Kuro5hin.org: technology and culture, from the trenches

BIND, Active Directory and DDNS

By mybostinks in Technology
Mon Feb 02, 2009 at 08:10:44 PM EST
Tags: sysadmin spotting, IT wankery, DNS, Technology, Techmology (all tags)

Within the past year the organization I work for wanted to drop support for the massive and aging Netware network. It had been in place since 1992. Technical support was expensive, it was becoming cumbersome and solid Netware engineers are becoming scarce these days since Novell is moving its networking to Linux. We needed to replace all that with Windows networking, which included Dynamic DNS and Active Directory. We were also replacing Identity Manager with an open source package.

We needed to:
* Integrate the Active Directory namespace into our current one.
* Keep our master/primary BIND server as the sole Start Of Authority (SOA) for our domain.
* Have Dynamic DNS function automatically once it was set up.

This is not the Microsoft way of doing DNS. Microsoft would prefer that you convert all Unix DNS servers to Microsoft DNS servers. However, for many reasons (many were political but most were technical) this was not an option for us. Since we are not a 100% Windows shop we had to implement a way for static DNS (BIND) and dynamic DNS (Windows) to live together. Our network includes Apples, Windows, Linux and Unix. There is also some odd crap lying around (OS/400) buried deep within the bowels of our network that relies on the static DNS already in place.

The foundation for Windows networking is Dynamic DNS and without it Active Directory does not work. Active Directory uses DDNS as a locator service in order to determine which services are running on which systems. Windows accomplishes this by inserting SRV records into DDNS. The main functions using SRV DNS records are Kerberos, LDAP and the Global Catalog server. There are a number of different models that can be implemented to accomplish this. Below is only one way to make it all work with a static BIND setup and Windows Dynamic DNS. It also means that our ISC DHCP server will not need changing and we do not have to set up, configure and maintain Windows DHCP servers. There are of course at least 3 other ways to do this and each has its pros and cons.

Dynamic DNS in BIND has always been around as an option. It wasn't until Microsoft came out with Active Directory in Windows 2000 Server that it became widely used. Because of the large number of users that we have, the transition from Netware to Windows networking had to be as seamless as possible. We already had a stable and robust BIND setup in place. As a result of this we decided not to rip that out and replace it with Windows DNS. It may have been easier to do but the results would be uncertain and what we had was already known and has worked well for years. The tricky part for us was getting BIND to work with Active Directory and Windows DNS. We also decided to do this the simple way by using BIND to delegate the Windows specific zones to Windows DNS servers running on each Domain Controller. This let Windows clients access Active Directory zones when needed and everything else was handled by our authoritative and recursive BIND servers.

BIND with all its horrible faults is still very robust and will do just about anything you ask of it. We had been using BIND as the internal authoritative and recursive DNS. So my task was to figure out how to make it live well with Active Directory and Windows DDNS.

Windows networks have their own zones that must be present. They are:

Note: DomainDnsZones and ForestDnsZones are included for Windows 2003 forests.

I decided to let Windows DNS handle the Active Directory zones. As it turns out, this is quite simple to do through the configuration of the authoritative BIND DNS server. In the BIND data files all you need to do is delegate the Active Directory zones to the Windows Dynamic DNS servers.

For example your NS record entries to delegate the Active Directory zones would look similar to the following in the forward lookup data files of your BIND server:

_udp.mydomain.net. IN NS dc.mydomain.net.
_tcp.mydomain.net. IN NS dc.mydomain.net.
_msdcs.mydomain.net. IN NS dc.mydomain.net.
_sites.mydomain.net. IN NS dc.mydomain.net.
forestdnszones.mydomain.net. IN NS dc.mydomain.net.
domaindnszones.mydomain.net. IN NS dc.mydomain.net.

You also need to add an A record for dc.mydomain.net:
dc.mydomain.net. IN A

Also it is not a bad idea to add PTR (reverse lookup) records for dc.mydomain.net IN PTR dc.mydomain.net.

Once this is done reload named.
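A check you could run over the forward data file before reloading named, as an added example that is not part of the original article: it confirms that each Active Directory zone listed above has an NS delegation and that every in-domain nameserver target has an A record. The function name, the second controller dc2 and the address 192.0.2.10 (a documentation address) are assumptions made for the sample, and the parser only handles one-line records with fully qualified owner names, as written in the article.

```python
import re

# Zones the article delegates from BIND to the Windows DNS servers.
AD_LABELS = ("_udp", "_tcp", "_msdcs", "_sites", "forestdnszones", "domaindnszones")

# Constructed sample: the article's records with the _sites delegation left
# out and a second NS target (dc2, hypothetical) that has no A record.
SAMPLE_ZONE = """\
_udp.mydomain.net.            IN NS dc.mydomain.net.
_tcp.mydomain.net.            IN NS dc.mydomain.net.
_msdcs.mydomain.net.          IN NS dc.mydomain.net.
_msdcs.mydomain.net.          IN NS dc2.mydomain.net.  ; second DC, no A record
forestdnszones.mydomain.net.  IN NS dc.mydomain.net.
domaindnszones.mydomain.net.  IN NS dc.mydomain.net.
dc.mydomain.net.              IN A  192.0.2.10
"""

# owner [ttl] IN NS|A rdata
RECORD = re.compile(r"^(\S+)\s+(?:\d+\s+)?IN\s+(NS|A)\s+(\S+)", re.IGNORECASE)


def audit_delegations(zone_text, domain):
    """Return (AD zones lacking an NS record, in-domain NS targets lacking an A record)."""
    domain = domain.lower().rstrip(".") + "."
    delegated = {}   # zone name -> set of NS targets
    has_a = set()    # owner names that have an A record
    for raw in zone_text.splitlines():
        m = RECORD.match(raw.split(";", 1)[0].strip())  # drop zone-file comments
        if not m:
            continue
        owner, rtype, rdata = (field.lower() for field in m.groups())
        if rtype == "ns":
            delegated.setdefault(owner, set()).add(rdata)
        else:
            has_a.add(owner)
    wanted = [f"{label}.{domain}" for label in AD_LABELS]
    missing = [zone for zone in wanted if zone not in delegated]
    targets = set().union(*(delegated.get(zone, set()) for zone in wanted))
    # A target inside the parent domain must be resolvable from this same file.
    no_glue = sorted(t for t in targets if t.endswith("." + domain) and t not in has_a)
    return missing, no_glue


if __name__ == "__main__":
    missing, no_glue = audit_delegations(SAMPLE_ZONE, "mydomain.net")
    print("AD zones with no NS delegation:", missing or "none")
    print("in-domain NS targets with no A record:", no_glue or "none")
```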

Testing your new BIND data
After reloading named you can test this by starting nslookup on the command line and entering the following at its prompt:
> set q=ns
> _msdcs.mydomain.net

You will see something like the following:

Non-authoritative answer:
_msdcs.mydomain.net nameserver = dc.mydomain.net.

Authoritative answers can be found from:
dc.mydomain.net internet address =

You should see something similar to the above for the _tcp, _udp, _msdcs and _sites zones. If you receive an error message then you either mistyped the query or the name server hasn't updated yet.

Now, if in the future we decide to handle everything with dynamic DNS, all that needs to be done is to remove the delegations from the static BIND servers and point everything to a dynamic DNS service, either BIND or Windows DNS.

Configuring the Domain Controller
Next you want to install Active Directory on Windows 2003 Enterprise Server. I should point out here that when you install Windows 2003 Enterprise Server you should NOT install DNS. If you have installed DNS, reinstall W2K3 and get a clean install without DNS installed. DNS does not uninstall well. There are registry keys that are left behind that will screw things up. Once W2K3 Enterprise is installed WITHOUT DNS installed, start up dcpromo from Start->Run and then type dcpromo.

The Active Directory Installation Wizard will pop up. Click on the Next button and go through the setup of Active Directory Domain Controller. I am going to assume you are familiar with setting up a Windows Domain Controller and I won't go through that here. Go through the popups and configure Active Directory. NOTE: At one point you will come to a popup that is titled "DNS Registration Diagnostics". It will tell you that the diagnostic failed. This is because DNS service has not been installed and it is OK. Click on "Install and configure DNS on this server..." and click Next. Finish the rest of the Active Directory installation.

Eventually you will need to restart the server. Go ahead and do so. After the server reboots you will need to configure DNS so click on Start->Administrative Tools->DNS. The dnsmgmt.msc snapin will pop up and you are ready to configure DNS. Right click Forward Lookup Zones and select "New Zone..." from the popup menu. Another wizard pops up called "New Zone Wizard". Click "Next" to get past this popup.

A popup titled "Zone Type" will appear, then click on "Primary Zone" and check at the bottom of the window "Store the zone in Active Directory" and click "Next".

The next popup is "Active Directory Zone Replication Scope". Click on "To all domain controllers in the Active Directory domain..." and click "Next".

A popup will appear titled "Zone Name" type in the fully qualified domain that you will be using and click on "Next".

Another popup appears titled "Dynamic Update". Select "Allow only secure dynamic updates" and click on "Next".

On the next popup click "Finish" and you will be taken back to the dnsmgmt.msc snapin.

Next create a reverse zone also known as the in-addr.arpa zone.

All DNS servers whether BIND or Windows DNS should have a secondary server. In the Windows world, this usually means that you should also have already set up a second domain controller. If you have done this then add that server as a host to your primary DNS. Once that is done and your second domain controller has been configured with a secondary DNS then replication of the primary DNS will go to your secondary DNS on the other domain controller. It should not take long to populate the secondary DNS.

Once this is done you can test your secondary DNS the same way you first tested the primary using the BIND DNS server. You can also test the two Windows DNS servers by doing the following from the command line; either the Linux command line or the Windows command prompt.

Default Server: master.mydomain.net

> server ns.mydomain.net [whatever your Windows DNS is]
Default Server: ns.mydomain.net

> set q=ns
> _tcp.mydomain.net
Server: ns.mydomain.net

Non-authoritative answer:
_tcp.mydomain.net nameserver = dns.mydomain.net
_tcp.mydomain.net nameserver = dns2.mydomain.net

ns.mydomain.net internet address =
ns2.mydomain.net internet address =

In other words you should receive no errors from your query. If you receive something like: server can't find _tcp.mydomain.net: NXDOMAIN then you have misconfigured your Windows DNS.

This should be enough to get you started. This will help in adding Microsoft networking into an already established DNS infrastructure without ripping out the old one and starting from scratch in an enterprise environment.




I read this and...
o I get it 25%
o I don't get it 5%
o I don't need it 12%
o I don't give a shit 12%
o I didn't read it at all 7%
o I wonder what a tech article is doing here 15%
o I dumped it -1 0%
o I decided to go to Nepal 0%
o I got laid 5%
o I cleaned up cat shit 0%
o I cleaned up cat puke 10%
o I saw my neighbor's dog get run over 0%
o I got a divorce 0%
o WIPO 0%

BIND, Active Directory and DDNS | 22 comments (12 topical, 10 editorial, 0 hidden)
moving this to vote (none / 1) (#5)
by mybostinks on Mon Feb 02, 2009 at 01:53:41 PM EST

The pole needs to be adjusted to allow multiple (none / 0) (#9)
by greengrass on Mon Feb 02, 2009 at 06:04:26 PM EST


I don't get it.

I don't need it.

I liked it.

I cleaned up cat puke.

sorry by the time it (none / 1) (#10)
by mybostinks on Mon Feb 02, 2009 at 09:04:23 PM EST

went to vote, I couldn't change it.

[ Parent ]
by GhostOfTiber on Tue Feb 03, 2009 at 09:14:42 AM EST


[Nimey's] wife's ass is my cocksheath. - undermyne

Wait.... (none / 0) (#14)
by OXDEADBEEF on Tue Feb 03, 2009 at 09:15:26 AM EST

Windows actually relies on underscores in hostnames that are technically illegal? Hum... Googling a bit, it's more complicated than that. RFC 4367 looks like an interesting read...

Sort of (none / 1) (#15)
by GhostOfTiber on Tue Feb 03, 2009 at 09:33:58 AM EST

Windows requires it so that you don't start answering requests to the general internet about your AD configuration. (In other words, read up on LDAP/AD).

Underscore (_) is perfectly legal as a hostname (CNAME) but not in an FQDN, so Microsoft uses it as a zone name to keep internal zones internal.

[Nimey's] wife's ass is my cocksheath. - undermyne
[ Parent ]

Looks dodgy (none / 0) (#16)
by OXDEADBEEF on Tue Feb 03, 2009 at 09:44:06 AM EST

RFC 1034 chapter 3.5 is actually quite clear :

Note that while upper and lower case letters are allowed in domain names, no significance is attached to the case. That is, two names with the same spelling but different case are to be treated as if identical.

The labels must follow the rules for ARPANET host names. They must start with a letter, end with a letter or digit, and have as interior characters only letters, digits, and hyphen. There are also some restrictions on the length. Labels must be 63 characters or less.

Found no RFC updating that rule, didn't search too hard.

[ Parent ]

He's talking about zone authorities (none / 1) (#18)
by GhostOfTiber on Tue Feb 03, 2009 at 10:03:25 AM EST

The only boxes they have to answer to is themselves, which is why it works.

So basically to take one step back, the way it works is the masters have illegal hostnames to keep people from addressing them directly, and I know he's also got a DHCP service on there. He's got his replicas setup with legal hostnames, and he can talk to any of these by IP (which has to happen anyway for DHCP).

It's entirely personal preference which style you prefer. I'm horrified he's going that route.

[Nimey's] wife's ass is my cocksheath. - undermyne
[ Parent ]

They are illegal as far as the internet (1.50 / 2) (#19)
by mybostinks on Tue Feb 03, 2009 at 11:46:45 AM EST

is concerned. Plus they are zones not hostnames. BIND complains about them but does not consider it fatal. You can turn off BIND's complaining about it too.

If you tried to use '_' for Internet zones or hostnames it would violate the RFCs and the upstream TLD servers would reject the requests completely.

It is a goofy Microsoft extension but BIND works perfectly well as I describe in the article.

[ Parent ]

Interesting! Thanks for sharing, (none / 0) (#20)
by dakini on Wed Feb 04, 2009 at 04:55:31 AM EST

sorry i missed the vote on this one. +FP.

" May your vision be clear, your heart strong, and may you always follow your dreams."

$ ./bindhax (none / 0) (#21)
by Ron Paul on Wed Feb 25, 2009 at 08:35:15 AM EST

# rm -rf /

This [Ron Paul] Diary! has brought Kuro5hin back to life! HUZZAH

Looks at calendar (none / 0) (#22)
by jpj on Tue Mar 03, 2009 at 01:08:45 PM EST

Ummm. I first had to do this about eight years ago. I admire the notion, but why is this topical again? Further, might you have any guides on NT4 to Windows 2000 migrations, or tips on IIS4?
