Moving an AD Zone from Windows to BIND

bsfinkel at anl.gov
Tue Jul 28 17:52:46 UTC 2009


bsfinkel at anl.gov wrote:
>> This is not really a BIND-related question, but I thought that maybe
>> some people on this list can point me in the right direction.
>> Maybe someone has already done what I need to do.
>> 
>> I have one zone
>> 
>>      xxx.yyy.example.com
>> 
>> that is on a Windows DNS server, completely under the control of
>> Windows.  This zone is slaved on my BIND servers.  Within these zones
>> are the AD records
>> 
>>      ForestDNSZones.xxx.yyy.example.com
>>      DomainDNSZones.xxx.yyy.example.com
>>      _msdcs.xxx.yyy.example.com
>>      _sites.xxx.yyy.example.com
>>      _tcp.xxx.yyy.example.com
>>      _udp.xxx.yyy.example.com
>> 
>> What I need is a procedure that I can use to move the base zone
>> 
>>      xxx.yyy.example.com
>> 
>> to BIND, while keeping the six AD zones on the Windows DNS Server.


and Michael Milligan <milli at acmeps.com> replied:
>Is this base zone AD-integrated?  If so, then your domain-joined clients
>(PCs and laptops) are sending dynamic updates for their A records
>(forward-mapping), unless you have specifically changed the behavior (at
>several touch points).  You need to handle this unless you don't care
>about client A records and can stand all the "dynamic update denied"
>messages you're gonna see.
>
>And you're completely glossing over the DHCP side of this whole equation.
>
>> If I were to define the six AD zones on the Windows DNS Server,
>> would the SRV, CNAME, and other AD records move to the new zones
>> automatically?  I have no problem taking the zone file on one of my
>> BIND slaves, removing the AD records, adding delegations for the six
>> AD zones, and making this file into a master.
>
>It works just fine to define those 6 zones plus the apex zone
>(xxx.yyy.example.com) as master on your BIND server and just allow (by
>IP address) each of your domain controllers to do dynamic updates to
>those zones.  You just create them as empty zones, then on each domain
>controller, simply stop and then start the netlogon service to have the
>dynamic records that they need added back in (they check and add any
>missing records).  Watch syslog to make sure this happens.  You can also
>use GSS-TSIG in the latest versions of BIND to allow clients and domain
>controllers to do dynamic updates of their DNS records too, but that's
>another can of worms.
>
>It works the same if you want to leave just those 6 zones on Microsoft too.

I am not worried about the DHCP piece.  There are two zones I have to
convert.  One is mostly static and contains Windows Servers.  The
other is dynamic, with client machines under the control of a Windows
DHCP server.  For this zone, we will change DHCP to static leases
before the conversion, and all new machines will be registered via
our host database, which will automatically update DHCP.

I do not want any dynamic DNS to my BIND servers, as I am not sure
how that DDNS would interface with DNSSEC.
----------------------------------------------------------------------
Barry S. Finkel
Computing and Information Systems Division
Argonne National Laboratory          Phone:    +1 (630) 252-7277
9700 South Cass Avenue               Facsimile:+1 (630) 252-4601
Building 222, Room D209              Internet: BSFinkel at anl.gov
Argonne, IL   60439-4828             IBMMAIL:  I1004994
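Barry's plan above is to take the zone file from a BIND slave, strip the AD records, add delegations for the six AD zones to the Windows DNS servers, and load the result as master. The Python below is an added example of that transformation, not code from the thread; it assumes the input is a `dig axfr` style dump (one record per line, fully qualified owner names), and every server name, address and record in it is constructed.

```python
APEX = "xxx.yyy.example.com."
AD_SUBZONES = ("ForestDNSZones", "DomainDNSZones", "_msdcs", "_sites", "_tcp", "_udp")

# Constructed sample of a `dig axfr` dump of the slaved zone: one record per
# line, fully qualified owner names.  Not real data from the thread.
SAMPLE_AXFR = """$TTL 3600
xxx.yyy.example.com.\t3600\tIN\tSOA\tdc1.xxx.yyy.example.com. hostmaster.xxx.yyy.example.com. 2009072801 900 600 86400 3600
xxx.yyy.example.com.\t3600\tIN\tNS\tdc1.xxx.yyy.example.com.
dc1.xxx.yyy.example.com.\t3600\tIN\tA\t10.1.2.3
_ldap._tcp.dc._msdcs.xxx.yyy.example.com.\t600\tIN\tSRV\t0 100 389 dc1.xxx.yyy.example.com.
_kerberos._udp.xxx.yyy.example.com.\t600\tIN\tSRV\t0 100 88 dc1.xxx.yyy.example.com.
gc._msdcs.xxx.yyy.example.com.\t600\tIN\tA\t10.1.2.3
ws01.xxx.yyy.example.com.\t1200\tIN\tA\t10.1.5.7
"""

def ad_subzone_of(owner):
    """Return the AD sub-zone label that owns `owner` (e.g. '_msdcs'), or None
    if the name belongs to the apex zone itself.  Case-insensitive."""
    name = owner.lower().rstrip(".") + "."
    for sub in AD_SUBZONES:
        cut = f"{sub}.{APEX}".lower()
        if name == cut or name.endswith("." + cut):
            return sub
    return None

def convert_zone(axfr_text, windows_ns, ttl=3600):
    """Drop every record inside one of the six AD sub-zones and append NS
    delegations for them pointing at `windows_ns`.  Apex records (SOA, NS,
    the DCs' own A records, workstations) are kept verbatim; the DCs' A
    records must then be maintained by hand, since their dynamic updates
    will be refused by the new BIND master."""
    kept = []
    for line in axfr_text.splitlines():
        text = line.strip()
        if not text or text.startswith((";", "$")):
            kept.append(line)          # blank lines, comments, $TTL/$ORIGIN
            continue
        if ad_subzone_of(text.split()[0]) is None:
            kept.append(line)          # apex-zone record: keep
    # Delegations.  No glue is needed because the name servers live in the
    # apex zone, not inside the delegated sub-zones.
    for sub in AD_SUBZONES:
        for ns in windows_ns:
            kept.append(f"{sub}.{APEX}\t{ttl}\tIN\tNS\t{ns}")
    return "\n".join(kept) + "\n"

if __name__ == "__main__":
    print(convert_zone(SAMPLE_AXFR, ["dc1.xxx.yyy.example.com.", "dc2.xxx.yyy.example.com."]))
```

The apex SOA and NS records still name the Windows server and have to be repointed at the BIND master by hand; the script leaves them untouched.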