[Samba] NS records for a new AD DC

Rowland Penny rpenny at samba.org
Tue Oct 18 13:25:30 UTC 2016

On Tue, 18 Oct 2016 14:59:31 +0200
mathias dufresne via samba <samba at lists.samba.org> wrote:

> Anyway, NS records are used when DNS servers speak to DNS servers, not by
> clients. So AD would work just fine without them.
> NS records are used when a client asks for something the configured
> resolver can't resolve by itself and the resolver is not configured to
> forward requests to the relevant DNS server.
> i.e.: a client searches for toto.org and its resolver does not know
> anything about that zone.
> The resolver will ask the ORG root servers, and one of them sends it the
> NS for toto.org.
> It should be possible to have such behaviour on a LAN, but I don't
> expect someone able to deploy such a configuration would ask about such
> a known non-issue.

Yes, but what happens when a domain member searches for something in
its own domain?

The domain member will ask its nameserver (which should be an AD DC);
this nameserver will ask its nameserver (which should be itself or
another DC); the DC will then ask its DNS server, which will search its
SOA for the name server (which should be itself); it will then search
for the required info and return this.

If you are running an AD domain, you require any DC running a DNS server
to have an SOA record. This is one of the problems with the internal DNS
server: it ignores any extra SOA records.

Samba recommends that you run a DNS server on every DC and from my
experience, this means running Bind9 on multiple DCs.

What must be understood is that a Microsoft AD DNS server is different
from a normal DNS server.
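The thread is about whether a new DC shows up in the zone's NS set and whether the SOA names a DC. Below is an added example (not code from this thread, from Rowland, or from the Samba project) that runs the checks an admin would want before trusting a new DC's DNS: every DC has an NS record at the zone apex, every NS target has an A record in the zone, no NS points at a host that is no longer a DC, and the SOA MNAME is one of the NS hosts. The zone records are in the presentation format `dig` prints; the sample zone, the hostnames (dc1, dc2, olddc) and the addresses are constructed for this example. To check a real domain, feed it the output of `dig @<dc> <zone> ANY +noall +answer` (or the records listed by `samba-tool dns query <dc> <zone> @ ALL`).

```python
"""Check an AD DNS zone's apex NS/SOA records against the list of DCs.

Added example: the zone data below is constructed, not taken from a real
domain.  Records are expected in BIND presentation format, one per line:
    owner [ttl] [IN] TYPE rdata...
Only SOA, NS and A are inspected; other types are ignored.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional, Set

# owner, optional TTL, optional class, type, rdata
RR_RE = re.compile(r"^(\S+)\s+(?:\d+\s+)?(?:IN\s+)?(SOA|NS|A)\s+(.+)$", re.I)


@dataclass
class ApexRecords:
    soa_mname: Optional[str] = None            # primary NS named in the SOA
    ns: Set[str] = field(default_factory=set)  # NS targets at the zone apex
    a: Set[str] = field(default_factory=set)   # owner names that have an A record


def fqdn(name: str) -> str:
    """Normalise a DNS name: lower-case with exactly one trailing dot."""
    return name.lower().rstrip(".") + "."


def parse_records(text: str, zone: str) -> ApexRecords:
    """Collect the apex SOA/NS and all A records from presentation-format lines."""
    zone = fqdn(zone)
    recs = ApexRecords()
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()    # drop comments and blank lines
        m = RR_RE.match(line)
        if not m:
            continue
        owner, rtype, rdata = fqdn(m.group(1)), m.group(2).upper(), m.group(3).split()
        if rtype == "A":
            recs.a.add(owner)
        elif owner != zone:
            continue                            # NS/SOA below the apex: delegations
        elif rtype == "NS":
            recs.ns.add(fqdn(rdata[0]))
        elif rtype == "SOA":
            recs.soa_mname = fqdn(rdata[0])     # MNAME is the first SOA field
    return recs


def check_zone(text: str, zone: str, dcs: List[str]) -> List[str]:
    """Return a list of findings; an empty list means the apex looks sane."""
    recs = parse_records(text, zone)
    dcs = [fqdn(d) for d in dcs]
    findings = []
    for dc in dcs:                              # every DC must be an NS for the zone
        if dc not in recs.ns:
            findings.append(f"{dc} has no NS record at the apex of {fqdn(zone)}")
    for ns in sorted(recs.ns):
        if ns not in dcs:                       # e.g. a demoted DC left behind
            findings.append(f"NS {ns} is not a current DC (stale record?)")
        if ns not in recs.a:                    # NS target needs an address record
            findings.append(f"NS {ns} has no A record in the zone")
    if recs.soa_mname is None:
        findings.append("zone has no SOA record")
    elif recs.soa_mname not in recs.ns:
        findings.append(f"SOA MNAME {recs.soa_mname} is not one of the NS hosts")
    return findings


# Constructed sample: dc2 was just joined but never got an NS record, and
# olddc was demoted but its NS record was left behind.
ZONE = "samdom.example.com"
DCS = ["dc1.samdom.example.com", "dc2.samdom.example.com"]
SAMPLE = """\
samdom.example.com.     3600 IN SOA dc1.samdom.example.com. hostmaster.samdom.example.com. 42 900 600 86400 3600
samdom.example.com.     900  IN NS  dc1.samdom.example.com.
samdom.example.com.     900  IN NS  olddc.samdom.example.com.
dc1.samdom.example.com. 900  IN A   192.168.1.10
dc2.samdom.example.com. 900  IN A   192.168.1.11
"""

if __name__ == "__main__":
    for finding in check_zone(SAMPLE, ZONE, DCS) or ["no problems found"]:
        print(finding)
```

Run against the constructed sample it reports the missing NS for dc2, the stale NS for olddc, and the missing A record for olddc, which is the state the thread's question describes. On a live domain the missing record would be added with `samba-tool dns add <dc> <zone> @ NS dc2.<zone>` and the stale one removed with `samba-tool dns delete`, then the check re-run against every DC, since each DC answers from its own copy of the zone.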
