Delegate from BIND to Windows 2003 DNS (AD Zone)

Barry Finkel b19141 at achilles.ctd.anl.gov
Wed Apr 13 13:50:18 UTC 2005


FabriceR <nospam at spam.net> wrote:

>I have BIND DNS (8.3.3-REL-NOESW) for my company and we'll install a 
>Windows 2003 AD with DNS. Our plan is:
>
>* Keep our clients on BIND DNS (compagny.fr)
>* Create the 2003 AD zone DNS (ad.compagny.fr)
>* Delegate ad to 2003 DNS (the DC machine) in BIND
>
>To do this, I created a stub zone in BIND DNS which points to the 2 
>2003 DCs. The creation is OK and I can query BIND DNS for the NS records 
>of ad.compagny.fr (and the associated A records).
> 
>When I try a query (other than NS) for the ad.compagny.fr domain on 
>BIND DNS, I get an error.
>
>I suppose the problem is that Windows 2003 AD DNS has multiple masters. 
>Each DC is master for the zone and each DC gives an SOA with its own name 
>(cf. the "host -C" output at the end).
>
>Hope you have some links or hints.
>Best regards,
>FabriceR
>
>
>$ dig NS ad.compagny.fr
>
>; <<>> DiG 9.2.1 <<>> NS ad.compagny.fr
>;; global options:  printcmd
>;; Got answer:
>;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 14691
>;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 2
>
>;; QUESTION SECTION:
>;ad.compagny.fr.            IN      NS
>
>;; ANSWER SECTION:
>ad.compagny.fr.     3600    IN      NS      dc2.ad.compagny.fr.
>ad.compagny.fr.     3600    IN      NS      dc1.ad.compagny.fr.
>
>;; ADDITIONAL SECTION:
>dc2.ad.compagny.fr. 3600 IN    A       192.168.7.27
>dc1.ad.compagny.fr. 3600 IN    A       192.168.7.17
>
>;; Query time: 1 msec
>;; SERVER: 127.0.0.1#53(127.0.0.1)
>;; WHEN: Tue Apr 12 15:57:13 2005
>;; MSG SIZE  rcvd: 114
>
>$
>
>$ dig @dc1.ad.compagny.fr. SOA ad.compagny.fr
>
>; <<>> DiG 9.2.1 <<>> @dc1.ad.compagny.fr. SOA ad.compagny.fr
>;; global options:  printcmd
>;; Got answer:
>;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 14064
>;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
>
>;; QUESTION SECTION:
>;ad.compagny.fr.            IN      SOA
>
>;; ANSWER SECTION:
>ad.compagny.fr.     3600    IN      SOA     dc1.ad.compagny.fr. 
>hostmaster. 900 900 600 86400 3600
>
>;; ADDITIONAL SECTION:
>dc1.ad.compagny.fr. 3600 IN    A       192.168.7.17
>
>;; Query time: 0 msec
>;; SERVER: 192.168.7.17#53(dc1.ad.compagny.fr.)
>;; WHEN: Tue Apr 12 15:57:37 2005
>;; MSG SIZE  rcvd: 107
>$
>$ more /etc/bind/named.conf
>...
>// Zone ad
>zone "ad.compagny.fr" IN {
>         type stub;
>         file "/etc/bind/db.ad.compagny.fr";
>         masters { 192.168.7.27; 192.168.7.27; };
>};
>...
>$
>$ host -C ad.compagny.fr.
>ad.compagny.fr      NS      dc1.ad.compagny.fr
>dc1.ad.compagny.fr     hostmaster      (900 900 600 86400 3600)
>  !!! ad.compagny.fr SOA hostmaster hostmaster has illegal mailbox
>  !!! ad.compagny.fr SOA expire is less than 1 week (1 day)
>ad.compagny.fr      NS      dc2.ad.compagny.fr
>dc2.ad.compagny.fr     hostmaster      (900 900 600 86400 3600)
>  *** dc2.ad.compagny.fr and dc1.ad.compagny.fr have different primary 
>for ad.compagny.fr
>$

All you need to do is this:

   1) If you are using the W2k AD multi-master DNS, then choose ONE
      of the DNS Servers to be the "master".  Say, dc1.

   2) Add this delegation line to the 

          compagny.fr

      zone:

          ad  IN  NS  dc1.ad.compagny.fr

I would suggest that you make your BIND servers slave servers for the

     ad.compagny.fr

zone.  That way, all of your zones will be on BIND servers that the
clients can query.  If clients already have the BIND servers in their
TCP/IP configuration, then they can continue to query those BIND servers
and not have to know about the W2k AD DNS Server(s), and a query to
the BIND servers will not result in that query being forwarded to the
W2k DNS Servers to get an authoritative answer.

Note that if you use the W2k multi-master configuration, and you have
BIND slaves, then you might experience zone serial number problems.
See MS KB article 282826.  It is for that reason that I have only ONE
MS W2k+3 DNS Server (and four DCs).

For more details on MS W2k DNS and BIND interaction/integration, see
the archives of this list (and of its late sister list
bind9-users at isc.org), where there have been many postings in the past
years.
----------------------------------------------------------------------
Barry S. Finkel
Computing and Information Systems Division
Argonne National Laboratory          Phone:    +1 (630) 252-7277
9700 South Cass Avenue               Facsimile:+1 (630) 252-4601
Building 222, Room D209              Internet: BSFinkel at anl.gov
Argonne, IL   60439-4828             IBMMAIL:  I1004994
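The two changes described above (a single-master delegation plus BIND slaving the AD zone), written out as named.conf and zone-file fragments. This is an added example, not configuration from the original post or the list; it assumes dc1 (192.168.7.17) is the DC chosen as master and that the BIND server is master for compagny.fr, with the file paths and BIND server address below as placeholders.

```conf
// ---- /etc/bind/named.conf (fragment) ----
// Parent zone stays a master on BIND; the delegation record lives in its zone file.
zone "compagny.fr" IN {
        type master;
        file "/etc/bind/db.compagny.fr";          // assumed path
        allow-transfer { 192.168.7.2; };          // assumed: your other BIND slave(s) only
};

// Replace the old stub zone with a slave zone that transfers from ONE DC only.
// Listing a single master avoids pulling copies whose SOA MNAME/serial differ
// from DC to DC (the multi-master serial problem mentioned above).
zone "ad.compagny.fr" IN {
        type slave;
        file "/etc/bind/db.ad.compagny.fr";
        masters { 192.168.7.17; };                // dc1 only; do NOT list both DCs
        // The AD zone enumerates DCs and service locations, so do not let
        // arbitrary clients pull a copy of it from the BIND server.
        allow-transfer { none; };
};

; ---- /etc/bind/db.compagny.fr (fragment) ----
; Bump the SOA serial whenever this file changes, or slaves never see the delegation.
$ORIGIN compagny.fr.
@        IN  SOA  ns1.compagny.fr. hostmaster.compagny.fr. (
                  2005041301 ; serial (assumed value, YYYYMMDDnn)
                  3600 900 604800 3600 )
; Delegate the AD subdomain to the chosen master. The trailing dot matters:
; "dc1.ad.compagny.fr" without it would expand to dc1.ad.compagny.fr.compagny.fr.
ad       IN  NS   dc1.ad.compagny.fr.
; Glue for the in-zone name server, so the NS target is resolvable on its own.
dc1.ad   IN  A    192.168.7.17
```

On the dc1 side the zone must permit transfers to the BIND server's address (the zone's Zone Transfers settings in the Windows DNS console); after `rndc reload`, `dig @127.0.0.1 SOA ad.compagny.fr` on the BIND host should answer with the `aa` flag and dc1's MNAME.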
