Avatar of dalva
dalva
 asked on

Error message when setting up ddns on BIND to interact with Windows 2003 AD

We are in the process of setting up Windows 2003 AD on a network which uses BIND 9.2 for all DNS services.

We want to continue using BIND and therefore have decided to setup ddns on BIND.  There is lots of literature which claims to show how to do this but no one article spells it out plain and simple.

I created 6 new subzones based on one article I came across, where DomainName.org is a substitute for our true domain name.

_msdcs.DomainName.org
_tcp.DomainName.org
_udp.DomainName.org
_sites.DomainName.org
DomainDnsZones.DomainName.org
ForestDnsZones.DomainName.org
 
I get the error message from Windows 2003 during DNS registration:

The SOA query for _ldap._tcp.dc._msdcs.DomainName.org to find the primary DNS server returned:
DNS server failure.
(error code 0x0000232A “RCODE_SERVER_FAILURE”)

Would appreciate any assistance to solve this problem.
Windows Server 2003

Avatar of undefined
Last Comment
dalva

8/22/2022 - Mon
Netman66

Install DNS during DCPROMO on the 2003 server - use that for AD.  Set the Forwarder to your BIND servers.

You'll save a world of hurt if you let the OS do the work for you.

You can ALWAYS set the zones on the 2003 server to Primary and create a Secondary on the BIND server that does zone transfers.

The structure you need to create is extremely time consuming.  I can send a screen capture to you of mine, and it needs to be exact.



Netman66

This paper explains what is necessary.

http://www.microsoft.com/technet/archive/interopmigration/linux/mvc/cfgbind.mspx?mfr=true

Pay attention to the NAMED.CONF configuration.

dalva

ASKER
Netman66,

Your first suggestion is not the path I want to follow.  I have an existing BIND 9.2 dns server and now I just want to add an Active Directory domain controller which will send dynamic updates to the BIND server.

On the second suggestion, I previously read it and it just did not give me the little details I need to make this work.  I did review it again and I think I'm very close to making it work.

The error message seems to refer to an SOA query for a server which does not have an A record.  I am confused about the A record for this AD domain controller.

Before this project the A record was

dc1  IN  A  10.10.120.100 which was located in the DomainName.org.zone file

and the PTR record was
100.120  IN  PTR dc1.DomainName.org. 10.10.zone file.

I have not altered these records but am wondering do I need to make some type of "A" record entry in the subzone files

_msdcs.DomainName.org
_tcp.DomainName.org
_udp.DomainName.org
_sites.DomainName.org

or perhaps remove from the original files DomainName.org.zone and 10.10.zone ?
Experts Exchange is like having an extremely knowledgeable team sitting and waiting for your call. Couldn't do my job half as well as I do without it!
James Murphy
ASKER CERTIFIED SOLUTION
Netman66

Log in or sign up to see answer
Become an EE member today7-DAY FREE TRIAL
Members can start a 7-Day Free trial then enjoy unlimited access to the platform
Sign up - Free for 7 days
or
Learn why we charge membership fees
We get it - no one likes a content blocker. Take one extra minute and find out why we block content.
Not exactly the question you had in mind?
Sign up for an EE membership and get your own personalized solution. With an EE membership, you can ask unlimited troubleshooting, research, or opinion questions.
ask a question
dalva

ASKER
My original approach to create the 6 new subzones was totally incorrect.  I located the answer to my question at the link below which I have also cut and pasted into this question for future users.  The real problem was the user PC's could not locate the Active Directory server.  All that was needed was to place the four SRV records as detailed below.  Substitue your domain name as needed.


http://www.linuxquestions.org/questions/showthread.php?t=379377

HOWTO: MS Active Directory with BIND on Linux

--------------------------------------------------------------------------------

I ran into a situation where I needed to support Active Directory DNS queries with BIND running on Linux. The particular issue was that workstations on one lan couldn't access their shares or even authenticate on a Domain Controller on another lan. After several responses of "sure you can do that and it's easy" but nobody wanting to hand me the step-by-step solution I finally found the answer. Thought I would post it here for the next guy that needs it.

What I needed was SRV records to tell the workstations where the Domain Controller was on the other lan. If you have your BIND DNS already setup, all you need to add are 4 SRV entries to the same file your A records are in. Obviously you need an A record entry for the DC as well. All punctuation is required and CAPS in my example signify that it is LAN dependent, eg, you should know how to fill this in!!! In this example DCHOSTNAME.DOMAIN.COM is your Domain Controllers fully qualified domain name.

_ldap._tcp.DOMAIN.COM. SRV 0 0 389 DCHOSTNAME.DOMAIN.COM.
_kerberos._tcp.DOMAIN.COM. SRV 0 0 88 DCHOSTNAME.DOMAIN.COM.
_ldap._tcp.dc._msdcs.DOMAIN.COM. SRV 0 0 389 DCHOSTNAME.DOMAIN.COM.
_kerberos._tcp.dc._msdcs.DOMAIN.COM. SRV 0 0 88 DCHOSTNAME.DOMAIN.COM.

That's it! Now your Domain Controllers can be found via you DNS servers running on Linux. Look up a little tutorial on DNS SRV records if you need to know what this all means.

--------------------------------------------------------------------------------
Last edited by ghight : 11-02-2005 at 09:54 PM.
dalva

ASKER
I have assigned netman66 the points based on his several responses which tended to point in the general direction with lots of relevant information.  Between netman66's answeres and my final solution, future readers should be able to get a good handle on what is happening and how to fix it.