[Samba] Samba4 with external bind - best practices?

Elias Pereira empbilly at gmail.com
Tue Jul 26 18:42:05 UTC 2016


Thanks Mathias and Rowland for the answers.

Rowland,

You said: “Use the sub domain for your AD domain and forward anything
outside the sub domain to your main DNS servers.”

Do I configure this forwarding in the BIND settings of Samba4?

Something like:

acl goodclients {
        192.168.1.0/24;
        localhost;
        localnets;
};

options {
        directory "/var/cache/bind";

        recursion yes;
        allow-query { goodclients; };

        forwarders {
                192.168.1.15; # EXTERNAL DNS SERVER
        };
        forward only;

        dnssec-validation auto;

        auth-nxdomain no;    # conform to RFC1035
        listen-on-v6 { any; };
};


On Tue, Jul 26, 2016 at 8:16 AM, Rowland penny <rpenny at samba.org> wrote:

> On 26/07/16 09:31, mathias dufresne wrote:
>
>> Hi Elias,
>>
>> Separating DNS and AD services:
>> It should be possible to have the AD DNS server hosted on a non-DC server.
>> The Samba Wiki explains we just have to include
>> "/var/lib/samba/private/named.conf" in the Bind configuration. This library
>> can be replaced by one of those shipped with Bind; this library will need
>> configuration so it can deal with remote DC(s).
>> Please note I never tried that, 'cause I'm a lazy guy, but that should be
>> possible: Bind+DLZ seems to me to be meant for that kind of job.
>>
>> One (or more) non-DC DNS server dealing with AD DNS servers:
>> That is simpler to achieve:
>> - just configure the AD DNS service as you want (please note that a few
>> weeks ago Samba's internal DNS server was still not able to work as
>> multi-master, which is needed to avoid a SPOF in AD, so IMHO the only valid
>> DNS backend is bind+DLZ if you want high availability)
>> - add a new zone to your existing DNS server (the one which is not an AD DC)
>> like this one:
>>
>> ----------------------------------------------------------------------------------------------
>> zone "ad.domain.tld" IN {
>>    type forward;
>>    forward only;
>>    forwarders {
>>      <ip of 1st DC>;
>>      <ip of 2nd DC>;
>>      ....
>>      <ip of Nth DC>;
>>    };
>> };
>>
>> ----------------------------------------------------------------------------------------------
>> Restart your external non-DC Bind service and it should be able to resolve
>> one more zone: the one from your AD.
>> What is nice in that is you don't need to take the _msdcs zone into account:
>> as it is a sub zone of "ad.domain.tld", your external Bind will also forward
>> requests regarding _msdcs to the AD servers.
>>
>> I have not played with that for a relatively long time and I'm just coming
>> back from vacation, so I'm not sure if you would need to allow forwarding
>> and recursion on that non-DC DNS server. It could be necessary... Anyway,
>> as this DNS should be meant to resolve Internet addresses in addition to
>> your local domain(s), recursion and forwarding should be accepted already...
>>
>> Hoping this clarifies DNS management a little bit and helps you,
>>
>> Mathias
>>
>>
>>
>>
> The Samba wiki page:
> https://wiki.samba.org/index.php/Configure_BIND_as_backend_for_Samba_AD
>
> Has these lines:
>
>  * Since the BIND DLZ module accesses the AD database directly, BIND
>    for AD zones must be on the same machine.
>  * Because the BIND DLZ module uses the information already stored in
>    AD, you do not need to create any extra databases.
>
> Or to put it another way, if you want to use bind_dlz, you must run Bind9
> on the DC, and you do not need to create any zones (except the reverse zone,
> and you have to do this anyway).
>
> Rowland
>
>



-- 
Elias Pereira
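As an added example (not from this thread or from the Samba project), a small Python check of the external non-DC BIND setup Mathias describes: it parses the forward zones out of a named.conf fragment, shows by longest-suffix match that _msdcs names are already covered by the "ad.domain.tld" forward zone, and flags the open-resolver pattern (recursion on with allow-query any and no narrower allow-recursion). The config text, domain and IP addresses are constructed for the example.

```python
import re

# Constructed named.conf fragment for the external (non-DC) BIND, modelled on
# the forward zone from the thread. Domain and addresses are made up.
EXTERNAL_NAMED_CONF = """
options {
    directory "/var/cache/bind";
    recursion yes;
    allow-query { any; };
    forwarders { 203.0.113.53; };
};
zone "ad.domain.tld" IN {
    type forward;
    forward only;
    forwarders { 192.168.1.10; 192.168.1.11; };
};
"""

def parse_forward_zones(conf):
    """Return {zone_name: [forwarder ips]} for every 'type forward' zone."""
    zones = {}
    for m in re.finditer(r'zone\s+"([^"]+)"[^{]*\{(.*?)\n\};', conf, re.S):
        name, body = m.group(1).rstrip('.').lower(), m.group(2)
        if re.search(r'type\s+forward\s*;', body):
            fw = re.search(r'forwarders\s*\{([^}]*)\}', body)
            zones[name] = re.findall(r'[\d.]+', fw.group(1)) if fw else []
    return zones

def forwarders_for(qname, zones):
    """Longest-suffix match: which forward zone (if any) handles qname.
    This is why _msdcs.ad.domain.tld needs no zone of its own."""
    labels = qname.rstrip('.').lower().split('.')
    for i in range(len(labels)):
        cand = '.'.join(labels[i:])
        if cand in zones:
            return cand, zones[cand]
    return None, []

def open_resolver_risk(conf):
    """True when recursion is on, queries are allowed from 'any', and no
    narrower allow-recursion ACL limits who may recurse through this server."""
    opts = re.search(r'options\s*\{(.*?)\n\};', conf, re.S)
    body = opts.group(1) if opts else ''
    recursion = re.search(r'recursion\s+yes\s*;', body) is not None
    query_any = re.search(r'allow-query\s*\{\s*any\s*;\s*\}', body) is not None
    allow_rec = re.search(r'allow-recursion\s*\{([^}]*)\}', body)
    rec_any = allow_rec is None or 'any' in allow_rec.group(1)
    return recursion and query_any and rec_any
```

Restricting allow-query (or allow-recursion) to an ACL such as the goodclients ACL in the config above makes the open-resolver check pass.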

