[Samba] Secondary DNS on active directory possible?

Rowland Penny rpenny at samba.org
Mon Dec 19 19:27:25 UTC 2022 


On 19/12/2022 18:50, Markus Mueller via samba wrote:
> Hi Samba community
> 
> first post on this list, so apologies in advance for mistakes.
> 
> I run a Samba AD domain (let's call it myAD.mydomain.net) with DLZ DNS 
> backend (Ubuntu 20.04, vanilla Samba install) which I migrated from an 
> NT-style domain. Not all machines in my network participate in the AD 
> (some Linux only machines and guests), which is why I have a separate 
> 'master' DHCPD/bind9 server (let's call it master.mydomain.net) serving 
> zone mydomain.net. The AD host (nameserver.myAD.mydomain.net) serves 
> zone myAD.mydomain.net.
> 
> Ideally, I would like to have the Samba-DNS serving the requests from 
> myAD.mydomain.net and the DHCPD/bind9 machine serving mydomain.net 
> (which they do). But: the samba AD should forward all requests for 
> mydomain.net to the master nameserver (which it does not, even though I 
> set the dns forwarder to master.mydomain.net in smb.conf). It should be 
> possible (in my opinion) by creating a secondary DNS zone on the Samba 
> AD (nameserver.myAD.mydomain.net). But that doesn't seem allowed. 
> samba-tool allows me to create that zone, but I couldn't figure out how 
> to do the slave config (e.g. setting the master server). The Microsoft 
> DNS tool does not allow me to create a secondary zone at all.
> 
> Why do I try so complicated? My general nameserver failed recently from 
> a segmentation fault and my whole intranet went down (because my dhcpd 
> relies on client identification via DNS, mainly for historical reasons). 
> I would like to have a backup nameserver, but I prefer not to install 
> yet another instance.
> 
> Cheers
> Markus
> 
> 

If your AD DC is using Bind9, then you do not set the forwarder in 
smb.conf (that is for the internal dns server), you set it the Bind9 
conf files.

You usually do it the other way around, you point your AD clients at the 
main dns server and this forwards everything for the AD domain 
(myAD.mydomain.net) to the dns server on the DC.

Why not join your Linux machines to the domain ? they work well.

Rowland

More information about the samba mailing list