Hi all,

I am preparing a migration from Samba NT-Domain to Samba AD. The migration itself is all fine, but I have a general problem in understanding the network architecture of an Active Directory domain.

Right now (Samba NT style), each client gets its IP address from a DHCP server (isc-dhcp-server). The DHCP server in turn updates the DNS (bind9) via dynamic DNS updates. This way, every client (and, more important in terms of DNS, several servers with dynamic IPs) can be found in the DNS - forward and reverse.

Now with Samba AD, the Samba server has full and exclusive control over the DNS zone. Windows clients and Linux clients which have joined the domain update the DNS zone with an entry (apparently only forward, but not reverse). But what should I do with clients and other servers which are not in the AD domain? Clients are not so important, but the servers have to be reached via DNS :-)

I could deliver a fixed IP address via DHCP to the servers and manually create a DNS entry in the AD. Or I could put them into a different DNS domain, which is not controlled by Samba but by isc-dhcp-server and bind. But then the clients would need two different domain search suffixes (not so nice with Windows).

How do you solve this problem with DHCP and DNS entries for non-AD members?

Regards,
Martin
On Thu, 23 Nov 2017 15:20:45 +0100 Martin Renner via samba <samba at lists.samba.org> wrote:

> Hi all,
>
> I am preparing a migration from Samba NT-Domain to Samba AD. The migration itself is all fine, but I have a general problem in understanding the network architecture of an active directory domain.
>
> Right now (Samba NT style), each client gets its IP address from a DHCP server (isc-dhcp-server). The DHCP server in turn updates the DNS (bind9) via dynamic DNS updates. This way, every client (and more important in terms of DNS: several servers with dynamic IPs) can be found in the DNS - forward and reverse.

This sounds very like my AD domain ;-)

> Now with Samba AD, the Samba server has full and exclusive control over the DNS zone. Windows clients and Linux clients, which have joined the domain, update the DNS zone with an entry (apparently only forward but not reverse). But what should I do with clients and other servers, which are not in the AD domain? Clients are not so important, but the servers have to be reached via DNS :-)

As long as your servers are in the same DNS domain, this should work as before. If you think about it, every DHCP client before it is joined to the domain works this way.

Just because a computer (or printer etc.) gets its IP from a DHCP server running on an AD DC doesn't mean it has to be joined to the domain.

Rowland
Hi Rowland,

my problem is how to get the non-AD members into the DNS, especially if they are servers and have dynamic IPs from a DHCP server. As far as I understand, only AD members will update the DNS inside of the AD. So do I have to deliver fixed IP addresses via DHCP to servers and put a manual entry into the AD DNS?

Regards,
Martin

On 23.11.2017 at 16:28, Rowland Penny via samba wrote:
> On Thu, 23 Nov 2017 15:20:45 +0100
> Martin Renner via samba <samba at lists.samba.org> wrote:
>
>> Hi all,
>>
>> I am preparing a migration from Samba NT-Domain to Samba AD. The migration itself is all fine, but I have a general problem in understanding the network architecture of an active directory domain.
>>
>> Right now (Samba NT style), each client gets its IP address from a DHCP server (isc-dhcp-server). The DHCP server in turn updates the DNS (bind9) via dynamic DNS updates. This way, every client (and more important in terms of DNS: several servers with dynamic IPs) can be found in the DNS - forward and reverse.
> This sounds very like my AD domain ;-)
>
>> Now with Samba AD, the Samba server has full and exclusive control over the DNS zone. Windows clients and Linux clients, which have joined the domain, update the DNS zone with an entry (apparently only forward but not reverse). But what should I do with clients and other servers, which are not in the AD domain? Clients are not so important, but the servers have to be reached via DNS :-)
> As long as your servers are in the same dns domain, this should work as before. If you think about it, every DHCP client before it is joined to the domain works this way.
>
> Just because a computer (or printer etc) gets its IP from a DHCP server running on an AD DC, doesn't mean it has to be joined to the domain.
>
> Rowland
>
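The thread leaves open how a host that is not a domain member gets a forward and reverse record in the AD zone when its address comes from DHCP. The following is an added example, not part of the thread (neither Martin's nor Rowland's words, and not Samba's own tooling): it lets isc-dhcp-server do what it did with plain bind9, but with the one change the AD zone requires. Samba's AD DNS authorizes dynamic updates with Kerberos (GSS-TSIG) rather than with a shared TSIG key, so the hook script authenticates as a dedicated AD user from a keytab and sends the update with `nsupdate -g`. The zone `example.internal`, the DC `dc1.example.internal`, the user `dhcpduser`, the keytab path, the script path and the MIT Kerberos `kinit` options are all assumptions to be replaced with local values.

```shell
#!/bin/sh
# Added example: register DHCP clients that are not AD members in the AD DNS
# zone with Kerberos-signed dynamic updates. Nothing here is from the thread
# or from Samba; zone, DC, user, keytab and paths are assumptions.
#
# dhcpd.conf calls this script from its event hooks (isc-dhcpd syntax):
#
#   on commit {
#     set ClientIP   = binary-to-ascii(10, 8, ".", leased-address);
#     set ClientName = pick-first-value(option host-name, "");
#     execute("/usr/local/sbin/dhcp-dyndns.sh", "add", ClientIP, ClientName);
#   }
#   on release {
#     set ClientIP   = binary-to-ascii(10, 8, ".", leased-address);
#     set ClientName = pick-first-value(option host-name, "");
#     execute("/usr/local/sbin/dhcp-dyndns.sh", "delete", ClientIP, ClientName);
#   }

ZONE="example.internal"                      # assumed AD DNS zone
DC="dc1.example.internal"                    # assumed DC that receives the update
PRINCIPAL="dhcpduser@EXAMPLE.INTERNAL"       # assumed dedicated AD user
KEYTAB="/etc/dhcp/dhcpduser.keytab"          # assumed keytab for that user
TTL=3600

# The host name comes from the DHCP client (option host-name), i.e. from an
# untrusted party. Accept only one DNS label of safe characters so a client
# cannot smuggle extra nsupdate commands or a name in another zone.
valid_name() {
    case "$1" in
        ''|*[!A-Za-z0-9-]*|-*|*-) return 1 ;;
    esac
    [ "${#1}" -le 63 ]
}

# dhcpd hands us a dotted quad; refuse anything else.
valid_ipv4() {
    printf '%s' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$'
}

# Owner name of the PTR record: 192.0.2.100 -> 100.2.0.192
reverse_ip() {
    printf '%s' "$1" | awk -F. '{ printf "%s.%s.%s.%s", $4, $3, $2, $1 }'
}

# Build the nsupdate script for one host: always remove the old A and PTR,
# re-add them for "add". Printed, not executed, so it can be inspected.
build_update() {
    action=$1 ip=$2 name=$3
    valid_name "$name" || return 1
    valid_ipv4 "$ip" || return 1
    rev=$(reverse_ip "$ip")
    printf 'server %s\n' "$DC"
    printf 'update delete %s.%s A\n' "$name" "$ZONE"
    printf 'update delete %s.in-addr.arpa PTR\n' "$rev"
    if [ "$action" = add ]; then
        printf 'update add %s.%s %d A %s\n' "$name" "$ZONE" "$TTL" "$ip"
        printf 'update add %s.in-addr.arpa %d PTR %s.%s.\n' "$rev" "$TTL" "$name" "$ZONE"
    fi
    printf 'send\n'
}

# Entry point used by dhcpd: get a ticket for the dedicated user (MIT kinit
# options assumed) and send the update signed with GSS-TSIG (nsupdate -g).
send_update() {
    export KRB5CCNAME="/run/dhcp-dyndns.krb5cc"
    kinit -k -t "$KEYTAB" "$PRINCIPAL" || return 1
    build_update "$@" | nsupdate -g
}

# Only act when dhcpd passes an action; sourcing the file does nothing.
case "${1:-}" in
    add|delete) send_update "$@" ;;
esac
```

The dedicated user must be granted write access to the forward and reverse zones in AD; how that is done is outside this example. Two points follow from the script itself: the `update delete` before each `update add` means a client that presents the name of an existing host would replace that host's record, so the hook is only suitable for names you are willing to let DHCP clients own (nsupdate `prereq` statements can narrow that further); and the name check is what stands between an attacker-chosen `host-name` option and the update stream, so keep it strict.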