Migrating from FreeBSD to Microsoft DNS

LateNaite
I have to manually migrate our DNS servers from the FreeBSD to Microsoft DNS. We tried the run zone transfers from the Microsoft DNS servers to FreeBSD but had no luck, so the next best option is to manually create all the entries. Just curious if anyone has any suggestions on what we need to do to successfully migrate all those entries over. What are all the records that we need to copy over to the Microsoft Active Directory servers (A records, NS records)? Should the reverse zone files and records be created automatically on the new servers when clients start joining and accessing the networks?

thanks!
Top Expert 2014

Commented:
Which way are you migrating?

First sentence says from FreeBSD to Microsoft:

     "I have to manually migrate our DNS servers from the FreeBSD to Microsoft DNS"

Second sentence says from Microsoft to FreeBSD:

     "We tried the run zone transfers from the Microsoft DNS servers to FreeBSD"

What version of Windows Server are you running?
Top Expert 2015

Commented:
You need to initiate transfers from Windows.
Easiest is to designate the Microsoft DNS server as NS in the FreeBSD-hosted zone; then it allows zone transfers automatically (or the allow-transfer access list does the same).
If that fails, DNSCMD can import zone files directly, and you just switch clients to the Microsoft DNS servers.
If you run DNS on AD controllers, it has already created records there for the AD controllers.
Distinguished Expert 2017
Commented:
Giltjr had .....
It seems after reading, rereading, the direction is to Windows.
Here is a script reference from NS technet gallery of scripts.

https://gallery.technet.microsoft.com/scriptcenter/Update-DNS-records-with-da10910d
Top Expert 2015

Commented:
Another question - will you keep FreeBSD servers as forwarders after?
LateNaiteCEO and Founder

Author

Commented:
Yes, that is correct. We are migrating from FreeBSD to Microsoft DNS and will be getting rid of FreeBSD. How do we best create and import the static entries that are in FreeBSD's zone? I don't think the PowerShell script will work on FreeBSD, and remember, we tried to run zone transfers to Microsoft DNS and that failed, so we have to go with the manual method.
Top Expert 2015

Commented:
Can you find the FreeBSD named.conf and copy all zone files listed in there to a place where you can run PowerShell scripts?

Windows DNS is derived from BIND v4, which means it may not understand $ macros in zone files, but at least it will tell you which line it does not understand.
Distinguished Expert 2017
Commented:
The PowerShell can be used after you export the name, type and IP from the current set.
The example is not what to run on one to complete the other.

In your case, if the domain hosted on FreeBSD is the same as your AD, a secondary AD-integrated zone is not a viable option.

Since you want to retire the fr ends, the secondary-to-primary transition might not be as seamless ...

Get the data from the zone on FreeBSD, and use the PowerShell example to parse it and add it into your AD DNS.

How familiar are you with Perl? It can be used on both as a script to format/transfer .....
Top Expert 2014
Commented:
How many zones are you talking about?

You may want to try running nslookup on the Windows box and then issuing the command:

    ls -d a.com > file1.txt

Where a.com is the domain name. Repeat this for each domain using a different output file. This should produce a zone file that is compatible with the Windows DNSCMD.
LateNaiteCEO and Founder

Author

Commented:
OK, here is the named.conf with some contents changed for security reasons, but the format should be similar...

So we're thinking of moving all external records (which aren't many) to their ISP to host those records (looks like they may be already) and just migrate any internal zones needed:

server# vi named.conf
/*
 * BIND config for Primary Internal DNS Server
 */

#+ACL Lists

acl "nnxxoad" {
    10.16.2.6;
    10.16.2.4; };

acl "nnxxosjo" {
    10.16.0.0/24;
    10.19.0.0/25; };

acl "nnxxooak" {
   10.1622.0/24; };

acl "nnxxosfo" {
   10.16.5.0/24; };

acl "nnxxosac" {
   10.16.3.0/24; };

acl "bogus" {
    0.0.0.0/8;
    1.0.0.0/8;
    2.0.0.0/8;
    169.254.0.0/16;
    224.0.0.0/3;
    240.0.0.0/4; };

acl "allowableintdns" {
    127/8;
    12.68.1.0/24;
    12.68.2.0/24;
    10.16.0.0/16;
    12.7.0.0/16;
    10.5.1.0/24;
    10.6.1.0/24;
};

acl "secondary-dns" {
    12.6.2.1; };

acl "third-dns" {
    10.1.3.50; };
#-ACL Lists

options {
directory       "/etc/namedb";
pid-file        "/var/run/named.pid";
statistics-file "/var/run/named.stats";
version         "DNS Server";
random-device   "/dev/random";
auth-nxdomain   yes;
listen-on       { 12.6.2.0; 127.0.0.1; };
listen-on-v6    { none; };
blackhole       { bogus; }; };

logging {
channel default_syslog { file "/var/run/named.log"; severity info; };
category lame-servers { null; };
};

# +RNDC Info
key "rndc-key" {
        algorithm hmac-md5;
        secret "ZRetDlY7dTt28O8pFRtUncNkFmF+RNgBtGmUUk2tf9w=";
};

controls {inet 127.0.0.1  port 953 allow {localhost;} keys {rndc-key;} ; };
# -RNDC Info

# +TSIG Keys
key signed_comms. {
        algorithm hmac-md5;
        secret "BiqJEl4mKvkBtQ4RHLxv3g==";
};

server 12.8.2.1 {
        transfer-format many-answers;
        keys { signed_comms.; }; };

server 10.16.3.5 {
        transfer-format many-answers;
        keys { signed_comms.; }; };
# -TSIG Keys

view "inside" {
        match-clients { "allowableintdns"; };
        allow-recursion { "allowableintdns"; };

zone "." in {
        type hint;
        file "root.hints.db";
};

zone "0.0.127.in-addr.arpa" {
        type           master;
        notify         no;
        file           "pz/127.0.0.db";
        allow-query    { any; };
        allow-update   { none; };
};

zone "2.8.92.in-addr.arpa." {
        type           master;
        notify         yes;
        file           "12.18.2-in.addr.db";
        allow-transfer { secondary-dns; third-dns; };
};

zone "20.6.12.in-addr.arpa." {
        type           master;
        notify         yes;
        file           "10.16.20-in.addr.db";
        allow-transfer { secondary-dns; third-dns; };
        allow-update   { nnxxosjo; };
};

zone "20.7.12.in-addr.arpa." {
        type           master;
        notify         yes;
        file           "12.1.20-in.addr.db";
        allow-transfer { secondary-dns; third-dns; };
};

zone "20.1.172.in-addr.arpa." {
        type           master;
        notify         yes;
        file           "172.18.20-in.addr.db";
        allow-transfer { secondary-dns; third-dns; };
};

zone "20.1.12.in-addr.arpa." {
        type           master;
        notify         yes;
        file           "10.1.20-in.addr.db";
        allow-transfer { secondary-dns; third-dns; };
};

zone "2.1.72.in-addr.arpa." {
        type           master;
        notify         yes;
        file           "10.6.22-in.addr.db";
        allow-transfer { secondary-dns; third-dns; };
        allow-update   { nnxxooak; nnxxoad; };
};

zone "2.1.12.in-addr.arpa." {
        type           master;
        notify         yes;
        file           "10.1.23-in.addr.db";
        allow-transfer { secondary-dns; third-dns; };
        allow-update   { nnxxosac; nnxxoad; };
};

zone "23.7.2.in-addr.arpa." {
        type           master;
        notify         yes;
        file           "72.7.23-in.addr.db";
        allow-transfer { secondary-dns; third-dns; };
};

zone "23.8.2.in-addr.arpa." {
        type           master;
        notify         yes;
        file           "2.8.3-in.addr.db";
        allow-transfer { secondary-dns; third-dns; };
};

zone "23.1.2.in-addr.arpa." {
        type           master;
        notify         yes;
        file           "0.9.23-in.addr.db";
        allow-transfer { secondary-dns; third-dns; };
};

zone "25.1.2.in-addr.arpa." {
        type           master;
        notify         yes;
        file           "10.1.4-in.addr.db";
        allow-transfer { secondary-dns; third-dns; };
        allow-update   { nnxxosfo; nnxxoad; };
};

# Master entries
zone "nnxxopods.com." {
        type           master;
        notify         yes;
        file           "nnxxopods.db";
        allow-transfer { secondary-dns; third-dns; };
};

zone "nnxxopods.net." {
        type           master;
        notify         yes;
        file           "ad/nnxxopods.net.db";
        check-names    ignore;
        allow-transfer { secondary-dns; third-dns; };
        allow-update   { nnxxoad; };
};

zone "so.nnxxopods.net." {
        type           master;
        notify         yes;
        file           "ad/sjo.nnxxopods.net.db";
        check-names    ignore;
        allow-transfer { secondary-dns; third-dns; };
        allow-update   { nnxxosjo; };
};

zone "ok.nnxxopods.net." {
        type           master;
        notify         yes;
        file           "ad/oak.nnxxopods.net.db";
        check-names    ignore;
        allow-transfer { secondary-dns; third-dns; };
        allow-update   { nnxxooak; };
};

zone "so.nnxxopods.net." {
        type           master;
        notify         yes;
        file           "ad/sfo.nnxxopods.net.db";
        check-names    ignore;
        allow-transfer { secondary-dns; third-dns; };
        allow-update   { nnxxosfo; };
};

zone "sc.nnxxopods.net." {
        type           master;
        notify         yes;
        file           "ad/sac.nnxxopods.net.db";
        check-names    ignore;
        allow-transfer { secondary-dns; third-dns; };
        allow-update   { nnxxosac; };
};

zone "_msdcs.nnxxopods.net." {
        type           master;
        notify         yes;
        file           "ad/_msdcs.nnxxopods.net.db";
        check-names    ignore;
        allow-transfer { secondary-dns; third-dns; };
        allow-update   { nnxxoad; };
};

zone "_sites.nnxxopods.net." {
        type           master;
        notify         yes;
        file           "ad/_sites.nnxxopods.net.db";
        check-names    ignore;
        allow-transfer { secondary-dns; third-dns; };
        allow-update   { nnxxoad; };
};

zone "_tcp.nnxxopods.net." {
        type           master;
        notify         yes;
        file           "ad/_tcp.nnxxopods.net.db";
        check-names    ignore;
        allow-transfer { secondary-dns; third-dns; };
        allow-update   { nnxxoad; };
};

zone "_udp.nnxxopods.net." {
        type           master;
        notify         yes;
        file           "ad/_udp.nnxxopods.net.db";
        check-names    ignore;
        allow-transfer { secondary-dns; third-dns; };
        allow-update   { nnxxoad; };
};

zone "nnxxopods.org." {
        type           master;
        notify         yes;
        file           "nnxxopods.db";
        allow-transfer { secondary-dns; third-dns; };
};

# Blocking of IM Services Zones


# ICQ BLOCK

zone "login.icq.com." {
       type           master;
       notify         no;
       file           "BlockIM/defaultblockzone";
       allow-query    { allowableintdns; };
};

zone "cb.icq.com." {
       type           master;
       notify         no;
       file           "BlockIM/defaultblockzone";
       allow-query    { allowableintdns; };
};



# YAHOO! BLOCK

zone "msg.yahoo.com." {
       type           master;
       notify         no;
       file           "BlockIM/msg.yahoo.com";
       allow-query    { allowableintdns; };
};

zone "scs.yahoo.com." {
       type           master;
       notify         no;
       file           "BlockIM/msg.yahoo.com";
       allow-query    { allowableintdns; };
};

zone "scs-fooa.yahoo.com." {
       type           master;
       notify         no;
       file           "BlockIM/msg.yahoo.com";
       allow-query    { allowableintdns; };
};

zone "scs-foob.yahoo.com." {
       type           master;
       notify         no;
       file           "BlockIM/msg.yahoo.com";
       allow-query    { allowableintdns; };
};

zone "scs-fooc.yahoo.com." {
       type           master;
       notify         no;
       file           "BlockIM/msg.yahoo.com";
       allow-query    { allowableintdns; };
};

zone "scs-food.yahoo.com." {
       type           master;
       notify         no;
       file           "BlockIM/msg.yahoo.com";
       allow-query    { allowableintdns; };
};

zone "scs-fooe.yahoo.com." {
       type           master;
       notify         no;
       file           "BlockIM/msg.yahoo.com";
       allow-query    { allowableintdns; };
};

zone "scs-foof.yahoo.com." {
       type           master;
       notify         no;
       file           "BlockIM/msg.yahoo.com";
       allow-query    { allowableintdns; };
};

# BLOCK MSN

zone "messenger.hotmail.com." {
       type           master;
       notify         no;
       file            "BlockIM/defaultblockzone";
       allow-query    { allowableintdns; };
};

# BLOCK AIM

zone "login.oscar.aol.com." {
       type           master;
       notify         no;
       file           "BlockIM/defaultblockzone";
       allow-query    { allowableintdns; };
};

zone "kdc.gkdc.uas.aol.com." {
       type           master;
       notify         no;
       file           "BlockIM/defaultblockzone";
       allow-query    { allowableintdns; };
};

zone "ats.byoa.aol.com." {
       type           master;
       notify         no;
       file           "BlockIM/defaultblockzone";
       allow-query    { allowableintdns; };
};

};

view "outside" {
        match-clients { any; };
        recursion no;
};

---

So let me know which ones are needed and how best to migrate them? This would only be for the internal zones.

thanks!
Distinguished Expert 2017

Commented:
You have a mix of ones where you are blacklisting .......

You have a bunch of reverse zones

ls -d in nslookup might not always be available; a simpler option to generate these files is using the dig command locally on the FreeBSD box:

dig @localhost AXFR zonename > file

dnscmd windows_adDC_server /zoneadd zonename /DSPrimary /load zonename.db
 
If you do not want the non-AD zones to be AD integrated, use /primary and /file ...........



Here is a link to the DNSCMD reference that giltjr referenced as well in a prior comment:
https://technet.microsoft.com/en-us/library/cc756116%28v=ws.10%29.aspx#BKMK_22
Top Expert 2015
Commented:
Obfuscating does not help at all.
BIND can handle the AD domain as forward-only; forwarders;
What you have there is plain wrong. Are you sure anything works with FreeBSD set as DNS server?
LateNaiteCEO and Founder

Author

Commented:
OK, I get this:


; <<>> DiG 9.3.2 <<>> @localhost AXFR xxx.com
; (1 server found)
;; global options:  printcmd
; Transfer failed.
~

So at this stage, the BIND servers are the current active DNS servers and we are trying to migrate those contents over to the AD servers. We tried several times via the zone transfer method and that didn't work, even after the allow-transfer section had been updated with the new AD domain. The capture seems to show no TCP/53 traffic, and I tried disabling the firewall altogether and that didn't work. So now we're trying to manually transfer the zones over.
LateNaiteCEO and Founder

Author

Commented:
OK, I tried it again on the other server where there is an allow-transfer IP permitted, and did a dig against the other server for a zone; that command worked. Now I just need to manually add allow-transfer for the zones that do not have it.
Distinguished Expert 2017

Commented:
You can add allow-transfer within the options section at the top of named.conf; the zone definitions are more specific.
Usually, as you have defined ACLs, those would be used in the allow-transfer and also-notify locations.

Adding allow-transfer {localhost;primary_server;}; at the top of your named.conf should allow the local host to query the zones where allow-transfer is not defined.
rndc reconfig after that should fix the localhost access to ........

You can retrieve from the secondary with dig @primary axfr zone > zone.txt
and then use that to load it into the Windows AD.

.....
Top Expert 2014

Commented:
The reason I suggested running nslookup ls -d from Windows is I figured it would create a zone file that would be more compatible with the Windows zone file import.

When you tried to run the zone transfers from the Windows server, was the Windows server allowed to do a zone transfer?
LateNaiteCEO and Founder

Author

Commented:
OK, I was able to export a zone to a file, and I tried to run dnscmd to load it, and it wouldn't work on Windows 2012. Couldn't find a compatible version for PowerShell. Also tried the DNS Manager tool, but when I try to browse to it via the browse command, there is no way to browse to a folder directory.

We tried several times to add the AD servers to the allow-transfer section but it wouldn't work, and also ran a capture and didn't see any TCP/53 attempts at all from the AD server. The AD is on a different subnet, so I think there is something that is blocking it. We're going to see if we can manually export each zone to a file and then import it, if we can import the first zone successfully.

The other option is to move that AD server to the same subnet as the FreeBSD server temporarily to see if that would work.
Distinguished Expert 2017

Commented:
Check firewall and VLAN rules to see whether port 53 UDP and TCP are allowed through in each direction....

Can you post what command you are running and what response, if any, you get.....
Top Expert 2015

Commented:
Please fix your firewalls. It is absolutely impossible that BIND starts a zone transfer without any request from the secondary server.
Please stop wasting your own time and start reading the DNSCMD.EXE help text (i.e. import raw zone files).
LateNaiteCEO and Founder

Author

Commented:
So no, dnscmd.exe doesn't work on Windows 2012 and PowerShell, and you can't import Linux db files into Microsoft.
Top Expert 2014

Commented:
What error did you get trying to run dnscmd?
Distinguished Expert 2017
Commented:
Do you need these zones to be AD integrated, or can they be file based?

http://krypted.com/windows-server/managing-dns-in-windows-server-2012/

PowerShell cmdlets.

https://technet.microsoft.com/en-us/library/jj649850%28v=wps.630%29.aspx

There are many ways to achieve the same thing; the data can be converted to match the command(s) that need to be run on the Windows side to create the zone and add the requisite records.

The file format from dig @localhost axfr domain.net. seems to match what Windows DNS file-based zones have....
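Added example (not from this thread, and not Microsoft's or BIND's own code): a Python script that parses the text `dig @localhost AXFR zone` writes and turns each record into the matching Add-DnsServerResourceRecord* PowerShell cmdlet call for the Windows side, which avoids depending on the zone-file import that failed above. The sample AXFR output and every name and address in it are constructed; SOA records are dropped because Windows writes its own SOA when Add-DnsServerPrimaryZone creates the zone.

```python
import re
# One dig AXFR record line: owner TTL IN TYPE RDATA (dig separates the fields with tabs).
RR_LINE = re.compile(r"^(\S+)\s+(\d+)\s+IN\s+([A-Z]+)\s+(.*)$")

SAMPLE_AXFR = """\
; <<>> DiG 9.3.2 <<>> @localhost AXFR nnxxopods.net.
; constructed sample of dig AXFR output for this example, not real zone data
nnxxopods.net.\t3600\tIN\tSOA\tns1.nnxxopods.net. hostmaster.nnxxopods.net. 2017010101 3600 900 604800 86400
nnxxopods.net.\t3600\tIN\tNS\tns1.nnxxopods.net.
nnxxopods.net.\t3600\tIN\tMX\t10 mail.nnxxopods.net.
ns1.nnxxopods.net.\t3600\tIN\tA\t10.16.2.10
www.nnxxopods.net.\t300\tIN\tCNAME\tweb1.nnxxopods.net.
_ldap._tcp.nnxxopods.net.\t600\tIN\tSRV\t0 100 389 dc1.nnxxopods.net.
nnxxopods.net.\t3600\tIN\tSOA\tns1.nnxxopods.net. hostmaster.nnxxopods.net. 2017010101 3600 900 604800 86400
"""

def relative_name(fqdn: str, zone: str) -> str:
    # 'host.zone.' -> 'host'; the zone apex -> '@'; names outside the zone are left as-is
    zone, name = zone.rstrip("."), fqdn.rstrip(".")
    if name == zone:
        return "@"
    if name.endswith("." + zone):
        return name[: -len(zone) - 1]
    return fqdn

def to_powershell(axfr_text: str, zone: str, ad_integrated: bool = True) -> list[str]:
    # Returns the PowerShell commands that recreate the zone and its records on Windows DNS.
    zone = zone.rstrip(".")
    scope = '-ReplicationScope "Domain"' if ad_integrated else f'-ZoneFile "{zone}.dns"'
    cmds = [f'Add-DnsServerPrimaryZone -Name "{zone}" {scope}']
    for line in axfr_text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue                      # dig banner and statistics lines
        m = RR_LINE.match(line)
        if not m:
            raise ValueError(f"unparsed line: {line!r}")
        owner, ttl, rtype, rdata = m.groups()
        if rtype == "SOA":
            continue                      # Windows writes its own SOA when the zone is created
        base = f'-ZoneName "{zone}" -Name "{relative_name(owner, zone)}" -TimeToLive ([TimeSpan]::FromSeconds({ttl}))'
        if rtype == "A":
            cmds.append(f'Add-DnsServerResourceRecordA {base} -IPv4Address "{rdata}"')
        elif rtype == "CNAME":
            cmds.append(f'Add-DnsServerResourceRecordCName {base} -HostNameAlias "{rdata}"')
        elif rtype == "PTR":
            cmds.append(f'Add-DnsServerResourceRecordPtr {base} -PtrDomainName "{rdata}"')
        elif rtype == "NS":
            cmds.append(f'Add-DnsServerResourceRecord -NS {base} -NameServer "{rdata}"')
        elif rtype == "MX":
            pref, mx = rdata.split()
            cmds.append(f'Add-DnsServerResourceRecordMX {base} -Preference {pref} -MailExchange "{mx}"')
        elif rtype == "SRV":
            prio, weight, port, target = rdata.split()
            cmds.append(f'Add-DnsServerResourceRecord -Srv {base} -Priority {prio} '
                        f'-Weight {weight} -Port {port} -DomainName "{target}"')
        else:
            cmds.append(f'# unhandled {rtype} record, add by hand: {owner} {rdata}')
    return cmds

def sample_commands() -> list[str]:
    return to_powershell(SAMPLE_AXFR, "nnxxopods.net.")
```

Run the emitted lines in an elevated PowerShell on the AD DNS server (DNS Server role installed); pass ad_integrated=False to create a file-based zone instead of an AD-integrated one.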
Top Expert 2015

Commented:
Don't be such a fatalist.
Windows 2012 (and R2 and 2000) claims to be able to import and export RFC 1035 zone files using the DNSCMD command line utility.
Install the full DNS server role on the Windows server and tada, you have the management console and command line tools...
It is not so hard really.
LateNaiteCEO and Founder

Author

Commented:
So we manually migrated our DNS server to the Microsoft DNS server and shut down the BIND server.
