[Samba] DNS backend

mathias dufresne infractory at gmail.com
Wed Jun 15 15:02:35 UTC 2016

2016-06-14 19:17 GMT+02:00 Felipe_G0NZÁLEZ_SANTIAG0 <
fgonzalez at estudiantes.uci.cu>:

> Hello.
> Which are the main differences between Samba_Internal and BIND9_DLZ?

Bind9 is quite simple once you have managed rights inside the private
directory (there are hard links in private/dns/sam.ldb.d pointing to
private/sam.ldb.d files and some files must be readable by Bind in order to
make it work).
Bind9 with DLZ patches acts fully as multi-master: each DC (with
dns-backend=BIND9_DLZ) considers itself as SOA, which makes each DC able to
receive DNS updates from clients, and you get failover.
Internal DNS is not multi-master yet, so clients can push updates only on
the DC declared as SOA in LDAP DB. There is one DC declared as SOA in LDAP
DB so you don't have failover: if the DC which is SOA is down, no DC would
accept DNS updates.
With Internal DNS and several DCs you can also face issues when some DC
(which is not SOA) has to push updates: some work is in progress I believe
but for now it should not be ready and you could face issues to updates DC

> I refer to the differences about functionality such as zone transfers and
> automatic updates.
> Which other functionalities does BIND9 offer that Samba_Internal doesn't
> support?

Bind+DLZ is Bind, it comes with all that Bind can do + dynamic load zones
stuff. You can fully manage your DNS configuration, even in complex
Internal DNS is, from what I have understood and tested months ago, only
able to have one and only one DNS forwarder to forward requests which can't
be resolved locally. No other option as far as I know.

> Is it possible to use a DNS Server (Bind9) separate of the DC Samba4? I
> mean, in other server.

Yes it should be. You would have to deal by yourself with SPN
(servicePrincipalName) to get your Bind authenticating correctly into AD.
You will also have to deal by yourself with DLZ libraries and how to
configure them to access your AD database. Samba ships a library which does
not need configuration: you load it and Bind can access (db) files locally.

I failed to achieve that and unfortunately I have no more time to spend on
that subject.

We will finally keep DNS service on all DCs and use an AD site to get 2 DCs
dedicated to DNS. The other site contains most of our DCs and has CIDR
associated to it for client authentications are sent to DC in this second

Hoping this helps,

Mathias Dufresne

> Thanks for reply,
> FelipeGS6 .
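
The hard links and read permissions mentioned in the reply above can be audited with a short script. This is an added example, not part of the original post or of Samba: the function name is hypothetical, the private directory is passed as an argument because its location is site-specific, and the readability test only reflects what BIND sees if the script is run as the account BIND runs under.

```shell
#!/bin/sh
# Added example: audit the BIND9_DLZ hard links under a Samba private directory.
# Usage: check_dlz_links /path/to/private   (no default path is assumed)
# Prints one status line per file in dns/sam.ldb.d and returns the number
# of problems found (255 if the expected directories are absent).
check_dlz_links() {
    private_dir=$1
    dns_dir="$private_dir/dns/sam.ldb.d"
    sam_dir="$private_dir/sam.ldb.d"
    problems=0

    if [ ! -d "$dns_dir" ] || [ ! -d "$sam_dir" ]; then
        echo "ERROR: expected $dns_dir and $sam_dir to exist" >&2
        return 255
    fi

    for dns_file in "$dns_dir"/*; do
        [ -f "$dns_file" ] || continue      # empty glob or non-regular file
        name=${dns_file##*/}
        sam_file="$sam_dir/$name"

        if [ ! -e "$sam_file" ]; then
            echo "MISSING    $name (no counterpart in sam.ldb.d)"
            problems=$((problems + 1))
        elif ! [ "$dns_file" -ef "$sam_file" ]; then
            # Same name, different inode: a copy replaced the hard link,
            # so the two files can diverge without any error being raised.
            echo "BROKEN     $name (separate copy, not a hard link)"
            problems=$((problems + 1))
        elif [ ! -r "$dns_file" ]; then
            echo "UNREADABLE $name (invoking user cannot read it)"
            problems=$((problems + 1))
        else
            echo "OK         $name"
        fi
    done
    return "$problems"
}

# Run directly when a directory is given on the command line.
[ "$#" -eq 0 ] || check_dlz_links "$1"
```
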