Link to home
Create AccountLog in
Avatar of dalva
dalva

asked on

Error message when setting up ddns on BIND to interact with Windows 2003 AD

We are in the process of setting up Windows 2003 AD on a network which uses BIND 9.2 for all DNS services.

We want to continue using BIND and therefore have decided to setup ddns on BIND.  There is lots of literature which claims to show how to do this but no one article spells it out plain and simple.

I created 6 new subzones based on one article I came across, where DomainName.org is a substitute for our true domain name.

_msdcs.DomainName.org
_tcp.DomainName.org
_udp.DomainName.org
_sites.DomainName.org
DomainDnsZones.DomainName.org
ForestDnsZones.DomainName.org
 
I get the error message from Windows 2003 during DNS registration:

The SOA query for _ldap._tcp.dc._msdcs.DomainName.org to find the primary DNS server returned:
DNS server failure.
(error code 0x0000232A “RCODE_SERVER_FAILURE”)

Would appreciate any assistance to solve this problem.
Avatar of Netman66
Netman66
Flag of Canada image

Install DNS during DCPROMO on the 2003 server - use that for AD.  Set the Forwarder to your BIND servers.

You'll save a world of hurt if you let the OS do the work for you.

You can ALWAYS set the zones on the 2003 server to Primary and create a Secondary on the BIND server that does zone transfers.

The structure you need to create is extremely time consuming.  I can send a screen capture to you of mine, and it needs to be exact.



This paper explains what is necessary.

http://www.microsoft.com/technet/archive/interopmigration/linux/mvc/cfgbind.mspx?mfr=true

Pay attention to the NAMED.CONF configuration.

Avatar of dalva
dalva

ASKER

Netman66,

Your first suggestion is not the path I want to follow.  I have an existing BIND 9.2 dns server and now I just want to add an Active Directory domain controller which will send dynamic updates to the BIND server.

On the second suggestion, I previously read it and it just did not give me the little details I need to make this work.  I did review it again and I think I'm very close to making it work.

The error message seems to refer to an SOA query for a server which does not have an A record.  I am confused about the A record for this AD domain controller.

Before this project the A record was

dc1  IN  A  10.10.120.100 which was located in the DomainName.org.zone file

and the PTR record was
100.120  IN  PTR dc1.DomainName.org. 10.10.zone file.

I have not altered these records but am wondering do I need to make some type of "A" record entry in the subzone files

_msdcs.DomainName.org
_tcp.DomainName.org
_udp.DomainName.org
_sites.DomainName.org

or perhaps remove from the original files DomainName.org.zone and 10.10.zone ?
ASKER CERTIFIED SOLUTION
Avatar of Netman66
Netman66
Flag of Canada image

Link to home
membership
Create a free account to see this answer
Signing up is free and takes 30 seconds. No credit card required.
See answer
Avatar of dalva

ASKER

My original approach to create the 6 new subzones was totally incorrect.  I located the answer to my question at the link below which I have also cut and pasted into this question for future users.  The real problem was the user PC's could not locate the Active Directory server.  All that was needed was to place the four SRV records as detailed below.  Substitue your domain name as needed.


http://www.linuxquestions.org/questions/showthread.php?t=379377

HOWTO: MS Active Directory with BIND on Linux

--------------------------------------------------------------------------------

I ran into a situation where I needed to support Active Directory DNS queries with BIND running on Linux. The particular issue was that workstations on one lan couldn't access their shares or even authenticate on a Domain Controller on another lan. After several responses of "sure you can do that and it's easy" but nobody wanting to hand me the step-by-step solution I finally found the answer. Thought I would post it here for the next guy that needs it.

What I needed was SRV records to tell the workstations where the Domain Controller was on the other lan. If you have your BIND DNS already setup, all you need to add are 4 SRV entries to the same file your A records are in. Obviously you need an A record entry for the DC as well. All punctuation is required and CAPS in my example signify that it is LAN dependent, eg, you should know how to fill this in!!! In this example DCHOSTNAME.DOMAIN.COM is your Domain Controllers fully qualified domain name.

_ldap._tcp.DOMAIN.COM. SRV 0 0 389 DCHOSTNAME.DOMAIN.COM.
_kerberos._tcp.DOMAIN.COM. SRV 0 0 88 DCHOSTNAME.DOMAIN.COM.
_ldap._tcp.dc._msdcs.DOMAIN.COM. SRV 0 0 389 DCHOSTNAME.DOMAIN.COM.
_kerberos._tcp.dc._msdcs.DOMAIN.COM. SRV 0 0 88 DCHOSTNAME.DOMAIN.COM.

That's it! Now your Domain Controllers can be found via you DNS servers running on Linux. Look up a little tutorial on DNS SRV records if you need to know what this all means.

--------------------------------------------------------------------------------
Last edited by ghight : 11-02-2005 at 09:54 PM.
Avatar of dalva

ASKER

I have assigned netman66 the points based on his several responses which tended to point in the general direction with lots of relevant information.  Between netman66's answeres and my final solution, future readers should be able to get a good handle on what is happening and how to fix it.