[Samba] specify alternative port for samba internal dns server

Ben Cohen cohen.ben at gmail.com
Thu Feb 26 18:13:03 MST 2015

I read that page -- but I'm not seeing anything that makes me think my dns
strategy is inappropriate ...

The article does describe the possible deployment strategies in what I
believe to be an overly constrained manner:

From the wiki:


You can use either the internal DNS server that is built into the samba4
binary, or an external bind DNS server. Default is to use the internal
server, and it is highly recommended that when you start using Samba4 as
AD-DC for the first time, you install it this way. You can later switch
between the two variants if needed. If you do use an external bind DNS
server, it must use the DLZ backend and run on the Samba AD DC.


In my opinion this should be augmented to explain that it's simple to use
the internal samba dns in combination with an external dns server.

Something like:


You can use the samba internal dns in combination with any other dns server
so long as that external dns server resolves queries for your active
directory domain via the samba dns server.

For example, suppose you've configured a samba domain to use the internal
dns like this:

# samba-tool domain provision --use-rfc2307 --interactive
 Domain [SAMDOM]: SAMDOM

The above configures samba and sets the internal samba-dns as the
authoritative dns server for samdom.example.com.  To ensure clients find
the necessary active directory information for samdom.example.com, ensure
the dns server on your network resolves all queries for samdom.example.com
via the samba internal dns server.

For example to configure a dnsmasq server to resolve queries for
samdom.example.com via the samba internal dns server -- include in your
dnsmasq configuration:


where in the above is the ip address of the server running


This third strategy uses the samba internal dns for all dns behavior that
samba/ad depends on, while still allowing use of another dns server.
The source of truth for samdom.example.com is the samba-dns which is
tightly (and correctly) integrated with the semantics of the active
directory domain.  This setup does not require use of BIND and does not
require that clients on the network use the samba dns for name resolution.

On Thu, Feb 26, 2015 at 4:24 PM, Rowland Penny <rowlandpenny at googlemail.com> wrote:

> On 27/02/15 00:10, Ben Cohen wrote:
>> Whoops - sorry for responding to you directly rather than via the list -- I
>> only use gmail for extremely high-volume mailing lists, and usually that's
>> just to skim-read them -- so I don't know the gmail web-ui very well (and
>> it seems to change all the time) -- apologies.  (Also I have no idea how to
>> not top-post with gmail ...  I'll figure that out for next time)
>> You seem to have strong opinions regarding the default port for the dns
>> server - I disagree with you but I'm not going to try to change your deeply
>> held beliefs.
>> While expressing your opinions earlier in the thread, the idea was raised
>> that it is somehow _REQUIRED_ for clients to use the samba internal dns
>> directly rather than receive dns responses via an intermediary dns server
>> -- can someone confirm whether or not this is the case?
> Try reading this samba wiki page:
> https://wiki.samba.org/index.php/DNS#Which_DNS_backend_should_I_choose.3F
> Especially the bit at the top.
> Rowland
> --
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/options/samba
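The message above proposes forwarding the AD zone from a dnsmasq resolver to the Samba internal DNS but the dnsmasq snippet did not survive in the archive. What follows is an added example, not code from the thread, from Samba or from dnsmasq: a small Python checker that parses dnsmasq `server=/domain/ip` forwarding lines (that directive and its longest-suffix matching are real dnsmasq behaviour) and confirms that the SRV names a domain member looks up when locating a DC would actually be sent to the DC. The zone `samdom.example.com` is the one used in the message; the addresses 192.0.2.10 (the DC) and 198.51.100.53 (the site's ordinary upstream) are constructed placeholders from the RFC 5737 documentation ranges. The broken variant shows the failure mode the message warns about: a forwarding rule that does not match the zone silently sends AD lookups to the ordinary upstream, which cannot answer them.

```python
"""Check that a dnsmasq forwarding fragment sends every name an AD client
needs to the Samba internal DNS.  Added example for the thread above, not
code from Samba or dnsmasq; the zone and addresses are constructed."""
import ipaddress
import re

# Constructed sample configuration.  192.0.2.10 stands in for the Samba AD DC
# and 198.51.100.53 for the site's ordinary upstream resolver (both are
# RFC 5737 documentation addresses, not real hosts).
SAMPLE_CONF = """
# forward the AD zone and every subdomain of it to the Samba internal DNS
server=/samdom.example.com/192.0.2.10
# everything else goes to the normal upstream resolver
server=198.51.100.53
"""

# A broken variant: the zone is misspelled, so AD lookups leak to the upstream.
BROKEN_CONF = SAMPLE_CONF.replace("samdom.example.com", "samdom.example.org")


def ad_locator_names(ad_domain):
    """SRV names a domain member resolves when locating a DC (all in the zone)."""
    return [
        f"_ldap._tcp.{ad_domain}",
        f"_kerberos._tcp.{ad_domain}",
        f"_kerberos._udp.{ad_domain}",
        f"_ldap._tcp.dc._msdcs.{ad_domain}",
    ]


def parse_forwarders(conf):
    """Parse server=/domain/ip and server=ip lines into {domain: ip}.

    The empty-string key holds the default (unqualified) upstream.  A target
    of '#' means 'use the default servers' in dnsmasq and is stored as None.
    """
    rules = {}
    for raw in conf.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):      # blank line or comment
            continue
        m = re.fullmatch(r"server=(?:/([^/]+)/)?(\S+)", line)
        if not m:
            continue
        domain, target = m.group(1), m.group(2)
        if target != "#":
            ipaddress.ip_address(target)          # reject a malformed address early
        key = (domain or "").lower().rstrip(".")
        rules[key] = None if target == "#" else target
    return rules


def forwarder_for(name, rules):
    """Which upstream dnsmasq would use for name: the longest matching suffix wins."""
    labels = name.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        suffix = ".".join(labels[i:])
        if suffix in rules:
            return rules[suffix] if rules[suffix] is not None else rules.get("")
    return rules.get("")


def misrouted_ad_names(conf, ad_domain, dc_ip):
    """Return the AD locator names that would NOT reach the DC at dc_ip."""
    rules = parse_forwarders(conf)
    return [n for n in ad_locator_names(ad_domain) if forwarder_for(n, rules) != dc_ip]


if __name__ == "__main__":
    for label, conf in (("good", SAMPLE_CONF), ("broken", BROKEN_CONF)):
        bad = misrouted_ad_names(conf, "samdom.example.com", "192.0.2.10")
        print(f"{label}: {'ok' if not bad else 'misrouted: ' + ', '.join(bad)}")
```

Run it against the fragment you intend to deploy (replace `SAMPLE_CONF` with the file contents) before pointing clients at the intermediary resolver; a non-empty result means joins and logons would fail even though ordinary name resolution looks fine.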