LinuxQuestions.org
Linux - Server This forum is for the discussion of Linux Software used in a server related context.

03-15-2008, 08:38 PM   #1
livestrong23
LQ Newbie
 
Registered: Mar 2008
Posts: 5

Rep: Reputation: 0
Windows 2003 AD with Linux DNS


Hi, this is my first post here.

I am facing an issue which has been bugging me for the last 3 days.
I have 3 computers:
Computer1 - Linux (one.mydomain.com - 192.168.1.111)
Computer2 - Windows 2003 Enterprise (two.mydomain.com - 192.168.1.112)
Computer3 - Vista

I have set up Linux as my DNS and DHCP server. I want to set up Active Directory on the Windows 2K3 machine and promote it to be my domain controller. However, during the dcpromo Active Directory installation, I get a funky error message. I have been trying to troubleshoot that error but without any luck.

The error I get during AD installation on my Windows 2003 is this:
Code:
The SOA query for _ldap._tcp.dc._msdcs.mydomain.com to find the primary DNS server returned:
DNS server failure.
(error code 0x0000232A "RCODE_SERVER_FAILURE")

The /var/named/mydomain.com.zone file has some of the following important contents:
Code:
$TTL 86400
; the RNAME needs a trailing dot, otherwise $ORIGIN is appended to it
@	IN	SOA	mydomain.com. hostmaster.mydomain.com. (
				.......
				)

	IN	NS	mydomain.com.

; NS records below the apex are delegations (zone cuts): names beneath them
; are expected to live in separate child zones, not in this file
_msdcs	IN	NS	one.mydomain.com.
_tcp	IN	NS	one.mydomain.com.
_udp	IN	NS	one.mydomain.com.
_sites	IN	NS	one.mydomain.com.

; AD locator records for the domain controller (two.mydomain.com)
_ldap._tcp.mydomain.com.		IN	SRV	0 0 389	two.mydomain.com.
_kerberos._tcp.mydomain.com.		IN	SRV	0 0 88	two.mydomain.com.
_ldap._tcp.dc._msdcs.mydomain.com.	IN	SRV	0 0 389	two.mydomain.com.
_kerberos._tcp.dc._msdcs.mydomain.com.	IN	SRV	0 0 88	two.mydomain.com.

@	IN	MX	1	mail.mydomain.com.

@	IN	A	192.168.1.111
ns	IN	A	192.168.1.111
mail	IN	A	192.168.1.111
www	IN	A	192.168.1.111
one	IN	A	192.168.1.111
two	IN	A	192.168.1.112
If you want I can post my named.conf file here as well.

I am running out of ideas as to where I might be wrong. If anyone has any experience setting up a Windows 2000/2003 DC/AD with BIND, please let me know. Thanks.
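Added example, not code from the post or from BIND: a small zone-file linter that checks the posted layout for the three things a DNS engineer would look at first. The NS records at _msdcs, _tcp, _udp and _sites are delegations, i.e. zone cuts, so any SRV record under those names in mydomain.com.zone is "below the cut" and is never answered from this zone; and because each delegation points at one.mydomain.com (this same server) while no child zone is configured, a query for _ldap._tcp.dc._msdcs.mydomain.com gets a referral back to itself, which is consistent with the SERVFAIL the Windows side reports. The zone text below is constructed to mirror the post (serial and timers are placeholders where the post shows dots), and parse_zone/lint_zone are hypothetical helpers.

```python
"""Lint a BIND master file for the AD-related mistakes visible in the posted zone.

Added example, not code from the original post or from BIND. POSTED_ZONE mirrors the
first post (SOA serial/timers are made-up placeholders); the helpers are hypothetical.
"""
from collections import namedtuple

RR = namedtuple("RR", "owner ttl cls rtype rdata origin")
CLASSES = {"IN", "CH", "HS"}

POSTED_ZONE = """\
$TTL 86400
@       IN  SOA  mydomain.com. hostmaster.mydomain.com (
                 2008031501 3600 900 604800 86400 )
        IN  NS   mydomain.com.
_msdcs  IN  NS   one.mydomain.com.
_tcp    IN  NS   one.mydomain.com.
_udp    IN  NS   one.mydomain.com.
_sites  IN  NS   one.mydomain.com.
_ldap._tcp.mydomain.com.               SRV 0 0 389 two.mydomain.com.
_kerberos._tcp.mydomain.com.           SRV 0 0 88  two.mydomain.com.
_ldap._tcp.dc._msdcs.mydomain.com.     SRV 0 0 389 two.mydomain.com.
_kerberos._tcp.dc._msdcs.mydomain.com. SRV 0 0 88  two.mydomain.com.
@       IN  MX   1 mail.mydomain.com.
@       IN  A    192.168.1.111
mail    IN  A    192.168.1.111
one     IN  A    192.168.1.111
two     IN  A    192.168.1.112
"""

# Same data with the RNAME made absolute and the four delegations dropped, so every
# AD record is answered straight from mydomain.com (fix option 1).
FIXED_ZONE = "\n".join(
    line for line in POSTED_ZONE.replace("hostmaster.mydomain.com (",
                                         "hostmaster.mydomain.com. (").splitlines()
    if not line.startswith(("_msdcs", "_tcp", "_udp", "_sites"))
) + "\n"


def _fqdn(name, origin):
    """Absolute lowercase form of a zone-file name ('@' and relative names use origin)."""
    name = name.lower()
    if name == "@":
        return origin
    return name if name.endswith(".") else f"{name}.{origin}"


def parse_zone(text, origin):
    """Minimal master-file parser: $TTL/$ORIGIN, ';' comments, '( ... )' continuation
    lines, omitted owners (leading whitespace) and optional TTL/class fields."""
    origin = origin.lower().rstrip(".") + "."
    records, last_owner, buf, depth = [], origin, [], 0
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].rstrip()
        if not line.strip() and depth == 0:
            continue
        buf.append(line)
        depth += line.count("(") - line.count(")")
        if depth > 0:
            continue                      # still inside a parenthesised record
        joined, buf = " ".join(buf), []
        toks = joined.replace("(", " ").replace(")", " ").split()
        if toks[0] == "$TTL":
            continue
        if toks[0] == "$ORIGIN":
            origin = _fqdn(toks[1], origin)
            continue
        owner = last_owner if joined[0] in " \t" else _fqdn(toks.pop(0), origin)
        last_owner, ttl, cls = owner, None, None
        while toks and (toks[0].isdigit() or toks[0].upper() in CLASSES):
            tok = toks.pop(0)
            ttl, cls = (int(tok), cls) if tok.isdigit() else (ttl, tok.upper())
        records.append(RR(owner, ttl, cls, toks[0].upper(), toks[1:], origin))
    return records


def lint_zone(text, origin, self_addrs=(), configured_zones=()):
    """Return (kind, name, message) findings. self_addrs: this BIND server's own
    addresses; configured_zones: other zones that named.conf declares."""
    origin = origin.lower().rstrip(".") + "."
    recs = parse_zone(text, origin)
    configured = {z.lower().rstrip(".") + "." for z in configured_zones}
    addr_of = {r.owner: r.rdata[0] for r in recs if r.rtype == "A"}
    cuts = {r.owner for r in recs if r.rtype == "NS" and r.owner != origin}  # delegations
    findings = []
    for r in recs:
        # 1. A relative SOA RNAME silently becomes hostmaster.<origin>.<origin>.
        if r.rtype == "SOA" and not r.rdata[1].endswith("."):
            findings.append(("soa-rname", r.owner,
                             f"RNAME {r.rdata[1]} is relative; stored as {r.rdata[1]}.{r.origin}"))
        # 2. Data at/below a cut (other than the delegating NS set and glue A/AAAA)
        #    belongs to the child zone and is never answered from this one.
        below = sorted((c for c in cuts if r.owner == c or r.owner.endswith("." + c)), key=len)
        if below and not (r.rtype == "NS" and r.owner in cuts) and r.rtype not in ("A", "AAAA"):
            findings.append(("occluded", r.owner,
                             f"{r.rtype} is below the zone cut at {below[-1]}; move it into that zone"))
        # 3. A delegation back to ourselves needs a matching zone statement, or the
        #    server hands out a referral to itself and the lookup fails.
        if r.rtype == "NS" and r.owner in cuts:
            target = _fqdn(r.rdata[-1], r.origin)
            if addr_of.get(target) in set(self_addrs) and r.owner not in configured:
                findings.append(("self-referral", r.owner,
                                 f"delegated to {target} ({addr_of[target]}) but no zone {r.owner} is configured"))
    return findings


if __name__ == "__main__":
    for kind, name, msg in lint_zone(POSTED_ZONE, "mydomain.com", self_addrs=("192.168.1.111",)):
        print(f"{kind:13} {name:40} {msg}")
    print("fixed zone findings:", lint_zone(FIXED_ZONE, "mydomain.com", self_addrs=("192.168.1.111",)))
```

Run it as is and the posted layout yields one relative-RNAME finding, four occluded SRV records and four self-referring delegations; FIXED_ZONE yields none. The other fix (passing the four child zones in configured_zones, which is what declaring them in named.conf amounts to) clears the self-referral findings but not the occluded ones: with the delegations kept, the _ldap/_kerberos SRV records have to live in the child zone files, not in mydomain.com.zone.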
 
03-17-2008, 06:09 AM   #2
Kenarkies
Member
 
Registered: Nov 2007
Location: South Australia
Distribution: Ubuntu 11.10
Posts: 81

Rep: Reputation: 23
Not much comfort to offer unfortunately, but we tried this some time ago (mid 2006) and eventually came to the conclusion that Windows simply doesn't play along with anything remotely like international standards. They create "cut down versions with extensions" to make it easier for themselves and too bad about everyone else. You'll find their Kerberos is the same. We found that Windows 2003 is quite stable, crashing only about once per week :-) and so we just used the provided DNS in Windows and made Linux provide a backup. It was possible to get Windows to recognise BIND as a secondary DNS and transfers work OK. We also split DHCP and use it to provide dynamic updates.

Do you really need to have Linux provide all DNS and DHCP? The system we use works (although DNS freaks out the users when the primary server is missing).

Let me know if you think we can provide any help - we have a working system.

Ken
 
03-17-2008, 07:41 AM   #3
ledow
Member
 
Registered: Apr 2005
Location: UK
Distribution: Slackware 13.0
Posts: 241

Rep: Reputation: 34
I run a 2003 AD network with a Linux server taking on certain tasks in one of the schools I work in (the Linux part runs the webcache, filter, proxy, filestorage, PXE booting etc.).

After messing about with it for a bit, I quickly decided that it wasn't worth the hassle to try to get Linux to be the DNS server for Windows, in the same way that I wouldn't like Windows to be the DNS server for a Linux network. In the end, I set it up so that DNS and DHCP are provided primarily by the Windows server, although DHCP is easily moved so long as you take account of updating the DNS with the new hostnames etc. That Windows machine handles 90% of the network functions and the non-Windows machines are just manually or DHCP-coded to get their DNS and other settings from the Linux server. Failure of one network doesn't affect the other at all this way.

It's really not worth the hassle trying to integrate them - Windows plays far too much with its DNS when it is a domain controller (and especially if you are using DHCP with the "update DNS" settings switched on) and trying to rip it out and plant it somewhere else just isn't worth the effort when it's built-in to the OS and you're not paying any extra for it.

If you want, you can configure Windows to provide alternate DNS servers for anything that isn't handled by Windows. So if a machine doesn't get a reply from the Windows server, it knows to move onto the next server in the list which could be a Linux server. But trying to get one to serve all is a bit of a nightmare and is going to cause problems further down the road.

Microsoft won't play ball nicely with other software. So don't try to play ball at all. Give them the settings they want and your life becomes much easier. If you're using BIND as your main Windows DNS, you're going to run into all sorts of problems when it tries to update hostnames, do anything fancy etc. - ten times more if we're talking about a Windows domain controller which only expects to talk to Windows. If you're using Windows as your main Linux DNS, it's going to complain, you'll lose a lot of functionality and be running on absolute bare-basics of DNS, you'll have problems when you want to do anything interesting, you might even have Windows stomp over some of your Linux settings unless you're careful.

If you're trying to move a Windows-controlled domain to be all-Linux, you won't be able to do it step-by-step like this, it's all or nothing. I speak as someone who would love for their school to be all-Linux but it's just not possible given the software needed, but if I could safely migrate my systems I would. In the end, it's easier to just run two separate networks entirely and stop them stomping over each other everywhere you can.

I'd set it up so that Windows handles Windows clients, Linux handles Linux clients and you choose one or the other (it doesn't matter which) to kickstart the decision making process with DHCP. This probably means setting Windows up to use itself as its own DNS server, the same for Linux, and then having some glue to let the two DNSes see such changes (such as having Linux feed from an upstream Windows DNS or vice versa, or with transfers as mentioned above). But trying to get Windows to run off BIND? That's just sadistic.
 
03-17-2008, 02:15 PM   #4
TheDirtyScreech
Member
 
Registered: Jul 2007
Distribution: Gentoo, LFS
Posts: 42

Rep: Reputation: 15
Have you tried creating a Start of Authority (SOA) record for "_ldap._tcp.dc._msdcs.mydomain.com" pointing to the Windows domain controller? It seems like that might move you further along.

-MRE-
 
03-18-2008, 06:29 PM   #5
livestrong23
LQ Newbie
 
Registered: Mar 2008
Posts: 5

Original Poster
Rep: Reputation: 0
Thanks for helping me out with this.

I finally managed to get my first domain controller to recognize the DNS server. I did that in the following manner:

I added the following records into my zone file pointing to the DNS server:
_msdcs
_sites
_tcp
_udp

I also created separate zone files for each of the above pointing to my primary DNS.

When the AD wanted to update the records, it got a bunch of permission-denied errors while creating the journal files (.jnl) for the above zones. So I touched and manually created the .jnl files for the AD and changed the ownership to named (chown named *.jnl), along with changing the permissions to 755 on those files.

Then when I restarted the Net Logon service on the AD, it magically works and all the updates take place and it recognizes BIND as the primary DNS server.

However, I am facing another weird situation.

I created another domain controller - a secondary domain controller. The Secondary Domain Controller fails to see the first domain controller completely. Although I have manually added it to the domain, it still can't see the first or primary domain controller. It throws the error:
Code:
The error was: "DNS server failure."
(error code 0x0000232A RCODE_SERVER_FAILURE)
The query was for the SRV record for _ldap._tcp.dc._msdcs.mydomain.com
The thing is, I manually created the SRV record for the above (_ldap._tcp.dc._msdcs.mydomain.com) pointing to my first domain controller, but that doesn't work.

But here is a bigger issue that I am facing right now.

My nslookup doesn't work properly any more. Ever since I updated the AD and made it synchronize and work with BIND, it doesn't resolve names any more. nslookup for an IP address works great, but nslookup for an FQDN doesn't work. I get the following error message:

Code:
;; Got SERVFAIL reply from 192.168.1.111
192.168.1.111 is my BIND DNS server.

I have no idea what to do. At least nslookup was working fine until a few minutes ago when I fixed the AD thing. Any ideas what might be wrong?


Thanks in advance for your ideas.
 
03-19-2008, 12:03 PM   #6
Kenarkies
Member
 
Registered: Nov 2007
Location: South Australia
Distribution: Ubuntu 11.10
Posts: 81

Rep: Reputation: 23
Sounds like a good start. Interesting to see if you can get it to work.

Quote:
Originally Posted by livestrong23
When the AD wanted to update the records, it got a bunch of permission-denied errors while creating the journal files (.jnl) for the above zones. So I touched and manually created the .jnl files for the AD and changed the ownership to named (chown named *.jnl), along with changing the permissions to 755 on those files.

Have you worked out why you are getting these errors? BIND should be running under its own user, and all directories it uses should be writable by that user. It should make no difference where the requests come from. Has BIND been set up correctly for updating and zone transfers?

Quote:
Originally Posted by livestrong23
I created another domain controller - a secondary domain controller. The secondary domain controller fails to see the first domain controller completely. Although I have manually added it to the domain, it still can't see the first or primary domain controller. It throws the error:

SERVFAIL means that the domain does exist but the authoritative name servers are not answering queries for the domain. It all may hinge around problems with BIND. Try working within Linux and use dig or nslookup and other tools to get this going first. You can bump up the logging level to see how BIND is responding to the requests.

Ken
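Added example, not code from the thread or from BIND, covering the two questions Ken raises about post #5: can the account named runs as actually create journal (.jnl) files in the zone directory, and who does named.conf let rewrite the zones. The second matters more than it looks: the records AD clients use to find a domain controller are plain SRV records, so a zone that accepts unauthenticated updates from any address lets any host on the network repoint LDAP and Kerberos at itself. The named.conf text, addresses, key name and zone names below are constructed; the helpers are hypothetical, and the directory check reads only owner and mode bits so it runs without a named account.

```python
"""Dynamic-update readiness checks for a BIND server fed by Windows DCs.

Added example, not code from the original posts or from BIND. SAMPLE_NAMED_CONF is
constructed (the key secret is a placeholder, not a real key); helpers are hypothetical.
"""
import os
import re
import stat
import tempfile

SAMPLE_NAMED_CONF = """
options { directory "/var/named"; };
key "dc-update" { algorithm hmac-sha256; secret "cGxhY2Vob2xkZXI="; };

zone "mydomain.com" IN {
    type master;
    file "mydomain.com.zone";
    allow-update { any; };            // the usual "make netlogon happy" shortcut
};
zone "_msdcs.mydomain.com" IN {
    type master;
    file "_msdcs.mydomain.com.zone";
    allow-update { 192.168.1.112; 192.168.1.113; };
};
zone "_sites.mydomain.com" IN {
    type master;
    file "_sites.mydomain.com.zone";
    allow-update { key dc-update; };
    allow-transfer { any; };
};
zone "_tcp.mydomain.com" IN { type master; file "_tcp.mydomain.com.zone"; };
"""


def zone_blocks(conf):
    """Yield (zone name, body) per zone statement, matching braces so a nested ACL's
    '};' does not end the zone early. // and # comments are stripped first (a '#'
    inside a quoted string would confuse this; acceptable for a lint)."""
    text = re.sub(r"(//|#)[^\n]*", "", conf)
    for m in re.finditer(r'zone\s+"([^"]+)"[^{]*\{', text):
        depth, i = 1, m.end()
        while depth and i < len(text):
            depth += {"{": 1, "}": -1}.get(text[i], 0)
            i += 1
        yield m.group(1).lower(), text[m.end():i - 1]


def _acl(body, option):
    """Elements of '<option> { a; b; }' in a zone body, or None if absent."""
    m = re.search(option + r"\s*\{([^}]*)\}", body)
    return None if m is None else [t.strip() for t in m.group(1).split(";") if t.strip()]


def lint_named_conf(conf):
    """Return (severity, zone, message) for master zones with weak update/transfer ACLs."""
    findings = []
    for name, body in zone_blocks(conf):
        if not re.search(r"\btype\s+(master|primary)\b", body):
            continue
        upd = _acl(body, "allow-update")
        if upd is None and "update-policy" not in body:
            findings.append(("info", name, "no allow-update/update-policy: updates are refused, "
                             "so a DC's netlogon registration will fail"))
        elif upd is not None and "any" in upd:
            findings.append(("high", name, "allow-update { any; }: any host that reaches port 53 "
                             "can rewrite the SRV records clients use to find the DC"))
        elif upd is not None and not any(t.startswith("key ") for t in upd):
            findings.append(("medium", name, f"address-only update ACL {upd}: spoofable over UDP; "
                             "prefer a TSIG key or GSS-TSIG from the DCs"))
        xfr = _acl(body, "allow-transfer")
        if xfr is not None and "any" in xfr:
            findings.append(("low", name, "allow-transfer { any; }: anyone can pull the whole zone"))
    return findings


def named_can_write(path, uid, gid):
    """Can a process with this uid/gid create files (e.g. a .jnl) in path? Judged from
    the directory's owner and mode bits alone; ignores supplementary groups, POSIX
    ACLs and SELinux. uid 0 bypasses mode bits (and is not what named should run as)."""
    st = os.stat(path)
    if uid == 0:
        return True
    if st.st_uid == uid:
        return bool(st.st_mode & stat.S_IWUSR)
    if st.st_gid == gid:
        return bool(st.st_mode & stat.S_IWGRP)
    return bool(st.st_mode & stat.S_IWOTH)


def demo_journal_dir():
    """Throw-away directory: the owner can write at 0755, a different account cannot
    (the thread's 'permission denied' on .jnl), a same-group account can after g+w."""
    d = tempfile.mkdtemp(prefix="named-demo-")
    try:
        os.chmod(d, 0o755)
        st = os.stat(d)
        owner_ok = named_can_write(d, st.st_uid, st.st_gid)
        other_ok = named_can_write(d, st.st_uid + 1, st.st_gid + 1)
        os.chmod(d, 0o775)
        group_ok = named_can_write(d, st.st_uid + 1, st.st_gid)
    finally:
        os.rmdir(d)
    return owner_ok, other_ok, group_ok


if __name__ == "__main__":
    print("journal dir (owner, other, group after g+w):", demo_journal_dir())
    for severity, zone, msg in lint_named_conf(SAMPLE_NAMED_CONF):
        print(f"{severity:6} {zone:22} {msg}")
```

Two caveats that follow from this. Touching .jnl files by hand and giving them mode 755 does not address the cause: named writes the journal itself, so the zone directory (not the files) has to be writable by the named user, and on an SELinux-enabled distribution the directory also has to carry a label named may write to even when the mode bits look right (Fedora/RHEL ship a named_write_master_zones boolean for exactly this). And once a zone has a journal, editing its master file by hand without first running rndc freeze makes named refuse to load the zone, which shows up to clients as SERVFAIL; freeze, edit, then rndc thaw.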
 
  

