAYS set the zones on the 2003 server to Primary and create a Secondary on the BIND server that does zone transfers.
The structure you need to create is extremely time consuming. I can send a screen capture to you of mine, and it needs to be exact.