Linux - Networking
This forum is for any issue related to networks or networking. Routing, network cards, OSI, etc. Anything is fair game.
I ran into a situation where I needed to support Active Directory DNS queries with BIND running on Linux. The particular issue was that workstations on one LAN couldn't access their shares or even authenticate on a Domain Controller on another LAN. After several responses of "sure you can do that and it's easy" but nobody wanting to hand me the step-by-step solution, I finally found the answer. Thought I would post it here for the next guy that needs it.
What I needed was SRV records to tell the workstations where the Domain Controller was on the other LAN. If you have your BIND DNS already set up, all you need to add are 4 SRV entries to the same file your A records are in. Obviously you need an A record entry for the DC as well. All punctuation is required, and CAPS in my example signify that it is LAN dependent, e.g. you should know how to fill this in!!! In this example DCHOSTNAME.DOMAIN.COM is your Domain Controller's fully qualified domain name.
That's it! Now your Domain Controllers can be found via your DNS servers running on Linux. Look up a little tutorial on DNS SRV records if you need to know what this all means.
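The SRV entries the post refers to did not survive on this page. The following is an added example, not the original poster's records: a shell function that prints the A record for a domain controller and the SRV records the Windows DC locator queries (LDAP 389, Kerberos 88, kpasswd 464, global catalog 3268, priority 0 / weight 100), in BIND zone-file syntax, then writes a minimal scratch zone and syntax-checks it with named-checkzone when BIND's tools are installed. The domain example.com, the host dc1.example.com and the addresses 192.0.2.x are hypothetical.

```shell
#!/bin/sh
# Added example (not the original poster's records): emit the A record for a
# domain controller plus the SRV records the Windows DC locator queries, in
# BIND zone-file syntax. Domain, host and addresses below are hypothetical.
set -eu

# ad_srv_records DOMAIN DC_FQDN DC_IP
# Owner names are relative to $ORIGIN DOMAIN.; the SRV target is absolute.
# Priority 0 / weight 100 is what a DC's own netlogon registration uses.
ad_srv_records() {
    domain=$1 dc=$2 ip=$3
    dchost=${dc%%.*}                       # short label for the A record
    printf '$ORIGIN %s.\n' "$domain"
    printf '%-32s IN A   %s\n' "$dchost" "$ip"
    # service name / port pairs queried during domain join and logon
    for spec in \
        "_ldap._tcp 389" \
        "_ldap._tcp.dc._msdcs 389" \
        "_ldap._tcp.pdc._msdcs 389" \
        "_ldap._tcp.gc._msdcs 3268" \
        "_gc._tcp 3268" \
        "_kerberos._tcp 88" \
        "_kerberos._udp 88" \
        "_kerberos._tcp.dc._msdcs 88" \
        "_kpasswd._tcp 464" \
        "_kpasswd._udp 464"
    do
        set -- $spec                       # $1 = owner name, $2 = port
        printf '%-32s IN SRV 0 100 %-4s %s.\n' "$1" "$2" "$dc"
    done
}

# write_demo_zone FILE: a minimal master zone for example.com with the records above
write_demo_zone() {
    {
        cat <<'EOF'
$TTL 86400
@       IN SOA ns1.example.com. hostmaster.example.com. (
            2024010101 ; serial
            3H         ; refresh
            15M        ; retry
            1W         ; expire
            1D         ; negative-cache TTL
            )
        IN NS  ns1.example.com.
ns1     IN A   192.0.2.53
EOF
        ad_srv_records example.com dc1.example.com 192.0.2.10
    } > "$1"
}

# check_zone DOMAIN FILE: run BIND's syntax checker when it is installed
check_zone() {
    if command -v named-checkzone >/dev/null 2>&1; then
        named-checkzone "$1" "$2"
    else
        echo "named-checkzone not installed; skipping syntax check" >&2
    fi
}

zone=$(mktemp)
write_demo_zone "$zone"
cat "$zone"
check_zone example.com "$zone"
rm -f "$zone"
```

Site-specific records (the same names under Default-First-Site-Name._sites and Default-First-Site-Name._sites.dc._msdcs) follow the identical pattern if clients are site-aware; the GUID-based _msdcs names need the domain's GUID and are not generated here.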
Ok, it's been over a week now. Peter_robb, can I safely assume that my 2 hours of composition time on this LA was a waste? Not knowing the status of a submission or even knowing what was wrong with it is downright silly. That "policy" needs to be changed.
Hi,
I had done the same on my DNS server but I am getting an error:
no srv record found _ldap._tcp.dc._msdcs.mydomain.com
no DNS record found for this dc registered.
Here is my /etc/named.conf:
zone "mydomain.com" {
type master;
file "mydomain.zone" ;
allow-query {any;};
};
My zone file is as follows:
$TTL 84600
mydomain.com. IN SOA one.mydomain.com. root.mydomain.com. (
20070219 ; serial
3H ; refresh interval
15M ; retry interval
1W ; zone expires in
1D ; minimum TTL
)
NS one.mydomain.com.
$ORIGIN mydomain.com.
A 10.10.10.1 ; gw
mydomain A 10.10.10.2 ; Bind DNS
win-2k3srv01 A 10.10.10.3 ; AD server
_msdcs NS win-2k3srv01
A 10.10.10.4
_sites NS win-2k3srv01
A 10.10.10.4
_tcp NS win-2k3srv01
A 10.10.10.4
_udp NS win-2k3srv01
A 10.10.10.4
DomainDnsZones NS win-2k3srv01
A 10.10.10.4
ForestDnsZones NS win-2k3srv01
A 10.10.10.4
I am getting the following error:
The error was: "DNS name does not exist."
(error code 0x0000232B RCODE_NAME_ERROR)
The query was for the SRV record for _ldap._tcp.dc._msdcs.mydomain.com
Common causes of this error include the following:
- The DNS SRV record is not registered in DNS.
- One or more of the following zones do not include delegation to its child zone:
First there is probably the underscore problem. Add this to your zone:
Code:
zone "example.com" {
type master;
file "/etc/bind/db.example.com";
check-names ignore; // do not reject names that fail the RFC 952 hostname rules
allow-update { 192.168.0.0/24; }; // hosts permitted to send dynamic updates
};
The standard (I think it's in the DNS RFC...) says that no underscore can be in a DNS name. "check-names ignore;" tells DNS to ignore the standard. This is the Microsoft standard :-)
Before and after adding this line, try checking if your DNS resolves your hosts.
Code:
dig @ns.example.com something
"something" is something from your zone file, like www.example.com if you have an A record for www.
The second problem is that you are using "NS" records where "SRV" records should be. The guide tells us to use in our zone file:
So if you break the zone file down, you get:
1. things about zone, admin mail, and who is the NS (nameserver).
2. one A record for the NS
3. one A record for the DCHOSTNAME <- this is your win-2k3srv01
4. _ldap and _kerberos entries pointing to services on your domain controller
Hope it will be helpful, and I hope that I didn't write too much :-)
Several years late, but in case anyone else finds this thread, here's my setup. This was based on using BIND 9 running on Ubuntu Maverick, supporting a Windows 2008 R2 AD server. I initially used the first post in this thread to set things up, but at least regarding Win 2008, there are some other SRV records missing.
Here's the relevant section of my zone file db.corp.com. The AD server is ad.corp.com:
Of course you need an A record for ad.corp.com, and also an A record for the machine's GUID, which is used for RPC lookups:
Code:
ad A 192.168.1.10
<GUID>._msdcs CNAME ad.corp.com.
I don't recall how to pull the GUID, but it can be caught by doing a wireshark capture from the DNS server. Wireshark can also be used to find out which AD lookups can't be resolved.
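The dig check suggested earlier in the thread and the Wireshark approach in the post above both come down to the same question: which of the DC locator SRV names does the BIND server fail to answer? This is an added example, not code from the thread, that scripts that check: it queries each name with dig against a given resolver and reports the ones with no SRV answer, which is exactly what the Windows side logs as "DNS name does not exist". The resolver 192.0.2.53 and domain example.com in the usage line are hypothetical; the parser is separate from the query loop so it can be exercised without network access.

```shell
#!/bin/sh
# Added example (not from the thread): check that a resolver answers the SRV
# queries the Windows DC locator sends. Names and addresses are hypothetical.
set -eu

# dc_locator_names DOMAIN: print the SRV owner names a client asks for
dc_locator_names() {
    for n in _ldap._tcp.dc._msdcs _kerberos._tcp.dc._msdcs _ldap._tcp.pdc._msdcs \
             _ldap._tcp.gc._msdcs _gc._tcp _ldap._tcp _kerberos._tcp \
             _kerberos._udp _kpasswd._tcp _kpasswd._udp
    do
        echo "$n.$1"
    done
}

# parse_srv_answer: read `dig +short SRV` output on stdin, print "port target"
# per answer, and exit 1 when there was no SRV answer at all. NXDOMAIN and a
# name with no SRV data both give empty +short output.
parse_srv_answer() {
    awk 'NF == 4 && $3 ~ /^[0-9]+$/ { print $3, $4; found = 1 }
         END { exit (found ? 0 : 1) }'
}

# check_dc_srv RESOLVER DOMAIN: query every name, list what is missing,
# return 1 if anything is missing (2 if dig is not available)
check_dc_srv() {
    resolver=$1 domain=$2 missing=0
    command -v dig >/dev/null 2>&1 || { echo "dig not found" >&2; return 2; }
    for name in $(dc_locator_names "$domain"); do
        if answer=$(dig +short "@$resolver" SRV "$name" | parse_srv_answer); then
            echo "ok       $name -> $(echo "$answer" | tr '\n' ' ')"
        else
            echo "MISSING  $name"
            missing=1
        fi
    done
    return $missing
}

# Usage: sh check-dc-srv.sh 192.0.2.53 example.com
if [ $# -eq 2 ]; then
    check_dc_srv "$1" "$2"
fi
```

Run it once against the Linux BIND server and once against the DC's own DNS; any name the DC answers but BIND does not is a record the zone file is missing. The exit status is nonzero when something is missing, so it can sit in a monitoring job.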
Actually Microsoft has made it even easier with Server 2008 R2 and Windows Server 2012.
How I got BIND as primary DNS server for the domain (.home) running alongside a Windows AD DS domain on 2008 R2 (homedomain.home) on the same network:
In BIND on Linux (Ubuntu):
In /etc/bind/named.conf.local add:
zone "homedomain.home" {
type slave;
masters { $IPv4_addr_of_DC ;};
notify yes;
allow-transfer {any; };
allow-query {any;};
};
zone "_msdcs.homedomain.home" {
type slave;
masters { $IPv4_addr_of_DC; };
notify yes;
allow-transfer {any; };
allow-query {any;};
};
Then on your DC load the DNS MMC snap-in:
For both Forward Lookup Zones
_msdcs.homedomain.home
homedomain.home
select Properties and on the Zone Transfers tab select "Only to the following servers".
Click Edit and add the IPv4 address of your Linux BIND server.
Reload the configuration in BIND.
Your Windows Vista, 7, 8 and Server 2008 R2 and 2012 workstations and servers will now identify the SOA for the Active Directory Domain Services.
This works from the installer and from the change computer name dialogs.
I found that as soon as I added the _msdcs forward zone the domain was found immediately.
As stated in the thread, _ldap._tcp.dc._msdcs.DOMAIN.COM is the really important SRV pointer for add-machine-to-domain bootstrapping, but hardcoding it into a subzone in BIND is a silly idea.
By setting up the _msdcs forward zone as a slave you will have full AD functionality being served from your BIND while AD DS maintains the state of your domain in its structure.
Hope this helps someone.
EDIT:
From "Pro DNS and Bind" by Zytrax:
---
check-names
The check-names statement will cause any host name for the zone to be checked for compliance with RFC 952 and RFC 1123 and take the defined action. Care should be taken when using this statement because many modern RRs e.g. SRV use names which do not meet these standards (they contain underscore) but which are permitted by RFC 2181 which greatly liberalized the rules for names (see labels and names). The default is not to perform host name checks. check-names may also appear in a view or options clause where it has a different syntax.
---
You may need the check-names ignore directive in your slave definitions, as lots of AD DS style queries use underscores, if you are enforcing RFC 952 style hostnames.
Last edited by MiWLinuxQuestions; 10-27-2012 at 05:18 AM.
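The slave-zone approach above works, but the posted definitions carry allow-transfer { any; } and allow-query { any; }, which let anyone who can reach the BIND server pull a full copy of the AD zone (every host, the DC GUIDs, the SRV layout). The following is an added example, not the poster's configuration: a shell function that prints the same two slave zones with transfers disabled, queries limited to the LAN, notify turned off, and a file statement so the copy survives a restart, and then syntax-checks the result with named-checkconf when it is installed. The DC address 192.0.2.10 and the LAN 192.0.2.0/24 are hypothetical and can be overridden through the DC_IP and LAN environment variables.

```shell
#!/bin/sh
# Added example (not the poster's configuration): the two slave zones from the
# post above with the transfer and query ACLs tightened. Addresses are hypothetical.
set -eu

DC_IP=${DC_IP:-192.0.2.10}     # the domain controller that masters both zones
LAN=${LAN:-192.0.2.0/24}       # clients that may query this BIND server

# ad_slave_zone_conf DOMAIN: print named.conf.local content for DOMAIN and
# its _msdcs subzone. Compared with the post's version:
#   allow-transfer { any; }  ->  { none; }   anyone could AXFR the whole AD zone
#   allow-query    { any; }  ->  { lan; }    only the LAN needs these answers
#   notify yes               ->  notify no   a slave has nothing to notify
#   a file statement is added so the zone survives a named restart
ad_slave_zone_conf() {
    domain=$1
    printf 'acl "lan" { %s; };\n\n' "$LAN"
    for zone in "$domain" "_msdcs.$domain"; do
        cat <<EOF
zone "$zone" {
    type slave;
    masters { $DC_IP; };
    file "/var/cache/bind/db.$zone";
    allow-query { lan; localhost; };
    allow-transfer { none; };
    notify no;
};

EOF
    done
}

# Usage: sh ad-slave-zones.sh homedomain.home >> /etc/bind/named.conf.local
if [ $# -eq 1 ]; then
    conf=$(mktemp)
    ad_slave_zone_conf "$1" > "$conf"
    cat "$conf"
    # syntax-check the fragment with BIND's own tool when it is installed
    if command -v named-checkconf >/dev/null 2>&1; then
        named-checkconf "$conf"
    fi
    rm -f "$conf"
fi
```

The matching step on the DC side is the one the post already describes: on the Zone Transfers tab of both zones, allow transfers only to the BIND server's address, so the AD zone is copied to exactly one place and served from there.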