On Fri, 2016-03-18 at 16:59 -0700, Robert Moulton wrote:
> Andrew Bartlett wrote on 3/18/16 4:22 PM:
> > On Fri, 2016-03-18 at 21:01 +0000, Rowland penny wrote:
> > > On 18/03/16 20:38, Robert Moulton wrote:
> > > >
> > > > It's a production domain. We run our own DNS and tried BIND9_DLZ but
> > > > our DNS setup is complicated enough that we ended up resorting to
> > > > flatfile, manually updating our BIND zone files as needed. We know it
> > > > isn't ideal but we haven't encountered any problems until now.
> > > >
> > > > Couldn't we simply add the missing DNs (along with corresponding DNS
> > > > records, if necessary)?
> > >
> > > Thinking about it, if you do not have the dns zones in AD, you probably
> > > don't need the dns fsmo roles.
> > >
> > > I don't understand why you think storing DNS in AD is complicated, as
> > > long as you don't use your normal dns domain for AD and use something
> > > like 'internal.your.domain.com' for AD, the Samba DNS would deal with
> > > anything for the AD domain and forward anything it doesn't know about
> > > to your normal DNS server. It is however your AD and you can do as you
> > > please.
> > >
> > > Rowland
> >
> > Very well put Rowland. I guess we need a patch to catch those
> > exceptions.
> >
> > Thanks,
> >
> > Andrew Bartlett
> >
>
> Rowland, Andrew - Thanks for your help and advice. I appreciate it.
>
> We're doing split-horizon DNS and couldn't get bind9_dlz fully working
> for our needs. After doing the classicupgrade we added AD DNS records
> from the samba-tool auto-generated (by provision.pl) zone file to our
> own BIND zone files; that has been working fine for us. I just became
> aware of the absence of DomainDnsZones and ForestDnsZones stuff when I
> added a second DC today.
Just be aware that you will be on your own, a snowflake, with regards
to support for this.
I have patches to our samba_dnsupdate script that will use RPC against
our db-backed DNS management server to fix the required records, and I
plan on making our domain join code attempt to add the first DNS
records via that same interface.
Either way, adding a new DC is unlikely to work right unless you
manually or otherwise add the right DNS records, which normally means
having it accept GSS-TSIG updates. Likewise, clients will be wishing to
update their own DNS records, and if you want that to work you will
need to make the correct allowances.
The option remains in the script, and I don't currently plan to remove
it, but consider it in a little bit of a limbo land, between fully
supported and unsupported-due-to-be-removed.
> Can we add missing DomainDnsZones and ForestDnsZones records to AD and
> DNS manually? If so, how?
If DNS is not in AD, then these roles have no meaning, and there should
be no such partitions.
Andrew Bartlett
--
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
Samba Developer, Catalyst IT http://catalyst.net.nz/services/samba
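The point Andrew makes above, that a new DC only works once its DNS records exist and that this normally happens via GSS-TSIG updates, can be made concrete with the following script. It is an added example, not code from the thread or from the Samba project: it builds the nsupdate batch for the core records every Samba DC registers and hands it to `nsupdate -g` (GSS-TSIG), plus a `dig` check for the SRV record a joining DC looks up first. Everything not stated in the thread is an assumption and is marked as such in the comments: the site name, the TTL, that a Kerberos ticket for a principal the zone's `update-policy` trusts is already in the credential cache, and that the flat-file zone carries an `update-policy` at all. The record list covers only what every DC needs; samba_dnsupdate's own dns_update_list (GUID-based, GC and PDC-emulator entries included) is the authoritative set.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread or the Samba project).
# Registers the core DC records in a flat-file BIND zone over GSS-TSIG,
# and checks the record a joining DC looks for. Assumptions (not in the
# thread): site "Default-First-Site-Name", TTL 900, a Kerberos ticket
# already held for a principal the zone's update-policy grants rights to,
# and a sample domain/host used only as constructed input.

# gen_dc_updates DC_SHORTNAME DC_IP DOMAIN [SITE] [TTL]
# Prints an nsupdate batch to stdout; nothing is sent.
gen_dc_updates() {
    dc="$1"; ip="$2"; dom="$3"
    site="${4:-Default-First-Site-Name}"   # assumed default site
    ttl="${5:-900}"                        # assumed TTL
    fqdn="$dc.$dom."

    # Host record for the DC itself and the domain-name A record that
    # points at every DC (both are registered by samba_dnsupdate too).
    printf 'update add %s %s IN A %s\n' "$fqdn" "$ttl" "$ip"
    printf 'update add %s. %s IN A %s\n' "$dom" "$ttl" "$ip"

    # srv NAME PORT -> one SRV line (priority 0, weight 100) for this DC
    srv() {
        printf 'update add %s.%s. %s IN SRV 0 100 %s %s\n' \
            "$1" "$dom" "$ttl" "$2" "$fqdn"
    }

    # LDAP: generic, DC locator (_msdcs), and site-specific forms
    srv _ldap._tcp 389
    srv _ldap._tcp.dc._msdcs 389
    srv "_ldap._tcp.$site._sites" 389
    srv "_ldap._tcp.$site._sites.dc._msdcs" 389
    # Kerberos KDC and kpasswd
    srv _kerberos._tcp 88
    srv _kerberos._udp 88
    srv _kerberos._tcp.dc._msdcs 88
    srv "_kerberos._tcp.$site._sites" 88
    srv "_kerberos._tcp.$site._sites.dc._msdcs" 88
    srv _kpasswd._tcp 464
    srv _kpasswd._udp 464
    # Global catalog (Samba DCs are GCs by default)
    srv _gc._tcp 3268
    srv _ldap._tcp.gc._msdcs 3268
    # _ldap._tcp.pdc._msdcs is deliberately left out: only the PDC
    # emulator may register it.
    printf 'send\n'
}

# send_dc_updates: same arguments; pipes the batch into nsupdate using
# GSS-TSIG (-g). Requires a valid ticket in the credential cache, e.g.
# obtained with kinit from the DC's keytab (deployment assumption).
send_dc_updates() {
    gen_dc_updates "$@" | nsupdate -g
}

# check_dc_records DC_SHORTNAME DOMAIN
# Verifies that the DC-locator SRV record a joining DC queries first
# lists this DC. Returns 0 if present, 1 if missing.
check_dc_records() {
    dc="$1"; dom="$2"
    if dig +short SRV "_ldap._tcp.dc._msdcs.$dom" | grep -q "[[:space:]]$dc\\.$dom\\.\$"; then
        echo "ok: _ldap._tcp.dc._msdcs.$dom lists $dc.$dom"
    else
        echo "missing: _ldap._tcp.dc._msdcs.$dom does not list $dc.$dom" >&2
        return 1
    fi
}

# Typical use on the new DC after the zone's update-policy trusts it:
#   gen_dc_updates dc2 192.0.2.12 samdom.example.com   # inspect first
#   send_dc_updates dc2 192.0.2.12 samdom.example.com  # then send
#   check_dc_records dc2 samdom.example.com
```

For the update to be accepted, the flat-file zone needs an `update-policy` (not `allow-update { any; }`, which lets anyone on the network rewrite DC records) that grants the DC's machine-account principal the right to add these names, and the server needs `tkey-gssapi-keytab` pointing at a keytab holding the DNS service key; those BIND settings are the "correct allowances" Andrew refers to and are outside what this thread spells out.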