[Samba] Samba4 AD DNS -- AD Subdomain vs Clients accessing on different subdomain

Rowland Penny rpenny at samba.org
Fri May 6 07:39:05 UTC 2016

On 05/05/16 21:46, Thomas Maerz wrote:
> Hello,
> We have an issue we’ve been struggling with for quite some time since we rolled out 10 Samba4 domain controllers at our main office and all remote sites about 3 years ago.
> Simplified Current Configuration:
> 2 DCs at main site with internal DNS using subdomain ad.companyname.com
> 2 BIND CentOS servers serving all intranet DNS requests — main zone: companyname.com
> 2 BIND CentOS servers serving all external site DNS requests — main zone: companyname.com
> In this configuration, we have configured the internal BIND servers to have the S4 AD DCs internal DNS as authoritative for ad.companyname.com, so clients connected to the BIND servers can resolve anything Samba needs them to. This allows all client machines on the LAN to resolve any dynamic DNS address AD creates, join the domain, etc, and it’s easy to configure when provisioning new DCs. (This is important with so many DCs).
> When we provision servers which are bound to the domain, clients access them via DNS entries configured on the main BIND DNS servers, so they have addresses like hostname.companyname.com, which clients use to connect to the servers/services. They also have ad.companyname.com hostnames created by S4 internal DNS, but we don’t point clients at those names.
> The problem:
> Some services (mostly OS X server that we’ve noticed so far) when bound to AD don’t seem to like having the clients pointed at a different DNS name than the samba subdomain. For example:
> OS X Server, bound to AD, running SMB file server:
> When connecting to fileserver.companyname.com
> The user must authenticate as ad.companyname.com\shortname OR
> The user must authenticate as shortname at ad.brewerscience.com
> Using AD\shortname does not work
> When connecting to fileserver.ad.brewerscience.com
> The user can authenticate as just short name
> Another example:
> OS X Server, bound to AD, running Profile Manager:
> Users can authenticate to the PHP web interface
> Users can’t authenticate during device enrollment on the iOS device with their AD credentials
> Notes:
> In the first example, one solution is to simply point the clients at fileserver.ad.companyname.com, but management is resistant to this idea. In the second example for the profile manager MDM, the server lives on the DMZ so that off-campus clients still connect to the MDM and it has both internal and external DNS entries, so having a public facing ad.companyname.com address is not a great option.
> Questions:
> Would setting up a WINS server help with this?

Probably not

> Would setting a default search domain from DHCP help with this?
> Is there some way to have a Samba4 AD-Joined host have a domain name on the base domain (actually, not just a separate record on BIND pointing to the same IP)?
> If so, is it possible to do this with the internal DNS?
> Is there some way to integrate Samba4 AD DNS directly with my intranet BIND DNS setup so that domain-joined hosts get DNS names not the base DNS domain (companyname.com)?

Your main problem is that your DCs' DNS servers are not authoritative for 
the AD domain. Make the DCs authoritative for the AD domain; with 10 DCs 
you will probably be better off running BIND on the DCs. Once the DCs 
are authoritative, make them forward anything they do not know, i.e. 
the internet etc., to your intranet DNS servers.
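As an added illustration of the layout described in the reply above (this is not a file from the thread or from the Samba project), here is a minimal named.conf for one DC running BIND with the BIND9_DLZ back end: the DC is authoritative for ad.companyname.com, answers recursive queries only for the LAN, and forwards everything else to the intranet BIND servers. The IP addresses and network ranges are placeholders, and the keytab and include paths are assumed Samba defaults that vary by Samba version and distribution.

```conf
// Added example (not from the original thread): named.conf on a Samba AD DC
// using the BIND9_DLZ back end. The AD zones come from Samba's database via
// the DLZ module; everything else is forwarded to the intranet BIND servers.
// All addresses are placeholders; file paths are assumed defaults.

options {
    directory "/var/named";

    // Recursion for LAN clients only; the DC should never recurse for the
    // internet at large. 10.0.0.0/8 stands in for the site's address space.
    recursion yes;
    allow-query     { 10.0.0.0/8; 127.0.0.1; };
    allow-recursion { 10.0.0.0/8; 127.0.0.1; };

    // Names the DC is not authoritative for (companyname.com, the internet)
    // go to the intranet BIND servers, which already serve companyname.com.
    forwarders { 10.0.0.53; 10.0.0.54; };   // placeholder intranet BIND IPs
    forward only;

    // GSS-TSIG keytab so domain members can perform secure dynamic updates
    // of their own A/AAAA records. Path is an assumed Samba default.
    tkey-gssapi-keytab "/var/lib/samba/bind-dns/dns.keytab";
};

// Loads the AD-backed zones (ad.companyname.com and its _msdcs subzone)
// from Samba. Assumed path; older Samba builds used
// /usr/local/samba/private/named.conf instead.
include "/var/lib/samba/bind-dns/named.conf";
```

Switching a DC from the internal DNS server to this back end is done with `samba_upgradedns --dns-backend=BIND9_DLZ` before starting BIND. If the DCs keep Samba's internal DNS instead, the equivalent of the `forwarders` block is `dns forwarder = 10.0.0.53` in the `[global]` section of smb.conf. To check that a DC is really authoritative rather than merely relaying, query it for an AD service record, e.g. `dig @dc1.ad.companyname.com _ldap._tcp.ad.companyname.com SRV`, and confirm that the answer's header shows the `aa` flag and that a query for a companyname.com name from the same DC still resolves through the forwarders.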
