I'm in the process of migrating from a workgroup served by a BIND9 DNS server, to an AD Domain based on Windows Server 2008 R2, and I'd like to keep using the BIND server until the AD infrastructure is ready.
During the setup of AD, via dcpromo, I get a warning that I should make sure our current DNS server delegates the AD domain name to the AD server.
Suppose my AD domain is mydomain.lan, and my regular BIND domain is example.com. I'm setting my BIND server as authoritative for lan., but would like to delegate mydomain.lan. to the AD server's IP.
My named.conf.local contains:
zone "lan" {
    type master;
    file "zone.lan";
};
And zone.lan contains:
$ORIGIN lan.
$TTL 1H ; 1 hour
@ IN SOA dns.example.com. hostmaster.example.com. (
        201008137 ; serial
        28800     ; refresh (8 hours)
        14400     ; retry (4 hours)
        2419200   ; expire (4 weeks)
        86400     ; minimum (1 day)
        )
IN NS dns.example.com.
$ORIGIN mydomain.lan.
@ IN NS dc1.mydomain.lan.
dc1 IN A 10.10.0.200 ; 'glue' record
When I query dns.example.com for "lan", I get the expected answer, but when I query for "mydomain.lan" or "dc1.mydomain.lan" I get an NXDOMAIN response. All my tries so far have failed.
How do I properly create and delegate a subzone?
Update: some more info
$ dig mydomain.lan @dns.example.com NS +norecurse
; <<>> DiG 9.7.0-P1 <<>> @dns.example.com mydomain.lan NS +norecurse
; (3 servers found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 23380
;; flags: qr ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
;; QUESTION SECTION:
;mydomain.lan. IN NS
;; AUTHORITY SECTION:
mydomain.lan. 3600 IN NS dc1.mydomain.lan.
;; ADDITIONAL SECTION:
dc1.mydomain.lan. 3600 IN A 10.10.0.200
;; Query time: 0 msec
;; SERVER: ::1#53(::1)
;; WHEN: Sun Aug 15 00:41:05 2010
;; MSG SIZE rcvd: 64
$ dig @dc1.mydomain.lan dc1.mydomain.lan
dig: couldn't get address for 'dc1.mydomain.lan': not found
$ dig @10.10.0.200 dc1.mydomain.lan
; <<>> DiG 9.7.0-P1 <<>> @10.10.0.200 dc1.mydomain.lan
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 21348
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;dc1.mydomain.lan. IN A
;; ANSWER SECTION:
dc1.mydomain.lan. 1200 IN A 10.10.0.200
;; Query time: 6 msec
;; SERVER: 10.10.0.200#53(10.10.0.200)
;; WHEN: Sun Aug 15 00:55:11 2010
;; MSG SIZE rcvd: 50
$ dig @10.10.0.200 mydomain.lan
; <<>> DiG 9.7.0-P1 <<>> @10.10.0.200 mydomain.lan
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 24664
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;mydomain.lan. IN A
;; ANSWER SECTION:
mydomain.lan. 600 IN A 10.10.0.200
;; Query time: 0 msec
;; SERVER: 10.10.0.200#53(10.10.0.200)
;; WHEN: Sun Aug 15 01:04:39 2010
;; MSG SIZE rcvd: 46
Looks like you're missing 'dc1' as a host in the AD-managed zone; the glue is only used to find the authoritative servers, not as actual content once those servers have been reached.
You might want to explore dig +trace to see the servers queried, when not using @server.name, to see the delegation chain being chased.
From Phil P
Martijn Heemels: The .lan is a private TLD, so +trace can't resolve it since it starts at the public root servers. dc1 is found properly and authoritatively when using nslookup on the AD server, so it knows about itself. The problem appears to be that the glue doesn't work: When I query dns.example.com for dc1.mydomain.lan I get an NXDOMAIN. Similarly when I query dc1 from the LAN, except when I specify the server as an IP address! This works: 'dig dc1.mydomain.lan @10.10.0.200', while this doesn't: 'dig dc1.mydomain.lan @dc1.mydomain.lan'.
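The referral dns.example.com returns above (no aa bit, ANSWER 0, an NS in AUTHORITY plus the glue A record in ADDITIONAL) is what a correct parent-side delegation looks like, and the reply from 10.10.0.200 (aa set, ANSWER filled) is the child's authoritative answer. The Python below is an added example, not code from the question or the answer: it builds and parses DNS wire-format messages and classifies a reply the way you would read dig's flags and sections, flagging an in-zone NS host that arrives without a glue A record. The names, TTLs and the 10.10.0.200 address come from the page; the message id 0x2a2a is an arbitrary constructed value.

```python
import struct
A, NS = 1, 2   # RR type codes (RFC 1035)

def encode_name(name):  # dotted name -> length-prefixed labels ending in a zero byte
    labels = [l.encode() for l in name.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l for l in labels) + b"\x00"

def decode_name(msg, off):  # -> (dotted name, offset just past it); follows RFC 1035 compression pointers
    labels, end = [], None
    while (n := msg[off]) != 0:
        if n & 0xC0 == 0xC0:   # pointer to an earlier copy of the name's tail: jump, remember where to resume
            end = end or off + 2; off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
        else:
            labels.append(msg[off + 1:off + 1 + n].decode()); off += 1 + n
    return ".".join(labels) + ".", end or off + 1

def build_response(qname, qtype, flags, answer=(), authority=(), additional=()):  # uncompressed wire format
    msg = struct.pack("!HHHHHH", 0x2a2a, flags, 1, len(answer), len(authority), len(additional))
    msg += encode_name(qname) + struct.pack("!HH", qtype, 1)
    for name, rtype, ttl, rdata in (*answer, *authority, *additional):   # each RR = (name, type, ttl, rdata)
        msg += encode_name(name) + struct.pack("!HHIH", rtype, 1, ttl, len(rdata)) + rdata
    return msg

def parse_response(msg):  # -> (flags, [answer, authority, additional]), RRs as (name, type, ttl, rdata)
    _, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    off, sections = 12, []
    for _ in range(qd):                                   # skip the question section
        off = decode_name(msg, off)[1] + 4
    for count in (an, ns, ar):
        rrs = []
        for _ in range(count):
            name, off = decode_name(msg, off)
            rtype, _, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
            rrs.append((name, rtype, ttl, msg[off + 10:off + 10 + rdlen])); off += 10 + rdlen
        sections.append(rrs)
    return flags, sections

def classify(msg, zone):  # read a reply for a name under `zone` the way you read dig's flags and sections
    flags, (answer, authority, additional) = parse_response(msg)
    if flags & 0xF == 3: return "nxdomain"                # RCODE 3: the server says the name does not exist
    if flags & 0x0400 and answer: return "authoritative"  # aa set plus an ANSWER: the child server's reply
    ns_hosts = [decode_name(rd, 0)[0] for n, t, _, rd in authority if t == NS and n == zone]
    if not ns_hosts: return "no-delegation"
    glued = {n for n, t, _, _ in additional if t == A}    # glue A records supplied for in-zone NS hosts
    missing = [h for h in ns_hosts if h.endswith("." + zone) and h not in glued]
    return ("referral-without-glue: " + ", ".join(missing)) if missing else "referral-with-glue"

# Constructed sample mirroring the parent's referral in the dig output above (not a captured packet).
REFERRAL = build_response("mydomain.lan.", NS, 0x8080,   # flags qr ra, no aa, ANSWER 0
    authority=[("mydomain.lan.", NS, 3600, encode_name("dc1.mydomain.lan."))],
    additional=[("dc1.mydomain.lan.", A, 3600, bytes([10, 10, 0, 200]))])
```

In a response captured from a real server the NS rdata is often itself a compression pointer into the whole message, so decode it against the full message rather than the rdata slice before comparing it with the glue names.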