Main page » Set up BIND9 for Linux AD-DC on Ubuntu 18.04 – Part 2

Set up BIND9 for Linux AD-DC on Ubuntu 18.04 – Part 2

by Belfigor
88 views
Set up BIND9 for Linux AD-DC on Ubuntu 18.04 – Part 2

Reconfigure BIND9 for Linux AD-DC on Ubuntu 18.04. Yes, we’ve already gone almost half way. In the first article, we pre-set bind9. Pre-configuring allowed us to initiate the Active Directory domain controller. Now we need to adjust bind9 so that it is ready to take on the role of a full-fledged DNS server domain controller and serve both the local area, and redirect unknown requests to his DNS forwarder.

All articles in best to study order:

  1. Configuring BIND9 for Linux AD-DC on Ubuntu 18.04 – Part 1

  2. Linux AD-DC on Ubuntu 18.04 – Setting Samba4 – Part 1

  3. Set up BIND9 for Linux AD-DC on Ubuntu 18.04 – Part 2

  4. Linux Samba4 AD-DC on Ubuntu 18.04 – Settings – Part 2

  5. DHCP server for Linux AD-DC Ubuntu 18.04. Integration with BIND9

  6. Domain Controller on Ubuntu 18.04 – Time Synchronization – NTP

  7. Administering the Linux domain controller

 

    1. Set up BIND9 for Linux AD-DC – Activate the integration of DL

      sudo nano /var/lib/samba/private/named.conf

      If everything was done correctly, there will be a line in charge of integrating our version of samba with our bind9 version.

      Set up BIND9 for Linux AD-DC on Ubuntu 18.04 - Part 2 - Activation OF BIND9 DL

      Activation of BIND9

      DLThe same file should be inked in the main name configuration

      sudo nano /etc/bind/named.conf

      Add to the end

      include "/var/lib/samba/private/named.conf";
      Set up BIND9 for Linux AD-DC on Ubuntu 18.04 - Part 2 - Supplement name.conf

      Complement name.c

      onf

    2. Check the rights to dns.keytab

      ls -l /var/lib/samba/private/dns.keytab
      AdminGuide.Ru@ag-dc-1:~$ ls -l /var/lib/samba/private/dns.keytab
      -rw-r----- 2 root bind 802 Apr 3 19:36 /var/lib/samba/private/dns.keytab
    3. Check the rights to the folder /bind-dns/

      ls -ld /var/lib/samba/private
      adminguideru@ag-dc-1:~$ ls -ld /var/lib/samba/private
      drwxr-xr-x 6 root root 4096 Aug 25 20:43 /var/lib/samba/private
    4. See the rights to /etc/krb5.conf

      ls -l /etc/krb5.conf
      AdminGuide.Ru@ag-dc-1:~$ ls -l /etc/krb5.conf
      -rw-r--r-- 1 root bind 2891 Apr 3 17:51 /etc/krb5.conf

      In the event of a discrepancy

      sudo chown root:bind /etc/krb5.conf
    5. Check the availability of nsupdate

      which nsupdate
      AdminGuide.Ru@ag-dc-1:~$ which nsupdate
      /usr/bin/nsupdate
    6. Set up BIND9 for Linux AD-DCSup load list of root dns servers

      sudo wget -q -O /var/cache/bind/named.root http://www.internic.net/zones/named.root
      sudo chown root:bind /var/cache/bind/named.root
      sudo chmod 640 /var/cache/bind/named.root
    7. Set up BIND9 for Linux AD-DC Check Config

      sudo named-checkconf
      sudo service bind9 start

      If no errors are found, the name-checkconf will not give out any information, you can try to run the service. If the launch attempt also does not give any critiques directly to the terminal – then good. DNS server almost ready to go

    8. Set up BIND9 for Linux AD-DC – Create zone files

      sudo mkdir /var/cache/bind/master
      sudo chown bind:bind /var/cache/bind/master
      1. Localhost

        sudo nano /var/cache/bind/master/localhost.zone

        We copy the following:

        $TTL 3D
        
        $ORIGIN localhost.
        
        @ 1D IN SOA @ root (
                               2013050101 ; serial
                               8H ; refresh
                               2H ; retry
                               4W ; expiry
                               1D ; minimum
                               )
        
        @ IN NS @
                IN A 127.0.0.1

        Changing owner and access rights

        sudo chown bind:bind /var/cache/bind/master/localhost.zone
        sudo chmod 640 /var/cache/bind/master/localhost.zone
      2. 0.0.127.in-addr.arpa

        sudo nano /var/cache/bind/master/0.0.127.zone
        $TTL 3D
        
        @ IN SOA localhost. root.localhost. (
                                2013050101 ; Serial
                                8H ; Refresh
                                2H ; Retry
                                4W ; Expire
                                1D ; Minimum TTL
                                )
        
        IN NS localhost.
        
        1 IN PTR localhost.
        sudo chown bind:bind /var/cache/bind/master/0.0.127.zone
        sudo chmod 640 /var/cache/bind/master/0.0.127.zone
    9. We start and restart bind9, check created zones

      sudo service bind9 restart
      host -t A localhost 127.0.0.1
      host -t PTR 127.0.0.1 127.0.0.1
      
      AdminGuide.Ru@ag-dc-1:~$ sudo service bind9 restart
      AdminGuide.Ru@ag-dc-1:~$ host -t A localhost 127.0.0.1
      Using domain server:
      Name: 127.0.0.1
      Address: 127.0.0.1#53
      Aliases: 
      
      localhost has address 127.0.0.1
      AdminGuide.Ru@ag-dc-1:~$ host -t PTR 127.0.0.1 127.0.0.1
      Using domain server:
      Name: 127.0.0.1
      Address: 127.0.0.1#53
      Aliases: 
      
      1.0.0.127.in-addr.arpa domain name pointer localhost.

      If you see the following error on host queries:

      ;; connection timed out; no servers could be reached
      

      So most likely you have a naughty apparmor.
      We watch the log with the help of the command:

      tail -n 50 /var/log/syslog

      If you see lines there by type:

      Aug 25 20:48:53 ag-dc-1 kernel:[ 6806.022442] audit: type=1400 audit(1598377733.390:19): apparmor="DENIED" operation="open" profile="/usr/sbin/named" name="/var/lib/samba/private/named.conf" pid=4028 comm="isc-worker0001" requested_mask="r" denied_mask="r" fsuid=111 ouid=0
      

      This means that AppArmor works properly and protects your server. Because AppArmor settings are not the subject of this article, simply disable it and re-run the current item.

      1. Turning off AppArmor

        With systemctl stop, disable and ban auto-start for AppArmor

        sudo systemctl stop apparmor && sudo systemctl disable apparmor && sudo systemctl mask apparmor

        Rebooting the server

        sudo reboot -h now
    10. Let’s move on to the section: “Ubuntu Domain Controller – Settings – Part 2”

At the moment, all text content a week earlier is published in my zen blog. Russian-language premieres of video lessons 🙂

The same videos are published on Youtube channel, but there are first English-language premieres 🙂

Text.ru - 100.00%

You may also like

Leave a Comment