[Samba] [samba] AD, multiple DC, some DC without DNS at all

mathias dufresne infractory at gmail.com
Mon Mar 7 11:03:40 UTC 2016

Hi Allen,

I have to use choice 1, not my own choice but that's a centralized scenario.

With Internal DNS I was facing update issue (records weren't always updated
after moving from site to site, I was advised not to continue with Internal
DNS backend as what I want to achieve was judged too complex for Internal
DNS. At least that's what I have understood : )

Now I'm happy with Bind9_DLZ backend. I could even keep Bind running on all
my DC and just don't use it (this means DC would continue to ask themselves
for DNS resolution and that clients will send DNS request to only a few DC
which will do only DNS.

At the end I'd like to have:

SITE A: no network associated
DC in that site: FSMO, two DNS, new DC waiting for synchronisation to
finish before moving to SITE B.

SITE B: All network used in that company (reminder: their choice is to have
all on same geographical site, so no point to split networks in multiple AD
DC in that site: DC dedicated to authentication (so DNS is not required).

What shown up last week:
Using nsupdate -g (so nsupdate + kerberos auth, based on perviously
generated ticket)
- account in dnsAdmins built in group can modify only root zone, not _msdcs
- administrator can modify everything.

Modifying rights in RSAT's DNS console I was able to use some nsupdate -g
to push also modification into _msdcs zone (account created especially for
that test). This modification was allowed only for DC modifying DNS using
locally running Bind service. When trying the same from remote DC with no
Bind pushing modification (with nsupdate -g) on remote server (the one
which worked previously), the modification was refused (error message =

Finally I expect all that has to do with servicePrincipalName into user's
configuration (plus RSAT's DNS console -> properties -> security tab to add
that user or some group he belong to).

But I'm still lost in MS SFU documentation.

2016-03-05 17:26 GMT+01:00 Allen Chen <achen at harbourfrontcentre.com>:

> On 3/1/2016 5:59 AM, mathias dufresne wrote:
>> Hi all,
>> How to configure Samba to remove DNS service from DC?
>> I thought there was an option for samba_dnsupgrade command to tell "remove
>> all DNS service from current DC" but I don't find it anymore.
>> This question is because we are about to deploy an AD with 20 or more DC
>> and there is no need they are all DNS servers. In fact having them all DNS
>> servers make design more complex and more risky. The point is to avoid
>> risks.
>> How I would proceed if samba_dnsupgrade is not able to remove DNS service
>> automatically:
>> - as for BIND9_DLZ backend, I will keep into smb.conf the "-dns" for
>> runninf services.
>> - stop Bind-DLZ service on non-DNS-DC
>> - modify /etc/resolv.conf on non-DNS-DC for they send DNS request to
>> remaining DNS servers.
>> This seems not too rough as a process but I'd like to have your opinion on
>> that subject, to verify that process and of course to get a better one if
>> possible : )
>> Best regards,
>> Mathias
> Hi Mathias, I have a question for you: How do you deploy your 20 DCs?
>  I think there are two scenarios:
> 1. deploy it within one site with +1000 client machines(large subnet);
> 2. deploy it with many many sites, like 5-10 sites(small subnet, each site
> has less than 250 machines).
> If you choose number 1, then your network design is not perfect.
> If you choose number 2, then DC+internal DNS is the simple way to deploy
> samba DC.
> I use #2 to deploy my DCs + internal DSN across sites, and it works
> perfect.
> I don't use any linux commands to update the internal DNS. It just works.
> The only change I made to the internal DNS is adding a NS record for a new
> added DC with windows tool.
> So what's wrong with the internal DNS?
> Does it cause high load on your server?
> Is it too hard for you to manage the internal DNS? (I don't manage it at
> all, it just works)
> Why do you do so hard to disable a working internal DNS service? Don't fix
> a working system.
> Allen
> --
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/options/samba

More information about the samba mailing list