Date:      Wed, 27 May 2015 11:53:10 -0700
From:      Mel Pilgrim <list_freebsd@bluerosetech.com>
To:        Jaime Kikpole <jkikpole@cairodurham.org>
Cc:        "questions@freebsd.org" <questions@freebsd.org>
Subject:   Re: AD with FreeBSD DNS & DHCP server
Message-ID:  <55661296.3040501@bluerosetech.com>
In-Reply-To: <0F2E94D2-344C-414C-B2BE-569257CD57DF@cairodurham.org>
References:  <0F2E94D2-344C-414C-B2BE-569257CD57DF@cairodurham.org>

On 2015-05-08 19:52, Jaime Kikpole wrote:
> I'm going to be setting up an Active Directory system soon(ish) in a mixed environment.  I've got a lot of non-Windows workstations and servers running FreeBSD and MacOS.  So I was wondering what I needed to do to have internal DNS resolution and DHCP leases running from a FreeBSD virtual server while running Active Directory from another virtual server.
>
> Any advice or places to start reading?

If it's at all possible, use your DCs as your network's DNS servers. 
Windows domains need bidirectional DNS:

- ADS uses DNS to provide locators for directory services and the DCs.
- Replication services require working A/AAAA for the DCs so they can 
find each other without DS.
- Windows Domain computers send authenticated DNS updates to update the 
A/AAAA records for the machine names.

You can work around the first two by having unbound use stub-zones 
pointed at the Windows DNS servers, but unbound will not forward zone 
updates.  You can go a bit further and mostly get the third point as 
well using BIND configured to receive the zone updates, but your Windows 
event logs will have errors about DNS authentication because BIND can't 
do AD-authenticated DNS updates.  Worse, those updates won't make it 
back to Windows DNS, so your AD DNS zones will get stale.  This will be 
a problem.

On my networks, the Windows DNS servers are resolvers for the whole 
network, including extra-domain hosts.  The isc-dhcpd, rtadvd, and 
wide-dhcp6s instances running on my FreeBSD routers hand out the DCs' IP 
addresses as the DNS servers.  The Windows DNS servers have the public 
domain above the AD FQDN added as a primary zone so that the few 
extra-domain hostnames work for everyone as well.
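The Unbound stub-zone workaround mentioned above, written out as an added example (this is not configuration from the original message or from the FreeBSD project). It assumes an AD domain of corp.example.com, two DCs answering DNS on 10.0.0.11 and 10.0.0.12, and a 10.0.0.0/8 reverse zone held on the DCs; all three are placeholders to replace. It covers the first two points in the list (locator records and DC A/AAAA lookups) and nothing more: Unbound only forwards queries, so the authenticated dynamic updates still have to go directly to the DCs.

```conf
# unbound.conf fragment (added example; hostnames and addresses are assumed).
server:
    # The AD zones live on Windows DNS and are normally not DNSSEC-signed.
    # If validation is on, mark them insecure so answers are not rejected.
    domain-insecure: "corp.example.com"
    domain-insecure: "10.in-addr.arpa"

    # The DCs have RFC 1918 addresses. Unbound's rebinding protection
    # strips private addresses from answers unless the domain is allowed.
    private-domain: "corp.example.com"

    # Unbound serves the RFC 1918 reverse zones locally by default; turn
    # that off so reverse lookups for the DC subnet reach the stub below.
    local-zone: "10.in-addr.arpa." nodefault

# Forward the AD domain to the DCs. This covers the SRV locator records
# under _ldap._tcp, _kerberos._tcp, _sites and friends, and the DCs' own
# A/AAAA records that replication needs.
stub-zone:
    name: "corp.example.com"
    stub-addr: 10.0.0.11
    stub-addr: 10.0.0.12

# Windows DNS usually keeps _msdcs as a separate zone; a stub entry for it
# avoids depending on the referral from the parent zone.
stub-zone:
    name: "_msdcs.corp.example.com"
    stub-addr: 10.0.0.11
    stub-addr: 10.0.0.12

stub-zone:
    name: "10.in-addr.arpa"
    stub-addr: 10.0.0.11
    stub-addr: 10.0.0.12

# Check from a FreeBSD host pointed at this resolver (drill is in base);
# replace <unbound-ip> with the resolver's address:
#   drill _ldap._tcp.dc._msdcs.corp.example.com @<unbound-ip> SRV
```

The check at the end is the quickest way to confirm the locator path works: a domain member that cannot resolve that SRV record will fail to find a DC regardless of how the rest of the zone behaves. Dynamic updates are a separate matter and are not addressed by this fragment; as the message says, they will only be accepted and replicated correctly by the DCs themselves.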
