AD DDNS Updates ignored with Bind 9?


Kai Berssin

I'm about to implement an Active Directory environment with Windows
Server 2003 Active Directory Domain Controllers and Bind 9.2.1 DNS
servers. For that, I've created 4 new zones "_msdcs.DOMAINNAME",
"_sites.DOMAINNAME", "_tcp.DOMAINNAME", and "_udp.DOMAINNAME" on the
Bind server, each zone containing an "allow-update { IP_OF_AD_DCs; };"
statement (yes, I know about the security issues). Adding or updating
a record with "nsupdate" works fine, i.e. in general the dynamic
update feature works. Adding a new AD DC with DCPROMO also works (in
the sense that there is no error message), i.e. basically the
communication between AD and DNS functions, and AD recognizes the DNS
server as being configured for dynamic updates (otherwise DCPROMO
would complain). However, none of the records generated by DCPROMO
(the stuff you can find in netlogon.dns) is written to the Bind zone
files or the corresponding JNL files. Has anybody experienced the
same problems and can offer me a tip as to what the problem might be?
If I trace the communication between the AD DC and the DNS server
during DCPROMO with Netmon, I cannot find any errors or warnings; the
only curious thing is a line "Dyn Upd PRE records to DOMAINNAME" ->
"Prerequisite: DOMAINNAME of type Req for all on class Unknown class".
Apparently, the DNS record class in the prerequisites record is
unknown to Netmon; is it also unknown to Bind?

Kind regards,

Kai
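Added illustration, not code from the thread: the class Netmon could not label is most likely one of the two class values RFC 2136 reserves for the prerequisite section (ANY = 255 for "name/RRset exists", NONE = 254 for "does not exist"), which BIND 9's update handler processes as standard. The stdlib-only Python below builds an UPDATE carrying a "Name is in use" prerequisite and decodes the prerequisite section the way a protocol decoder should; the zone name is taken from the posted named.conf, the message id is a constructed value.

```python
import struct

OPCODE_UPDATE = 5           # RFC 2136 UPDATE opcode
TYPE_SOA, TYPE_ANY = 6, 255
CLASS_IN, CLASS_NONE, CLASS_ANY = 1, 254, 255
# Class values RFC 2136 allows in the prerequisite section; 254/255 never
# appear in ordinary answers, which is why an old decoder prints "Unknown class".
CLASS_NAMES = {CLASS_IN: "IN", CLASS_NONE: "NONE", CLASS_ANY: "ANY"}

def encode_name(name):
    """Dotted name -> uncompressed wire format (length-prefixed labels)."""
    labels = [l for l in name.strip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def decode_name(buf, off):
    """Decode an uncompressed wire name at buf[off]; return (name, next offset)."""
    labels = []
    while True:
        n = buf[off]
        off += 1
        if n == 0:
            return ".".join(labels) + ".", off
        labels.append(buf[off:off + n].decode("ascii"))
        off += n

def build_name_in_use_update(zone, name, msg_id=0x1234):
    """UPDATE with one 'Name is in use' prerequisite (RFC 2136 2.4.4), no updates."""
    header = struct.pack("!HHHHHH", msg_id, OPCODE_UPDATE << 11, 1, 1, 0, 0)
    zone_section = encode_name(zone) + struct.pack("!HH", TYPE_SOA, CLASS_IN)
    # NAME=name, TYPE=ANY, CLASS=ANY, TTL=0, RDLENGTH=0: "some RR with this name exists"
    prereq = encode_name(name) + struct.pack("!HHIH", TYPE_ANY, CLASS_ANY, 0, 0)
    return header + zone_section + prereq

def parse_prerequisites(pkt):
    """Return the prerequisite RRs of an UPDATE packet as dicts with a decoded class."""
    _, flags, zocount, prcount, _, _ = struct.unpack("!HHHHHH", pkt[:12])
    if (flags >> 11) & 0xF != OPCODE_UPDATE:
        raise ValueError("not an UPDATE message")
    off = 12
    for _ in range(zocount):              # skip the ZONE section (name + type + class)
        _, off = decode_name(pkt, off)
        off += 4
    prereqs = []
    for _ in range(prcount):
        name, off = decode_name(pkt, off)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", pkt[off:off + 10])
        off += 10 + rdlen
        prereqs.append({"name": name, "type": rtype, "ttl": ttl, "rdlen": rdlen,
                        "class": CLASS_NAMES.get(rclass, "unknown(%d)" % rclass)})
    return prereqs
```

Running parse_prerequisites over a captured DC update (Netmon can export the raw frame) tells you whether the "unknown" class is 254 or 255; either is a legitimate prerequisite, so the reason the records are missing has to be looked for in BIND's own logs rather than in that line.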
 
Your problem is buried in the details, but to start:

It is a very poor idea to try to manually create the sub-zones
and DC records. Let the DCs do it.

Dynamic DNS is a practical requirement.

It is also a good idea to use an MS DNS server (but this is not
a strong recommendation because BIND can certainly work.)

The DNS server needs to be dynamic.
 
KB> However, none of the records generated by DCPROMO (the stuff you
KB> can find in netlogon.dns) is written to the Bind zone files or
KB> the corresponding JNL files.

What do the logs for BIND say ?
 
Dear Herb,

thank you very much for this answer. Unfortunately there are some
constraints I have to obey:

a) Our DNS infrastructure is based on BIND 9.2.1 on Solaris 8, so
Windows DNS is no option.

b) I want to configure as few dynamic zones as possible. Therefore, I
thought it's a good idea to pre-create the _msdcs, _sites, _tcp, and
_udp zones so that the master zone can be kept static.

c) To give you a better idea of what I'm trying, these are the
relevant parts of my named.conf file:

acl slaveserver {
    ....
};

acl masterserver {
    ....
};

acl addomaincontrollers {
    ....
};

options {
    directory "/var/named";
    # the default is to fail, if the master file is not correct
    # check-names master warn;

    pid-file "/var/run/named.pid";

    datasize default;
    stacksize default;
    coresize default;
    files unlimited;
    recursion yes;

    listen-on-v6 { any; };
    listen-on { any; };
    // query-source address * port *;
    allow-query { any; localhost; };
    allow-recursion { any; localhost; };
    allow-transfer { slaveserver; localhost; };
};

controls {
    inet 127.0.0.1 allow { localhost; } keys { rndc_key; };
};

logging {
    # category lame-servers { null; };
    # category cname { null; };
    channel query_logging {
        file "/var/log/named_log"
            versions 3 size 100M;
        print-category yes;
        print-severity yes;
        print-time yes;
    };

    category queries {
        query_logging;
    };
};

zone "." IN {
    type hint;
    file "db.root.hint";
};

zone "localhost" IN {
    type master;
    file "db.localhost";
    allow-update { none; };
};

zone "0.0.127.in-addr.arpa" IN {
    type master;
    file "db.0.0.127.in-addr.arpa";
    allow-update { none; };
};

#
# zone definitions
#

zone "root.company.com" IN {
    type master;
    file "db.root.company.com";
    allow-transfer { slaveserver; localhost; };
    allow-update { none; };
    notify yes;
};

zone "_msdcs.root.company.com" IN {
    type master;
    file "db._msdcs.root.company.com";
    allow-transfer { slaveserver; localhost; };
    allow-update { addomaincontrollers; };
    notify yes;
};

zone "_sites.root.company.com" IN {
    type master;
    file "db._sites.root.company.com";
    allow-transfer { slaveserver; localhost; };
    allow-update { addomaincontrollers; };
    notify yes;
};

zone "_tcp.root.company.com" IN {
    type master;
    file "db._tcp.root.company.com";
    allow-transfer { slaveserver; localhost; };
    allow-update { addomaincontrollers; };
    notify yes;
};

zone "_udp.root.company.com" IN {
    type master;
    file "db._udp.root.company.com";
    allow-transfer { slaveserver; localhost; };
    allow-update { addomaincontrollers; };
    notify yes;
};

zone "1.10.in-addr.arpa" IN {
    type master;
    file "db.1.10.in-addr.arpa";
    allow-transfer { slaveserver; localhost; };
    allow-update { none; };
    notify yes;
};
 
Kai Berssin said:
> Dear Herb,
>
> thank you very much for this answer. Unfortunately there are some
> constraints I have to obey:
>
> a) Our DNS infrastructure is based on BIND 9.2.1 on Solaris 8, so
> Windows DNS is no option.
>
> b) I want to configure as few dynamic zones as possible. Therefore, I
> thought it's a good idea to pre-create the _msdcs, _sites, _tcp, and
> _udp zones so that the master zone can be kept static.
>
> c) To give you a better idea of what I'm trying, these are the
> relevant parts of my named.conf file:
> <snip>

Kai, I *believe* your issue is a single label DNS domain name, that is if
"DOMAINNAME" is a relative facsimile of your domain. It should be in the
form of domainname.com or domainname.net, etc. BIND is probably barking at
that, especially from this message:
> only curious thing is a line "Dyn Upd PRE records to DOMAINNAME" ->
> "Prerequisite: DOMAINNAME of type Req for all on class Unknown class".

If you cannot allow dynamic updates, don't manually create them one by one
as it appears you are saying you're doing. Share out the system32\config
folder to allow access to the netlogon.dns files. This is the data you want
to register. One of the local universities does it that way for their
departments that require AD, and the BIND guys create the zones from that
file.

It would be nice to use DNS locally on the DC and allow zone transfers to
the BIND server to create a secondary. Would be a lot easier.

--
Regards,
Ace

Please direct all replies to the newsgroup so all can benefit.
This posting is provided "AS-IS" with no warranties and confers no
rights.

Ace Fekay, MCSE 2000, MCSE+I, MCSA, MCT, MVP
Microsoft Windows MVP - Active Directory

HAM AND EGGS: A day's work for a chicken; A lifetime commitment for a
pig. --
=================================
 
Kai Berssin said:
> Dear Herb,
>
> thank you very much for this answer. Unfortunately there are some
> constraints I have to obey:
> a) Our DNS infrastructure is based on BIND 9.2.1 on Solaris 8, so
> Windows DNS is no option.

It is frequently best to just delegate the Zone from the BIND
servers to a child zone for Win2000+

But BIND can work.
> b) I want to configure as few dynamic zones as possible. Therefore, I
> thought it's a good idea to pre-create the _msdcs, _sites, _tcp, and
> _udp zones so that the master zone can be kept static.

Probably a bad idea and definitely overcomplicated.

Better than this is to just use the idea above and delegate all
of Win2000 to a child zone.
> c) To give you a better idea of what I'm trying, these are the
> relevant parts of my named.conf file:

I can do BIND but it's going to be error prone and not worth
the trouble. You will hate it forever.
 
> Kai, I *believe* your issue is a single label DNS domain name, that is if
> "DOMAINNAME" is a relative facsimile of your domain. It should be in the
> form of domainname.com or domainname.net, etc. BIND is probably barking at
> that, especially from this message:

IF that is the case then delegating a CHILD zone for
Win2000 Domain becomes virtually mandatory.
 
Herb Martin said:
> IF that is the case then delegating a CHILD zone for
> Win2000 Domain becomes virtually mandatory.

Since we haven't heard back, I'm assuming it is a single label name...
Tricky, even with delegation. But the reg needs to be changed to force it
to allow reg.

--
Regards,
Ace

 