The foundation for Windows networking is Dynamic DNS and without it Active Directory does not work. Active Directory uses DDNS as a locator service in order to determine which services are running on which systems. Windows accomplishes this by inserting SRV records into DDNS. The main functions using SRV DNS records are Kerberos, LDAP and the Global Catalog server. There are a number of different models that can be implemented to accomplish this. Below is only one way to make it all work with a static BIND setup and Windows Dynamic DNS. It also means that our ISC DHCP server will not need changing and we do not have to set up, configure and maintain Windows DHCP servers. There are of course at least 3 other ways to do this and each have their pros and cons.
Dynamic DNS in BIND has always been around as an option. It wasn't until Microsoft came out with Active Directory in Windows 2000 Server that it became widely used. Because of the large number of users that we have, the transition from Netware to Windows networking had to be as seamless as possible. We already had a stable and robust BIND setup in place. As a result of this we decided not to rip that out and replace it with Windows DNS. It may have been easier to do but the results would be uncertain and what we had was already known and has worked well for years. The tricky part for us was getting BIND to work with Active Directory and Windows DNS. We also decided to do this the simple way by using BIND to delegate the Windows specific zones to Windows DNS servers running on each Domain Controller. This let Windows clients access Active Directory zones when needed and everything else was handled by our authoritative and recursive BIND servers.
BIND with all its horrible faults is still very robust and will do just about anything you ask of it. We had been using BIND as the internal authoritative and recursive DNS. So my task was to figure out how to make it live well with Active Directory and Windows DDNS.
Windows networks have their own zones that must be present. They are:
Note: DomainDnsZones and ForestDnsZones are included for Windows 2003 forests.
I decided to let Windows DNS handle the Active Directory zones. Doing this is quite simple as it turns out by configuring the authoratative BIND DNS server. In the BIND data files all you need to do is delegate the Active Directory zones to the Windows Dynamic DNS servers.
For example your NS record entries to delegate the Active Directory zones would look similar to the following in the forward lookup data files of your BIND server:
_udp.mydomain.net. IN NS dc.mydomain.net.
_tcp.mydomain.net. IN NS dc.mydomain.net.
_msdcs.mydomain.net. IN NS dc.mydomain.net.
_sites.mydomain.net. IN NS dc.mydomain.net.
forestdnszones.mydomain.net. IN NS dc.mydomain.net.
domaindnszones.mydomain.net. IN NS dc.mydomain.net.
You also need to add an A record for dc.mydomain.net:
dc.mydomain.net. IN A 10.1.1.4
Also it is not a bad idea to add PTR (reverse lookup) records for dc.mydomain.net
188.8.131.52.in-addr.arpa. IN PTR dc.mydomain.net.
Once this is done reload named.
Testing your new BIND data
After reloading named you can test this by doing the following on the command line:
> set q=ns
You will see something like the following:
_msdcs.mydomain.net nameserver = dc.mydomain.net.
Authoritative answers can be found from:
dc.mydomain.net internet address = 10.1.1.2
You should see something similar to the above for the _tcp, _udp, _msdcs and _sites zones. If you receive an error message then you either mistyped the query or the name server hasn't updated yet.
Now, if in the future we decide to handle everything with dynamic DNS all that needs to be done is to remove the delegations from the static BIND servers and point everything to a dynamic DNS service-either BIND or Windows DNS.
Configuring the Domain Controller
Next you want to install Active Directory on Windows 2003 Enterprise Server. I should point out here that when you install Windows 2003 Enterprise Server to NOT install DNS. If you have installed DNS reinstall W2K3 and get a clean install without DNS installed. DNS does not uninstall well. There are registry keys that are left behind that will screw things up. Once W2K3 Enterprise is installed WITHOUT DNS installed, start up dcpromo from Start->Run and then type dcpromo
The Active Directory Installation Wizard will pop up. Click on the Next button and go through the setup of Active Directory Domain Controller. I am going to assume you are familiar with setting up a Windows Domain Controller and I won't go through that here. Go through the popups and configure Active Directory. NOTE: At one point you will come to a popup that is titled "DNS Registration Diagnostics". It will tell you that the diagnostic failed. This is because DNS service has not been installed and it is OK. Click on "Install and configure DNS on this server..." and click Next. Finish the rest of the Active Directory installation.
Eventually you will need to restart the server. Go ahead and do so. After the server reboots you will need to configure DNS so click on Start->Administrative Tools->DNS. The dnsmgmt.msc snapin will pop up and you are ready to configure DNS. Right click Forward Lookup Zones and select "New Zone..." from the popup menu. Another wizard pops up called "New Zone Wizard". Click "Next" to get past this popup.
A popup titled "Zone Type" will appear, then click on "Primary Zone" and check at the bottom of the window "Store the zone in Active Directory" and click "Next".
The next popup is "Active Directory Zone Replication Scope" click on "To all domain controllers in the Active Directory domain..." Click "Next"
A popup will appear titled "Zone Name" type in the fully qualified domain that you will be using and click on "Next".
Another popup appears titled "Dynamic Update". Select "Allow only secure dynamic updates" and click on "Next".
On the next popup click "Finish" and you will be taken back to the dnsmgmt.msc snapin.
Next create a reverse zone also known as the in-addr.arpa zone.
All DNS servers whether BIND or Windows DNS should have a secondary server. In the Windows world, this usually means that you should also have already set up a second domain controller. If you have done this then add that server as a host to your primary DNS. Once that is done and your second domain controller has been configured with a secondary DNS then replication of the primary DNS will go to your secondary DNS on the other domain controller. It should not take long to populate the secondary DNS.
Once this is done you can test your secondary DNS the same way you first tested the primary using the BIND DNS server. You can also test the two Windows DNS servers by doing the following from the command line; either the Linux command line or the Windows command prompt.
Default Server: master.mydomain.net
> server ns.mydomain.net [whatever your Windows DNS is]
Default Server: ns.mydomain.net
> set q=ns
_tcp.mydomain.net nameserver = dns.mydomain.net
_tcp.mydomain.net nameserver = dns2.mydomain.net
ns.mydomain.net internet address = 10.1.1.4
ns2.mydomain.net internet address = 10.1.1.5
In other words you should receive no errors from your query. If you receive something like: server can't find _tcp.mydomain.net: NXDOMAIN then you have misconfigured your Windows DNS.
This should be enough to get you started. This will help in adding Microsoft networking into an already established DNS infrastructure without ripping out the old one and starting from scratch in an enterprise environment.