Solved

Using Linux DNS Server With Active Directory

Posted on 2008-09-29
11
Medium Priority
756 Views
Last Modified: 2012-05-05
Setup Details :

In our environment there are two domains, namely "a.com" & "b.com", both with a tree root trust relationship established. There are about 8 domain controllers in total (a.com = 2, b.com = 6).

All the domain controllers are DNS servers and active directory is integrated into DNS.

Our primary DNS servers are BIND 9 - Linux DNS servers (ie in our client machines the linux dns server is set as the default DNS server)

Problems :

1. Whenever we try to issue the nslookup command on our client machines we are able to resolve a.com & b.com, but we are not able to resolve the client machines using their NetBIOS names.

2. Whenever a new workstation is added to the domain, the Dynamic DNS entries for the workstation are not being updated regularly in the Windows DC/DNS server (i.e. the workstations are added to the Active Directory Users and Computers container, but the DNS entry is not updated properly; we have more than 2500 computers in the domain but only 1500 DNS entries are available on the DNS servers).




0
Comment
Question by:kumarnirmal
11 Comments
 
LVL 71

Expert Comment

by:Chris Dent
ID: 22598030

> (ie in our client machines the linux dns server is set as the default DNS server) & 2.

How does that handle name resolution for the Windows domain?

> 1. ...

Can they when using the FQDN? e.g. host.domain.com?

If so, it is simply that the client is missing a Search List that contains domain.com.

Chris
0
 
LVL 71

Expert Comment

by:Chris Dent
ID: 22598097

Heading off home, just a few quick notes before I do:

The BIND \ Linux machines must provide name resolution for the AD Domain name.

Are you using DHCP to update DNS? Or do clients do that themselves? Are you using MS DHCP?

If DHCP is updating, it should primarily refer to a server capable of performing those updates. i.e. a Windows server.

If clients are updating, the Linux machine must handle the AD Domain name using Forwarders. Hosting a slave / secondary copy of the zone will generally result in update failure.

Chris

0
 
LVL 7

Author Comment

by:kumarnirmal
ID: 22599996
We are using Linux DNS/DHCP as our primary DNS/DHCP Server.
There are no Windows DHCP Servers in our Network.

Please correct me if I am wrong.
In a Microsoft Active Directory Environment (without Linux DNS Servers), registration of Clients is automatic, i.e. when a client is added to the Domain, the respective host entry is added automatically to the Active Directory Integrated DNS Server,
and a computer account is created and the host is migrated to the Active Directory Users and Computers -> Computers container.

The same process occurs when the Workstation is removed from the Domain too.

In our environment this is not happening.
From a Workstation, if I lookup a.com using nslookup, the Linux DNS Server responds correctly with the IP Address of all Domain Controllers, but if I lookup a Workstation for example, client1.a.com, it says Non-existent Domain.

Is there a URL/Documentation that specifically describes how to Configure Active Directory using BIND ?
0
 
LVL 71

Expert Comment

by:Chris Dent
ID: 22600031

> when a client is added to Domain, respective host entry is added automatically to the Active
> Directory Integrated DNS Server

In your case (not using MS DHCP) the client will send an Update request to the DNS server listed in TCP/IP settings. Whether or not that accepts the update is entirely aside from the account in AD.

> The same process occurs when the Workstation is removed from the Domain too.

Removing a workstation from the domain does not remove the entry in DNS. That is part of the reason Aging and Scavenging exist on MS DNS.

You mention using AD Integrated zones on the Windows servers. For that to be true they must be Primary zones. That means the Linux server either has a Secondary or a Forwarder. Or do you have something different configured?

> Is there a URL/Documentation that specifically describes how to Configure Active Directory using BIND ?

Not that I've seen, but I can tell you how to do it off the top of my head if it comes down to that. We must start with what, exactly, do you have configured on the Linux Server to service the AD domain (is that a.com)?

Chris
0
 
LVL 7

Author Comment

by:kumarnirmal
ID: 22600154
We have configured Service Locator Records for a.com and b.com in the Linux DNS Server as recommended in this Microsoft Article: http://www.microsoft.com/technet/archive/interopmigration/linux/mvc/cfgbind.mspx?mfr=true.

Other than this, nothing else is configured.
0
 
LVL 71

Expert Comment

by:Chris Dent
ID: 22600189

Do you permit Dynamic Updates on the zone?

If the Linux server is preferred in TCP/IP configuration, what is there as a backup?

The only thing I can't tell you is how to clean stale records out of your BIND server and secure it to prevent unwanted updates.

Chris
0
 
LVL 7

Author Comment

by:kumarnirmal
ID: 22600436
The Linux DNS Servers have backup. Multiple DNS Servers are provided in the DHCP configuration in order to provide Redundancy.
The Windows DNS Servers only allow Secure Updates.
0
 
LVL 71

Expert Comment

by:Chris Dent
ID: 22600975

I really need to know how your current environment fits together if I'm to advise you. At the moment all I have is a picture of many separate systems which don't or can't communicate at all.

1. Which zones are hosted on the Linux / BIND DNS Servers?
 - Are the zones Primary or Secondary?
 - Are Conditional Forwarders configured?
 - If this is Primary, and a zone for AD; Are Dynamic Updates allowed?
 - How does the BIND DNS system communicate with the Windows DNS system?

2. Which zones are hosted on the Windows DNS Servers?
 - Are the zones Primary or Secondary?
 - Which systems refer to those DNS servers?
 - If the server hosts Primary zones (as is implied above); What uses the zone?
 - How does the Windows DNS system communicate with the BIND DNS system?

At the moment I'm extremely inclined to say you should be running pure MS DNS for your AD Domain.

With a small amount of configuration you could have a Windows DNS system up and running on your existing Domain Controllers. Once configured it would take nothing to maintain and issues with dynamic registration would vanish.

It would also potentially add a greater degree of fault tolerance; you have 8 servers there, and each can host a Primary copy of the zone by utilising AD Integration.

BIND is a great server, but it will have difficulty competing in this one area, if only because it cannot take advantage of the areas MS does. If you were hosting public zones, or static zones I'd be more than happy with the choice.

Chris
0
 
LVL 7

Author Comment

by:kumarnirmal
ID: 22602121
None of the a.com or b.com zones are hosted in Linux DNS Servers.
The Windows Domain Controllers of a.com and b.com are Active Directory Integrated DNS Servers which have secure updates enabled.

Only Service Locator Records are configured in Linux DNS Servers in order to point them to Windows Domain Controllers.
Conditional Forwarders are not configured.

Could you please guide me in configuring Conditional Forwarding in Linux DNS Servers ?
0
 
LVL 71

Accepted Solution

by:Chris Dent (earned 2000 total points)
ID: 22603549

> Could you please guide me in configuring Conditional Forwarding in Linux DNS Servers ?

Open /etc/named.conf, then conditional forwarders are defined as follows:

zone "a.com" {
        type forward;
        forwarders { Address-List; };
};

Simply add in the address list, pointing to the servers hosting the zone.

Chris
0
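The accepted answer gives the `type forward` stanza; the earlier comment (ID 22598097) explains why it matters: if BIND holds a slave/secondary copy of the AD zone, client dynamic updates fail, whereas a conditional forwarder hands the client's update request on to the Windows DNS servers that accept secure updates. The following is an added example, not code from this thread or from Chris Dent. It renders the forwarder stanzas for both AD zones with `forward only;` (a real BIND zone option that stops BIND from falling back to ordinary recursion when the forwarders are unreachable) and then lints an existing named.conf for the configurations that break AD registration. The DC addresses and the sample named.conf are constructed placeholders, not values from the thread.

```python
"""Added example (not from the original thread): build BIND conditional-forwarder
stanzas for the AD zones and lint a named.conf for zone types that break client
dynamic updates (a slave/secondary copy of an AD zone)."""
import re

# Constructed sample: documentation-range addresses standing in for the DCs.
AD_ZONES = {
    "a.com": ["192.0.2.10", "192.0.2.11"],
    "b.com": ["198.51.100.20", "198.51.100.21"],
}


def forward_zone_stanza(zone, forwarders):
    """Return a named.conf 'type forward' zone statement for `zone`.
    'forward only' makes BIND answer SERVFAIL rather than recursing (and returning
    NXDOMAIN for AD names) when every listed forwarder is down."""
    addr_list = " ".join(f"{a};" for a in forwarders)
    return (
        f'zone "{zone}" {{\n'
        f"        type forward;\n"
        f"        forward only;\n"
        f"        forwarders {{ {addr_list} }};\n"
        f"}};\n"
    )


def render_named_conf_fragment(zones):
    """Concatenate one forward zone per AD domain, ready to paste into named.conf."""
    return "\n".join(forward_zone_stanza(z, f) for z, f in zones.items())


def _strip_comments(text):
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)
    return re.sub(r"(//|#)[^\n]*", "", text)


def iter_zones(text):
    """Yield (zone_name, body) by counting braces, so nested blocks such as
    'forwarders { ... };' inside the zone do not end the match early."""
    text = _strip_comments(text)
    for m in re.finditer(r'zone\s+"([^"]+)"[^{]*\{', text):
        depth, i = 1, m.end()
        while i < len(text) and depth:
            depth += {"{": 1, "}": -1}.get(text[i], 0)
            i += 1
        yield m.group(1).lower(), text[m.end():i - 1]


def lint_named_conf(text, ad_zones):
    """Return a list of (zone, problem) for AD zones hosted in a way that breaks
    dynamic registration or leaves AD names unresolvable."""
    findings, seen = [], set()
    for name, body in iter_zones(text):
        if name not in ad_zones:
            continue
        seen.add(name)
        t = re.search(r"\btype\s+(\w+)\s*;", body)
        ztype = t.group(1).lower() if t else "?"
        if ztype in ("slave", "secondary"):
            findings.append((name, "secondary copy: client dynamic updates will fail; use type forward"))
        elif ztype in ("master", "primary"):
            if "allow-update" not in body and "update-policy" not in body:
                findings.append((name, "primary without allow-update/update-policy: updates are rejected"))
        elif ztype == "forward" and "forward only" not in body:
            findings.append((name, "forward zone without 'forward only': falls back to recursion"))
    for z in ad_zones:
        if z not in seen:
            findings.append((z, "no zone statement: only hand-copied SRV records will resolve"))
    return findings


# Constructed named.conf: a.com held as a slave (the set-up warned against), b.com absent.
SAMPLE_NAMED_CONF = '''
options { directory "/var/named"; };
// a.com copied from the DCs instead of forwarded to them
zone "a.com" IN {
        type slave;
        masters { 192.0.2.10; };
        file "slaves/a.com";
};
zone "example.net" {
        type master;
        file "example.net.zone";
};
'''

if __name__ == "__main__":
    print(render_named_conf_fragment(AD_ZONES))
    for zone, problem in lint_named_conf(SAMPLE_NAMED_CONF, AD_ZONES):
        print(f"{zone}: {problem}")
```

Running the script prints the two forwarder stanzas and flags the sample configuration twice (a.com as a secondary copy, b.com with no zone statement at all); the generated fragment itself lints clean. Reload BIND after editing (for example `rndc reload`) and confirm with `dig @<bind-server> _ldap._tcp.dc._msdcs.a.com SRV` that the SRV answers now come from the domain controllers rather than from hand-maintained records.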
 
LVL 7

Author Comment

by:kumarnirmal
ID: 22606588
This worked like a charm. Thank you for the quick response.
0
