[Samba] Samba AD Best Practice (DNS)

Jon Gerdes gerdesj at blueloop.net
Fri Oct 13 22:09:14 UTC 2017


Pat

There's no such thing as "best practice" - there's good and bad
practice and I hope that here (Samba ML) you will get some good advice,
in return for a good question.

The environment you describe, to me, implies that it would be best if
you simply "fit in". You can but it will take a bit of work (not too
much).  It does not matter where DNS comes from, provided it gives the
correct answers to client queries.  So, you will have to get your new
Samba DC's DNS records set up on the dnsmasq system.  I don't think
that dnsmasq can do dynamic DNS apart from perhaps registering DHCP
leases as DNS entries.  You will also have to set the gateway as your
Samba box's DNS in /etc/resolv.conf (or via resolvconf) and not use the
Samba DNS implementation.

The whole point of this is that it is generally a good (maybe not the
best in all cases) idea for all systems on one network to have a
single view of DNS.  Your colleagues seem to have already stipulated
dnsmasq and I would roll with that - fit in.  It's not my preferred
solution but will work fine with some care.

Before you get going with Samba, the box must have time in sync with
the other DCs and be able to DNS resolve all the relevant addresses.

# ntpq -p

$ dig example.co.uk

Should return DC IPs

You'll need this lot:

https://blogs.msdn.microsoft.com/servergeeks/2014/07/12/dns-records-that-are-required-for-proper-functionality-of-active-directory/

Test with eg:

$ dig _ldap._tcp.pdc._msdcs.example.co.uk SRV

That should return the IP address of the box with the PDC emulator
role.  That box probably should also be your preferred ntp host unless
everything is virtual and you have a well designed ntp setup on
physical hosts with decent clocks and ntp sync.  Don't get too hung up
on this bit though - a second or two either way is good enough for now.

# net ads info

This should imply that things are good to go based on your
smb.conf, resolv.conf and probably krb5.conf before you do any AD
fiddling.

Now, for my money, I'd be content with being a domain member first
before adding another DC unless you are doing it for redundancy
reasons.

Cheers
Jon
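Jon's advice is to publish the DC's records on the dnsmasq box rather than run Samba's own DNS. As an added example (not from this thread or from the Samba project), this is what that looks like as a dnsmasq fragment for a single DC named dc1 at 172.18.0.20 in the domain example.co.uk. All names and addresses are placeholders; the site name Default-First-Site-Name and the DOMAIN-GUID token are assumptions that must be replaced with the real values from the existing domain, which this thread does not give.

```conf
# Added example, not from the thread: dnsmasq records for one Samba DC, dc1 at
# 172.18.0.20 in domain example.co.uk (placeholder names and addresses).
# Covers the records in the Microsoft list linked above; drop in /etc/dnsmasq.d/.

# Answer queries for the AD domain locally; never forward them upstream.
local=/example.co.uk/

# The DC itself, the domain apex and the global-catalog alias
host-record=dc1.example.co.uk,172.18.0.20
host-record=example.co.uk,172.18.0.20
host-record=gc._msdcs.example.co.uk,172.18.0.20

# LDAP (port 389) and global catalog (port 3268); priority 0, weight 100
srv-host=_ldap._tcp.example.co.uk,dc1.example.co.uk,389,0,100
srv-host=_ldap._tcp.dc._msdcs.example.co.uk,dc1.example.co.uk,389,0,100
srv-host=_ldap._tcp.pdc._msdcs.example.co.uk,dc1.example.co.uk,389,0,100
srv-host=_ldap._tcp.gc._msdcs.example.co.uk,dc1.example.co.uk,3268,0,100
srv-host=_gc._tcp.example.co.uk,dc1.example.co.uk,3268,0,100
# Site-scoped entries; Default-First-Site-Name is an assumed site name
srv-host=_ldap._tcp.Default-First-Site-Name._sites.example.co.uk,dc1.example.co.uk,389,0,100
srv-host=_ldap._tcp.Default-First-Site-Name._sites.dc._msdcs.example.co.uk,dc1.example.co.uk,389,0,100
srv-host=_gc._tcp.Default-First-Site-Name._sites.example.co.uk,dc1.example.co.uk,3268,0,100
# DOMAIN-GUID is a placeholder for the real domain GUID of the existing domain
srv-host=_ldap._tcp.DOMAIN-GUID.domains._msdcs.example.co.uk,dc1.example.co.uk,389,0,100

# Kerberos (port 88) and kpasswd (port 464), both TCP and UDP
srv-host=_kerberos._tcp.example.co.uk,dc1.example.co.uk,88,0,100
srv-host=_kerberos._udp.example.co.uk,dc1.example.co.uk,88,0,100
srv-host=_kerberos._tcp.dc._msdcs.example.co.uk,dc1.example.co.uk,88,0,100
srv-host=_kpasswd._tcp.example.co.uk,dc1.example.co.uk,464,0,100
srv-host=_kpasswd._udp.example.co.uk,dc1.example.co.uk,464,0,100
```

Because dnsmasq does not accept dynamic DNS updates, Samba's own update run (samba_dnsupdate) cannot register or refresh these records, so they are maintained by hand in this file and must be edited again whenever a DC is added or renumbered.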


On Thu, 2017-10-12 at 14:00 -0400, Pat Suwalski via samba wrote:
> On 2017-10-12 12:30 PM, Rowland Penny via samba wrote:
> > It might help if you described your network.
> 
> I thought I went into detail in the first message:
> 
> 
> For this example:
> - Network: 172.18.0.0/24
> - Domain: network.ca
> - AD server: ad.network.ca, 172.18.0.20
> - Gateway/DNS: 172.18.0.1
> 
> The gateway is running as the main DNS server, and has the various 
> underscore ("_") entries required for Windows to find the Active 
> Directory. It sends "172.18.0.1" as the DNS option over its DHCP
> server. 
> The samba AD server has its DNS forwarder set to "172.18.0.1".
> 
> 
> The only thing to add is that 172.18.0.1 runs dnsmasq. samba is used
> with Windows Desktops for AD and home shares, and with Linux servers
> for AD with sssd (samba's Winbind wasn't quite there when this was set
> up). Nothing really relies on DNS from samba; unless you know something
> about this point that I do not.
> 
> I could also manually add the local entries to samba's DNS. Not
> crazy about this option.
> 
> Thanks,
> --Pat
> 
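Jon's pre-flight checks above (ntpq -p, then dig for the AD SRV records) can be scripted so that every required record is checked, not just the PDC one. The following is an added example, not code from the thread or from Samba: it assumes the domain example.co.uk (override with the DOMAIN variable), the list of SRV names is taken from the Microsoft page linked in the reply, and the live commands only run when the script is started with --live, so the parsing functions can be tested offline.

```shell
#!/bin/sh
# Added example, not code from the original post. Pre-flight checks for a Samba
# host joining an AD domain whose DNS lives on a dnsmasq box, following the
# reply: time in sync first, then every AD SRV record resolvable to a DC.
# Assumption: the domain name is example.co.uk (the placeholder used in the reply).
DOMAIN="${DOMAIN:-example.co.uk}"

# SRV names a DC must publish; constructed from the Microsoft list linked in
# the reply (site-scoped and domain-GUID entries left out, as they need values
# the thread does not give).
required_srv_names() {
  printf '%s\n' \
    "_ldap._tcp.$DOMAIN" \
    "_ldap._tcp.dc._msdcs.$DOMAIN" \
    "_ldap._tcp.pdc._msdcs.$DOMAIN" \
    "_ldap._tcp.gc._msdcs.$DOMAIN" \
    "_gc._tcp.$DOMAIN" \
    "_kerberos._tcp.$DOMAIN" \
    "_kerberos._udp.$DOMAIN" \
    "_kerberos._tcp.dc._msdcs.$DOMAIN" \
    "_kpasswd._tcp.$DOMAIN" \
    "_kpasswd._udp.$DOMAIN"
}

# srv_target LINE: given one "dig +short NAME SRV" answer line
# ("priority weight port target."), print the target host without the
# trailing dot and return 0; return 1 if the line is not a well-formed answer.
srv_target() {
  set -- $1
  [ "$#" -eq 4 ] || return 1
  case "$1$2$3" in ''|*[!0-9]*) return 1 ;; esac
  printf '%s\n' "${4%.}"
}

# ntp_synced OUTPUT: inspect "ntpq -pn" output. ntpq marks the peer it is
# actually synchronised to with a leading '*'; no such line means no sync.
ntp_synced() {
  printf '%s\n' "$1" | grep -q '^\*'
}

# Live run: query the real ntpd and DNS and report each check as ok/FAIL.
run_checks() {
  fail=0
  if ntp_synced "$(ntpq -pn 2>/dev/null)"; then
    echo "ok   time: synchronised peer selected"
  else
    echo "FAIL time: ntpq shows no selected (*) peer"; fail=1
  fi
  for name in $(required_srv_names); do
    answer=$(dig +short "$name" SRV | head -n1)
    target=$(srv_target "$answer") || { echo "FAIL dns: $name has no SRV record"; fail=1; continue; }
    ip=$(dig +short "$target" A | head -n1)
    if [ -n "$ip" ]; then
      echo "ok   dns: $name -> $target ($ip)"
    else
      echo "FAIL dns: $name -> $target, but $target has no A record"; fail=1
    fi
  done
  return $fail
}

# Only touch the network when explicitly asked to.
if [ "${1:-}" = "--live" ]; then
  run_checks
fi
```

Run it as `sh adcheck.sh --live` on the new Samba box before `net ads join`; every FAIL line is a record to add on the dnsmasq side (or a clock to fix) before going further.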

