
Setting up GSS-TSIG on RHEL9 Bind Server for Active Directory Dynamic DNS Updates (DDNS)

This post picks up where the previous one on setting up Bind9 left off. If you haven't already done so, follow the instructions in that post before continuing:
https://paularquette.com/setting-up-bind9-dns-server-on-rhel-9-for-a-brand-new-active-directory-domain-controller/

The next steps needed to get GSS-TSIG working are the following:

Install krb5-workstation (On Bind Server)

dnf install krb5-workstation

Modify /etc/krb5.conf

Uncomment default_realm and set it to the AD realm (krb5.conf only treats whole lines beginning with # as comments, so leave no trailing note on the value line):

[libdefaults]
default_realm = AD.TEST.LAB

[realms]
AD.TEST.LAB = {
kdc = ad.test.lab
admin_server = ad.test.lab
}

[domain_realm]
.ad.test.lab = AD.TEST.LAB
ad.test.lab = AD.TEST.LAB

Create User (On Domain Controller)

Create user account:
User Logon Name Needs To Match Server Name

Check Password Never Expires
Make sure to check the box for “This account supports Kerberos AES 256bit encryption”

Create KeyTab (On Domain Controller) (Admin Command Prompt)

The service principal is DNS/<Bind server FQDN>@<REALM>, mapped to the user created above; with the names used in these posts that is:

ktpass -princ DNS/bind.ad.test.lab@AD.TEST.LAB -mapuser bind@AD.TEST.LAB -pass Temp1234 -out C:\Temp\bind.keytab -ptype KRB5_NT_PRINCIPAL -crypto AES256-SHA1

Copy bind.keytab to RHEL Bind Server

Copy to /tmp
chown named:named bind.keytab
chmod 400 bind.keytab
mv /tmp/bind.keytab /etc

Test kinit

kinit -k -t /etc/bind.keytab DNS/bind.ad.test.lab@AD.TEST.LAB
klist

Update /etc/named.conf

Add under options:
tkey-gssapi-keytab "/etc/bind.keytab";
forwarders { 8.8.8.8; 8.8.4.4; };

Update /etc/named.rfc1912.conf

Comment Out allow-update lines

In Forward Zone Add:

update-policy {
grant * subdomain ad.test.lab. ANY;
};

In Reverse Zone Add:

update-policy {
grant * subdomain 104.1.10.in-addr.arpa. PTR;
};

Fix SELinux

/sbin/restorecon -v /etc/bind.keytab

Force Updates

Restart-Service netlogon (forces the DC to re-register its DNS records)
ipconfig /registerdns (forces the A and PTR records to be registered)

Setting up Bind9 DNS Server on RHEL 9 for a brand new Active Directory Domain Controller

I installed Red Hat with my developer subscription and chose to install Bind with the GUI installation. The instructions that follow are what needs to be done to set up Bind9 in its simplest form, so that your first Domain Controller can be installed without AD DNS and pointed at Bind9 instead.

RHEL9 Box:

Hostname: bind
IP: 10.1.104.5

Domain Controller:

Hostname: TestAD01.ad.test.lab
IP: 10.1.104.100

This does not include the instructions for setting up GSS-TSIG to allow dynamic updates. Those instructions will be in a follow-up post.

Configure DNS To Automatically Start

sudo systemctl enable named --now

Verify That DNS is Started

sudo systemctl status named

Configure DNS File

sudo vi /etc/named.conf
listen-on port 53 { localnets; };   #Remove 127.0.0.1
allow-query       { localnets; };   #Remove localhost

Modify named.rfc1912.zones

sudo vi /etc/named.rfc1912.zones

Create Forward & Reverse Lookup Zones With File Definitions At the Bottom of the File

zone "ad.test.lab" IN {
       type master;
       file "/var/named/forward.ad.test.lab";
       allow-update { 10.1.104.100; };   #Domain Controller IP
};

zone "104.1.10.in-addr.arpa" IN {          #Reverse zone for 10.1.104.0/24
       type master;
       file "/var/named/reverse.ad.test.lab";
       allow-update { 10.1.104.100; };     #Domain Controller IP
};
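As an added check, not code from either of the original posts: a small Python audit that parses named.conf-style zone definitions and flags zones that still rely on the IP-based allow-update above instead of the GSS-TSIG update-policy from the follow-up post at the top of this page. The sample configuration is constructed for the example.

```python
import re
# Constructed sample: the forward zone has the GSS-TSIG update-policy from the
# follow-up post; the reverse zone still carries the IP-based allow-update above.
SAMPLE_CONF = """
options { tkey-gssapi-keytab "/etc/bind.keytab"; };
zone "ad.test.lab" IN {
    type master; file "/var/named/forward.ad.test.lab";
    update-policy { grant * subdomain ad.test.lab. ANY; };
};
zone "104.1.10.in-addr.arpa" IN {
    type master; file "/var/named/reverse.ad.test.lab";
    allow-update { 10.1.104.100; };
};
"""

def _block(text, start):
    # Return the contents of the brace block whose '{' sits at text[start].
    depth = 0
    for i in range(start, len(text)):
        if text[i] == '{':
            depth += 1
        elif text[i] == '}':
            depth -= 1
            if depth == 0:
                return text[start + 1:i]
    raise ValueError('unbalanced braces in config')

def audit(conf):
    """Map zone name -> findings about how that zone accepts dynamic updates."""
    findings = {}
    has_keytab = re.search(r'\btkey-gssapi-keytab\s+"', conf) is not None
    for m in re.finditer(r'\bzone\s+"([^"]+)"', conf):
        name, issues = m.group(1), []
        body = _block(conf, conf.index('{', m.end()))
        if re.search(r'\ballow-update\s*\{', body):
            issues.append('allow-update trusts a source IP, which is unauthenticated')
        pol = re.search(r'\bupdate-policy\s*\{', body)
        if pol:
            if not has_keytab:
                issues.append('update-policy set but options has no tkey-gssapi-keytab')
            for ident, nametype, target, types in re.findall(
                    r'grant\s+(\S+)\s+(\S+)\s+(\S+)\s+([^;]+);', _block(body, pol.end() - 1)):
                types = types.strip().upper()
                if name.endswith('.in-addr.arpa') and types != 'PTR':
                    issues.append(f'reverse-zone grant allows {types}; restrict to PTR')
                if ident == '*' and types == 'ANY':
                    issues.append(f'grant * {nametype} {target} ANY: any realm principal may rewrite any name')
        if issues:
            findings[name] = issues
    return findings
```

A `grant * subdomain … ANY` rule lets any authenticated principal in the realm rewrite any name in the zone, which is fine for a lab; BIND's ms-self and ms-subdomain rule types limit each computer account to its own records.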

Verify Configuration Files Have No Issue (No News is Good News)

sudo named-checkconf

Create Forward Lookup File (Tab Delimited) [Space between bind.ad.test.lab and root.ad.test.lab]

sudo vi /var/named/forward.ad.test.lab

Create Reverse Lookup File (Tab Delimited) [Space between bind.ad.test.lab and root.ad.test.lab]

sudo vi /var/named/reverse.ad.test.lab

Run Named Checkzone (the first argument is the zone name, the second the zone file)

sudo named-checkzone ad.test.lab /var/named/forward.ad.test.lab
sudo named-checkzone 104.1.10.in-addr.arpa /var/named/reverse.ad.test.lab

Restart Named Service

sudo systemctl restart named

Add Firewall Exception for Port 53

sudo firewall-cmd --permanent --add-port=53/tcp
sudo firewall-cmd --permanent --add-port=53/udp
sudo firewall-cmd --reload

Modify resolv.conf

sudo vi /etc/resolv.conf
search ad.test.lab
nameserver 10.1.104.5

After Verifying Forward & Reverse Lookups Work, Set the DNS IP Config So It Survives Reboots

sudo nmtui

Walk through the GUI and change the DNS Server IP Address to point to this server. This makes sure that resolv.conf doesn't get overwritten with your old settings after a reboot.

Bring up a Domain Controller For the Domain

At this point you should be able to bring up a domain controller for the domain name you configured. As long as it is configured with the IP address you allowed to update those zones, you should be able to run a brand new Domain Controller without installing AD DNS.

Where we go from here

At this point the next blog will go over setting up GSS-TSIG to allow for dynamic updates from Active Directory clients.