[Samba] NS Records for AD-Integrated Zones

mathias dufresne infractory at gmail.com
Mon May 2 10:02:15 UTC 2016 

Hi,

As far as I have understood DNS protocol NS records are not necessarily
needed.

NS are used by name servers (ie by DNS servers) and not by client (ie by a
Linux or Windows box joined to AD).

A client use its own resolver (what is defined into /etc/resolv.conf for a
linux box) and send all queries to that resolver. Queries are for A, AAAA,
SRV, CNAME... because all of them are standard queries.

Aksing for NS should happen only when a resolver don't know how to reach a
zone. Client don't bother with zones. They deal with records. Only resolver
would bother with zone's NS in case that resolver don't know how to resolve
some record on that zone.

In AD we usually configure AD DNS as resolver. As resolvers know the both
AD zones, they don't need NS for these zones.

Even if you prefer to use your company DNS servers, you can configure these
company-name-servers to know where to send DNS requests which concern AD
zones (for example: two zones with type = forward on the
company-name-server):

# needed
zone ad.domain.tld {
  type forward;
  forward only;
  forwarders {
    <IP for DC1>;
    <IP for DC2>;
  }
}
# optional because that's a sub-zone, it's part of the previous one.
zone _msdcs.ad.domain.tld {
  type forward;
  forward only;
  forwarders {
    <IP for DC1>;
    <IP for DC2>;
  }
}

Having NS auto-declared would be nice but, to me, that's not critical.



2016-04-26 3:50 GMT+02:00 Isaiah Olson <insignia96 at gmail.com>:

> Hello,
>
> My domain was provisioned using a Windows 2008R2 server as the first DC,
> and I then subsequently joined a Samba 4.4.2 DC running on Ubuntu 14.04.4
> and using BIND 9.9.5 as the DNS backend. Everything seems to be working
> properly after I added an NC replica for the zones as per the
> troubleshooting page. All zones resolve and replicate properly, but I
> noticed that there are no NS records corresponding to the Samba DC added to
> the AD-Integrated DNS zones. I have manually added records for the DC to
> all existing zones, but I also noticed that when creating a new AD
> integrated zone using the Windows DNS manager, there are only NS records
> for the domain controller that I am connected to in the zone by default.
>
> Is this behavior expected? And is there any way to make sure that NS
> records are added for all DCs? I could be remembering incorrectly, but I
> recall that when our network was using an all Windows AD environment, the
> AD zones had NS records for all DCs included by default.
>
> Thanks,
> Isaiah
> --
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/options/samba
>

More information about the samba mailing list