Using Linux BIND DNS Servers for Active Directory Domains

Overview

Active Directory relies on DNS to function correctly. Without it, many of the services would fail and most of your client computers would be unable to find the domain controllers. Typically, as recommended by Microsoft, your Active Directory domains should be hosted on a Windows DNS server. However, since Windows DNS is strongly based on BIND DNS version 9, a BIND server may also host Active Directory domains.

An example of an environment where you would use a Linux-based BIND DNS server for your Active Directory is one that has a very large Linux/Unix install base. In this scenario, you may want your Active Directory zones hosted on your already existing infrastructure.

Another example is having a DNS appliance from a third-party vendor, like Infoblox, power your internal name service. These appliances are usually based on BIND, are very powerful, and provide advanced enterprise features not found in a basic BIND installation, like the one we’ll be doing.

The Pros

A Linux BIND server is a very lightweight and fast DNS server. You will not need a lot of hardware to power it in medium to large environments. Another benefit, arguably, is that Linux can be more secure, as there are fewer known vulnerabilities.

The Cons

You will lose some Active Directory features. Without complex third-party packages, BIND domain zones may only have a single master, unlike with Windows DNS. A Windows name server in an Active Directory environment is capable of multi-master, giving you much higher availability.

Another con is most Windows environments do not have strong Linux skillsets available. You may find your resources are unable to properly maintain and administer the Linux BIND DNS server.

Server Configuration

Our servers for this lab have the following configuration. This information is provided to make it easier to follow along. I do not include hardware specifications, because those depend strongly on your own environment.

Hostname  Operating System        Role               IP Address   Domain
NS01      CentOS 6.5              DNS Name Server    172.30.0.5   corp.serverlab.intra
DC01      Windows Server 2012 R2  Domain Controller  172.30.0.10  corp.serverlab.intra

The name server will have the following zones created for Active Directory. These must be created before DC01, our first domain controller, is promoted to be an Active Directory domain controller. Without the zones, DC01 will not be able to register the required DNS records for Active Directory to function properly.

DNS Domain Zone               Our Lab’s Zone               Required?
your-fqdn-domain-name         corp.serverlab.intra         Required
_msdcs.your-fqdn-domain-name  _msdcs.corp.serverlab.intra  Optional
_sites.your-fqdn-domain-name  _sites.corp.serverlab.intra  Optional
_tcp.your-fqdn-domain-name    _tcp.corp.serverlab.intra    Optional
_udp.your-fqdn-domain-name    _udp.corp.serverlab.intra    Optional

The first domain zone is required. The remaining zones are only needed if you want to organize your records into different databases, which may be for administrative or performance reasons. If you do not create these zones, they will automatically be created in the first zone’s database.

Install and Configure BIND

  1. Log onto your CentOS server with an account that has administrative privileges.
  2. Install BIND.
    yum install bind
  3. Open the BIND configuration file in a text editor, like VI or Nano. The configuration file is located here.
    /etc/named.conf
  4. Look for the options directive. It should start with the following lines.
    options {
            listen-on port 53 { 127.0.0.1; };
            listen-on-v6 port 53 { ::1; };
            directory       "/var/named";
            dump-file       "/var/named/data/cache_dump.db";
            statistics-file "/var/named/data/named_stats.txt";
            memstatistics-file "/var/named/data/named_mem_stats.txt";
            allow-query     { localhost; };
            recursion yes;
  5. Replace the listen-on port option’s IP address with that of your DNS server.
  6. Replace the allow-query option’s value of localhost with the network allowed to run queries. For example, 172.30.0.0/24. You may also enter the value any to allow any client to submit queries.
  7. With the new values, the above lines should now look similar to this.
    options {
            listen-on port 53 { 172.30.0.5; };
            listen-on-v6 port 53 { ::1; };
            directory       "/var/named";
            dump-file       "/var/named/data/cache_dump.db";
            statistics-file "/var/named/data/named_stats.txt";
            memstatistics-file "/var/named/data/named_mem_stats.txt";
            allow-query     { 172.30.0.0/24; };
            recursion yes;

Create the Active Directory Domain Zones

  1. With the configuration file still open, add the following lines. Remember to rename the fully qualified domain names of zones to match your environment.
    zone "corp.serverlab.intra" IN {
            type master;
            file "dynamic/corp.serverlab.intra";
            allow-update { 172.30.0.0/24; 192.168.1.0/24; };
    };
    zone "_msdcs.corp.serverlab.intra" IN {
            type master;
            file "dynamic/_msdcs.corp.serverlab.intra";
            allow-update { 172.30.0.0/24; 192.168.1.0/24; };
    };
  2. Save the configuration file and then exit the text editor.
  3. Navigate to the default zone database location for dynamic databases. We’re creating our databases here so that our Active Directory client computers can automatically register their DNS records.
    cd /var/named/dynamic
  4. Create two new database files based on the empty template.
    cp ../named.empty corp.serverlab.intra
    cp ../named.empty _msdcs.corp.serverlab.intra
  5. Open the corp.serverlab.intra database file in a text editor. It should look like the example below.
    $TTL 3H
    @       IN SOA  @ rname.invalid. (
                                            0       ; serial
                                            1D      ; refresh
                                            1H      ; retry
                                            1W      ; expire
                                            3H )    ; minimum
            NS      @
            A       127.0.0.1
            AAAA    ::1

    We need to modify it to look like this, for our corp.serverlab.intra domain.

    $TTL 3H
    @       IN SOA  ns01.corp.serverlab.intra. admin.corp.serverlab.intra. (
                                            0       ; serial
                                            1D      ; refresh
                                            1H      ; retry
                                            1W      ; expire
                                            3H )    ; minimum
            NS      ns01.corp.serverlab.intra.
    ns01               IN     A     172.30.0.5
  6. Save your changes and exit the text editor.
  7. Open the database for _msdcs.corp.serverlab.intra and modify it to look like the following.
    $TTL 3H
    @       IN SOA  ns01.corp.serverlab.intra. admin.corp.serverlab.intra. (
                                            0       ; serial
                                            1D      ; refresh
                                            1H      ; retry
                                            1W      ; expire
                                            3H )    ; minimum
            NS      ns01.corp.serverlab.intra.
  8. Save your changes and exit the text editor.
  9. Start the BIND daemon.
    service named start
  10. Configure BIND to automatically start at boot.
    chkconfig named on
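The two sections above build the zone statements and the two zone files by hand for one domain. The script below is an added example written for this page, not code from the original article: it generates the same named.conf stanzas and zone files for any domain and then checks the parent zone file for the two edits the article makes to the named.empty template (SOA MNAME matching the NS record, and a real A record for the name server instead of 127.0.0.1). The variable names DOMAIN, NS_HOST, NS_IP and UPDATERS, the output file ad-zones.conf and the function names are this example’s own choices; the allow-transfer line is an addition the article’s configuration does not have.

```shell
#!/bin/sh
# Added example, not code from the original article: build the named.conf
# zone statements and both zone files from the steps above for any domain,
# then sanity-check the parent zone file.  Assumed layout: BIND's working
# directory is /var/named with a writable "dynamic" subdirectory (CentOS
# default).  DOMAIN, NS_HOST, NS_IP and UPDATERS are yours to set; the
# defaults are the article's lab values.
set -e

DOMAIN="${DOMAIN:-corp.serverlab.intra}"   # the AD DNS domain
NS_HOST="${NS_HOST:-ns01}"                  # short hostname of the BIND server
NS_IP="${NS_IP:-172.30.0.5}"                # its address, for the A record
UPDATERS="${UPDATERS:-172.30.0.0/24}"       # space-separated hosts/networks allowed to send updates

# Turn "a b c" into a BIND address-list body: "a; b; c; ".
acl_body() {
    out=""
    for ip in $1; do out="${out}${ip}; "; done
    printf '%s' "$out"
}

# named.conf stanza for zone $1.  Every address in $2 may rewrite any record
# in the zone, the domain controllers' own A and SRV records included, so keep
# the list as narrow as your clients' registration needs allow.  Transfers are
# disabled explicitly: the BIND 9.8 shipped with CentOS 6 otherwise hands the
# whole zone, i.e. your complete AD host inventory, to anyone who asks.
zone_statement() {
    printf 'zone "%s" IN {\n' "$1"
    printf '        type master;\n'
    printf '        file "dynamic/%s";\n' "$1"
    printf '        allow-update { %s};\n' "$(acl_body "$2")"
    printf '        allow-transfer { none; };\n'
    printf '};\n'
}

# SOA/NS header for zone $1, served by $2 (FQDN without trailing dot), contact
# mailbox $3 (with the @ written as a dot) and serial $4; same timers as the
# article.
zone_header() {
    printf '$TTL 3H\n'
    printf '@       IN SOA  %s. %s. (\n' "$2" "$3"
    printf '                                %s      ; serial\n' "$4"
    printf '                                1D      ; refresh\n'
    printf '                                1H      ; retry\n'
    printf '                                1W      ; expire\n'
    printf '                                3H )    ; minimum\n'
    printf '        NS      %s.\n' "$2"
}

# Check a parent zone file on stdin for the two edits the article makes to the
# named.empty template: the SOA MNAME must equal the NS record, and that name
# server must have an A record here that is not 127.0.0.1.  $1 is the zone
# name, used to shorten the NS FQDN to its host label.  Exit 0 on success.
zone_check() {
    awk -v zone="$1" '
        BEGIN                     { split("", a) }
        $2 == "IN" && $3 == "SOA" { mname = $4 }
        $1 == "NS"                { ns = $2 }
        $2 == "IN" && $3 == "A"   { a[$1] = $4 }   # "ns01  IN  A  172.30.0.5"
        $1 == "A"                 { a["@"] = $2 }  # template style "A 127.0.0.1"
        END {
            if (mname == "" || mname != ns) exit 1
            host = ns; sub("\\." zone "\\.$", "", host)   # ns01.corp... -> ns01
            if (host in a && a[host] != "127.0.0.1") exit 0
            exit 1
        }'
}

# Write the named.conf fragment and both zone files under $1 (default
# /var/named), then check the parent zone file.
write_zones() {
    dir="${1:-/var/named}"
    serial=$(date +%Y%m%d01)
    ns_fqdn="$NS_HOST.$DOMAIN"
    {
        zone_statement "$DOMAIN" "$UPDATERS"
        zone_statement "_msdcs.$DOMAIN" "$UPDATERS"
    } > "$dir/ad-zones.conf"
    {
        zone_header "$DOMAIN" "$ns_fqdn" "admin.$DOMAIN" "$serial"
        printf '%-18s IN      A       %s\n' "$NS_HOST" "$NS_IP"
    } > "$dir/dynamic/$DOMAIN"
    zone_header "_msdcs.$DOMAIN" "$ns_fqdn" "admin.$DOMAIN" "$serial" \
        > "$dir/dynamic/_msdcs.$DOMAIN"
    zone_check "$DOMAIN" < "$dir/dynamic/$DOMAIN"
}

# Only write files when asked; sourcing the script just defines the functions.
if [ "${1:-}" = "--write" ]; then
    write_zones "${2:-}"
fi
```

Run it on the BIND host as sh make-ad-zones.sh --write, add include "/var/named/ad-zones.conf"; to /etc/named.conf, and run named-checkconf and named-checkzone corp.serverlab.intra /var/named/dynamic/corp.serverlab.intra (both ship with the bind package) before starting named. The allow-update list is the same IP-based access control the article uses; it authenticates nothing, so every host in the listed ranges is trusted to change the zone.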

Configure DNS Server to Query Itself

  1. Open the resolv.conf configuration file in a text editor, like VI or Nano.
    vi /etc/resolv.conf
  2. Modify it to look like the following, replacing the domain names to match your environment. The search directive takes all of its domains on one line; if search appears twice, only the last line is used, so listing the domains on separate lines would drop the first one.
    search corp.serverlab.intra _msdcs.corp.serverlab.intra
    nameserver 127.0.0.1
  3. Save your changes and exit the text editor.

Promote Your Windows Server to a Domain Controller

You are all set. All that’s remaining is for you to point your Windows server to the Linux BIND server for DNS, and then promote it to an Active Directory domain controller. The required DNS records will automatically be registered, and you will have a fully functional Active Directory domain, aside from multi-master DNS replication.
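The article stops at promotion, so the registration it says happens automatically is never verified. The script below is an added example written for this page, not part of the original article: it queries the BIND server for the SRV records domain controller clients depend on and reports any that are missing or point at the wrong port or at a host outside the domain. It assumes dig (package bind-utils) is installed and that DNS_SERVER and DOMAIN match your environment; the defaults are the article’s lab values, and the function names are this example’s own.

```shell
#!/bin/sh
# Added example, not from the original article: once DC01 has been promoted,
# confirm that the SRV records clients use to locate domain controllers really
# were registered in the BIND zones.  Assumes dig (package bind-utils) is
# installed and that DNS_SERVER and DOMAIN are set for your environment; the
# defaults are the article's lab values.
set -e

DNS_SERVER="${DNS_SERVER:-172.30.0.5}"
DOMAIN="${DOMAIN:-corp.serverlab.intra}"

# Service records a domain controller registers under $1, with the port each
# must advertise.  The _msdcs names land in the separate _msdcs zone if you
# created one; the lookup is the same either way.
ad_srv_records() {
    cat <<EOF
_ldap._tcp.$1 389
_kerberos._tcp.$1 88
_kerberos._udp.$1 88
_kpasswd._tcp.$1 464
_gc._tcp.$1 3268
_ldap._tcp.dc._msdcs.$1 389
_kerberos._tcp.dc._msdcs.$1 88
_ldap._tcp.pdc._msdcs.$1 389
_ldap._tcp.gc._msdcs.$1 3268
EOF
}

# Judge one line of "dig +short ... SRV" output, which has the form
# "priority weight port target.".  Returns 0 only when the answer carries the
# expected port ($2) and points at a host inside the domain ($3); an empty
# answer (record missing) or a target outside the domain returns 1.
srv_answer_ok() {
    expected_port="$2"; domain="$3"
    [ -n "$1" ] || return 1
    set -- $1                       # split the answer into its four fields
    [ "$#" -eq 4 ] || return 1
    [ "$3" = "$expected_port" ] || return 1
    case "$4" in
        *."$domain".) return 0 ;;
        *)            return 1 ;;
    esac
}

# Query every record and print one line each; returns the number of failures.
check_ad_srv() {
    failures=0
    while read -r name port; do
        answer=$(dig +short @"$DNS_SERVER" "$name" SRV | head -n 1)
        if srv_answer_ok "$answer" "$port" "$DOMAIN"; then
            printf 'ok       %-45s %s\n' "$name" "$answer"
        else
            printf 'MISSING  %-45s expected port %s\n' "$name" "$port"
            failures=$((failures + 1))
        fi
    done <<EOF
$(ad_srv_records "$DOMAIN")
EOF
    return "$failures"
}

# Only query when asked; sourcing the script just defines the functions.
if [ "${1:-}" = "--check" ]; then
    check_ad_srv
fi
```

Run sh check-ad-srv.sh --check a few minutes after promotion (the Netlogon service registers these records at start-up and refreshes them periodically). A MISSING line for every name means the server never accepted the dynamic updates, which usually points back at the allow-update list or at the ownership of /var/named/dynamic; a single MISSING line under _msdcs with the rest present usually means the _msdcs zone file or its zone statement was not created.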