HOWTO: MS Active Directory with BIND on Linux
I ran into a situation where I needed to support Active Directory DNS queries with BIND running on Linux. The particular issue was that workstations on one LAN couldn't access their shares or even authenticate on a Domain Controller on another LAN. After several responses of "sure you can do that and it's easy" but nobody wanting to hand me the step-by-step solution I finally found the answer. Thought I would post it here for the next guy that needs it.
What I needed was SRV records to tell the workstations where the Domain Controller was on the other LAN. If you have your BIND DNS already set up, all you need to add are 4 SRV entries to the same file your A records are in. Obviously you need an A record entry for the DC as well. All punctuation is required and CAPS in my example signify that it is LAN dependent, e.g., you should know how to fill this in!!! In this example DCHOSTNAME.DOMAIN.COM is your Domain Controller's fully qualified domain name.
Code:
_ldap._tcp.DOMAIN.COM.               SRV 0 0 389 DCHOSTNAME.DOMAIN.COM.
_kerberos._tcp.DOMAIN.COM.           SRV 0 0 88  DCHOSTNAME.DOMAIN.COM.
_ldap._tcp.dc._msdcs.DOMAIN.COM.     SRV 0 0 389 DCHOSTNAME.DOMAIN.COM.
_kerberos._tcp.dc._msdcs.DOMAIN.COM. SRV 0 0 88  DCHOSTNAME.DOMAIN.COM.
That's it! Now your Domain Controllers can be found via your DNS servers running on Linux. Look up a little tutorial on DNS SRV records if you need to know what this all means.
Thanks. If nobody beats me to it, I'll consider typing a little something up.
Done
So how long does it take to have the Linux Answers article posted anyway? I'm hoping I didn't put a significant amount of time on this for nothing.
We need to proof them first... Just to be sure... Thanks :)
Ok, it's been over a week now. Peter_robb, can I safely assume that my 2 hours of composition time on this LA was a waste? Not knowing the status of a submission or even knowing what was wrong with it is downright silly. That "policy" needs to be changed.
Quote:
I had done the same on my DNS server but I am getting the error "no SRV record found _ldap._tcp.dc._msdcs.mydomain.com, no DNS record found for this DC registered". Here is my /etc/named.conf zone:
Code:
zone "mydomain.com" {
    type master;
    file "mydomain.zone";
    allow-query { any; };
};
My zone file is as follows:
Code:
$TTL 84600
mydomain.com.   IN SOA one.mydomain.com. root.mydomain.com. (
                20070219 ; serial
                3H       ; refresh interval
                15M      ; retry interval
                1W       ; zone expires in
                1D )     ; minimum TTL
                NS one.mydomain.com.
$ORIGIN mydomain.com.
                A 10.10.10.1    ; gw
mydomain        A 10.10.10.2    ; Bind DNS
win-2k3srv01    A 10.10.10.3    ; AD Server
_msdcs          NS win-2k3srv01
                A 10.10.10.4
_sites          NS win-2k3srv01
                A 10.10.10.4
_tcp            NS win-2k3srv01
                A 10.10.10.4
_udp            NS win-2k3srv01
                A 10.10.10.4
DomainDnsZones  NS win-2k3srv01
                A 10.10.10.4
ForestDnsZones  NS win-2k3srv01
                A 10.10.10.4
I am getting the following error:
Code:
The error was: "DNS name does not exist." (error code 0x0000232B RCODE_NAME_ERROR)
The query was for the SRV record for _ldap._tcp.dc._msdcs.mydomain.com
Common causes of this error include the following:
- The DNS SRV record is not registered in DNS.
- One or more of the following zones do not include delegation to its child zone:
mydomain.com
. (the root zone)
Any urgent help would be appreciated.
There are multiple issues...
First there is probably the underscore problem. Add this to your zone:
Code:
zone "example.com" {
Before and after adding this line, try checking if your DNS resolves your hosts.
Code:
dig @ns.example.com something
The second problem is that you are using "NS" records where "SRV" records should be. The guide tells us to use in our zone file:
Code:
_ldap._tcp.DOMAIN.COM. SRV 0 0 389 DCHOSTNAME.DOMAIN.COM.
Code:
_msdcs NS win-2k3srv01
An example zone file, that I took from our BIND DNS.
Code:
$ORIGIN DOMAIN.COM
1. things about zone, admin mail, and who is the NS (nameserver).
2. one A record for the NS
3. one A record for the DCHOSTNAME <- this is your win-2k3srv01
4. _ldap and _kerberos entries pointing to services on your domain controller
Hope it will be helpful, and I hope that I didn't write too much :-)
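The two posts above describe the same failure from both sides: the first post lists the four SRV records a Windows client queries to find a DC, and the quoted zone file puts NS delegations where those SRV records should be, so the client gets NXDOMAIN. The following checker is an added example, not code from the thread or from BIND: it parses a BIND master file with a minimal parser, verifies the four records from the first post (name, port, target) and, when one is missing, reports whether an NS record at an ancestor name is the cause. The RECOMMENDED_SRV names are additional locator records a Windows DC registers for itself (general AD knowledge, not taken from the thread) and are reported as warnings only; the two zone texts, hostnames and addresses are constructed for the demonstration.

```python
"""Check a BIND zone file for the SRV records an AD client uses to find a DC.
Added example, not code from the thread. REQUIRED_SRV = the four records from
the first post; RECOMMENDED_SRV = further names a Windows DC registers itself
(general AD knowledge, not from the thread). Zone text below is constructed."""
from collections import defaultdict

REQUIRED_SRV = {"_ldap._tcp": 389, "_kerberos._tcp": 88,
                "_ldap._tcp.dc._msdcs": 389, "_kerberos._tcp.dc._msdcs": 88}
RECOMMENDED_SRV = {"_kerberos._udp": 88, "_kpasswd._tcp": 464, "_kpasswd._udp": 464,
                   "_gc._tcp": 3268, "_ldap._tcp.pdc._msdcs": 389,
                   "_ldap._tcp.gc._msdcs": 3268}
RRTYPES = {"SOA", "NS", "A", "AAAA", "CNAME", "PTR", "MX", "TXT", "SRV"}

# Constructed zone carrying the four SRV records from the first post.
GOOD_ZONE = """\
$TTL 86400
$ORIGIN domain.com.
@   IN SOA ns1.domain.com. hostmaster.domain.com. (
        2007021901 ; serial
        3H 15M 1W 1D )
    IN NS ns1.domain.com.
ns1 IN A 10.10.10.2
dc1 IN A 10.10.10.3
_ldap._tcp               IN SRV 0 0 389 dc1.domain.com.
_kerberos._tcp           IN SRV 0 0 88  dc1.domain.com.
_ldap._tcp.dc._msdcs     IN SRV 0 0 389 dc1.domain.com.
_kerberos._tcp.dc._msdcs IN SRV 0 0 88  dc1
"""
# Constructed zone shaped like the quoted post: NS delegations instead of SRV.
BROKEN_ZONE = """\
$ORIGIN mydomain.com.
@   IN SOA one.mydomain.com. root.mydomain.com. ( 20070219 3H 15M 1W 1D )
    IN NS one.mydomain.com.
one          A 10.10.10.2
win-2k3srv01 A 10.10.10.3
_msdcs       NS win-2k3srv01
_tcp         NS win-2k3srv01
"""


def fqdn(name, origin):
    """Qualify a master-file name against the current $ORIGIN."""
    if name == "@":
        return origin
    return name.lower() if name.endswith(".") else f"{name}.{origin}".lower()


def parse_zone(text, default_origin):
    """Minimal master-file parser -> [(owner, type, rdata tokens)].
    Handles $ORIGIN, ';' comments, inherited owners, optional TTL/class and the
    multi-line parenthesised SOA; $TTL is ignored. Owners are lower-cased FQDNs."""
    origin = default_origin.lower().rstrip(".") + "."
    records, last_owner, depth = [], origin, 0
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].rstrip()          # strip comments
        if depth:                                     # inside ( ... ) of the SOA
            depth += line.count("(") - line.count(")")
            continue
        if not line.strip():
            continue
        if line.startswith("$ORIGIN"):
            origin = line.split()[1].lower().rstrip(".") + "."
            continue
        if line.startswith("$"):                      # $TTL etc.
            continue
        depth += line.count("(") - line.count(")")
        tokens = line.split()
        if not raw[0].isspace():                      # explicit owner name
            last_owner = fqdn(tokens.pop(0), origin)
        while tokens and tokens[0].upper() not in RRTYPES:
            tokens.pop(0)                             # skip TTL / class fields
        if not tokens:
            continue
        rtype = tokens.pop(0).upper()
        if rtype in {"NS", "CNAME", "PTR", "SRV"} and tokens:
            tokens[-1] = fqdn(tokens[-1], origin)     # qualify the target name
        records.append((last_owner, rtype, tokens))
    return records


def delegated_ancestor(owner, zone, by_owner):
    """Nearest ancestor of owner (below the apex) holding an NS record, i.e. a
    delegation that makes owner NXDOMAIN in this zone; None if there is none."""
    labels = owner[: -len(zone)].rstrip(".").split(".")
    for i in range(1, len(labels)):
        anc = ".".join(labels[i:]) + "." + zone
        if any(t == "NS" for t, _ in by_owner.get(anc, [])):
            return anc
    return None


def check_ad_srv(records, zone, dc_fqdn):
    """Return (problems, warnings) for one DC's locator records in the zone."""
    zone = zone.lower().rstrip(".") + "."
    dc = dc_fqdn.lower().rstrip(".") + "."
    by_owner = defaultdict(list)
    for owner, rtype, rdata in records:
        by_owner[owner].append((rtype, rdata))
    problems, warnings = [], []
    if not any(t == "A" for t, _ in by_owner.get(dc, [])):
        problems.append(f"no A record for domain controller {dc}")
    for prefix, port in REQUIRED_SRV.items():
        owner = f"{prefix}.{zone}"
        srvs = [r for t, r in by_owner.get(owner, []) if t == "SRV"]
        if not srvs:
            anc = delegated_ancestor(owner, zone, by_owner)
            hint = f" (NS delegation at {anc} makes it NXDOMAIN here)" if anc else ""
            problems.append(f"missing SRV {owner}{hint}")
            continue
        for r in srvs:                                # priority weight port target
            if len(r) != 4 or r[2] != str(port) or r[3] != dc:
                problems.append(f"{owner} should be 'SRV 0 0 {port} {dc}', got {' '.join(r)}")
    for prefix in RECOMMENDED_SRV:
        if not any(t == "SRV" for t, _ in by_owner.get(f"{prefix}.{zone}", [])):
            warnings.append(f"{prefix}.{zone} not present")
    return problems, warnings


if __name__ == "__main__":
    for label, text, zone, dc in (("good", GOOD_ZONE, "domain.com", "dc1.domain.com"),
                                  ("broken", BROKEN_ZONE, "mydomain.com", "win-2k3srv01.mydomain.com")):
        problems, warnings = check_ad_srv(parse_zone(text, zone), zone, dc)
        print(f"{label}: {len(problems)} problem(s), {len(warnings)} warning(s)")
        for p in problems:
            print("  PROBLEM", p)
```

Run against the broken zone, every one of the four required names is reported as missing with the delegating NS owner named (`_tcp.mydomain.com.` or `_msdcs.mydomain.com.`), which is exactly the "does not include delegation to its child zone" condition in the quoted Windows error. The parser deliberately covers only the master-file features seen in this thread; `named-checkzone` remains the authoritative syntax check.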
I need a step-by-step guide to setup BIND on LINUX to serve as my Windows 2003/2008 Active Directory DNS server. Thanks in advance.
Several years late, but in case anyone else finds this thread, here's my setup. This was based on using BIND 9 running on Ubuntu Maverick, supporting a Windows 2008 R2 AD server. I initially used the first post in this thread to set things up, but at least regarding Win 2008, there are some other SRV records missing.
Here's the relevant section of my zone file db.corp.com. The AD server is ad.corp.com:
Code:
$ORIGIN _tcp.dc._msdcs.corp.com.
Code:
ad A 192.168.1.10
Have not been here in years, but this page is no longer maintained and may no longer be accurate.
In my experience it's now HIGHLY recommended to use the MS DNS with AD in a production environment. **EDIT** After reading the above comment completely, the needed changes may be listed. I do know the original post will not work with Server 2008.
Actually Microsoft has made it even easier with Server 2008 R2 and Windows Server 2012.
How I got BIND as primary DNS server for domain (.home) running alongside a Windows AD DS domain running on 2008 R2 (homedomain.home) on the same network:
In BIND on Linux (Ubuntu), in /etc/bind/named.conf.local add:
Code:
zone "homedomain.home" {
    type slave;
    masters { $IPv4_addr_of_DC; };
    notify yes;
    allow-transfer { any; };
    allow-query { any; };
};
zone "_msdcs.homedomain.home" {
    type slave;
    masters { $IPv4_addr_of_DC; };
    notify yes;
    allow-transfer { any; };
    allow-query { any; };
};
Then on your DC load the DNS MMC snap-in: for both Forward Lookup Zones
Code:
_msdcs.homedomain.home
homedomain.home
select Properties and on the Zone Transfers tab select "Only to the following servers". Click Edit and add the IPv4 address of your Linux BIND server. Reload the configuration in BIND.
Your Windows Vista, 7, 8 and Server 2008 R2 and 2012 workstations and servers will now identify the SOA for the Active Directory Directory Services. This works from the installer and from the change computer name dialogs. I found that as soon as I added the _msdcs forward zone the domain was found immediately.
As stated in the thread, _ldap._tcp.dc._msdcs.DOMAIN.COM is the really important SRV pointer for adding a machine to domain bootstrapping, but hardcoding it into a subzone in BIND is a silly idea. By setting up the _msdcs forward zone as a slave you will have full AD functionality being served from your BIND while AD DS maintains the state of your domain in its structure.
Hope this helps someone.
EDIT: From "Pro DNS and BIND" by Zytrax:
---
check-names
check-names (warn|fail|ignore) ;
check-names fail;
The check-names statement will cause any host name for the zone to be checked for compliance with RFC 952 and RFC 1123 and take the defined action. Care should be taken when using this statement because many modern RRs, e.g. SRV, use names which do not meet these standards (they contain underscores) but which are permitted by RFC 2181, which greatly liberalized the rules for names (see labels and names).
The default is not to perform host name checks. check-names may also appear in a view or options clause where it has a different syntax.
---
You may need the check-names ignore directive in your slave definitions, as lots of AD DS style queries use underscores, if you are enforcing RFC 952 style hostnames.
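As an added example that is not code from the thread or from BIND, the following script parses the `zone` stanzas of a named.conf fragment with a small tokenizer and lints the slave zones used for an AD domain: it rejects a stanza whose `masters { ... }` list lacks the terminating semicolon (the kind of syntax error `named-checkconf` would also refuse), flags a slave zone without the `check-names ignore;` the post above recommends, and flags `allow-transfer { any; }`, which lets any host pull a full copy of the AD zone from the BIND slave rather than only the DC that the post configures on the Windows side. The zone names and the address 192.0.2.10 (standing in for the DC) are constructed.

```python
"""Parse and lint the slave-zone stanzas of a named.conf fragment used to
mirror AD DNS zones. Added example; not from the thread or from BIND.
Zone names and 192.0.2.10 (the stand-in DC address) are constructed."""
import re

SAMPLE = """\
zone "homedomain.home" {
    type slave;
    masters { 192.0.2.10; };
    notify yes;
    allow-transfer { any; };        // anyone may AXFR the whole AD zone
    allow-query { any; };
};
zone "_msdcs.homedomain.home" IN {
    type slave;
    masters { 192.0.2.10; };
    check-names ignore;             /* AD names contain underscores */
    allow-transfer { 192.0.2.10; }; // only the DC may pull this zone
    allow-query { any; };
};
"""
# Same shape as the first stanza but the ';' after the master address is missing.
MISSING_SEMICOLON = 'zone "x.home" { type slave; masters { 192.0.2.10 }; };'


def tokenize(text):
    """Strip /* */, // and # comments; return quoted strings, braces, ';' and words."""
    text = re.sub(r"/\*.*?\*/", " ", text, flags=re.S)
    text = re.sub(r"(//|#)[^\n]*", " ", text)
    return re.findall(r'"[^"]*"|[{};]|[^\s{};]+', text)


def parse_zones(text):
    """Return {zone name: {statement: [values]}} for every top-level zone stanza.
    Values inside nested braces ({ any; }) are flattened into the statement's
    list; a missing ';' before '}' raises ValueError."""
    toks = tokenize(text)
    zones, i = {}, 0
    while i < len(toks):
        if toks[i] != "zone":
            i += 1
            continue
        name = toks[i + 1].strip('"').lower()
        i += 2
        if toks[i].upper() == "IN":                  # optional class keyword
            i += 1
        if toks[i] != "{":
            raise ValueError(f"zone {name}: expected '{{'")
        i += 1
        stmts = {}
        while toks[i] != "}":
            key, vals, depth = toks[i], [], 0
            i += 1
            while True:
                if i >= len(toks):
                    raise ValueError(f"zone {name}: unexpected end of input")
                t = toks[i]
                i += 1
                if t == "{":
                    depth += 1
                elif t == "}":
                    if toks[i - 2] not in ("{", ";"):
                        raise ValueError(f"zone {name}, {key}: missing ';' before '}}'")
                    depth -= 1
                elif t == ";":
                    if depth == 0:
                        break                        # end of this statement
                else:
                    vals.append(t)
            stmts[key] = vals
        zones[name] = stmts
        i += 1                                       # closing '}' of the stanza
        if i < len(toks) and toks[i] == ";":
            i += 1
    return zones


def lint_ad_slave_zones(zones):
    """Findings for slave zones: no masters, no check-names ignore, open AXFR."""
    findings = []
    for name, st in zones.items():
        if st.get("type") != ["slave"]:
            continue
        if not st.get("masters"):
            findings.append(f"{name}: slave zone without masters")
        if st.get("check-names") != ["ignore"]:
            findings.append(f"{name}: no 'check-names ignore;' for AD's underscore names")
        if "any" in st.get("allow-transfer", []):
            findings.append(f"{name}: allow-transfer {{ any; }} exposes the whole AD zone to AXFR")
    return findings


def is_rejected(text):
    """True when parse_zones refuses the fragment as syntactically broken."""
    try:
        parse_zones(text)
        return False
    except ValueError:
        return True


if __name__ == "__main__":
    for f in lint_ad_slave_zones(parse_zones(SAMPLE)):
        print("FINDING", f)
    print("missing-semicolon fragment rejected:", is_rejected(MISSING_SEMICOLON))
```

On the sample, only the first stanza produces findings (no `check-names ignore;` and the open `allow-transfer`); the `_msdcs` stanza, which restricts transfers to the DC, passes. A full copy of an AD zone lists every DC, service and host, so keeping `allow-transfer` to the DC and any other secondaries is the defensive default for the BIND slave.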