HOWTO: MS Active Directory with BIND on Linux

ghight · 11-02-2005, 04:27 PM

I ran into a situation where I needed to support Active Directory DNS queries with BIND running on Linux. The particular issue was that workstations on one lan couldn't access their shares or even authenticate on a Domain Controller on another lan. After several responses of "sure you can do that and it's easy" but nobody wanting to hand me the step-by-step solution I finally found the answer. Thought I would post it here for the next guy that needs it.

What I needed was SRV records to tell the workstations where the Domain Controller was on the other lan. If you have your BIND DNS already setup, all you need to add are 4 SRV entries to the same file your A records are in. Obviously you need an A record entry for the DC as well. All punctuation is required and CAPS in my example signify that it is LAN dependent, eg, you should know how to fill this in!!! In this example DCHOSTNAME.DOMAIN.COM is your Domain Controllers fully qualified domain name.

_ldap._tcp.DOMAIN.COM. SRV 0 0 389 DCHOSTNAME.DOMAIN.COM.
_kerberos._tcp.DOMAIN.COM. SRV 0 0 88 DCHOSTNAME.DOMAIN.COM.
_ldap._tcp.dc._msdcs.DOMAIN.COM. SRV 0 0 389 DCHOSTNAME.DOMAIN.COM.
_kerberos._tcp.dc._msdcs.DOMAIN.COM. SRV 0 0 88 DCHOSTNAME.DOMAIN.COM.

That's it! Now your Domain Controllers can be found via you DNS servers running on Linux. Look up a little tutorial on DNS SRV records if you need to know what this all means.

peter_robb · 11-02-2005, 04:53 PM

Nicely Done!

How about writing up a piece for our Linux Answers section..

ghight · 11-02-2005, 09:53 PM

Thanks. If nobody beats me to it, I'll consider typing a little something up.

ghight · 11-03-2005, 11:43 AM

ghight · 11-06-2005, 09:43 AM

So how long does it take to have the Linux Answers article posted anyway? I'm hoping I didn't put a significant amount of time on this for nothing.

peter_robb · 11-06-2005, 11:34 AM

We need to proof them first.. Just to be sure.. Thanks

ghight · 11-11-2005, 12:17 PM

Ok, it's been over a week now. Peter_robb can I safely assume that my 2 hours of composition time on this LA was a waste? Not knowing the status of a submission or even knowing what was wrong with it is down right silly. That "policy" needs to be changed.

shamshadalam · 07-30-2008, 01:25 PM

Quote:

Originally Posted by ghight

Ok, it's been over a week now. Peter_robb can I safely assume that my 2 hours of composition time on this LA was a waste? Not knowing the status of a submission or even knowing what was wrong with it is down right silly. That "policy" needs to be changed.

hi ,

i had done the same on myDNS server but i am getting error

no srv record found _ldap._tcp.dc._msdcs.mydomain.com

no DNS record found for this dc registered.

here is my /etc/named.conf

zone "mydomain.com" {
type master;
file "mydomain.zone" ;
allow-query {any;};
};

my zone file is as follows

$TTL 84600

mydomain.com. IN SOA one.mydomain. com. root.mydomain. com. (

20070219 ; serial
3H ; refresh interval
15M ; retry interval
1W ; zone expires in
1D ; minimum TTL

)

NS one.mydomain. com.

$ORIGIN mydomain.com.

A 10.10.10.1 (gw)

mydomain A 10.10.10.2 ( Bind DNS)

win-2k3srv01 A 10.10.10.3 ( Ad Server )

_msdcs NS win-2k3srv01

A 10.10.10.4

_sites NS win-2k3srv01
A 10.10.10.4

_tcp NS win-2k3srv01
A 10.10.10.4

_udp NS win-2k3srv01
A 10.10.10.4

DomainDnsZones NS win-2k3srv01

A 10.10.10.4

ForestDnsZones NS win-2k3srv01
A 10.10.10.4

i am getting following error

The erro was: "DNS name does not exist."
(error cdoe 0x0000232B RCODE_NAME_ERROR)

The query was for the SRV record for _ldap._tcp.dc_ msdcs.mydomain. com

Common causes of this error include the following:

- The DNS SRV record is not registered in DNS.

- One or more of the following zones do not include delegation to its child
zone:

mydomain.com
. (the root zone)

any urgent help would be appreciate

San-Raal · 08-06-2008, 04:16 AM

There are multiple issues...

First there is probably the _underscope problem. Add this to your zone:

Code:

        zone "example.com" {
                type master;
                file "/etc/bind/db.example.com";
                check-names ignore;
                allow-update { 192.168.0.0/24; };
        };

The standard (I think it's in the DNS RFC...) says, that no _underscope can be in a DNS name. "check-names ignore;" tells DNS to ignore the standard. This is the Microsoft standard :-)

Before and after adding this line, try checking if your DNS resolves your hosts.

Code:

dig @ns.example.com something

"something" is something from your zone file, like www.example.com if you have a A record for www.

The second problem is, that you are using "NS" records, where "SRV" records should be. The guide tells us to use in our zone file:

Code:

_ldap._tcp.DOMAIN.COM. SRV 0 0 389 DCHOSTNAME.DOMAIN.COM.

