Solved

Windows AD and DHCP with Linux DNS

Posted on 2011-03-07
927 Views
Last Modified: 2012-05-11
I'm reconstructing our company's network/domain and am a little stuck.  Any suggestions or help would be greatly appreciated!  This is our current setup:
2 Linux servers running BIND for internal and external domains
1 Windows server running AD, mainly for our desktops and a couple of Windows servers.  This Windows machine is also running DNS, but this server and the 2 Linux servers don't communicate.  The Windows server does not have all the updates that the Linux servers do.

Therefore, this is what I'm looking for: I'd like to have 1 Windows server running AD and DHCP without DNS, and have 2 Linux servers running BIND. I want my Windows server to use the Linux servers for DNS.  I don't want the zone files where the servers live to be dynamically updated.  But I do want DHCP to update the zone file.

Since I was unsuccessful with not running DNS on the Windows server, I was thinking the following: running DNS on Windows with company.com for my forest and AD.company.com as a subdomain for the desktops (can I run two domains on the same AD?).  That way AD and DHCP live happily with the Windows DNS running on it as well.  I could then set up that Windows server to be the master of ad.company.com so it can do dynamic updates happily all day long, and forward all other requests to the two Linux servers.  Will this all work? Was there a way to do it as I initially thought of?  Will there be an issue with this setup?

Thank you in advance for ANY suggestions.

Question by:Arche_J
12 Comments
 
LVL 3

Expert Comment

by:dtrance
ID: 35058220
Windows DNS is a requirement for AD, so it's not possible to run without it.  However, you can forward queries that cannot be answered by AD to your BIND servers.

Queries for hosts in your AD domain should be answered by the AD server, everything else - forward to bind.
 
LVL 19

Expert Comment

by:Miguel Angel Perez Muñoz
ID: 35058369
Look at this: http://support.microsoft.com/kb/255913/en-us

I think the better solution is to use the Windows DNS service.
 
LVL 18

Expert Comment

by:Jeremy Weisinger
ID: 35059677
As was pointed out in the post above, DNS is a requirement for AD but you don't need to use Windows' DNS server.

How many computers do you have internally? If you already have Active Directory configured then changing the domain name would not be easy. If you want to set up a new AD installation then you can make the AD namespace a subdomain of company.com. You can then delegate ad.company.com on the BIND servers to the Windows server.
 
LVL 3

Expert Comment

by:dtrance
ID: 35060921
Your whole scenario is a bit confusing, and I think you are making it out to be more complicated than it needs to be.  What reason do you have to create the child domain in your forest?  If it's just to isolate your BIND servers, then it is for the wrong reason.

If this is the case, create one AD domain.  Clients belonging to the AD domain will auto-update DNS records via DHCP.  All local lookups will be resolved by AD DNS; all others it will forward to your BIND servers.  It's simply configured in the forwarder section of the Windows DNS configuration.
 
LVL 18

Expert Comment

by:Jeremy Weisinger
ID: 35060972
@dtrance If both DNS servers think they are authoritative for the same domain then there will be trouble. Also, I wasn't proposing a child domain. You can create the root of the forest using any DNS name you want. If the OP uses ad.domain.com as the namespace for the forest root then DNS delegation can be set up correctly and the BIND and Windows DNS servers can co-exist without issue.
 
LVL 3

Expert Comment

by:dtrance
ID: 35061315
I forgot that some organizations use real domains in their AD setup as opposed to something.local.
Therefore I didn't think about the conflicting authoritative NS issues.  The OP did mention he uses internal/external domains so I assume that wouldn't be an issue.
 
LVL 18

Expert Comment

by:Jeremy Weisinger
ID: 35061515
No worries. Just wanted to make myself clear. Sometime (often) I read too fast and miss things.  :)
 

Author Comment

by:Arche_J
ID: 35061643
Apologies for the confusion.  I am looking to keep our servers (not just the Linux DNS or the Windows DNS, but multiple servers) in a static zone.  I do not want the dynamic updates to be in the same zone.  Therefore I was thinking that if I kept all my servers in the company.com zone, making the Linux DNSes authoritative (master and slave of course), then I could manually change the records as needed.  Then I can create a new domain AD.company.com, and have Windows AD and DHCP running, with DNS authoritative for only AD.company.com. This would allow DHCP and AD to interact freely with the DNS zone ad.company.com.  I could then forward all other requests to the Linux DNS servers for the other zones. My question here was: will this work correctly, or are there any issues/flags that anyone can see?

My original thought was having Windows AD and DHCP work with BIND, rather than having 3 total DNS servers on my network.  However, in all the posts online and books I've read, I can't find an answer to get it working correctly.  It somewhat worked, but my outside connection doesn't work, and the 'Best Practice Analyzer' in Windows 2008 R2 gives me lots of errors when scanning the AD and DHCP roles.  One of them was telling me I hadn't created a forward lookup zone for the domain, when I had it set up in the BIND server already. That's when I gave up on the Windows AD, DHCP, and Linux DNS mix.

Thanks for all the comments everyone!
 
LVL 18

Expert Comment

by:Jeremy Weisinger
ID: 35061935
I'm still unclear whether this is a new AD setup or not.

All domain computers, including servers, should be in the same DNS domain, unless you have a large environment where you could separate the servers into another domain. But even if you had a large domain I wouldn't recommend separating things unless there's a compelling reason.

Which brings me to the question I have: why don't you want clients to dynamically update their records in the same zone as the servers? What benefit are you looking for, or what are you trying to avoid?
 

Author Comment

by:Arche_J
ID: 35062752
New AD setup.

I think the issue was in the beginning when I was trying to keep the Linux DNS as authoritative for the domain. I was trying to avoid having an unmanageable zone file.  We manually enter the information for the servers.  The zone file that Windows was sending to Linux was unreadable/unorganized.  I'm not sure if I can manually add to a zone file if it's set up to be dynamic as well?
 
LVL 18

Accepted Solution

by: Jeremy Weisinger (earned 500 total points)
ID: 35062836
If it's a new AD setup then just put all AD domain computers in a subdomain called ad.company.com. When you set up AD, specify ad.company.com for the DNS namespace (aka FQDN). Then in BIND you'll want to delegate the ad.company.com domain to the Windows DNS server, and on the Windows DNS server you'll want to use the BIND servers as forwarders. This link looks like it should give you instructions on how to do this: http://www.zytrax.com/books/dns/ch9/delegate.html
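As an added example (not from the thread or the linked page), this is what the delegation described in the accepted answer looks like in the hand-maintained company.com zone on the BIND masters. All hostnames and addresses are made up; the only records the Windows side ever touches live in the delegated ad.company.com zone, which the DC hosts itself.

```bind
; company.com zone file on the BIND master (constructed example)
; This zone stays static: BIND's default allow-update { none; }; applies,
; so nothing here changes unless an admin edits the file and bumps the serial.
$TTL 3600
$ORIGIN company.com.
@            IN  SOA   ns1.company.com. hostmaster.company.com. (
                       2011030701 ; serial (YYYYMMDDnn, increment on every edit)
                       3600       ; refresh
                       900        ; retry
                       1209600    ; expire
                       300 )      ; negative-cache TTL
             IN  NS    ns1.company.com.
             IN  NS    ns2.company.com.
ns1          IN  A     192.0.2.10      ; Linux BIND master
ns2          IN  A     192.0.2.11      ; Linux BIND slave
fileserver   IN  A     192.0.2.20      ; static server records, edited by hand
mail         IN  A     192.0.2.21

; Delegation: hand the whole ad.company.com subtree to the Windows DC's DNS.
; The DC, not BIND, is authoritative for everything under ad.company.com,
; so DHCP/AD dynamic updates never touch this file.
ad           IN  NS    dc1.ad.company.com.
; Glue record: the NS name sits inside the delegated zone, so resolvers
; could not find its address without this A record in the parent.
dc1.ad       IN  A     192.0.2.5
```

On the DC, set the Windows DNS forwarders to 192.0.2.10 and 192.0.2.11 and leave the ad.company.com zone on "Secure only" dynamic updates, so only authenticated domain members can register or change records. From a Linux box, `dig @192.0.2.10 dc1.ad.company.com` should return a referral with the NS and glue shown above rather than NXDOMAIN, which confirms the delegation is in place.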
 

Author Closing Comment

by:Arche_J
ID: 35063328
Great! Thanks!
