Paula Wong


Migrating from FreeBSD to Microsoft DNS

I have to manually migrate our DNS servers from FreeBSD to Microsoft DNS.  We tried to run zone transfers from the Microsoft DNS servers to FreeBSD but had no luck, so the next best option is to manually create all the entries.  Just curious if anyone has any suggestions on what we need to do to successfully migrate all those entries over.  What all are those records that we need to copy over to the Microsoft Active Directory servers (A records, NS records)?  Should the reverse zone files and records be created automatically on the new servers when clients start joining and accessing the networks?

thanks!
giltjr

Which way are you migrating?

First sentence says from FreeBSD to Microsoft:

     "I have to manually migrate our DNS servers from the FreeBSD to Microsoft DNS"

Second sentence says from Microsoft to FreeBSD:

     "We tried the run zone transfers from the Microsoft DNS servers to FreeBSD"

What version of Windows Server are you running?
You need to initiate transfers from windows.
The easiest is to designate the Microsoft DNS server as NS in the FreeBSD-hosted zone; then it allows zone transfers automatically (or an allow-transfer access list does the same).
If that fails, DNSCMD can import zone files directly and you just switch clients to the Microsoft DNS servers.
If you run DNS on AD controllers, it has already created records there for the AD controllers.
SOLUTION
arnold

Another question - will you keep FreeBSD servers as forwarders after?
Paula Wong (ASKER)

Yes, that is correct. We are migrating from FreeBSD to Microsoft DNS and will be getting rid of FreeBSD. How do we best create and import the static entries that are in FreeBSD's zones?  I don't think the PowerShell script will work on FreeBSD, and remember, we tried to run zone transfers to Microsoft DNS and that failed, so we have to go with the manual method.
Can you find the FreeBSD named.conf and copy all zone files written down in there to a place where you can run PowerShell scripts?

Windows DNS is derived from BIND v4, which means it may not understand $ macros in zone files, but at least it will tell you which line it does not understand.
SOLUTION
SOLUTION
OK, here is the named.conf with some contents changed for security reasons, but the format should be similar...

So we're thinking of moving all external records (which aren't much) to their ISP to host those records (looks like they may be already) and just migrate any internal zones needed:

server# vi named.conf
/*
 * BIND config for Primary Internal DNS Server
 */

#+ACL Lists

acl "nnxxoad" {
    10.16.2.6;
    10.16.2.4; };

acl "nnxxosjo" {
    10.16.0.0/24;
    10.19.0.0/25; };

acl "nnxxooak" {
   10.1622.0/24; };

acl "nnxxosfo" {
   10.16.5.0/24; };

acl "nnxxosac" {
   10.16.3.0/24; };

acl "bogus" {
    0.0.0.0/8;
    1.0.0.0/8;
    2.0.0.0/8;
    169.254.0.0/16;
    224.0.0.0/3;
    240.0.0.0/4; };

acl "allowableintdns" {
    127/8;
    12.68.1.0/24;
    12.68.2.0/24;
    10.16.0.0/16;
    12.7.0.0/16;
    10.5.1.0/24;
    10.6.1.0/24;
};

acl "secondary-dns" {
    12.6.2.1; };

acl "third-dns" {
    10.1.3.50; };
#-ACL Lists

options {
directory       "/etc/namedb";
pid-file        "/var/run/named.pid";
statistics-file "/var/run/named.stats";
version         "DNS Server";
random-device   "/dev/random";
auth-nxdomain   yes;
listen-on       { 12.6.2.0; 127.0.0.1; };
listen-on-v6    { none; };
blackhole       { bogus; }; };

logging {
channel default_syslog { file "/var/run/named.log"; severity info; };
category lame-servers { null; };
};

# +RNDC Info
key "rndc-key" {
        algorithm hmac-md5;
        secret "ZRetDlY7dTt28O8pFRtUncNkFmF+RNgBtGmUUk2tf9w=";
};

controls {inet 127.0.0.1  port 953 allow {localhost;} keys {rndc-key;} ; };
# -RNDC Info

# +TSIG Keys
key signed_comms. {
        algorithm hmac-md5;
        secret "BiqJEl4mKvkBtQ4RHLxv3g==";
};

server 12.8.2.1 {
        transfer-format many-answers;
        keys { signed_comms.; }; };

server 10.16.3.5 {
        transfer-format many-answers;
        keys { signed_comms.; }; };
# -TSIG Keys

view "inside" {
        match-clients { "allowableintdns"; };
        allow-recursion { "allowableintdns"; };

zone "." in {
        type hint;
        file "root.hints.db";
};

zone "0.0.127.in-addr.arpa" {
        type           master;
        notify         no;
        file           "pz/127.0.0.db";
        allow-query    { any; };
        allow-update   { none; };
};

zone "2.8.92.in-addr.arpa." {
        type           master;
        notify         yes;
        file           "12.18.2-in.addr.db";
        allow-transfer { secondary-dns; third-dns; };
};

zone "20.6.12.in-addr.arpa." {
        type           master;
        notify         yes;
        file           "10.16.20-in.addr.db";
        allow-transfer { secondary-dns; third-dns; };
        allow-update   { nnxxosjo; };
};

zone "20.7.12.in-addr.arpa." {
        type           master;
        notify         yes;
        file           "12.1.20-in.addr.db";
        allow-transfer { secondary-dns; third-dns; };
};

zone "20.1.172.in-addr.arpa." {
        type           master;
        notify         yes;
        file           "172.18.20-in.addr.db";
        allow-transfer { secondary-dns; third-dns; };
};

zone "20.1.12.in-addr.arpa." {
        type           master;
        notify         yes;
        file           "10.1.20-in.addr.db";
        allow-transfer { secondary-dns; third-dns; };
};

zone "2.1.72.in-addr.arpa." {
        type           master;
        notify         yes;
        file           "10.6.22-in.addr.db";
        allow-transfer { secondary-dns; third-dns; };
        allow-update   { nnxxooak; nnxxoad; };
};

zone "2.1.12.in-addr.arpa." {
        type           master;
        notify         yes;
        file           "10.1.23-in.addr.db";
        allow-transfer { secondary-dns; third-dns; };
        allow-update   { nnxxosac; nnxxoad; };
};

zone "23.7.2.in-addr.arpa." {
        type           master;
        notify         yes;
        file           "72.7.23-in.addr.db";
        allow-transfer { secondary-dns; third-dns; };
};

zone "23.8.2.in-addr.arpa." {
        type           master;
        notify         yes;
        file           "2.8.3-in.addr.db";
        allow-transfer { secondary-dns; third-dns; };
};

zone "23.1.2.in-addr.arpa." {
        type           master;
        notify         yes;
        file           "0.9.23-in.addr.db";
        allow-transfer { secondary-dns; third-dns; };
};

zone "25.1.2.in-addr.arpa." {
        type           master;
        notify         yes;
        file           "10.1.4-in.addr.db";
        allow-transfer { secondary-dns; third-dns; };
        allow-update   { nnxxosfo; nnxxoad; };
};

# Master entries
zone "nnxxopods.com." {
        type           master;
        notify         yes;
        file           "nnxxopods.db";
        allow-transfer { secondary-dns; third-dns; };
};

zone "nnxxopods.net." {
        type           master;
        notify         yes;
        file           "ad/nnxxopods.net.db";
        check-names    ignore;
        allow-transfer { secondary-dns; third-dns; };
        allow-update   { nnxxoad; };
};

zone "so.nnxxopods.net." {
        type           master;
        notify         yes;
        file           "ad/sjo.nnxxopods.net.db";
        check-names    ignore;
        allow-transfer { secondary-dns; third-dns; };
        allow-update   { nnxxosjo; };
};

zone "ok.nnxxopods.net." {
        type           master;
        notify         yes;
        file           "ad/oak.nnxxopods.net.db";
        check-names    ignore;
        allow-transfer { secondary-dns; third-dns; };
        allow-update   { nnxxooak; };
};

zone "so.nnxxopods.net." {
        type           master;
        notify         yes;
        file           "ad/sfo.nnxxopods.net.db";
        check-names    ignore;
        allow-transfer { secondary-dns; third-dns; };
        allow-update   { nnxxosfo; };
};

zone "sc.nnxxopods.net." {
        type           master;
        notify         yes;
        file           "ad/sac.nnxxopods.net.db";
        check-names    ignore;
        allow-transfer { secondary-dns; third-dns; };
        allow-update   { nnxxosac; };
};

zone "_msdcs.nnxxopods.net." {
        type           master;
        notify         yes;
        file           "ad/_msdcs.nnxxopods.net.db";
        check-names    ignore;
        allow-transfer { secondary-dns; third-dns; };
        allow-update   { nnxxoad; };
};

zone "_sites.nnxxopods.net." {
        type           master;
        notify         yes;
        file           "ad/_sites.nnxxopods.net.db";
        check-names    ignore;
        allow-transfer { secondary-dns; third-dns; };
        allow-update   { nnxxoad; };
};

zone "_tcp.nnxxopods.net." {
        type           master;
        notify         yes;
        file           "ad/_tcp.nnxxopods.net.db";
        check-names    ignore;
        allow-transfer { secondary-dns; third-dns; };
        allow-update   { nnxxoad; };
};

zone "_udp.nnxxopods.net." {
        type           master;
        notify         yes;
        file           "ad/_udp.nnxxopods.net.db";
        check-names    ignore;
        allow-transfer { secondary-dns; third-dns; };
        allow-update   { nnxxoad; };
};

zone "nnxxopods.org." {
        type           master;
        notify         yes;
        file           "nnxxopods.db";
        allow-transfer { secondary-dns; third-dns; };
};

# Blocking of IM Services Zones


# ICQ BLOCK

zone "login.icq.com." {
       type           master;
       notify         no;
       file           "BlockIM/defaultblockzone";
       allow-query    { allowableintdns; };
};

zone "cb.icq.com." {
       type           master;
       notify         no;
       file           "BlockIM/defaultblockzone";
       allow-query    { allowableintdns; };
};



# YAHOO! BLOCK

zone "msg.yahoo.com." {
       type           master;
       notify         no;
       file           "BlockIM/msg.yahoo.com";
       allow-query    { allowableintdns; };
};

zone "scs.yahoo.com." {
       type           master;
       notify         no;
       file           "BlockIM/msg.yahoo.com";
       allow-query    { allowableintdns; };
};

zone "scs-fooa.yahoo.com." {
       type           master;
       notify         no;
       file           "BlockIM/msg.yahoo.com";
       allow-query    { allowableintdns; };
};

zone "scs-foob.yahoo.com." {
       type           master;
       notify         no;
       file           "BlockIM/msg.yahoo.com";
       allow-query    { allowableintdns; };
};

zone "scs-fooc.yahoo.com." {
       type           master;
       notify         no;
       file           "BlockIM/msg.yahoo.com";
       allow-query    { allowableintdns; };
};

zone "scs-food.yahoo.com." {
       type           master;
       notify         no;
       file           "BlockIM/msg.yahoo.com";
       allow-query    { allowableintdns; };
};

zone "scs-fooe.yahoo.com." {
       type           master;
       notify         no;
       file           "BlockIM/msg.yahoo.com";
       allow-query    { allowableintdns; };
};

zone "scs-foof.yahoo.com." {
       type           master;
       notify         no;
       file           "BlockIM/msg.yahoo.com";
       allow-query    { allowableintdns; };
};

# BLOCK MSN

zone "messenger.hotmail.com." {
       type           master;
       notify         no;
       file            "BlockIM/defaultblockzone";
       allow-query    { allowableintdns; };
};

# BLOCK AIM

zone "login.oscar.aol.com." {
       type           master;
       notify         no;
       file           "BlockIM/defaultblockzone";
       allow-query    { allowableintdns; };
};

zone "kdc.gkdc.uas.aol.com." {
       type           master;
       notify         no;
       file           "BlockIM/defaultblockzone";
       allow-query    { allowableintdns; };
};

zone "ats.byoa.aol.com." {
       type           master;
       notify         no;
       file           "BlockIM/defaultblockzone";
       allow-query    { allowableintdns; };
};

};

view "outside" {
        match-clients { any; };
        recursion no;
};

---

So let me know which ones are needed and how best to migrate them.  This would only be for the internal zones.

thanks!
You have a mix of ones where you are blacklisting .......

You have a bunch of reverse zones

ls -d in nslookup might not always be available; a simpler option
to generate these files is using the dig command locally on the FreeBSD box

dig @localhost AXFR zonename > file

dnscmd windows_adDC_server /zoneadd zonename /DSPrimary /load zonename.db
 
If you do not want to have the non-AD zones AD-integrated, use /primary and /file ...........



Here is a link to the DNSCMD that giltjr referenced as well in a prior comment
https://technet.microsoft.com/en-us/library/cc756116%28v=ws.10%29.aspx#BKMK_22
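The two commands above assume that the host running dig is allowed to transfer the zone, which in the posted named.conf depends on the per-zone allow-transfer ACLs (a zone clause overrides anything set in options {}). The following is an added example, not code from the thread or from BIND's own tooling: it parses a named.conf in the posted style, resolves the ACL names, skips hint zones and the BlockIM/ policy zones, and prints a `dig AXFR` plus `dnscmd /zoneadd` line for each master zone that the chosen client address may actually pull. The sample configuration, the `example.test` names and the server name `ADDC01` are placeholders.

```python
"""Check which BIND master zones localhost may pull with `dig AXFR` and emit
the dig and dnscmd commands for them. Added example, not code from the
thread: it reads a named.conf shaped like the asker's (named ACLs, an
optional allow-transfer in options {}, per-zone allow-transfer clauses).
"""
import ipaddress
import re

# Constructed sample in the style of the thread's named.conf (not real data).
SAMPLE_CONF = r"""
acl "secondary-dns" { 12.6.2.1; };
acl "allowableintdns" { 127/8; 10.16.0.0/16; };
options { directory "/etc/namedb"; allow-transfer { secondary-dns; }; };
view "inside" {
zone "." in { type hint; file "root.hints.db"; };
zone "example.test." { type master; file "example.db";
        allow-transfer { secondary-dns; allowableintdns; }; };
zone "2.16.10.in-addr.arpa." { type master; file "10.16.2-in.addr.db";
        allow-transfer { secondary-dns; }; };
zone "_msdcs.example.test." { type master; file "ad/_msdcs.example.test.db"; };
zone "login.icq.example." { type master; file "BlockIM/defaultblockzone"; };
};
"""
HEAD_RE = re.compile(r'\b(acl|options|zone)\b\s*(?:"([^"]+)")?[^{;]*\{')
XFER_RE = re.compile(r"allow-transfer\s*\{([^}]*)\}")

def _body(conf, open_brace):
    """Text between the brace at open_brace and its matching close brace."""
    depth = 0
    for i in range(open_brace, len(conf)):
        depth += {"{": 1, "}": -1}.get(conf[i], 0)
        if depth == 0:
            return conf[open_brace + 1:i]
    raise ValueError("unbalanced braces in named.conf")

def _terms(text):
    """Elements of an address-match list body such as ` a; "b"; `."""
    return [t.strip().strip('"') for t in text.split(";") if t.strip()]

def parse_conf(conf):
    """Return (acls, zones, global_allow_transfer) from named.conf text."""
    acls, zones, global_xfer = {}, [], None
    for m in HEAD_RE.finditer(conf):
        kind, name, body = m.group(1), m.group(2), _body(conf, m.end() - 1)
        xfer = XFER_RE.search(body)
        if kind == "acl":
            acls[name] = _terms(body)
        elif kind == "options":
            global_xfer = _terms(xfer.group(1)) if xfer else None
        else:
            ztype = re.search(r"\btype\s+(\w+)", body)
            zfile = re.search(r'\bfile\s+"([^"]+)"', body)
            zones.append({"name": name if name == "." else name.rstrip("."),
                          "type": ztype.group(1) if ztype else "",
                          "file": zfile.group(1) if zfile else "",
                          "allow_transfer": _terms(xfer.group(1)) if xfer else None})
    return acls, zones, global_xfer

def _network(elem):
    """BIND address element (127/8, 10.16.2.6, 10.16.0.0/16) as an ip_network."""
    addr, _, plen = elem.partition("/")
    octets = addr.split(".") + ["0"] * (4 - addr.count(".") - 1)  # 127/8 -> 127.0.0.0/8
    return ipaddress.ip_network(".".join(octets) + (f"/{plen}" if plen else ""), strict=False)

def allowed(client, terms, acls, depth=0):
    """First matching element decides, as in BIND; `!` negates; ACL names expand."""
    ip = ipaddress.ip_address(client)
    for term in terms:
        negated, elem = term.startswith("!"), term.lstrip("!").strip()
        if elem == "any":
            hit = True
        elif elem == "localhost":
            hit = ip.is_loopback
        elif elem in acls and depth < 8:
            hit = allowed(client, acls[elem], acls, depth + 1)
        elif elem in ("none", "localnets"):
            hit = False  # localnets needs interface data; not modelled here
        else:
            hit = ip in _network(elem)
        if hit:
            return not negated
    return False

def migration_plan(conf, client="127.0.0.1", primary="localhost", dc="ADDC01"):
    """Return (commands, skipped); dc is a placeholder DNS server name."""
    acls, zones, global_xfer = parse_conf(conf)
    commands, skipped = [], {}
    for z in zones:
        name, terms = z["name"], z["allow_transfer"]
        if terms is None:  # no zone clause: options {} applies, else BIND's default any
            terms = global_xfer if global_xfer is not None else ["any"]
        if z["type"] != "master":
            skipped[name] = f"type {z['type']}, nothing to export"
        elif z["file"].startswith("BlockIM/"):
            skipped[name] = "IM block zone, local policy rather than data"
        elif not allowed(client, terms, acls):
            skipped[name] = f"allow-transfer {{ {'; '.join(terms)}; }} excludes {client}"
        else:
            commands.append(f"dig @{primary} AXFR {name} > {name}.db")
            # dnscmd form: /zoneadd <zone> /dsprimary /file <file> /load; the file
            # must be copied into %SystemRoot%\System32\dns on the DC beforehand.
            commands.append(f"dnscmd {dc} /zoneadd {name} /dsprimary /file {name}.db /load")
    return commands, skipped
```

On the sample, `migration_plan(SAMPLE_CONF)` yields commands for example.test only; the reverse zone and the _msdcs zone come back in `skipped` with the reason that their effective allow-transfer list does not include 127.0.0.1, which is what dig reports as `; Transfer failed.` on the client side. Passing `client="12.6.2.1"` instead shows the view from the permitted secondary.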
SOLUTION
Ok, I get this:


; <<>> DiG 9.3.2 <<>> @localhost AXFR xxx.com
; (1 server found)
;; global options:  printcmd
; Transfer failed.
~

So at this stage, the BIND servers are the current active DNS servers and we are trying to migrate their contents over to the AD servers. We tried several times via the zone transfer method and that didn't work, even after the allow-transfer section had been updated with the new AD domain.  The capture seems to show no TCP/53 traffic, and I tried disabling the firewall altogether and that didn't work.  Also, now we're trying to manually transfer the zones over.
OK, I tried it again on the other server, where there is an allow-transfer IP permitted, and did a dig against the other server for a zone; that command worked.  Now I just need to manually add allow-transfer for the zones that do not have it.
You can add the allow-transfer within the options section at the top of the named.conf; the zone definitions are more specific.
Usually, as you have defined ACLs, those would be used in the allow-transfer and also-notify locations.

Adding an allow-transfer {localhost;primary_server;}; at the top of your named.conf should allow the local host to query the zones where allow-transfer is not defined.
rndc reconfig after that should fix the localhost access to ........

You can retrieve from the secondary with dig @primary axfr zone > zone.txt
and then use that to load it into the Windows AD.

.....
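Once `dig @primary axfr zone > zone.txt` works, the file still carries dig's comment lines and the closing SOA that every AXFR repeats, and the asker's question about which record types need to be recreated is still open. The following added example (not code from the thread) parses constructed dig output of that shape, writes a plain zone file with absolute owner names and explicit TTLs (so the import never depends on $ORIGIN or $TTL, the directives flagged earlier in the thread as a possible problem for Windows DNS), and sorts the records into those to copy by hand, those the new server supplies itself (SOA, NS) and the underscore SRV records that domain controllers register on their own through Netlogon. The `example.test` names and addresses are placeholders.

```python
"""Turn `dig AXFR` output into a plain zone file and inventory its records.
Added example, not code from the thread. The dig output below is constructed;
the names and addresses are placeholders.
"""
from collections import Counter

SAMPLE_AXFR = """\
; <<>> DiG 9.3.2 <<>> @localhost AXFR example.test
; (1 server found)
;; global options:  printcmd
example.test.\t\t3600\tIN\tSOA\tns1.example.test. hostmaster.example.test. 2014010101 3600 900 604800 86400
example.test.\t\t3600\tIN\tNS\tns1.example.test.
ns1.example.test.\t3600\tIN\tA\t10.16.2.6
www.example.test.\t3600\tIN\tCNAME\tweb01.example.test.
web01.example.test.\t3600\tIN\tA\t10.16.2.40
_ldap._tcp.example.test. 600 IN SRV 0 100 389 dc1.example.test.
dc1.example.test.\t600\tIN\tA\t10.16.2.4
example.test.\t\t3600\tIN\tSOA\tns1.example.test. hostmaster.example.test. 2014010101 3600 900 604800 86400
;; Query time: 1 msec
;; SERVER: 127.0.0.1#53(localhost)
"""

def parse_axfr(text):
    """Return (owner, ttl, rtype, rdata) tuples in transfer order, minus the
    closing SOA that every AXFR repeats to mark the end of the transfer."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue  # dig banner, timing and server lines
        fields = line.split(None, 4)  # owner ttl class type rdata
        if len(fields) < 5 or fields[2] != "IN":
            raise ValueError(f"unexpected line in AXFR output: {line}")
        owner, ttl, _, rtype, rdata = fields
        records.append((owner, int(ttl), rtype, rdata))
    if len(records) > 1 and records[-1][2] == "SOA" and records[-1] == records[0]:
        records.pop()
    return records

def to_zone_file(records):
    """RFC 1035 text with absolute owner names and explicit TTLs, so the file
    needs no $ORIGIN or $TTL directive for the importing server to expand."""
    return "".join(f"{o}\t{ttl}\tIN\t{t}\t{rd}\n" for o, ttl, t, rd in records)

def inventory(records):
    """Count record types and sort records into what must be copied by hand,
    what the new zone's own server supplies (SOA, NS), and SRV records under
    underscore labels, which domain controllers re-register via Netlogon."""
    buckets = {"copy_by_hand": [], "replaced_by_new_server": [], "registered_by_dcs": []}
    for owner, _, rtype, _ in records:
        if rtype in ("SOA", "NS"):
            buckets["replaced_by_new_server"].append(owner)
        elif rtype == "SRV" and owner.startswith("_"):
            buckets["registered_by_dcs"].append(owner)
        else:
            buckets["copy_by_hand"].append(owner)
    return {"counts": dict(Counter(r[2] for r in records)), **buckets}
```

`inventory(parse_axfr(SAMPLE_AXFR))` reports three A records, one CNAME, one SRV and the SOA/NS pair; only the four A/CNAME owners need to be typed into (or imported on) the Windows server, since the new zone gets its own SOA and NS and the DCs recreate `_ldap._tcp` themselves once they are pointed at the new DNS.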
The reason I suggested running nslookup ls -d from Windows is I figured it would create a zone file that would be more compatible with the Windows zone file import.

When you tried to run the zone transfers from the Windows server, was the Windows server allowed to do a zone transfer?
OK, I was able to export a zone to a file and I tried to run dnscmd to load it, and it wouldn't work on Windows 2012.  Couldn't find a compatible version for PowerShell.  Also tried the DNS Manager tool, but when I try to browse to it via the browse command, there is no way to browse to a folder directory.

We tried several times to add the AD servers to the allow-transfer section but it wouldn't work, and we also ran a capture and didn't see any TCP/53 attempts at all from the AD server.   The AD is on a different subnet, so I think there is something that is blocking it. We're going to see if we can manually export each zone to a file and then import it, if we can import the first zone successfully.

Other option is to move that AD server to the same subnet as the FreeBSD temporarily to see if that would work.
Check firewall and VLAN rules to see whether port 53 UDP and TCP are allowed through in each direction....

Can you post what command you are running and what response, if any, you get.....
Please fix your firewalls. It is absolutely impossible that BIND starts a zone transfer without any request from the secondary server.
Please stop wasting your own time and start reading DNSCMD.EXE help text (i.e import raw zone files)
So no, dnscmd.exe doesn't work on Windows 2012 and powershell and you can't import Linux db files into Microsoft.
What error did you get trying to run dnscmd?
ASKER CERTIFIED SOLUTION
Don't be such a fatalist.
Windows 2012 (and R2 and 2000) claims to be able to import and export RFC 1035 zone files using the DNSCMD command line utility.
Install the full DNS server role on the Windows server and tadaa - you have the management console and command line tools...
It is not so hard really.
So we manually migrated our DNS server to the Microsoft DNS server and shut down the BIND server.