Sorry, I'm getting a bit confused about my new Samba/AD domain, related to the 'short' name resolving.

I was clearly (ab)used to Samba/NT, where WINS makes, on the LAN, ''flat'' resolving very simple.

I'm moving now from my old NT domains to my new AD domain, and to prevent massive change I've decided to keep name resolution and DHCP address assignment out of the AD domain, at least for now.

So, now I've the ''old'' DNS/DHCP on the physical network name (eg, 'sv.lnf.it' for my network, 'pp.lnf.it' for other) and set up a different domain, 'ad.fvg.lnf.it', for AD.

Note that I've not only Windows clients, so DHCP assigns an IP to every device on the LAN, also non-joined-to-domain hosts.

I'm suffering some ''strangeness'' that I'm not able to ''call by name''.

a) Windows hosts get in config as primary DNS suffix the AD domain suffix (ad.fvg.lnf.it) and as search domains the AD domain and the local domain, eg 'pp.lnf.it'.
This seems totally OK to me. I make only a note, because it was the first thing I've verified.
So, AFAI've understood DNS, if I search host 'domcobb', the Windows client will try 'domcobb.ad.fvg.lnf.it' first, and after that 'domcobb.pp.lnf.it'.

b) Windows registers them on the AD DNS backend, it seems to me, only in the join phase, but does not update the IP anymore. So after some time, DNS registration in AD DNS starts to ''diverge'' from the LAN registration.
Is there some way to force AD DNS registration on every boot? I've tried Google with some keywords but with no luck.

c) in the two main networks there are still the old Samba/NT servers with the WINS server, server provided to clients via DHCP.
But I've set up a new network, with only AD servers, and in this there's no WINS.
I was forced to create one, because short name resolution does not work.
Probably I've done something wrong, but anyway it seems that having a WINS server in an AD domain to resolve local hostnames does not hurt. ;-)

Thanks.

--
dott. Marco Gaiarin
GNUPG Key ID: 240A3D66
Associazione ``La Nostra Famiglia''  http://www.lanostrafamiglia.it/
Polo FVG - Via della Bontà, 7 - 33078 - San Vito al Tagliamento (PN)
marco.gaiarin(at)lanostrafamiglia.it  t +39-0434-842711  f +39-0434-842797
Donate your 5 PER MILLE to LA NOSTRA FAMIGLIA!
http://www.lanostrafamiglia.it/index.php/it/sostienici/5x1000
(tax code 00307430132, category ONLUS or RICERCA SANITARIA)
On Wed, 6 Jun 2018 18:29:26 +0200 Marco Gaiarin via samba <samba at lists.samba.org> wrote:

> Sorry, I'm getting a bit confused about my new Samba/AD domain,
> related to the 'short' name resolving.
>
> I was clearly (ab)used to Samba/NT, where WINS makes, on the LAN, ''flat''
> resolving very simple.
>
> I'm moving now from my old NT domains to my new AD domain, and to
> prevent massive change I've decided to keep name resolution and DHCP
> address assignment out of the AD domain, at least for now.

This is probably where you are going wrong. AD lives and dies on DNS, your DC MUST be authoritative for the AD domain.

> So, now I've the ''old'' DNS/DHCP on the physical network name (eg,
> 'sv.lnf.it' for my network, 'pp.lnf.it' for other) and set up a
> different domain, 'ad.fvg.lnf.it', for AD.

Your AD clients should be using the DC as their nameserver and anything outside the AD dns domain should be forwarded to a DNS server outside the AD dns domain. This means that your DHCP server must send the AD dns domain to the AD machines.

> Note that I've not only Windows clients, so DHCP assigns an IP to every
> device on the LAN, also non-joined-to-domain hosts.

This doesn't really matter, just so long as they are in the same dns domain.

> I'm suffering some ''strangeness'' that I'm not able to ''call by
> name''.
>
> a) Windows hosts get in config as primary DNS suffix the AD domain
> suffix (ad.fvg.lnf.it) and as search domains the AD domain and the
> local domain, eg 'pp.lnf.it'.
> This seems totally OK to me. I make only a note, because it was the first
> thing I've verified.
> So, AFAI've understood DNS, if I search host 'domcobb', the Windows client
> will try 'domcobb.ad.fvg.lnf.it' first, and after that
> 'domcobb.pp.lnf.it'.

I think you mean that something like this doesn't work:

    rowland at devstation:~$ ping -c1 dc4
    PING dc4.samdom.example.com (192.168.0.6) 56(84) bytes of data.
    64 bytes from 192.168.0.6: icmp_seq=1 ttl=64 time=0.750 ms

    --- dc4.samdom.example.com ping statistics ---
    1 packets transmitted, 1 received, 0% packet loss, time 0ms
    rtt min/avg/max/mdev = 0.750/0.750/0.750/0.000 ms

> b) Windows registers them on the AD DNS backend, it seems to me, only in the
> join phase, but does not update the IP anymore. So after some time, DNS
> registration in AD DNS starts to ''diverge'' from the LAN registration.
> Is there some way to force AD DNS registration on every boot?
> I've tried Google with some keywords but with no luck.

This sort of points to misconfiguration and the AD DNS really having nothing to do with the lan.

> c) in the two main networks there are still the old Samba/NT servers
> with the WINS server, server provided to clients via DHCP.
> But I've set up a new network, with only AD servers, and in this
> there's no WINS.

Correct, 'WINS' is old school.

> I was forced to create one, because short name resolution does not
> work.

Then you need to fix this.

> Probably I've done something wrong, but anyway it seems that having a WINS
> server in an AD domain to resolve local hostnames does not hurt. ;-)

It doesn't hurt, but, in a correctly set up AD domain, it isn't required ;-)

Rowland
Hello! Rowland Penny via samba, on that day, wrote...

> This is probably where you are going wrong. AD lives and dies on DNS,
> your DC MUST be authoritative for the AD domain.

...but it *is* authoritative! Simply, the DHCP server assigns the ''old'' DNS, where all resolution for the AD (sub)domain is forwarded to AD DNS...

> Your AD clients should be using the DC as their nameserver and anything
> outside the AD dns domain should be forwarded to a DNS server
> outside the AD dns domain. This means that your DHCP server must send
> the AD dns domain to the AD machines.

You mean here, literally: Windows clients try to register/update DNS using ONLY the DNS provided by DHCP? Or, saying the same thing differently, Windows clients blindly suppose that the DNS servers got by DHCP ARE AD DCs?

Oh, my god... seems so stupid to me...

And, after all, why, when the machine account gets created, is the IP address correctly added?

> I think you mean that something like this doesn't work:
> rowland at devstation:~$ ping -c1 dc4

No, I've narrowed it down a bit... DNS works in this way, as expected. Trouble arises in Windows clients accessing server aliases; I'm used to defining some aliases for servers (so I use \\FILEPP\).

I define aliases with:

a) a CNAME in AD DNS, and it works:

    root at vdmtms1:~# host filepp
    filepp.ad.fvg.lnf.it is an alias for vdmpp1.ad.fvg.lnf.it.
    vdmpp1.ad.fvg.lnf.it has address 10.27.1.22

b) 'netbios aliases' in smb.conf:

    netbios aliases = CUPSPP FILEPP HOMEPP

c) SPN aliases:

    samba-tool spn add HOST/filepp.ad.fvg.lnf.it vdmpp1$
    samba-tool spn add HOST/FILEPP vdmpp1$

but still Windows clients cannot access '\\FILEPP' in the network where there's no WINS server.

I've to dig better into this; it could be caused by a ''temporary mistake'' that I've then fixed, but... it seems strange to me.

> > Probably I've done something wrong, but anyway it seems that having a WINS
> > server in an AD domain to resolve local hostnames does not hurt. ;-)
>
> It doesn't hurt, but, in a correctly set up AD domain, it isn't
> required ;-)

Ok, I'll keep a local WINS server for now, and I will try to fix/understand all that stuff...

Thanks.

--
dott. Marco Gaiarin
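The thread touches three resolution behaviours: the suffix-search order of point (a), the AD/LAN record drift of point (b), and the CNAME alias (filepp -> vdmpp1) from the last message. The script below is an added example written for this page; it is not code from the thread, from Samba or from Windows. It models those behaviours offline against two constructed zones: the zone contents, the 'domcobb' and 'printer1' records and their addresses are constructed sample data, and the client resolution order it implements (primary suffix first, then the search list, as point (a) describes) is an assumption, not a statement of how any particular Windows build behaves.

```python
"""Offline model of short-name resolution against a split AD/LAN DNS.

Added example, not code from the thread or from Samba. The two zones are
constructed sample data modelled on the names in the thread; the
addresses, the 'domcobb'/'printer1' records and the client resolution
order are assumptions.
"""

AD_SUFFIX = "ad.fvg.lnf.it"
LAN_SUFFIX = "pp.lnf.it"

# Constructed zones: FQDN (no trailing dot) -> (record type, value).
AD_ZONE = {
    "vdmpp1.ad.fvg.lnf.it": ("A", "10.27.1.22"),
    "filepp.ad.fvg.lnf.it": ("CNAME", "vdmpp1.ad.fvg.lnf.it"),  # alias from the thread
    "domcobb.ad.fvg.lnf.it": ("A", "10.27.1.50"),  # assumed: address registered at join time
}
LAN_ZONE = {
    "domcobb.pp.lnf.it": ("A", "10.27.1.77"),  # assumed: address of the current DHCP lease
    "printer1.pp.lnf.it": ("A", "10.27.1.90"),  # assumed: non-domain host known only to LAN DNS
}


def candidates(name, primary_suffix, search_list):
    """FQDNs a client tries for `name`, in order (modelled behaviour, an assumption).

    A name with a trailing dot is queried as-is; a dotted name is tried
    as-is first; then the primary suffix and every search-list entry are
    appended, with duplicate candidates dropped.
    """
    if name.endswith("."):
        return [name[:-1]]
    ordered = [name] if "." in name else []
    for suffix in [primary_suffix, *search_list]:
        fqdn = f"{name}.{suffix}"
        if fqdn not in ordered:
            ordered.append(fqdn)
    return ordered


def lookup(fqdn, zones, max_hops=8):
    """Resolve `fqdn` across `zones` (first zone holding the name wins), following CNAMEs.

    Returns (ip, chain); ip is None when the name is unknown or the CNAME
    chain loops or exceeds `max_hops`.
    """
    chain = [fqdn]
    for _ in range(max_hops):
        record = next((z[chain[-1]] for z in zones if chain[-1] in z), None)
        if record is None:
            return None, chain
        rtype, value = record
        if rtype == "A":
            return value, chain
        if value in chain:  # CNAME loop: stop instead of spinning
            return None, chain
        chain.append(value)
    return None, chain


def resolve_short(name, primary_suffix, search_list, zones):
    """First candidate that resolves, as (fqdn_tried, ip, cname_chain), or None."""
    for fqdn in candidates(name, primary_suffix, search_list):
        ip, chain = lookup(fqdn, zones)
        if ip is not None:
            return fqdn, ip, chain
    return None


def find_drift(ad_zone, lan_zone, ad_suffix, lan_suffix):
    """Hosts with an A record under both suffixes whose addresses differ.

    This is the divergence point (b) describes: AD DNS keeps the join-time
    address while LAN DNS follows DHCP. Returns {host: (ad_ip, lan_ip)}.
    """
    drift = {}
    for fqdn, (rtype, ad_ip) in ad_zone.items():
        if rtype != "A" or not fqdn.endswith("." + ad_suffix):
            continue
        host = fqdn[: -len(ad_suffix) - 1]
        lan_record = lan_zone.get(f"{host}.{lan_suffix}")
        if lan_record and lan_record[0] == "A" and lan_record[1] != ad_ip:
            drift[host] = (ad_ip, lan_record[1])
    return drift


if __name__ == "__main__":
    zones = [AD_ZONE, LAN_ZONE]
    search = [AD_SUFFIX, LAN_SUFFIX]
    for short in ["filepp", "domcobb", "printer1", "nothere"]:
        print(short, "->", resolve_short(short, AD_SUFFIX, search, zones))
    print("drift:", find_drift(AD_ZONE, LAN_ZONE, AD_SUFFIX, LAN_SUFFIX))
```

Because the AD suffix is searched first, a stale join-time A record in AD DNS shadows the current DHCP address held by LAN DNS, which is exactly the symptom point (b) reports; find_drift lists those hosts so the stale records can be identified before clients are pointed at the DC as their nameserver.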