Set up BIND9 for Linux AD-DC on Ubuntu 18.04 - Part 2

Reconfigure BIND9 for Linux AD-DC on Ubuntu 18.04. Yes, we’ve already gone almost half way. In the first article, we pre-set bind9. Pre-configuring allowed us to initiate the Active Directory domain controller. Now we need to adjust bind9 so that it is ready to take on the role of a full-fledged DNS server domain controller and serve both the local area, and redirect unknown requests to his DNS forwarder.

All articles in best to study order:

Set up BIND9 for Linux AD-DC – Activate the integration of DL
```
sudo nano /var/lib/samba/private/named.conf
```
If everything was done correctly, there will be a line in charge of integrating our version of samba with our bind9 version.

Activation of BIND9

DLThe same file should be inked in the main name configuration
```
sudo nano /etc/bind/named.conf
```
Add to the end
```
include "/var/lib/samba/private/named.conf";
```
Complement name.c

onf

Check the rights to dns.keytab

ls -l /var/lib/samba/private/dns.keytab

AdminGuide.Ru@ag-dc-1:~$ ls -l /var/lib/samba/private/dns.keytab
-rw-r----- 2 root bind 802 Apr 3 19:36 /var/lib/samba/private/dns.keytab

Check the rights to the folder /bind-dns/

ls -ld /var/lib/samba/private

adminguideru@ag-dc-1:~$ ls -ld /var/lib/samba/private
drwxr-xr-x 6 root root 4096 Aug 25 20:43 /var/lib/samba/private

See the rights to /etc/krb5.conf

ls -l /etc/krb5.conf

AdminGuide.Ru@ag-dc-1:~$ ls -l /etc/krb5.conf
-rw-r--r-- 1 root bind 2891 Apr 3 17:51 /etc/krb5.conf

In the event of a discrepancy

sudo chown root:bind /etc/krb5.conf

Check the availability of nsupdate

which nsupdate

AdminGuide.Ru@ag-dc-1:~$ which nsupdate
/usr/bin/nsupdate

Set up BIND9 for Linux AD-DCSup load list of root dns servers

sudo wget -q -O /var/cache/bind/named.root http://www.internic.net/zones/named.root
sudo chown root:bind /var/cache/bind/named.root
sudo chmod 640 /var/cache/bind/named.root

Set up BIND9 for Linux AD-DC Check Config
```
sudo named-checkconf
sudo service bind9 start
```
If no errors are found, the name-checkconf will not give out any information, you can try to run the service. If the launch attempt also does not give any critiques directly to the terminal – then good. DNS server almost ready to go

Set up BIND9 for Linux AD-DC – Create zone files

sudo mkdir /var/cache/bind/master
sudo chown bind:bind /var/cache/bind/master

Localhost

sudo nano /var/cache/bind/master/localhost.zone

We copy the following:

$TTL 3D
$ORIGIN localhost.
@ 1D IN SOA @ root (
                       2013050101 ; serial
                       8H ; refresh
                       2H ; retry
                       4W ; expiry
                       1D ; minimum
                       )
@ IN NS @
        IN A 127.0.0.1

Changing owner and access rights

sudo chown bind:bind /var/cache/bind/master/localhost.zone
sudo chmod 640 /var/cache/bind/master/localhost.zone

0.0.127.in-addr.arpa

sudo nano /var/cache/bind/master/0.0.127.zone

$TTL 3D
@ IN SOA localhost. root.localhost. (
                        2013050101 ; Serial
                        8H ; Refresh
                        2H ; Retry
                        4W ; Expire
                        1D ; Minimum TTL
                        )
IN NS localhost.
1 IN PTR localhost.

sudo chown bind:bind /var/cache/bind/master/0.0.127.zone
sudo chmod 640 /var/cache/bind/master/0.0.127.zone

We start and restart bind9, check created zones

sudo service bind9 restart
host -t A localhost 127.0.0.1
host -t PTR 127.0.0.1 127.0.0.1

AdminGuide.Ru@ag-dc-1:~$ sudo service bind9 restart
AdminGuide.Ru@ag-dc-1:~$ host -t A localhost 127.0.0.1
Using domain server:
Name: 127.0.0.1
Address: 127.0.0.1#53
Aliases: 
localhost has address 127.0.0.1
AdminGuide.Ru@ag-dc-1:~$ host -t PTR 127.0.0.1 127.0.0.1
Using domain server:
Name: 127.0.0.1
Address: 127.0.0.1#53
Aliases: 
1.0.0.127.in-addr.arpa domain name pointer localhost.

If you see the following error on host queries:

;; connection timed out; no servers could be reached

So most likely you have a naughty apparmor.
We watch the log with the help of the command:

tail -n 50 /var/log/syslog

If you see lines there by type:

Aug 25 20:48:53 ag-dc-1 kernel:[ 6806.022442] audit: type=1400 audit(1598377733.390:19): apparmor="DENIED" operation="open" profile="/usr/sbin/named" name="/var/lib/samba/private/named.conf" pid=4028 comm="isc-worker0001" requested_mask="r" denied_mask="r" fsuid=111 ouid=0

This means that AppArmor works properly and protects your server. Because AppArmor settings are not the subject of this article, simply disable it and re-run the current item.

Turning off AppArmor

With systemctl stop, disable and ban auto-start for AppArmor

sudo systemctl stop apparmor && sudo systemctl disable apparmor && sudo systemctl mask apparmor

Rebooting the server

sudo reboot -h now

Let’s move on to the section: “Ubuntu Domain Controller – Settings – Part 2”

At the moment, all text content a week earlier is published in my zen blog. Russian-language premieres of video lessons 🙂

The same videos are published on Youtube channel, but there are first English-language premieres 🙂

Платные курсы

Бесплатное обучение

Платные курсы

Бесплатное обучение

Boosty

Платные курсы

Boosty

Configuring BIND9 for Linux AD-DC on Ubuntu 18.04 – Part 1

Linux AD-DC on Ubuntu 18.04 – Setting Samba4 – Part 1