Transfer Windows AD DNS zones to BIND
Original by /u/rootwyrm on reddit preserved here for future reference in case it gets deleted.
Okay, step back. I've been doing this longer than anyone else here, guaranteed. First up, that's NOT how DNS works. You do not replicate. You push updates with NOTIFY and IXFR. Secondly, there are very specific requirements.
First, BIND must be at minimum 9.9 for 2k12/2k12R2 and 9.6 for 2k8/2k8R2. Forest Functional level as set in AD.
Second, you must configure AD DNS appropriately.
DNS -> AD DNS Server
Right Click, Properties
Advanced Tab
Select the following options (ALL are required):
- Enable BIND secondaries
- Enable round robin (domain clients will fail to hit BIND otherwise)
- Enable netmask ordering
- Enable DNSSEC validation for remote responses (UNCHECK if feeding from non-DNSSEC BIND)
- Name checking: Multibyte (UTF8) or All Names
- Load zone data on startup: From Active Directory and registry
- Enable automatic scavenging should be checked
- Scavenging period should be set appropriately
Root Hints MUST BE UPDATED MANUALLY. You can use the “Resolve” button to do this.
Forward Lookup Zone -> EXAMPLE.COM
- Do NOT add BIND to Name Servers (yet)
- Zone Transfers → Allow zone transfers
- Zone Transfers → Only to servers listed on the Name Servers tab
- Apply Changes
- Name Servers → Add BIND servers one at a time
- If accepting dynamic updates from BIND (nsupdate), TSIG or GSS must be configured for Secure only updating
Forward Lookup Zone -> _msdcs.EXAMPLE.COM
- Repeat the same steps as in EXAMPLE.COM
- Dynamic updates must be Secure Only
Reverse Lookup Zone -> 0.0.10.in-addr.arpa (repeat for all reverse zones)
- Repeat as in EXAMPLE.COM
- Security → “Everyone” must have Read allowed
BIND configuration (example)
options {
    ...
    check-names master warn;    // Must be WARN only for AD
    allow-notify { localhost; AD_SERVER.IP.ADDRESS; };
    allow-transfer { localhost; AD_SERVER.IP.ADDRESS; };
    edns-udp-size 4096;
    max-udp-size 4096;
    dnssec-enable yes;          // optional
    dnssec-validation yes;      // optional, can be yes or no
    dnssec-lookaside auto;      // MUST be auto for AD
};

zone "EXAMPLE.COM" {
    type slave;
    masters { AD_SERVER.IP.ADDRESS; };
    file "/something/appropriate/base/etc/is/not/appropriate";
    // address literals stay unquoted: BIND reads a quoted entry in a match list as an ACL name, not an address
    allow-transfer { AD_SERVER.IP.ADDRESS; };
    allow-notify { AD_SERVER.IP.ADDRESS; };
};

zone "_msdcs.EXAMPLE.COM" {
    type slave;
    masters { AD_SERVER.IP.ADDRESS; };
    file "/something/appropriate/that/is/different";
    allow-transfer { AD_SERVER.IP.ADDRESS; };
    allow-notify { AD_SERVER.IP.ADDRESS; };
};

zone "0.0.10.in-addr.arpa" {
    type slave;
    masters { AD_SERVER.IP.ADDRESS; };
    file "/something/appropriate/that/is/different";
    allow-transfer { AD_SERVER.IP.ADDRESS; };
    allow-notify { AD_SERVER.IP.ADDRESS; };
};
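A config check added here, not part of the original post: it scans a named.conf fragment for the pitfalls the post calls out (check-names master warn, the EDNS sizes, a distinct file per zone, and an AD address that a zone's allow-notify would not admit or that is quoted, which BIND reads as an ACL name rather than an address). The sample config, the 10.0.0.5 address and the file paths are constructed.

```python
import re
# Constructed named.conf; 10.0.0.5 stands in for AD_SERVER.IP.ADDRESS and three pitfalls are planted on purpose.
SAMPLE_NAMED_CONF = """
options {
    check-names master warn;
    allow-notify { localhost; 10.0.0.5; };
    max-udp-size 4096;
};
zone "EXAMPLE.COM" {
    type slave; masters { 10.0.0.5; }; file "/var/named/slaves/example.com.db";
    allow-notify { 10.0.0.5; };
};
zone "_msdcs.EXAMPLE.COM" {
    type slave; masters { 10.0.0.5; }; file "/var/named/slaves/example.com.db";
    allow-notify { "10.0.0.5"; };
};
"""
def stanzas(conf, kind):  # yield (name, body) for each top-level `kind ["name"] { ... };`
    for m in re.finditer(r'\b%s\b\s*(?:"([^"]+)")?\s*\{' % kind, conf):
        depth, i = 1, m.end()
        while depth and i < len(conf):  # walk forward to the matching close brace
            depth += {"{": 1, "}": -1}.get(conf[i], 0)
            i += 1
        yield m.group(1), conf[m.end():i - 1]

def match_list(body, key):  # (bare, quoted) entries; BIND treats a quoted entry as an ACL name
    m = re.search(r"\b%s\s*\{([^}]*)\}" % key, body)
    entries = [e.strip() for e in (m.group(1) if m else "").split(";") if e.strip()]
    return ([e for e in entries if not e.startswith('"')],
            [e.strip('"') for e in entries if e.startswith('"')])

def check_ad_secondary(conf, ad_ip):
    """Return findings for a BIND config meant to hold AD-hosted zones as a secondary of ad_ip."""
    findings, files = [], []
    opts = dict(stanzas(conf, "options")).get(None, "")
    if not re.search(r"\bcheck-names\s+master\s+warn\s*;", opts):
        findings.append("options: check-names master must be warn, or AD's underscore names are rejected")
    findings += ["options: %s not set" % k for k in ("edns-udp-size", "max-udp-size")
                 if not re.search(r"\b%s\s+\d+\s*;" % k, opts)]
    for name, body in stanzas(conf, "zone"):
        if ad_ip not in match_list(body, "masters")[0]:
            findings.append("zone %s: masters does not list %s" % (name, ad_ip))
        bare, quoted = match_list(body, "allow-notify")
        if ad_ip in quoted:
            findings.append("zone %s: allow-notify quotes %s, which BIND reads as an ACL name" % (name, ad_ip))
        f = re.search(r'\bfile\s+"([^"]+)"', body)  # every AD zone needs its own backing file
        files.append(f.group(1) if f else "(no file)")
    findings += ["file %s is shared by %d zones; each zone needs its own file" % (p, files.count(p))
                 for p in sorted(set(files)) if files.count(p) > 1]
    return findings
```

Run `check_ad_secondary(open("named.conf").read(), "<AD server IP>")` against a real file; an empty list means none of the checked pitfalls were found.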