[Samba] NS records for a new AD DC

mathias dufresne infractory at gmail.com
Wed Oct 19 06:47:25 UTC 2016

2016-10-18 15:25 GMT+02:00 Rowland Penny via samba <samba at lists.samba.org>:

> On Tue, 18 Oct 2016 14:59:31 +0200
> mathias dufresne via samba <samba at lists.samba.org> wrote:
> > Anyway NS records are used when DNS server speak to DNS server, not by
> > clients. So AD would work just fine without them.
> >
> > NS are used when a client ask something the configured resolver can't
> > resolve by himself and when the resolver is not configured to forward
> > request to relevant DNS server.
> >
> > IE: client search for toto.org and its resolver does not know anything
> > about that zone.
> > Resolver will ask ORG root servers for one of them send it NS for
> > toto.org.
> >
> > It should be possible to have such behaviour on a LAN but I don't
> > expect someone able to deploy such a configuration would ask about so
> > knwon non-issue.
> >
> Yes, but what happens when a domain member searches for something in
> its own domain ?

I assume it is AD domain you refer as "its own domain", right?

> The domain member will ask its nameserver (which should be an AD DC),

The client send request to its resolver, which can be an AD DC but not
necessarily (we don't use AD DC as resolver, we use the company's DNS which
transfer request to AD DC when needed)

> this nameserver will ask its nameserver (which should be itself or
> another DC),

the DC receiving the request receives it directly on port 53, Bind or
internal DNS resolve the request, send it back. That's all, no NS nor SOA
request in that.

A Linux uses its resolver (what is configured into /etc/resolv.conf) to get
answer to its own requests only. That is fortunate to avoid loops.
Let's see what would be if Linux DNS server would use its resolver to
resolve _external_ requests:
- client send request to its resolver (called DC1)
- DC1 receive the request, look into resolv.conf, send the request to DC2
- DC2 receives the request, look into resolv.conf, send the request to DC1
- DC1 receive the request, look into resolv.conf, send the request to DC2

But still, no SOA nor NS request in that.

> the DC will then ask its DNS server, which will search its
> SOA for the name server (which should be itself), it will then search
> for the required info and return this.
> If you are running an AD domain you require any DC running a DNS server
> to have a SOA record, this is one of the problems with the internal DNS
> server, it ignores any extra SOA records.

Agreed, Internal DNS should behave as Bind and any DC acting as DNS server
and beeing able to modify the zones (this is not the case of RODC) should
reply as any Bind+DLZ "I am SOA". This because SOA means "a server able to
write into the zone" (by opposition NS means "a trusty server which can be

With only one DNS server able to act as SOA there is no fallback when SOA
is down. In that case no update of AD zones can be done because update
requests are all send to SOA because SOA is where to write. That's the
issue with internal DNS.

> Samba recommends that you run a DNS server on every DC and from my
> experience, this means running Bind9 on multiple DCs.

Agreed, with more than... one DC Bind seems the right choice to avoid DNS
update can't be performed when the DC declared into LDAP as SOA is down.
This because internal DNS is missing this little change for it can reply as
Bind "I am SOA" when it can modify the zone.

> What must be understood is, a Microsoft AD DNS server is different
> from a normal DNS server.

Who speak about them?
Who seems to lack some understanding? I mean, in all I wrote there is NO
request for NS because in these case all rely on configured resolvers.



> Rowland
> --
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/options/samba

More information about the samba mailing list