[Samba] Realms: subdom or not subdom ?

Gregory Sloop gregs at sloop.net
Thu Jul 10 17:52:39 MDT 2014


> Guys,
>
> Currently, I'm running the following configuration (@ lab, according to the
> recommendation for the Realm from Samba_AD_DC_HOWTO):
>
> ---
> AD DC Hostname:                    samba-ad-1
> AD DNS Domain Name:                samdom.example.com
> Kerberos Realm:                    SAMDOM.EXAMPLE.COM
> NT4 Domain Name/NetBIOS Name:      samdom
> IP Address:                        192.168.1.1
> Server Role:                       Domain Controller (DC)
> Domain Admin Password:             pa$$w0rd
> Forwarder DNS Server:              192.168.1.254
> ---
>
> But then, all my computers (servers and desktops) are being registered
> within "*.samdom.example.com", and I was expecting to see those machines at
> "*.example.com"...
>
> So, is it possible to use a recommended realm, like "SAMDOM.EXAMPLE.COM",
> just for the realm itself, while at the same time registering the machines
> at "*.example.com"?
>
> If yes, can someone point me to a quick and dirty guide to do that?!
>
> Thanks!
> Thiago

The way we do it is like this:

I have a DHCP/DNS server in example.com - it hands out DHCP addresses and handles DNS for EXAMPLE.COM. [Actually we use a DHCP/DNS fail-over pair for redundancy.]
I create records, or have dynamic DNS records created for DHCP leases in the *.EXAMPLE.COM zone.

If you query any host *.EXAMPLE.COM, the DHCP/DNS server handles this.
[This will run easily in a VirtualBox or other VM. Other than disk I/O, DHCP/DNS is trivial work, and I/O only becomes a problem at very high volumes. Can't say exactly what "high" is - I suspect thousands of clients with very short lease times.]

I then set up a forward zone on the DHCP/DNS server for SAMDOM.EXAMPLE.COM and point it at the DC DNS server.

So, for any client, there are probably two lookups that can occur.

SOMESTATION.SAMDOM.EXAMPLE.COM
and
SOMESTATION.EXAMPLE.COM

Both will return the same IP. One is registered with the DHCP/DNS server, the other with the DC DNS server.

Point all stations at either the DC DNS or the DHCP/DNS servers. [IMO, pick one or the other - it will make troubleshooting a lot easier if it's consistent across the whole org.]

Point the DC's non-local DNS queries to the DHCP/DNS server.

One will get resolved by the DC [*.samdom.example.com] and the others [*.example.com, as well as all non local domains] will get resolved by the DHCP/DNS server.

This is a slightly more complicated setup than running everything on the DC, but IMO a more elegant solution, which is also more modular.
[I also thought there was an issue with the early DCs where running a DHCP server on the DC was a problem - I'm not sure if that's still an issue.]

-Greg
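The split described in Greg's reply, written out as configuration (an added example, not from the original thread or the Samba project). Assumptions: the DHCP/DNS server runs BIND and sits at 192.168.1.254 (the forwarder address from Thiago's lab setup), the DC is 192.168.1.1, the DC uses Samba's internal DNS, and the zone file path is made up.

```conf
# --- DHCP/DNS server: BIND named.conf, authoritative for example.com ---
# Hosts registered by DHCP/dynamic DNS live in this zone (SOMESTATION.EXAMPLE.COM).
zone "example.com" {
    type master;
    file "/etc/bind/db.example.com";   # assumed path, not from the thread
    allow-update { key "dhcp-update"; };  # restrict dynamic updates to the DHCP server's TSIG key
};

# Forward zone: everything under samdom.example.com is handed to the DC.
# The DC alone answers for the AD realm (SOMESTATION.SAMDOM.EXAMPLE.COM, SRV records, etc.).
zone "samdom.example.com" {
    type forward;
    forward only;
    forwarders { 192.168.1.1; };   # assumed: the DC address from the quoted config
};

# --- Samba AD DC: smb.conf, [global] section ---
# Queries the DC is not authoritative for (example.com, the Internet) go back
# to the DHCP/DNS server, so clients pointed at the DC still resolve everything.
[global]
    dns forwarder = 192.168.1.254

# --- Checks (run from any client) ---
# Both answers should carry the same address, one from each server, as Greg describes:
#   dig @192.168.1.254 somestation.samdom.example.com A   # forwarded to the DC
#   dig @192.168.1.1   somestation.example.com         A   # forwarded to the DHCP/DNS server
# If the DC-side query fails, confirm the DC can reach 192.168.1.254 and that
# the DHCP/DNS server allows recursion from the DC (allow-recursion / allow-query).
```

Whichever server the stations point at, the TSIG-restricted `allow-update` keeps arbitrary clients from overwriting EXAMPLE.COM records while the forward zone keeps the realm's records under the DC's control.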

