HOWTO: MS Active Directory with BIND on Linux
 

I ran into a situation where I needed to support Active Directory DNS queries with BIND running on Linux. The particular issue was that workstations on one lan couldn't access their shares or even authenticate on a Domain Controller on another lan. After several responses of "sure you can do that and it's easy" but nobody wanting to hand me the step-by-step solution I finally found the answer. Thought I would post it here for the next guy that needs it.

What I needed was SRV records to tell the workstations where the Domain Controller was on the other lan. If you have your BIND DNS already setup, all you need to add are 4 SRV entries to the same file your A records are in. Obviously you need an A record entry for the DC as well. All punctuation is required and CAPS in my example signify that it is LAN dependent, eg, you should know how to fill this in!!! In this example DCHOSTNAME.DOMAIN.COM is your Domain Controllers fully qualified domain name.

_ldap._tcp.DOMAIN.COM. SRV 0 0 389 DCHOSTNAME.DOMAIN.COM.
_kerberos._tcp.DOMAIN.COM. SRV 0 0 88 DCHOSTNAME.DOMAIN.COM.
_ldap._tcp.dc._msdcs.DOMAIN.COM. SRV 0 0 389 DCHOSTNAME.DOMAIN.COM.
_kerberos._tcp.dc._msdcs.DOMAIN.COM. SRV 0 0 88 DCHOSTNAME.DOMAIN.COM.

That's it! Now your Domain Controllers can be found via you DNS servers running on Linux. Look up a little tutorial on DNS SRV records if you need to know what this all means.

Nicely Done!

How about writing up a piece for our Linux Answers section.. :)

Thanks. If nobody beats me to it, I'll consider typing a little something up.

Done

So how long does it take to have the Linux Answers article posted anyway? I'm hoping I didn't put a significant amount of time on this for nothing.

We need to proof them first.. Just to be sure.. Thanks :)

Ok, it's been over a week now. Peter_robb can I safely assume that my 2 hours of composition time on this LA was a waste? Not knowing the status of a submission or even knowing what was wrong with it is down right silly. That "policy" needs to be changed.

hi ,

i had done the same on myDNS server but i am getting error

no srv record found _ldap._tcp.dc._msdcs.mydomain.com

no DNS record found for this dc registered.

here is my /etc/named.conf

zone "mydomain.com" {
type master;
file "mydomain.zone" ;
allow-query {any;};
};


my zone file is as follows

$TTL 84600

mydomain.com. IN SOA one.mydomain. com. root.mydomain. com. (

20070219 ; serial
3H ; refresh interval
15M ; retry interval
1W ; zone expires in
1D ; minimum TTL

)

NS one.mydomain. com.


$ORIGIN mydomain.com.

A 10.10.10.1 (gw)

mydomain A 10.10.10.2 ( Bind DNS)

win-2k3srv01 A 10.10.10.3 ( Ad Server )

_msdcs NS win-2k3srv01

A 10.10.10.4

_sites NS win-2k3srv01
A 10.10.10.4

_tcp NS win-2k3srv01
A 10.10.10.4

_udp NS win-2k3srv01
A 10.10.10.4

DomainDnsZones NS win-2k3srv01

A 10.10.10.4

ForestDnsZones NS win-2k3srv01
A 10.10.10.4


i am getting following error

The erro was: "DNS name does not exist."
(error cdoe 0x0000232B RCODE_NAME_ERROR)

The query was for the SRV record for _ldap._tcp.dc_ msdcs.mydomain. com

Common causes of this error include the following:

- The DNS SRV record is not registered in DNS.

- One or more of the following zones do not include delegation to its child
zone:

mydomain.com
. (the root zone)


any urgent help would be appreciate

There are multiple issues...

First there is probably the _underscope problem. Add this to your zone:
The standard (I think it's in the DNS RFC...) says, that no _underscope can be in a DNS name. "check-names ignore;" tells DNS to ignore the standard. This is the Microsoft standard :-)

Before and after adding this line, try checking if your DNS resolves your hosts.
"something" is something from your zone file, like www.example.com if you have a A record for www.

