Rowland,

> Seeing as BIND_DLZ uses the same info in AD as SAMBA_INTERNAL does,
> then no, using the internal dns server will not make any difference.

Ok.

> Which ever dns server you use, it must be authoritative for the AD
> domain and if required it should be a subdomain of your registered
> domain, see here:
>
> https://wiki.samba.org/index.php/Active_Directory_Naming_FAQ#Subdomain_of_a_Domain_You_Own
>
> From the sound of it, you are trying to do it incorrectly, it
> sounds like you are using the same dns domain name for your AD
> domain as your existing dns domain, this is not likely to work.

I am using subdomains for this, so much that I posted in the other message.

*Domain*: mydomain.edu
*DNS Server*: ns.mydomain.edu
*AD Server*: addc.mydomain.edu

Is it mandatory to put the AD IP as primary dns in pcs? If not, can I configure the IP of the DNS server and create a zone like this below to be forwarded the requests?

*named.conf.local*
...
zone "addc.mydomain.edu" IN {
    type forward;
    forward only;
    forwarders { xxx.xxx.xxx.6; }; # IP of AD
};
...

On Tue, May 16, 2017 at 5:50 PM, Rowland Penny via samba <samba at lists.samba.org> wrote:

> On Tue, 16 May 2017 17:04:26 -0300
> Elias Pereira via samba <samba at lists.samba.org> wrote:
>
> > Not so much forgetting but not understanding ;-)
> >
> > - Internal DNS that responds to our services (site, moodle, etc) -
> >   ns.myinstitution.edu (registered in registro.br)
> > - Samba DNS answering for samba stuff - addc.myinstitution.edu
> >
> > Maybe it's better to use SAMBA_INTERNAL instead of BIND_DLZ?

--
Elias Pereira

On Tue, 16 May 2017 18:28:01 -0300
Elias Pereira via samba <samba at lists.samba.org> wrote:

> I am using subdomains for this, so much that I posted in the other
> message.
>
> *Domain*: mydomain.edu
> *DNS Server*: ns.mydomain.edu
> *AD Server*: addc.mydomain.edu

Sorry, must have missed that.

OK, your dns domain is 'mydomain.edu' and your AD dns domain is 'addc.mydomain.edu', so far so good, but is the AD REALM set to 'ADDC.MYDOMAIN.EDU' ?

> Is it mandatory to put the AD IP as primary dns in pcs?

Yes, your AD DC should be the authoritative dns server for the AD dns domain.

> If not, can I
> configure the IP of the DNS server and create a zone like this below
> to be forwarded the requests?

No, all your AD clients etc should use the DC for their nameserver, anything it doesn't know about (anything outside the ad dns domain) it should ask the forwarder for (I think you are trying to do this the other way around)

> *named.conf.local*
> ...
> zone "addc.mydomain.edu" IN {
>     type forward;
>     forward only;
>     forwarders { xxx.xxx.xxx.6; }; # IP of AD
> };

There is another reason, the zone above should already exist on the AD DC and should only exist on the AD DC.

There are those that say you can do something similar to what you are trying to do, but this is not supported by Samba.

Rowland

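
[Added example, not part of the original thread.] The layout described in the reply above (clients resolve through the DC, the DC forwards names outside the AD DNS domain, and the AD zone exists only on the DC) can be checked over three configuration texts. The 192.0.2.x addresses, the sample configurations and all function names are constructed for illustration.

```python
import re

AD_ZONE = "addc.mydomain.edu"  # AD DNS domain named in the thread
DC_IPS = {"192.0.2.6"}         # constructed address standing in for the DC

def nameservers(resolv_conf):
    """Nameserver entries of a client's resolv.conf, in order."""
    return re.findall(r"^[ \t]*nameserver[ \t]+(\S+)", resolv_conf, re.M)

def forwarders(smb_conf):
    """Whitespace-separated tokens of the DC's 'dns forwarder' value."""
    m = re.search(r"^[ \t]*dns forwarder[ \t]*=(.*)$", smb_conf, re.M)
    return m.group(1).split() if m else []

def zones(named_conf):
    """Zone names declared in a BIND configuration fragment."""
    return [z.lower().rstrip(".") for z in re.findall(r'zone\s+"([^"]+)"', named_conf)]

def check(resolv_conf, smb_conf, site_named_conf):
    """Return findings where the setup departs from the advised layout."""
    findings = [f"client nameserver {ns} is not the DC"
                for ns in nameservers(resolv_conf) if ns not in DC_IPS]
    fwd = forwarders(smb_conf)
    if not fwd:
        findings.append("DC has no dns forwarder for outside names")
    for tok in fwd:
        if tok in DC_IPS:
            findings.append(f"dns forwarder {tok} points back at the DC")
    findings += [f"site DNS server declares AD zone {z}"
                 for z in zones(site_named_conf)
                 if z == AD_ZONE or z.endswith("." + AD_ZONE)]
    return findings

# Constructed sample inputs (192.0.2.10 stands in for the site DNS server).
DC_SMB_CONF = "[global]\n    dns forwarder = 192.0.2.10\n"
ADVISED = ("nameserver 192.0.2.6\n", DC_SMB_CONF,
           'zone "mydomain.edu" IN { type master; file "db.mydomain.edu"; };\n')
REVERSED = ("nameserver 192.0.2.10\n", DC_SMB_CONF,
            'zone "addc.mydomain.edu" IN { type forward; forward only;\n'
            '    forwarders { 192.0.2.6; }; };\n')

if __name__ == "__main__":
    for name, cfg in (("advised", ADVISED), ("reversed", REVERSED)):
        print(name, check(*cfg))
```
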
> Sorry, must have missed that.

No problem! :D

> OK, your dns domain is 'mydomain.edu' and your AD dns domain is
> 'addc.mydomain.edu', so far so good, but is the AD REALM set to
> 'ADDC.MYDOMAIN.EDU' ?

Yes, my AD REALM is ADDC.MYDOMAIN.EDU

> Yes, your AD DC should be the authoritative dns server for the AD dns
> domain.

ok.

> No, all your AD clients etc should use the DC for their nameserver,
> anything it doesn't know about (anything outside the ad dns domain) it
> should ask the forwarder for (I think you are trying to do this the
> other way around)

ok.

Now I migrate to SAMBA_INTERNAL and set on smb.conf,

server services = ... dns
dns forwarder = xxx.xxx.xxx.10 # DNS server
allow dns updates = nonsecure and secure

I can not see where I'm going wrong. Our DNS server is authoritative for our internal services, but on the machine I am testing, do not open any of the services. Any other site I can access. This machine is in the domain with the primary dns the IP of the AD.

--
Elias Pereira