BIND and Active Directory
I thought of playing with BIND (Debian etch) and Active Directory (Windows 2003) today, so I installed Windows 2003 Enterprise on VMware and started setting up an Active Directory role.
So anyway here is my named.conf...
output omitted
zone "0.168.192.in-addr.arpa" {
        type master;
        file "/etc/bind/master-zone.net";
};

zone "0.0.10.in-addr.arpa" {
        type master;
        file "/etc/bind/cisco.lab";
};

zone "example.com" {
        type master;
        file "/etc/bind/example.com";
};

zone "win2k3.example.com" {
        type master;
        file "/etc/bind/db.win2k3.example.com";
        check-names ignore;
        allow-update { 192.168.0.200; };
};
output omitted
Note...
The "check-names ignore" option is needed to permit underscores in the names: BIND's default for a master zone ("check-names fail") rejects A records whose owner names are not valid hostnames, and Active Directory registers such records under _msdcs. Setting it inside the zone, as above, keeps the default check on the other zones.
"allow-update" permits updates only from the address (or ACL) listed. This is a source-address check, so any host that can send packets as 192.168.0.200 can rewrite the zone; signing updates with a TSIG key ("allow-update { key ...; }" or "update-policy") is the stronger control.
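As an added example, not from the original post, here is the zone stanza above beside a hardened version. The zone and its journal live under /var/cache/bind, the working directory Debian's bind9 package already makes writable to the bind user, so /etc/bind can stay root-owned and read-only for the daemon; and updates are authenticated with a TSIG key rather than a source address. The key name win2k3-update, the placeholder secret and an nsupdate-style client are assumptions for the example.

```conf
// Weak: anything that can source packets as 192.168.0.200 may rewrite the zone,
// and the zone file plus its .jnl journal sit in the configuration directory,
// which therefore has to be writable by the named process.
zone "win2k3.example.com" {
        type master;
        file "/etc/bind/db.win2k3.example.com";
        check-names ignore;
        allow-update { 192.168.0.200; };
};

// Hardened: zone and journal under /var/cache/bind (bind-writable on Debian),
// updates accepted only when signed with a shared TSIG key.
// Key name and secret are placeholders for this example; generate a real one
// (dnssec-keygen -a HMAC-MD5 -b 128 -n HOST ... on BIND 9.3, which etch shipped;
// hmac-sha256 on later releases) and keep the file holding it mode 0640 root:bind.
key "win2k3-update" {
        algorithm hmac-md5;
        secret "REPLACE_WITH_BASE64_SECRET==";   // placeholder, not a real key
};

zone "win2k3.example.com" {
        type master;
        file "/var/cache/bind/db.win2k3.example.com";
        check-names ignore;   // still per zone, so the other zones keep the default check
        update-policy {
                // only this key may add or remove records, and only under this zone
                grant win2k3-update. subdomain win2k3.example.com. ANY;
        };
};
```

A Windows domain controller does not use a static TSIG key: its "secure" dynamic update is GSS-TSIG, which newer BIND releases support through the tkey-gssapi-credential option and a Kerberos principal for the name server in the domain. The key-based stanza is the pattern for nsupdate-driven clients; if the DC has to stay an address-authorized updater, the other two changes (zone file out of /etc/bind, check-names scoped to the one zone) still apply.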
Basically, I used "Add or remove a role" and followed the steps; at "DNS Registration Diagnostics" it failed, so I dropped to syslog and found out that Windows needs to make a number of SRV and A record changes in its domain, using dynamic DNS, in order to relate where the Domain Controllers are.
Here is my log...
Oct 6 23:25:08 neptune named[32137]: client 192.168.0.200#1618: updating zone 'win2k3.example.com/IN': adding an RR at 'win2k3.example.com' A
Oct 6 23:25:08 neptune named[32137]: journal file /etc/bind/db.win2k3.example.com.jnl does not exist, creating it
Oct 6 23:25:08 neptune named[32137]: /etc/bind/db.win2k3.example.com.jnl: create: permission denied
Oct 6 23:25:08 neptune named[32137]: client 192.168.0.200#1618: updating zone 'win2k3.example.com/IN': error: journal open failed: unexpected error
Oct 6 23:25:08 neptune named[32137]: client 192.168.0.200#1622: updating zone 'win2k3.example.com/IN': adding an RR at '_ldap._tcp.win2k3.example.com' SRV
Oct 6 23:25:08 neptune named[32137]: journal file /etc/bind/db.win2k3.example.com.jnl does not exist, creating it
Oct 6 23:25:08 neptune named[32137]: /etc/bind/db.win2k3.example.com.jnl: create: permission denied
Oct 6 23:25:08 neptune named[32137]: client 192.168.0.200#1622: updating zone 'win2k3.example.com/IN': error: journal open failed: unexpected error
Oct 6 23:25:08 neptune named[32137]: client 192.168.0.200#1626: updating zone 'win2k3.example.com/IN': adding an RR at '_ldap._tcp.Default-First-Site-Name._sites.win2k3.example.com' SRV
Oct 6 23:25:08 neptune named[32137]: journal file /etc/bind/db.win2k3.example.com.jnl does not exist, creating it
Oct 6 23:25:08 neptune named[32137]: /etc/bind/db.win2k3.example.com.jnl: create: permission denied
output omitted
BIND here needed to create db.win2k3.example.com.jnl, but there was a permissions problem with /etc/bind, so I ...
# chown bind:bind /etc/bind
# chmod 760 /etc/bind
then jumped to windows, ran the test again, and "The operation completed successfully."
After that I restarted, and went to check BIND records and found out that they were updated and the .jnl file was created.
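Reading the failure out of syslog by hand works once; for a server that keeps accepting dynamic updates it pays to have the pattern scripted. The following is an added example, not code from the original post: it parses named log messages of the shape shown above, groups them per client, keeps the server-side cause (the "permission denied" line), and flags any update source that is not on the expected allow-list, since an unexpected host sending DNS UPDATEs is worth a look even when BIND rejects it. The first nine sample lines are copied from the log above; the final "update ... denied" line from 192.168.0.77 is constructed for the example.

```python
"""Summarise BIND 9 dynamic-update activity from named syslog lines."""
import re
from collections import defaultdict
from dataclasses import dataclass, field

# "Oct 6 23:25:08 neptune named[32137]: <message>"
SYSLOG_RE = re.compile(r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ named\[\d+\]: (?P<msg>.*)$")
# "client 192.168.0.200#1618: <rest>"
CLIENT_RE = re.compile(r"^client (?P<ip>[^#\s]+)#(?P<port>\d+): (?P<rest>.*)$")
# "updating zone 'z/IN': adding an RR at 'name' TYPE"
UPDATE_RE = re.compile(r"^updating zone '(?P<zone>[^']+)': "
                       r"(?P<action>adding an RR|deleting rrset|deleting an RR) at "
                       r"'?(?P<name>[^'\s]+)'? (?P<rtype>\S+)$")
# "updating zone 'z/IN': error: journal open failed: unexpected error"
ERROR_RE = re.compile(r"^updating zone '(?P<zone>[^']+)': error: (?P<error>.+)$")
# "update 'z/IN' denied"  (client failed allow-update / update-policy)
DENIED_RE = re.compile(r"^update '(?P<zone>[^']+)' denied$")


@dataclass
class ClientActivity:
    attempted: list = field(default_factory=list)  # (zone, action, name, rtype)
    errors: list = field(default_factory=list)     # (zone, error text)
    denied: list = field(default_factory=list)     # zones refused by the ACL


@dataclass
class UpdateReport:
    clients: dict      # ip -> ClientActivity
    unexpected: list   # client IPs that are not in the allow-list
    file_errors: list  # non-client messages such as "...: create: permission denied"


def parse_update_log(lines, allowed_updaters):
    clients = defaultdict(ClientActivity)
    file_errors = []
    for line in lines:
        m = SYSLOG_RE.match(line.strip())
        if not m:
            continue
        msg = m.group("msg")
        c = CLIENT_RE.match(msg)
        if not c:
            # Journal/file messages carry no client; keep the ones that explain a failure.
            if "permission denied" in msg and msg not in file_errors:
                file_errors.append(msg)
            continue
        ip, rest = c.group("ip"), c.group("rest")
        u, e, d = UPDATE_RE.match(rest), ERROR_RE.match(rest), DENIED_RE.match(rest)
        if u:
            clients[ip].attempted.append((u["zone"], u["action"], u["name"], u["rtype"]))
        elif e:
            clients[ip].errors.append((e["zone"], e["error"]))
        elif d:
            clients[ip].denied.append(d["zone"])
    unexpected = sorted(ip for ip in clients if ip not in set(allowed_updaters))
    return UpdateReport(dict(clients), unexpected, file_errors)


def format_report(report):
    out = []
    for ip, act in sorted(report.clients.items()):
        flag = "  <-- not in allow-update" if ip in report.unexpected else ""
        out.append(f"client {ip}{flag}")
        out += [f"  {a} {t} {n} in {z}" for z, a, n, t in act.attempted]
        out += [f"  FAILED in {z}: {err}" for z, err in act.errors]
        out += [f"  DENIED by ACL for {z}" for z in act.denied]
    out += [f"server-side cause: {msg}" for msg in report.file_errors]
    return "\n".join(out)


# Lines 1-9 copied from the post's log; the last line is constructed for this example.
SAMPLE_LOG = """\
Oct 6 23:25:08 neptune named[32137]: client 192.168.0.200#1618: updating zone 'win2k3.example.com/IN': adding an RR at 'win2k3.example.com' A
Oct 6 23:25:08 neptune named[32137]: journal file /etc/bind/db.win2k3.example.com.jnl does not exist, creating it
Oct 6 23:25:08 neptune named[32137]: /etc/bind/db.win2k3.example.com.jnl: create: permission denied
Oct 6 23:25:08 neptune named[32137]: client 192.168.0.200#1618: updating zone 'win2k3.example.com/IN': error: journal open failed: unexpected error
Oct 6 23:25:08 neptune named[32137]: client 192.168.0.200#1622: updating zone 'win2k3.example.com/IN': adding an RR at '_ldap._tcp.win2k3.example.com' SRV
Oct 6 23:25:08 neptune named[32137]: journal file /etc/bind/db.win2k3.example.com.jnl does not exist, creating it
Oct 6 23:25:08 neptune named[32137]: /etc/bind/db.win2k3.example.com.jnl: create: permission denied
Oct 6 23:25:08 neptune named[32137]: client 192.168.0.200#1622: updating zone 'win2k3.example.com/IN': error: journal open failed: unexpected error
Oct 6 23:25:08 neptune named[32137]: client 192.168.0.200#1626: updating zone 'win2k3.example.com/IN': adding an RR at '_ldap._tcp.Default-First-Site-Name._sites.win2k3.example.com' SRV
Oct 6 23:31:40 neptune named[32137]: client 192.168.0.77#4096: update 'win2k3.example.com/IN' denied
"""

if __name__ == "__main__":
    print(format_report(parse_update_log(SAMPLE_LOG.splitlines(), ["192.168.0.200"])))
```

Feed it `journalctl -u named` or the relevant syslog file instead of SAMPLE_LOG; the allow-list should mirror whatever `allow-update` or `update-policy` permits, so that the report disagreeing with the configuration is itself a finding.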
Testing and Verification
1. Start nslookup utility in interactive mode
2. Type set type=all
3. Type _ldap._tcp.dc._msdcs.win2k3.example.com
and my result was...
Server:  ns.master-zone.net
Address:  192.168.0.3

_ldap._tcp.dc._msdcs.win2k3.example.com SRV service location:
          priority       = 0
          weight         = 100
          port           = 389
          svr hostname   = win2k3.win2k3.example.com
win2k3.example.com      nameserver = ns.master-zone.net
win2k3.win2k3.example.com       internet address = 192.168.0.200
ns.master-zone.net      internet address = 192.168.0.3
October 20th, 2009 - 13:59
Hello,
thanks for the great quality of your blog; every time I come here, I'm amazed.
black hattitude.
October 26th, 2009 - 01:52
Glad you liked it =)
I will do my best to keep it up.