[Samba] Samba AD Best Practice (DNS)

Fri Oct 20 17:25:04 UTC 2017

What do you need that the internal samba DNS server can't do?

On Oct 20, 2017 9:32 AM, "Pat Suwalski via samba" <samba at lists.samba.org>
wrote:

> On 2017-10-13 06:09 PM, Jon Gerdes via samba wrote:
>
>> There's no such thing as "best practice" - there's good and bad
>> practice and I hope that here (Samba ML) you will get some good advice,
>> in return for a good question.
>>
>
> Thanks for this very thoughtful reply.
>
> The environment you describe, to me, implies that it would be best if
>> you simply "fit in". You can but it will take a bit of work (not too
>> much).  It does not matter where DNS comes from, provided it gives the
>> correct answers to client queries.  So, you will have to get your new
>> Samba DC's DNS records set up on the dnsmasq system.  I don't think
>> that dnsmasq can do dynamic DNS apart from perhaps registering DHCP
>> leases as DNS entries.  You will also have to set the gateway as your
>> Samba box's DNS in /etc/resolv.conf (or via resolvconf) and not use the
>> Samba DNS implementation.
>>
>
> That is correct. dnsmasq registers all of the DNS leases it hands out, so
> that part is basically in-line with what the AD server's DNS does for the
> Windows clients.
>
> The part about the DNS server is the sticky point. It's currently set to
> itself (the Samba DNS server). I'm worried that changing that might break
> something in Samba itself.
>
> The whole point of this is that is is generally a good (may be not the
>> best in all cases) idea to have all systems on one network to have a
>> single view of DNS.  Your colleagues seem to have already stipulated
>> dnsmasq and I would roll with that - fit in.  Its not my preferred
>> solution but will work fine with some care.
>>
>
> Well, whether it be dnsmasq or bind, we need more functionality than the
> Samba DNS server provides. The goal at this point. as you surmised, is to
> fit in to the existing system.
>
> Before you get going with Samba, the box must have time in sync with
>> the other DCs and be able to DNS resolve all the relevent addresses.
>>
>> # ntpq -p
>>
>
> We run NTP everywhere, so that's in sync.
>
> $ dig example.co.uk
>>
>> Should return DC IPs
>>
>> You'll need this lot:
>>
>> https://blogs.msdn.microsoft.com/servergeeks/2014/07/12/dns-records-tha
>> t-are-required-for-proper-functionality-of-active-directory/
>>
>
> Interesting. I had built up my list by trial and error and it's quite
> different than what is listed there. I don't have an A record at all, and
> my SRV records are not the same at all:
>
> _gc._tcp.Default-First-Site-Name._sites.domain.ca
> _gc._tcp.domain.ca
> _ldap._tcp.Default-First-Site-Name._sites.domain.ca
> _ldap._tcp.dc._msdcs.domain.ca
> _ldap._tcp.domain.ca
> _kerberos._udp.DOMAIN.CA
> _kerberos._tcp.DOMAIN.CA
> _kpasswd._tcp.DOMAIN.CA
> _kpasswd._udp.DOMAIN.CA
>
> Then again, I'm only dealing with a single DC, so my entries are aimed
> strictly at clients, and this list seems to work. I might need to add these
> entries if I set my Samba server to use the main DNS server (dnsmasq) as
> well.
>
> Thanks for all the advice. I guess my big takeaway from this is that I
> should, in fact, make my Samba server use the main DNS server, so that
> everything is in-line.
>
> --Pat
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/options/samba