
continuing the last question about Windows AD + Linux BIND. I decided to create a subdomain for AD to run on.

It's ad.wxxx.xxxxx. My configuration is okay, but I don't think it does the delegation job right. I have DNS and AD on the same server on xxx.xx.27.15, and the main name server for wxxx.xxxxx is at xxx.xx.26.1.

The problem is that I have configured a zone for that subdomain, and an NS record and A record for dns.ad.wxxx.xxxxx, both pointing to xxx.xx.27.15. I can do nslookup, but I can't join the AD domain with another computer.

When I'm using the full ad.wxxx.xxxxx, the error message says that I don't have delegation for the following subdomain: ad.wxxx.xxxxx, and it cannot find the SRV record for Active Directory Domain Controller (ADDC).

But when I use its NetBIOS name (AD), I can successfully join. What's the problem here?

Shane Hsu

1 Answer


I suggest configuring an internally facing forwarder zone for ad.wxxx.xxxx instead of trying to handle it as an NS delegation with A record glue. This will forward traffic for the subdomain to the upstream AD server instead of relying on other nameservers to chase the delegation. The answers will still get cached by the BIND server that performs the forwarding.

// named.conf: send every query under the AD subdomain to the AD DNS server(s)
zone "ad.wxxx.xxxx" in {
    type forward;
    forwarders { ad.server.ip.here; secondary.ad.ip.here; };   // AD-integrated DNS servers
};

If your BIND nameserver is only used internally, this will suffice. Otherwise if you wish to ensure that outside traffic does not get forwarded to your AD server, you will need to look into how to set up source address based views...and keep in mind that this is not a recommended configuration, as if your BIND server becomes compromised they have a vector on your AD infrastructure.

Andrew B
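As an added illustration (not part of the answer above), this is the shape the source-address view setup the answer mentions takes: the forward zone exists only in the view that internal clients match, so outside queries never reach the AD DNS server. The ACL ranges, view names, file paths and the 192.0.2.15 forwarder address are placeholders.

```conf
// named.conf fragment (constructed example; addresses and paths are placeholders)
acl "internal-nets" {
    10.0.0.0/8;        // replace with the internal client ranges
    localhost;
};

view "internal" {
    match-clients { "internal-nets"; };
    recursion yes;

    // Hand the AD subdomain to the domain controller. "forward only" stops
    // BIND from falling back to normal recursion when the DC does not answer,
    // so queries for ad.wxxx.xxxx (including the _msdcs SRV lookups a domain
    // join performs) are never sent to the public tree.
    zone "ad.wxxx.xxxx" in {
        type forward;
        forward only;
        forwarders { 192.0.2.15; };   // AD/DNS server (placeholder)
    };

    zone "wxxx.xxxx" in {
        type master;
        file "/etc/bind/zones/db.wxxx.xxxx.internal";
    };
};

view "external" {
    match-clients { any; };
    recursion no;

    // No forward zone here: clients outside the ACL get no path to the AD
    // DNS server through this resolver, only the public zone data.
    zone "wxxx.xxxx" in {
        type master;
        file "/etc/bind/zones/db.wxxx.xxxx.external";
    };
};
```

Once views are in use every zone must live inside a view, which is why the parent zone appears in both. From an internal client, `dig @<bind-server> _ldap._tcp.dc._msdcs.ad.wxxx.xxxx SRV` should return the domain controller's SRV record, which is the lookup the join error complains about.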