[Samba] AD DC without integrated DNS
abartlet at samba.org
Mon May 4 20:39:06 UTC 2020
On Mon, 2020-05-04 at 22:06 +0200, Magnus Holmgren via samba wrote:
> Monday 4 May 2020 at 21:17:13 CEST, Rowland penny via samba wrote:
> > > samba_dnsupdate can insert all the records from dns_update_cache,
> > > *except*
> > > the NS record for the _msdcs zone
> > Not sure I understand that, by default a Samba AD DC has two zones:
> > samdom.example.com (DomainDnsZone)
> > _msdcs.samdom.example.com (ForestDnsZone)
> > Both of which can be updated by samba_dnsupdate
> Yes, samba_dnsupdate successfully injects all the necessary RRs, both for the
> domain and for the forest, except they don't get separated into two
> Exactly. I said we're hardly planning on joining any Windows machines to the
> domain, and they're mostly running Windows Home anyway (we could buy
> upgrades, though).
Just please don't. The main reason is that any time you have an issue,
and you come here, you will need to say 'btw, we ignored your advice
and run a strange DNS arrangement', and then Rowland (who does such an
amazing job at first-level triage here) will have to say 'we told you
not to do that', and then you will be stuck.
Even for my commercial support clients, who are smart folks and could
mostly pull this off, and who pay us not to just be triaged away for
things that probably don't matter in this particular case, I don't
Yes, DNS is the one part of AD that appears to have been designed to be
But still don't - just delegate a subdomain and let Samba handle it.
Additionally, Samba now assumes integrated DNS at DC join time, to make
it more reliable we set up our first DNS entries for the new DC over
RPC and LDAP.
While this in turn sometimes causes other trouble, it has made Samba DC
join much more reliable, even than Windows.
Andrew Bartlett https://samba.org/~abartlet/
Authentication Developer, Samba Team https://samba.org
Samba Developer, Catalyst IT
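As an added illustration of the "delegate a subdomain" approach Andrew recommends (example records, not from the thread or the Samba project): the entries an administrator would add to the parent zone on the organisation's existing DNS server. `example.com`, `dc1` and `192.0.2.10` are constructed placeholders.

```zone
; Constructed example: parent zone example.com on the existing DNS server,
; delegating samdom.example.com to the Samba AD DC's internal DNS server.
; Zone name, host name and address are placeholders, not from the thread.
$ORIGIN example.com.
$TTL 3600

; Delegation: the parent answers for samdom only with a referral (NS records).
samdom          IN  NS   dc1.samdom.example.com.

; Glue: the NS target is inside the delegated zone, so the parent must carry
; its address, otherwise resolvers cannot reach the DC to follow the referral.
dc1.samdom      IN  A    192.0.2.10

; No other samdom.example.com records belong here. The DC's internal DNS owns
; both zones Samba creates, samdom.example.com and _msdcs.samdom.example.com;
; _msdcs sits beneath samdom, so this single delegation covers it as well.
```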