2013/03/04

Samba4 AD/DC

Scenario:
FreeBSD 9.1 + Samba 4 (Bind99, SAMBA_INTERNAL) + Bind99 (updated dynamically from DHCP) + DHCP

Result:
It works!

Manuals consulted:
http://wiki.samba.org/index.php/Samba_AD_DC_HOWTO
http://www.whitneytechnologies.com/?p=422
http://fraterneo.blogspot.com/2012/12/como-configurar-un-controlador-de.html
http://www.freebsd.org/doc/handbook/kerberos5.html
http://www.rjsystems.nl/en/2100-dns-discovery-kerberos.php
http://es.wikipedia.org/wiki/Kerberos
http://www.bind9.net/manuals
http://albertolarripa.com/?p=1530
http://www.semicomplete.com/articles/dynamic-dns-with-dhcp
http://forums.freebsd.org/showthread.php?t=33849
http://www.samba.org/samba/docs/man/Samba-HOWTO-Collection/DNSDHCP.html
http://lani78.wordpress.com/2012/07/23/make-your-dhcp-server-dynamically-update-your-dns-records-on-ubuntu-12-04-precise-pangolin

Network parameters:
hostname="samdom.example.com"
keymap="spanish.iso.kbd"
#ifconfig_em0="DHCP"
ifconfig_em0="inet 192.168.2.101  netmask 255.255.255.0"
defaultrouter="192.168.2.1"
ifconfig_em1="inet 192.168.1.1  netmask 255.255.255.0"
ipv6_activate_all_interfaces="YES"
# Set dumpdev to "AUTO" to enable crash dumps, "NO" to disable
dumpdev="AUTO"
sshd_enable="YES"

SATA disk partitioning:
ada0        931GB  GPT
    ada0p1  512kB  freebsd-boot
    ada0p2   16GB  freebsd-ufs  /     exrootfs
    ada0p3   32GB  freebsd-swap none  exswap
    ada0p4   64GB  freebsd-ufs  /var  exvarfs
    ada0p5   16GB  freebsd-ufs  /tmp  extmpfs
    ada0p6  803GB  freebsd-ufs  /usr  exusrfs

Passwords on the FreeBSD box:
root / 123

PORTS
Download the ports tree ("fetch") and unpack it ("extract"); this is run the first time only:
# portsnap fetch extract

From then on, to keep the ports tree up to date, always run:
# portsnap fetch update

This last line can be added to cron so that the ports are updated daily; in /etc/crontab add a line like this:
00 06 * * * root /usr/sbin/portsnap fetch update >/dev/null 2>&1

ACLS
# cat /etc/fstab
# Device    Mountpoint    FStype    Options    Dump    Pass#
/dev/ada0p2    /        ufs    rw    1    1
/dev/ada0p3    none        swap    sw    0    0
/dev/ada0p4    /var        ufs    rw    2    2
/dev/ada0p5    /tmp        ufs    rw    2    2
/dev/ada0p6    /usr        ufs    rw    2    2

# cat /etc/fstab
# Device    Mountpoint    FStype    Options    Dump    Pass#
/dev/ada0p2    /        ufs    rw,acls    1    1
/dev/ada0p3    none        swap    sw    0    0
/dev/ada0p4    /var        ufs    rw,acls    2    2
/dev/ada0p5    /tmp        ufs    rw,acls    2    2
/dev/ada0p6    /usr        ufs    rw,acls    2    2

# reboot

Configure the bind99 options
# cd /usr/ports/dns/bind99
# make config

Options for bind99 9.9.2.1

[ ] FIXED_RRSET     Enable fixed rrset ordering
[ ] IDN             International Domain Names
[*] IPV6            IPv6 protocol
[ ] LARGE_FILE      64-bit file support
[*] LINKS           Create conf file symlinks in /usr/local
[*] REPLACE_BASE    Replace base BIND with this version  <- CHECK THIS OPTION!
[ ] RPZRRL_PATCH    RPZ improvements + RRL patch (experimental)
[ ] RPZ_NSDNAME     Enable RPZ NSDNAME policy records
[ ] RPZ_NSIP        Enable RPZ NSIP trigger rules
[ ] SIGCHASE        dig/host/nslookup will do DNSSEC validation
[*] SSL             Build with OpenSSL (Required for DNSSEC)
[*] THREADS         Threading support
[*] XML             Support for xml statistics output
[ ] DLZ_POSTGRESQL  G(DLZ): DLZ Postgres driver
[ ] DLZ_MYSQL       G(DLZ): DLZ MySQL driver (no threading)
[ ] DLZ_BDB         G(DLZ): DLZ BDB driver
[ ] DLZ_LDAP        G(DLZ): DLZ LDAP driver
[ ] DLZ_FILESYSTEM  G(DLZ): DLZ filesystem driver
[ ] DLZ_STUB        G(DLZ): DLZ stub driver

< OK >

Install Samba4
# cd /usr/ports/net/samba4
# make config

Options for samba4 4.0.3
[*] ACL_SUPPORT  File system ACL support
[*] ADS          Active Directory support
[*] AIO_SUPPORT  Asyncronous IO support
[ ] AVAHI        Zeroconf via Avahi  <- DISABLE THIS OPTION!
[*] CUPS         CUPS printing system
[*] DEBUG        With debug information in the binaries
[ ] DEVELOPER    With development support
[*] DNSUPDATE    Dynamic DNS update(require ADS)
[ ] EXP_MODULES  Experimental modules
[*] FAM_SUPPORT  File Alteration Monitor support
[*] LDAP         LDAP support
[ ] MANPAGES     Build and/or install manual pages
[*] PAM_SMBPASS  PAM authentication via passdb backends
[*] PTHREADPOOL  Pthread pool
[*] QUOTAS       Disk quota support
[*] SWAT         SWAT WebGUI
[*] SYSLOG       Syslog support
[*] UTMP         UTMP accounting support
[*] WINBIND      WinBIND support
[ ] NSUPDATE     S(DNS): Use internal DNS with NSUPDATE utility  <- DISABLE THIS OPTION!
[ ] BIND98       S(DNS): Use bind98 as a DNS server frontend
[*] BIND99       S(DNS): Use bind99 as a DNS server frontend  <- CHECK THIS OPTION!

< OK >

# make config-recursive
(I leave all the other ports at their defaults)

# make install clean

Note:
The Samba4 port with the [*] BIND99 option will install bind99 itself, which is why
we configure the bind99 options ([*] REPLACE_BASE) first.

# rndc-confgen -a -c /etc/namedb/rndc.conf -k rndc-key -b 256
wrote key file "/etc/namedb/rndc.conf"

# cat /etc/namedb/rndc.conf
key "rndc-key" {
        algorithm hmac-md5;
        secret "zvuOE1XeVBUXZa12LTUDEAgZaH3cVFZp+GiObzuAB5c=";
};

# edit /etc/namedb/named.conf

options {
        // All file and path names are relative to the chroot directory,
        // if any, and should be fully qualified.
        directory       "/etc/namedb/working";
        pid-file        "/var/run/named/pid";
        dump-file       "/var/dump/named_dump.db";
        statistics-file "/var/stats/named.stats";
...
        listen-on       { 127.0.0.1; 192.168.1.1; };
...
        forwarders {
                8.8.8.8;
                8.8.4.4;
        };
...
//zone "example.com" { type master; file "/etc/namedb/master/empty.db"; };  <- COMMENT OUT THIS LINE!
...
controls {
        inet 127.0.0.1 allow { localhost; } keys { rndc-key; };
};

// Take this from the /etc/namedb/rndc.conf file
key "rndc-key" {
        algorithm hmac-md5;
        secret "zvuOE1XeVBUXZa12LTUDEAgZaH3cVFZp+GiObzuAB5c=";
};

zone "example.com" {
        type master;
        allow-update { key "rndc-key"; };
        allow-transfer { localhost; 192.168.1.1; };
        file "/etc/namedb/dynamic/example.com";
};

zone "1.168.192.in-addr.arpa" {
        type master;
        allow-update { key "rndc-key"; };
        allow-transfer { localhost; 192.168.1.1; };
        file "/etc/namedb/dynamic/1.168.192.in-addr.arpa";
};

# edit /etc/namedb/dynamic/example.com

$TTL 3600 ; 1 hour default TTL
example.com.            IN      SOA     samdom.example.com. admin.example.com. (
                                        2013021701      ; Serial
                                        10800           ; Refresh (3 hours)
                                        3600            ; Retry (1 hour)
                                        604800          ; Expire (1 week)
                                        300             ; Negative Response TTL (5 minutes)
                                        )
; DNS Servers
                        IN      NS      samdom.example.com.
; MX Records
                        ;IN     MX      10 mx.example.com.
                        ;IN     MX      20 mail.example.com.
                        IN      A       192.168.1.1
; Machine Names
localhost               IN      A       127.0.0.1
samdom                  IN      A       192.168.1.1
kerberos                IN      A       192.168.1.1
ldap                    IN      A       192.168.1.1
; Aliases
;
;_kerberos._udp         IN      SRV     01 00 88 kerberos.example.com.
;_kerberos._tcp         IN      SRV     01 00 88 kerberos.example.com.
;_kpasswd._udp          IN      SRV     01 00 464 kerberos.example.com.
;_kerberos-adm._tcp     IN      SRV     01 00 749 kerberos.example.com.
;_kerberos              IN      TXT     EXAMPLE.COM
;
;_ldap._tcp             IN      SRV     01 00 389 ldap.example.com.
;_ldap._udp             IN      SRV     01 00 88 ldap.example.com.

Warning!
Although the _kerberos and _ldap entries are correct in themselves, Samba publishes its own SRV records and queries Bind for them, so leaving these entries active causes problems.

# edit /etc/namedb/dynamic/1.168.192.in-addr.arpa

$TTL 3600 ; 1 hour default TTL
1.168.192.in-addr.arpa. IN      SOA     samdom.example.com. admin.example.com. (
                                        2013021701      ; Serial
                                        10800           ; Refresh (3 hours)
                                        3600            ; Retry (1 hour)
                                        604800          ; Expire (1 week)
                                        300             ; Negative Response TTL (5 minutes)
                                        )
; DNS Servers
                        IN      NS      samdom.example.com.
; Machine IPs
1                       IN      PTR     samdom.example.com.
1                       IN      PTR     kerberos.example.com.

# edit /etc/rc.conf

# Bind
named_enable="YES"
named_chrootdir=""

# /etc/rc.d/named start

# edit /etc/resolv.conf

search example.com
domain EXAMPLE.COM
nameserver 127.0.0.1
#nameserver 8.8.8.8
#nameserver 8.8.4.4

# nslookup samdom
Server:         127.0.0.1
Address:        127.0.0.1#53

Name:   samdom.example.com
Address: 192.168.1.1

# nslookup kerberos
Server:         127.0.0.1
Address:        127.0.0.1#53

Name:   kerberos.example.com
Address: 192.168.1.1

Install isc-dhcp42-server
# cd /usr/ports/net/isc-dhcp42-server

# make config

Options for isc-dhcp42-server 4.2.4_2

[ ] BIND_SYMBOLS  Enable BIND internal symbol table
[*] IPV6          IPv6 protocol
[ ] LDAP          LDAP support
[*] LDAP_SSL      Support LDAP over SSL/TLS
[ ] PARANOIA      Enable support for chroot

<  OK  >

# make config-recursive
# make install clean

# rm /usr/local/etc/dhcpd.conf
# edit /usr/local/etc/dhcpd.conf

# dhcpd.conf
#
# Sample configuration file for ISC dhcpd PRIMARY
#

option domain-name "example.com";
option domain-name-servers 192.168.1.1;
default-lease-time 600;
max-lease-time 7200;

# If this DHCP server is the official DHCP server for the local
# network, the authoritative directive should be uncommented.
authoritative;

# ad-hoc DNS update scheme - set to "none" to disable dynamic DNS updates.
ddns-updates on;
ddns-update-style interim;
ddns-domainname "example.com";
allow client-updates;

# Take this from the /etc/namedb/rndc.conf file
key "rndc-key" {
        algorithm hmac-md5;
        secret "zvuOE1XeVBUXZa12LTUDEAgZaH3cVFZp+GiObzuAB5c=";
}

zone example.com. {
        primary 192.168.1.1;
        key rndc-key;
}

zone 1.168.192.in-addr.arpa. {
        primary 192.168.1.1;
        key rndc-key;
}

# Use this to send dhcp log messages to a different log file (you also
# have to hack syslog.conf to complete the redirection).
log-facility local7;

option netbios-name-servers 192.168.1.1;
option netbios-node-type 8;
option time-offset     -18000;     # Bogota GMT -5.0 Hours => -5x60x60 = -18000 Seconds
option ntp-servers 192.168.1.1;
option time-servers 192.168.1.1;

# Dynamic range
subnet 192.168.1.0 netmask 255.255.255.0 {
  range 192.168.1.10 192.168.1.110;
  option routers 192.168.1.1;
  option broadcast-address 192.168.1.255;
}
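The same TSIG secret now lives in three files (rndc.conf, named.conf and dhcpd.conf) and dhcpd's dynamic updates are only accepted while all copies agree. The following POSIX sh check is added here (it is not from these notes or any of the manuals listed above): it pulls the secret for a given key name out of each file, compares the copies, and refuses files readable by other users, because anyone who reads that secret can rewrite the zone. The file paths in the usage line are assumptions taken from this setup.

```shell
#!/bin/sh
# Print the secret of TSIG key "$2" from config file "$1". rndc.conf, named.conf and
# dhcpd.conf all write the key as   key "name" { algorithm ...; secret "..."; }
# Returns 1 when the file has no such key.
tsig_secret() {
    awk -v name="$2" '
        $1 == "key" && $3 == "{" { n = $2; gsub(/["]/, "", n); inkey = (n == name) }
        inkey && $1 == "secret"  { s = $2; gsub(/[";]/, "", s); print s; found = 1; exit }
        inkey && /}/             { inkey = 0 }
        END { exit found ? 0 : 1 }
    ' "$1"
}

# Compare the copies of key "$1" across the files given as the remaining arguments.
# A mismatch means named rejects dhcpd's updates (BADSIG/BADKEY) and DDNS silently
# stops; a world-readable copy hands the zone-update right to every local user.
check_tsig_consistency() {
    name="$1"; shift
    ref=""; rc=0
    for f in "$@"; do
        if ! s=$(tsig_secret "$f" "$name"); then
            echo "MISSING key $name in $f"; rc=1; continue
        fi
        if [ -z "$ref" ]; then
            ref="$s"
        elif [ "$s" != "$ref" ]; then
            echo "MISMATCH secret for $name in $f"; rc=1
        fi
        # GNU stat (-c) first, FreeBSD stat (-f) as the fallback; both print the octal mode
        mode=$(stat -c '%a' "$f" 2>/dev/null || stat -f '%Lp' "$f")
        case "$mode" in
            *[1-7]) echo "WORLD-READABLE $f (mode $mode)"; rc=1 ;;
        esac
    done
    [ "$rc" -eq 0 ] && echo "OK: $name identical in $# file(s)"
    return $rc
}

# Usage on this setup (paths assumed from the notes above):
# check_tsig_consistency rndc-key /etc/namedb/rndc.conf /etc/namedb/named.conf /usr/local/etc/dhcpd.conf
```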

# ifconfig em1 inet 192.168.1.1 netmask 255.255.255.0 up

# edit /etc/rc.conf

ifconfig_em1="inet 192.168.1.1 netmask 255.255.255.0"

# DHCP Server
dhcpd_enable="YES"
dhcpd_flags="-q"
dhcpd_conf="/usr/local/etc/dhcpd.conf"
dhcpd_ifaces="em1"
dhcpd_withumask="022"

# /usr/local/etc/rc.d/isc-dhcpd start

Install cups-base
# cd /usr/ports/print/cups-base

# make config
I leave everything at the defaults

# make config-recursive
I leave everything at the defaults

# make install clean

# edit /etc/rc.conf

# CUPS
cupsd_enable="YES"

# /usr/local/etc/rc.d/cupsd start

Edit the file and add the "options" section
# edit /etc/namedb/rndc.conf

key "rndc-key" {
        algorithm hmac-md5;
        secret "zvuOE1XeVBUXZa12LTUDEAgZaH3cVFZp+GiObzuAB5c=";
};

options {
     default-server 127.0.0.1;
     default-key    rndc-key;
};

# rndc status
version: 9.9.2-P1
CPUs found: 2
worker threads: 2
UDP listeners per interface: 2
number of zones: 99
debug level: 0
xfers running: 0
xfers deferred: 0
soa queries in progress: 0
query logging is OFF
recursive clients: 0/0/1000
tcp clients: 0/100
server is up and running

# /usr/local/bin/samba-tool domain provision
Realm [EXAMPLE.COM]: EXAMPLE.COM
 Domain [EXAMPLE]: EXAMPLE
 Server Role (dc, member, standalone) [dc]: dc
 DNS backend (SAMBA_INTERNAL, BIND9_FLATFILE, BIND9_DLZ, NONE) [SAMBA_INTERNAL]: SAMBA_INTERNAL
 DNS forwarder IP address (write 'none' to disable forwarding) [127.0.0.1]: 192.168.1.1
Administrator password:
Retype password:
Looking up IPv4 addresses
More than one IPv4 address found. Using 192.168.1.1
Looking up IPv6 addresses
No IPv6 address will be assigned
Setting up share.ldb
Setting up secrets.ldb
Setting up the registry
Setting up the privileges database
Setting up idmap db
Setting up SAM db
Setting up sam.ldb partitions and settings
Setting up sam.ldb rootDSE
Pre-loading the Samba 4 and AD schema
Adding DomainDN: DC=example,DC=com
Adding configuration container
Setting up sam.ldb schema
Setting up sam.ldb configuration data
Setting up display specifiers
Modifying display specifiers
Adding users container
Modifying users container
Adding computers container
Modifying computers container
Setting up sam.ldb data
Setting up well known security principals
Setting up sam.ldb users and groups
Setting up self join
Adding DNS accounts
Creating CN=MicrosoftDNS,CN=System,DC=example,DC=com
Creating DomainDnsZones and ForestDnsZones partitions
Populating DomainDnsZones and ForestDnsZones partitions
Setting up sam.ldb rootDSE marking as synchronized
Fixing provision GUIDs
A Kerberos configuration suitable for Samba 4 has been generated at /var/db/samba4/private/krb5.conf
Once the above files are installed, your Samba4 server will be ready to use
Server Role:               active directory domain controller
Hostname:                  samdom
NetBIOS Domain:            EXAMPLE
DNS Domain:                example.com
DOMAIN SID:                S-1-5-21-3981277467-4260322419-4091201666

# cp /var/db/samba4/private/krb5.conf /etc/
# cat /etc/krb5.conf

[libdefaults]
        default_realm = EXAMPLE.COM
        dns_lookup_realm = false
        dns_lookup_kdc = true

# edit /etc/rc.conf

# NTP
ntpd_enable="YES"
ntpd_config="/etc/ntp.conf"

# edit /etc/ntp.conf

server 0.pool.ntp.org prefer
server 1.pool.ntp.org
server 2.pool.ntp.org
server 3.pool.ntp.org
driftfile /var/db/ntp.drift

# /etc/rc.d/ntpd start
Starting ntpd.

# edit /etc/rc.conf

# Samba4
samba4_enable="YES"
samba4_config="/usr/local/etc/smb4.conf"
winbindd_enable="YES"

# testparm /usr/local/etc/smb4.conf
Load smb config files from /usr/local/etc/smb4.conf
max_open_files: increasing sysctl_max (11095) to minimum Windows limit (16384)
rlimit_max: increasing rlimit_max (11095) to minimum Windows limit (16384)
Processing section "[netlogon]"
Processing section "[sysvol]"
Loaded services file OK.
Server role: ROLE_ACTIVE_DIRECTORY_DC
Press enter to see a dump of your service definitions

[global]
        workgroup =EXAMPLE
        realm = example.com
        server role = active directory domain controller
        passdb backend = samba_dsdb
        dns forwarder = 192.168.1.1
        rpc_server:tcpip = no
        rpc_daemon:spoolssd = embedded
        rpc_server:spoolss = embedded
        rpc_server:winreg = embedded
        rpc_server:ntsvcs = embedded
        rpc_server:eventlog = embedded
        rpc_server:srvsvc = embedded
        rpc_server:svcctl = embedded
        rpc_server:default = external
        idmap config * : backend = tdb
        create mask = 0777
        directory mask = 0777
        map archive = No
        map readonly = no
        store dos attributes = Yes
        vfs objects = dfs_samba4, acl_xattr

[netlogon]
        path = /var/db/samba4/sysvol/example.com/scripts
        read only = No

[sysvol]
        path = /var/db/samba4/sysvol
        read only = No

To fix the error
max_open_files: increasing sysctl_max (11095) to minimum Windows limit (16384)
rlimit_max: increasing rlimit_max (11095) to minimum Windows limit (16384)

# edit /boot/loader.conf

# Samba
kern.maxfiles="20480"

THIS STEP IS EXTREMELY IMPORTANT: IF IT IS NOT RUN, CLIENTS WILL NOT BE ABLE TO JOIN THE DOMAIN!
# /usr/local/sbin/samba4 -i -M single -d 4 &

# killall samba4

# /usr/local/etc/rc.d/samba4 start

# kinit administrator@EXAMPLE.COM
administrator@example.com's Password: miclave123

# klist
Credentials cache: FILE:/tmp/krb5cc_0
            Principal: administrator@EXAMPLE.COM

  Issued               Expires              Principal
Feb 24 02:13:50  Feb 24 12:13:50  krbtgt/EXAMPLE.COM@EXAMPLE.COM

# net rpc join -S samdom -Uadministrator
Enter administrator's password: miclave123
Joined domain EXAMPLE.

# smbclient -L localhost -U%
Domain=[EXAMPLE] OS=[Unix] Server=[Samba 4.0.3]

    Sharename       Type      Comment
    ---------       ----      -------
    netlogon        Disk
    sysvol          Disk
    IPC$            IPC       IPC Service (Samba 4.0.3)
Domain=[EXAMPLE] OS=[Unix] Server=[Samba 4.0.3]

    Server               Comment
    ---------            -------

    Workgroup            Master
    ---------            -------

# /usr/local/bin/smbclient //localhost/netlogon -UAdministrator'' -c 'ls'
Enter Administrator's password: miclave123
Domain=[EXAMPLE] OS=[Unix] Server=[Samba 4.0.3]
  .                                       D            0  Sun Feb 24 02:01:16 2013
  ..                                      D            0  Sun Feb 24 02:01:23 2013

            63332 blocks of size 65536. 54255 blocks available

# samba-tool dns query 127.0.0.1 example.com @ ALL
Password for [administrator@EXAMPLE.COM]:
  Name=, Records=4, Children=0
        SOA: serial=1, refresh=900, retry=600, expire=86400, ns=samdom.example.com., email=hostmaster.example.com. (flags=600000f0, serial=1, ttl=3600)
        NS: samdom.example.com. (flags=600000f0, serial=1, ttl=900)
        A: 192.168.1.1 (flags=600000f0, serial=1, ttl=900)
        A: 192.168.2.101 (flags=600000f0, serial=110, ttl=900)
  Name=_msdcs, Records=0, Children=0
  Name=_sites, Records=0, Children=1
  Name=_tcp, Records=0, Children=4
  Name=_udp, Records=0, Children=2
  Name=DomainDnsZones, Records=0, Children=2
  Name=ForestDnsZones, Records=0, Children=2
  Name=samdom, Records=2, Children=0
        A: 192.168.1.1 (flags=f0, serial=1, ttl=900)
        A: 192.168.2.101 (flags=f0, serial=110, ttl=900)
  
# wbinfo -u
Administrator
Guest
krbtgt

# wbinfo -g
Enterprise Read-Only Domain Controllers
Domain Admins
Domain Users
Domain Guests
Domain Computers
Domain Controllers
Schema Admins
Enterprise Admins
Group Policy Creator Owners
Read-Only Domain Controllers
DnsUpdateProxy

TEST DNS
# host -t SRV _ldap._tcp.example.com
_ldap._tcp.example.com has SRV record 0 100 389 samdom.example.com.

# host -t A ldap.example.com
ldap.example.com has address 192.168.1.1

# host -t SRV _kerberos._tcp.example.com
_kerberos._tcp.example.com has SRV record 1 0 88 kerberos.example.com.

# host -t SRV _kerberos._udp.example.com
_kerberos._udp.example.com has SRV record 1 0 88 kerberos.example.com.

# host -t SRV _kpasswd._udp.example.com
_kpasswd._udp.example.com has SRV record 1 0 464 kerberos.example.com.

# host -t SRV _kerberos-adm._tcp.example.com
_kerberos-adm._tcp.example.com has SRV record 1 0 749 kerberos.example.com.
Warning!
Once the _kerberos and _ldap lines are deactivated, these queries no longer resolve.

# host -t A samdom.example.com
samdom.example.com has address 192.168.1.1
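The DNS tests above are checked by eye. Here is a small POSIX sh helper, added here and not part of the original notes, that applies the rules a domain client needs to each answer of host -t SRV: the port must be the one the service uses and the target must be the DC itself, which is exactly what the hand-written kerberos.example.com targets above violate. The service list and the DC name passed in are assumptions.

```shell
#!/bin/sh
# Port a Windows/Samba client expects behind each AD service SRV name.
srv_expected_port() {
    case "$1" in
        _ldap._tcp.*)                      echo 389 ;;
        _kerberos._tcp.*|_kerberos._udp.*) echo 88 ;;
        _kpasswd._tcp.*|_kpasswd._udp.*)   echo 464 ;;
        *)                                 echo "" ;;
    esac
}

# Validate one answer line from "host -t SRV <name>", e.g.
#   _ldap._tcp.example.com has SRV record 0 100 389 samdom.example.com.
# $1 = answer line, $2 = DC FQDN with trailing dot. Prints a verdict; returns 1 when the
# record is unknown, carries the wrong port, or points somewhere other than the DC.
check_srv_line() {
    line="$1"; dc="$2"
    set -- $line   # $1 name, $2-$4 "has SRV record", $5 prio, $6 weight, $7 port, $8 target
    if [ "$2 $3 $4" != "has SRV record" ]; then
        echo "NO-ANSWER $line"; return 1
    fi
    name="$1"; port="$7"; target="$8"
    want=$(srv_expected_port "$name")
    if [ -z "$want" ]; then
        echo "UNKNOWN $name"; return 1
    elif [ "$port" != "$want" ]; then
        echo "BAD-PORT $name: $port (expected $want)"; return 1
    elif [ "$target" != "$dc" ]; then
        echo "BAD-TARGET $name -> $target (expected $dc)"; return 1
    fi
    echo "OK $name -> $target:$port"
}

# Query the live resolver for the records a client uses to find the DC (assumed list,
# drawn from the tests above) and check every answer.
check_dc_srv() {
    domain="$1"; dc="$2"; rc=0
    for svc in _ldap._tcp _kerberos._tcp _kerberos._udp _kpasswd._udp; do
        ans=$(host -t SRV "$svc.$domain" 2>/dev/null | grep 'has SRV record' | head -n 1)
        check_srv_line "${ans:-$svc.$domain}" "$dc" || rc=1
    done
    return $rc
}
# Usage: check_dc_srv example.com samdom.example.com.
```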

Create a user
# samba-tool user add miguel
New Password: miclave123
Retype Password: miclave123
User 'miguel' created successfully

Verify the created user
# wbinfo --name-to-sid miguel
S-1-5-21-1013221894-234835428-3392388920-1103 SID_USER (1)

# reboot

Share printers
# edit /usr/local/etc/smb4.conf

[printers]
            comment = All Printers
            path = /var/spool/samba
            browseable = No
            guest ok = Yes
            printable = Yes
            use client driver = Yes
            default devmode = Yes
            ;show add printer wizard = no # Do not show the add printer wizard

So that Windows clients can query the print server for drivers, we must create
the driver directory.
# mkdir -p /var/db/samba4/printer-drivers/{COLOR,IA64,W32ALPHA,W32MIPS,W32PPC,W32X86,WIN40,x64}
# edit /usr/local/etc/smb4.conf

[print$]
            comment = Printer Drivers
            path = /var/db/samba4/printer-drivers
            browseable = yes
            guest ok = no
            read only = yes
            write list = root

Share folders and block some dangerous extensions
# mkdir /home/tmp
# edit /usr/local/etc/smb4.conf

[tmp]
            comment = Temporary file space
            path = /home/tmp
            valid users = %U
            public = no
            writable = no
            browseable = yes
            printable = no
# The following lines cause problems when using ACLs; leave them disabled!
#           create mask = 0777
#           directory mask = 0777
#           force create mode = 0777
#           force directory mode = 0777
#           force user = nobody
#           force group = nobody
            write list = %U
            # Block some files by extension
            veto files = /*.reg/*.com/*.scr/*.cmd/*.exe/*.pif/*.bat/*.{*}/
            delete veto files = yes

Remote Server Administration Tools for Windows 7 with Service Pack 1 (SP1)
  http://www.microsoft.com/en-us/download/details.aspx?id=7887

1 Install Remote Server Administration Tools for Windows 7 with Service Pack 1 (SP1)

2 Start / Control Panel / Programs / Turn Windows features on or off

  (a small window opens)

3        - Role Administration Tools
          - AD DS and AD LDS Tools
            - AD DS Tools
              * Active Directory Administrative Center
              * AD DS Snap-ins and Command-line Tools

4 OK

5 Win + R
    dsa.msc

Note:
To administer the domain with the dsa.msc command, you must be logged in as the user administrator / miclave123 in order to see the data.

Note:
Better to use # rndc-confgen > /root/dhcp_updater.key

named.conf

key "rndc-key" {
        algorithm hmac-md5;
        secret "+VsrLah1EEr+HKRTGRJyWA==";
};

controls {
        inet 127.0.0.1 port 953
                allow { 127.0.0.1; } keys { "rndc-key"; };
};

dhcpd.conf

# Take this from the /etc/namedb/rndc.conf file
key "rndc-key" {
        algorithm hmac-md5;
        secret "+VsrLah1EEr+HKRTGRJyWA==";
};

A very important note in case you want to edit the DNS files by hand: http://forums.freebsd.org/showthread.php?t=33849

"Note about editing dynamic zones manually

If you have to edit the zone files of dynamic zones manually while the DNS server is running, you’ll have to freeze the zones with # rndc freeze <myzone> before editing and unfreeze them with # rndc thaw <myzone> after editing. This is because named(8) has internal state information and external journal files attached to dynamic zones that have to be kept in sync with the zone files."
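Added here, not part of these notes or of the quoted forum post: a POSIX sh wrapper that does the freeze/thaw dance around a manual edit and, because named only reloads a zone whose serial moved forward, bumps the SOA serial in the YYYYMMDDnn style the zone files above use. The zone name, file path and editor in the usage line are assumptions; bump_serial works on any zone file that has a "; Serial" comment on the serial line.

```shell
#!/bin/sh
# Bump the SOA serial of a zone file whose serial follows the YYYYMMDDnn convention used
# above (e.g. 2013021701). A new day gets <today>01; if the serial is already from today
# or ahead of it (named adds one per dynamic update, so it can run ahead), just add one,
# so the serial never moves backwards and secondaries/caches always see an increase.
# $1 = zone file, $2 = date as YYYYMMDD (defaults to today). Prints the new serial.
bump_serial() {
    zone="$1"; today="${2:-$(date +%Y%m%d)}"
    cur=$(awk '/; *Serial/ { print $1; exit }' "$zone")
    if [ -z "$cur" ]; then
        echo "no '; Serial' line in $zone" >&2; return 1
    fi
    if [ "${cur%??}" -lt "$today" ]; then
        new="${today}01"
    else
        new=$((cur + 1))
    fi
    # rewrite only the first Serial line; everything else is copied unchanged
    awk -v old="$cur" -v new="$new" '
        !done && /; *Serial/ && $1 == old { sub(old, new); done = 1 }
        { print }
    ' "$zone" > "$zone.tmp" && mv "$zone.tmp" "$zone"
    echo "$new"
}

# Edit a dynamic zone without corrupting its journal: freeze (named writes the journal
# into the zone file and stops accepting updates), run the editor, bump the serial,
# thaw (named reloads the file and accepts updates again).
# $1 = zone name, $2 = zone file, $3 = editor command (assumed, e.g. vi)
edit_dynamic_zone() {
    rndc freeze "$1" || return 1
    $3 "$2" && bump_serial "$2" >/dev/null
    rndc thaw "$1"
}
# Usage: edit_dynamic_zone example.com /etc/namedb/dynamic/example.com vi
```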