[Samba] Secondary DNS on active directory possible?
Rowland Penny
rpenny at samba.org
Tue Dec 20 13:47:47 UTC 2022
On 20/12/2022 10:19, Markus Mueller via samba wrote:
> Am 19.12.2022 um 20:27 schrieb Rowland Penny via samba:
>>
>> On 19/12/2022 18:50, Markus Mueller via samba wrote:
>>>
>>> I run a Samba AD domain (let's call it myAD.mydomain.net) with DLZ
>>> DNS backend (Ubuntu 20.04, vanilla Samba install) which I migrated
>>> from an NT-style domain. Not all machines in my network participate
>>> in the AD (some Linux only machines and guests), which is why I have
>>> a separate 'master' DHCPD/bind9 server (let's call it
>>> master.mydomain.net) serving zone mydomain.net. The AD host
>>> (nameserver.myAD.mydomain.net) serves zone myAD.mydomain.net.
>>>
>>> Ideally, I would like to have the Samba-DNS serving the requests from
>>> myAD.mydomain.net and the DHCPD/bind9 machine serving mydomain.net
>>> (which they do). But: the samba AD should forward all requests for
>>> mydomain.net to the master nameserver (which it does not, even though
>>> I set the dns forwarder to master.mydomain.net in smb.conf). It
>>> should be possible (in my opinion) by creating a secondary DNS zone
>>> on the Samba AD (nameserver.myAD.mydomain.net). But that doesn't seem
>>> allowed. samba-tool allows me to create that zone, but I couldn't
>>> figure out how to do the slave config (e.g. setting the master
>>> server). The Microsoft DNS tool does not allow me to create a
>>> secondary zone at all.
>>>
>>> Why do I try something so complicated? My general nameserver failed recently
>>> from a segmentation fault and my whole intranet went down (because my
>>> dhcpd relies on client identification via DNS, mainly for historical
>>> reasons). I would like to have a backup nameserver, but I prefer not
>>> to install yet another instance.
>>>
>>> Cheers
>>> Markus
>>>
> Dear Rowland
>
> thanks a lot for your reply. You really helped me to optimize my settings.
>
>> If your AD DC is using Bind9, then you do not set the forwarder in
>> smb.conf (that is for the internal dns server), you set it the Bind9
>> conf files.
> I have not thought about this yet. Always tried to leave the bind9
> config alone and tried to use the samba-tool or Windows DNS only. I did
> set the forwarder in /etc/bind named.conf.options to my master DNS now,
> but it didn't resolve any hosts of mydomain.net. I had to also change
> /etc/resolv.conf to that address and it worked.
>>
>> You usually do it the other way around, you point your AD clients at
>> the main dns server and this forwards everything for the AD domain
>> (myAD.mydomain.net) to the dns server on the DC.
>
> Sorry, I was unspecific. I actually did it that way. Nevertheless, I
> would like the Samba AD DC to also serve the master domain in case of a
> failure.
>
> This is the zone config on my master DNS:
>
> zone "mydomain.net" in {
>     allow-transfer { any; };
>     allow-update { AD-DC; };
>     also-notify { AD-DC; };
>     file "/var/lib/bind/mydomain.net";
>     type master;
> };
> zone "myAD.mydomain.net" in {
>     type forward;
>     forwarders { AD-DC; };
>     forward only;
> };
>
> Inspired by your suggestion to modify the config files directly, I did so
> and it works! My AD-DC Bind is now serving mydomain.net :)
>
> zone "mydomain.net" in {
>     type slave;
>     file "/var/lib/bind/mydomain.net";
>     masters { myMasterDNS; };
> };
>
>
I think you might want to read this:
https://wiki.samba.org/index.php/Setting_up_a_BIND_DNS_Server
Rowland
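Below is an added example, not part of the thread, of the primary/secondary pairing Markus describes: a BIND9 primary on master.mydomain.net and a secondary zone on the Samba AD DC, with the AD zone itself still forwarded to the DC. Two things differ from the quoted configs and are the points a practitioner would want: the primary's `allow-transfer` is restricted to the secondary's address instead of `any;` (an open zone transfer hands the complete internal host inventory to anyone who can reach port 53), and the secondary does not re-serve transfers. The IP addresses and ACL names (`ad-dc`, `master-dns`, 192.0.2.x) are constructed placeholders.

```conf
// --- named.conf fragment on master.mydomain.net (the primary); constructed example ---
acl "ad-dc" { 192.0.2.10; };           // placeholder address of nameserver.myAD.mydomain.net

zone "mydomain.net" in {
    type master;
    file "/var/lib/bind/mydomain.net";
    allow-transfer { ad-dc; };          // only the DC may pull the zone (AXFR/IXFR), not "any"
    also-notify { 192.0.2.10; };        // push NOTIFY to the DC when the zone changes
    allow-update { ad-dc; };            // as in the thread: the DC may send dynamic updates
};

zone "myAD.mydomain.net" in {
    type forward;
    forward only;
    forwarders { 192.0.2.10; };         // the AD zone is answered by the DC's BIND/DLZ
};

// --- named.conf fragment on the Samba AD DC (the secondary); constructed example ---
acl "master-dns" { 192.0.2.1; };       // placeholder address of master.mydomain.net

zone "mydomain.net" in {
    type slave;
    file "/var/lib/bind/mydomain.net"; // BIND writes the transferred copy here; must be writable by named
    masters { 192.0.2.1; };
    allow-transfer { none; };           // the DC's copy is for answering queries, not for onward transfer
    allow-notify { master-dns; };       // accept NOTIFY only from the primary
};
```

On a DC using the BIND9_DLZ backend this static secondary zone sits beside the include line that loads Samba's DLZ configuration; the AD zone keeps coming from the DLZ module and is not declared as a static zone. After editing, `named-checkconf` validates the syntax on each side and `rndc retransfer mydomain.net` on the DC forces an initial pull so the zone file appears without waiting for a NOTIFY or the SOA refresh timer.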