Active Directory With Bind9
By Tony Hoyle
Conventional wisdom would have it that your machines have to use Windows DNS. Not a wisdom I've ever subscribed to. DNS is not magic, not even Microsoft DNS. In fact I ran this in production for a while with zero issues.
In your zone file, just add:
; Delegate the subtrees AD manages itself to the domain controller's own DNS.
; ad.example.com needs an ordinary A record in this zone for these to resolve.
_DomainDnsZones NS ad.example.com.
_ForestDnsZones NS ad.example.com.
_msdcs NS ad.example.com.
_sites NS ad.example.com.
; Service records a domain member looks up: priority, weight, port, target.
_kerberos._tcp SRV 0 0 88 ad.example.com.
_kerberos-adm._tcp SRV 0 0 749 ad.example.com.
_ldap._tcp SRV 10 50 389 ad.example.com.
_kerberos._udp SRV 0 0 88 ad.example.com.
_kerberos-master._udp SRV 0 0 88 ad.example.com.
_kpasswd._udp SRV 0 0 464 ad.example.com.
AD likes to run its own DNS, but that can just be its own view of the world, for that machine. The clients really don't care as long as a DNS lookup returns the results they were expecting.
Windows machines will try to update DNS directly, but they don't seem to mind being refused (as they should be; random machines having permission to modify DNS is a bit weird). Same with sssd, although you might want to add dyndns_update=false just to reduce the noise in the logs.
You can configure bind so clients can update your bind server directly through GSS-TSIG. I have some notes on this (especially on securing it properly), although personally I haven't bothered beyond testing.