How can I import BIND DNS into an Active Directory |
Author: lodogg (Admin Group)
Joined: 25 January 2003, Posts: 1831
Topic: How can I import BIND DNS into an Active Directory
Posted: 26 February 2009 at 9:44pm
I found this great post!
-------------------
We are currently running BIND 9 on Windows servers for DNS. I'd like to convert this over to an AD DNS implementation since we are converting everything to Active Directory.
Is there a way I can simply import the BIND .DNS files that I have? Typing all this in is going to be tedious and troublesome...
-------------------
I'm not an expert in this area, but while someone else responds... what I would do is set up zone transfers on the BIND servers to your AD DNS server. Then, allow on your AD DNS server non-secure updates temporarily from that host. In a nutshell. The issue then will be to set your clients to point to the new DNS server. Also, I'm not sure how the created records in your new AD DNS will dynamically update once clients change IPs, etc.
-------------------
Well, the idea is to get away from BIND completely, so they won't need to update in the future... it will all be AD. My question, I guess, is how can I allow BIND to do a zone transfer to an AD server? I don't know much about BIND, and all I can seem to find is information about incremental zone transfers, which I don't want; I want the whole kit and caboodle moved over ASAP!
-------------------
It is not necessary to allow dynamic updates to implement the above zone-transfer method, but it should be enabled to simplify management of DNS when clients register themselves.
When storing the zone in AD you can secure the zone data to only allow secure updates, which requires that the computer is a member of AD.
Method 1:
As above, the BIND server needs to allow zone transfers. Create a new secondary zone on the AD server pointing to the BIND server. The zone will be transferred automatically when the serial number for the zone is incremented on the master server. Change the zone type on the AD server to primary zone and enable storing the data in AD.
Method 2:
Create a new primary zone on the AD server without enabling storage of the data in AD. Copy the original DNS file from the BIND server to %WINDIR%\System32\dns on the AD server. Reload the zone. Change the zone property to be stored in AD. This gives better security and replication than the old primary/secondary file usage.
Method 3:
Create a primary zone on the AD server and allow dynamic updates for the zone. Change the clients to use the new DNS server (preferably done through DHCP) and run ipconfig /registerdns, or wait until they do it automatically.
-------------------
OK, so I am gathering that I still need to create the zones on the Windows/AD DNS server first, then BIND will transfer them to the AD server...?
Will the static records get pushed to the AD server? I am seeing conflicting info here...? I only need it to transfer all my static entries one time, not dynamically over time. Once they are transferred, I am going to turn BIND off and use all Active Directory for DNS.
-------------------
Zone transfer will transfer all records for the DNS zone. You will get a conflict when clients try to register dynamically and you have static records, resulting in logging that the client could not register/update its record in DNS.
-------------------
Yeah, you have to create the zone in your AD DNS in order to receive zone transfers. Unfortunately, I don't think you'll be able to differentiate the type of records you want transferred by static/dynamic, like Henjoh09 said.
What I would do about the dynamic records is to do the zone transfers anyway and then script the updating of those records that are dynamic to either change them (still waiting on a colleague's answer on how to differentiate between a static record and a dynamic record), or delete them and have them recreated (if it can't be scripted to change a record from static to dynamic). To create the list of dynamic records I would just create a simple AD query for all computer objects. It's good that even cluster names appear as a computer object in AD. Then use that list for either the script that modifies the dynamic records, or the script that will delete the static records and have them be recreated via a psexec ipconfig /registerdns, etc. Either way you would need it.
To get that list ...
1. launch the command prompt as an administrator
2. type "dsquery computer" or "dsquery computer OUpath parameters" http://technet.microsoft.com/en-us/library/cc730720.aspx
3. At the end of the previous command before pressing enter add the -limit parameter or else it will cap off at 100 entries. You can type 0 as the value after -limit so that all entries are returned.
4. At the end of that type the > for piping the results to a txt file of your choosing. Before the pipe you can add -uoc to specify Unicode as output
5. The whole thing should look like "dsquery computer -limit 0 -uoc > c:\mycomputerobjects.txt"
6. Create a cheesy script or, even better, open it using Excel, but use the comma as the delimiting value to split the distinguished name up. The first field will be the canonical name CN. That should contain the name of the computer object itself. Only copy that column. Paste it into Notepad. Do a "Replace..." to replace all instances of "CN=" with nothing. Voilà, there is your list of a ton of dynamic records that need changing.
-------------------
I forgot to tell you. If my colleague confirms that there is a parameter of the records themselves that can be modified to make it a dynamic record then http://msdn.microsoft.com/en-us/library/ms682132(VS.85).aspx can be used to script your modification of all the Address Records using the list created with the above 6 steps. I can help you with that.
-------------------
I can tell you it went just fine; the records in the DNS zones came right over without a hitch. I'm still testing it, but so far everything looks fantastic.
The only bad question is the question that is not asked.
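Method 1 from the quoted thread (pull the zone from BIND as a secondary, then promote it to an AD-integrated primary), written out as an added example for a current Windows Server with the DnsServer module. This is not code from the thread or from any of its participants; the zone name corp.example, the BIND master 10.0.0.5 and the AD DNS server 10.0.0.10 are placeholders. Two points the thread glosses over are built in: the BIND side should allow AXFR only to the AD DNS server (an open allow-transfer hands the whole zone to anyone who asks), and, as Henjoh09 notes, the transfer route needs no non-secure dynamic updates at all, so the zone can go straight to secure-only.

```powershell
#Requires -Modules DnsServer
# Added example, not from the thread. Placeholders: corp.example, 10.0.0.5 (BIND), 10.0.0.10 (this host).
#
# Prerequisite on the BIND side (named.conf): let only this server pull the zone.
#   zone "corp.example" {
#       type master; file "corp.example.zone";
#       allow-transfer { 10.0.0.10; };   # not "any": AXFR returns every record in the zone
#   };
[CmdletBinding()]
param(
    [string]      $ZoneName   = 'corp.example',
    [IPAddress[]] $BindMaster = @('10.0.0.5')
)
$ErrorActionPreference = 'Stop'

# 1. File-backed secondary zone with BIND as master, then force a full (AXFR) transfer.
#    No dynamic updates, secure or otherwise, are needed for this step.
Add-DnsServerSecondaryZone -Name $ZoneName -ZoneFile "$ZoneName.dns" -MasterServers $BindMaster
Start-DnsServerZoneTransfer -Name $ZoneName -FullTransfer

# 2. Do not promote until the local copy matches BIND: compare SOA serial numbers.
$masterSerial = (Resolve-DnsName -Name $ZoneName -Type SOA -Server $BindMaster[0] |
                 Where-Object Type -eq 'SOA').SerialNumber
$localSerial  = $null
for ($i = 0; $i -lt 30 -and $localSerial -ne $masterSerial; $i++) {
    Start-Sleep -Seconds 2
    $localSerial = (Resolve-DnsName -Name $ZoneName -Type SOA -Server 127.0.0.1 -ErrorAction SilentlyContinue |
                    Where-Object Type -eq 'SOA').SerialNumber
}
if ($localSerial -ne $masterSerial) {
    throw "Secondary zone $ZoneName is at serial '$localSerial', BIND is at '$masterSerial'; transfer did not complete."
}
$recordCount = @(Get-DnsServerResourceRecord -ZoneName $ZoneName).Count
Write-Verbose "Transferred $recordCount records at serial $localSerial."

# 3. Promote to an AD-integrated primary replicated to every DNS server in the domain.
ConvertTo-DnsServerPrimaryZone -Name $ZoneName -ReplicationScope Domain -Force

# 4. Lock it down: secure dynamic updates only (domain members authenticate with Kerberos,
#    so an unauthenticated host cannot overwrite a record), and stop answering AXFR now
#    that replication runs over AD instead of zone transfers.
Set-DnsServerPrimaryZone -Name $ZoneName -DynamicUpdate Secure -SecureSecondaries NoTransfer

# Show the end state: ZoneType Primary, IsDsIntegrated True, DynamicUpdate Secure.
Get-DnsServerZone -Name $ZoneName |
    Format-List ZoneName, ZoneType, IsDsIntegrated, DynamicUpdate, SecureSecondaries
```

On a 2009-era server without the DnsServer module the same four steps are dnscmd /ZoneAdd corp.example /Secondary 10.0.0.5, dnscmd /ZoneRefresh corp.example, dnscmd /ZoneResetType corp.example /DsPrimary and dnscmd /Config corp.example /AllowUpdate 2 (2 = secure updates only). Either way, keep BIND running until the clients have been repointed through DHCP and the AD zone has been verified, and remove the allow-transfer entry from named.conf when BIND is retired.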
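The static-versus-dynamic question that the thread leaves open, as an added example (not code from the thread or its participants): in Windows DNS a record registered by a client carries an aging timestamp, while a record typed in, loaded from a file or received by zone transfer has none. That is the distinction the poster's colleague was asked for. The imported records are also owned by whoever created the zone, not by the computer accounts, so under secure-only dynamic update a domain member cannot overwrite its own name and logs a registration failure, exactly the conflict Henjoh09 describes. The script below builds the same computer list the thread makes with dsquery, deletes only the static A records whose name matches a computer account, writes an audit CSV first, and leaves printers, appliances and other non-domain hosts static. The zone name corp.example is a placeholder; run it with -WhatIf before running it for real.

```powershell
#Requires -Modules DnsServer, ActiveDirectory
# Added example, not from the thread. Placeholder: zone corp.example. Supports -WhatIf.
[CmdletBinding(SupportsShouldProcess)]
param(
    [string] $ZoneName   = 'corp.example',
    [string] $ReportPath = (Join-Path $env:TEMP "static-a-records-$ZoneName.csv")
)
$ErrorActionPreference = 'Stop'

# Same list the thread builds with "dsquery computer -limit 0": every computer account's
# short name. Case-insensitive because DNS names are.
$computerSet = [System.Collections.Generic.HashSet[string]]::new([System.StringComparer]::OrdinalIgnoreCase)
Get-ADComputer -Filter * | ForEach-Object { [void]$computerSet.Add($_.Name) }

# Leave domain controllers alone: Netlogon refreshes their records, and a gap in a DC's
# A record breaks client logon. Handle those by hand in a maintenance window if needed.
foreach ($dc in (Get-ADDomainController -Filter *)) { [void]$computerSet.Remove($dc.Name) }

# Static records have no aging Timestamp; dynamically registered ones do. Skip the zone apex.
$staticA = @(Get-DnsServerResourceRecord -ZoneName $ZoneName -RRType A |
             Where-Object { $null -eq $_.Timestamp -and $_.HostName -ne '@' })

$toReset = @($staticA | Where-Object { $computerSet.Contains($_.HostName) })
$keep    = $staticA.Count - $toReset.Count   # non-domain hosts: these stay static on purpose

# Audit trail before anything is deleted: a host that never re-registers can be restored
# from this file instead of silently disappearing from DNS.
$toReset |
    Select-Object HostName,
                  @{ n = 'IPv4Address'; e = { $_.RecordData.IPv4Address.IPAddressToString } },
                  TimeToLive |
    Export-Csv -Path $ReportPath -NoTypeInformation

foreach ($rr in $toReset) {
    $ip = $rr.RecordData.IPv4Address.IPAddressToString
    if ($PSCmdlet.ShouldProcess("$($rr.HostName).$ZoneName -> $ip", 'Remove static A record')) {
        Remove-DnsServerResourceRecord -ZoneName $ZoneName -RRType A -Name $rr.HostName -RecordData $ip -Force
    }
}

Write-Output ("{0} static A records matched computer accounts; {1} left static. Report: {2}" -f
              $toReset.Count, $keep, $ReportPath)

# Optional: make the hosts re-register now instead of at their next refresh (needs WinRM);
# otherwise run ipconfig /registerdns on each, as the thread suggests, or simply wait.
# Invoke-Command -ComputerName $toReset.HostName -ScriptBlock { ipconfig /registerdns } -ErrorAction Continue
```

Between the deletion and the client's re-registration the name does not resolve, so run this in a window when a short outage per host is acceptable, and check the DNS server's event log afterwards for hosts that still cannot register (those are typically machines whose account name differs from their DNS host name, or that are not actually domain members).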