[Samba] Samba4 with external bind - best practices?

Jeff Sadowski jeff.sadowski at gmail.com
Wed Jul 27 19:02:54 UTC 2016


Looking over this thread it got me thinking of multiple domains and then
thinking maybe it would be better to set up the external DNS as a slave to
the AD domain?

Then you could have it resolve from the external DNS for multiple AD
domains.

On Wed, Jul 27, 2016 at 9:32 AM, Elias Pereira <empbilly at gmail.com> wrote:

> I found this article about separate samba4 and bind.
>
> https://quercerjanath.wordpress.com/samba-active-directory-with-bind9-on-separate-machines-ubuntu-14-04/
>
> Em 27/07/2016 9:39 AM, "mathias dufresne" <infractory at gmail.com> escreveu:
>
> > 2016-07-26 13:16 GMT+02:00 Rowland penny <rpenny at samba.org>:
> >
> > > On 26/07/16 09:31, mathias dufresne wrote:
> > >
> > >> Hi Elias,
> > >>
> > >> Separating DNS and AD services:
> > >> It should be possible to have AD DNS server hosted on a non-DC server.
> > >> Samba Wiki explains we just have to include
> > >> "/var/lib/samba/private/named.conf" in Bind configuration. This library can
> > >> be replaced by one of those shipped with Bind, this library will need
> > >> configuration so it can deal with remote DC(s).
> > >> Please note I never tried that, 'cause I'm a lazy guy, but that should be
> > >> possible: Bind+DLZ seems to me to be meant for that kind of job.
> > >>
> > >> One (or more) non-DC DNS server dealing with AD DNS servers:
> > >> That is more simple to achieve:
> > >> - just configure AD DNS service as you want (please note that a few weeks ago
> > >> Samba's internal DNS server was still not able to work as multi-masters
> > >> which is needed to avoid SPOF in AD, so IMHO the only valid DNS backend is
> > >> bind+DLZ if you want high availability)
> > >> - add a new zone to your existing DNS server (the one which is not AD DC)
> > >> like that one:
> > >>
> > >> ----------------------------------------------------------------------------------------------
> > >> zone "ad.domain.tld" IN {
> > >>    type forward;
> > >>    forward only;
> > >>    forwarders {
> > >>      <ip of 1st DC>;
> > >>      <ip of 2nd DC>;
> > >>      ....
> > >>      <ip of Nth DC>;
> > >>    };
> > >> };
> > >>
> > >> ----------------------------------------------------------------------------------------------
> > >> Restart your external non-DC Bind service and it should be able to resolve
> > >> one more zone: the one from your AD.
> > >> What is nice in that is you don't need to take into account _msdcs zone as it
> > >> is a sub zone of "ad.domain.tld", your external Bind will also forward
> > >> requests regarding _msdcs to AD servers.
> > >>
> > >> I did not play with that for a relatively long time and I'm just coming
> > >> back from vacations, so I'm not sure if you would need to allow forwarding
> > >> and recursion on that non-DC DNS server. It could be necessary... Anyway as
> > >> this DNS should be meant to resolve Internet addresses in addition to your
> > >> local domain(s) recursion and forwarding should be accepted already...
> > >>
> > >> Hoping this clarifies DNS management a little bit and that helps you,
> > >>
> > >> Mathias
> > >>
> > > The Samba wiki page:
> > >
> > > https://wiki.samba.org/index.php/Configure_BIND_as_backend_for_Samba_AD
> > >
> > > Has these lines:
> > >
> > >  * Since the BIND DLZ module accesses the AD database directly, BIND
> > >    for AD zones must be on the same machine.
> > >
> >
> > This, for me, means: "as long as we use the BIND DLZ module provided by
> > Samba, Bind must run on the same host as the Samba AD DC".
> > In other words, you should be able to move Bind to another host if, as I
> > said yesterday, you accept using the standard module (so not Samba's Bind
> > module) and configure it correctly. Of course this is more complicated to
> > achieve, especially compared to the forward zone I described also
> > yesterday.
> >
> >
> > >  * Because the BIND DLZ module uses the information already stored in
> > >    AD, you do not need to create any extra databases.
> > >
> > > Or to put it another way, if you want to use bind_dlz, you must run Bind9
> > > on the DC and you do not need to create any zones (except the reverse zone
> > > and you have to do this anyway)
> > >
> > > Rowland
> > >
> > > --
> > > To unsubscribe from this list go to the following URL and read the
> > > instructions:  https://lists.samba.org/mailman/options/samba
> > >
>
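As an added illustration (not code from this thread or from Samba), the forward-zone approach Mathias describes, extended to the multi-domain setup Jeff raises: one `forward only` stanza per AD domain, rendered from a constructed domain-to-DC map, plus a longest-suffix zone lookup that shows why a `_msdcs` query lands in the parent AD zone without its own stanza. The domain names and 192.0.2.x / 198.51.100.x addresses are placeholders.

```python
import ipaddress

# Constructed sample: two AD domains, each forwarded to its own DCs.
# Addresses are RFC 5737 documentation ranges, not real DCs.
AD_DOMAINS = {
    "ad.domain.tld": ["192.0.2.10", "192.0.2.11"],
    "corp.example.tld": ["198.51.100.5"],
}


def render_forward_zone(zone, forwarders):
    """Return a BIND 'forward only' zone stanza for one AD domain.

    'forward only' means the external server never tries to resolve the
    AD zone itself; every query under it goes to the listed DCs.
    Rejects an empty DC list and any string that is not an IP address.
    """
    if not forwarders:
        raise ValueError(f"zone {zone}: at least one DC address is required")
    addrs = [str(ipaddress.ip_address(ip)) for ip in forwarders]  # raises on junk
    body = "\n".join(f"    {ip};" for ip in addrs)
    return (f'zone "{zone}" IN {{\n'
            "  type forward;\n"
            "  forward only;\n"
            "  forwarders {\n"
            f"{body}\n"
            "  };\n"
            "};\n")


def render_all(domains):
    """One stanza per AD domain, ready to include in named.conf."""
    return "\n".join(render_forward_zone(z, fw) for z, fw in sorted(domains.items()))


def zone_for(qname, zones):
    """Longest-suffix match, the rule BIND uses to pick the zone a query
    falls under. Returns None when no configured zone covers the name, so
    a plain Internet name is resolved normally rather than forwarded."""
    labels = qname.rstrip(".").lower().split(".")
    best, best_len = None, 0
    for zone in zones:
        zl = zone.rstrip(".").lower().split(".")
        if len(zl) <= len(labels) and labels[-len(zl):] == zl and len(zl) > best_len:
            best, best_len = zone, len(zl)
    return best


if __name__ == "__main__":
    print(render_all(AD_DOMAINS))
    print(zone_for("_ldap._tcp.dc._msdcs.ad.domain.tld", AD_DOMAINS))
```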