MS AD DNS to BIND9 - Zone Transfer Issues

CrimsonKnight13

Can anyone provide tips to get this working?

I'm having difficulty getting my AD-integrated master zones transferred to my BIND9 server as secondary zones. MS DNS says that the transfers completed successfully, but BIND9 doesn't update the zone files. The only way I've achieved a proper zone transfer was through dig. Running a zone transfer test through the BIND9 Webmin module shows that the tests completed successfully.

Any insight would be greatly appreciated.
 
Attempted to do it with that option on & off. BIND Secondaries is for the older BIND servers but BIND9 recognizes all of the newer standards (according to what I read). Nothing changed. :(
 
Logs please.

dig SOA @master
dig SOA @secondary

Did you increment the zone serials?

Does your named.conf.local look similar to:

zone "secondary.com" {
    type slave;
    file "/var/cache/bind/db.secondary.com";
    masters { 192.168.171.204; };
};
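The serial comparison this reply asks for, as an added example that is not part of any post in the thread. One detail the two dig lines above leave out: dig needs the zone name as well as the server. `dig SOA @master` with no name asks for the SOA of the root zone, which is why a later post sees only root servers in the answers. The functions below take the answer line of `dig +short SOA <zone> @<server>` (fields: mname, rname, serial, refresh, retry, expire, minimum) and say whether the secondary is current. The sample answers used for checking it are constructed, not captured from real servers.

```shell
#!/bin/sh
# Added example (not from the thread): compare the SOA serial a master and a
# secondary answer with. Input is the answer line of
#     dig +short SOA <zone> @<server>
# whose fields are: mname rname serial refresh retry expire minimum.
# Sample answers used with these functions are constructed, not real captures.

# Print the serial (third field) of a `dig +short SOA` answer, or nothing
# when the server gave no SOA (e.g. it is not authoritative for the zone,
# or the zone name was left off the dig command line).
soa_serial() {
    printf '%s\n' "$1" | awk 'NF >= 7 { print $3; exit }'
}

# Print one of: in-sync, secondary-behind, secondary-ahead, no-answer.
# Plain integer comparison is used; RFC 1982 serial arithmetic wraps at 2^32,
# which only matters for serials near the wrap point.
xfer_status() {
    master_serial=$(soa_serial "$1")
    secondary_serial=$(soa_serial "$2")
    if [ -z "$master_serial" ] || [ -z "$secondary_serial" ]; then
        echo no-answer
    elif [ "$master_serial" -eq "$secondary_serial" ]; then
        echo in-sync
    elif [ "$master_serial" -gt "$secondary_serial" ]; then
        echo secondary-behind
    else
        echo secondary-ahead
    fi
}

# Live use (needs network; zone and addresses are placeholders):
#   zone=domain.local master=10.0.0.10 secondary=10.0.0.20
#   xfer_status "$(dig +short SOA "$zone" @"$master")" \
#               "$(dig +short SOA "$zone" @"$secondary")"
```

A result of no-answer from the secondary with a valid serial from the master means the zone is not loaded at all on the secondary, which is a different problem from a stale serial: the first is a config or file-permission issue, the second is a transfer or NOTIFY issue.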
 
I'll post the logs & config tonight. I appreciate the help (though I wasn't sure which place to ask... here or OS).
 
Is your BIND system a Linux box? If so, check permissions. I had a new DNS server that wouldn't update; it turned out BIND didn't have permission on the files, so it couldn't update them.
 
Yes, it's on Arch Linux ARM. I know it's at whatever defaults were set. What user/group settings are needed for BIND to correctly update the files?
 
What user owns the directory, and the files? Also what group owns those as well?

It should be read/write for Bind or at least whatever group Bind is in.
 
Is BIND in the bind group? What are the permissions set to?

rw-rw---- would be what I would expect (chmod 660 *.* )
 
I'll check that after work & let you know (no way to remote in from here).
 
drwxr-x--- 2 root named 4096 Aug 3 18:34 named
-rw-r--r-- 1 root named 222 Aug 2 18:48 10.0.0.rev
-rw-r----- 1 root named 234 Jul 27 17:36 127.0.0.zone
-rw-r--r-- 1 root named 2550 Aug 2 19:23 <snip>.local.hosts
-rw-r----- 1 root named 190 Jul 27 17:36 localhost.zone
-rw-r--r-- 1 root named 1472 Aug 2 19:22 _msdcs.<snip>.local.hosts
-rw-r----- 1 root named 3048 Jul 27 17:36 root.hint

2 of the files were owned by root:root, so I changed that over to root:named. Does everything here need to be owned by the named account instead?

Here's my config
//
// /etc/named.conf
//

options {
    directory "/var/named";
    pid-file "/var/run/named/named.pid";
    auth-nxdomain yes;
    // Uncomment these to enable IPv6 connections support
    // IPv4 will still work:
    // listen-on-v6 { any; };
    // Add this for no IPv4:
    // listen-on { none; };

    // Default security settings.
    allow-recursion {
        any;
    };
    allow-update { none; };
    version none;
    hostname none;
    server-id none;
    transfer-format many-answers;
    forwarders {
        <snip>;
        8.8.8.8;
        8.8.4.4;
    };
    forward first;
    recursion yes;
    allow-transfer {
        <snip>;
    };
};

masters <snip> { <snip>; };

zone "localhost" IN {
    type master;
    file "localhost.zone";
    allow-transfer { any; };
};

zone "0.0.127.in-addr.arpa" IN {
    type master;
    file "127.0.0.zone";
    allow-transfer { any; };
};

zone "." IN {
    type hint;
    file "root.hint";
};

//zone "example.org" IN {
//    type slave;
//    file "example.zone";
//    masters {
//        192.168.1.100;
//    };
//    allow-query { any; };
//    allow-transfer { any; };
//};

logging {
    channel xfer-log {
        file "/var/log/named.log";
        print-category yes;
        print-severity yes;
        print-time yes;
        severity info;
    };
    category xfer-in { xfer-log; };
    category xfer-out { xfer-log; };
    category notify { xfer-log; };
};

zone "<snip>.local" IN {
    type slave;
    masters {
        <snip>;
    };
    file "/var/named/<snip>.local.hosts";
    notify yes;
    allow-query {
        any;
    };
};

zone "_msdcs.<snip>.local" IN {
    type slave;
    masters {
        <snip>;
    };
    file "/var/named/_msdcs.<snip>.local.hosts";
    notify yes;
    allow-query {
        any;
    };
};

zone "<snip>.in-addr.arpa" IN {
    type master;
    file "/var/named/<snip>.rev";
};

include "/etc/rndc.key";

I tried the SOA command through dig, but both only return root hint servers in the results.

The zones are incremented automatically by AD.

Most recent snippet of named.log
06-Aug-2012 17:28:46.213 notify: info: client <snip>#61878: received notify for zone '<snip>.local'
06-Aug-2012 17:28:46.357 xfer-in: info: transfer of '<snip>.local/IN' from <snip>#53: connected using <snip>#53944
06-Aug-2012 17:28:46.592 xfer-in: info: transfer of '<snip>.local/IN' from <snip>#53: Transfer completed: 32 messages, 32 records, 2890 bytes, 0.234 secs (12350 bytes/sec)
06-Aug-2012 17:29:12.193 notify: info: client <snip>#61878: received notify for zone '_msdcs.<snip>.local'
06-Aug-2012 17:29:25.093 notify: info: client <snip>#61878: received notify for zone '<snip>.local'
06-Aug-2012 17:29:27.961 notify: info: client <snip>#61878: received notify for zone '_msdcs.<snip>.local'

Edit: Should these zones be master or slave for AD-integrated zones?

Edit 2: I gave ownership to named:named on /var/named & all files within. Zone transfers are now working correctly. I might attempt to try master zone replication between AD & BIND. :)
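Why the listing in this post fails while named:named works, as an added example that is not from any post in the thread. named saves a transferred secondary zone by writing a temporary file in the zone file's directory and renaming it over the old file, so the directory itself must be writable by the user named runs as; the log line "Transfer completed" only says the AXFR finished on the wire. With the directory at drwxr-x--- root:named, the named group can list it but not create files in it, and nothing gets saved. The script below reads ls -l lines (a constructed listing in the shape of the one above, names shortened) and reports what named could write. The user and group names are assumptions taken from the listing.

```shell
#!/bin/sh
# Added example (not from the thread): work out from an `ls -l` listing what the
# BIND daemon can write. Assumes named runs as user "named" in group "named".
# BIND saves a transferred secondary zone by writing a temporary file in the
# zone file's directory and renaming it into place, so the directory, not just
# the zone file, must be writable by that user.

NAMED_USER=named
NAMED_GROUP=named

# writable_by_named MODE OWNER GROUP -> prints yes or no.
# MODE is the ten-character mode field of ls -l, e.g. drwxr-x---.
writable_by_named() {
    mode=$1; owner=$2; group=$3
    if [ "$owner" = "$NAMED_USER" ]; then
        bit=$(printf '%s' "$mode" | cut -c3)   # owner write bit
    elif [ "$group" = "$NAMED_GROUP" ]; then
        bit=$(printf '%s' "$mode" | cut -c6)   # group write bit
    else
        bit=$(printf '%s' "$mode" | cut -c9)   # other write bit
    fi
    if [ "$bit" = w ]; then echo yes; else echo no; fi
}

# audit_listing: reads ls -l lines on stdin, prints "<name> <yes|no>" per entry.
audit_listing() {
    while read -r mode _links owner group _size _mon _day _time name; do
        [ -n "$name" ] || continue
        echo "$name $(writable_by_named "$mode" "$owner" "$group")"
    done
}

# Constructed listing in the shape of the one posted above (names shortened).
SAMPLE_LISTING='drwxr-x--- 2 root named 4096 Aug 3 18:34 named
-rw-r--r-- 1 root named 2550 Aug 2 19:23 domain.local.hosts
-rw-r--r-- 1 root named 1472 Aug 2 19:22 _msdcs.domain.local.hosts
-rw-r----- 1 root named 3048 Jul 27 17:36 root.hint'

# Every line of SAMPLE_LISTING comes back "no": the transfer completes on the
# wire but the new zone file cannot be written. Least-privilege fix for the
# layout in the posted config (path assumed from its "directory" option):
#   chmod 770 /var/named          # root:named directory, group may create files
# named.conf, root.hint and master zone files can stay root:named and 640;
# named only reads them, so they need not be owned by named at all.
```

Running `ls -l /var/named | audit_listing` on the live server gives the same yes/no per entry. Giving the whole tree to named:named also works, as the edit above found, but it lets a compromised named process rewrite the zones it is supposed to be authoritative for; a writable directory with root-owned master files keeps that to the secondary zones only.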
 
EDIT: So the permissions were borked on the zone files/configs. Makes sense. Really should be root:named, but .. who's counting.


I see forwarders in the configuration globally - why? If the server is recursive, and it is authoritative for the domains you have configured, it should work fine. No need for forwarders.
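An added example, not the poster's file or anything from the thread: the shape the posted named.conf takes once the secondary zones and the recursion exposure are tightened. Two facts the thread leaves open: an AD-integrated zone is stored in Active Directory and is multi-master between the domain controllers, so on BIND it is always type slave with the controllers as masters (the "master or slave?" edit above); and on the Windows side the zone's Zone Transfers tab must list the BIND server, or the AXFR is refused regardless of what BIND asks for. Addresses, ACL names and the zone name below are placeholders.

```conf
// Added example: a tightened named.conf for a BIND secondary of AD-integrated
// zones. Addresses, ACL names and the zone name are placeholders.
acl dcs { 10.0.0.10; 10.0.0.11; };          // domain controllers (assumed)
acl lan { 10.0.0.0/24; 127.0.0.1; };        // clients allowed to recurse (assumed)

masters dcs_masters { 10.0.0.10; 10.0.0.11; };

options {
    directory "/var/named";                 // must be writable by the named user for slave zones
    pid-file "/var/run/named/named.pid";
    recursion yes;
    allow-recursion { lan; };               // not "any": an open resolver is a reflection source
    allow-query-cache { lan; };
    allow-transfer { none; };               // nobody pulls zones unless a zone stanza says so
    allow-update { none; };
    // no forwarders: this server recurses on its own, as suggested above
    version none;
    hostname none;
    server-id none;
};

zone "domain.local" IN {
    type slave;
    file "domain.local.hosts";              // relative to "directory"
    masters { dcs_masters; };
    allow-notify { dcs; };                  // masters may NOTIFY anyway; this keeps the list explicit
    allow-query { lan; };
};

zone "_msdcs.domain.local" IN {
    type slave;
    file "_msdcs.domain.local.hosts";
    masters { dcs_masters; };
    allow-notify { dcs; };
    allow-query { lan; };
};

logging {
    channel xfer-log {
        file "/var/log/named.log";
        print-category yes;
        print-severity yes;
        print-time yes;
        severity info;
    };
    category xfer-in { xfer-log; };
    category notify { xfer-log; };
};
```

The two changes that matter for exposure are allow-recursion and the global allow-transfer: the posted file recurses for any client and leaves transfers open on the localhost zones, neither of which the secondary setup needs. Everything else is the same structure the poster already has.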
 
It only worked with named:named. root:named seemed to give only partial functionality to the named daemon. A bit odd, since I was expecting it to work after installation.

I'll delete the forwarders since I'm definitely seeing issues with it.

Have any other recommendations for me? :) I'm trying to figure out why I can't use the BIND server to look up a server name without using the FQDN. Only the AD server responds to such a request correctly.
 
Locally or on a machine within the domain?

DNS search suffixes will need to be set.

On Linux, in resolv.conf:

domain yourdomainhere
search yourdomainhere
nameserver ip_address_here
nameserver ip_address_here
 
-rw-r--r-- 1 root named 222 Aug 2 18:48 10.0.0.rev
-rw-r----- 1 root named 234 Jul 27 17:36 127.0.0.zone
-rw-r--r-- 1 root named 2550 Aug 2 19:23 <snip>.local.hosts
-rw-r----- 1 root named 190 Jul 27 17:36 localhost.zone
-rw-r--r-- 1 root named 1472 Aug 2 19:22 _msdcs.<snip>.local.hosts
-rw-r----- 1 root named 3048 Jul 27 17:36 root.hint

There is the issue. Root has read and write access. The named group has read-only permission, and everyone has read-only access to <snip>.local.hosts and _msdcs.<snip>.local.hosts.

If named is in the named group (/etc/group), which it should be, then you need to change the permissions to be read and write, since the BIND process is probably running under the named account.

chmod 664 *.*.*
or
chmod 664 *.hosts
and
chmod 660 *.zone

As far as not getting FQDN, what search zones are in your /etc/resolv.conf?
 
I attempted it through dig from my desktop & the bind server. I'll have to add those in. Thanks.

I'll alter the permissions & get the ownership back to root:named. Is there any way that I can set a permissions mask for that folder?

I haven't altered resolv.conf, which is something I'll do tonight.
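One way to answer the mask question in this post, as an added example that is not a reply from anyone in the thread: give the zone directory the setgid bit and group write once, so every file named creates there inherits the directory's group instead of needing a chmod after each transfer. The directory and group are parameters; the group name named is an assumption taken from the listing above.

```shell
#!/bin/sh
# Added example (not from the thread): prepare a zone directory once so that
# files named creates in it come out in the right group, instead of fixing
# ownership after every transfer. The group name "named" is an assumption.

# prepare_zone_dir DIR GROUP: the owner keeps the directory, GROUP gets rwx,
# and the setgid bit makes new files inherit GROUP whoever creates them.
# Others get nothing, so the zone data is not world-readable from the box.
prepare_zone_dir() {
    dir=$1; group=$2
    mkdir -p "$dir"
    chgrp "$group" "$dir"
    chmod 2770 "$dir"
}

# group_of_new_file DIR: create a probe file in DIR, print the group it got,
# remove it. Used to confirm the inheritance actually applies on this filesystem.
group_of_new_file() {
    dir=$1
    : > "$dir/.probe"
    ls -l "$dir/.probe" | awk '{ print $4 }'
    rm -f "$dir/.probe"
}

# Typical use on the server from the thread (path from its named.conf):
#   prepare_zone_dir /var/named named
#   group_of_new_file /var/named      # should print: named
```

This does not change the mode bits of new files, only their group; BIND chooses the file mode itself when it writes a transferred zone, and a root-owned master zone file left in the directory keeps its own mode.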
 