If you would like to read the first part in this article series please go to Migrating DNS servers from Linux to Windows (Part 1).
Introduction
As we indicated in the previous article, a properly functioning Domain Name Services (DNS) infrastructure is essential for Active Directory environments. For reasons described in the previous article however, organizations sometimes have Linux BIND name servers providing the underling DNS infrastructure for Active Directory. For political reasons it may not always be possible to migrating your BIND servers to Windows Server DNS servers, but if it is possible the previous article presented a walkthrough by my colleague Todd Lamothe to demonstrate step by step how this can be accomplished. This follow up article provides some additional insights and resources on what may be involved in such migrations.
Secure dynamic updates using TSIG
DNS Dynamic Updates is a standard specified in RFC 2136 and allows DNS clients to register and dynamically update their resource records with DNS servers whenever changes happen. Dynamic updates simplifies administration of DNS zones, especially for DHCP clients, and is an essential feature of how Active Directory interoperates with DNS. Ensuring that dynamic updates are secure is important and Microsoft has provides an ACL-based mechanism called Secure Dynamic Update for doing this. This ACL-based approach has been available since Windows 2000 Server which also introduced support for the Generic Security Service Application Program Interface (GSS-API,) specified in RFC 2078 that uses Kerberos v5 authentication protocol as a mechanism for establishing a security context by passing security tokens between DNS clients and name servers. The implementation of this for Windows Server DNS is explained in detail here.
If TSIG is a requirement for securing DNS in your environment then you should probably stay with BIND name servers instead of migrating them to Windows Server DNS because of some peculiarities in how the TSIG standard is implemented in Windows Server DNS. This therefore may be an important consideration when you are still in the planning stage of a migration. To ensure TSIG can work properly in your Active Directory environment and to explain some of the difficulties of making TSIG work with Windows Server DNS, the following resources may be of some help:
- How to implement GSS-TSIG on ISC BIND (DDI Guru)
- ISC DHCPd: Dynamic DNS updates against secure Microsoft DNS (Michael Kuron’s Blog)
- Infoblox and GSS-TSIG (Accumuli Security)
- The Windows 2012 DNS Server must protect the authenticity of zone transfers via transaction signing (UCF STIG Viewer)
And for a vendor-based BIND DNS appliance solution that fully supports interoperability scenarios with Active Directory using GSS-TSIG, you may want to check out BlueCat Networks.
Staying on BIND
If you’re deploying a new Active Directory infrastructure and would prefer for whatever reasons to use BIND name servers (either existing ones or new ones) instead of using Windows Server DNS and thereby sidestep the whole issue of DNS migration, you should know that there are some pros and cons to such a decision and various gotchas associated with configuring BIND DNS to work with Active Directory. The best resources on how to properly accomplish this that I’ve found to date are as follows:
- Using Linux BIND DNS Servers for Active Directory Domains (ServerLab)
- Linux BIND as DNS to Active Directory Domain Controller (Ignacio Ocampo’s Blog)
In addition to the above tutorials you may also want to check out the following threads on the TechNet forums:
The following Reddit threads may also be of some help in this regard:
- https://www.reddit.com/r/sysadmin/comments/1vfc9d/using_linux_bind_dns_servers_for_active_directory/
- https://www.reddit.com/r/sysadmin/comments/34mkb2/boss_wants_dns_on_linux_instead_of_windows_how/
Also be sure to check out the following thread on ServerFault:
Finally, I’ve been told by some insiders at Microsoft that the following very old Knowledge Base article that focuses on Active Directory in Windows 2000 Server and DNS in Windows NT 4.0 (!) still applies to the current version of Windows Server, and that it will continue to apply for the foreseeable future in regard to Active Directory and DNS in upcoming versions of Windows Server:
- KB255913: Integrating Windows 2000 DNS into an existing BIND or Windows NT 4.0-based DNS namespace
Believe it or not, you can learn some very useful information from this article about how Active Directory domains are registered in DNS and about the various kinds of resource records involved in the process, and the information you can glean this way may be of help to you when DNS migrations go wrong in Active Directory environments. For example, I heard from one consultant that when an organization he had heard about first deployed Active Directory with Windows Server 2003 they had a big political fight with the DNS administrators who wanted to keep BIND name servers in place for the zone hosting resource records for the organization’s domain name which we’ll call contoso.com. After much heated discussion the IT department eventually decided to allow the BIND name servers to continue to host resource records for contoso.com but installed the DNS Server role on domain controllers in Active Directory Integrated Mode and use the Microsoft DNS servers to host the special Active Directory resource records like _msdcs.contoso.com, _udp.contoso.com, _tcp.contoso.com, and _sites.contoso.com. (See the KB article above for explanation of these resource records if you’re not familiar with them as it’s important to understand their function if you’re planning on administering DNS for Active Directory). Splitting their DNS environment between BIND and Microsoft DNS servers like this was tricky to set up but once they did it everything worked smoothly until one day their new admin staff retired the BIND servers thinking they were no longer needed–and neglected to merge their DNS zones with those of the Microsoft DNS servers before retiring them!!
Additional resources on migrating BIND to Windows DNS
While the walkthrough in the previous article of this series should help get you going in migrating your Linux BIND name servers to Windows Server DNS, there are some other tutorials and guides available that may be of assistance to you in this regard. Here are some of the best ones that have been recommended to me by my colleagues who have worked on such projects:
- How to Migrate DNS from Unix to Windows (Bright Hub)
- Migrate DNS from Linux to Windows 2008 DNS? (ServerFault)
- Migrate linux dns to window dns (Experts Exchange – membership required)
The steps involved in BIND to Windows DNS are also summarized in the responses in this thread on the TechNet forums:
Finally, there’s this one which is old but is still good and may be useful in certain situations:
Still got questions about migrating DNS?
If you have any questions about domain controller hardware planning, the best place to ask them may be on one of the following TechNet forums:
If you don’t get help that you need there, you can try sending your question to [email protected] so we can publish it in the Ask Our Readers section of our WServerNews newsletter to see whether any of the almost 100,000 IT pro subscribers of our newsletter may have any suggestions on how to resolve your problem.
If you would like to read the first part in this article series please go to Migrating DNS servers from Linux to Windows (Part 1).
