[Samba] Missing new NS record.

Rowland Penny rpenny at samba.org
Thu Aug 18 16:17:40 UTC 2016

On Thu, 18 Aug 2016 16:59:51 +0200
mathias dufresne via samba <samba at lists.samba.org> wrote:

> Hi,
> I never had a look at MS AD regarding that, to check whether an NS record
> is created for each DC running the DNS service or not.

I couldn't find anything that explicitly says that each DC should have
its own SOA in AD. What I could find was that each AD-integrated zone on
a DC is expected to have a SOA record containing the DC's IP address.
This indicates that the DC hosts a writable copy of the zone. The SOA
should also contain an NS record for the DC. Whilst I do not know how
Windows does this, the only way I have found to do all this is to
add the DC's A & NS records to the SOA record; the only problem is, it
only seems (for me) to work with Bind9 as the DNS server.

> Anyway Samba AD does not create them and that's not an issue as long
> as you don't plan to make your AD DNS zones public (available on the
> Internet).

It is a problem and needs fixing, but only if you use the internal DNS
server with more than one DC. My advice: if you have more than one DC,
use Bind9.

> As far as I understood DNS, during DNS resolution, NS is used only
> when the client's resolver does not know how to resolve some request. In
> that case the resolver will ask for NS to know to which other DNS
> server it has to forward the request, in order to forward the received
> reply to the client. The client does not care about NS; you can set up
> any DNS server (AD or not) as resolver. These DNS servers do not need
> to be declared as NS because clients send their requests to the
> resolver without asking for NS.

That is all well and good, but what if you are running multiple DCs
with the internal DNS server and the only NS record they know about
goes offline?

> If the AD zones are meant to be public (most cases, I expect) there
> is no need to have each AD DNS server declared as NS.
> If you need or prefer to have clients using your company's official DNS
> servers rather than the AD DNS servers, you can set up a forward zone on your
> company's official DNS servers so that they forward any AD-related
> request to your AD DNS servers (those declared as forwarders in the
> forward zone).

The easiest way if you have more than one DC, is to use Bind9 on each
DC and set them to forward anything not known to another nameserver
outside the domain.

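As an added illustration of the point made in the reply above (this is not code from the thread or from the Samba project), the script below lists which DCs are missing an NS record at the apex of an AD-integrated zone and prints the samba-tool commands that would register them. It parses the output of `samba-tool dns query <server> <zone> @ NS` and compares it against the DCs that run the DNS service. The zone name samdom.example.com, the DC names dc1 and dc2, and the use of localhost as the queried server are assumptions for the example; the sample query output is constructed in the format samba-tool prints. Only the live function touches a real DC, and it only prints the commands rather than running them.

```shell
#!/bin/sh
# Added example (not from the thread): find DCs with no NS record at the apex
# of a Samba AD DNS zone and print the samba-tool commands that would add them.
# Assumed names: zone samdom.example.com, DCs dc1 and dc2, DC queried as localhost.

# Constructed sample of `samba-tool dns query <server> <zone> @ NS` output, in
# the format samba-tool prints: only dc1 is registered as a nameserver.
SAMPLE_QUERY_OUTPUT='  Name=, Records=1, Children=0
    NS: dc1.samdom.example.com. (flags=600000f0, serial=1, ttl=900)'

# DCs running the DNS service that should therefore appear as NS (assumed list).
EXPECTED_DCS='dc1.samdom.example.com dc2.samdom.example.com'

# Read query output on stdin and print the NS targets, one per line,
# lowercased, trailing dot removed, deduplicated.
parse_ns_targets() {
    sed -n 's/^[[:space:]]*NS:[[:space:]]*\([^[:space:]]*\).*/\1/p' \
        | sed 's/\.$//' | tr 'A-Z' 'a-z' | sort -u
}

# $1: whitespace-separated DC FQDNs. Reads query output on stdin and prints
# every DC that has no NS record in it.
missing_ns() {
    present=$(parse_ns_targets)
    for dc in $1; do
        lc=$(printf '%s' "$dc" | tr 'A-Z' 'a-z')
        printf '%s\n' "$present" | grep -qxF "$lc" || printf '%s\n' "$dc"
    done
}

# $1: server, $2: zone. Reads missing DC names on stdin and prints the
# samba-tool command that registers each one as a nameserver at the zone apex.
add_commands() {
    while IFS= read -r dc; do
        [ -n "$dc" ] || continue
        printf 'samba-tool dns add %s %s @ NS %s -U Administrator\n' "$1" "$2" "$dc"
    done
}

# Live check (needs samba-tool on a DC). $1: server, $2: zone, $3: expected DCs.
# Prints the commands to run; it does not change the zone itself.
check_zone_live() {
    samba-tool dns query "$1" "$2" @ NS -U Administrator \
        | missing_ns "$3" | add_commands "$1" "$2"
}

# Offline demonstration on the constructed sample: reports dc2 as missing.
demo() {
    printf '%s\n' "$SAMPLE_QUERY_OUTPUT" \
        | missing_ns "$EXPECTED_DCS" \
        | add_commands localhost samdom.example.com
}

demo
```

Run it as-is for the offline demonstration, or call `check_zone_live localhost samdom.example.com "$EXPECTED_DCS"` on a DC to check a real zone; review the printed `samba-tool dns add` lines before running them, and repeat the check for the `_msdcs` zone, which is a separate zone with its own apex records.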
