[Samba] setting up a new ADS infrastructure

Andrew Bartlett abartlet at samba.org
Mon Jun 24 06:59:35 UTC 2019

On Sun, 2019-06-23 at 15:18 +0100, Rowland penny via samba wrote:
> On 23/06/2019 14:34, Stefan Froehlich via samba wrote:
> > No need to be sorry - most likely I'll the whole setup from
> > scratch.
> > But just to be sure and to avoid new mistakes, after re-reading the
> > samba wiki:
> > 
> > I understand that they use the same SAMDOM.EXAMPLE.COM as DNS *and*
> > Windows domain which is (for legacy reasons and for a smoother
> > transition) something I'd rather like to avoid.
> 'SAMDOM.EXAMPLE.COM' is an example Realm name, you can use whatever you
> like. However, whatever you use for the DNS domain, MUST be used for the
> Realm name, but the Realm name must be in uppercase.
> > 
> > There is the existing DNS domain synth.intern (driven by bind and
> > generally in a rather good shape) and I want to create the new AD
> > domain SYNTHESIS *below* and independent from that.
> So far, this was a good idea.
> > That's why I created an NS record for synthesis.synth.intern
> > delegating it to the DC and proceeded from there following the wiki
> > with my AD DNS domain
> That is where you went wrong ;-)

No, that should be fine.  We normally suggest just setting up a zone
type of 'forward' in BIND but glue records should work. 

> You should have used the subdomain 'synthesis.synth.intern' for your
> AD, totally unconnected to your other DNS server. Your AD DCs are all
> authoritative for the DNS domain and your AD clients must use the DCs
> as their nameservers, anything the DCs do not know (anything outside
> the AD domain) should be forwarded to another DNS server.


We actually suggest the reverse, due to issues with the forwarding
capacity of both of our DNS options.  We suggest a 'normal' DNS server
that delegates the Samba zone (only) to Samba:


In the past this wasn't possible, but that was due to bugs now fixed in
how we script nsupdate.

I hope this helps clarify things.

Andrew Bartlett

Andrew Bartlett                       https://samba.org/~abartlet/
Authentication Developer, Samba Team  https://samba.org
Samba Developer, Catalyst IT          
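
The two BIND-side options named in the reply above, sketched as an added example that is not part of the original message or of the Samba documentation. The DC host name `dc1` and the address `192.0.2.10` are constructed placeholders; the zone names are the ones used in the thread.

```conf
// ---- Option A: named.conf on the existing BIND server ----
// The zone type 'forward' mentioned in the reply: every query for
// the AD zone is passed to the Samba DC.
zone "synthesis.synth.intern" {
    type forward;
    forward only;                  // do not fall back to normal recursion
    forwarders { 192.0.2.10; };    // constructed address of the Samba DC
};

; ---- Option B: zone file for synth.intern on the existing BIND server ----
; An NS delegation with glue. The name server sits inside the zone being
; delegated, so the parent zone has to carry its address (the glue record)
; or resolvers cannot reach it.
$ORIGIN synth.intern.
synthesis        IN NS   dc1.synthesis.synth.intern.   ; hypothetical DC name
dc1.synthesis    IN A    192.0.2.10                    ; glue, constructed address

; With synthesis.synth.intern as the AD DNS domain, the rule quoted in the
; thread gives the Kerberos realm SYNTHESIS.SYNTH.INTERN.
```

Option A uses `//` comments because it belongs in named.conf; Option B uses `;` comments because it belongs in the zone file.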
