From: Mel Pilgrim
To: Jaime Kikpole
CC: "questions@freebsd.org"
Subject: Re: AD with FreeBSD DNS & DHCP server
Date: Wed, 27 May 2015 11:53:10 -0700
Message-ID: <55661296.3040501@bluerosetech.com>
In-Reply-To: <0F2E94D2-344C-414C-B2BE-569257CD57DF@cairodurham.org>
List-Id: User questions (freebsd-questions@freebsd.org)
On 2015-05-08 19:52, Jaime Kikpole wrote:
> I'm going to be setting up an Active Directory system soon(ish) in a mixed environment. I've got a lot of non-Windows workstations and servers running FreeBSD and MacOS. So I was wondering what I needed to do to have internal DNS resolution and DHCP leases running from a FreeBSD virtual server while running Active Directory from another virtual server.
>
> Any advice or places to start reading?

If it's at all possible, use your DCs as your network's DNS servers. Windows domains need bidirectional DNS:

- ADS uses DNS to provide locators for directory services and the DCs.
- Replication services require working A/AAAA for the DCs so they can find each other without DS.
- Windows Domain computers send authenticated DNS updates to update the A/AAAA records for the machine names.

You can work around the first two by having unbound use stub-zones pointed at the Windows DNS servers, but unbound will not forward zone updates. You can go a bit further and mostly get the third point as well using BIND configured to receive the zone updates, but your Windows event logs will have errors about DNS authentication because BIND can't do AD-authenticated DNS updates. Worse, those updates won't make it back to Windows DNS, so your AD DNS zones will get stale. This will be a problem.

On my networks, the Windows DNS servers are resolvers for the whole network, including extra-domain hosts. The isc-dhcpd, rtadvd, and wide-dhcp6s instances running on my FreeBSD routers hand out the DCs' IP addresses as the DNS servers. The Windows DNS servers have the public domain above the AD FQDN added as a primary zone so that the few extra-domain hostnames work for everyone as well.
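The unbound stub-zone workaround mentioned in the reply, written out as an added example that is not part of the thread. The domain `ad.example.org`, the DC addresses `10.0.0.11` and `10.0.0.12`, the `10.0.0.0/8` client range, and the FreeBSD port path `/usr/local/etc/unbound/unbound.conf` are all constructed placeholders; every directive used is a documented unbound option. It covers the first two points in the list (locator SRV records and DC A/AAAA lookups) and does nothing for the third, since unbound still will not forward dynamic updates.

```conf
# /usr/local/etc/unbound/unbound.conf (path assumed for the FreeBSD port)
# Constructed example: AD domain "ad.example.org", DCs 10.0.0.11 and 10.0.0.12,
# clients in 10.0.0.0/8. None of these names or addresses come from the thread.
server:
    interface: 0.0.0.0
    interface: ::0
    access-control: 10.0.0.0/8 allow
    access-control: ::1 allow

    # AD zones are not DNSSEC-signed. If the public parent zone is signed and
    # validation is on, names under the stub zone fail validation unless the
    # private zones are marked insecure.
    domain-insecure: "ad.example.org."
    domain-insecure: "10.in-addr.arpa."

    # If private-address rebinding protection is configured for RFC 1918
    # space, private-domain lets AD names carry those addresses in replies.
    private-address: 10.0.0.0/8
    private-domain: "ad.example.org."

    # Unbound serves 10.in-addr.arpa locally as empty by default; turn that
    # off so the reverse zone below is actually asked from the DCs.
    local-zone: "10.in-addr.arpa." nodefault

# Forward zone for the domain. The DCs also answer for the _msdcs locator
# records (_ldap._tcp.dc._msdcs..., _kerberos._tcp..., etc.) under it.
stub-zone:
    name: "ad.example.org."
    stub-addr: 10.0.0.11
    stub-addr: 10.0.0.12
    stub-prime: no

# Reverse zone, so PTR lookups for DCs and members also come from the DCs.
stub-zone:
    name: "10.in-addr.arpa."
    stub-addr: 10.0.0.11
    stub-addr: 10.0.0.12
```

Check the file with `unbound-checkconf` and reload with `service unbound reload` (or `restart`). A quick functional check is `drill SRV _ldap._tcp.dc._msdcs.ad.example.org @127.0.0.1`: an empty or SERVFAIL answer usually means validation is rejecting the unsigned zone (the `domain-insecure` lines above) or the reverse zone is still being answered by the built-in empty `local-zone`. Domain members configured to use this resolver will still log DNS update failures, because the stub only routes queries; the authenticated updates the reply describes never reach the DCs, which is why the author hands out the DC addresses directly via DHCP (`option domain-name-servers 10.0.0.11, 10.0.0.12;` in isc-dhcpd terms) instead.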