Group:  English: Windows Server » microsoft.public.windows.server.dns
Thread: Migrate Microsoft AD integrated DNS to BIND - HELP Needed

Migrate Microsoft AD integrated DNS to BIND - HELP Needed
drew.sullivan[ at ]gmail.com 6/5/2007 12:46:57 PM
I have recently configured a Linux server with BIND 9.3.3 to act as
the DNS for a small internal LAN running a Win2k3 Active Directory. I
know the pros/cons of running a non-Microsoft DNS already.

I verified correct configuration of BIND by running dcpromo on a test
server. The DNS test passed and all the special subzones were updated
with the AD SRV records.

My problem is that I am trying to get a pre-existing AD that was using
a Microsoft AD integrated DNS to re-register its SRV records to the
new BIND server. I have already set the zones in the Microsoft DNS to
not be integrated in the AD. I then saved off the zone files created
in the %systemroot%. The Microsoft DNS services were then uninstalled
from the domain controller. Don't panic everyone, I know how to
recreate the zones using a Microsoft DNS server if I have to. The
domain controller was then configured to point to the BIND DNS server
as its primary (and only) DNS server.

When I restart netlogon or use nltest /fix to recreate the zones the
dynamic updates fail. I am receiving event id 5774 errors in the
system log. I will paste a snippet below:

The dynamic registration of the DNS record '_ldap._tcp.Default-First-
Site-Name._sites.ForestDnsZones.MyLAN.Local. 600 IN SRV 0 100 389
ExistingAD.MyLAN.Local.' failed on the following DNS server:

DNS server IP address: 172.25.1.1
Returned Response Code (RCODE): 5
Returned Status Code: 9017

ADDITIONAL DATA
Error Value: DNS bad key.

It appears to me that the domain controller is still trying to use
secure dynamic updates to the BIND DNS server using the gss-tsig
protocol. I know there is a BIND derivative out there that supports
GSS-TSIG, but I would rather not go that route. Can someone point me
in the right direction to reconfigure my existing domain controller to
send unsecure DNS updates to the BIND server?

Keep in mind, if I stand up a new domain controller with dcpromo, it
can register in the BIND DNS without error. I do not believe the BIND
configuration is the problem. Yes, the BIND server is configured to
allow dynamic updates from the existing domain controller's IP address.
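An added example for triaging these events (not code from the thread or from either poster): it pulls Netlogon Event ID 5774 entries from the System log, parses the record, server and codes out of the message text, and tells a signed update rejected at the TSIG layer (status 9016/9017/9018, "bad key" in the post above) apart from a plain update that the server's update policy refused (status 9005). It assumes the message layout shown in the post and uses Windows PowerShell's `Get-EventLog`; when no 5774 entries exist on the machine it runs, it falls back to a sample constructed from the snippet above.

```powershell
# Added example (not from the thread): triage Netlogon Event ID 5774 so a
# TSIG/GSS-TSIG validation failure is distinguished from a policy refusal.
# Assumption: the event text has the layout quoted in the post above.

$RcodeNames  = @{ 0='NOERROR'; 1='FORMERR'; 2='SERVFAIL'; 3='NXDOMAIN'; 4='NOTIMP';
                  5='REFUSED'; 6='YXDOMAIN'; 7='YXRRSET'; 8='NXRRSET'; 9='NOTAUTH'; 10='NOTZONE' }
$StatusNames = @{ 9005='DNS_ERROR_RCODE_REFUSED'; 9016='DNS_ERROR_RCODE_BADSIG';
                  9017='DNS_ERROR_RCODE_BADKEY'; 9018='DNS_ERROR_RCODE_BADTIME' }

function ConvertFrom-Event5774 {
    param([Parameter(Mandatory)][string]$Message)

    # Pull the four fields Netlogon writes into the event body.
    $pattern = "DNS record '(?<record>[^']+)'.*?DNS server IP address:\s*(?<ip>\S+)" +
               ".*?\(RCODE\):\s*(?<rcode>\d+).*?Returned Status Code:\s*(?<status>\d+)"
    $m = [regex]::Match($Message, $pattern, 'Singleline')
    if (-not $m.Success) { return $null }

    $rcode  = [int]$m.Groups['rcode'].Value
    $status = [int]$m.Groups['status'].Value

    # BADSIG/BADKEY/BADTIME are TSIG-layer errors: the client signed the update
    # (secure / GSS-TSIG mode) and the server could not validate the signature.
    $verdict = switch ($status) {
        { $_ -in 9016, 9017, 9018 } {
            'Signed update rejected at the TSIG layer: the DC is still in secure-update mode.' }
        9005 {
            'Plain update refused: check the zone allow-update / update-policy for this DC address.' }
        default { 'Other failure: check the DNS server log.' }
    }

    [pscustomobject]@{
        Record  = $m.Groups['record'].Value
        Server  = $m.Groups['ip'].Value
        Rcode   = "$rcode ($($RcodeNames[$rcode]))"
        Status  = "$status ($($StatusNames[$status]))"
        Verdict = $verdict
    }
}

$events = Get-EventLog -LogName System -Newest 500 -ErrorAction SilentlyContinue |
          Where-Object { $_.EventID -eq 5774 }

if (-not $events) {
    # Constructed sample, taken from the message quoted in the post above.
    $sample = @"
The dynamic registration of the DNS record '_ldap._tcp.Default-First-Site-Name._sites.ForestDnsZones.MyLAN.Local. 600 IN SRV 0 100 389 ExistingAD.MyLAN.Local.' failed on the following DNS server:

DNS server IP address: 172.25.1.1
Returned Response Code (RCODE): 5
Returned Status Code: 9017

ADDITIONAL DATA
Error Value: DNS bad key.
"@
    $events = @([pscustomobject]@{ Message = $sample })
}

$events | ForEach-Object { ConvertFrom-Event5774 -Message $_.Message } | Format-List
```

On the sample from the post the output shows RCODE `5 (REFUSED)` with status `9017 (DNS_ERROR_RCODE_BADKEY)`, which is the signature of a DC still sending GSS-TSIG-signed updates to a server that cannot validate them; a BIND `allow-update` mismatch would surface as status 9005 without the bad-key detail.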

Re: Migrate Microsoft AD integrated DNS to BIND - HELP Needed
"Kevin D. Goodknecht Sr. [MVP]" <admin[ at ]nospam.WFTX.US> 6/5/2007 3:21:18 PM
Read inline please.

In news:1181047617.538386.279880[ at ]w5g2000hsg.googlegroups.com,
drew.sullivan[ at ]gmail.com <drew.sullivan[ at ]gmail.com> typed:
> I have recently configured a Linux server with BIND 9.3.3 to act as
> the DNS for a small internal LAN running a Win2k3 Active Directory. I
> know the pros/cons of running a non-Microsoft DNS already.
>
> I verified correct configuration of BIND by running dcpromo on a test
> server. The DNS test passed and all the special subzones were updated
> with the AD SRV records.
>
> My problem is that I am trying to get a pre-existing AD that was using
> a Microsoft AD integrated DNS to re-register its SRV records to the
> new BIND server. I have already set the zones in the Microsoft DNS to
> not be integrated in the AD. I then saved off the zone files created
> in the %systemroot%. The Microsoft DNS services were then uninstalled
> from the domain controller. Don't panic everyone, I know how to
> recreate the zones using a Microsoft DNS server if I have to. The
> domain controller was then configured to point to the BIND DNS server
> as its primary (and only) DNS server.
>
> When I restart netlogon or use nltest /fix to recreate the zones the
> dynamic updates fail. I am receiving event id 5774 errors in the
> system log. I will paste a snippet below:
>
> The dynamic registration of the DNS record '_ldap._tcp.Default-First-
> Site-Name._sites.ForestDnsZones.MyLAN.Local. 600 IN SRV 0 100 389
> ExistingAD.MyLAN.Local.' failed on the following DNS server:
>
> DNS server IP address: 172.25.1.1
> Returned Response Code (RCODE): 5
> Returned Status Code: 9017
>
> ADDITIONAL DATA
> Error Value: DNS bad key.
>
> It appears to me that the domain controller is still trying to use
> secure dynamic updates to the BIND DNS server using the gss-tsig
> protocol. I know there is a BIND derivative out there that supports
> GSS-TSIG, but I would rather not go that route. Can someone point me
> in the right direction to reconfigure my existing domain controller to
> send unsecure DNS updates to the BIND server?
>
> Keep in mind, if I stand up a new domain controller with dcpromo, it
> can register in the BIND DNS without error. I do not believe the BIND
> configuration is the problem. Yes, the BIND server is configured to
> allow dynamic updates from the existing domain controller's IP
> address.

Default Domain Controller Policy
Computer Configuration
  - Administrative templates
    - Network
      - DNS Client - Update Security level - Enable and set to unsecured updates only.
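An added example (not from the thread or from Kevin) that checks, and with `-Apply` sets, the policy value the setting above writes on the local DC, then restarts Netlogon so the SRV records are re-registered. It assumes the policy is stored as the DWORD `UpdateSecurityLevel` under `HKLM\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient` with 0 = unsecure followed by secure, 16 = only unsecure and 256 = only secure; verify those values against the policy's explain text on your build.

```powershell
# Added example (not from the thread): inspect and, with -Apply, set the
# "DNS Client > Update Security Level" policy on the local machine, then
# restart Netlogon so the DC re-registers its records.
# Assumption: policy DWORD UpdateSecurityLevel under the Policies key below,
# 0 = unsecure followed by secure, 16 = only unsecure, 256 = only secure.
param([switch]$Apply)

$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient'
$Levels    = @{ 0 = 'Unsecure followed by secure'; 16 = 'Only unsecure'; 256 = 'Only secure' }
$Target    = 16   # a BIND server without GSS-TSIG can only accept unsigned updates

function Get-DnsUpdateSecurityLevel {
    $p = Get-ItemProperty -Path $PolicyKey -Name UpdateSecurityLevel -ErrorAction SilentlyContinue
    if ($null -eq $p) { return $null }      # policy not configured
    return [int]$p.UpdateSecurityLevel
}

$current = Get-DnsUpdateSecurityLevel
if ($null -eq $current) {
    Write-Host 'UpdateSecurityLevel policy: not configured (client default applies)'
} else {
    Write-Host ('UpdateSecurityLevel policy: {0} ({1})' -f $current, $Levels[$current])
}

if ($Apply -and $current -ne $Target) {
    if (-not (Test-Path $PolicyKey)) { New-Item -Path $PolicyKey -Force | Out-Null }
    Set-ItemProperty -Path $PolicyKey -Name UpdateSecurityLevel -Value $Target -Type DWord
    Write-Host ('Set UpdateSecurityLevel = {0} ({1})' -f $Target, $Levels[$Target])

    # Re-register the DC's records; "nltest /dsregdns" does the same without a restart.
    Restart-Service -Name Netlogon
    Write-Host 'Netlogon restarted; re-check the System log for Event ID 5774.'
}
```

Writing the Policies key directly mirrors what the GPO does, but on a domain member the next Group Policy refresh reasserts whatever the Default Domain Controllers Policy says, so make the change in that GPO as described above and use the script to confirm the value landed before restarting Netlogon.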

--
Best regards,
Kevin D. Goodknecht Sr. [MVP]
Hope This Helps

===================================
When responding to posts, please "Reply to Group"
via your newsreader so that others may learn and
benefit from your issue, to respond directly to
me remove the nospam. from my email address.
===================================
http://www.lonestaramerica.com/
http://support.wftx.us/
http://message.wftx.us/
===================================
Use Outlook Express?... Get OE_Quotefix:
It will strip signature out and more
http://home.in.tum.de/~jain/software/oe-quotefix/
===================================
Keep a back up of your OE settings and folders
with OEBackup:
http://www.oehelp.com/OEBackup/Default.aspx
===================================
