[Samba] DNS issues after FSMO seize

lingpanda101 at gmail.com
Tue Apr 5 12:48:51 UTC 2016

On 4/5/2016 8:17 AM, mathias dufresne wrote:
> For me:
> - SOA means where updates can be sent.
> - SOA can be one or several.
> - NS is a record to help non-authoritative name servers find a valid
> name server for a zone when they receive a request for it and don't know
> anything about that zone.
> - SOA is often declared as NS, I agree. I explained this is not mandatory.
> There is no link between these two notions except that they share a zone.
> There are two of you telling me that's absurd. What I want is to understand things,
> and things include the DNS protocol and its usage in an AD. So if you have
> anything to _*explain*_ to me why these concepts are really linked, please
> tell me. Develop your argument because I'm really thick.
> Then we could go back to defining the role of SOA and NS.
> For me, again:
> - SOA: where to write
> - NS: where to ask
> Again, if you do not agree with that, explain, develop, be clear, I'm still
> thick.
> And please don't come back to tell me NS stands for name server and SOA
> stands for Start of Authority. If I weren't able to find this
> information I would have nothing to do in the IT world, not designing an AD for
> a large company at least.
> And please accept my apologies about the tone, I really hate people who do
> not explain. We are here to understand, to grow together. Telling
> someone "you're wrong" and stopping there is nonsense; that won't help the
> guy understand his error, or what he misunderstood.
> 2016-04-05 12:01 GMT+02:00 L.P.H. van Belle <belle at bazuin.nl>:
I'll throw my two cents in. I noted this from a Microsoft TechNet 
article for a 2003 server that I jotted down.

"The SOA RR identifies a primary DNS name server for the zone as the 
best source of information for the data within that zone and as an 
entity processing the updates for the zone."

"A name within a zone can also be delegated to a different zone that is 
hosted on a different DNS server. Delegation is a process of assigning 
responsibility for a portion of a DNS namespace to a DNS server owned by 
a separate entity. This separate entity could be another organization, 
department or workgroup within your company. Such delegation is 
represented by the NS resource record that specifies the delegated zone 
and the DNS name of the server authoritative for that zone."

"The name server (NS) RRs facilitate delegation by identifying DNS 
servers for each zone and the NS RRs appear in all zones. Whenever a DNS 
server needs to cross a delegation in order to resolve a name, it will 
refer to the NS RRs for DNS servers in the target zone."

"If multiple NS records exist for a delegated zone identifying multiple 
DNS servers available for querying, the Windows Server 2003 DNS Server 
service will be able to select the closest DNS server based on the round 
trip intervals measured over time for every DNS server."

The above is how I view the SOA and NS RRs. This is difficult for many, 
because users run either the Samba internal DNS or BIND, and the two exhibit 
different behavior with respect to the SOA and NS records. With that said, the 
above is how the SOA and NS RRs should behave (if things have 
changed, please advise).

The biggest issue facing the Samba internal DNS is that it only reports one 
server as SOA. BIND does not have this limitation, as Rowland has 
attested to in several threads showing his findings. Each server 
should report itself as SOA.

When I had to seize FSMO roles, I had to update the SOA to a different 
DC, as it still pointed to the removed DC. This was using the internal DNS. 
I'm not sure whether, when using BIND, you still need to do this after seizing.
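The stale-SOA situation described in this post (after a seize, the SOA MNAME still names the removed DC) can be checked from a shell before clients start failing dynamic updates. The script below is an added example, not code from the thread or from Samba; the zone and DC hostnames are assumed placeholders, and it uses `dig` for the live queries.

```shell
#!/bin/sh
# Added example (not from the Samba thread). For each DC, ask it for the zone's
# SOA and NS records and report when the SOA MNAME is not one of the NS hosts,
# i.e. the primary named in the SOA is a DC that no longer serves the zone.
# Samba's internal DNS returns one server as SOA MNAME; BIND DLZ DCs each
# report themselves, so the check matters most on internal-DNS deployments.

# Extract MNAME from a dig +short SOA answer line
# ("mname rname serial refresh retry expire minimum"), trailing dot removed.
soa_mname() {
    printf '%s\n' "$1" | awk '{ sub(/\.$/, "", $1); print $1 }'
}

# Return 0 if MNAME ($1) appears in the newline-separated NS list ($2),
# 1 if it does not (a stale SOA after an FSMO seize or DC demotion).
mname_is_listed() {
    printf '%s\n' "$2" | sed 's/\.$//' | grep -qx "$1"
}

# Live check against real DCs (assumed hostnames): $1 is the zone, the rest
# are DCs to query. Exit status is non-zero if any DC reports a stale MNAME.
check_zone() {
    zone=$1; shift
    rc=0
    for dc in "$@"; do
        soa=$(dig +short @"$dc" "$zone" SOA)
        ns=$(dig +short @"$dc" "$zone" NS)
        m=$(soa_mname "$soa")
        if mname_is_listed "$m" "$ns"; then
            echo "$dc: SOA MNAME $m is an NS for $zone"
        else
            echo "$dc: SOA MNAME $m is NOT an NS for $zone (stale after seize?)"
            rc=1
        fi
    done
    return $rc
}

# Usage: ./check_soa.sh samdom.example.com dc1.samdom.example.com dc2.samdom.example.com
if [ "$#" -gt 1 ]; then
    check_zone "$@"
fi
```

If the MNAME is reported as stale on every DC, the SOA record itself needs updating on the new primary; if only some DCs report it, replication of the zone data is the thing to look at first.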
