[Samba] missing DomainDnsZones and ForestDnsZones ?

r moulton rmoulton at uw.edu
Sat Mar 19 01:46:10 UTC 2016


On Fri, Mar 18, 2016 at 5:48 PM, Andrew Bartlett <abartlet at samba.org> wrote:
> On Fri, 2016-03-18 at 16:59 -0700, Robert Moulton wrote:
>> Andrew Bartlett wrote on 3/18/16 4:22 PM:
>> > On Fri, 2016-03-18 at 21:01 +0000, Rowland penny wrote:
>> > > On 18/03/16 20:38, Robert Moulton wrote:
>> > > >
>> > > > It's a production domain. We run our own DNS and tried BIND9_DLZ but
>> > > > our DNS setup is complicated enough that we ended up resorting to
>> > > > flatfile, manually updating our BIND zone files as needed. We know it
>> > > > isn't ideal but we haven't encountered any problems until now.
>> > > >
>> > > > Couldn't we simply add the missing DNs (along with corresponding DNS
>> > > > records, if necessary)?
>> > >
>> > > Thinking about it, if you do not have the dns zones in AD, you probably
>> > > don't need the dns fsmo roles.
>> > >
>> > > I don't understand why you think storing DNS in AD is complicated, as
>> > > long as you don't use your normal dns domain for AD and use something
>> > > like 'internal.your.domain.com' for AD, the Samba DNS would deal with
>> > > anything for the AD domain and forward anything it doesn't know about
>> > > to your normal DNS server. It is however your AD and you can do as you
>> > > please.
>> > >
>> > > Rowland
>> >
>> > Very well put Rowland.  I guess we need a patch to catch those
>> > exceptions.
>> >
>> > Thanks,
>> >
>> > Andrew Bartlett
>> >
>>
>> Rowland, Andrew - Thanks for your help and advice. I appreciate it.
>>
>> We're doing split-horizon DNS and couldn't get bind9_dlz fully working
>> for our needs. After doing the classicupgrade we added AD DNS records
>> from the samba-tool auto-generated (by provision.pl) zone file to our
>> own BIND zone files; that has been working fine for us. I just became
>> aware of the absence of DomainDnsZones and ForestDnsZones stuff when I
>> added a second DC today.
>
> Just be aware that you will be on your own, a snowflake, with regards
> to support for this.
>
> I have patches to our samba_dnsupdate script that will use RPC against
> our db-backed DNS management server to fix the required records, and I
> plan on making our domain join code attempt to add the first DNS
> records via that same interface.
>
> Either way, adding a new DC is unlikely to work right unless you
> manually or otherwise add the right DNS records, which normally means
> having it accept GSS-TSIG updates.  Likewise clients will be wishing to
> update their own DNS records, and if you want that to work you will
> need to make the correct allowances.
>
> The option remains in the script, and I don't currently plan to remove
> it, but consider it in a little bit of a limbo land, between fully
> supported and unsupported-due-to-be-removed.
>
>> Can we add missing DomainDnsZones and ForestDnsZones records to AD and
>> DNS manually? If so, how?
>
> If DNS is not in AD, then these roles have no meaning, and there should
> be no such partitions.

We didn't encounter any problems adding the new DC, albeit with
'--dns-backend=NONE' specified, and replication is working fine,
evidently. Are you saying that we might be able to use samba_dnsupdate
to patch things up somehow? At the moment we don't need dynamic
updates for clients, but it would be nice to get that capability in
place.

Ultimately, we'd be perfectly happy to switch to bind9_dlz, if we can
figure out how to address some issues we encountered when we tested it
in our environment.
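As an added check, not part of this thread or of Samba's own tooling: a small POSIX shell function that reads the rootDSE namingContexts (as printed by ldbsearch) and reports whether the DomainDnsZones and ForestDnsZones application partitions exist, so a DC's state can be confirmed before another DC is joined. The ldbsearch invocation and sam.ldb path are Samba's defaults; the realm 'samdom.example.com' and the sample LDIF below are constructed for the demonstration.

```shell
# Added example (not from the thread): report whether the DomainDnsZones and
# ForestDnsZones application partitions exist on a Samba AD DC, by reading the
# rootDSE namingContexts attribute in LDIF form on stdin.
#
# On a live DC (sam.ldb path is the Samba default; adjust for your install):
#   ldbsearch -H /var/lib/samba/private/sam.ldb -s base -b '' namingContexts \
#       | check_dns_partitions
#
# Return codes:
#   0  both partitions present  (DNS data lives in AD; dns FSMO roles apply)
#   1  neither present          (DNS kept outside AD, as in the thread)
#   2  only one present         (inconsistent; investigate before adding DCs)
check_dns_partitions() {
    ldif=$(cat)
    have_domain=0
    have_forest=0
    # Match the attribute line; attribute names in LDIF are case-insensitive.
    printf '%s\n' "$ldif" | grep -qi '^namingContexts: *DC=DomainDnsZones,' && have_domain=1
    printf '%s\n' "$ldif" | grep -qi '^namingContexts: *DC=ForestDnsZones,' && have_forest=1

    case "${have_domain}${have_forest}" in
        11) echo "DNS partitions: DomainDnsZones and ForestDnsZones present (DNS stored in AD)"; return 0 ;;
        00) echo "DNS partitions: none (DNS not stored in AD; dns FSMO roles not applicable)"; return 1 ;;
        10) echo "DNS partitions: DomainDnsZones only, ForestDnsZones missing"; return 2 ;;
        01) echo "DNS partitions: ForestDnsZones only, DomainDnsZones missing"; return 2 ;;
    esac
}

# Constructed sample rootDSE output for a DC provisioned with DNS in AD
# (realm 'samdom.example.com' is made up).
SAMPLE_WITH_DNS='# record 1
dn:
namingContexts: DC=samdom,DC=example,DC=com
namingContexts: CN=Configuration,DC=samdom,DC=example,DC=com
namingContexts: CN=Schema,CN=Configuration,DC=samdom,DC=example,DC=com
namingContexts: DC=DomainDnsZones,DC=samdom,DC=example,DC=com
namingContexts: DC=ForestDnsZones,DC=samdom,DC=example,DC=com

# returned 1 records'

# Constructed sample for a DC whose DNS is kept in flat BIND zone files.
SAMPLE_WITHOUT_DNS='# record 1
dn:
namingContexts: DC=samdom,DC=example,DC=com
namingContexts: CN=Configuration,DC=samdom,DC=example,DC=com
namingContexts: CN=Schema,CN=Configuration,DC=samdom,DC=example,DC=com

# returned 1 records'

# Demonstration run against the constructed samples.
status=0
printf '%s\n' "$SAMPLE_WITH_DNS" | check_dns_partitions || status=$?
echo "exit status: $status"
status=0
printf '%s\n' "$SAMPLE_WITHOUT_DNS" | check_dns_partitions || status=$?
echo "exit status: $status"
```

On the flat-file setup described in this thread the function is expected to return 1, which matches the "no such partitions" state; a return of 2 after a join would be the case worth investigating.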
