[Samba] AXFR transfer: SRV for DC missing
Jakob Curdes
jc at info-systems.de
Tue Oct 28 21:33:35 UTC 2025
On 28.10.2025 at 10:18, Rowland Penny via samba wrote:
> On Tue, 28 Oct 2025 03:02:34 +0100
> Markus Gschwendt via samba<samba at lists.samba.org> wrote:
>
> We really don't want the Samba server to be our central DNS system.
>
> It doesn't have to be, but as AD lives and dies on DNS, the DC(s) need
> to be 'central' for your AD domain clients. The DC(s) need to be the
> first port of contact for the domain clients, anything unknown e.g.
> www.google.com is forwarded to an external DNS server.
>> Separating services is the main reason. (Security, debugging, ...)
>> Maybe a discussion for another thread.
What we do is to have two separate nameservers apart from the DCs.
These serve everything that is not AD, and they are the servers
configured in AD as forwarders where the non-AD requests go (and vice
versa). In this way we keep our AD DNS restricted to the AD members, but
at the same time get full DNS resolution for all systems without doing
any transfers. You could even run these nameservers on the AD systems on
a separate IP, if you do not want to waste 4 systems doing almost
nothing in a small environment.
I completely agree with Rowland that you absolutely need to configure
the AD servers, and nothing else, as nameservers for all domain members,
or you will be in big trouble soon.
HTH, Jakob