From: Kurt Buff <kurt.buff@gmail.com>
To: "questions@freebsd.org"
Date: Wed, 27 May 2015 12:06:15 -0700
Subject: Re: AD with FreeBSD DNS & DHCP server
In-Reply-To: <55661296.3040501@bluerosetech.com>
References: <0F2E94D2-344C-414C-B2BE-569257CD57DF@cairodurham.org> <55661296.3040501@bluerosetech.com>

On Wed, May 27, 2015 at 11:53 AM, Mel Pilgrim wrote:
> On 2015-05-08 19:52, Jaime Kikpole wrote:
>>
>> I'm going to be setting up an Active Directory system soon(ish) in a mixed
>> environment. I've got a lot of non-Windows workstations and servers running
>> FreeBSD and MacOS. So I was wondering what I needed to do to have internal
>> DNS resolution and DHCP leases running from a FreeBSD virtual server while
>> running Active Directory from another virtual server.
>>
>> Any advice or places to start reading?
>
>
> If it's at all possible, use your DCs as your network's DNS servers. Windows
> domains need bidirectional DNS:
>
> - ADS uses DNS to provide locators for directory services and the DCs.
> - Replication services require working A/AAAA for the DCs so they can find
>   each other without DS.
> - Windows Domain computers send authenticated DNS updates to update the
>   A/AAAA records for the machine names.
>
> You can work around the first two by having unbound use stub-zones pointed
> at the Windows DNS servers, but unbound will not forward zone updates. You
> can go a bit further and mostly get the third point as well using BIND
> configured to receive the zone updates, but your Windows event logs will
> have errors about DNS authentication because BIND can't do AD-authenticated
> DNS updates. Worse, those updates won't make it back to Windows DNS, so
> your AD DNS zones will get stale. This will be a problem.
>
> On my networks, the Windows DNS servers are resolvers for the whole network,
> including extra-domain hosts. The isc-dhcpd, rtadvd, and wide-dhcp6s
> instances running on my FreeBSD routers hand out the DCs' IP addresses as
> the DNS servers. The Windows DNS servers have the public domain above the
> AD FQDN added as a primary zone so that the few extra-domain hostnames work
> for everyone as well.

What he said, x100.

AD is intimately bound up in DNS, with lots of dynamic updates of service
records, etc.

Let your Windows AD DCs do both DNS and DHCP. Just make sure that the DHCP
service is running as an unprivileged AD user.

See, among many others, this article:
https://technet.microsoft.com/en-us/library/cc732584.aspx
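The two configurations described in the thread, as an added illustration that is not part of the original mails: Mel's recommended setup (FreeBSD isc-dhcpd handing out the DCs as the DNS servers) and the partial workaround he mentions (unbound stub-zones pointed at the Windows DNS servers, which covers lookups of the AD zone but, as he notes, never carries the clients' dynamic updates). The domain name `ad.example.internal`, the DC addresses `192.0.2.10`/`192.0.2.11`, the subnet and the file paths are placeholders chosen for this example.

```conf
# --- /usr/local/etc/dhcpd.conf (isc-dhcpd on the FreeBSD router) ---
# Recommended arrangement from the thread: clients get the DCs as resolvers,
# so Windows members register their A/AAAA records directly with AD DNS.
subnet 192.0.2.0 netmask 255.255.255.0 {
    range 192.0.2.100 192.0.2.200;
    option routers 192.0.2.1;
    option domain-name "ad.example.internal";        # placeholder AD zone
    option domain-name-servers 192.0.2.10, 192.0.2.11; # placeholder DC addresses
}

# --- /usr/local/etc/unbound/unbound.conf (partial workaround only) ---
# Unbound answers AD-zone queries by asking the DCs, so SRV locator records
# and the DCs' own A/AAAA records resolve. Dynamic updates from domain
# members are NOT relayed: the zone on the DCs goes stale for those hosts.
server:
    interface: 0.0.0.0
    access-control: 192.0.2.0/24 allow
    # AD zones are usually unsigned; skip DNSSEC validation for them.
    domain-insecure: "ad.example.internal"
    domain-insecure: "2.0.192.in-addr.arpa"
    # Allow private (RFC 1918 / documentation) addresses in answers from
    # this zone; otherwise unbound's rebinding protection scrubs them.
    private-domain: "ad.example.internal"

stub-zone:
    name: "ad.example.internal"
    stub-addr: 192.0.2.10
    stub-addr: 192.0.2.11

stub-zone:
    name: "2.0.192.in-addr.arpa"
    stub-addr: 192.0.2.10
    stub-addr: 192.0.2.11
```

The stub-zone for the forest root also covers its subdomains (including the `_msdcs` locator tree), so no separate stub-zone is needed for those unless the DCs host them as a delegated zone on different servers. Even with this in place, the behaviour Mel describes for unbound still applies: a domain member that received unbound as its resolver will fail its secure dynamic update, and the corresponding records on the DCs will not be refreshed, which is why the dhcpd fragment above hands out the DCs rather than the FreeBSD resolver.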