[Samba] DNS issues after FSMO seize

Rowland penny rpenny at samba.org
Tue Apr 5 13:11:33 UTC 2016

On 05/04/16 13:48, lingpanda101 at gmail.com wrote:
> On 4/5/2016 8:17 AM, mathias dufresne wrote:
>> For me:
>> - SOA means where updates can be sent.
>> - SOA can be one or several.
>> - NS is a record to help non-authoritative name servers find a valid
>> name server for a zone when they receive a request and don't know
>> anything about that zone.
>> - SOA is often declared as NS, I agree. I explained this is not
>> mandatory.
>> There is no link between these two notions except that they share a zone.
>> There are two of you telling me that's absurd. What I want is to understand
>> things, and things include the DNS protocol and its usage in an AD. So if
>> you have anything to _*explain*_ to me why these concepts are really linked,
>> please tell me. Develop your argument because I'm really thick.
>> Then we could go back to defining the role of SOA and NS.
>> For me, again:
>> - SOA: where to write
>> - NS: where to ask
>> Again, if you do not agree with that, explain, develop, be clear, I'm
>> still thick.
>> And please don't come back to tell me NS stands for name server and SOA
>> stands for Start of Authority. If I weren't able to find this
>> information I would have nothing to do in the IT world, not designing an
>> AD for a large company at least.
>> And please accept my apologies about the tone, I really hate people
>> who do not explain. We are here to understand, to grow up together. Telling
>> someone "you're wrong" and stopping there is nonsense; that won't help
>> the guy to understand his error, or what he misunderstood.
>> 2016-04-05 12:01 GMT+02:00 L.P.H. van Belle <belle at bazuin.nl>:
> I'll throw my two cents in. I noted this from a Microsoft TechNet
> article for a 2003 server I jotted down.
> "The SOA RR identifies a primary DNS name server for the zone as the
> best source of information for the data within that zone and as an
> entity processing the updates for the zone."
> "A name within a zone can also be delegated to a different zone that
> is hosted on a different DNS server. Delegation is a process of
> assigning responsibility for a portion of a DNS namespace to a DNS
> server owned by a separate entity. This separate entity could be
> another organization, department or workgroup within your company.
> Such delegation is represented by the NS resource record that
> specifies the delegated zone and the DNS name of the server
> authoritative for that zone."
> "The name server (NS) RRs facilitate delegation by identifying DNS
> servers for each zone and the NS RRs appear in all zones. Whenever a
> DNS server needs to cross a delegation in order to resolve a name, it
> will refer to the NS RRs for DNS servers in the target zone."
> "If multiple NS records exist for a delegated zone identifying
> multiple DNS servers available for querying, the Windows Server 2003
> DNS Server service will be able to select the closest DNS server based
> on the round trip intervals measured over time for every DNS server."
> The above is how I view the SOA and NS RRs. This is difficult for
> many, due to users using Samba Internal DNS or Bind. Both exhibit
> different behavior with respect to the SOA and NS records. With that
> said, the above is how the SOA and NS RRs should behave (if
> things have changed, please advise).
> The biggest issue facing the Samba Internal DNS is that it only reports
> one server as SOA. Bind does not have this limitation, as Rowland has
> attested to with several threads showing his findings. Each server
> should report itself as SOA.
> When I had to seize FSMO roles, I had to update the SOA to a
> different DC, as it still pointed to the removed DC. This is using
> internal DNS. I'm not sure if, when using Bind, you still need to do
> this after seizing.

This is the problem I found with the internal dns, you only get one SOA 
record, even if you add other DC NS & A records to the SOA. Bind works 
differently, you still have to add DC NS & A records to the SOA, but 
then every DC claims to have a SOA.
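A way to verify what the two posts above describe, added here as an example that is not part of the thread or of Samba itself: ask every DC directly for the zone's SOA and flag any DC whose SOA MNAME still names a server that is no longer a live DC (the situation lingpanda101 hit after seizing FSMO roles). The script builds and parses the DNS SOA messages itself with the standard library so it has no dependencies; the zone `samdom.example.com`, the DC names `dc1`/`dc2` and the removed `olddc`, and the sample response packets in the `__main__` block are all constructed for illustration. `query_soa()` is the only part that touches the network and is not exercised by the offline sample.

```python
import socket
import struct

SOA_TYPE = 6  # RR type code for SOA (RFC 1035)
IN_CLASS = 1


def encode_name(name):
    """Encode a dotted name as DNS wire-format labels."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_soa_query(zone, txid=0x1234):
    """Standard query (RD set) for the SOA of `zone`."""
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(zone) + struct.pack(">HH", SOA_TYPE, IN_CLASS)


def read_name(msg, offset):
    """Read a possibly compressed name; return (name, offset after the name)."""
    labels, end, jumped = [], None, False
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:  # compression pointer into the message
            pointer = struct.unpack(">H", msg[offset:offset + 2])[0] & 0x3FFF
            if not jumped:
                end = offset + 2
            jumped, offset = True, pointer
            continue
        offset += 1
        if length == 0:
            break
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels) + ".", end if end is not None else offset


def parse_soa_response(msg):
    """Return {'mname', 'rname', 'serial'} from the first SOA in the answer section."""
    _txid, _flags, qd, an, _ns, _ar = struct.unpack(">HHHHHH", msg[:12])
    offset = 12
    for _ in range(qd):  # skip the echoed question(s)
        _, offset = read_name(msg, offset)
        offset += 4  # QTYPE + QCLASS
    for _ in range(an):
        _, offset = read_name(msg, offset)
        rtype, _rclass, _ttl, rdlen = struct.unpack(">HHIH", msg[offset:offset + 10])
        offset += 10
        if rtype == SOA_TYPE:
            mname, pos = read_name(msg, offset)
            rname, pos = read_name(msg, pos)
            serial = struct.unpack(">I", msg[pos:pos + 4])[0]
            return {"mname": mname, "rname": rname, "serial": serial}
        offset += rdlen
    return None


def query_soa(server, zone, timeout=3.0):
    """Send the SOA query to one DC over UDP/53 and parse its reply."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    try:
        sock.sendto(build_soa_query(zone), (server, 53))
        data, _ = sock.recvfrom(4096)
    finally:
        sock.close()
    return parse_soa_response(data)


def find_stale_soa(results, live_dcs):
    """results: {dc: mname}. Return DCs whose SOA MNAME is not a live DC."""
    live = {d.rstrip(".").lower() for d in live_dcs}
    return sorted(dc for dc, mname in results.items()
                  if mname.rstrip(".").lower() not in live)


def build_soa_response(zone, mname, rname, serial, txid=0x1234):
    """Construct a sample authoritative SOA reply (for offline testing only)."""
    header = struct.pack(">HHHHHH", txid, 0x8400, 1, 1, 0, 0)
    question = encode_name(zone) + struct.pack(">HH", SOA_TYPE, IN_CLASS)
    rdata = encode_name(mname) + encode_name(rname)
    rdata += struct.pack(">IIIII", serial, 900, 600, 86400, 3600)
    # Answer NAME is a pointer (0xC00C) back to the question name at offset 12.
    answer = b"\xc0\x0c" + struct.pack(">HHIH", SOA_TYPE, IN_CLASS, 3600, len(rdata)) + rdata
    return header + question + answer


if __name__ == "__main__":
    zone, live = "samdom.example.com", ["dc1.samdom.example.com", "dc2.samdom.example.com"]
    # Constructed replies: dc1 names itself, dc2 still names the removed DC.
    replies = {
        "dc1.samdom.example.com": build_soa_response(zone, "dc1.samdom.example.com", "hostmaster." + zone, 42),
        "dc2.samdom.example.com": build_soa_response(zone, "olddc.samdom.example.com", "hostmaster." + zone, 42),
    }
    mnames = {dc: parse_soa_response(pkt)["mname"] for dc, pkt in replies.items()}
    print("stale SOA on:", find_stale_soa(mnames, live))
```

Against real DCs, replace the constructed `replies` with `{dc: build_soa_response(...)}` by `{dc: query_soa(dc, zone)}` for each DC in `live`; with Bind, every DC should answer with its own name as MNAME, while the internal DNS will return the same MNAME from every DC, which is exactly the difference the reply above points out.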

