Adding a Forwarding Zone (Bind 9.9.2)

Amitay Isaacs amitay at
Wed Dec 5 15:22:14 MST 2012

Hi Charles,

On Thu, Dec 6, 2012 at 5:51 AM, Charles Tryon <charles.tryon at> wrote:

> I am trying to set up the DNS on my Samba4 system to forward requests for a
> different zone to another server.  I can create the empty zone, but then
> can't figure out how to create a SOA record in the zone.  This is on a
> fairly new CentOS base server, running the latest version (9.9.2) of Bind,
> with the original tables set up using the Samba3/Samba4 migration process
> (as of maybe 6 months ago, back in the Beta releases).  I'm running a
> recent version of Samba4 from Git Version (4.1.0pre1-GIT-2ad5620)
> The main zone for this domain is  I have another DNS server
> (running on a different Win2008R2 AD controller) which is authoritative for
> the domain "global.local".  I would like to forward requests which come
> into my Bind server referencing the global.local domain to get forwarded to
> the other controller.
> I'm no DNS wizard so I'm not even sure I have the terminology right, but my
> understanding is that the old way to do it would be to add a zone
> definition (of type "forward") into the named.conf file, and then supply a
> forward to IP.

Yes. That's the easiest option. You can add the following entry in your

zone "global.local" IN {
    type forward;
    forwarders { ip.address.of.dns-server; };
};

This should tell BIND to forward all the queries for domain global.local to

> I've looked through posts in this group, and what I've seen so far is that
> you either use the "Windows Way" and use the MS RSA tools and the DNS "Add
> Domain" wizard, or you do it on the command line with the samba-tool dns
> commands, first creating an empty domain and then adding an "@" record or
> SOA.
> The MS DNS tool, running on a Win7 client added to the domain (logged in
> with a user in the DnsAdmins group) lets me get up to the point where I
> create a "Secondary zone", and then add the IP address for the DNS server.
>  However, when I enter the IP (and it comes back with the correct FQDN), it
> tells me:
>       Validation Error, please try later.
> If I hit Next, it gives me the error:
>       The zone cannot be created.
>       This function is not supported on this system.
> Does this sound like an incompatibility between the MS tools and the Bind
> 9.9 tools?  Or, is there something that needs to be changed on the other MS
> Windows DNS controller to allow forwarded queries?

I will have to check why this doesn't work. Maybe it's using some
additional RPC call which is not implemented. When you try to add a secondary
zone via the MS DNS tool, can you check if there is anything in the logs that
would give an indication of why it's not working?

> Approaching from the command line (where I'm always more comfortable
> anyway...), I can create the empty zone with the samba-tool dns zoneadd
> command, but I have not yet found any instructions on how to change that
> into a secondary zone, or point the SOA.
> Ideas?  Pointers to Wikis?

This has been reported by others. The code to add SOA record is currently
missing and needs to be added. Patches welcome. ;-)

> --
>     Charles Tryon
> _________________________________________________________________________
>   “Risks are not to be evaluated in terms of the probability of success,
> but in terms of the value of the goal.”
>                 - Ralph D. Winter


More information about the samba-technical mailing list