LinuxQuestions.org
Old 09-19-2006, 02:40 PM   #1
rsmccain
Member
 
Registered: Apr 2004
Location: Louisiana
Distribution: SUSE
Posts: 154

Rep: Reputation: 30
export Active Directory to BIND


We are looking to convert our DNS servers from Active Directory to BIND running on Linux. What is the best method for converting between the two?

Thanks..
 
Old 09-19-2006, 02:52 PM   #2
acid_kewpie
Moderator
 
Registered: Jun 2001
Location: UK
Distribution: Gentoo, RHEL, Fedora, Centos
Posts: 43,417

Rep: Reputation: 1985
should be fine just doing a direct zone transfer and once it's running on bind, just change the server type to be an authoritative master.
 
Old 09-19-2006, 02:53 PM   #3
rsmccain
Member
 
Registered: Apr 2004
Location: Louisiana
Distribution: SUSE
Posts: 154

Original Poster
Rep: Reputation: 30
thanks

Quote:
Originally Posted by acid_kewpie
should be fine just doing a direct zone transfer and once it's running on bind, just change the server type to be an authoritative master.

I will try this.. thank you.
 
Old 07-24-2008, 01:12 AM   #4
dipuasks
Member
 
Registered: Oct 2005
Location: India
Distribution: Redhat 7-9,Fedora Core 3 - 9, RHEL 4 -5, CentOS 4 - 5, Ubuntu 7.10 - 12.10, Mandirva 2008 -2009
Posts: 133

Rep: Reputation: 16
Hi Guys,

This is exactly what I want. But I don't have any idea about the steps. Can you please give me the steps for the same?

--Dipu
----------------------------
Windows? reboot. Linux! be root!!

http://www.smartdipu.info
 
Old 07-24-2008, 09:22 AM   #5
rsmccain
Member
 
Registered: Apr 2004
Location: Louisiana
Distribution: SUSE
Posts: 154

Original Poster
Rep: Reputation: 30
Quote:
Originally Posted by dipuasks View Post
Hi Guys,

This is exactly what I want. But I don't have any idea about the steps. Can you please give me the steps for the same?

--Dipu
----------------------------
Windows? reboot. Linux! be root!!

http://www.smartdipu.info

Here is the procedure I used and documented:

MS1 = Current Windows Primary Internal DNS Server
MS2 = Current Windows Slave Internal DNS Server
MS1-IP = MS1 IP Address
MS2-IP = MS2 IP Address
LN1 = New Linux Primary Internal DNS Server
LN2 = New Linux Slave Internal DNS Server
LN1-IP1 = LN1 Primary IP Address
LN1-IP2 = LN1 Secondary IP Address
LN2-IP1 = LN2 Primary IP address
LN2-IP2 = LN2 Secondary IP Address


Pre-Work
-Obtain IP addresses for LN1-IP1 and LN2-IP1 on the 10.x network

-Obtain IP addresses for LN1-IP2 and LN2-IP2 on the 172.x network

-Create a DNS record for LN1 and LN2

-Schedule the appropriate change window via the Change Management Process and obtain approval


Prepare MS1
-Go into DNS Systems Management on MS1

-Right click on the zone (domain) you are going to be migrating and click Properties

-Click on the Name Servers tab

-Click the Add button

-Browse and select the name of LN1 then click OK

-Browse and select the name of LN2 then click OK


Prepare LN1
We will first configure LN1 to act as a slave to MS1

-SSH into LN1

-Open YAST and install the following packages:
bind
bind-chrootenv
bind-libs
bind-utils
bind-devel
yast2-pkg-bindings
yast2-perl-bindings
bind-doc

-In the file /etc/sysconfig/named.conf, change the setting NAMED_RUN_CHROOTED="yes" to NAMED_RUN_CHROOTED="no". We choose to not run BIND in a chroot jail.

-Type chkconfig named 35 to set BIND to run at runlevels 3 and 5

Configure /etc/named.conf
-In the options section add:
recursion no;

-Uncomment the logging section as follows:
logging {
    # # Log queries to a file limited to a size of 100 MB.
    # channel query_logging {
    #     file "/var/log/named_querylog"
    #         versions 3 size 100M;
    #     print-time yes; // timestamp log entries
    # };
    # category queries {
    #     query_logging;
    # };
    #
    # Or log this kind alternatively to syslog.
    channel syslog_queries {
        syslog user;
        severity info;
    };
    category queries { syslog_queries; };

    # Log general name server errors to syslog.
    channel syslog_errors {
        syslog user;
        severity error;
    };
    category default { syslog_errors; };

    # Don't log lame server messages.
    category lame-servers { null; };
};

-Every forward zone should have an entry that follows this format:
zone "domainA.com" in {
    masters { MS1-IP; };
    file "slave/domainA.com";
    type slave;
};

-Every reverse zone should have an entry that follows this format:
zone "209.248.199.in-addr.arpa" in {
    masters { MS1-IP; };   // required: a slave zone must list its master(s), or named rejects the config
    file "slave/209.248.199.in-addr.arpa";
    type slave;
};

-Type rcnamed restart to restart BIND

-Verify all zone files have transferred in the /var/lib/named/slave/ directory. Every forward and reverse zone listed on the Primary DNS server should have a corresponding file in the /var/lib/named/slave/ directory. This might take up to 15 minutes.

LN1:/var/lib/named/slave # ll
total 60
-rw-r--r-- 1 root root 319 2007-08-28 21:35 0.in-addr.arpa
-rw-r--r-- 1 root root 369 2007-08-28 21:35 127.in-addr.arpa
-rw-r--r-- 1 root root 1403 2007-08-28 21:35 172.205.in-addr.arpa
-rw-r--r-- 1 root root 467 2007-08-28 21:35 209.248.199.in-addr.arpa
-rw-r--r-- 1 root root 320 2007-08-28 21:35 255.in-addr.arpa
-rw-r--r-- 1 root root 958 2007-08-31 14:33 dss.la.gov
-rw-r--r-- 1 root root 1474 2007-08-31 14:42 dss.louisiana.gov
-rw-r--r-- 1 root root 1058 2007-08-28 21:35 dss.louisiana.gov.jnl
-rw-r--r-- 1 root root 1639 2007-08-31 14:11 dss.state.la.us
-rw-r--r-- 1 root root 697 2007-09-02 21:10 familiesla.com
-rw-r--r-- 1 root root 1007 2007-08-28 21:35 familiesla.com.jnl
-rw-r--r-- 1 root root 488 2007-08-31 10:40 fostercare.la.gov
-rw-r--r-- 1 root root 991 2007-08-28 21:35 fostercare.la.gov.jnl
-rw-r--r-- 1 root root 502 2007-08-31 11:24 fostercare.louisiana.gov
-rw-r--r-- 1 root root 1026 2007-08-28 21:35 fostercare.louisiana.gov.jnl
LN1:/var/lib/named/slave #

NOTE: the .jnl files are used for internal BIND processing.

-Create a dummy DNS record on MS1 and make sure it gets pushed down to LN1.

-Use dig to query the DNS server and verify it responds to DNS queries:
LN1:/var/lib/named/slave # dig @LN1-IP1 eguide.dss.state.la.us

; <<>> DiG 9.2.3 <<>> @LN1-IP1 eguide.dss.state.la.us
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 29509
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;eguide.dss.state.la.us. IN A

;; ANSWER SECTION:
eguide.dss.state.la.us. 3600 IN CNAME dss-sa9928699.dss.state.la.us.
dss-sa9928699.dss.state.la.us. 3600 IN A 10.120.10.22

;; Query time: 0 msec
;; SERVER: LN1-IP1#53(172.20.11.237)
;; WHEN: Thu Sep 6 11:49:07 2007
;; MSG SIZE rcvd: 84
LN1:/var/lib/named/slave #

-Verify in /var/log/messages that DNS queries are hitting LN1. It should look similar to this:
named[2157]: client 216.101.40.251#32795: query: www.dss.louisiana.gov IN A -
named[2157]: client 65.69.81.2#53305: query: www.dss.louisiana.gov IN A -
named[2157]: client 204.196.244.253#47627: query: dss.state.la.us IN A -E
named[2157]: client 159.54.224.250#33320: query: 137.49.172.205.in-addr.arpa IN PTR -E
named[2157]: client 159.54.224.250#40073: query: 137.49.172.205.in-addr.arpa IN PTR -E
named[2157]: client 65.69.81.100#36846: query: www.dss.louisiana.gov IN A -E
named[2157]: client 65.69.81.100#36846: query: www.dss.louisiana.gov IN A -
named[2157]: client 159.54.224.250#33320: query: 137.49.172.205.in-addr.arpa IN PTR -E
named[2157]: client 159.54.224.250#33320: query: 137.49.172.205.in-addr.arpa IN PTR -E

-If you see these messages, the DNS server is up and functioning

Prepare LN2
We will configure LN2 to act as a slave to LN1

-SSH into LN1

-Open YAST and install the following packages:
bind
bind-chrootenv
bind-libs
bind-utils
bind-devel
yast2-pkg-bindings
yast2-perl-bindings
bind-doc

-In the file /etc/sysconfig/named.conf, change the setting NAMED_RUN_CHROOTED="yes" to NAMED_RUN_CHROOTED="no". We choose to not run BIND in a chroot jail.

-Type chkconfig named 35 to set BIND to run at runlevels 3 and 5

Configure /etc/named.conf
-In the options section add:
recursion no;

-Uncomment the logging section as follows:
logging {
    # # Log queries to a file limited to a size of 100 MB.
    # channel query_logging {
    #     file "/var/log/named_querylog"
    #         versions 3 size 100M;
    #     print-time yes; // timestamp log entries
    # };
    # category queries {
    #     query_logging;
    # };
    #
    # Or log this kind alternatively to syslog.
    channel syslog_queries {
        syslog user;
        severity info;
    };
    category queries { syslog_queries; };

    # Log general name server errors to syslog.
    channel syslog_errors {
        syslog user;
        severity error;
    };
    category default { syslog_errors; };

    # Don't log lame server messages.
    category lame-servers { null; };
};

-Every forward zone should have an entry that follows this format:
zone "domainA.com" in {
    masters { LN1-IP1; };
    file "slave/domainA.com";
    type slave;
};

-Every reverse zone should have an entry that follows this format:
zone "209.248.199.in-addr.arpa" in {
    masters { LN1-IP1; };   // required: a slave zone must list its master(s), or named rejects the config
    file "slave/209.248.199.in-addr.arpa";
    type slave;
};

-Type rcnamed restart to restart BIND

-Verify all zone files have transferred in the /var/lib/named/slave/ directory. Every forward and reverse zone listed on the Primary DNS server should have a corresponding file in the /var/lib/named/slave/ directory. This might take up to 15 minutes.

LN1:/var/lib/named/slave # ll
total 60
-rw-r--r-- 1 root root 319 2007-08-28 21:35 0.in-addr.arpa
-rw-r--r-- 1 root root 369 2007-08-28 21:35 127.in-addr.arpa
-rw-r--r-- 1 root root 1403 2007-08-28 21:35 172.205.in-addr.arpa
-rw-r--r-- 1 root root 467 2007-08-28 21:35 209.248.199.in-addr.arpa
-rw-r--r-- 1 root root 320 2007-08-28 21:35 255.in-addr.arpa
-rw-r--r-- 1 root root 958 2007-08-31 14:33 dss.la.gov
-rw-r--r-- 1 root root 1474 2007-08-31 14:42 dss.louisiana.gov
-rw-r--r-- 1 root root 1058 2007-08-28 21:35 dss.louisiana.gov.jnl
-rw-r--r-- 1 root root 1639 2007-08-31 14:11 dss.state.la.us
-rw-r--r-- 1 root root 697 2007-09-02 21:10 familiesla.com
-rw-r--r-- 1 root root 1007 2007-08-28 21:35 familiesla.com.jnl
-rw-r--r-- 1 root root 488 2007-08-31 10:40 fostercare.la.gov
-rw-r--r-- 1 root root 991 2007-08-28 21:35 fostercare.la.gov.jnl
-rw-r--r-- 1 root root 502 2007-08-31 11:24 fostercare.louisiana.gov
-rw-r--r-- 1 root root 1026 2007-08-28 21:35 fostercare.louisiana.gov.jnl
LN1:/var/lib/named/slave #

NOTE: the .jnl files are used for internal BIND processing.

-Create a dummy DNS record on MS1 and make sure it gets pushed down to LN1.

-Use dig to query the DNS server and verify it responds to DNS queries:
LN1:/var/lib/named/slave # dig @LN2-IP1 eguide.dss.state.la.us

; <<>> DiG 9.2.3 <<>> @LN2-IP1 eguide.dss.state.la.us
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 29509
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;eguide.dss.state.la.us. IN A

;; ANSWER SECTION:
eguide.dss.state.la.us. 3600 IN CNAME dss-sa9928699.dss.state.la.us.
dss-sa9928699.dss.state.la.us. 3600 IN A 10.120.10.22

;; Query time: 0 msec
;; SERVER: LN2-IP1#53(172.20.11.237)
;; WHEN: Thu Sep 6 11:49:07 2007
;; MSG SIZE rcvd: 84
LN1:/var/lib/named/slave #

-Verify in /var/log/messages that DNS queries are hitting LN2. It should look similar to this:
named[2157]: client 216.101.40.251#32795: query: www.dss.louisiana.gov IN A -
named[2157]: client 65.69.81.2#53305: query: www.dss.louisiana.gov IN A -
named[2157]: client 204.196.244.253#47627: query: dss.state.la.us IN A -E
named[2157]: client 159.54.224.250#33320: query: 137.49.172.205.in-addr.arpa IN PTR -E
named[2157]: client 159.54.224.250#40073: query: 137.49.172.205.in-addr.arpa IN PTR -E
named[2157]: client 65.69.81.100#36846: query: www.dss.louisiana.gov IN A -E
named[2157]: client 65.69.81.100#36846: query: www.dss.louisiana.gov IN A -
named[2157]: client 159.54.224.250#33320: query: 137.49.172.205.in-addr.arpa IN PTR -E
named[2157]: client 159.54.224.250#33320: query: 137.49.172.205.in-addr.arpa IN PTR -E

-If you see these messages, the DNS server is up and functioning

Decommissioning MS1 and MS2
-Shutdown DNS services on MS1 and MS2 but keep everything installed for a couple weeks in case we run into problems with BIND or Linux.

Migrate LN1 to act as the master DNS server rather than as a slave
Right now LN1 and LN2 are both slave servers, which doesn't hamper DNS from functioning properly; however, without one acting as the master you can't make any updates to the DNS tables.

-SSH into LN1

-Currently /etc/named.conf lists every zone as a slave.

-Every forward zone should be modified to look like this:
zone "domainA.com" in {
    file "master/domainA.com";
    type master;
};

-Every reverse zone should be modified to look like this:
zone "209.248.199.in-addr.arpa" in {
    file "master/209.248.199.in-addr.arpa";
    type master;
};

-Type rcnamed stop to stop BIND

-Move all zone files from /var/lib/named/slave/ to /var/lib/named/master/

-Type rcnamed start to restart BIND

-Use dig to query the DNS server and verify it responds to DNS queries:
LN1:/var/lib/named/slave # dig @LN1-IP1 eguide.dss.state.la.us

; <<>> DiG 9.2.3 <<>> @LN1-IP1 eguide.dss.state.la.us
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 29509
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;eguide.dss.state.la.us. IN A

;; ANSWER SECTION:
eguide.dss.state.la.us. 3600 IN CNAME dss-sa9928699.dss.state.la.us.
dss-sa9928699.dss.state.la.us. 3600 IN A 10.120.10.22

;; Query time: 0 msec
;; SERVER: LN1-IP1#53(172.20.11.237)
;; WHEN: Thu Sep 6 11:49:07 2007
;; MSG SIZE rcvd: 84
LN1:/var/lib/named/slave #

-Verify in /var/log/messages that DNS queries are hitting LN1. It should look similar to this:
named[2157]: client 216.101.40.251#32795: query: www.dss.louisiana.gov IN A -
named[2157]: client 65.69.81.2#53305: query: www.dss.louisiana.gov IN A -
named[2157]: client 204.196.244.253#47627: query: dss.state.la.us IN A -E
named[2157]: client 159.54.224.250#33320: query: 137.49.172.205.in-addr.arpa IN PTR -E
named[2157]: client 159.54.224.250#40073: query: 137.49.172.205.in-addr.arpa IN PTR -E
named[2157]: client 65.69.81.100#36846: query: www.dss.louisiana.gov IN A -E
named[2157]: client 65.69.81.100#36846: query: www.dss.louisiana.gov IN A -
named[2157]: client 159.54.224.250#33320: query: 137.49.172.205.in-addr.arpa IN PTR -E
named[2157]: client 159.54.224.250#33320: query: 137.49.172.205.in-addr.arpa IN PTR -E

-If you see these messages, the DNS server is up and functioning

-Open YAST and create LN1-IP2 using the IP address of MS1-IP

-Type rcnamed restart to restart BIND

-Use dig to query the DNS server and verify it responds to DNS queries:
LN1:/var/lib/named/slave # dig @LN1-IP2 eguide.dss.state.la.us

; <<>> DiG 9.2.3 <<>> @LN1-IP2 eguide..dss.state.la.us
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 29509
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;eguide.dss.state.la.us. IN A

;; ANSWER SECTION:
eguide.dss.state.la.us. 3600 IN CNAME dss-sa9928699.dss.state.la.us.
dss-sa9928699.dss.state.la.us. 3600 IN A 10.120.10.22

;; Query time: 0 msec
;; SERVER: LN1-IP1#53(172.20.11.237)
;; WHEN: Thu Sep 6 11:49:07 2007
;; MSG SIZE rcvd: 84
LN1:/var/lib/named/slave #

-Verify in /var/log/messages that DNS queries are hitting LN1. It should look similar to this:
named[2157]: client 216.101.40.251#32795: query: www.dss.louisiana.gov IN A -
named[2157]: client 65.69.81.2#53305: query: www.dss.louisiana.gov IN A -
named[2157]: client 204.196.244.253#47627: query: dss.state.la.us IN A -E
named[2157]: client 159.54.224.250#33320: query: 137.49.172.205.in-addr.arpa IN PTR -E
named[2157]: client 159.54.224.250#40073: query: 137.49.172.205.in-addr.arpa IN PTR -E
named[2157]: client 65.69.81.100#36846: query: www.dss.louisiana.gov IN A -E
named[2157]: client 65.69.81.100#36846: query: www.dss.louisiana.gov IN A -
named[2157]: client 159.54.224.250#33320: query: 137.49.172.205.in-addr.arpa IN PTR -E
named[2157]: client 159.54.224.250#33320: query: 137.49.172.205.in-addr.arpa IN PTR -E

-If you see these messages, the DNS server is up and functioning

Update LN2 to act as slave to the new IP address LN1-IP2
Right now LN2 is a slave pointing to LN1-IP1 as its master. We need LN2 to point to LN1-IP2 and create the secondary IP address LN2-IP2.

-SSH into LN2

-Open YAST and create LN2-IP2 using the IP address of MS2-IP

-Every forward zone should be modified to look like this:
zone "domainA.com" in {
    masters { LN1-IP2; };
    file "slave/domainA.com";
    type slave;
};

-Type rcnamed restart to restart BIND

-Use dig to query the DNS server and verify it responds to DNS queries:
LN1:/var/lib/named/slave # dig @LN2-IP2 eguide.dss.state.la.us

; <<>> DiG 9.2.3 <<>> @LN1-IP1 eguide.dss.state.la.us
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 29509
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;eguide.dss.state.la.us. IN A

;; ANSWER SECTION:
eguide.dss.state.la.us. 3600 IN CNAME dss-sa9928699.dss.state.la.us.
dss-sa9928699.dss.state.la.us. 3600 IN A 10.120.10.22

;; Query time: 0 msec
;; SERVER: LN1-IP1#53(172.20.11.237)
;; WHEN: Thu Sep 6 11:49:07 2007
;; MSG SIZE rcvd: 84
LN1:/var/lib/named/slave #

-Verify in /var/log/messages that DNS queries are hitting LN1. It should look similar to this:
named[2157]: client 216.101.40.251#32795: query: www.dss.louisiana.gov IN A -
named[2157]: client 65.69.81.2#53305: query: www.dss.louisiana.gov IN A -
named[2157]: client 204.196.244.253#47627: query: dss.state.la.us IN A -E
named[2157]: client 159.54.224.250#33320: query: 137.49.172.205.in-addr.arpa IN PTR -E
named[2157]: client 159.54.224.250#40073: query: 137.49.172.205.in-addr.arpa IN PTR -E
named[2157]: client 65.69.81.100#36846: query: www.dss.louisiana.gov IN A -E
named[2157]: client 65.69.81.100#36846: query: www.dss.louisiana.gov IN A -
named[2157]: client 159.54.224.250#33320: query: 137.49.172.205.in-addr.arpa IN PTR -E
named[2157]: client 159.54.224.250#33320: query: 137.49.172.205.in-addr.arpa IN PTR -E

-If you see these messages, the DNS server is up and functioning

-Type rcnamed stop to stop BIND

-Create a dummy DNS record on LN2 and make sure it gets pushed down to LN1.

-Type rcnamed start to start BIND

-Use dig to query the DNS server and verify it responds to DNS queries:
LN2:/var/lib/named/slave # dig @LN2-IP2 eguide.dss.state.la.us

; <<>> DiG 9.2.3 <<>> @LN2-IP2 eguide..dss.state.la.us
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 29509
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;eguide.dss.state.la.us. IN A

;; ANSWER SECTION:
eguide.dss.state.la.us. 3600 IN CNAME dss-sa9928699.dss.state.la.us.
dss-sa9928699.dss.state.la.us. 3600 IN A 10.120.10.22

;; Query time: 0 msec
;; SERVER: LN1-IP1#53(172.20.11.237)
;; WHEN: Thu Sep 6 11:49:07 2007
;; MSG SIZE rcvd: 84
LN2:/var/lib/named/slave #

-Verify in /var/log/messages that DNS queries are hitting LN1. It should look similar to this:
named[2157]: client 216.101.40.251#32795: query: www.dss.louisiana.gov IN A -
named[2157]: client 65.69.81.2#53305: query: www.dss.louisiana.gov IN A -
named[2157]: client 204.196.244.253#47627: query: dss.state.la.us IN A -E
named[2157]: client 159.54.224.250#33320: query: 137.49.172.205.in-addr.arpa IN PTR -E
named[2157]: client 159.54.224.250#40073: query: 137.49.172.205.in-addr.arpa IN PTR -E
named[2157]: client 65.69.81.100#36846: query: www.dss.louisiana.gov IN A -E
named[2157]: client 65.69.81.100#36846: query: www.dss.louisiana.gov IN A -
named[2157]: client 159.54.224.250#33320: query: 137.49.172.205.in-addr.arpa IN PTR -E
named[2157]: client 159.54.224.250#33320: query: 137.49.172.205.in-addr.arpa IN PTR -E

-If you see these messages, the DNS server is up and functioning

Sync dss.state.la.us, dss.la.gov and dss.louisiana.gov
Either use the same zone file for all three zones, or put an $INCLUDE directive into each zone pointing to a common file.

Here is an example of using the first method, which requires that the three zones be completely identical other than zone name:
In named.conf (not the whole file):
-----------------------------------
zone "domain1.com" { type master; file "shared.zone"; };
zone "domain2.com" { type master; file "shared.zone"; };
zone "domain3.com" { type master; file "shared.zone"; };
-----------------------------------
In shared.zone:
-----------------------------------
$TTL 1d
@ SOA [... 7 data fields ...]
NS a.ns.maindomain.
NS b.ns.maindomain.
MX 10 a.mx.maindomain.
host1 A 10.0.0.1
host2 A 10.0.0.2
-----------------------------------

The key here is to not reference the domain name itself anywhere. "@" stands in for the zone name, as specified in each zone statement. All other domain names are carefully written unqualified unless they should not change between zones.

Whenever a change is made to the shared zone file, be sure to issue 'rndc reload <domain>' for each of these domains, or else use 'rndc reload' without specifying a domain argument.

Backout Plan
Shut off the Linux server and bring the Windows DNS services back up as they were.
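The "verify all zone files have transferred" check and the slave-to-master cutover from the procedure above, as an added Python example (not the poster's own tooling and not a BIND utility): it parses the zone statements of a named.conf written in the layout shown, flags slave zones that lack a masters clause, reports zones whose file has not yet appeared in the slave directory, and rewrites the slave zones as master the way the procedure does by hand. The sample config and directory listing are constructed.

```python
import re
from pathlib import PurePosixPath

# Constructed sample named.conf in the layout used on this page (not a real file).
SAMPLE_CONF = """\
options { directory "/var/lib/named"; recursion no; };
zone "domainA.com" in {
    masters { 10.1.1.5; };
    file "slave/domainA.com";
    type slave;
};
zone "209.248.199.in-addr.arpa" in {
    file "slave/209.248.199.in-addr.arpa";
    type slave;
};
"""
# Constructed listing of /var/lib/named/slave/ (what 'll' would show).
SLAVE_DIR_LISTING = ["domainA.com", "domainA.com.jnl"]

ZONE_START = re.compile(r'zone\s+"(?P<name>[^"]+)"\s*(?:in\s+)?\{', re.I)

def iter_zone_blocks(text):
    """Yield (start, end, name, body) per zone statement; braces are matched by
    depth so a nested 'masters { ... };' does not end the zone early."""
    pos = 0
    while (m := ZONE_START.search(text, pos)):
        depth, i = 1, m.end()
        while i < len(text) and depth:
            depth += {"{": 1, "}": -1}.get(text[i], 0)
            i += 1
        end = i + 1 if text[i:i + 1] == ";" else i  # swallow the trailing ';'
        yield m.start(), end, m.group("name"), text[m.end():i - 1]
        pos = end

def parse_zones(text):
    """Return [{'name', 'type', 'file', 'masters'}] for every zone statement."""
    zones = []
    for _, _, name, body in iter_zone_blocks(text):
        t = re.search(r'\btype\s+(\w+)\s*;', body, re.I)
        f = re.search(r'\bfile\s+"([^"]+)"\s*;', body)
        ms = re.search(r'\bmasters\s*\{([^}]*)\}\s*;', body, re.I)
        zones.append({"name": name,
                      "type": t.group(1).lower() if t else None,
                      "file": f.group(1) if f else None,
                      "masters": [x.strip() for x in ms.group(1).split(";") if x.strip()] if ms else []})
    return zones

def lint_slaves(zones):
    """Slave zones with no masters clause: named rejects such a config, so catch it before restart."""
    return [z["name"] for z in zones if z["type"] == "slave" and not z["masters"]]

def missing_zone_files(zones, present_files):
    """Zones whose file has not shown up in the slave directory yet (transfer incomplete)."""
    present = set(present_files)
    return [z["name"] for z in zones if z["file"] and PurePosixPath(z["file"]).name not in present]

def promote_to_master(text):
    """Rewrite each slave zone as master (drop masters, slave/ -> master/); text outside zones is kept."""
    out, last = [], 0
    for start, end, name, body in iter_zone_blocks(text):
        out.append(text[last:start])
        if re.search(r'\btype\s+slave\s*;', body, re.I):
            body = re.sub(r'[ \t]*\bmasters\s*\{[^}]*\}\s*;[ \t]*\n?', "", body, flags=re.I)
            body = re.sub(r'\bfile\s+"slave/', 'file "master/', body)
            body = re.sub(r'\btype\s+slave\s*;', "type master;", body, flags=re.I)
        out.append(f'zone "{name}" in {{{body}}};')
        last = end
    out.append(text[last:])
    return "".join(out)
```

Run `lint_slaves` and `missing_zone_files` before `rcnamed restart` on the slave, and write the output of `promote_to_master` to a new file to review with named-checkconf before moving the zone files.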
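The /var/log/messages query lines the procedure uses as its "up and functioning" check, parsed with an added Python example (not from the post): it counts queries per client and per record type and lists names that fall outside the zones the server serves, using the page's own log lines plus one constructed line. SERVED_ZONES (taken from the slave directory listing above) and the extra line are assumptions.

```python
import re
from collections import Counter

# Query-log lines in the shape /var/log/messages shows on this page (BIND 9.2/9.3,
# category queries sent to syslog). The first nine are the page's own lines; the
# last one is constructed to exercise the off-zone check.
SAMPLE_LOG = """\
named[2157]: client 216.101.40.251#32795: query: www.dss.louisiana.gov IN A -
named[2157]: client 65.69.81.2#53305: query: www.dss.louisiana.gov IN A -
named[2157]: client 204.196.244.253#47627: query: dss.state.la.us IN A -E
named[2157]: client 159.54.224.250#33320: query: 137.49.172.205.in-addr.arpa IN PTR -E
named[2157]: client 159.54.224.250#40073: query: 137.49.172.205.in-addr.arpa IN PTR -E
named[2157]: client 65.69.81.100#36846: query: www.dss.louisiana.gov IN A -E
named[2157]: client 65.69.81.100#36846: query: www.dss.louisiana.gov IN A -
named[2157]: client 159.54.224.250#33320: query: 137.49.172.205.in-addr.arpa IN PTR -E
named[2157]: client 159.54.224.250#33320: query: 137.49.172.205.in-addr.arpa IN PTR -E
named[2157]: client 10.120.10.99#1025: query: www.example.com IN A +
""".splitlines()

# Zones this server is authoritative for (assumed; taken from the page's slave directory listing).
SERVED_ZONES = ["dss.louisiana.gov", "dss.state.la.us", "dss.la.gov", "172.205.in-addr.arpa"]

QUERY_RE = re.compile(
    r"named\[(?P<pid>\d+)\]: client (?P<ip>[0-9a-fA-F.:]+)#(?P<port>\d+): "
    r"query: (?P<qname>\S+) (?P<qclass>\S+) (?P<qtype>\S+)(?: (?P<flags>\S+))?$"
)

def parse_query_line(line):
    """Return the fields of one query-log line as a dict, or None if it is not a query line."""
    m = QUERY_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["flags"] = rec["flags"] or ""
    # Leading '+' means the client set the RD bit, '-' means it did not; 'E' marks EDNS.
    rec["recursion_wanted"] = rec["flags"].startswith("+")
    return rec

def in_zone(qname, zone):
    """True if qname is the zone apex or lies below it (case-insensitive, trailing dot ignored)."""
    q, z = qname.rstrip(".").lower(), zone.rstrip(".").lower()
    return q == z or q.endswith("." + z)

def summarize(lines, served_zones):
    """Per-client and per-type counts, plus queries for names outside the served zones.
    With recursion off the server cannot answer those from its own data, so a steady
    stream of them is worth looking into."""
    per_client, per_type, off_zone = Counter(), Counter(), []
    for line in lines:
        rec = parse_query_line(line)
        if rec is None:
            continue
        per_client[rec["ip"]] += 1
        per_type[rec["qtype"]] += 1
        if not any(in_zone(rec["qname"], z) for z in served_zones):
            off_zone.append((rec["ip"], rec["qname"], rec["recursion_wanted"]))
    return {"per_client": per_client, "per_type": per_type, "off_zone": off_zone}
```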
 
  

