AD with FreeBSD DNS & DHCP server
Mel Pilgrim
list_freebsd at bluerosetech.com
Wed May 27 18:53:17 UTC 2015
On 2015-05-08 19:52, Jaime Kikpole wrote:
> I'm going to be setting up an Active Directory system soon(ish) in a mixed environment. I've got a lot of non-Windows workstations and servers running FreeBSD and MacOS. So I was wondering what I needed to do to have internal DNS resolution and DHCP leases running from a FreeBSD virtual server while running Active Directory from another virtual server.
>
> Any advice or places to start reading?
If it's at all possible, use your DCs as your network's DNS servers.
Windows domains need bidirectional DNS:
- ADS uses DNS to provide locators for directory services and the DCs.
- Replication services require working A/AAAA for the DCs so they can
find each other without DS.
- Windows Domain computers send authenticated DNS updates to update the
A/AAAA records for the machine names.
You can work around the first two by having unbound use stub-zones
pointed at the Windows DNS servers, but unbound will not forward zone
updates. You can go a bit further and mostly get the third point as
well using BIND configured to receive the zone updates, but your Windows
event logs will have errors about DNS authentication because BIND can't
do AD-authenticated DNS updates. Worse, those updates won't make it
back to Windows DNS, so your AD DNS zones will get stale. This will be
a problem.
On my networks, the Windows DNS servers are resolvers for the whole
network, including extra-domain hosts. The isc-dhcpd, rtadvd, and
wide-dhcp6s instances running on my FreeBSD routers hand out the DCs' IP
addresses as the DNS servers. The Windows DNS servers have the public
domain above the AD FQDN added as a primary zone so that the few
extra-domain hostnames work for everyone as well.
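As an added example (not from Mel's post, and not a configuration he describes using), here is what the stub-zone work-around from the second paragraph looks like in practice, next to the dhcpd side of the recommended setup. The names and addresses are assumptions: the AD forest is "ad.example.com", the two DCs are 10.0.0.10 and 10.0.0.11, and the non-domain hosts sit in 10.0.0.0/8.

```conf
# /usr/local/etc/unbound/unbound.conf (assumed path) -- FreeBSD resolver that
# hands AD lookups to the Windows DNS servers.  Caveat from the post: this gives
# you locator SRV records and A/AAAA for the DCs, but unbound will NOT relay the
# authenticated dynamic updates that domain members send, so AD-owned records
# still have to be maintained on the Windows side.
server:
    interface: 0.0.0.0
    access-control: 10.0.0.0/8 allow

    # AD zones are not DNSSEC-signed; without this a validating unbound
    # would serve SERVFAIL for them once a trust anchor is configured.
    domain-insecure: "ad.example.com."
    domain-insecure: "_msdcs.ad.example.com."

    # Only needed if private-address: is configured (rebind protection);
    # the DCs answer with RFC1918 addresses that would otherwise be dropped.
    private-domain: "ad.example.com."

    # unbound ships a built-in "static" local-zone for RFC1918 reverse space;
    # disable it or the stub-zone below is never consulted.
    local-zone: "10.in-addr.arpa." nodefault

# Forward zone for the forest.  Both DCs are listed for redundancy.
stub-zone:
    name: "ad.example.com."
    stub-addr: 10.0.0.10
    stub-addr: 10.0.0.11

# _msdcs is a separate zone on Windows DNS by default; stubbing it
# explicitly avoids depending on the delegation from the parent.
stub-zone:
    name: "_msdcs.ad.example.com."
    stub-addr: 10.0.0.10
    stub-addr: 10.0.0.11

# Reverse zone, assuming the DCs host 10.in-addr.arpa.
stub-zone:
    name: "10.in-addr.arpa."
    stub-addr: 10.0.0.10
    stub-addr: 10.0.0.11

# /usr/local/etc/dhcpd.conf (assumed path) -- the approach the post recommends:
# isc-dhcpd on the FreeBSD router hands out the DCs themselves as resolvers,
# so domain members send their updates straight to Windows DNS.
option domain-name "ad.example.com";
option domain-search "ad.example.com", "example.com";
option domain-name-servers 10.0.0.10, 10.0.0.11;

subnet 10.0.1.0 netmask 255.255.255.0 {
    range 10.0.1.100 10.0.1.200;
    option routers 10.0.1.1;
}
```

After reloading unbound (service unbound reload) a quick sanity check is to resolve the DC locator record through it, for example `drill _ldap._tcp.dc._msdcs.ad.example.com SRV @127.0.0.1`; an empty or SERVFAIL answer usually means the domain-insecure or local-zone nodefault lines above are missing. The two fragments are alternatives, not meant to be run together: the unbound section is the work-around for when the FreeBSD box must be the resolver, the dhcpd section is the "use the DCs" setup the post prefers.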