[Samba] Picking a non-.local domain

Rowland Penny rpenny at samba.org
Tue Aug 8 08:35:43 UTC 2023

On 08/08/2023 01:43, Mark Foley via samba wrote:
> First off, thanks to Rowland Penny for his patience in working through my thread
> "Joining a new Samba AD DC".
> I first attempted to upgrade my old Samba 4.8.2 AD/DC to a more recent version,
> but that effort failed due to too many differences with the Samba version and
> the latest Slackware OS version.  Next I tried to join a 2nd Samba DC to the
> existing domain with the intent of promoting it, but that also ran into version
> compatibility problems, including with BIND.
> Now I'm taking the "nuclear" option.  I will create a new AD/DC with my distro's
> latest versions of everything.  I will then un-join all the Windows workstations
> from the current domain and re-join them to the new domain.  This is what I did
> 13 years ago when migrating from Windows SBS 2008 to Samba for AD/DC in the
> first place, so no reason that shouldn't work.  I will join a single dummy
> Windows workstation to this domain for testing.
> I am going through the wiki https://wiki.samba.org/index.php/Setting_up_Samba_as_an_Active_Directory_Domain_Controller.
> First question ... according to https://wiki.samba.org/index.php/Active_Directory_Naming_FAQ,
> Using e.g. samdom.local is not recommended for several reasons. My current domain
> is hprs.local. So, as long as I'm starting from scratch I would like to take the
> opportunity to get this right.
> In wiki section "Using Your external Domain Name", it says I could simply use
> the external domain name, e.g. ohprs.org.
> Here's where I'm confused. If I use ohprs.org as the AD domain and e.g.
> DC1.ohprs.org is my AD/DC, how does name resolution work with other domain
> members? For example, webserver.ohprs.org is a current, public FQDN which
> resolves to Internally this host's IP within the domain is
> This host also has an SSL certificate for external access to
> webpages (https).

Not surprised you are confused, that section of the wiki page seemed to
say it was okay to use your external DNS name, it isn't and never has
been. I have rewritten that part to say basically, do not use your
external DNS domain for AD, use a subdomain.
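Added example (not from the thread or from Samba itself) that models the resolution question raised above: a domain member that uses the DC as its only resolver gets authoritative answers for the AD DNS zone and forwarder answers for everything else, so naming the AD domain after the public zone hides public hosts like webserver.ohprs.org from members, while a subdomain does not. All records and IPs are constructed.

```python
from typing import Dict, Optional

# Constructed sample records (RFC 5737 documentation addresses, not real ones).
PUBLIC_ZONE: Dict[str, str] = {"webserver.ohprs.org": "203.0.113.10"}
DC_RECORDS: Dict[str, str] = {"dc1": "192.0.2.1"}   # host label; zone appended below


def in_zone(name: str, zone: str) -> bool:
    """True if name is the zone apex or any label beneath it."""
    return name == zone or name.endswith("." + zone)


def resolve_as_member(name: str, ad_zone: str, forwarder: Dict[str, str]) -> Optional[str]:
    """Model a domain member whose only resolver is the Samba DC.

    The DC is authoritative for the AD DNS zone: a name inside that zone is
    answered from AD DNS alone (unknown name -> NXDOMAIN, no fallback), while
    any name outside the zone is passed on to the configured forwarder.
    """
    ad_records = {f"{host}.{ad_zone}": ip for host, ip in DC_RECORDS.items()}
    if in_zone(name, ad_zone):
        return ad_records.get(name)
    return forwarder.get(name)


def name_findings(candidate: str, public_domain: str) -> str:
    """Classify a candidate AD DNS domain against the advice given in the thread."""
    if candidate.endswith(".local"):
        return "avoid: .local is not recommended"
    if candidate == public_domain:
        return "avoid: AD DNS would shadow the public zone for domain members"
    if in_zone(candidate, public_domain):
        return "ok: subdomain of the registered domain"
    return "unrelated to the registered domain"


if __name__ == "__main__":
    for zone in ("hprs.local", "ohprs.org", "ad.ohprs.org"):
        print(zone, "->", name_findings(zone, "ohprs.org"),
              "| webserver.ohprs.org resolves to",
              resolve_as_member("webserver.ohprs.org", zone, PUBLIC_ZONE))
```

With the apex as the AD zone the public web server only resolves for members if its record is duplicated into AD DNS; with ad.ohprs.org the query simply reaches the forwarder.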