You are using:

Code:

_msdcs NS win-2k3srv01

The SRV record is to tell where services are located. With your record, you are telling that for the zone _msdcs the nameserver is win-2k3srv01.

An example zone file, that I took from our BIND DNS.

Code:

$ORIGIN DOMAIN.COM
$TTL 3600       ; 1 hour
DOMAIN.COM                  IN SOA  ns.DOMAIN.COM. admin.DOMAIN.COM. (
                                2008080428 ; serial
                                86400      ; refresh (1 day)
                                21600      ; retry (6 hours)
                                3600000    ; expire (5 weeks 6 days 16 hours)
                                3600       ; minimum (1 hour)
                                )
                        NS      ns.DOMAIN.COM.
ns                      A       192.168.0.1
DCHOSTNAME              A       192.168.0.10
_ldap._tcp.DOMAIN.COM. SRV 0 0 389 DCHOSTNAME.DOMAIN.COM.
_kerberos._tcp.DOMAIN.COM. SRV 0 0 88 DCHOSTNAME.DOMAIN.COM.
_ldap._tcp.dc._msdcs.DOMAIN.COM. SRV 0 0 389 DCHOSTNAME.DOMAIN.COM.
_kerberos._tcp.dc._msdcs.DOMAIN.COM. SRV 0 0 88 DCHOSTNAME.DOMAIN.COM.

So if you break the zone file down, you get:
1. things about zone, admin mail, and who is the NS (nameserver).
2. one A record for the NS
3. one A record for the DCHOSTNAME <- this is your win-2k3srv01
4. _ldap and _kerberos entries pointing to services on your domain controller

Hope it will be helpfull, and I hope that I didn't write too much :-)

iyewo · 01-27-2010, 09:49 AM

I need a step-by-step guide to setup BIND on LINUX to serve as my Windows 2003/2008 Active Directory DNS server. Thanks in advance.

jaymzter · 03-21-2012, 08:31 PM

Several years late, but in case anyone else finds this thread, here's my setup. This was based on using BIND 9 running on Ubuntu Maverick, supporting a Windows 2008 R2 AD server. I initially used the first post in this thread to set things up, but at least regarding Win 2008, there are some other SRV records missing.

Here's the relevant section of my zone file db.corp.com. The AD server is ad.corp.com:

Code:

$ORIGIN _tcp.dc._msdcs.corp.com.
_kerberos               SRV     0 0 88 AD.CORP.COM.
_ldap                   SRV     0 0 389 AD.CORP.COM.

$ORIGIN _tcp.corp.com.
_kerberos               SRV     0 0 88 AD.CORP.COM.
_ldap                   SRV     0 0 389 AD.CORP.COM.
_kpasswd                SRV     0 0 464 AD.CORP.COM.
_gc                     SRV     0 0 3268 AD.CORP.COM.

$ORIGIN _udp.corp.com.
_kerberos               SRV     0 0 88 AD.CORP.COM.
_kpasswd                SRV     0 0 464 AD.CORP.COM.

$ORIGIN _tcp.Default-First-Site-Name._sites.corp.com.
_kerberos               SRV     0 0 88 AD.CORP.COM.
_ldap                   SRV     0 0 389 AD.CORP.COM.
_gc                     SRV     0 0 3268 AD.CORP.COM.

$ORIGIN _tcp.Default-First-Site-Name._sites.dc._msdcs.corp.com.
_kerberos               SRV     0 0 88 AD.CORP.COM.
_ldap                   SRV     0 0 389 AD.CORP.COM.

$ORIGIN _tcp.Default-First-Site-Name._sites.ad.corp.com.
_ldap                   SRV     0 0 389 AD.CORP.COM.
_gc                     SRV     0 0 3268 AD.CORP.COM.

$ORIGIN _tcp.corp.com.
_ldap                   SRV     0 0 389 AD.CORP.COM.
_gc                     SRV     0 0 3268 AD.CORP.COM.

_ldap._tcp.pdc._msdcs   SRV     0 0 389 AD.CORP.COM.
_ldap._tcp.<GUID>.domains._msdcs  SRV     0 0 389 AD.CORP.COM.
_ldap._tcp.Default-First-Site-Name._sites.gc._msdcs     SRV     0 0 3268 AD.CORP.COM.
_ldap._tcp.gc._msdcs    SRV     0 0 3268 AD.CORP.COM.
_ldap._tcp.Default-First-Site-Name._sites.ad.corp.com      SRV     0 0 389 AD.CORP.COM.
_ldap._tcp.ad.corp.com     SRV     0 0 389 AD.CORP.COM.

Of course you need an A record for ad.corp.com, and also an A record for the machine's GUID, which is used for RPC lookups:

Code:

ad                A       192.168.1.10
<GUID>._msdcs     CNAME ad.corp.com.

I don't recall how to pull the GUID, but it can be caught by doing a wireshark capture from the DNS server. Wireshark can also be used to find out which AD lookups can't be resolved.

ghight · 03-21-2012, 09:13 PM

Have not been here is years, but this page is no longer maintained and may no longer be accurate.

In my experience its now HIGHLY recommended to use the MSDNS with AD in a production environment.

**EDIT**
After reading the above comment completely, the needed changes may be listed. I do know the original post will not work with Server 2008.