Operating System - HP-UX
Bind 9.2 Dynamic DNS with Active Directory

 
Patrick Wallek
Honored Contributor

We are being forced into implementing MS Active Directory in our environment. Apparently AD relies *heavily* on DNS. Our primary internal DNS server is an HP-UX 11.11 machine running BIND 9.2.

Since the AD servers must be able to update DNS, I have added entries like the following into my named.conf file:

acl "ad-abc.com" {
    1.2.3.22;
    1.2.3.20;
    1.2.3.21;
};

zone "abc.com" {
    type master;
    file "db.abc";
    allow-update { "ad-abc.com"; };
};

This seems to be working as it should. Windows is adding the entries it needs for AD to work.

I had an initial problem where I would get a "journal out of sync with zone" error when stopping and restarting named. I have gotten around that by configuring keys and using 'rndc stop' to stop named.

Now the problem I have is with updating entries in DNS. Historically we have done this by editing the /etc/hosts file and then running a script which runs hosts_to_named with multiple '-d' and '-n' arguments so all of our domains and networks will be processed.

This does not seem to work well now. I have added a new host to the /etc/hosts file and verified that the name and the IP address are unique. I then ran our update script. When I then do an nslookup for any hosts it fails with "*** dnsserver.abc.com can't find host1: server failed". It fails for *ANY* host that is in the same domain as the new host I added. If I take out the new entry things work again.

When our update script runs, it stops named (via 'rndc stop'), runs hosts_to_named, and then restarts named (via '/sbin/init.d/named start').

Is there another, better, way to do our updates?

How do other folks handle updates like this?

I am currently at a loss.

Thanks in advance!
Geoff Wild
Honored Contributor

Re: Bind 9.2 Dynamic DNS with Active Directory

Yes - there is a better way using a tool called dnsupdate (which uses nsupdate).

http://www.btree.org/dnsupdate/

That's what I use.

Rgds...Geoff
Proverbs 3:5,6 Trust in the Lord with all your heart and lean not on your own understanding; in all your ways acknowledge him, and he will make all your paths straight.
Steven E. Protter
Exalted Contributor

Re: Bind 9.2 Dynamic DNS with Active Directory

I believe (may be wrong) the actual database structure on the Windows side is the same as it would be if it were sitting in /var/named.

Therefore, one could have the windows server do a text dump of the DNS database to a location that can be accessed by the HP-UX DNS/Bind server.

cron can trigger an ssh job to copy the databases to a place where they can be copied into /var/named and automatically restart the named daemon.

It may seem like a job but the hosts_to_named option never worked for me either in my lab and I went to a situation where the actual dns database was downloaded.

Another idea would be to make the HP-UX DNS server not a master server but a slave. Some kind of access to the Windows ADS server is required but this might also solve the problem.

Nice to talk to you Patrick. I wish I could have made it to Orlando to speak/drink/etc with you again.

Maybe next year. HP-World Europe anybody?

SEP
Steven E Protter
Owner of ISN Corporation
http://isnamerica.com
http://hpuxconsulting.com
Sponsor: http://hpux.ws
Twitter: http://twitter.com/hpuxlinux
Founder http://newdatacloud.com
Ivan Ferreira
Honored Contributor

Re: Bind 9.2 Dynamic DNS with Active Directory

You won't like this but it is better if you use a Windows primary DNS server, or your active directory may give you a lot of problems, then setup a secondary DNS in the HP-UX if you want. In the Windows DNS console, enable "Bind secondaries".
Why do it the hard way, when you can do it the easy way?
Geoff Wild
Honored Contributor

Re: Bind 9.2 Dynamic DNS with Active Directory

We run Bind as primary and Active Dir as secondaries - with no issues at all.

One caveat - don't let MS DHCP servers allow-update - there is a bug (surprise) in MS DHCP - where they don't update PTR records when they remove an A record. How do they fix their own? They run a "scavenger" script after the fact to clean up extra PTR records...

Rgds...Geoff
Proverbs 3:5,6 Trust in the Lord with all your heart and lean not on your own understanding; in all your ways acknowledge him, and he will make all your paths straight.
A. Clay Stephenson
Acclaimed Contributor

Re: Bind 9.2 Dynamic DNS with Active Directory

I actually prefer to download and compile/link named from the guys that invented the stuff --- www.isc.org. It's an easy build and it works like a charm and generally has features that HP is months to years from implementing. One of the things that you should be aware of is that you do not mix manual (or scripted) updates with dynamic updates.

This portion of the nsupdate command says it all:

"Zones that are under dynamic control via nsupdate or a DHCP server should not be edited by hand. Manual edits could conflict with dynamic updates and cause data to be lost."

I would also use ISC's dhcpd; it's very good and works and plays well with DDNS.
If it ain't broke, I can fix that.
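Both Geoff's suggestion (drive updates through nsupdate) and Clay's warning (never hand-edit a zone that accepts dynamic updates) point the same way: keep /etc/hosts as the source of record, but turn it into an nsupdate batch instead of running hosts_to_named and restarting named. The script below is an added example, not code from the thread; the sample hosts text, the zone name abc.com and the server name dnsserver.abc.com are constructed, and the key file name in the comment is a placeholder.

```sh
#!/bin/sh
# Constructed sample in the style of /etc/hosts (not the poster's real file).
SAMPLE_HOSTS='# constructed /etc/hosts sample
1.2.3.50   host1.abc.com   host1
1.2.3.51   host2.abc.com   host2
10.9.8.7   box.other.net   box
'

# gen_nsupdate_batch HOSTS_TEXT ZONE SERVER
# Emits an nsupdate batch for every entry whose FQDN is inside ZONE: a forward
# A record plus a reverse PTR record. Each add is preceded by a delete so that
# re-running after an address change replaces the record instead of leaving a
# stale second A/PTR behind. Lines that are comments or outside ZONE are skipped.
gen_nsupdate_batch() {
    printf '%s\n' "$1" | awk -v zone="$2" -v server="$3" '
        BEGIN { print "server " server }
        /^[ \t]*#/ || NF < 2 { next }
        {
            ip = $1; fqdn = $2
            # keep only names ending in ".<zone>"
            if (substr(fqdn, length(fqdn) - length(zone)) != "." zone) next
            print "update delete " fqdn ". A"
            print "update add " fqdn ". 86400 A " ip
            # reverse record only for dotted-quad IPv4 addresses
            if (split(ip, o, ".") == 4) {
                ptr = o[4] "." o[3] "." o[2] "." o[1] ".in-addr.arpa"
                print "update delete " ptr ". PTR"
                print "update add " ptr ". 86400 PTR " fqdn "."
            }
        }
        END { print "send" }'
}

# Real use (not run here): feed the batch to nsupdate signed with a TSIG key,
# so the server checks a signature rather than trusting the source address.
# Kad-abc.com.+157+00000.private is a placeholder key file name.
#   gen_nsupdate_batch "$(cat /etc/hosts)" abc.com dnsserver.abc.com \
#       | nsupdate -k Kad-abc.com.+157+00000.private
gen_nsupdate_batch "$SAMPLE_HOSTS" abc.com dnsserver.abc.com
```

Because the changes arrive as dynamic updates, named keeps its journal consistent and never has to be stopped, which also removes the "journal out of sync with zone" restart problem from the original post.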
Patrick Wallek
Honored Contributor

Re: Bind 9.2 Dynamic DNS with Active Directory

I don't know if AD does anything with DHCP or not, but we do NOT use DHCP to assign IP addresses here (thank goodness). The only reason I allow the AD servers to update DNS is to do whatever they need to do with their _msdcs, _tcp, _udp and _sites subdomains within AD.

I **think** I have figured a work-around (very ugly work-around) for my current issue. I am going to wait a bit before I assign points and post my resolution to see if anyone else chimes in.