Reconfigure BIND9 for Linux AD-DC on Ubuntu 18.04. Yes, we are already almost halfway there. In the first article we pre-configured bind9, and that pre-configuration let us provision the Active Directory domain controller. Now we need to adjust bind9 so that it can take on the role of a full-fledged domain controller DNS server: serve the local zones itself and forward unknown queries to its DNS forwarder.
All articles, in the recommended study order:
- Configuring BIND9 for Linux AD-DC on Ubuntu 18.04 – Part 1
- Linux AD-DC on Ubuntu 18.04 – Setting Samba4 – Part 1
- Set up BIND9 for Linux AD-DC on Ubuntu 18.04 – Part 2
- Linux Samba4 AD-DC on Ubuntu 18.04 – Settings – Part 2
- DHCP server for Linux AD-DC Ubuntu 18.04. Integration with BIND9
- Domain Controller on Ubuntu 18.04 – Time Synchronization – NTP
- Administering the Linux domain controller
-
Set up BIND9 for Linux AD-DC – Activate the DLZ integration
sudo nano /var/lib/samba/private/named.conf
If everything was done correctly, this file contains the line that loads the Samba DLZ module built for our bind9 version.
The same file must be included from the main named configuration:
sudo nano /etc/bind/named.conf
Add to the end of the file:
include "/var/lib/samba/private/named.conf";
-
Check the permissions on dns.keytab (owner root, group bind, mode 640, as in the output below)
ls -l /var/lib/samba/private/dns.keytab
AdminGuide.Ru@ag-dc-1:~$ ls -l /var/lib/samba/private/dns.keytab
-rw-r----- 2 root bind 802 Apr 3 19:36 /var/lib/samba/private/dns.keytab
-
Check the permissions on the folder /bind-dns/ (on this Samba version it is still /var/lib/samba/private)
ls -ld /var/lib/samba/private
adminguideru@ag-dc-1:~$ ls -ld /var/lib/samba/private
drwxr-xr-x 6 root root 4096 Aug 25 20:43 /var/lib/samba/private
-
Check the permissions on /etc/krb5.conf
ls -l /etc/krb5.conf
AdminGuide.Ru@ag-dc-1:~$ ls -l /etc/krb5.conf
-rw-r--r-- 1 root bind 2891 Apr 3 17:51 /etc/krb5.conf
If the ownership differs:
sudo chown root:bind /etc/krb5.conf
-
Check that nsupdate is available
which nsupdate
AdminGuide.Ru@ag-dc-1:~$ which nsupdate
/usr/bin/nsupdate
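The four checks above are worth scripting so they can be repeated after every Samba or bind9 upgrade. The following Python script is an added example, not code from the original article: the expected values are copied from the ls -l output above, and the broken layout at the end is a constructed sample.

```python
import grp
import os
import pwd
import shutil
import stat

# Expected owner, group and mode for the paths checked above, taken from the
# ls -l output on this page. dns.keytab holds the Kerberos key that named
# uses for dynamic updates, so only root and the bind group may read it.
EXPECTED = {
    "/var/lib/samba/private/dns.keytab": ("root", "bind", 0o640),
    "/var/lib/samba/private": ("root", "root", 0o755),
    "/etc/krb5.conf": ("root", "bind", 0o644),
}

def real_stat(path):
    """Return (owner, group, mode) for a path on the live system."""
    st = os.stat(path)
    return (pwd.getpwuid(st.st_uid).pw_name,
            grp.getgrgid(st.st_gid).gr_name,
            stat.S_IMODE(st.st_mode))

def audit(expected, stat_fn=real_stat, which=shutil.which):
    """Return a list of findings; an empty list means the layout matches the page.

    stat_fn and which are injectable so the same check runs against recorded
    values (as in the constructed sample below) or against the live host.
    """
    findings = []
    for path, (owner, group, mode) in expected.items():
        try:
            have_owner, have_group, have_mode = stat_fn(path)
        except (FileNotFoundError, KeyError):
            findings.append(f"{path}: missing")
            continue
        if (have_owner, have_group) != (owner, group):
            findings.append(f"{path}: owner {have_owner}:{have_group}, want {owner}:{group}")
        if have_mode != mode:
            findings.append(f"{path}: mode {have_mode:o}, want {mode:o}")
        if path.endswith("dns.keytab") and have_mode & 0o007:
            findings.append(f"{path}: world-readable keytab")
    if which("nsupdate") is None:
        findings.append("nsupdate: not found in PATH")
    return findings

# Constructed broken layout: krb5.conf lost its bind group, the keytab got o+r.
SAMPLE_BAD = dict(EXPECTED)
SAMPLE_BAD["/etc/krb5.conf"] = ("root", "root", 0o644)
SAMPLE_BAD["/var/lib/samba/private/dns.keytab"] = ("root", "bind", 0o644)
```

On the domain controller, audit(EXPECTED) stats the real paths; the injectable stat_fn lets the same logic be exercised offline against recorded values such as SAMPLE_BAD.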
-
Set up BIND9 for Linux AD-DC – Download the list of root DNS servers (root hints)
sudo wget -q -O /var/cache/bind/named.root http://www.internic.net/zones/named.root
sudo chown root:bind /var/cache/bind/named.root
sudo chmod 640 /var/cache/bind/named.root
-
Set up BIND9 for Linux AD-DC – Check the configuration
sudo named-checkconf
sudo service bind9 start
If no errors are found, named-checkconf prints nothing and you can try to start the service. If the start attempt also prints no complaints to the terminal, good: the DNS server is almost ready to go.
-
Set up BIND9 for Linux AD-DC – Create zone files
sudo mkdir /var/cache/bind/master
sudo chown bind:bind /var/cache/bind/master
-
Localhost
sudo nano /var/cache/bind/master/localhost.zone
Paste the following:
$TTL 3D
$ORIGIN localhost.
@       1D  IN  SOA  @ root (
                2013050101  ; serial
                8H          ; refresh
                2H          ; retry
                4W          ; expiry
                1D          ; minimum
                )
@           IN  NS   @
            IN  A    127.0.0.1
Change the owner and access rights:
sudo chown bind:bind /var/cache/bind/master/localhost.zone
sudo chmod 640 /var/cache/bind/master/localhost.zone
-
0.0.127.in-addr.arpa
sudo nano /var/cache/bind/master/0.0.127.zone
$TTL 3D
@           IN  SOA  localhost. root.localhost. (
                2013050101  ; Serial
                8H          ; Refresh
                2H          ; Retry
                4W          ; Expire
                1D          ; Minimum TTL
                )
            IN  NS   localhost.
1           IN  PTR  localhost.
sudo chown bind:bind /var/cache/bind/master/0.0.127.zone
sudo chmod 640 /var/cache/bind/master/0.0.127.zone
-
Restart bind9 and check the created zones
sudo service bind9 restart
host -t A localhost 127.0.0.1
host -t PTR 127.0.0.1 127.0.0.1
AdminGuide.Ru@ag-dc-1:~$ sudo service bind9 restart
AdminGuide.Ru@ag-dc-1:~$ host -t A localhost 127.0.0.1
Using domain server:
Name: 127.0.0.1
Address: 127.0.0.1#53
Aliases:

localhost has address 127.0.0.1
AdminGuide.Ru@ag-dc-1:~$ host -t PTR 127.0.0.1 127.0.0.1
Using domain server:
Name: 127.0.0.1
Address: 127.0.0.1#53
Aliases:

1.0.0.127.in-addr.arpa domain name pointer localhost.
If the host queries fail with the following error:
;; connection timed out; no servers could be reached
then most likely AppArmor is misbehaving.
Look at the log with the command:
tail -n 50 /var/log/syslog
If you see lines there like:
Aug 25 20:48:53 ag-dc-1 kernel:[ 6806.022442] audit: type=1400 audit(1598377733.390:19): apparmor="DENIED" operation="open" profile="/usr/sbin/named" name="/var/lib/samba/private/named.conf" pid=4028 comm="isc-worker0001" requested_mask="r" denied_mask="r" fsuid=111 ouid=0
this means that AppArmor is working properly and protecting your server. Because AppArmor settings are not the subject of this article, simply disable it and repeat the current step.
-
Turning off AppArmor
Stop AppArmor with systemctl, disable it, and mask it so that it cannot be started again:
sudo systemctl stop apparmor && sudo systemctl disable apparmor && sudo systemctl mask apparmor
Reboot the server:
sudo reboot -h now
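As an alternative to switching AppArmor off, the DENIED lines above already say exactly which paths named needs. The following Python script is an added example, not code from the original article: it extracts those paths from the audit records and emits least-privilege AppArmor file rules for the named profile. The second log line (for dns.keytab) is a constructed sample, and the local profile path /etc/apparmor.d/local/usr.sbin.named mentioned after the block is an assumption about Ubuntu's bind9 package.

```python
import re

# Constructed sample log: the syslog line quoted above, plus a second denial
# for dns.keytab in the same format (assumed, not taken from the page).
SAMPLE_LOG = """\
Aug 25 20:48:53 ag-dc-1 kernel:[ 6806.022442] audit: type=1400 audit(1598377733.390:19): apparmor="DENIED" operation="open" profile="/usr/sbin/named" name="/var/lib/samba/private/named.conf" pid=4028 comm="isc-worker0001" requested_mask="r" denied_mask="r" fsuid=111 ouid=0
Aug 25 20:48:53 ag-dc-1 kernel:[ 6806.022501] audit: type=1400 audit(1598377733.390:20): apparmor="DENIED" operation="open" profile="/usr/sbin/named" name="/var/lib/samba/private/dns.keytab" pid=4028 comm="isc-worker0001" requested_mask="r" denied_mask="r" fsuid=111 ouid=0
"""

FIELD = re.compile(r'(\w+)="([^"]*)"')   # key="value" pairs in an audit record
FILE_PERMS = set("rwalkm")                # AppArmor file access letters passed through

def parse_denials(text, profile="/usr/sbin/named"):
    """Yield (path, denied_mask) for each AppArmor DENIED event of `profile`."""
    for line in text.splitlines():
        if 'apparmor="DENIED"' not in line:
            continue
        fields = dict(FIELD.findall(line))
        if fields.get("profile") != profile or "name" not in fields:
            continue
        # denied_mask is what is still missing; fall back to requested_mask
        yield fields["name"], fields.get("denied_mask") or fields.get("requested_mask", "")

def rules_for(text, profile="/usr/sbin/named"):
    """Merge denials per path and return sorted AppArmor file rules.

    Masks for the same path are unioned, so a later 'w' denial widens an
    earlier 'r' rule instead of producing a second line. Letters outside
    FILE_PERMS (e.g. exec modes) are dropped and left for a human to review.
    """
    wanted = {}
    for path, mask in parse_denials(text, profile):
        wanted[path] = wanted.get(path, set()) | (set(mask) & FILE_PERMS)
    return [f'"{path}" {"".join(sorted(perms))},'
            for path, perms in sorted(wanted.items()) if perms]

if __name__ == "__main__":
    print("\n".join(rules_for(SAMPLE_LOG)))
```

Append the generated lines to /etc/apparmor.d/local/usr.sbin.named (the local override file that Ubuntu's bind9 profile includes) and reload the profile with sudo apparmor_parser -r /etc/apparmor.d/usr.sbin.named, then repeat the host queries with AppArmor still enforcing.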
-
Let’s move on to the section: “Ubuntu Domain Controller – Settings – Part 2”
-
At the moment all text content is published a week earlier on my Zen blog, together with the Russian-language premieres of the video lessons :)
The same videos are published on the YouTube channel, where the English-language premieres appear first :)