Moving an AD Zone from Windows to BIND

Michael Milligan milli at acmeps.com
Mon Jul 27 23:38:41 UTC 2009


bsfinkel at anl.gov wrote:
> This is not really a BIND-related question, but I thought that maybe
> some people on this list can point me in the right direction.
> Maybe someone has already done what I need to do.
> 
> I have one zone
> 
>      xxx.yyy.example.com
> 
> that is on a Windows DNS server, completely under the control of
> Windows.  This zone is slaved on my BIND servers.  Within these zones
> are the AD records
> 
>      ForestDNSZones.xxx.yyy.example.com
>      DomainDNSZones.xxx.yyy.example.com
>      _msdcs.xxx.yyy.example.com
>      _sites.xxx.yyy.example.com
>      _tcp.xxx.yyy.example.com
>      _udp.xxx.yyy.example.com
> 
> What I need is a procedure that I can use to move the base zone
> 
>      xxx.yyy.example.com
> 
> to BIND, while keeping the six AD zones on the Windows DNS Server.

Is this base zone AD-integrated?  If so, then your domain-joined clients
(PCs and laptops) are sending dynamic updates for their A records
(forward-mapping), unless you have specifically changed the behavior (at
several touch points).  You need to handle this unless you don't care
about client A records and can stand all the "dynamic update denied"
messages you're gonna see.

And you're completely glossing over the DHCP side of this whole equation.

> If I were to define the six AD zones on the Windows DNS Server,
> would the SRV, CNAME, and other AD records move to the new zones
> automatically?  I have no problem taking the zone file on one of my
> BIND slaves, removing the AD records, adding delegations for the six
> AD zones, and making this file into a master.

It works just fine to define those 6 zones plus the apex zone
(xxx.yyy.example.com) as master on your BIND server and just allow (by
IP address) each of your domain controllers to do dynamic updates to
those zones.  You just create them as empty zones, then on each domain
controller, simply stop and then start the netlogon service to have the
dynamic records that they need added back in (they check and add any
missing records).  Watch syslog to make sure this happens.  You can also
use GSS-TSIG in the latest versions of BIND to allow clients and domain
controllers to do dynamic updates of their DNS records too, but that's
another can of worms.

It works the same if you want to leave just those 6 zones on Microsoft too.

Regards,
Mike

-- 
Michael Milligan                                   -> milli at acmeps.com
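The configuration Mike describes, as an added example that is not part of this thread and not BIND's or Microsoft's own documentation: a small POSIX shell script that writes a named.conf fragment declaring the apex zone and the six AD zones as masters, restricts dynamic updates by IP address to an ACL of domain controllers, and creates the "empty" zone file (SOA and NS only) that BIND needs before it will load each zone. The domain controller addresses (192.0.2.10 and 192.0.2.11, from the RFC 5737 documentation range), the name server and hostmaster names, and the output directory are constructed placeholders; everything else follows the names in the original post.

```shell
#!/bin/sh
# Added example (not from the mailing list thread): generate a BIND named.conf
# fragment plus a minimal "empty" zone file for the apex zone and the six AD
# sub-zones, with dynamic updates restricted by IP address to the domain
# controllers. All addresses, paths and names below are constructed
# placeholders; adjust them for your environment.

# Constructed: domain controller addresses (RFC 5737 documentation range).
DC_ADDRS="192.0.2.10; 192.0.2.11;"
# Constructed: the name server and mailbox used in the SOA/NS of each new zone.
NS_NAME="ns1.yyy.example.com."
ADMIN_MBOX="hostmaster.yyy.example.com."
BASE="xxx.yyy.example.com"

# The apex zone first, then the six AD zones listed in the original post.
ad_zones() {
    echo "$BASE"
    for sub in ForestDNSZones DomainDNSZones _msdcs _sites _tcp _udp; do
        echo "$sub.$BASE"
    done
}

# Write a zone file containing only the SOA and NS records BIND requires to
# load the zone. Netlogon on each DC re-adds the SRV/A/CNAME records through
# dynamic update once the DC's address is permitted by allow-update.
write_empty_zone() {
    zone=$1; file=$2
    cat > "$file" <<EOF
\$ORIGIN $zone.
\$TTL 3600
@   IN SOA $NS_NAME $ADMIN_MBOX (
        1          ; serial, incremented automatically by dynamic updates
        3600       ; refresh
        900        ; retry
        1209600    ; expire
        300 )      ; negative-caching TTL
@   IN NS  $NS_NAME
EOF
}

# Write the named.conf fragment: one ACL for the DCs and one master zone per
# name, each accepting dynamic updates only from that ACL (not from clients).
# Prints the path of the generated fragment.
generate_bind_config() {
    outdir=$1
    mkdir -p "$outdir/zones"
    conf="$outdir/named.conf.ad"
    {
        echo "acl domain_controllers { $DC_ADDRS };"
        echo
        for zone in $(ad_zones); do
            write_empty_zone "$zone" "$outdir/zones/db.$zone"
            cat <<EOF
zone "$zone" {
    type master;
    file "$outdir/zones/db.$zone";
    allow-update { domain_controllers; };
};

EOF
        done
    } > "$conf"
    echo "$conf"
}

# Usage: sh this_script.sh /etc/bind/ad
# then add: include "/etc/bind/ad/named.conf.ad"; to named.conf
if [ -n "$1" ]; then
    generate_bind_config "$1"
fi
```

Before reloading, run named-checkconf on the fragment and named-checkzone on each generated file; the zones directory must be writable by the named user, because dynamic updates write a journal file next to each zone file. Any existing `type slave` declaration for xxx.yyy.example.com on this server has to be removed, since a name can only be declared once. After restarting netlogon on a DC, the update category in BIND's logging is where the "updating zone ... adding an RR" lines (or a refusal from an address missing from the ACL) will appear.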