Transfer Windows AD DNS zones to BIND

Original by /u/rootwyrm on reddit preserved here for future reference in case it gets deleted.


Okay, step back. I've been doing this longer than anyone else here, guaranteed. First up, that's NOT how DNS works. You do not replicate. You push updates with NOTIFY and IXFR. Secondly, there are very specific requirements.

First, BIND must be minimum 9.9 for 2k12/2k12R2 and 9.6 for 2k8/2k8R2. Forest Functional level as set in AD.

Second, you must configure AD DNS appropriately.

DNS -> AD DNS Server

Right Click, Properties

Advanced Tab

Select the following options (ALL are required):

  • Enable BIND secondaries
  • Enable round robin (domain clients will fail to hit BIND otherwise)
  • Enable netmask ordering
  • Enable DNSSEC validation for remote responses (UNCHECK if feeding from non-DNSSEC BIND)
  • Name checking: Multibyte (UTF8) or All Names
  • Load zone data on startup: From Active Directory and registry
  • Enable automatic scavenging should be checked
  • Scavenging period should be set appropriately

Root Hints MUST BE UPDATED MANUALLY. You can use the “Resolve” button to do this.

Forward Lookup Zone -> EXAMPLE.COM

  • Do NOT add BIND to Name Servers (yet)
  • Zone Transfers → Allow zone transfers
  • Zone Transfers → Only to servers listed on the Name Servers tab
  • Apply Changes
  • Name Servers → Add BIND servers one at a time
  • If accepting dynamic updates from BIND (nsupdate), TSIG or GSS must be configured for Secure only updating

Forward Lookup Zone -> _msdcs.EXAMPLE.COM

  • Repeat the same steps as in EXAMPLE.COM
  • Dynamic updates must be Secure Only

Reverse Lookup Zone -> 0.0.10.in-addr.arpa (repeat for all reverse zones)

  • Repeat as in EXAMPLE.COM
  • Security → “Everyone” must have Read allowed

BIND configuration (example)

  options {
      ...
      check-names master warn; // Must be WARN only for AD
      allow-notify {
          localhost; AD_SERVER.IP.ADDRESS;
      };
      allow-transfer {
          localhost; AD_SERVER.IP.ADDRESS;
      };
      ends-udp-size 4096;
      max-udp-size 4096;
      dnssec-enable yes; //optional
      dnssec-validation yes; // optional, can be yes or no
      dnssec-lookaside auto; // MUST be auto for AD
  };
  
  zone "EXAMPLE.COM" {
      type slave;
      masters { AD_SERVER.IP.ADDRESS; };
      file "/something/appropriate/base/etc/is/not/appropriate";
      allow-transfer { "AD_SERVER.IP.ADDRESS"; };
      allow-notify { "AD_SERVER.IP.ADDRESS"; };
  };
  zone "_msdcs.EXAMPLE.COM" {
      type slave;
      masters { AD_SERVER.IP.ADDRESS; };
      file "/something/appropriate/that/is/different";
      allow-transfer { "AD_SERVER.IP.ADDRESS"; };
      allow-notify { "AD_SERVER.IP.ADDRESS"; };
  };
  
  zone "0.0.10.in-addr.arpa" {
      type slave;
      masters { AD_SERVER.IP.ADDRESS; };
      file "/something/appropriate/that/is/different";
      allow-transfer { "AD_SERVER.IP.ADDRESS"; };
      allow-notify { "AD_SERVER.IP.ADDRESS"; };
  };
  • tutorial/dns/windows-ad-transfer-to-bind.txt
  • Last modified: 2018-05-13 14:34
  • by Nico Weichbrodt