[Samba] standalone ADDC with samba_internal dns backend - windows client do not register in dns

mathias dufresne infractory at gmail.com
Mon May 23 14:42:34 UTC 2016

In short: BIND9_DLZ to avoid issues.

Regarding your issue with internal DNS and client updates, I don't know if
Windows client rely on DNS
I would check SOA record of root zone to verify it is set up correctly (ie
it is aiming a valid DC, up and well running) with:
dig -t SOA your.domain.tld (on linux)
nslookup -type=soa your.domain.tld (on windows)

You must receive a reply. The reply must be a valid DC with working DNS
service because SOA is "where to write updates", if no SOA is available, no
update can work.

Another point which could help (rather than ill speaking about internal
DNS) is the fact the DNS root zone security tab (available running MS DNS
console from RSAT, then right click on the root zone to get "properties"
then "security tab") there is a line granting to "authenticated users" the
right to "create all child objects".
For me, this security configuration is meant to grant any authenticated
user (a computer is also a user) to update the zone to create new entry, so
for machines can create their own DNS entry.

Regarding deletion of DNS entry as the user who creates this entry is the
host itself (my-machine.ad.domain.tld is created by computer-user named
"my-machine$"), the host is owner of the object and as "full control" on
the entry.

2016-05-14 12:19 GMT+02:00 Andrew Bartlett <abartlet at samba.org>:

> On Thu, 2016-05-05 at 16:52 +0800, David STIEVENARD wrote:
> > good lords of Kobol, that solved my problem !
> > thank you very much !
> >
> > As we can consider this as an official workaround, should it be in
> > the
> > wiki ? (this is definitively in my docs now :)
> >
> Turning off DNS update security really should not be recommended at
> all.
> I realise this is a difficult situation, and we hope to address this
> regression soon.
> Andrew Bartlett
> --
> Andrew Bartlett                       http://samba.org/~abartlet/
> Authentication Developer, Samba Team  http://samba.org
> Samba Developer, Catalyst IT
> http://catalyst.net.nz/services/samba
> --
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/options/samba

More information about the samba mailing list