[Samba] Picking a non-.local domain
Rowland Penny
rpenny at samba.org
Tue Aug 8 08:35:43 UTC 2023
On 08/08/2023 01:43, Mark Foley via samba wrote:
> First off, thanks to Rowland Penny for his patience in working through my thread
> "Joining a new Samba AD DC".
>
> I first attempted to upgrade my old Samba 4.8.2 AD/DC to a more recent version,
> but that effort failed due to too many differences with the Samba version and
> the latest Slackware OS version. Next I tried to join a 2nd Samba DC to the
> existing domain with the intent of promoting it, but that also ran into version
> compatibility problems, including with BIND.
>
> Now I'm taking the "nuclear" option. I will create a new AD/DC with my distro's
> latest versions of everything. I will then un-join all the Windows workstations
> from the current domain and re-join them to the new domain. This is what I did
> 13 years ago when migrating from Windows SBS 2008 to Samba for AD/DC in the
> first place, so no reason that shouldn't work. I will join a single dummy
> Wondows workstations to this domain for testing.
>
> I am going through the wiki https://wiki.samba.org/index.php/Setting_up_Samba_as_an_Active_Directory_Domain_Controller.
>
> First question ... according to https://wiki.samba.org/index.php/Active_Directory_Naming_FAQ,
> Using e.g. samdom.local is not recommded for several reasons. My current domain
> is hprs.local. So, as long as I'm starting from scratch I would like to take the
> opportunity to get this right.
>
> In wiki section "Using Your external Domain Name", it says I could simply use
> the external domain name, e.g. ohprs.org.
>
> Here's where I'm confused. If I use ohprs.org as the AD domain and e.g.
> DC1.ohprs.org is my AD/DC, how does name resolution work with other domain
> members? For example, webserver.ohprs.org is a current, public FDQN which
> resolves to 98.102.63.106. Inernally this host's IP within the domain is
> 192.168.0.3. This host also has an SSL certificate for external access to
> webpages (https).
>
Not surprised you are confused, that section of the wikipage seemed to
say it was okay to use your external dns name, it isn't and never has
been. I have rewritten that part to say basically, do not use your
external dns domain for AD, use a subdomain.
Rowland
More information about the samba
mailing list