[Samba] which DNS backend ?

mathias dufresne infractory at gmail.com
Tue Mar 1 10:17:14 UTC 2016


2016-02-28 23:54 GMT+01:00 Rowland penny <rpenny at samba.org>:

> On 28/02/16 22:42, Reindl Harald wrote:
>
>>
>>
>> Am 28.02.2016 um 23:10 schrieb Rowland penny:
>>
>>> On 28/02/16 21:56, Reindl Harald wrote:
>>>
>>>>
>>>>
>>>> Am 28.02.2016 um 22:22 schrieb John Gardeniers:
>>>>
>>>>> Thanks Rowland. Perhaps because I expected these basic issues to have
>>>>> been resolved long ago I never thought to check the SOA records. You
>>>>> are perfectly correct - the second DC is not listed
>>>>>
>>>>
>>>> since when is more than one NS listed in the SOA?
>>>>
>>>> http://rscott.org/dns/soa.html
>>>>
>>>> MNAME ("Primary NS") - This entry is the domain name of the name
>>>> server that was the original source of the data (this entry MUST be
>>>> your primary nameserver). This is your primary nameserver, and MUST be
>>>> the one and only server that you ever update. You must not update the
>>>> secondary server(s) -- they will update automatically, based on this
>>>> the SOA record. Problem? This should be a fully qualified domain name .
>>>>
>>> OK, I see where you are coming from, but this is referring to a normal
>>> DNS server that replicates to other secondary DNS servers. AD DNS works
>>> a little differently: all AD DNS servers replicate DNS records to each
>>> other and each AD DC is supposed to be authoritative for the DNS domain;
>>> this does not happen if your first DC goes down when you are using the
>>> internal DNS server. As an aside, my first DC shut down for some reason.
>>> I didn't notice for a couple of hours, until I tried to 'ssh' into it; I
>>> didn't notice because *everything* else just kept working on my second DC.
>>>
>>
>> Well, that's not the business of the SOA record;
>> it's a matter of NS records.
>>
> If you only have one authoritative nameserver (which is what you have with
> the internal DNS) and it disappears, then you don't have *anything* that
> will respond to a request for info about the AD DNS domain.
>
>
You can have several DCs running Samba with the internal DNS backend. They are
all authoritative. They are authoritative for answering, as they are name
servers. They could be authoritative for modifying the zone, as there is no
master/slave notion with AD DNS servers, which do not use one flat file as
their source but a shared database (LDAP).

I did have several Samba DCs in my AD domain, all using the internal DNS backend,
with failover working. What wasn't working was samba_dnsupdate, and so
auto-modification of AD DNS when needed (this because of nsupdate -g by
default in smb.conf, and because nsupdate -g implies the users dns-<DCname> are
created with the needed keytab. This user is deleted by Samba when switching to
the internal DNS backend, and so nsupdate -g can't work).
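The check the thread keeps circling back to (whether every DC is actually published as an NS for the AD zone, since a DC that is not listed will never be asked when the first one goes down) can be scripted. The following is an added example, not code from the thread or from Samba: a POSIX sh function that reads the answer section of a `dig` NS query and reports which DCs are missing. The zone `samdom.example.com` and the hosts `dc1`/`dc2` are made-up names, and the sample answer line is constructed to show the failure case described above (only the first DC listed).

```shell
#!/bin/sh
# Added example (not from the thread or from Samba). Verifies that every DC
# in an AD domain is published as an NS record for the zone. Run it against
# each DC in turn: with the internal DNS backend they all read the same
# LDAP-backed zone and must give the same answer.
#
# check_ns ZONE DC_FQDN...
#   reads "ZONE. TTL IN NS host." lines (dig +noall +answer format) on stdin,
#   prints "MISSING NS: <dc>" for each DC not listed, returns 1 if any is missing.
check_ns() {
    zone=$1
    shift
    # collect the NS targets for the zone apex, dropping the trailing dot
    listed=$(awk -v z="$zone." '$1 == z && $4 == "NS" { sub(/\.$/, "", $5); print $5 }')
    rc=0
    for dc in "$@"; do
        # -x whole line, -i case-insensitive, -F literal (hostnames contain dots)
        if ! printf '%s\n' "$listed" | grep -qixF "$dc"; then
            echo "MISSING NS: $dc"
            rc=1
        fi
    done
    return $rc
}

# Constructed sample: what `dig +noall +answer NS samdom.example.com @dc1`
# prints when only the first DC was ever registered as a name server.
SAMPLE='samdom.example.com. 900 IN NS dc1.samdom.example.com.'

# Live usage (assumed hostnames), once per DC so you see each DC's own answer:
#   for dc in dc1 dc2; do
#       dig +noall +answer NS samdom.example.com @$dc.samdom.example.com \
#         | check_ns samdom.example.com dc1.samdom.example.com dc2.samdom.example.com
#   done

# Demo against the constructed sample; exit status 1 means a DC is missing.
if [ "${0##*/}" != "sh" ] && [ -z "$CHECK_NS_NO_DEMO" ]; then
    printf '%s\n' "$SAMPLE" \
      | check_ns samdom.example.com dc1.samdom.example.com dc2.samdom.example.com
fi
```

If a DC shows up as missing, the fix on an AD zone is to add the NS record to the shared zone rather than to edit any flat file; with the assumed names above that is `samba-tool dns add dc1.samdom.example.com samdom.example.com @ NS dc2.samdom.example.com -U administrator`, run once, after which every DC using the internal backend should return the new record because they all read the same LDAP-backed zone.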

