[Samba] Samba4 AD DNS -- AD Subdomain vs Clients accessing on different subdomain

Thomas Maerz tmaerz at brewerscience.com
Thu May 5 20:46:07 UTC 2016


Hello,

We have an issue we’ve been struggling with for quite some time since we rolled out 10 Samba4 domain controllers at our main office and all remote sites about 3 years ago.

Simplified Current Configuration:

2 DCs at main site with internal DNS using subdomain ad.companyname.com
2 BIND CentOS servers serving all intranet DNS requests — main zone: companyname.com
2 BIND CentOS servers serving all external site DNS requests — main zone: companyname.com

In this configuration, we have configured the internal BIND servers to have the S4 AD DCs internal DNS as authoritative for ad.companyname.com, so clients connected to the BIND servers can resolve anything Samba needs them to. This allows all client machines on the LAN to resolve any dynamic DNS address AD creates, join the domain, etc, and it’s easy to configure when provisioning new DCs. (This is important with so many DCs).

When we provision servers which are bound to the domain, clients access them via DNS entries configured on the main BIND DNS servers, so they have addresses like hostname.companyname.com, which clients use to connect to the servers/services. They also have ad.companyname.com hostnames created by S4 internal DNS, but we don’t point clients at those names.

The problem:

Some services (mostly OS X server that we’ve noticed so far) when bound to AD don’t seem to like having the clients pointed at a different DNS name than the samba subdomain. For example:

OS X Server, bound to AD, running SMB file server:

When connecting to fileserver.companyname.com
The user must authenticate as ad.companyname.com\shortname OR
The user must authenticate as shortname at ad.brewerscience.com
Using AD\shortname does not work
When connecting to fileserver.ad.brewerscience.com
The user can authenticate as just short name

Another example:

OS X Server, bound to AD, running Profile Manager:

Users can authenticate to the PHP web interface
Users can’t authenticate during device enrollment on the iOS device with their AD credentials

Notes:

In the first example, one solution is to simply point the clients at fileserver.ad.companyname.com, but management is resistant to this idea. In the second example for the profile manager MDM, the server lives on the DMZ so that off-campus clients still connect to the MDM and it has both internal and external DNS entries, so having a public facing ad.companyname.com address is not a great option.

Questions:

Would setting up a WINS server help with this?
Would setting a default search domain from DHCP help with this?
Is there some way to have a Samba4 AD-Joined host have a domain name on the base domain (actually, not just a separate record on BIND pointing to the same IP)?
If so, is it possible to do this with the internal DNS?
Is there some way to integrate Samba4 AD DNS directly with my intranet BIND DNS setup so that domain-joined hosts get DNS names on the base DNS domain (companyname.com)?
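The internal BIND layout described in the post, written out as an added example zone fragment (not from the post or from Samba): the BIND servers stay authoritative for companyname.com, delegate ad.companyname.com to the Samba DCs' internal DNS with glue records, and carry the base-domain name of a domain-joined server themselves. The DC names (dc1, dc2) and all 192.0.2.x addresses are constructed placeholders.

```zone
; companyname.com zone on the internal BIND servers.
; Added example; DC names and 192.0.2.x addresses are constructed placeholders.
$ORIGIN companyname.com.
$TTL 3600
@               IN SOA  ns1.companyname.com. hostmaster.companyname.com. (
                        2016050501 3600 900 1209600 3600 )
@               IN NS   ns1.companyname.com.
@               IN NS   ns2.companyname.com.
ns1             IN A    192.0.2.10
ns2             IN A    192.0.2.11

; Delegate the AD subdomain to the Samba DCs' internal DNS.
; Clients pointed at BIND then resolve everything AD registers dynamically
; (for example the _ldap._tcp.ad.companyname.com SRV records) via referral.
ad              IN NS   dc1.ad.companyname.com.
ad              IN NS   dc2.ad.companyname.com.
; Glue records: the NS targets live inside the delegated zone, so BIND
; must hand out their addresses itself or the referral cannot be followed.
dc1.ad          IN A    192.0.2.20
dc2.ad          IN A    192.0.2.21

; Domain-joined server published under the base domain for clients.
; Its fileserver.ad.companyname.com record is created separately by Samba's
; internal DNS and is not served from this zone.
fileserver      IN A    192.0.2.50
```

After loading the zone, a lookup of a name under ad.companyname.com against ns1 should return a referral to dc1/dc2 rather than an authoritative answer, which is the quickest way to confirm the delegation and glue are in place.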
