
Re: [Samba] Samba AD Best Practice (DNS)

On 2017-10-13 06:09 PM, Jon Gerdes via samba wrote:
> There's no such thing as "best practice" - there's good and bad
> practice and I hope that here (Samba ML) you will get some good advice,
> in return for a good question.

Thanks for this very thoughtful reply.

> The environment you describe, to me, implies that it would be best if
> you simply "fit in". You can but it will take a bit of work (not too
> much).  It does not matter where DNS comes from, provided it gives the
> correct answers to client queries.  So, you will have to get your new
> Samba DC's DNS records set up on the dnsmasq system.  I don't think
> that dnsmasq can do dynamic DNS apart from perhaps registering DHCP
> leases as DNS entries.  You will also have to set the gateway as your
> Samba box's DNS in /etc/resolv.conf (or via resolvconf) and not use the
> Samba DNS implementation.

That is correct. dnsmasq registers all of the DNS leases it hands out, so that part is basically in line with what the AD server's DNS does for the Windows clients.

The part about the DNS server is the sticky point. It's currently set to itself (the Samba DNS server). I'm worried that changing that might break something in Samba itself.

> The whole point of this is that it is generally a good (maybe not the
> best in all cases) idea to have all systems on one network have a
> single view of DNS.  Your colleagues seem to have already stipulated
> dnsmasq and I would roll with that - fit in.  It's not my preferred
> solution but will work fine with some care.

Well, whether it be dnsmasq or bind, we need more functionality than the Samba DNS server provides. The goal at this point, as you surmised, is to fit into the existing system.

> Before you get going with Samba, the box must have time in sync with
> the other DCs and be able to DNS resolve all the relevant addresses.
>
> # ntpq -p

We run NTP everywhere, so that's in sync.

> $ dig example.co.uk
>
> Should return DC IPs
>
> You'll need this lot:
>
> https://blogs.msdn.microsoft.com/servergeeks/2014/07/12/dns-records-that-are-required-for-proper-functionality-of-active-directory/

Interesting. I had built up my list by trial and error and it's quite different than what is listed there. I don't have an A record at all, and my SRV records are not the same at all:

_gc._tcp.Default-First-Site-Name._sites.domain.ca
_gc._tcp.domain.ca
_ldap._tcp.Default-First-Site-Name._sites.domain.ca
_ldap._tcp.dc._msdcs.domain.ca
_ldap._tcp.domain.ca
_kerberos._udp.DOMAIN.CA
_kerberos._tcp.DOMAIN.CA
_kpasswd._tcp.DOMAIN.CA
_kpasswd._udp.DOMAIN.CA

Then again, I'm only dealing with a single DC, so my entries are aimed strictly at clients, and this list seems to work. I might need to add these entries if I set my Samba server to use the main DNS server (dnsmasq) as well.

Thanks for all the advice. I guess my big takeaway from this is that I should, in fact, make my Samba server use the main DNS server, so that everything is in line.

--Pat
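The record set discussed in this thread, rendered as static dnsmasq entries, as an added example that is not from the thread or from the Samba project. It takes the SRV names Pat lists plus the extra `_msdcs` entries from the linked Microsoft article; the realm `domain.ca`, DC name `dc1.domain.ca`, the address 192.0.2.10 and the site name are placeholders, and `host-record=` / `srv-host=` are dnsmasq's own directives for static A and SRV records.

```python
"""Generate the dnsmasq entries a Samba AD DC needs when dnsmasq, rather than
the Samba internal DNS, answers client queries, and check a resolver for gaps.
Added example; realm, site, DC name and address below are placeholders."""

# Port per AD service, keyed by the leading label of the SRV name
PORTS = {"_ldap": 389, "_gc": 3268, "_kerberos": 88, "_kpasswd": 464}


def ad_srv_records(realm, site="Default-First-Site-Name"):
    """Return the SRV names (realm lowercased) a domain-joined client looks up."""
    r = realm.lower()
    return [
        # The names quoted in the thread
        f"_gc._tcp.{site}._sites.{r}", f"_gc._tcp.{r}",
        f"_ldap._tcp.{site}._sites.{r}", f"_ldap._tcp.dc._msdcs.{r}",
        f"_ldap._tcp.{r}",
        f"_kerberos._udp.{r}", f"_kerberos._tcp.{r}",
        f"_kpasswd._tcp.{r}", f"_kpasswd._udp.{r}",
        # Extra entries from the Microsoft list (PDC / DC-specific lookups)
        f"_ldap._tcp.pdc._msdcs.{r}", f"_kerberos._tcp.dc._msdcs.{r}",
        f"_ldap._tcp.{site}._sites.dc._msdcs.{r}",
    ]


def dnsmasq_config(realm, dc_fqdn, dc_ip, site="Default-First-Site-Name"):
    """Render host-record= (A) and srv-host= (SRV) lines for a dnsmasq conf file."""
    lines = [f"host-record={dc_fqdn},{dc_ip}"]  # the A record Pat did not have
    for name in ad_srv_records(realm, site):
        port = PORTS[name.split(".")[0]]
        lines.append(f"srv-host={name},{dc_fqdn},{port}")
    return lines


def missing_records(realm, lookup, site="Default-First-Site-Name"):
    """Return the required SRV names that `lookup` cannot answer.
    `lookup(name)` is any callable returning a list of (target, port) tuples,
    or an empty list when the name does not resolve (injected so this runs offline)."""
    return [n for n in ad_srv_records(realm, site) if not lookup(n)]


if __name__ == "__main__":
    # Placeholder values, constructed for the example
    for line in dnsmasq_config("domain.ca", "dc1.domain.ca", "192.0.2.10"):
        print(line)
```

Drop the generated lines into a file under /etc/dnsmasq.d/ and restart dnsmasq; `missing_records` can be fed a real resolver wrapper afterwards to confirm every name answers.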
