[Samba] Making a Samba DC under a different domain

Rowland Penny rpenny at samba.org
Tue Nov 15 14:17:03 UTC 2016 

On Tue, 15 Nov 2016 12:34:52 +0000
Brian Candler via samba <samba at lists.samba.org> wrote:

> I am trying to determine if it is mandatory for the domain
> controllers's host FQDN to be within the same DNS domain as the
> realm's DNS domain.
> 
> For example: let's say I want the DC to be called
> smb1.int.example.net but I want the realm to be AD.EXAMPLE.NET.
> 
> I set "smb1" in /etc/hostname and mapping to the FQDN in /etc/hosts,
> so that "hostname -f" shows the desired FQDN "smb1.int.example.net".
> 
> Then I run samba-tool domain provision --interactive, and change the 
> offered realm from INT.EXAMPLE.NET to AD.EXAMPLE.NET. I then end up
> with:
> 
> Server Role:           active directory domain controller
> Hostname:              smb1
> NetBIOS Domain:        AD
> DNS Domain:            ad.example.net
> DOMAIN SID: S-1-5-21-895328253-630460385-2547770178
> 
> And LDAP contains:
> 
> # SMB1, Domain Controllers, ad.example.net
> dn: CN=SMB1,OU=Domain Controllers,DC=ad,DC=example,DC=net
> objectClass: top
> objectClass: person
> objectClass: organizationalPerson
> objectClass: user
> objectClass: computer
> cn: SMB1
> ...
> name: SMB1
> ...
> dNSHostName: smb1.ad.example.net
> ...
> servicePrincipalName: HOST/smb1.ad.example.net
> servicePrincipalName: HOST/smb1.ad.example.net/AD
> servicePrincipalName: ldap/smb1.ad.example.net/AD
> ...
> 
> So it seems to have chosen smb1.ad.example.net (instead of 
> smb1.int.example.net) for its hostname. Is that a hard-and-fast rule
> or can it be bypassed, and if so how?
> 
> Thanks,
> 
> Brian.
> 
> 

AD relies on DNS, so if the hostname of the machine that will become a
DC is 'something.ad.example.net' then the realm needs to be
'AD.EXAMPLE.NET'. If your registered dns name is 'ad.example.net' and
you already have dns servers running in this domain, you could change
the dns domain of your DC (before provisioning) to
'int.ad.example.net' and then provision the AD Domain with the realm
name 'INT.AD.EXAMPLE.NET'. You could then forward anything unknown to
the AD dns server (i.e. anything not in 'int.ad.example.net') to your
existing dns servers.

Rowland

More information about the samba mailing list