Re: [Samba] Samba AD Best Practice (DNS)
- Date: Thu, 12 Oct 2017 16:47:32 +0100
- From: Rowland Penny via samba <samba@xxxxxxxxxxxxxxx>
- Subject: Re: [Samba] Samba AD Best Practice (DNS)
On Thu, 12 Oct 2017 11:00:35 -0400
Pat Suwalski via samba <samba@xxxxxxxxxxxxxxx> wrote:
> This question is about best practice of introducing sambda-ad-dc to
> an organization that already has networking, and being minimally
> disruptive about it. I guess this question applies equally to adding
> a Windows AD server, but most people with that setup would let it be
> the primary DNS, etc.
> For this example:
> - Network: 172.18.0.0/24
> - Domain: network.ca
> - AD server: ad.network.ca, 172.18.0.20
> - Gateway/DNS: 172.18.0.1
> The gateway is running as the main DNS server, and has the various
> underscore ("_") entries required for Windows to find the Active
> Directory. It sends "172.18.0.1" as the DNS option over its DHCP
> server. The samba AD server has its DNS forwarder set to "172.18.0.1".
> Now, the question:
> To be able to take full advantage of AD, should DHCP provide the
> Windows clients with "172.18.0.20" as the DNS server? I know it
> dynamically adds the computers that are on the Active Directory, and
> possible other things that help make Windows services run smoothly.
> That said, the samba forwarder only seems to forward zones it is not
> familiar with. Since the samba server serves up "network.ca", when
> asked, it does not resolve "gitlab.network.ca" that the main DNS
> server knows how to resolve. This has forced me to just provide
> 172.18.0.1 as the DNS.
> What is the best practice to solve this. Is there actually any
> benefit to having the AD server serve up DNS?
> I'm sure others have been wondering this, and it would probably be a
> decent question to put in the DNS section of the Wiki, as I'm sure
> there are many samba mixed-network environments.
If you already have a domain, I would set up Active Directory as a
subdomain of this, e.g. instead of using 'network.ca', use
'ad.network.ca' and the FQDN 'dc1.ad.network.ca' for the DC.
Point the clients at this for domain DNS and forward anything unknown
to the gateway or other DNS server. There isn't really any point in
using an external server as the DNS server, all the DNS records are in
You can, if you wish, run a DHCP server on the DC.
See here for AD best practice:
To unsubscribe from this list go to the following URL and read the