[Samba] AD, multiple DC, some DC without DNS at all

Thu Mar 3 09:52:23 UTC 2016

On 03/03/16 09:31, mathias dufresne wrote:
> Hi all,
>
> Thank you Mark for these precisions.
>
> I did switch a DC to --dns-backend=NONE using samba-tool domain join. This
> removed dns-<DCname> user for this DC and associated keytab.
>
> We changed /etc/resolv.conf to use another DC - one with Bind running - as
> nameserver.
>
> Stopping there, running samba_dnsupdate gave error "NOTAUTH".
>
> As we want our DC being able to push into DNS database some changes (when
> we move our DC from Site to Site at least) I tried to find out what is
> needed to replace that user in a way this user can be used by several DC to
> modify AD DNS database.
>
> What was done to get nsupdate -g working from non-DNS-DC pushing
> modification to bind-dlz-DC:
> - copy of private/dns.keytab from bind-dlz-DC to non-DNS-DC
> - generate a Kerberos ticket for user account dns-<bind-dlz-DC>
> - run samba_dnsupdate
> If I remember correctlly error was "NOTAUTH" too.
>
> - add SPN to user account dns-<bind-dlz-DC>, new SPN added were:
> + DNS/<non-DNS-DC>.ad.domain.tld
> + DNS/<non-DNS-DC>.ad.domain.tld at AD.DOMAIN.TLD
>
> - add dns-<bind-dlz-DC> user account into dnsAdmins built-in group
>
> Now I am able to modify AD DNS zone AD.DOMAIN.TLD using temporary files
> generated by samba_dnsupdate (samba_dnsupdate was modified around line 408
> to comment tmp file deletion, the unlink() function).
> Trying to modify _msdcs.AD.DOMAIN.TLD is not working, I get error: "update
> failed: REFUSED".
>
> Trying to push modification using nsupdate -g is working on both AD zones
> when the Kerberos ticket for my session is a ticket belonging to
> "administrator" account.
>
> In résumé nsupdate -g works pushing modification from non-DNS-DC to
> bind-dlz-DC:
> with Administrator kerberos ticket: on both DNS zones ad.domain.tld and
> _msdcs.ad.domain.tld
> with dns-<bind-dlz-DC> Kerberos ticket: only on DNS zone ad.domain.tl;
> _msdcs.ad.domain.tld modification gives "update failed: REFUSED".
>
> So I miss something to be able to use non-administrator account to modify
> _msdcs DNS zone. Any idea would be welcomed.
>
> Best regards,
>
> mathias
>
>
>
> 2016-03-01 20:02 GMT+01:00 Marc Muehlfeld <mmuehlfeld at samba.org>:
>
>> Hello Mathias,
>>
>> Am 01.03.2016 um 11:59 schrieb mathias dufresne:
>>> I thought there was an option for samba_dnsupgrade command to tell
>> "remove
>>> all DNS service from current DC" but I don't find it anymore.
>> I think there's no such option (yet), but would be worth a feature
>> request. :-)
>>
>>
>>
>>
>>> This question is because we are about to deploy an AD with 20 or more DC
>>> and there is no need they are all DNS servers. In fact having them all
>> DNS
>>> servers make design more complex and more risky. The point is to avoid
>>> risks.
>> You should deploy these DCs without DNS (--dns-backend=NONE), because
>> then they don't get
>>    DC=ForestDnsZones,DC=samdom,DC=example,DC=com
>>    DC=DomainDnsZones,DC=samdom,DC=example,DC=com
>> replicated at all.
>>
>>
>>
>>
>>> How I would proceed if samba_dnsupgrade is not able to remove DNS service
>>> automatically:
>>> - as for BIND9_DLZ backend, I will keep into smb.conf the "-dns" for
>>> runninf services.
>>> - stop Bind-DLZ service on non-DNS-DC
>>> - modify /etc/resolv.conf on non-DNS-DC for they send DNS request to
>>> remaining DNS servers.
>> I think this should work, beside that those DCs still get the DNS stuff
>> replicated.
>>
>> You can also switch to the internal DNS. If the IP of those DCs is not
>> used by clients in their DNS configuration, the DNS won't be used. And
>> if, then nothing bad should happen. :-)
>>
>>
>>
>> Regards,
>> Marc
>>

It may be because you are trying to run samba_dnsupdate instead of 
running nsupdate directly.
I run Samba AD DC, Bind9 and DHCP on the same machine, DHCP gives out an 
ipaddress, then runs a script to update Bind9. This script runs nsupdate 
to update the records in AD. All that is required is a user (with 
password set to never expire), this user should be a member of 
DnsAdmins, you also need the users keytab.

Let me know if you need more info.

Rowland