Hi,
I want to add a slave zone to our UCS DNS Server (zone where our AD DNS server acting as master).
Didn’t understand, how to do this ?
Please have a look if Cool Solution - DNS-Forwarding and subdomains helps.
The official documentation only covers the general method as part of trust relationships.
hth,
Dirk
1 Like
I would also suggest to use /etc/bind/local.conf.proxy to configure slave zones - @ahrnke answer is perfect.
Thank you for replies. Though it can be added, it will be not reflected in GUI ? (“Univention Management Console”).
I added such way and see no any changes there.
Anyway seems like it doesn’t work. I see this in /var/log/syslog:
named[25475]: zone myslavezone.com/IN: Transfer started.
named[25475]: transfer of ‘myslavezone.com/IN’ from 1.2.3.4#53: connected using local-ip#33471
named[25475]: transfer of ‘myslavezone.com/IN’ from 1.2.3.4#53: failed while receiving responses: REFUSED
named[25475]: transfer of ‘myslavezone.com/IN’ from 1.2.3.4#53: Transfer status: REFUSED
Hey @isrgff,
No, slave zones are not reflected in the UCS interface. Besides, it would add nothing as this zones are only included as read-only - nothing can be changed within UCS. The settings for these zones will continue to be carried out on the DNS master - in your case, AD DNS. Microsoft fully supports the use and integration of BIND into its DNS scheme. As with any product integration, however, there are some limitations and configuration issues that must be addressed. From the syslog message I guess the master (your AD DNS) is not configured to allow transfers. Therefore, I would assume that the master DNS must be configured. A (in my opinion) rather good tutorial on this can be found at Linux and BIND9 as a DNS Secondary for Active Directory – vswitchzero
However, this is not really a UCS specific topic anymore, since it is now merely a standard bind integration.
Thank you, I got the idea, though I’m not strong in BIND. But, when we have two UCS servers, “master and slave”, if I understand right, - when I make DNS changes in GUI on first server, then it appears on second. Is it Bind as well or is it some UCS “magic” ?
Indeed there is a difference, but no magic is involved 
UCS systems make use of ldap directory service (or as alternative Samba, in case UCS acts as AD) as data backend - and this backend is what you configure via the UCS GUI. Any changes are distributed via listener/notifier domain replication, and this is also the way how the name servers to be used by a UCS system are notified about changes, see administration of dns data with bind for details on that.
In contrast - you asked for product integration using a Microsoft AD server as DNS master and using the UCS bind server as a slave. This scenario is relatively common and supported by Microsoft - in this case the classic DNS “zone transfer” and notifier mechanisms are used, which is a pure DNS topic and has nothing to do with the way how UCS or Windows replicates data. Univention systems support this DNS slave scenario as well, as already mentioned. In this case the Windows system stays in charge of the zones, the UCS servers deliver such zones only in addition to the ones configured within UCS. See Slave_Zones for configuration and in case of problems see Debugging.
Thanks again. I followed the guide of integration with AD DNS and now I got messages, that zone transferred successfully. Unfortunately, name resolution for this zone still does not work. I enabled debug (ucr set dns/debug/level=10) but still don’t understand, what’s wrong, because a lot of info and little is useful:
client @0x7f02b85870e0 1.2.3.4#59633 (some.myaddomain.com): ns_client_attach: ref = 1
client @0x7f02b85870e0 1.2.3.4#59633 (some.myaddomain.com): query (cache) ‘some.myaddomain.com/A/IN’ approved
client @0x7f02b85870e0 1.2.3.4#59633 (some.myaddomain.com): replace
fetch: some.myaddomain.com/A
log_ns_ttl: fctx 0x7f02b85f3800: fctx_create: some.myaddomain.com (in ‘.’?): 1 518356
Would you mind to share the relevant content of the file /etc/bind/local.conf.proxy for your domain some.myaddomain.com?
What is the output of the following command? (To be executed on the same UCS server bind is installed - it is expected to display the DNS data of this zone.)
$ dig AXFR some.myaddomain.com @127.0.0.1
I finally gave up and decided to do another approach - add zone directly to idm server. Zone consists the only record, “*”, wildcard. This is not work neither for some reason. Dig doesn’t resolve. Is it generally possible to do ?