Getting Windows2000 Active Directory to work with ISC's BIND 8

Here are the results of our work to get Win2k to work in a domain that is using BIND instead of MS-DNS. We have successfully made Active Directory work in this manner and now have 2 additional Active Directory controllers that were able to replicate off the original as well. My notes will be in ( )'s. Please keep in mind I love Windows in general but will have my tongue planted firmly in cheek in certain parts of this document. Also keep in mind I'm no expert in anything; this is a compilation of my assumptions, realizations and experience, so I may be point-blank wrong on certain topics.
Our setup: Windows makes a number of SRV and A record changes in its domain in order to advertise where the Domain Controllers are, using dynamic DNS [RFC 2136]. However, in an existing environment this may be undesirable, as dynamically created files tend to be hard for humans to look at. Further, pre-created scripts used for DNS changes may not work on a dynamic zone 'db' file unless specifically built for it (in a dynamic environment you should be using nsupdate anyway instead of directly editing the files).

From the BIND FAQ ( http://www.nominum.com/resources/bind-faq.html#w2k ) we see that "Microsoft Windows 2000 uses a subzone called '_msdcs' to hold the Active Directory data. While this subzone cannot clash with any legal hostname it also makes it impossible to put hosts within this subzone without using an illegal name. The use of such hostnames will be rejected, by default, by BIND." Additionally, MS KB Q255913 tells us there are subdomains '_sites', '_udp', and '_tcp' to worry about. Fortunately, while they will complain about it, the servers will work even if they can't update their reverse DNS entries.

While that Q article covers 4 options for getting this mixed-OS scenario to work, it (in MS tradition) leaves out the non-MS solution for DNS. For those who want the safety of a CHROOT'ed DNS setup (smart) and are wary of the MS idea that everything should run as SYSTEM (*cough, cough* *exploitable* *cough, cough*), this document covers that "5th" option.

In our scenario we will create an ACL [Access Control List] for our Win2k servers and put them all in a subdomain of our parent whose DNS db files they can munge to death. In your named.conf build the ACL; replace the IPs with your own. (O'Reilly's DNS & BIND, 3rd ed., page 227 describes how to do subnets should you decide to, which is probably a nice thing to do along with VLANing them out so they keep their broadcasts to themselves :P)
=================================[named.conf]

Now we will stub off the Windows machines to a subdomain of our parent, which we will call mydomain.com. We'll call the subdomain win2k.mydomain.com. We will also stub off the '_' based subdomains.
=================================[named.conf]
// Primary server for the root zone...

What these basically say is (for the first one, for example): "The zone win2k.mydomain.com we do control, but keep it in a file called etc/win2k.mydomain.com.db. I don't want you to validate the format of incoming requests because you aren't going to like the '_'s, and you can accept dynamic updates to this zone from any IP/subnet listed in the ACL called win2kservers."

Once you do all this, create the basic SOA/timeout data in the new .db files (you should know how to do that already) and then SIGHUP (restart) the BIND server. Find the reverse entries for your servers now and change them to reflect the change. For example, if the server name was 'exchgserv' then your reverse record for 10.0.0.4 should be "4 IN PTR exchgserv.win2k.mydomain.com." Your forward record will be created by the NETLOGON service once it is started as a member of your new domain.

Now that BIND is ready to go, start DCPROMO on the soon-to-be-Active-Directory server. (I believe if you ALREADY have an AD server, all you will have to do is restart NETLOGON to make it work.) Set the machine name to exchserv (for example) and the domain to win2k.mydomain.com. [NOTE!: In your DNS properties for Networking, DO NOT have a DNS suffix specified, and make sure your newly configured DNS server is what it's using for primary DNS. Otherwise you may have to demote the server and then re-promote it due to it not registering correctly or having a name like exchserv.mydomain.com.win2k.mydomain.com!!!]

Once the machine has rebooted, you should have data either in the etc/win2k.mydomain.com file or in an etc/win2k.mydomain.com.ixfr file [changes that are effective but haven't been merged into the core .db file yet]. Follow the directions for using NSLOOKUP in MS KB Q241515 to verify that the information has been placed in your DNS. If it has, congrats! You are working. If it isn't, start debugging...
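The named.conf the text describes is not reproduced on this page, so here is an added example (my own, not the author's configuration) that emits the pieces named above: the win2kservers ACL, a master zone for win2k.mydomain.com with name checking off and dynamic updates limited to the ACL, the same treatment for the '_' subdomains, and a minimal SOA/NS zone file per zone. Everything concrete in it is a constructed assumption: the server addresses 10.0.0.4 and 10.0.0.5, a primary name server called ns1.mydomain.com, and the underscore subdomains being stubbed off directly under win2k.mydomain.com.

```shell
#!/bin/sh
# Added example (not the page's own named.conf, which is not reproduced here):
# emits the BIND 8 configuration the text describes and a minimal zone file
# per zone. Constructed assumptions: two Win2k servers at 10.0.0.4/10.0.0.5,
# the primary name server ns1.mydomain.com, and the underscore subdomains
# (_msdcs, _sites, _tcp, _udp) stubbed off directly under win2k.mydomain.com.

ACL_NAME="win2kservers"
WIN_SERVERS="10.0.0.4 10.0.0.5"      # replace with your own addresses
PARENT="mydomain.com"
AD_ZONE="win2k.${PARENT}"
PRIMARY_NS="ns1.${PARENT}."          # assumption: host running BIND
ZONES="$AD_ZONE _msdcs.$AD_ZONE _sites.$AD_ZONE _tcp.$AD_ZONE _udp.$AD_ZONE"

# One dynamic zone stanza in BIND 8 syntax. check-names ignore keeps BIND from
# rejecting the '_' labels; allow-update restricts RFC 2136 updates to the ACL,
# so only the listed servers (not anyone on the LAN) can rewrite the zone.
zone_stanza() {
    cat <<EOF
zone "$1" {
    type master;
    file "etc/$1.db";
    check-names ignore;
    allow-update { ${ACL_NAME}; };
};
EOF
}

# The ACL followed by a stanza for every zone in $ZONES.
gen_named_conf() {
    printf 'acl %s {' "$ACL_NAME"
    for ip in $WIN_SERVERS; do printf ' %s;' "$ip"; done
    printf ' };\n\n'
    for z in $ZONES; do
        zone_stanza "$z"
        echo
    done
}

# Minimal zone file: SOA and NS only. The A and SRV records are added later by
# the NETLOGON service through dynamic update, never by hand.
# $1 = zone name, $2 = serial (defaults to a constructed YYYYMMDDnn value).
gen_zone_file() {
    cat <<EOF
; zone $1 -- dynamic zone, edit with nsupdate only
\$TTL 3600
@   IN SOA ${PRIMARY_NS} hostmaster.${PARENT}. (
        ${2:-2003072201} ; serial
        3600             ; refresh
        900              ; retry
        604800           ; expire
        3600 )           ; negative caching TTL
    IN NS  ${PRIMARY_NS}
EOF
}

# Write named.conf.win2k (to be included from named.conf) and etc/<zone>.db
# for every zone under directory $1.
write_all() {
    mkdir -p "$1/etc"
    gen_named_conf > "$1/named.conf.win2k"
    for z in $ZONES; do
        gen_zone_file "$z" > "$1/etc/$z.db"
    done
}

# Run with a directory argument to generate the files, e.g. ./gen-bind8.sh /tmp/bind
if [ -n "${1:-}" ]; then
    write_all "$1"
    echo "wrote $1/named.conf.win2k and $(ls "$1/etc" | wc -l) zone files"
fi
```

The ACL is the whole point of the allow-update line: without it the zone accepts RFC 2136 updates from any address, and any host on the wire could overwrite the SRV records that tell clients where the domain controllers are. Keeping the ACL to the Win2k servers (or their subnet) limits that to the machines that are supposed to register themselves.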
Be sure to keep a close eye on the event viewer in the System Log for errors other than that it couldn't register the DNS in a "0.0.10.in-addr.arpa" file. (I used sislog, an EventViewer-to-syslog-host mediator, for ease in doing this ( http://www.schizo.com/software/sislog/ ) since I have a scrolling monitor of /var/log/messages on my desktop anyway.)
[07/22/03]: You can test SRV record creation like this:
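The author's own test did not survive on this page. As an added example (mine, not the author's), the script below does the check that MS KB Q241515 walks through with nslookup, but with dig: it asks the BIND server for the SRV names a domain controller registers and validates each answer, including catching a target with the doubled suffix (exchserv.mydomain.com.win2k.mydomain.com) that the note above warns about. The BIND address in DNS (10.0.0.2) and the AD domain win2k.mydomain.com are constructed assumptions; override them in the environment.

```shell
#!/bin/sh
# Added example, not the author's own test (which is missing from the page):
# check that the SRV records a domain controller registers through NETLOGON
# are present in the BIND zone, and that each target points inside the
# delegated subdomain. Constructed assumptions: BIND listens at $DNS
# (default 10.0.0.2) and the AD domain is win2k.mydomain.com.

DNS="${DNS:-10.0.0.2}"
AD_ZONE="${AD_ZONE:-win2k.mydomain.com}"

# SRV names a Windows 2000 domain controller registers; _ldap._tcp.dc._msdcs
# is the one MS KB Q241515 has you look up with nslookup.
srv_names() {
    printf '%s\n' \
        "_ldap._tcp.${AD_ZONE}" \
        "_kerberos._tcp.${AD_ZONE}" \
        "_ldap._tcp.dc._msdcs.${AD_ZONE}" \
        "_kerberos._tcp.dc._msdcs.${AD_ZONE}" \
        "_gc._tcp.${AD_ZONE}"
}

# Validate a "dig +short ... SRV" answer read from stdin; each line is
# "priority weight port target.". Succeeds only when there is at least one
# record, every port is numeric and every target is a single host label
# directly under $AD_ZONE. A target such as
# exchserv.mydomain.com.win2k.mydomain.com. (the doubled-suffix registration
# the text warns about) fails the single-label test.
check_srv_answer() {
    n=0
    while read -r prio weight port target; do
        [ -n "$prio" ] || continue
        case "$port" in ''|*[!0-9]*) return 1 ;; esac
        case "$target" in *".${AD_ZONE}.") ;; *) return 1 ;; esac
        host="${target%".${AD_ZONE}."}"
        case "$host" in ''|*.*) return 1 ;; esac
        n=$((n + 1))
    done
    [ "$n" -gt 0 ]
}

# Query one SRV name against the BIND server (needs dig from BIND's tools).
query_srv() {
    dig +short @"$DNS" "$1" SRV | check_srv_answer
}

# Check every expected name; prints one line per name, non-zero exit if any
# record is missing or malformed.
verify_all() {
    rc=0
    for name in $(srv_names); do
        if query_srv "$name"; then
            echo "OK      $name"
        else
            echo "MISSING $name"
            rc=1
        fi
    done
    return $rc
}

# Run the live check only when asked: RUN_SRV_CHECK=1 DNS=10.0.0.2 sh check-srv.sh
if [ -n "${RUN_SRV_CHECK:-}" ]; then
    verify_all
fi
```

If a name comes back MISSING right after DCPROMO, restart NETLOGON on the controller and look at the .ixfr file before assuming the zone is wrong; if it comes back with a doubled-suffix target, that is the DNS-suffix mistake from the note above, not a BIND problem.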
©2000, ©2001 LostInformation