[Samba] Secondary DNS on active directory possible?

Rowland Penny rpenny at samba.org
Tue Dec 20 13:47:47 UTC 2022

On 20/12/2022 10:19, Markus Mueller via samba wrote:
> Am 19.12.2022 um 20:27 schrieb Rowland Penny via samba:
>> On 19/12/2022 18:50, Markus Mueller via samba wrote:
>>> I run a Samba AD domain (let's call it myAD.mydomain.net) with DLZ 
>>> DNS backend (Ubuntu 20.04, vanilla Samba install) which I migrated 
>>> from an NT-style domain. Not all machines in my network participate 
>>> in the AD (some Linux only machines and guests), which is why I have 
>>> a separate 'master' DHCPD/bind9 server (let's call it 
>>> master.mydomain.net) serving zone mydomain.net. The AD host 
>>> (nameserver.myAD.mydomain.net) serves zone myAD.mydomain.net.
>>> Ideally, I would like to have the Samba-DNS serving the requests from 
>>> myAD.mydomain.net and the DHCPD/bind9 machine serving mydomain.net 
>>> (which they do). But: the samba AD should forward all requests for 
>>> mydomain.net to the master nameserver (which it does not, even though 
>>> I set the dns forwarder to master.mydomain.net in smb.conf). It 
>>> should be possible (in my opinion) by creating a secondary DNS zone 
>>> on the Samba AD (nameserver.myAD.mydomain.net). But that doesn't seem 
>>> allowed. samba-tool allows me to create that zone, but I couldn't 
>>> figure out how to do the slave config (e.g. setting the master 
>>> server). The Microsoft DNS tool does not allow me to create a 
>>> secondary zone at all.
>>> Why do I try something so complicated? My general nameserver failed recently 
>>> from a segmentation fault and my whole intranet went down (because my 
>>> dhcpd relies on client identification via DNS, mainly for historical 
>>> reasons). I would like to have a backup nameserver, but I prefer not 
>>> to install yet another instance.
>>> Cheers
>>> Markus
> Dear Rowland
> thanks a lot for your reply. You really helped me to optimize my settings.
>> If your AD DC is using Bind9, then you do not set the forwarder in 
>> smb.conf (that is for the internal dns server), you set it the Bind9 
>> conf files.
> I have not thought about this yet. Always tried to leave the bind9 
> config alone and tried to use the samba-tool or Windows DNS only. I did 
> set the forwarder in /etc/bind named.conf.options to my master DNS now, 
> but it didn't resolve any hosts of mydomain.net. I had to also change 
> /etc/resolv.conf to that address and it worked.
>> You usually do it the other way around, you point your AD clients at 
>> the main dns server and this forwards everything for the AD domain 
>> (myAD.mydomain.net) to the dns server on the DC.
> Sorry, I was unspecific. I actually did it that way. Nevertheless, I 
> would like the Samba AD DC to also serve the master domain in case of a 
> failure.
> This is the zone config on my master DNS:
> zone "mydomain.net" in {
>          allow-transfer { any; };
>          allow-update { AD-DC; };
>          also-notify { AD-DC; };
>          file "/var/lib/bind/mydomain.net";
>          type master;
> };
> zone "myAD.mydomain.net" in {
>          type forward;
>          forwarders { AD-DC; };
>          forward only;
> };
> Inspired by your suggestion to modify the config files directly I did so 
> and it works! My AD-DC Bind is now serving mydomain.net:)
> zone "mydomain.net" in {
>        type slave;
>        file "/var/lib/bind/mydomain.net";
>        masters {myMasterDNS; };
> };

I think you might want to read this:



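As an added illustration, not the poster's or Samba's own configuration, here is the same two-server layout with the zone transfer tightened: the master hands mydomain.net only to the DC and only when the request is signed with a TSIG key, and the DC's own bind9 (BIND9_DLZ backend) holds the secondary copy next to the Samba DLZ zone. The addresses 192.0.2.10 (master) and 192.0.2.20 (DC), the key name xfer-key and its secret are placeholders. As Rowland notes, with BIND9_DLZ the forwarder goes in the bind9 files, not in smb.conf; the DC's /etc/resolv.conf should also point at the DC itself, otherwise the DC's own lookups bypass the local bind9 entirely.

```conf
# Added example, not the configuration from the thread. Addresses, key
# name and secret are placeholders; make the secret with `tsig-keygen xfer-key`.

# ---- /etc/bind/named.conf.local on master.mydomain.net (192.0.2.10) ----
key "xfer-key" {
    algorithm hmac-sha256;
    secret "cGxhY2Vob2xkZXItcmVwbGFjZS1tZQ==";   # placeholder, replace
};

# The posted config used `allow-transfer { any; }`, which lets any host
# dump the whole zone with `dig AXFR`. Only signed requests are allowed now.
zone "mydomain.net" in {
    type master;                      # `primary` on BIND >= 9.16
    file "/var/lib/bind/mydomain.net";
    allow-transfer { key "xfer-key"; };
    also-notify { 192.0.2.20 key "xfer-key"; };
    allow-update { key "xfer-key"; }; # or `none;` if the DC never updates it
};

# Everything under the AD domain is answered by the DC.
zone "myAD.mydomain.net" in {
    type forward;
    forward only;
    forwarders { 192.0.2.20; };
};

# ---- /etc/bind/named.conf.local on the DC (192.0.2.20), BIND9_DLZ ----
key "xfer-key" {
    algorithm hmac-sha256;
    secret "cGxhY2Vob2xkZXItcmVwbGFjZS1tZQ==";   # same placeholder as above
};

# Sign transfer requests and NOTIFY replies to the master with the key.
server 192.0.2.10 { keys { "xfer-key"; }; };

# Secondary copy of the general zone. The AD zone itself keeps coming
# from the Samba DLZ include, which stays in place:
# include "/var/lib/samba/bind-dns/named.conf";
zone "mydomain.net" in {
    type slave;                       # `secondary` on BIND >= 9.16
    file "/var/lib/bind/mydomain.net";
    masters { 192.0.2.10; };          # `primaries` on BIND >= 9.16
    allow-transfer { none; };         # the DC is a backup, not a distribution point
};

# ---- /etc/bind/named.conf.options on the DC ----
options {
    directory "/var/cache/bind";
    # Forwarder for names the DC is not authoritative for. Setting
    # `dns forwarder` in smb.conf has no effect with the BIND9_DLZ backend.
    forwarders { 192.0.2.10; };
    forward only;
    recursion yes;
    allow-query { 192.0.2.0/24; };
    allow-recursion { 192.0.2.0/24; };
};
```

Run `named-checkconf` on both hosts before reloading. To confirm the restriction, an unsigned `dig @192.0.2.10 mydomain.net AXFR` from any host should now return REFUSED, while `dig @192.0.2.10 mydomain.net AXFR -y hmac-sha256:xfer-key:<secret>` from the DC still succeeds; the DC's log should show the transfer and `file "/var/lib/bind/mydomain.net"` appear on the DC. Because `forward only` is set on the DC, the DC can still answer mydomain.net from its secondary copy while the master is down, which is the failover the original poster wanted.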