Adding support for Active Directory to BIND9 DNS.

Taking DNS a step further

Back in September 2010 I posted an article on creating your own DNS server (using BIND9) and linked to DHCP. There was probably one element of that setup that was missing – Microsoft’s Active Directory.

Active Directory uses DNS as its domain controller location mechanism and leverages the namespace design of DNS in the design of Active Directory domain names. As a result, DNS is positioned within the discoverability and logical structure components of Active Directory technology components. If you’re running your own AD server, it’s a fair bet that the install wanted you to install DNS as well (you’re actively prompted by the 2008 R2 install).

So what do you do if you don’t want a proliferation of DNS servers across your network – or (like me) you prefer to farm out processes like DNS and DHCP to “helper” servers without having to blow your budget on Microsoft licences?

Simple: Add the AD DNS functionality into your BIND9 server by utilising the SRV record type.

A Service record (SRV record) is a specification of data in the Domain Name System defining the location, i.e. the hostname and port number, of servers for specified services. We use this to give clients and servers querying for AD service, protocol and location information the answers they expect.

For more information on how DNS Support for Active Directory works, you can read this Microsoft Technet article.

An alias by any other name…

Finding the DNS Alias for your AD server

Some of the SRV records will refer to this value so it’s a good opportunity to note it down. I’m still using Windows Server 2003 R2 in my environment, so these instructions may vary depending on build and version.

From the “Administrative Tools”, launch “Active Directory Sites and Services”. Once the MMC (Microsoft Management Console) has started up, expand the following items:

→ Sites
    → Default-First-Site-Name
        → Servers
            → [server name] (this will be the name of your AD server)
                → NTDS Settings

Right click on “NTDS Settings” and select “Properties”. Under the “General” tab look for the value next to DNS alias. The alphanumeric GUID that precedes the ._msdcs.[dnsDomainName] is the value you need to note down.

Freeze the zone record

Next we’ll need to freeze the zone file of our primary name server so we can make changes to it.

cd /var/lib/bind
sudo rndc freeze zone

… where zone is the name of the DNS zone you’re editing. This will disable dynamic updates to the zone while you’re editing it. Now we add the records to the zone file.

Adding the relevant SRV records

For the purposes of this HOWTO we’ll assume the following values:

  • DNS Domain: example.com
  • AD Host: adserver
  • GUID: dc41138f-f32e-22ff-9e10-9893dc599536

Remember:

Be careful to include the trailing “.” on the FQDN when adding or editing records in the zone file!

First add an A record for the AD server’s hostname, as well as a CNAME for the AD server’s GUID – this will be used for RPC lookups…

$ORIGIN example.com.
adserver A 192.168.1.1
$ORIGIN _msdcs.example.com.
dc41138f-f32e-22ff-9e10-9893dc599536 CNAME adserver.example.com.

Note:

_msdcs is the Microsoft-specific subdomain that enables the location of domain controllers that have specific roles in the Active Directory domain or forest.

To facilitate locating Windows Server 2003+ based domain controllers, in addition to the standard _Service._Protocol.DnsDomainName format, the Net Logon service registers SRV records that identify the well-known server-type pseudonyms “dc” (domain controller), “gc” (global catalog), “pdc” (primary domain controller), and “domains” (globally unique identifier, or GUID) as prefixes in the _msdcs subdomain.

To accommodate locating domain controllers by server type or by GUID (abbreviated “dctype“), Windows Server 2003 and later based domain controllers register SRV records in the following form:

_Service._Protocol.DcType._msdcs.DnsDomainName

For a complete list of definitions of the names associated with registered SRV records, refer to the “SRV Records Registered by Net Logon” in this Technet article.

Rather than showing the entries bit by bit, with an explanation of each, I’ve opted to display all of them together, with the values that you need to change to suit your organisation being the domain name, AD host name and GUID from the assumptions above (and the site name, if yours is not Default-First-Site-Name). If you want to know what each one does, refer to the article above.

$ORIGIN _tcp.dc._msdcs.example.com.
_kerberos               SRV     0 0 88 adserver.example.com.
_ldap                   SRV     0 0 389 adserver.example.com.

$ORIGIN _udp.example.com.
_kerberos               SRV     0 0 88 adserver.example.com.
_kpasswd                SRV     0 0 464 adserver.example.com.

$ORIGIN _tcp.Default-First-Site-Name._sites.example.com.
_kerberos               SRV     0 0 88 adserver.example.com.
_ldap                   SRV     0 0 389 adserver.example.com.
_gc                     SRV     0 0 3268 adserver.example.com.

$ORIGIN _tcp.Default-First-Site-Name._sites.dc._msdcs.example.com.
_kerberos               SRV     0 0 88 adserver.example.com.
_ldap                   SRV     0 0 389 adserver.example.com.

$ORIGIN _tcp.Default-First-Site-Name._sites.adserver.example.com.
_ldap                   SRV     0 0 389 adserver.example.com.
_gc                     SRV     0 0 3268 adserver.example.com.

$ORIGIN _tcp.example.com.
_kerberos               SRV     0 0 88 adserver.example.com.
_ldap                   SRV     0 0 389 adserver.example.com.
_kpasswd                SRV     0 0 464 adserver.example.com.
_gc                     SRV     0 0 3268 adserver.example.com.

; The remaining owners sit directly under the domain, not under _tcp, so
; reset $ORIGIN (or write them as full FQDNs with the trailing dot) before
; adding them; otherwise BIND appends _tcp.example.com. to each name.
$ORIGIN example.com.
_ldap._tcp.gc._msdcs    SRV     0 0 3268 adserver.example.com.
_ldap._tcp.pdc._msdcs   SRV     0 0 389 adserver.example.com.
_ldap._tcp.adserver.example.com.     SRV     0 0 389 adserver.example.com.
_ldap._tcp.Default-First-Site-Name._sites.gc._msdcs     SRV     0 0 3268 adserver.example.com.
_ldap._tcp.dc41138f-f32e-22ff-9e10-9893dc599536.domains._msdcs  SRV     0 0 389 adserver.example.com.
_ldap._tcp.Default-First-Site-Name._sites.adserver.example.com.      SRV     0 0 389 adserver.example.com.
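As an added example (not part of the original article), the following Python script generates the Net Logon record set from the assumed values as fully-qualified zone-file lines, and expand_owner shows how BIND appends the current $ORIGIN to any owner name that lacks the trailing dot. The function names are my own, and the host-specific adserver.example.com owners from the listing are left out.

```python
from typing import List, Tuple

# Constructed values, the same ones the article assumes.
DOMAIN, HOST, IP = "example.com", "adserver", "192.168.1.1"
GUID = "dc41138f-f32e-22ff-9e10-9893dc599536"
SITE = "Default-First-Site-Name"


def expand_owner(name: str, origin: str) -> str:
    """Mimic how BIND completes an owner name: a name without a trailing
    dot is relative and has the current $ORIGIN appended to it."""
    return name if name.endswith(".") else f"{name}.{origin}"


def ad_srv_records(domain, site, guid) -> List[Tuple[str, int]]:
    """(owner FQDN, port) for the Net Logon SRV names used in the article
    (the host-specific adserver.example.com owners are left out). Every
    owner carries a trailing dot, so it is valid under any $ORIGIN."""
    d, dc = f"{domain}.", f"dc._msdcs.{domain}."
    recs = []
    for base in (d, f"{site}._sites.{d}"):      # domain-wide and per-site
        recs += [(f"_kerberos._tcp.{base}", 88), (f"_ldap._tcp.{base}", 389),
                 (f"_gc._tcp.{base}", 3268)]
    for base in (dc, f"{site}._sites.{dc}"):    # the "dc" pseudonym
        recs += [(f"_kerberos._tcp.{base}", 88), (f"_ldap._tcp.{base}", 389)]
    recs += [(f"_kerberos._udp.{d}", 88), (f"_kpasswd._udp.{d}", 464),
             (f"_kpasswd._tcp.{d}", 464),
             (f"_ldap._tcp.gc._msdcs.{d}", 3268),
             (f"_ldap._tcp.{site}._sites.gc._msdcs.{d}", 3268),
             (f"_ldap._tcp.pdc._msdcs.{d}", 389),
             (f"_ldap._tcp.{guid}.domains._msdcs.{d}", 389)]
    return recs


def zone_lines(domain, host, ip, guid, site) -> List[str]:
    """Fully-qualified zone-file lines: the A record, the GUID CNAME used
    for RPC lookups, and the SRV records (priority 0, weight 0)."""
    target = f"{host}.{domain}."
    lines = [f"{target} A {ip}", f"{guid}._msdcs.{domain}. CNAME {target}"]
    lines += [f"{owner} SRV 0 0 {port} {target}"
              for owner, port in ad_srv_records(domain, site, guid)]
    return lines


if __name__ == "__main__":
    print("\n".join(zone_lines(DOMAIN, HOST, IP, GUID, SITE)))
```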

Once you’ve added the records to the zone file, you can unfreeze it (rndc thaw is the equivalent command on newer BIND releases), then restart the relevant services…

sudo rndc unfreeze zone
sudo /etc/init.d/bind9 restart
sudo /etc/init.d/dhcp3-server restart

Testing the changes

SRV records can be queried with standard network administration tools such as dig, host or nslookup (replace Domain_Name with your DNS domain, e.g. example.com).

dig SRV _ldap._tcp.dc._msdcs.Domain_Name
host -t SRV _ldap._tcp.dc._msdcs.Domain_Name
nslookup -type=SRV _ldap._tcp.dc._msdcs.Domain_Name
nslookup

> set type=all
> _ldap._tcp.dc._msdcs.Domain_Name
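To check the answers against the expected port and target for each name, here is an added Python snippet (not from the original article) that parses the answer section of dig’s output; SAMPLE_DIG_OUTPUT is constructed, not captured from a real server, and the function names are my own.

```python
import re
from typing import Dict, List, Tuple

# Constructed dig output (not captured from a real server), cut down to
# the answer section for two of the names the article registers.
SAMPLE_DIG_OUTPUT = """\
;; ANSWER SECTION:
_ldap._tcp.dc._msdcs.example.com. 3600 IN SRV 0 0 389 adserver.example.com.
_kerberos._tcp.dc._msdcs.example.com. 3600 IN SRV 0 0 88 adserver.example.com.

;; Query time: 0 msec
"""

# dig answer line layout: owner TTL IN SRV priority weight port target
SRV_LINE = re.compile(r"^(?P<owner>\S+)\s+\d+\s+IN\s+SRV\s+\d+\s+\d+\s+"
                      r"(?P<port>\d+)\s+(?P<target>\S+)\s*$")


def parse_srv(dig_output: str) -> Dict[str, Tuple[int, str]]:
    """Map owner name -> (port, target) for every SRV RR in dig's output;
    comment lines (starting with ';') and blank lines are skipped."""
    found = {}
    for line in dig_output.splitlines():
        m = SRV_LINE.match(line)
        if m:
            found[m["owner"].lower()] = (int(m["port"]), m["target"].lower())
    return found


def check_srv(dig_output: str, expected: Dict[str, Tuple[int, str]]) -> List[str]:
    """Return a list of problems; an empty list means every expected
    record was answered with the right port and target."""
    got = parse_srv(dig_output)
    problems = []
    for owner, (port, target) in expected.items():
        answer = got.get(owner.lower())
        if answer is None:
            problems.append(f"missing: {owner}")
        elif answer != (port, target.lower()):
            problems.append(f"wrong answer for {owner}: {answer}")
    return problems


if __name__ == "__main__":
    # In practice feed in real output: dig SRV _ldap._tcp.dc._msdcs.example.com
    print(check_srv(SAMPLE_DIG_OUTPUT, {
        "_ldap._tcp.dc._msdcs.example.com.": (389, "adserver.example.com."),
        "_gc._tcp.example.com.": (3268, "adserver.example.com.")}))
```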