[Samba] Samba AD Best Practice (DNS)

Pat Suwalski pat at suwalski.net
Fri Oct 20 16:28:58 UTC 2017


On 2017-10-13 06:09 PM, Jon Gerdes via samba wrote:
> There's no such thing as "best practice" - there's good and bad
> practice and I hope that here (Samba ML) you will get some good advice,
> in return for a good question.

Thanks for this very thoughtful reply.

> The environment you describe, to me, implies that it would be best if
> you simply "fit in". You can but it will take a bit of work (not too
> much).  It does not matter where DNS comes from, provided it gives the
> correct answers to client queries.  So, you will have to get your new
> Samba DC's DNS records set up on the dnsmasq system.  I don't think
> that dnsmasq can do dynamic DNS apart from perhaps registering DHCP
> leases as DNS entries.  You will also have to set the gateway as your
> Samba box's DNS in /etc/resolv.conf (or via resolvconf) and not use the
> Samba DNS implementation.

That is correct. dnsmasq registers all of the DNS leases it hands out, 
so that part is basically in line with what the AD server's DNS does for 
the Windows clients.

The part about the DNS server is the sticky point. It's currently set to 
itself (the Samba DNS server). I'm worried that changing that might 
break something in Samba itself.

> The whole point of this is that it is generally a good (maybe not the
> best in all cases) idea to have all systems on one network to have a
> single view of DNS.  Your colleagues seem to have already stipulated
> dnsmasq and I would roll with that - fit in.  It's not my preferred
> solution but will work fine with some care.

Well, whether it be dnsmasq or bind, we need more functionality than the 
Samba DNS server provides. The goal at this point, as you surmised, is 
to fit in to the existing system.

> Before you get going with Samba, the box must have time in sync with
> the other DCs and be able to DNS resolve all the relevant addresses.
> 
> # ntpq -p

We run NTP everywhere, so that's in sync.

> $ dig example.co.uk
> 
> Should return DC IPs
> 
> You'll need this lot:
> 
> https://blogs.msdn.microsoft.com/servergeeks/2014/07/12/dns-records-that-are-required-for-proper-functionality-of-active-directory/

Interesting. I had built up my list by trial and error and it's quite 
different than what is listed there. I don't have an A record at all, 
and my SRV records are not the same at all:

_gc._tcp.Default-First-Site-Name._sites.domain.ca
_gc._tcp.domain.ca
_ldap._tcp.Default-First-Site-Name._sites.domain.ca
_ldap._tcp.dc._msdcs.domain.ca
_ldap._tcp.domain.ca
_kerberos._udp.DOMAIN.CA
_kerberos._tcp.DOMAIN.CA
_kpasswd._tcp.DOMAIN.CA
_kpasswd._udp.DOMAIN.CA

Then again, I'm only dealing with a single DC, so my entries are aimed 
strictly at clients, and this list seems to work. I might need to add 
these entries if I set my Samba server to use the main DNS server 
(dnsmasq) as well.

Thanks for all the advice. I guess my big takeaway from this is that I 
should, in fact, make my Samba server use the main DNS server, so that 
everything is in line.

--Pat
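As an added example that is not part of the thread (nor Samba's or dnsmasq's own tooling), the following Python helper turns the SRV record list above into dnsmasq `host-record=` / `srv-host=` lines for a single DC, and checks case-insensitively which required names a resolver did not answer. The domain, DC hostname and IP address are constructed sample values.

```python
#!/usr/bin/env python3
"""Publish one Samba AD DC's DNS records through dnsmasq (hypothetical helper).

dnsmasq syntax used:
    host-record=<name>,<ipv4>
    srv-host=<_service._proto.name>,<target>,<port>,<priority>,<weight>
"""

# Standard AD service ports per SRV service label.
SERVICE_PORTS = {
    "_gc._tcp": 3268,
    "_ldap._tcp": 389,
    "_kerberos._tcp": 88,
    "_kerberos._udp": 88,
    "_kpasswd._tcp": 464,
    "_kpasswd._udp": 464,
}

# Name infixes (between service label and domain) from the post's record
# list; "{site}" is the AD site name, "" means directly under the domain.
SRV_INFIXES = {
    "_gc._tcp": ["", "{site}._sites"],
    "_ldap._tcp": ["", "{site}._sites", "dc._msdcs"],
    "_kerberos._tcp": [""],
    "_kerberos._udp": [""],
    "_kpasswd._tcp": [""],
    "_kpasswd._udp": [""],
}


def dnsmasq_ad_records(domain, dc_host, dc_ip, site="Default-First-Site-Name"):
    """Return dnsmasq config lines (A record + SRV records) for one DC."""
    lines = [f"host-record={dc_host},{dc_ip}"]
    for service, infixes in SRV_INFIXES.items():
        port = SERVICE_PORTS[service]
        for infix in infixes:
            name = ".".join(p for p in (service, infix.format(site=site), domain) if p)
            lines.append(f"srv-host={name},{dc_host},{port},0,100")
    return lines


def missing_names(required, answered):
    """Required names not present in `answered` (DNS names compare case-insensitively,
    and a trailing dot is ignored), e.g. to diff against what `dig` returns."""
    have = {n.rstrip(".").lower() for n in answered}
    return sorted(n for n in required if n.rstrip(".").lower() not in have)


if __name__ == "__main__":
    # Constructed sample: DC dc1 at 192.0.2.10 serving the domain example.ca.
    print("\n".join(dnsmasq_ad_records("example.ca", "dc1.example.ca", "192.0.2.10")))
```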


