Thursday, September 28, 2023

Configure Active Directory with BIND as DNS Server

If we are configuring Windows Active Directory, it is usually preferable to use the DNS server role from Windows Server as well. However, for test purposes I have set up a CentOS 7 server as a DNS server running BIND and a separate Windows Server 2016 machine running Active Directory services.

The primary reason for this setup was to change the FQDN of my ESXi server to the domain (prv.com) that I had set up in my DNS server running BIND. After changing the hostname (srv) and domain name (prv.com), the FQDN of the ESXi server was srv.prv.com and the vCenter was vc.prv.com. Next, I wanted to test authentication of the ESXi and vCenter servers through Active Directory, so I set up a Windows server and configured Active Directory services but did not add the DNS role. In this post we are going to configure the Linux DNS server and authenticate the vCenter and ESXi servers using AD authentication.


The details of the servers are as follows:
  • ns01          192.168.2.1      ns01.prv.com
  • ns02          192.168.2.2      ns02.prv.com
  • ns03          192.168.2.3      ns03.prv.com
  • vCenter       192.168.2.181    vc.prv.com
  • ESXi server   192.168.2.208    srv.prv.com
  • AD server     192.168.2.35     dc01.prv.com

After changing the FQDN of the ESXi server, I added the A and PTR records for the vCenter, ESXi and AD servers to the DNS server as follows.

 [root@ns01 ~]# cat /var/named/zones/forward.prv
 $TTL 86400
 @    IN   SOA   ns01.prv.com.  root.prv.com. (
         2018110521 ;Serial
         3600       ;Refresh
         1800       ;Retry
         604800     ;Expire
         86400      ;minimum TTL
 )
 @                IN   NS   ns01.prv.com.
 @                IN   NS   ns02.prv.com.
 @                IN   NS   ns03.prv.com.
 ns01             IN   A    192.168.2.1
 ns02             IN   A    192.168.2.2
 ns03             IN   A    192.168.2.3
 vc               IN   A    192.168.2.181
 srv              IN   A    192.168.2.208
 dc01             IN   A    192.168.2.35

 [root@ns01 ~]# cat /var/named/zones/reverse.prv
 $TTL 86400
 @    IN   SOA   ns01.prv.com. root.prv.com. (
         2018110513 ;Serial
         3600       ;Refresh
         1800       ;Retry
         604800     ;Expire
         86400      ;Minimum TTL
 )
 @     IN   NS    ns01.prv.com.  ; name must be spelled correctly and end with a dot, or BIND appends the reverse zone origin
 @     IN   NS    ns02.prv.com.
 @     IN   NS    ns03.prv.com.
 @     IN   PTR   prv.com.
 1     IN   PTR   ns01.prv.com.
 2     IN   PTR   ns02.prv.com.
 3     IN   PTR   ns03.prv.com.
 181   IN   PTR   vc.prv.com.
 208   IN   PTR   srv.prv.com.
 35    IN   PTR   dc01.prv.com.

Now, I tried to join the ESXi server to the AD; however, an error was thrown saying the server could not join AD.

After a few tries I decided to check the logs on both the ESXi server and the DNS server. I started tcpdump on both servers and tried to join the ESXi server to the AD again. The following packets showed up:

NS01

 15:27:21.388453 IP srv.prv.com.51314 > ns01.prv.com.domain: 6822+ A? dc01.prv.com. (30)  
 15:27:21.388769 IP ns01.prv.com.domain > srv.prv.com.51314: 6822* 1/3/3 A 192.168.200.35 (151)  
 15:27:21.409225 ARP, Request who-has 192.168.200.234 tell srv.prv.com, length 46  
 15:27:21.487515 IP srv.prv.com.60836 > ns01.prv.com.domain: 38511+ SRV? _ldap._tcp.dc._msdcs.DC01.PRV.COM. (51)  
 15:27:21.487808 IP ns01.prv.com.domain > srv.prv.com.60836: 38511 NXDomain* 0/1/0 (96)  

ESXi

 09:42:21.388352 IP srv.prv.com.51314 > ns01.prv.com.domain: 6822+ A? dc01.prv.com. (30)  
 09:42:21.388870 IP truncated-ip - 97 bytes missing! ns01.prv.com.domain > srv.prv.com.51314: 6822* 1/3/3 A 192.168.200.35 (151)  
 09:42:21.487656 IP srv.prv.com.60836 > ns01.prv.com.domain: 38511+ SRV? _ldap._tcp.dc._msdcs.DC01.PRV.COM. (51)  

The communication between srv.prv.com (ESXi server) and ns01.prv.com (DNS server) can be broken down as follows:
  • srv.prv.com is sending a query to ns01.prv.com asking for the A record details (hostname to IP) of dc01.prv.com which is the AD server.
  • ns01.prv.com then sends a reply saying that the IP of dc01.prv.com is 192.168.2.35 as per the A record found in the zone file in the DNS server.
  • Then srv.prv.com sends a query to ns01.prv.com asking for the SRV record details of "_ldap._tcp.dc._msdcs.DC01.PRV.COM."
  • ns01.prv.com replies with NXDomain, meaning "_ldap._tcp.dc._msdcs.DC01.PRV.COM" does not exist: there is no such record in the zone file on the DNS server.
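To make the same diagnosis from a capture without reading it by hand, here is an added example (not from the original post) that pairs each DNS query in tcpdump output with its reply by client port and transaction id, and reports the lookups that failed. The capture lines are constructed to match the shape of the ones above, and the regexes assume tcpdump's default DNS summary format.

```python
import re

# Constructed tcpdump lines in the shape of the ns01 capture above (the second line carries the
# "truncated-ip" prefix tcpdump prints when the snaplen cuts a reply short, as in the ESXi capture).
CAPTURE = """\
15:27:21.388453 IP srv.prv.com.51314 > ns01.prv.com.domain: 6822+ A? dc01.prv.com. (30)
15:27:21.388769 IP truncated-ip - 97 bytes missing! ns01.prv.com.domain > srv.prv.com.51314: 6822* 1/3/3 A 192.168.2.35 (151)
15:27:21.487515 IP srv.prv.com.60836 > ns01.prv.com.domain: 38511+ SRV? _ldap._tcp.dc._msdcs.DC01.PRV.COM. (51)
15:27:21.487808 IP ns01.prv.com.domain > srv.prv.com.60836: 38511 NXDomain* 0/1/0 (96)
15:27:22.100000 IP srv.prv.com.60837 > ns01.prv.com.domain: 38512+ SRV? _kerberos._tcp.dc._msdcs.DC01.PRV.COM. (55)
"""

# query line: client host.port, transaction id, qtype, qname
QUERY = re.compile(r" IP (\S+) > \S+\.domain: (\d+)\+\S* (\w+)\? (\S+) ")
# reply line: destination host.port, transaction id, optional error rcode, answer count (ancount/nscount/arcount)
REPLY = re.compile(r"\.domain > (\S+): (\d+)\*?\s+(?:(NXDomain|ServFail|Refused|FormErr)\*?\s+)?(\d+)/\d+/\d+")

def failed_lookups(capture):
    """Pair each query with its reply by (client port, transaction id) and return the lookups that
    produced no usable answer as (client, qtype, qname, reason)."""
    pending, failures = {}, []
    for line in capture.splitlines():
        q = QUERY.search(line)
        if q:
            client, qid, qtype, qname = q.groups()
            pending[(client, qid)] = (qtype, qname)
            continue
        r = REPLY.search(line)
        if r and (r.group(1), r.group(2)) in pending:
            qtype, qname = pending.pop((r.group(1), r.group(2)))
            rcode, answers = r.group(3), int(r.group(4))
            if rcode or answers == 0:                       # error rcode, or NOERROR with nothing in the answer section
                failures.append((r.group(1).rsplit(".", 1)[0], qtype, qname, rcode or "empty answer"))
    for (client, _qid), (qtype, qname) in pending.items():  # queries that never got a reply in this capture
        failures.append((client.rsplit(".", 1)[0], qtype, qname, "no reply in capture"))
    return failures
```

Running it over the ESXi-side capture, where the reply to 38511 is absent, reports that query as unanswered instead of NXDomain, which is the difference between a missing record and a blocked or dropped reply.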
After an hour or so of searching, I found a guide with detailed steps for adding the required records to the DNS zone file. These SRV records are what Active Directory clients use to locate a domain controller, so they are required for AD authentication to work alongside BIND DNS. I then modified the forward zone file to add the missing SRV records:

 [root@ns01 ~]# cat /var/named/zones/forward.prv
 $TTL 86400
 @    IN   SOA   ns01.prv.com.  root.prv.com. (
         2018110522 ;Serial
         3600       ;Refresh
         1800       ;Retry
         604800     ;Expire
         86400      ;minimum TTL
 )
 @                          IN   NS    ns01.prv.com.
 @                          IN   NS    ns02.prv.com.
 @                          IN   NS    ns03.prv.com.
 ns01                       IN   A     192.168.2.1
 ns02                       IN   A     192.168.2.2
 ns03                       IN   A     192.168.2.3
 vc                         IN   A     192.168.2.181
 srv                        IN   A     192.168.2.208
 dc01                       IN   A     192.168.2.35
 _ldap._tcp.pdc._msdcs      IN   SRV   0 100  389  dc01.prv.com.
 _ldap._tcp.gc._msdcs       IN   SRV   0 100  3268 dc01.prv.com.
 _kerberos._tcp.dc._msdcs   IN   SRV   0 100  88   dc01.prv.com.
 _ldap._tcp.dc._msdcs       IN   SRV   0 100  389  dc01.prv.com.

Then I restarted the named service for the changes to be reflected.
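As an added check (example code, not from the post), this Python script parses a BIND forward zone and reports which of the four _msdcs SRV records above are missing, advertise an unexpected port, or point at a host with no A record in the zone; the zone text is a constructed sample that deliberately leaves out _ldap._tcp.dc._msdcs. A real domain controller registers further locator records as well (for example _ldap._tcp under the domain itself and site-specific names), so extend REQUIRED_SRV to whatever your clients actually query.

```python
ORIGIN = "prv.com."
# Constructed sample shaped like the forward zone above; it deliberately omits _ldap._tcp.dc._msdcs.
ZONE = """\
$TTL 86400
@      IN  SOA  ns01.prv.com. root.prv.com. ( 2018110522 ;Serial
                3600 1800 604800 86400 )
dc01   IN  A    192.168.2.35
_ldap._tcp.pdc._msdcs     IN  SRV  0 100 389  dc01.prv.com.
_ldap._tcp.gc._msdcs      IN  SRV  0 100 3268 dc01.prv.com.
_kerberos._tcp.dc._msdcs  IN  SRV  0 100 88   dc01.prv.com.
"""
# SRV owner names the post adds (relative to the origin) and the port each must advertise.
REQUIRED_SRV = {"_ldap._tcp.dc._msdcs": 389, "_ldap._tcp.pdc._msdcs": 389,
                "_ldap._tcp.gc._msdcs": 3268, "_kerberos._tcp.dc._msdcs": 88}
def absolute(name, origin):
    """Owner or target as written in the zone -> lowercase FQDN with trailing dot."""
    if name == "@":
        return origin.lower()
    return name.lower() if name.endswith(".") else f"{name}.{origin}".lower()

def parse_zone(text, origin):
    """Minimal BIND zone parser -> {fqdn: [(rtype, rdata_fields)]}; assumes each record line names its owner."""
    records, in_paren = {}, False
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()                     # drop comments
        if in_paren or ("(" in line and ")" not in line):       # skip multi-line ( ... ) rdata such as the SOA
            in_paren = ")" not in line
            continue
        if not line or line.startswith("$"):                    # blank lines and $TTL/$ORIGIN directives
            continue
        owner, *rest = line.split()
        while rest and (rest[0].isdigit() or rest[0].upper() == "IN"):   # optional TTL / class
            rest = rest[1:]
        records.setdefault(absolute(owner, origin), []).append((rest[0].upper(), rest[1:]))
    return records

def check_ad_srv(records, origin):
    """List locator SRV records that are missing, advertise the wrong port, or point at a target with no A record."""
    problems = []
    for rel, port in REQUIRED_SRV.items():
        fqdn = absolute(rel, origin)
        srvs = [rd for rt, rd in records.get(fqdn, []) if rt == "SRV"]
        if not srvs:
            problems.append(f"missing SRV {fqdn}")
        for _prio, _weight, p, target in srvs:
            if int(p) != port:
                problems.append(f"{fqdn}: port {p}, expected {port}")
            if not any(rt == "A" for rt, _ in records.get(absolute(target, origin), [])):
                problems.append(f"{fqdn}: target {target} has no A record in the zone")
    return problems
```

Point it at the real file with open("/var/named/zones/forward.prv").read() before reloading named, and the missing record from the capture above is caught before the next join attempt.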

Now, when I tried to join the ESXi and vCenter servers to the AD server with the following credentials, it finally succeeded.
