Active Directory x Linux DNS

Last Post 20 December 2016
adriaoramos posted this 19 December 2016

Good morning,
I have many domain controllers in my enterprise that are DNS servers too.
My network team intends to change DNS and install Linux DNS servers.
Is there any document that explains how to change DNS from Windows to Linux in an operational Active Directory domain?
Is that possible?
Thanks


LEGAL ADVICE This message is for use by the intended recipient and contains information that may be privileged, confidential and/or under applicable law. If you are not the intended recipient, you are hereby formally notified that any use, copying or distribution of this e-mail, in whole or in part, is strictly prohibited. Please notify the sender by return e-mail and delete this e-mail from your system.


patrickg posted this 19 December 2016

Assuming the Linux DNS servers are using new IPs, once they are up and all the DNS entries have been entered, just flip the AD ones to non-authoritative servers and set the Linux ones as the forwarding addresses. Then you're "running" off of them; at that point the DNS configuration on every device needs to be flipped to the new DNS servers. At that point I ran Wireshark on the DCs to monitor for DNS traffic... there are usually a couple of devices which people forget to update. Then eventually uninstall the DNS role from all of the DCs.

The last time I did a conversion, the network had around 10k devices on it. Switchover for DNS took 15 minutes or so, but it took a couple of weeks to clean up remaining clients with hard-coded entries.

~Patrick
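Patrick's step of watching the DCs for leftover DNS traffic can be scripted rather than eyeballed in Wireshark. The following is an added example, not part of the original thread: it uses tshark (the command-line half of Wireshark) on a DC to log which source addresses are still sending queries, then aggregates them and shows what each straggler was asking for. The interface name, the resolver addresses 10.0.0.53/10.0.0.54 and the sample capture lines are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example (not from the original thread). Finds clients that are still
# sending DNS queries to a domain controller after the cut-over to the new
# Linux resolvers. Names, addresses and sample data below are constructed.
set -e

# Step 1 (run on the DC, or on a host that sees the DC's port-53 traffic):
# log ten minutes of queries as "<src-ip><TAB><query-name>", one per line.
# Only queries are kept (dns.flags.response == 0), so the DC's own answers
# and its forwarding traffic to other servers do not pollute the list.
capture_queries() {
  local iface=$1 out=$2
  tshark -i "$iface" -a duration:600 -Y 'dns.flags.response == 0' \
    -T fields -e ip.src -e dns.qry.name > "$out"
}

# Step 2: count queries per source, dropping addresses that are expected to
# keep talking to the DC (e.g. the new resolvers, if they delegate the AD
# zone back to the DCs). Output: "<count><TAB><ip>", busiest first.
report_stragglers() {
  local capture=$1; shift
  local exclude=" $* "
  awk -v ex="$exclude" -F'\t' '
    NF >= 1 && index(ex, " " $1 " ") == 0 { n[$1]++ }
    END { for (ip in n) printf "%d\t%s\n", n[ip], ip }
  ' "$capture" | sort -rn
}

# Step 3: the names still being asked for on the DC tell you whether the
# straggler is a hard-coded resolver setting (general names) or something
# that legitimately needs AD-specific records (_msdcs, _kerberos, ...).
names_for_source() {
  local capture=$1 ip=$2
  awk -v ip="$ip" -F'\t' '$1 == ip { print $2 }' "$capture" | sort -u
}

# Constructed sample of what capture_queries writes: 10.0.0.53 is one of the
# new resolvers and is expected; the other two sources are stragglers.
sample_capture() {
  printf '%s\t%s\n' \
    10.0.1.25 wpad.corp.example.com \
    10.0.1.25 _ldap._tcp.dc._msdcs.corp.example.com \
    10.0.0.53 _kerberos._tcp.corp.example.com \
    10.0.7.9  printer01.corp.example.com \
    10.0.1.25 www.example.com
}

# Stand-alone demo on the sample (in real use, call capture_queries first).
demo() {
  local tmp
  tmp=$(mktemp)
  sample_capture > "$tmp"
  report_stragglers "$tmp" 10.0.0.53 10.0.0.54
  names_for_source "$tmp" 10.0.1.25
  rm -f "$tmp"
}
demo
```

On the constructed sample the report lists 10.0.1.25 (three queries) and 10.0.7.9 (one), and the name list for 10.0.1.25 mixes a public name with AD-specific ones, which is the signature of a client whose resolver setting was never updated rather than one that needs the DC. Run the capture again a few days after the switch; the list should shrink to zero before the DNS role is removed.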
bshwjt posted this 19 December 2016

Yes. It is possible. Only dynamic DNS records will not be updated automatically, but you can script that. Let me search for the doc. Will share.

a-ko posted this 19 December 2016

There are a lot of "whosie whatsies" when it comes to DNS and Active Directory. I'd suggest you sit down and have a conversation with the network team to ensure they can provide you with what you need in order for Windows AD DNS to function.

Windows relies very heavily on dynamic updates with DNS. In some cases, DHCP (with Name Protection) can perform this task, but you will still require dynamic DNS for the following functions:

  • Windows Clustering
  • KMS-based Activation
  • Domain Controllers (since these are probably not DHCP)

You will need to make sure that the DNS system they wish to use allows you to use GSS-TSIG Kerberos-based dynamic updates. This will require Kerberos to be configured on the Linux DNS system. There are some guides around if you want to do this.

Dynamic DNS is a critical and key component of a healthy Windows Active Directory infrastructure.

If they cannot provide this functionality (and it should be seen as mandatory), then you should ask them to simply delegate the AD zone to your DCs.

-Mike Cramer
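What the GSS-TSIG requirement above looks like on a BIND 9 server, as an added example that is not from the thread or from any vendor mentioned in it. The first function emits the insecure shortcut (allow-update { any; }) that a Linux DNS team may reach for when Windows registrations start failing; the second emits the Kerberos-authenticated form using tkey-gssapi-keytab and an update-policy that limits each principal to its own records; the third checks the result end to end with nsupdate -g. The zone corp.example.com, realm CORP.EXAMPLE.COM, keytab path and host names are assumptions.

```shell
#!/usr/bin/env bash
# Added example (not from the original thread). Emits BIND 9 configuration for
# an AD zone fed by Windows dynamic updates, and a check for it. The zone,
# realm, keytab path and host names are assumptions for illustration.
set -e

# What often ships first when Windows registrations fail on a Linux server:
# anyone who can reach port 53 can rewrite any record in the zone. Shown for
# contrast only.
weak_zone_stanza() {
  local zone=$1
  cat <<EOF
zone "${zone}" IN {
    type master;
    file "${zone}.zone";
    allow-update { any; };   # INSECURE: unauthenticated writes from anywhere
};
EOF
}

# GSS-TSIG form. named presents the keytab for DNS/<bind-host>@REALM (created
# in AD with ktpass, or taken from a joined host); clients authenticate their
# updates with a Kerberos ticket and the policy limits what each may write.
gss_tsig_config() {
  local realm=$1 zone=$2 keytab=$3
  cat <<EOF
options {
    tkey-gssapi-keytab "${keytab}";   # holds DNS/ns1.${zone}@${realm}
};

zone "${zone}" IN {
    type master;
    file "${zone}.zone";
    update-policy {
        # Windows machine accounts (host\$@REALM) may touch only the A/AAAA
        # records of their own name; krb5-self does the same for Linux
        # clients that use host/fqdn@REALM principals.
        grant ${realm} ms-self . A AAAA;
        grant ${realm} krb5-self . A AAAA;
        # DCs register SRV/CNAME records under the AD subtrees. This lets any
        # machine account in the realm do so; to tighten it, replace these with
        # per-DC "subdomain" grants naming each DC's machine-account principal.
        grant ${realm} ms-subdomain _msdcs.${zone}. SRV CNAME;
        grant ${realm} ms-subdomain _sites.${zone}. SRV;
        grant ${realm} ms-subdomain _tcp.${zone}. SRV;
        grant ${realm} ms-subdomain _udp.${zone}. SRV;
    };
};
EOF
}

# End-to-end check from a host that holds a ticket (kinit -k on a joined
# Linux box). With -g, nsupdate negotiates GSS-TSIG; the same update without
# -g must come back REFUSED, or the policy is not doing its job. Needs a live
# server and KDC, so it is not exercised by the test.
verify_gss_update() {
  local server=$1 zone=$2 host=$3 addr=$4
  nsupdate -g <<EOF
server ${server}
zone ${zone}
update delete ${host}.${zone}. A
update add ${host}.${zone}. 3600 A ${addr}
send
EOF
}

# Render both forms for the assumed environment.
weak_zone_stanza corp.example.com
gss_tsig_config CORP.EXAMPLE.COM corp.example.com /etc/named/dns.keytab
```

Two things to verify on the real server before calling the migration done: that `allow-update` does not appear anywhere for the AD zone (a zone cannot safely carry both), and that an unauthenticated `nsupdate` against it is refused while the `-g` form succeeds and the new A record shows up on the DCs' clients.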
eccoleman posted this 20 December 2016

I highly recommend, to preserve the "best of both worlds", using Mike's recommendation of a delegated zone. This keeps the AD DCs fully authoritative for everything they need, and everything else can use the Linux BIND DNS. Use forwarders as appropriate to resolve DNS from AD back to the BIND servers.

That said, our Infoblox appliances appear to support GSS-TSIG, so we are considering the feasibility of using that and getting out of the DNS business. I'm not holding my breath though.

--
Erik Coleman
Senior Manager, Enterprise Systems
Technology Services at Illinois
University of Illinois at Urbana-Champaign
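The "best of both worlds" layout from the two posts above, as an added example (not from the thread): BIND stays authoritative for the company zone and delegates the AD zone to the DCs with NS and glue records, so Linux clients reach the _msdcs SRV records by normal referral while the DCs keep owning dynamic updates and forward everything else back to BIND. It also covers the case delegation cannot handle, an AD domain whose name is not a child of any zone BIND hosts (corp.local here), which needs a forward zone instead. All zone names and addresses are assumptions.

```shell
#!/usr/bin/env bash
# Added example (not from the original thread). Keeps BIND authoritative for
# the company zone while the AD zone itself stays on the DCs: BIND delegates
# it, and the DCs forward everything else back to BIND. Names and addresses
# are assumptions for illustration.
set -e

# Records to add to the PARENT zone file on BIND (example.com) for a child AD
# zone (corp.example.com). Each DC gets an NS record plus a glue A record; the
# glue is required because the DC names sit inside the zone being delegated.
# Arguments: child zone, then "shortname=ip" per DC.
delegation_records() {
  local child=$1; shift
  local entry name ip
  for entry in "$@"; do
    name=${entry%%=*}
    ip=${entry#*=}
    printf '%s.\tIN\tNS\t%s.%s.\n' "$child" "$name" "$child"
    printf '%s.%s.\tIN\tA\t%s\n' "$name" "$child" "$ip"
  done
}

# When the AD domain is not a child of any zone BIND hosts (e.g. a legacy
# corp.local), there is nothing to delegate from. BIND instead needs a forward
# zone so that resolvers using it still reach the DCs for SRV lookups.
# Arguments: zone, then DC addresses.
forward_zone_stanza() {
  local zone=$1; shift
  printf 'zone "%s" IN {\n    type forward;\n    forward only;\n    forwarders { ' "$zone"
  printf '%s; ' "$@"
  printf '};\n};\n'
}

# Check from a client of the BIND servers: with the delegation in place, a
# non-recursive query to BIND returns a referral naming the DCs, and a
# recursive one resolves the AD SRV record through them. Needs a live server,
# so it is not exercised by the test.
check_delegation() {
  local bind_server=$1 child=$2
  dig +norecurse @"$bind_server" "_ldap._tcp.dc._msdcs.${child}" SRV
  dig @"$bind_server" "_ldap._tcp.dc._msdcs.${child}" SRV +short
}

# The DC side is Windows and not shown: the DCs stay authoritative for the AD
# zone and get the BIND servers as forwarders (Set-DnsServerForwarder in
# PowerShell, or DNS Manager), so AD clients resolve everything else via BIND.

delegation_records corp.example.com dc1=10.0.0.11 dc2=10.0.0.12
forward_zone_stanza corp.local 10.0.0.11 10.0.0.12
```

The delegation only helps if the DCs' own zone file for corp.example.com keeps the _msdcs, _sites, _tcp and _udp subtrees (or the separate _msdcs zone AD creates), which is why Mike's advice is to leave that zone on the DCs rather than copy its static contents into BIND.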

a-ko posted this 20 December 2016

This is an industry-wide problem right now. I call it a problem because in every case where I've seen it done, the DNS system is either implemented poorly, the product is poor, or the people engineering it don't understand the below situation with dynamic DNS.

We've had big challenges with getting dynamic DNS running in my organization using BlueCat IPAM/DNS appliances. From what materials I've read on BlueCat, they're a fairly extensible system and have support for this functionality. I don't do the day-to-day with the system, so it's hard for me to pinpoint exactly where our problems are, but I do know that our network team has had to rebuild 2 implementations with top-level BlueCat engineering support to do it successfully without losing the data.

Typically, the "taking over DNS" thing comes in combination with owning the following services:

  • DNS
  • DHCP
  • NTP
  • Load Balancing (F5 GTM likes to own DNS zones as well)

Modern plans seem to be trending towards a DHCP-everything environment (where all servers are DHCP), but given what I've seen of the robustness of the solution we've got (and it's really poor from my outside assessment), I'm scared to see what would happen if the DHCP leases/reservation database poofed into thin air without backups, especially considering our firewall rules are 1:1 across our server stack.

My company isn't the only one undergoing this transition. Years ago I saw an MSP espouse the virtues of Infoblox. The marketing seemed on point, and from a high-level view the product seemed to be pretty decent, even going so far as offering pretty extensive APIs for DNS management, and doing the often rarely implemented (and when it is, poorly) DNSSEC key management and rotation (something Windows generally handles very well).

A company I recently interviewed with passed the buck on DNS to their networking team as well. I'm unsure as to whether their experience has been positive or negative.

-Mike Cramer