[Samba] AD, multiple DC, some DC without DNS at all

mathias dufresne infractory at gmail.com
Thu Mar 3 09:31:23 UTC 2016

Hi all,

Thank you Mark for these precisions.

I did switch a DC to --dns-backend=NONE using samba-tool domain join. This
removed dns-<DCname> user for this DC and associated keytab.

We changed /etc/resolv.conf to use another DC - one with Bind running - as

Stopping there, running samba_dnsupdate gave error "NOTAUTH".

As we want our DC being able to push into DNS database some changes (when
we move our DC from Site to Site at least) I tried to find out what is
needed to replace that user in a way this user can be used by several DC to
modify AD DNS database.

What was done to get nsupdate -g working from non-DNS-DC pushing
modification to bind-dlz-DC:
- copy of private/dns.keytab from bind-dlz-DC to non-DNS-DC
- generate a Kerberos ticket for user account dns-<bind-dlz-DC>
- run samba_dnsupdate
If I remember correctly error was "NOTAUTH" too.

- add SPN to user account dns-<bind-dlz-DC>, new SPN added were:
+ DNS/<non-DNS-DC>.ad.domain.tld
+ DNS/<non-DNS-DC>.ad.domain.tld at AD.DOMAIN.TLD

- add dns-<bind-dlz-DC> user account into dnsAdmins built-in group

Now I am able to modify AD DNS zone AD.DOMAIN.TLD using temporary files
generated by samba_dnsupdate (samba_dnsupdate was modified around line 408
to comment tmp file deletion, the unlink() function).
Trying to modify _msdcs.AD.DOMAIN.TLD is not working, I get error: "update
failed: REFUSED".

Trying to push modification using nsupdate -g is working on both AD zones
when the Kerberos ticket for my session is a ticket belonging to
"administrator" account.

In summary nsupdate -g works pushing modification from non-DNS-DC to
- with Administrator Kerberos ticket: on both DNS zones ad.domain.tld and
- with dns-<bind-dlz-DC> Kerberos ticket: only on DNS zone ad.domain.tld;
_msdcs.ad.domain.tld modification gives "update failed: REFUSED".

So I miss something to be able to use non-administrator account to modify
_msdcs DNS zone. Any idea would be welcomed.

Best regards,
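
Added example, not code from this thread or from Samba: a small set of POSIX sh helpers that check the pieces the steps above depend on before a DNS-less DC pushes a GSS-TSIG update to the BIND9_DLZ DC (the DNS/<fqdn> SPNs on the dns-<DC> account, the key in dns.keytab), build the nsupdate batch, and read the rcode word nsupdate prints on failure. The FQDNs, realm, zone and the keytab path /var/lib/samba/private/dns.keytab are placeholders/assumptions; `samba-tool spn list` and `klist -k` are real commands, the rest is added here.

```shell
#!/bin/sh
# Added example (not from the thread or from Samba). Helpers for a DC joined
# with --dns-backend=NONE that still has to send nsupdate -g updates to a
# BIND9_DLZ DC. Hostnames, realm, zone and keytab path are placeholders.

# The two SPN forms the thread added to the dns-<DC> account, for one DC FQDN.
required_spns() {
    fqdn="$1"; realm="$2"
    printf 'DNS/%s\nDNS/%s@%s\n' "$fqdn" "$fqdn" "$realm"
}

# Read the SPNs an account already has on stdin (e.g. the output of
# `samba-tool spn list <account>`, which indents them) and print the required
# ones that are absent. Prints nothing when both are present.
missing_spns() {
    fqdn="$1"; realm="$2"
    existing=$(sed 's/^[[:space:]]*//; s/[[:space:]]*$//')
    required_spns "$fqdn" "$realm" | while IFS= read -r spn; do
        printf '%s\n' "$existing" | grep -qxF -- "$spn" || printf '%s\n' "$spn"
    done
}

# Write an nsupdate batch that replaces the A record of name.zone on server.
build_update() {
    server="$1"; zone="$2"; name="$3"; ip="$4"
    printf 'server %s\nzone %s\nupdate delete %s.%s A\nupdate add %s.%s 3600 A %s\nsend\n' \
        "$server" "$zone" "$name" "$zone" "$name" "$zone" "$ip"
}

# Map the rcode word in an "update failed: ..." line to what rejected it.
#   NOTAUTH  -> "auth":   the TSIG/GSS signature did not verify (RFC 2845 reuses
#                         this rcode for BADKEY/BADSIG: no usable ticket, keytab
#                         or SPN) or the server is not authoritative for the zone
#   REFUSED  -> "policy": the request was understood but the zone's update
#                         policy/ACL denies this principal
classify_update_result() {
    case "$1" in
        *NOTAUTH*)          echo "auth"   ;;
        *REFUSED*)          echo "policy" ;;
        *"update failed"*)  echo "other"  ;;
        *)                  echo "ok"     ;;
    esac
}

# Pre-flight on the non-DNS DC: key present, SPNs present. Returns non-zero
# with a message naming the missing piece. Assumed keytab path, override via KEYTAB.
preflight() {
    dc="$1"; realm="$2"; account="$3"
    keytab="${KEYTAB:-/var/lib/samba/private/dns.keytab}"
    command -v samba-tool >/dev/null || { echo "samba-tool not found"; return 2; }
    klist -k "$keytab" | grep -q -- "$account" \
        || { echo "no key for $account in $keytab"; return 1; }
    m=$(samba-tool spn list "$account" | missing_spns "$dc" "$realm")
    [ -z "$m" ] || { echo "missing SPNs on $account:"; echo "$m"; return 1; }
    echo "preflight ok"
}

# Usage: sh check-dnsupdate.sh <non-DNS-DC fqdn> <REALM> <dns-account>
if [ "$#" -eq 3 ]; then
    preflight "$@"
fi
```

After `preflight` passes, `kinit -k -t "$keytab" "$account"` followed by `build_update ... | nsupdate -g` exercises the same path samba_dnsupdate takes, and piping nsupdate's stderr through `classify_update_result` separates a signing problem (the NOTAUTH seen after the keytab was removed) from a zone permission problem (the REFUSED seen on _msdcs).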


2016-03-01 20:02 GMT+01:00 Marc Muehlfeld <mmuehlfeld at samba.org>:

> Hello Mathias,
> Am 01.03.2016 um 11:59 schrieb mathias dufresne:
> > I thought there was an option for samba_dnsupgrade command to tell
> "remove
> > all DNS service from current DC" but I don't find it anymore.
> I think there's no such option (yet), but would be worth a feature
> request. :-)
> > This question is because we are about to deploy an AD with 20 or more DC
> > and there is no need they are all DNS servers. In fact having them all
> > servers make design more complex and more risky. The point is to avoid
> > risks.
> You should deploy these DCs without DNS (--dns-backend=NONE), because
> then they don't get
>   DC=ForestDnsZones,DC=samdom,DC=example,DC=com
>   DC=DomainDnsZones,DC=samdom,DC=example,DC=com
> replicated at all.
> > How I would proceed if samba_dnsupgrade is not able to remove DNS service
> > automatically:
> > - as for BIND9_DLZ backend, I will keep into smb.conf the "-dns" for
> > running services.
> > - stop Bind-DLZ service on non-DNS-DC
> > - modify /etc/resolv.conf on non-DNS-DC for they send DNS request to
> > remaining DNS servers.
> I think this should work, beside that those DCs still get the DNS stuff
> replicated.
> You can also switch to the internal DNS. If the IP of those DCs is not
> used by clients in their DNS configuration, the DNS won't be used. And
> if, then nothing bad should happen. :-)
> Regards,
> Marc
