Using Linux DNS Server With Active Directory

Posted on 2008-09-29
Last Modified: 2012-05-05
Setup Details :

In our environment there are two domains, namely "a.com" & "b.com", and both have a tree-root trust relationship established. There are about 8 domain controllers in total (a.com = 2, b.com = 6).

All the domain controllers are DNS servers, and Active Directory is integrated into DNS.

Our primary DNS servers are BIND 9 Linux DNS servers (i.e. on our client machines the Linux DNS server is set as the default DNS server).

Problems :

1. Whenever we issue the nslookup command on our client machines we are able to resolve a.com & b.com, but we are not able to resolve the client machines using the NetBIOS name.

2. Whenever a new workstation is added to the domain, the Dynamic DNS entries for the workstation are not being updated regularly on the Windows DC/DNS server (i.e. the workstations are added to the Active Directory Users and Computers "Computers" container, but the DNS entry is not updated properly; we have more than 2500 computers in the domain but only 1500 DNS entries are available on the DNS servers).

Question by:kumarnirmal

LVL 70

Expert Comment

by:Chris Dent
ID: 22598030

> (ie in our client machines the linux dns server is set as the default DNS server) & 2.

How does that handle name resolution for the Windows domain?

> 1. ...

Can they when using the FQDN? e.g. host.domain.com?

If so, it is simply that the client is missing a Search List that contains domain.com.

Chris
LVL 70

Expert Comment

by:Chris Dent
ID: 22598097

Heading off home, just a few quick notes before I do:

The BIND \ Linux machines must provide name resolution for the AD Domain name.

Are you using DHCP to update DNS? Or do clients do that themselves? Are you using MS DHCP?

If DHCP is updating, it should primarily refer to a server capable of performing those updates. i.e. a Windows server.

If clients are updating, the Linux machine must handle the AD Domain name using Forwarders. Hosting a slave / secondary copy of the zone will generally result in update failure.

Chris

LVL 7

Author Comment

by:kumarnirmal
ID: 22599996
We are using Linux DNS/DHCP as our primary DNS/DHCP server.
There are no Windows DHCP servers in our network.

Please correct me if I am wrong.
In a Microsoft Active Directory environment (without Linux DNS servers), registration of clients is automatic, i.e. when a client is added to the domain, the respective host entry is added automatically to the Active Directory Integrated DNS server,
and a computer account is created and the host is migrated to Active Directory Users and Computers -> Computers container.

The same process occurs when the workstation is removed from the domain too.

In our environment this is not happening.
From a workstation, if I look up a.com using nslookup, the Linux DNS server responds correctly with the IP addresses of all domain controllers, but if I look up a workstation, for example client1.a.com, it says "Non-existent domain".

Is there a URL/documentation that specifically describes how to configure Active Directory using BIND?
LVL 70

Expert Comment

by:Chris Dent
ID: 22600031

> when a client is added to Domain, respective host entry is added automatically to the Active
> Directory Integrated DNS Server

In your case (not using MS DHCP) the client will send an Update request to the DNS server listed in TCP/IP settings. Whether or not that accepts the update is entirely aside from the account in AD.

> The same process occurs when the Workstation is removed from the Domain too.

Removing a workstation from the domain does not remove the entry in DNS. That is part of the reason Aging and Scavenging exist on MS DNS.

You mention using AD Integrated zones on the Windows servers. For that to be true they must be Primary zones. That means the Linux server either has a Secondary or a Forwarder. Or do you have something different configured?

> Is there a URL/Documentation that specifically describes how to Configure Active Directory using BIND ?

Not that I've seen, but I can tell you how to do it off the top of my head if it comes down to that. We must start with what, exactly, do you have configured on the Linux Server to service the AD domain (is that a.com)?

Chris
LVL 7

Author Comment

by:kumarnirmal
ID: 22600154
We have configured Service Locator Records for a.com and b.com in the Linux DNS Server as recommended in this Microsoft Article : http://www.microsoft.com/technet/archive/interopmigration/linux/mvc/cfgbind.mspx?mfr=true.

Other than this, nothing else is configured.
LVL 70

Expert Comment

by:Chris Dent
ID: 22600189

Do you permit Dynamic Updates on the zone?

If the Linux server is preferred in TCP/IP configuration, what is there as a backup?

The only thing I can't tell you is how to clean stale records out of your BIND server and secure it to prevent unwanted updates.

Chris
LVL 7

Author Comment

by:kumarnirmal
ID: 22600436
The Linux DNS servers have backup. Multiple DNS servers are provided in the DHCP configuration in order to provide redundancy.
The Windows DNS servers only allow secure updates.
LVL 70

Expert Comment

by:Chris Dent
ID: 22600975

I really need to know how your current environment fits together if I'm to advise you. At the moment all I have is a picture of many separate systems which don't or can't communicate at all.

1. Which zones are hosted on the Linux / BIND DNS Servers?
 - Are the zones Primary or Secondary?
 - Are Conditional Forwarders configured?
 - If this is Primary, and a zone for AD; Are Dynamic Updates allowed?
 - How does the BIND DNS system communicate with the Windows DNS system?

2. Which zones are hosted on the Windows DNS Servers?
 - Are the zones Primary or Secondary?
 - Which systems refer to those DNS servers?
 - If the server hosts Primary zones (as is implied above); What uses the zone?
 - How does the Windows DNS system communicate with the BIND DNS system?

At the moment I'm extremely inclined to say you should be running pure MS DNS for your AD Domain.

With a small amount of configuration you could have a Windows DNS system up and running on your existing Domain Controllers. Once configured it would take nothing to maintain and issues with dynamic registration would vanish.

It would also potentially add a greater degree of fault tolerance, you have 8 servers there, each can host a Primary copy of the zone by utilising AD Integration.

BIND is a great server, but it will have difficulty competing in this one area, if only because it cannot take advantage of the areas MS does. If you were hosting public zones, or static zones I'd be more than happy with the choice.

Chris
LVL 7

Author Comment

by:kumarnirmal
ID: 22602121
None of the a.com or b.com zones are hosted on the Linux DNS servers.
The Windows domain controllers of a.com and b.com are Active Directory Integrated DNS servers which have secure updates enabled.

Only Service Locator records are configured on the Linux DNS servers in order to point them to the Windows domain controllers.
Conditional forwarders are not configured.

Could you please guide me in configuring conditional forwarding on the Linux DNS servers?
LVL 70

Accepted Solution

by:
Chris Dent earned 500 total points
ID: 22603549

> Could you please guide me in configuring Conditional Forwarding in Linux DNS Servers ?

Open /etc/named.conf, then conditional forwarders are defined as follows:

zone "a.com" {
        type forward;
        forwarders { Address-List; };
};

Simply add in the address list, pointing to the servers hosting the zone.

Chris
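As an added example (not part of Chris Dent's answer above), the script below generates the forward-zone stanzas for both AD domains and includes a check a practitioner would run afterwards. The domain controller addresses are assumptions (RFC 5737 documentation ranges), as is the include file name. Two points it adds to the one-line stanza above: `forward only;`, so that when the DCs are unreachable BIND fails the lookup instead of falling back to normal recursion and sending queries for the private AD name out to the public roots (leaking internal hostnames and possibly caching a bogus NXDOMAIN); and the SOA check, which matters because a Windows client performing a dynamic update first queries the SOA of its domain and then sends the (secure, GSS-TSIG) update to the server named in the SOA's MNAME field. With the zone forwarded rather than hosted, that MNAME is a Windows DC, so BIND never has to accept an update itself and can keep `allow-update { none; };` on any zones it does host.

```shell
#!/bin/sh
# Added example, not from the thread. Generates BIND 9 "type forward"
# stanzas for the AD domains and offers a post-change check with dig.
set -eu

# Assumed addresses of the Windows DCs / DNS servers (RFC 5737 space).
A_COM_DCS="192.0.2.11 192.0.2.12"
B_COM_DCS="198.51.100.21 198.51.100.22 198.51.100.23"
# Assumed location of the fragment to be included from named.conf.
FRAGMENT="${FRAGMENT:-/etc/named/ad-forward.conf}"

# Print one conditional-forwarder stanza: zone name, then DC addresses.
# "forward only" keeps BIND from recursing to the public roots for a
# private AD name when every forwarder is down.
forward_zone() {
    zone=$1; shift
    list=""
    for ip in "$@"; do list="$list $ip;"; done
    printf 'zone "%s" {\n    type forward;\n    forward only;\n    forwarders {%s };\n};\n' \
        "$zone" "$list"
}

# Both AD domains; $A_COM_DCS / $B_COM_DCS are unquoted on purpose so the
# shell splits them into one argument per address.
build_fragment() {
    forward_zone a.com $A_COM_DCS
    forward_zone b.com $B_COM_DCS
}

# Live check to run from a workstation against the BIND resolver:
#  1. the SOA MNAME of the domain must come back (it will name a DC, which
#     is where Windows clients send their dynamic updates);
#  2. the domain-controller LDAP SRV record must resolve via the forwarder.
# Returns non-zero if either answer is empty. Requires dig.
check_forwarding() {
    resolver=$1; zone=$2
    mname=$(dig +short @"$resolver" "$zone" SOA | awk '{print $1}')
    srv=$(dig +short @"$resolver" "_ldap._tcp.dc._msdcs.$zone" SRV)
    [ -n "$mname" ] && [ -n "$srv" ] || return 1
    echo "SOA MNAME for $zone: $mname"
    echo "LDAP SRV for $zone:  $srv"
}

# Print the fragment; validate it with named-checkconf when that is installed.
build_fragment
if command -v named-checkconf >/dev/null 2>&1; then
    tmp=$(mktemp)
    build_fragment > "$tmp"
    named-checkconf "$tmp" && echo "syntax ok: include \"$FRAGMENT\"; from named.conf"
    rm -f "$tmp"
fi
```

After adding `include "/etc/named/ad-forward.conf";` to named.conf and reloading (`rndc reload`), run `check_forwarding <bind-server-ip> a.com` from a client; if the SRV lookup succeeds but the MNAME is empty, the DCs are answering but the SOA is not reaching the client, and dynamic registration will still fail.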
LVL 7

Author Comment

by:kumarnirmal
ID: 22606588
This worked like a charm. Thank you for the quick response.