The second problem is, that you are using "NS" records, where "SRV" records should be. The guide tells us to use in our zone file:
You are using:
The SRV record is to tell where services are located. With your record, you are telling that for the zone _msdcs the nameserver is win-2k3srv01.

An example zone file, that I took from our BIND DNS.
So if you break the zone file down, you get:
1. things about zone, admin mail, and who is the NS (nameserver).
2. one A record for the NS
3. one A record for the DCHOSTNAME <- this is your win-2k3srv01
4. _ldap and _kerberos entries pointing to services on your domain controller

Hope it will be helpfull, and I hope that I didn't write too much :-)

HOWTO: MS Active Directory with BIND on Linux
 

I need a step-by-step guide to setup BIND on LINUX to serve as my Windows 2003/2008 Active Directory DNS server. Thanks in advance.

Several years late, but in case anyone else finds this thread, here's my setup. This was based on using BIND 9 running on Ubuntu Maverick, supporting a Windows 2008 R2 AD server. I initially used the first post in this thread to set things up, but at least regarding Win 2008, there are some other SRV records missing.

Here's the relevant section of my zone file db.corp.com. The AD server is ad.corp.com:
Of course you need an A record for ad.corp.com, and also an A record for the machine's GUID, which is used for RPC lookups:
I don't recall how to pull the GUID, but it can be caught by doing a wireshark capture from the DNS server. Wireshark can also be used to find out which AD lookups can't be resolved.

Have not been here is years, but this page is no longer maintained and may no longer be accurate.

In my experience its now HIGHLY recommended to use the MSDNS with AD in a production environment.

**EDIT**
After reading the above comment completely, the needed changes may be listed. I do know the original post will not work with Server 2008.

Actually Microsoft has made it even easier with Server 2008 R2 and Windows Server 2012.

How i got bind as primary DNS server for domain (.home) running alongside Windows ADDS Domain running on 2008 R2 (homedomain.home) running on same network:
in bind on linux (ubuntu):
in /etc/bind/named.conf.local add:

zone "homedomain.home" {
type slave;
masters { $IPv4_addr_of_DC ;};
notify yes;
allow-transfer {any; };
allow-query {any;};
};

zone "_msdcs.homedomain.home" {
type slave;
masters { $IPv4_addr_of_DC };
notify yes;
allow-transfer {any; };
allow-query {any;};
};

then on your DC and load the DNS mmc snap-in:
for both Forward Lookup Zones
_msdcs.homedomain.home
homedomain.home
select Properties and on the Zone Transfer tab select "Only to the following servers".
click edit and add ipv4 address of your linux bind server.

reload configuration in bind
Your Windows Vista, 7, 8 and Server 2008 R2 and 2012 workstations and servers will now identify the SOA for the Active Directory Directory Services.
This works from installer and from change computer name dialogs.
I found that as soon as i added the _msdcs forward zone domain was found immediately.

As stated in the thread, _ldap._tcp.dc._msdcs.DOMAIN.COM is the really important SRV pointer for adding machine to domain bootstrapping, but hardcoding it into a subzone in bind is a silly idea.
by setting up the _msdcs forward zone as a slave you will have full AD functionality being served from your bind while AD DS maintains state of your domain in its structure

hope this helps someone


EDIT:

From "Pro DNS and Bind" by Zytrax:
---
check-names

check-names (warn|fail|ignore) ;
check-names fail;

The check-names statement will cause any host name for the zone to be checked for compliance with RFC 952 and RFC 1123 and take the defined action. Care should be taken when using this statement because many modern RRs e.g. SRV use names which do not meet these standards (they contain underscore) but which are permitted by RFC 2181 which greatly liberalized the rules for names (see labels and names). The default is not to perform host name checks. check-names may also appear in a view or options clause where it has a different syntax.
---

you may need the check-names ignore directive in your slave definitions as lots of AD DS style queries use underscores if you are enforcing RFC 952 style hostnames.