tutorial:dns:windows-ad-transfer-to-bind

tutorial:dns:windows-ad-transfer-to-bind [2018-05-13 14:34]
weichbr created
tutorial:dns:windows-ad-transfer-to-bind [2018-06-03 14:10]
Line 1: Line 1:
-{{tag>tutorial dns}} 
  
-====== Transfer Windows AD DNS zones to BIND ====== 
- 
-Original by [[https://www.reddit.com/r/homelab/comments/3zqg2y/using_bind_linux_as_a_backup_dns_server_to_a/cyog5pb/|/u/rootwyrm on reddit]] preserved here for future reference in case it gets deleted. 
- 
----- 
- 
-Okay, step back. I've been doing this longer than anyone else here, guaranteed. First up, that's NOT how DNS works. You do not replicate. You push updates with NOTIFY and IXFR. Secondly, there are very specific requirements. 
- 
-First, BIND must be minimum 9.9 for 2k12/2k12R2 and 9.6 for 2k8/2k8R2. Forest Functional level as set in AD. 
- 
-Second, you must configure AD DNS appropriately. 
- 
-==== DNS -> AD DNS Server ==== 
-Right Click, Properties 
- 
-=== Advanced Tab === 
- 
-Select the following options (ALL are required): 
- 
-  * Enable BIND secondaries 
-  * Enable round robin (domain clients will fail to hit BIND otherwise) 
-  * Enable netmask ordering 
-  * Enable DNSSEC validation for remote responses (UNCHECK if feeding from non-DNSSEC BIND) 
-  * Name checking: Multibyte (UTF8) or All Names 
-  * Load zone data on startup: From Active Directory and registry 
-  * Enable automatic scavenging should be checked 
-  * Scavenging period should be set appropriately 
- 
-Root Hints **MUST BE UPDATED MANUALLY**. You can use the "Resolve" button to do this. 
- 
-==== Forward Lookup Zone -> EXAMPLE.COM ==== 
-  * Do NOT add BIND to Name Servers (yet) 
-  * Zone Transfers -> Allow zone transfers 
-  * Zone Transfers -> Only to servers listed on the Name Servers tab 
-  * Apply Changes 
-  * Name Servers -> Add BIND servers one at a time 
-  * If accepting dynamic updates from BIND (nsupdate), TSIG or GSS must be configured for Secure only updating 
- 
-==== Forward Lookup Zone -> _msdcs.EXAMPLE.COM ==== 
-  * Repeat the same steps as in EXAMPLE.COM 
-  * Dynamic updates must be **Secure Only** 
- 
-==== Reverse Lookup Zone -> 0.0.10.in-addr.arpa (repeat for all reverse zones) ==== 
-  * Repeat as in EXAMPLE.COM 
-  * Security -> "Everyone" must have Read allowed 
- 
-==== BIND configuration (example) ==== 
-    options { 
-        ... 
-        check-names master warn; // Must be WARN only for AD 
-        allow-notify { 
-            localhost; AD_SERVER.IP.ADDRESS; 
-        }; 
-        allow-transfer { 
-            localhost; AD_SERVER.IP.ADDRESS; 
-        }; 
-        ends-udp-size 4096; 
-        max-udp-size 4096; 
-        dnssec-enable yes; //optional 
-        dnssec-validation yes; // optional, can be yes or no 
-        dnssec-lookaside auto; // MUST be auto for AD 
-    }; 
-     
-    zone "EXAMPLE.COM" { 
-        type slave; 
-        masters { AD_SERVER.IP.ADDRESS; }; 
-        file "/something/appropriate/base/etc/is/not/appropriate"; 
-        allow-transfer { "AD_SERVER.IP.ADDRESS"; }; 
-        allow-notify { "AD_SERVER.IP.ADDRESS"; }; 
-    }; 
-    zone "_msdcs.EXAMPLE.COM" { 
-        type slave; 
-        masters { AD_SERVER.IP.ADDRESS; }; 
-        file "/something/appropriate/that/is/different"; 
-        allow-transfer { "AD_SERVER.IP.ADDRESS"; }; 
-        allow-notify { "AD_SERVER.IP.ADDRESS"; }; 
-    }; 
-     
-    zone "0.0.10.in-addr.arpa" { 
-        type slave; 
-        masters { AD_SERVER.IP.ADDRESS; }; 
-        file "/something/appropriate/that/is/different"; 
-        allow-transfer { "AD_SERVER.IP.ADDRESS"; }; 
-        allow-notify { "AD_SERVER.IP.ADDRESS"; }; 
-    }; 
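Review bot: the `options` block of the removed BIND example contains a typo, `ends-udp-size 4096;`, which named-checkconf rejects as an unknown option; the intended option is `edns-udp-size 4096;`. In the three `zone` blocks, `allow-transfer { "AD_SERVER.IP.ADDRESS"; };` and `allow-notify { "AD_SERVER.IP.ADDRESS"; };` wrap the address in double quotes, which named treats as a reference to a named ACL rather than an address literal; they should be written unquoted, as the `options` block already does with `allow-notify { localhost; AD_SERVER.IP.ADDRESS; };`. Since this hunk drops the entire page instead of correcting those lines, the revision marked "(external edit)" should carry a message saying whether the tutorial moved elsewhere or was retired, so the pointer to the original reddit comment that the page was preserving is not lost.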