
[Samba] samba dns

317 views

Sonic

Apr 6, 2016, 4:30:04 PM
Can the Samba internal DNS be set as authoritative only (not a resolver)?

Can the Samba DNS server be set as authoritative only for the SRV
zones (_tcp, _udp _msdcs, _sites) and not the parent zone?

Thanks,

Chris

--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba

Rowland penny

Apr 6, 2016, 4:30:04 PM
On 06/04/16 21:15, Sonic wrote:
> Can the Samba internal DNS be set as authoritative only (not a resolver)?
>
> Can the Samba DNS server be set as authoritative only for the SRV
> zones (_tcp, _udp _msdcs, _sites) and not the parent zone?
>
> Thanks,
>
> Chris
>

Can you explain what you are trying to do

Rowland

Sonic

Apr 6, 2016, 5:10:04 PM
Would prefer to continue to use my NSD/Unbound installs for most DNS
(if not all) services. NSD is the authoritative server for the domain,
and Unbound is the cache/resolver that the clients connect to. I'd
like to not disturb this setup but I'll need the SRV records so that
AD works. If the SRV records are fixed I suppose I could host them
using NSD, then Samba wouldn't have to be authoritative for any
records - just forward to the Unbound cache. I don't need hosts
registering themselves in DNS, the only hosts that need to be in DNS
are those doing server duties and already have A records (the DHCP
server relies on them for lease reservations).

Rowland penny

Apr 6, 2016, 5:20:03 PM
On 06/04/16 21:58, Sonic wrote:
> Would prefer to continue to use my NSD/Unbound installs for most DNS
> (if not all) services. NSD is the authoritative server for the domain,
> and Unbound is the cache/resolver that the clients connect to. I'd
> like to not disturb this setup but I'll need the SRV records so that
> AD works. If the SRV records are fixed I suppose I could host them
> using NSD, then Samba wouldn't have to be authoritative for any
> records - just forward to the Unbound cache. I don't need hosts
> registering themselves in DNS, the only hosts that need to be in DNS
> are those doing server duties and already have A records (the DHCP
> server relies on them for lease reservations).
>
>
>

Your DC needs to be authoritative for your AD domain, this is *not* a
Samba thing, it is an AD thing. What you can do, is to do what is
recommended, make your AD domain a subdomain of your domain i.e. if your
domain name is 'domain.tld', use 'internal.domain.tld' for your AD domain.

Your AD DC will then be authoritative for the AD domain and will then
forward anything it doesn't know to your unbound machine.

Sketch

Apr 6, 2016, 5:40:04 PM
On Wed, 6 Apr 2016, Rowland penny wrote:

> Your DC needs to be authoritative for your AD domain, this is *not* a Samba
> thing, it is an AD thing. What you can do, is to do what is recommended, make
> your AD domain a subdomain of your domain i.e. if your domain name is
> 'domain.tld', use 'internal.domain.tld' for your AD domain.
>
> Your AD DC will then be authoritative for the AD domain and will then forward
> anything it doesn't know to your unbound machine.

Or vice versa. Point unbound at the AD DNS server for lookups to
internal.domain.tld, and let it continue handle other lookups as it
already does. There's no need to repoint clients to AD DNS servers if you
don't want dynamic DNS registration.
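The split Rowland and Sketch describe (the DC authoritative for the AD subdomain and forwarding everything else to Unbound; Unbound holding a stub zone that points back at the DC) looks like the following. This is an added example, not configuration from the Samba wiki or from either poster; the zone name internal.domain.tld, the DC address 192.0.2.10 and the Unbound address 192.0.2.53 are assumptions.

```conf
# --- smb.conf on the Samba AD DC (internal DNS backend) ---
# The DC answers from AD for internal.domain.tld and _msdcs.internal.domain.tld
# and hands every other query to the Unbound resolver.
[global]
    realm = INTERNAL.DOMAIN.TLD
    dns forwarder = 192.0.2.53
# /etc/resolv.conf on the DC itself must name the DC: nameserver 192.0.2.10

# --- unbound.conf on the resolver the clients use ---
server:
    # Failure mode: with DNSSEC validation on, an unsigned internal zone
    # below a signed (or non-existent) parent validates as bogus and every
    # lookup fails. Release it from validation explicitly.
    domain-insecure: "internal.domain.tld."
    # Only needed when private-address is set: allow RFC 1918 answers
    # from this zone instead of dropping them as rebinding attempts.
    private-domain: "internal.domain.tld."
    # Unbound blocks this reverse range by default; release it only if the
    # DC hosts the matching reverse zone (address range is an assumption).
    local-zone: "2.0.192.in-addr.arpa." nodefault

stub-zone:
    name: "internal.domain.tld."
    stub-addr: 192.0.2.10
    # one stub-addr line per DC

stub-zone:
    name: "2.0.192.in-addr.arpa."
    stub-addr: 192.0.2.10
```

Unbound neither accepts nor forwards RFC 2136 dynamic updates; a client that wants to register a record asks its resolver for the zone's SOA, which the stub zone answers, and then sends the update straight to the SOA primary (the DC) on port 53. That is consistent with what Sonic reports later in the thread, and it means the DC must be reachable from the clients, not just from Unbound. Samba's default of `allow dns updates = secure only` means those updates also have to be Kerberos-signed, which a joined Windows client does on its own.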

Sonic

Apr 7, 2016, 10:20:04 AM
On Wed, Apr 6, 2016 at 5:29 PM, Sketch <smb...@rednsx.org> wrote:
> There's no need to repoint clients to AD DNS servers if you don't want
> dynamic DNS registration.

Dynamic DNS registration works with the clients pointing to the
Unbound cache (at an account with a Windows AD server). The clients
must be determining what system to register with via DNS records even
though they don't point to the Windows AD server for DNS resolution.

Which is why I think this entry in the Wiki is not wholly correct:
"Whichever DNS server you use, you must configure the AD DC so that it
uses 127.0.0.1 or its own IP address as DNS server, and all clients
must be configured to use the IP address of the AD DC as DNS. This
server will usually only be able to answer queries regarding servers
and clients that are members of the domain. If you want your server
and clients to be able to also see the rest of the world, you must
configure the DNS server to forward all queries that it cannot answer
itself, to another DNS server which can resolve the rest of the
world."
The part I believe to be incorrect is:
"...all clients must be configured to use the IP address of the AD DC as DNS"
as at least in my experience with a Windows installation this is not a
requirement - even for dynamic registration. As long as the clients
can resolve the AD's records they do work just fine.

Sonic

Apr 7, 2016, 10:30:04 AM
On Wed, Apr 6, 2016 at 5:13 PM, Rowland penny <rpe...@samba.org> wrote:
> Your DC needs to be authoritative for your AD domain, this is *not* a Samba
> thing, it is an AD thing.

What about: http://www.serverlab.ca/tutorials/linux/network-services/using-linux-bind-dns-servers-for-active-directory-domains/
?

Sketch

Apr 7, 2016, 10:40:04 AM
On Thu, 7 Apr 2016, Sonic wrote:

> On Wed, Apr 6, 2016 at 5:13 PM, Rowland penny <rpe...@samba.org> wrote:
>> Your DC needs to be authoritative for your AD domain, this is *not* a Samba
>> thing, it is an AD thing.
>
> What about: http://www.serverlab.ca/tutorials/linux/network-services/using-linux-bind-dns-servers-for-active-directory-domains/
> ?

Your DC needs to be authoritative for your AD domain, unless you want to
manually maintain its records in DNS. The docs on the website cover the
normal use case, but there is some flexibility there for people who don't
mind doing extra work.

Rowland penny

Apr 7, 2016, 10:40:04 AM
On 07/04/16 15:19, Sonic wrote:
> On Wed, Apr 6, 2016 at 5:13 PM, Rowland penny <rpe...@samba.org> wrote:
>> Your DC needs to be authoritative for your AD domain, this is *not* a Samba
>> thing, it is an AD thing.
> What about: http://www.serverlab.ca/tutorials/linux/network-services/using-linux-bind-dns-servers-for-active-directory-domains/
> ?

First and foremost, this is your domain, so you can do what you want
with it, but I wouldn't use anything that didn't rely on the dns info
stored in AD. I would also point out, that website is not a Samba or
Microsoft website and as such I cannot recommend using it.

If you want to use it, you will have to rely on help from the page you
linked to.

If you use the internal dns server, or better still, Bind9 dlz, you get
(just like Windows) multi-master dns with dns info replicated between
the DCs. You will not get this with the setup you posted, in fact, you
may get a single point of failure.

This is my opinion, yours may differ.

Rowland

Sketch

Apr 7, 2016, 10:40:05 AM
On Thu, 7 Apr 2016, Sonic wrote:

> On Wed, Apr 6, 2016 at 5:29 PM, Sketch <smb...@rednsx.org> wrote:
>> There's no need to repoint clients to AD DNS servers if you don't want
>> dynamic DNS registration.
>
> Dynamic DNS registration works with the clients pointing to the
> Unbound cache (at an account with a Windows AD server). The clients
> must be determining what system to register with via DNS records even
> though they don't point to the Windows AD server for DNS resolution.

I'm surprised that works, I always just assumed it dyndns'd to its DNS
server. Maybe Windows is looking up what server to register with in DNS
(under _msdcs), or via LDAP?

Sonic

Apr 7, 2016, 11:00:03 AM
On Thu, Apr 7, 2016 at 10:28 AM, Sketch <smb...@rednsx.org> wrote:
> I'm surprised that works, I always just assumed it dyndns'd to it's DNS
> server. Maybe Windows is looking up what server to register with in DNS
> (under _msdcs), or via LDAP?

I was surprised as well. I reconfigured the setup knowing I wouldn't
need dynamic DNS registration as all of the necessary systems already
had static DNS records and was surprised when the clients were still
registering with the AD.
Basically AD points to itself for DNS, forwards to Unbound (on another
system), which is cache/resolver and has a stub-zone pointing to the AD.
All clients point to the Unbound server for DNS resolution.
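Sketch's guess above is right in substance: a domain member finds its DC through the `_ldap._tcp.dc._msdcs.<domain>` SRV records, and an RFC 2136 update client sends its update to the primary named in the zone's SOA record, not to whichever resolver it happens to use. The following is an added example (not Samba or Windows code) that walks through both lookups on constructed record data; the zone internal.domain.tld, the hostnames and the SOA primaries are assumptions, and the SRV ordering follows RFC 2782.

```python
"""Added example (not Samba or Windows code): how an AD client locates a DC
and a dynamic-update target from DNS records alone, which is why a client
that only talks to a resolver such as Unbound can still register in AD.
The record data is constructed; all hostnames and zone names are assumptions."""
import random
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class SRV:
    priority: int
    weight: int
    port: int
    target: str


# Constructed answers, shaped like what a resolver returns for the AD
# subdomain suggested in the thread (internal.domain.tld is an assumption).
SAMPLE_SRV: Dict[str, List[SRV]] = {
    "_ldap._tcp.dc._msdcs.internal.domain.tld.": [
        SRV(0, 100, 389, "dc1.internal.domain.tld."),
        SRV(0, 100, 389, "dc2.internal.domain.tld."),
        SRV(10, 100, 389, "dc3.internal.domain.tld."),  # lower preference
    ],
}

# Constructed SOA MNAME per zone: the primary master an RFC 2136 client sends
# its update to once it has found the zone through its normal resolver.
SAMPLE_SOA_MNAME: Dict[str, str] = {
    "domain.tld.": "ns1.domain.tld.",
    "internal.domain.tld.": "dc1.internal.domain.tld.",
}


def order_srv(records: List[SRV], rng: Optional[random.Random] = None) -> List[SRV]:
    """Order SRV records as RFC 2782 prescribes: ascending priority, then a
    weighted random draw inside each priority group (weight-0 entries are
    drawn only when the draw itself is 0, so rarely)."""
    rng = rng or random.Random()
    ordered: List[SRV] = []
    for prio in sorted({r.priority for r in records}):
        # Weight-0 entries go to the front of the pool so the running sum
        # only reaches them when the draw is 0.
        pool = sorted((r for r in records if r.priority == prio),
                      key=lambda r: r.weight != 0)
        while pool:
            pick = rng.randint(0, sum(r.weight for r in pool))
            running = 0
            for r in pool:
                running += r.weight
                if running >= pick:
                    ordered.append(r)
                    pool.remove(r)
                    break
    return ordered


def locate_dc(domain: str, srv: Dict[str, List[SRV]] = SAMPLE_SRV,
              rng: Optional[random.Random] = None) -> List[str]:
    """DC locator step: resolve the _ldap._tcp.dc._msdcs SRV name of the AD
    DNS domain and return host:port candidates in the order to try them."""
    name = f"_ldap._tcp.dc._msdcs.{domain.rstrip('.')}."
    return [f"{r.target.rstrip('.')}:{r.port}" for r in order_srv(srv.get(name, []), rng)]


def enclosing_zone(fqdn: str, zones: Dict[str, str]) -> Optional[str]:
    """Walk up the labels of fqdn and return the longest known zone containing it."""
    labels = fqdn.rstrip(".").split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:]) + "."
        if candidate in zones:
            return candidate
    return None


def update_target(client_fqdn: str,
                  soa_mname: Dict[str, str] = SAMPLE_SOA_MNAME) -> Optional[str]:
    """Server an RFC 2136 dynamic update for client_fqdn is sent to: the SOA
    MNAME of the closest enclosing zone, whatever resolver the client uses."""
    zone = enclosing_zone(client_fqdn, soa_mname)
    return soa_mname[zone] if zone else None


if __name__ == "__main__":
    print("try DCs in order:", locate_dc("internal.domain.tld"))
    print("pc01.internal.domain.tld registers at", update_target("pc01.internal.domain.tld"))
    print("server.domain.tld registers at", update_target("server.domain.tld"))
```

The second lookup is the one that explains Sonic's observation: when Unbound answers the SOA query for the stub zone, the MNAME it returns is the DC, so the client's update goes to the DC directly. The same walk also shows why a host whose name stays in the parent zone (server.domain.tld in this example) would register with that zone's primary, not with the DC.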

Sonic

Apr 7, 2016, 11:00:03 AM
On Thu, Apr 7, 2016 at 10:34 AM, Rowland penny <rpe...@samba.org> wrote:
> First and foremost, this is your domain, so you can do what you want with
> it, but I wouldn't use anything that didn't rely on the dns info stored in
> AD. I would also point out, that website is not a Samba or Microsoft website
> and as such I cannot recommend using it.

Microsoft does have some info:
https://social.technet.microsoft.com/Forums/windowsserver/en-US/f90eb354-aa57-4d6b-b86b-3bab7910ca78/pure-windows-2008-r2-domain-with-bind-dns-server
https://technet.microsoft.com/en-us/library/dd316373.aspx

Trying to get an idea if much of this has been explored by Samba 4 users.

Sketch

Apr 7, 2016, 11:10:04 AM
On Thu, 7 Apr 2016, Sonic wrote:

My guess would be not much, because BIND9_DLZ exists and (mostly) gives
you the best of both worlds. If you want to use bind with MS DNS servers,
then you have to go that route, but it's not necessary with Samba 4 and
BIND9_DLZ.

Sonic

Apr 7, 2016, 11:20:04 AM
On Thu, Apr 7, 2016 at 11:00 AM, Sketch <smb...@rednsx.org> wrote:
> My guess would be not much, because BIND9_DLZ exists and (mostly) gives you
> the best of both worlds.

Which does bring up a question. It seems that outside of a feature or
two and some added flexibility that there is, at the core, no
difference between Samba's internal DNS and BIND9_DLZ as there are no
text editable BIND zone files for the AD domain, it's more like BIND
is just the frontend serving up the data on port 53.

So to keep things simple as in the other scenario with the Windows
server, if I plan to use Unbound as the cache for all of the clients,
I can stub-zone to Samba4 for the AD domain records. The Samba4 AD
points to itself and uses Unbound as the forwarder. Seems simpler than
putting BIND in the middle, as I don't know if it's buying me
anything.

Rowland penny

Apr 7, 2016, 12:00:04 PM
On 07/04/16 16:12, Sonic wrote:
> On Thu, Apr 7, 2016 at 11:00 AM, Sketch <smb...@rednsx.org> wrote:
>> My guess would be not much, because BIND9_DLZ exists and (mostly) gives you
>> the best of both worlds.
> Which does bring up a question. It seems that outside of a feature or
> two and some added flexibility that there is, at the core, no
> difference between Samba's internal DNS and BIND9_DLZ as there are no
> text editable BIND zone files for the AD domain, it's more like BIND
> is just the frontend serving up the data on port 53.

No, Bind isn't just a front end, there are zone files, but you just
don't see them because they are in memory.

Apr 7 16:46:04 dc1 named[19554]: Loading 'AD DNS Zone' using driver dlopen
Apr 7 16:46:05 dc1 named[19554]: samba_dlz: started for DN DC=samdom,DC=example,DC=com
Apr 7 16:46:05 dc1 named[19554]: samba_dlz: starting configure
Apr 7 16:46:05 dc1 named[19554]: samba_dlz: configured writeable zone '0.168.192.in-addr.arpa'
Apr 7 16:46:05 dc1 named[19554]: samba_dlz: configured writeable zone 'samdom.example.com'
Apr 7 16:46:05 dc1 named[19554]: samba_dlz: configured writeable zone '_msdcs.samdom.example.com'

Rowland
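The log lines Rowland pasted are the one place BIND9_DLZ tells you which AD zones it actually picked up, so they are worth checking after every named restart rather than eyeballing. The following is an added example, not Samba code: it parses those lines (re-joined where the mail client wrapped them), derives the expected forward zone from the DN samba_dlz reports, and flags the forward zone or its _msdcs zone if either is missing. Treating the reverse zone as optional is my choice, not something the thread states.

```python
"""Added example (not Samba code): confirm from named's startup log that the
samba_dlz backend loaded the zones an AD DC must serve."""
import re
from typing import List, Set

# Sample input: the log lines posted in the thread, re-joined into one line
# per message (the mail client had wrapped two of them).
SAMPLE_LOG = """\
Apr 7 16:46:04 dc1 named[19554]: Loading 'AD DNS Zone' using driver dlopen
Apr 7 16:46:05 dc1 named[19554]: samba_dlz: started for DN DC=samdom,DC=example,DC=com
Apr 7 16:46:05 dc1 named[19554]: samba_dlz: starting configure
Apr 7 16:46:05 dc1 named[19554]: samba_dlz: configured writeable zone '0.168.192.in-addr.arpa'
Apr 7 16:46:05 dc1 named[19554]: samba_dlz: configured writeable zone 'samdom.example.com'
Apr 7 16:46:05 dc1 named[19554]: samba_dlz: configured writeable zone '_msdcs.samdom.example.com'
"""

ZONE_RE = re.compile(r"samba_dlz: configured writeable zone '([^']+)'")
DN_RE = re.compile(r"samba_dlz: started for DN (DC=\S+)")
NO_DRIVER = "<no 'samba_dlz: started for DN' line: driver not loaded>"


def dn_to_domain(dn: str) -> str:
    """DC=samdom,DC=example,DC=com -> samdom.example.com"""
    return ".".join(part.split("=", 1)[1]
                    for part in dn.split(",")
                    if part.upper().startswith("DC="))


def loaded_zones(log: str) -> Set[str]:
    """Every zone samba_dlz reported as configured and writeable."""
    return set(ZONE_RE.findall(log))


def missing_zones(log: str) -> List[str]:
    """Zones every Samba AD DC must serve (the forward zone and its _msdcs
    subzone), derived from the DN in the log, that were not configured.
    Reverse zones are not required here; the assumption is that they are
    optional for AD to function."""
    m = DN_RE.search(log)
    if not m:
        return [NO_DRIVER]
    domain = dn_to_domain(m.group(1))
    required = [domain, f"_msdcs.{domain}"]
    have = loaded_zones(log)
    return [z for z in required if z not in have]


if __name__ == "__main__":
    # In practice feed it journalctl -u named or the syslog file instead.
    print("loaded:", sorted(loaded_zones(SAMPLE_LOG)))
    print("missing:", missing_zones(SAMPLE_LOG))
```

A non-empty result from `missing_zones` after a restart usually means the DLZ module could not read the zone from AD (wrong `named.conf` include for the Bind version, or the `dns.keytab` and directory permissions Samba's provisioning sets up have been changed), and the DC will answer SERVFAIL or REFUSED for its own domain even though named is running.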

Sonic

Apr 7, 2016, 2:10:03 PM
On Thu, Apr 7, 2016 at 11:47 AM, Rowland penny <rpe...@samba.org> wrote:
> No, Bind isn't just a front end, there are zone files, but you just don't
> see them because they are in memory.

Doesn't Samba contain the database that DLZ loads?

Sonic

Apr 7, 2016, 2:20:03 PM
On Thu, Apr 7, 2016 at 2:08 PM, Rowland penny <rpe...@samba.org> wrote:
> Well yes and then no, the dns info is stored in AD, but Bind extracts it and
> uses it to populate the dlz zones, or so I understand.

That's what I meant earlier by Bind as a frontend - Samba holds the
data, and it's either served up to clients directly via Samba or via
Bind, using the DLZ mechanism.

Rowland penny

Apr 7, 2016, 2:20:04 PM
On 07/04/16 19:00, Sonic wrote:
> On Thu, Apr 7, 2016 at 11:47 AM, Rowland penny <rpe...@samba.org> wrote:
>> No, Bind isn't just a front end, there are zone files, but you just don't
>> see them because they are in memory.
> Doesn't Samba contain the database that DLZ loads?

Well yes and then no, the dns info is stored in AD, but Bind extracts it
and uses it to populate the dlz zones, or so I understand.

Rowland

Rowland penny

Apr 7, 2016, 2:40:03 PM
On 07/04/16 19:18, Sonic wrote:
> On Thu, Apr 7, 2016 at 2:08 PM, Rowland penny <rpe...@samba.org> wrote:
>> Well yes and then no, the dns info is stored in AD, but Bind extracts it and
>> uses it to populate the dlz zones, or so I understand.
> That's what I meant earlier by Bind as a frontend - Samba holds the
> data, and it's either served up to clients directly via Samba or via
> Bind, using the DLZ mechanism.

No, it is more than a frontend, there are differences in the set up of
the internal dns server and Bind9. You can swap between the two, but
most changes are probably the internal dns server to Bind9.
If you only have one DC, then the best choice is probably the internal
dns, but you are probably better off with Bind9 if you have more than
one DC, every DC can be authoritative for the dns domain for instance.

Rowland

Sonic

Apr 7, 2016, 6:20:04 PM
On Thu, Apr 7, 2016 at 10:16 AM, Sonic <sonic...@gmail.com> wrote:
> Dynamic DNS registration works with the clients pointing to the
> Unbound cache (at an account with a Windows AD server). The clients
> must be determining what system to register with via DNS records even
> though they don't point to the Windows AD server for DNS resolution.

Works just as well with a Samba AD. Just tested - client points to
Unbound but still registers itself in the AD.

Matthew Delfino

Apr 12, 2016, 12:00:03 PM
I’m feeling like this stuff is always assumed to be common knowledge. Everyone starts talking about samdom.example.com before first stating, "Here’s why you want to use a 'samdom' or whatever name you like, for a subdomain on your network." Even here: https://wiki.samba.org/index.php/DNS it’s at the very bottom. Why not have it at the very top?

A really high-level question here…

Say I have awesomecompany.loc as my domain, with existing BIND 9 servers handling all of our DNS. Here I have many servers and clients that would be connecting to my AD, which have addresses like...

"server.awesomecompany.loc"
"0245imac.awesomecompany.loc"

Then I decide to put in a trio of AD DCs running Samba in a new domain of "samdom.awesomecompany.loc." I make it a subdomain of my BIND 9-managed "awesomecompany.loc" and let the Samba DCs be authoritative over "samdom.awesomecompany.loc."

My question is, would I have to give new DNS A records to all the machines that would be binding to that domain in samdom.awesomecompany.loc? Like…

"server.samdom.awesomecompany.loc"
"0245imac.samdom.awesomecompany.loc"

(Assume I’m not doing dynamic DNS, by the way.) Or is there really no good reason to do that, as the previously-used addresses should work fine?

If I can use the previously-used addresses, what sorts of records do I want to put in samdom.awesomecompany.loc? Just the AD DCs and all the particular records that AD populates it with?

Thanks in advance!

Matthew




L.P.H. van Belle

Apr 12, 2016, 12:20:03 PM
What I would do is set up an Unbound server as a slave DNS of the Samba DNS zone. (Best is to use bind_dlz on the Samba servers.)
I don't know Unbound, but it would surprise me if it's not possible to set up a slave.

I do similar, but then with Bind DNS.

Greetz,

Louis


Rowland penny

Apr 12, 2016, 12:50:03 PM
On 12/04/16 16:49, Matthew Delfino wrote:
> I’m feeling like this stuff is always assumed to be common knowledge.
> Everyone starts talking about samdom.example.com before first stating,
> "Here’s why you want to use a 'samdom' or whatever name you like, for a
> subdomain on your network." Even here: https://wiki.samba.org/index.php/DNS
> it’s at the very bottom. Why not have it at the very top?

If you follow the Samba guide to setting up an AD DC:

https://wiki.samba.org/index.php/Setup_a_Samba_Active_Directory_Domain_Controller

Near the top, under the heading 'Preconditions' there is a link to to
the Active Directory naming FAQ:

https://wiki.samba.org/index.php/Active_Directory_Naming_FAQ

This explains all about the best practice when it comes to an AD domain
and DNS.


>
> A really high-level question here…
>
> Say I have awesomecompany.loc as my domain, with existing BIND 9
> servers handling all of our DNS. Here I have many servers and clients
> that would be connecting to my AD, which have addresses like...
>
> "server.awesomecompany.loc"
> "0245imac.awesomecompany.loc"
>
> Then I decide to put in a trio of AD DCs running Samba in a new domain
> of "samdom.awesomecompany.loc." I make it a subdomain of by BIND
> 9-managed "awesomecompany.loc" and let the Samba DCs be authoritative
> over "samdom.awesomecompany.loc."
>
> My question is, would I have to give new DNS A records to all the
> machines that would be binding to that domain in
> samdom.awesomecompany.loc? Like…
>
> "server.samdom.awesomecompany.loc"
> "0245imac.samdom.awesomecompany.loc"
>
> (Assume I’m not doing dynamic DNS, by the way.) Or is there really no
> good reason to do that, as the previously-used addresses should work fine?
>
> If I can use the previously-used addresses, what sorts of records do I
> want to put in samdom.awesomecompany.loc? Just the AD DCs and all the
> particular records that AD populates it with?
>

If your Samba AD domain uses the subdomain 'samdom.awesomecompany.loc'
DNS name, this would make your Kerberos Realm
'SAMDOM.AWESOMECOMPANY.LOC' and as such, any machine that is joined to
your AD domain would also have to use the 'samdom.awesomecompany.loc'
DNS domain.

Rowland

Sonic

Apr 13, 2016, 10:30:04 AM
On Thu, Apr 7, 2016 at 11:00 AM, Sketch <smb...@rednsx.org> wrote:
> My guess would be not much, because BIND9_DLZ exists and (mostly) gives you
> the best of both worlds. If you want to use bind with MS DNS servers, then
> you have to go that route, but it's not necessary with Samba 4 and
> BIND9_DLZ.

That's clear but I was thinking more of the analogous configuration
where I continue to use NSD instead of BIND9_DLZ (or Samba).

Sketch

Apr 13, 2016, 10:40:03 AM
On Wed, 13 Apr 2016, Sonic wrote:

> On Thu, Apr 7, 2016 at 11:00 AM, Sketch <smb...@rednsx.org> wrote:
>> My guess would be not much, because BIND9_DLZ exists and (mostly) gives you
>> the best of both worlds. If you want to use bind with MS DNS servers, then
>> you have to go that route, but it's not necessary with Samba 4 and
>> BIND9_DLZ.
>
> That's clear but I was thinking more of the analogous configuration
> where I continue to use NSD instead of BIND9_DLZ (or Samba).

My understanding of Unbound is that it is designed as a caching nameserver, not
an authoritative nameserver. It's supposed to serve DNS to clients from
another server, such as BIND or Samba's internal DNS server. Pointing it
to your domain's authoritative Samba/BIND9_DLZ DNS servers seems like the
proper way to set it up to me.

Sonic

Apr 13, 2016, 11:00:04 AM
On Wed, Apr 13, 2016 at 10:29 AM, Sketch <smb...@rednsx.org> wrote:
> My understanding of Unbound is that it is designed as a caching nameserver, not an
> authoritative nameserver. It's supposed to serve DNS to clients from
> another server, such as BIND or Samba's internal DNS server. Pointing it to
> your domain's authoritative Samba/BIND9_DLZ DNS servers seems like the
> proper way to set it up to me.

Have been using Unbound in this way for well over a year with an MS AD.
The point was the possibility, at another location, to continue to use
NSD, an authoritative server, which currently contains all the needed
DNS records except the new ones necessary to host an AD, in the same
manner BIND was used in some of given links to replace the MS DNS in
the MS AD environment.

Rowland penny

Apr 13, 2016, 11:30:04 AM
On 13/04/16 15:49, Sonic wrote:
> On Wed, Apr 13, 2016 at 10:29 AM, Sketch <smb...@rednsx.org> wrote:
>> My understanding of Unbound is that it is designed as a caching nameserver, not an
>> authoritative nameserver. It's supposed to serve DNS to clients from
>> another server, such as BIND or Samba's internal DNS server. Pointing it to
>> your domain's authoritative Samba/BIND9_DLZ DNS servers seems like the
>> proper way to set it up to me.
> Have been using Unbound in this way for well over a year with an MS AD.
> The point was the possibility, at another location, to continue to use
> NSD, an authoritative server, which currently contains all the needed
> DNS records except the new ones necessary to host an AD, in the same
> manner BIND was used in some of given links to replace the MS DNS in
> the MS AD environment.
>

OK, having never used NSD (oh look, it is DNS mixed up), I did a bit of
research and it seems to work somewhat like Bind with flatfiles, but in
this case, the flatfile is a database.

So, you are proposing to use something that very few (if any) other
Samba users use, that stores its data in a database, this set up will be
totally unsupported by Samba. This is instead of using something that a
lot of people use and also stores its data in a database, though in the
case of Bind dlz, the database is AD and *is* supported by Samba.

It is your AD domain and you can do what you like with it, but if
something does go wrong, how are you going to know if it is something
wrong with your Samba 4 AD, or if it is something wrong with your custom
DNS setup ??

Or to put it another way, it is very unlikely that anybody will be able
help you with any potential problems.

Rowland