This configuration uses BIND as the DDNS server for Active Directory, so Windows DNS is not needed.
Six subdomains control the process:
_msdcs, _sites, _tcp, _udp, ForestDnsZones and DomainDnsZones.
Domain controllers register their SRV records in these subdomains.
Create a zone for each of the six subdomains and allow dynamic updates from the
domain controllers to these six zones only. In /var/named/chroot/etc/named.conf put:
include "/etc/rndc.key";

controls {
    inet 127.0.0.1 allow { 127.0.0.1; } keys { "rndckey"; };
    // rndc is reachable from the whole LAN here; only the shared key protects it
    inet 192.168.1.103 allow { 192.168.1.0/24; } keys { "rndckey"; };
};

server 192.168.1.103 {
    keys { rndckey; };
};

// the domain controller(s) allowed to send dynamic updates
acl DC-mydomain.local {
    192.168.1.110;
};

options {
    // Put files that named is allowed to write in the data/ directory:
    directory "/var/named"; // the default
    pid-file "/var/run/named/named.pid";
    dump-file "data/cache_dump.db";
    statistics-file "data/named_stats.txt";
    memstatistics-file "data/named_mem_stats.txt";
    recursion yes;
    allow-recursion {
        127.0.0.1;
        192.168.1.0/24;
    };
    listen-on {
        127.0.0.1;
        192.168.1.103;
    };
    // These options should be used carefully because they disable source-port
    // randomization (a fixed source port makes cache poisoning easier):
    // query-source port 53;
    // query-source-v6 port 53;
    // query-source address * port 53;
    // Leaving the port unset lets named pick a random source port per query.
    query-source address *;
    version "REFUSED";
    allow-query {
        127.0.0.1;
        192.168.1.0/24;
    };
};

zone "." IN {
    type hint;
    file "named.root";
};

zone "example.local" IN {
    type master;
    file "data/example.local.zone.db";
    allow-update { none; };
    allow-transfer { none; };
};

// Dynamically updatable zones go in the slaves/ directory so that named can write them.
zone "1.168.192.in-addr.arpa" IN {
    type master;
    file "slaves/mydomain.local.rev.zone.db";
    allow-update { DC-mydomain.local; key rndckey; };
    allow-transfer { none; };
};

zone "mydomain.local" IN {
    type master;
    file "slaves/mydomain.local.zone.db";
    allow-update { DC-mydomain.local; key rndckey; };
    allow-transfer { none; };
    check-names ignore; // AD registers labels (e.g. with underscores) that fail strict hostname checks
};

zone "_msdcs.mydomain.local" IN {
    type master;
    file "slaves/_msdcs.mydomain.local.zone.db";
    allow-update { DC-mydomain.local; key rndckey; };
    allow-transfer { none; };
    check-names ignore;
};

zone "_sites.mydomain.local" IN {
    type master;
    file "slaves/_sites.mydomain.local.zone.db";
    allow-update { DC-mydomain.local; key rndckey; };
    allow-transfer { none; };
    check-names ignore;
};

zone "_tcp.mydomain.local" IN {
    type master;
    file "slaves/_tcp.mydomain.local.zone.db";
    allow-update { DC-mydomain.local; key rndckey; };
    allow-transfer { none; };
    check-names ignore;
};

zone "_udp.mydomain.local" IN {
    type master;
    file "slaves/_udp.mydomain.local.zone.db";
    allow-update { DC-mydomain.local; key rndckey; };
    allow-transfer { none; };
    check-names ignore;
};

zone "ForestDnsZones.mydomain.local" IN {
    type master;
    file "slaves/ForestDnsZones.mydomain.local.zone.db";
    allow-update { DC-mydomain.local; key rndckey; };
    allow-transfer { none; };
    check-names ignore;
};

zone "DomainDnsZones.mydomain.local" IN {
    type master;
    file "slaves/DomainDnsZones.mydomain.local.zone.db";
    allow-update { DC-mydomain.local; key rndckey; };
    allow-transfer { none; };
    check-names ignore;
};
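To check that a named.conf actually follows the layout above (all six AD subdomain zones present, updates allowed only from the DC ACL plus the rndc key, transfers refused, check-names ignore set, and no fixed query-source port), here is an added audit script; it is not part of the original post. The zone, ACL and key names are the ones used above, and the embedded named.conf excerpt is constructed for the demonstration.

```python
import re

AD_SUBDOMAINS = ("_msdcs", "_sites", "_tcp", "_udp", "ForestDnsZones", "DomainDnsZones")
# Constructed excerpt: _msdcs as in the post, _sites deliberately wrong, four zones absent.
SAMPLE_CONF = """\
options { query-source address * port 53; };
zone "_msdcs.mydomain.local" IN {
    allow-update { DC-mydomain.local; key rndckey; };
    allow-transfer { none; };
    check-names ignore;
};
zone "_sites.mydomain.local" IN {
    allow-update { any; };
    allow-transfer { none; };
};
"""
ZONE_RE = re.compile(r'zone\s+"([^"]+)"[^{]*\{(.*?)\n\};', re.S)  # zone "x" IN { ... };
LIST_RE = re.compile(r"([\w-]+)\s*\{([^}]*)\}\s*;")                # allow-xxx { a; b; };

def parse_zones(conf):
    """Zone name -> {statement: [elements]}; check-names is folded in as a list too."""
    zones = {}
    for name, body in ZONE_RE.findall(conf):
        zones[name] = {k: [" ".join(e.split()) for e in v.split(";") if e.strip()]
                       for k, v in LIST_RE.findall(body)}
        zones[name]["check-names"] = re.findall(r"check-names\s+(\w+)\s*;", body)
    return zones

def audit(conf, domain="mydomain.local", dc_acl="DC-mydomain.local", key="rndckey"):
    """Return findings for the six AD zones and a pinned query-source port; [] is clean."""
    findings = []
    # Only an uncommented query-source with a numeric port is flagged ("port *" is random).
    if re.search(r"^[^/\n]*\bquery-source[^\n;]*\bport\s+\d+", conf, re.M):
        findings.append("options: fixed query-source port disables source-port randomization")
    zones = parse_zones(conf)
    for name in (f"{sub}.{domain}" for sub in AD_SUBDOMAINS):
        z = zones.get(name)
        if z is None:
            findings.append(f"{name}: zone missing")
            continue
        if set(z.get("allow-update", [])) != {dc_acl, f"key {key}"}:
            findings.append(f"{name}: allow-update must be exactly {{ {dc_acl}; key {key}; }}")
        if z.get("allow-transfer") != ["none"]:
            findings.append(f"{name}: allow-transfer should be {{ none; }}")
        if z["check-names"] != ["ignore"]:
            findings.append(f"{name}: check-names ignore is required for underscore labels")
    return findings

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE_CONF) or ["OK: AD DDNS zone layout matches the post"]))
```

To audit the real file, pass its text instead of the sample, e.g. audit(open("/var/named/chroot/etc/named.conf").read()).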
Download the root hints file (named.root) to /var/named/chroot/var/named.
Create the six subdomain zone files (one per subdomain zone above) with this content:
$TTL 86400
@   IN SOA ns.mydomain.local. admin.mydomain.local. (
        2010091200 ; Serial
        10800      ; Refresh after 3 hours
        3600       ; Retry after 1 hour
        604800     ; Expire after 1 week
        86400 )    ; Minimum TTL of 1 day
@   IN NS  ns.mydomain.local.
Create the forward lookup zone (slaves/mydomain.local.zone.db):
$TTL 86400
@    IN SOA   ns.mydomain.local. admin.mydomain.local. (
        2010091200 ; Serial
        10800      ; Refresh after 3 hours
        3600       ; Retry after 1 hour
        604800     ; Expire after 1 week
        86400 )    ; Minimum TTL of 1 day
@    IN NS    ns.mydomain.local.
ns   IN A     192.168.1.103
dc1  IN A     192.168.1.110
dns1 IN CNAME ns.mydomain.local.
Create the reverse lookup zone (slaves/mydomain.local.rev.zone.db):
$TTL 86400
@    IN SOA ns.mydomain.local. admin.mydomain.local. (
        2010091200 ; Serial
        10800      ; Refresh after 3 hours
        3600       ; Retry after 1 hour
        604800     ; Expire after 1 week
        86400 )    ; Minimum TTL of 1 day
@    IN NS  ns.mydomain.local.
103  IN PTR ns.mydomain.local.
110  IN PTR dc1.mydomain.local.
Build the DC:
Build the Windows Server 2003 AD controller, configure its TCP/IP settings to use the BIND server for DNS, test DNS resolution and run dcpromo. Make sure the server's DNS suffix is configured and that DNS registration is enabled in the TCP/IP properties of the DC's NIC.
Test:
Test DNS from the domain controller with dcdiag.exe (dcdiag /test:DNS).
Check syslog on the CentOS server (tail -f /var/log/messages) for the creation of .jnl journal files, which shows that DDNS updates are being applied.