On Fri, 2016-03-18 at 16:59 -0700, Robert Moulton wrote:
> Andrew Bartlett wrote on 3/18/16 4:22 PM:
> > On Fri, 2016-03-18 at 21:01 +0000, Rowland penny wrote:
> > > On 18/03/16 20:38, Robert Moulton wrote:
> > > > It's a production domain. We run our own DNS and tried BIND9_DLZ but
> > > > our DNS setup is complicated enough that we ended up resorting to
> > > > flatfile, manually updating our BIND zone files as needed. We know it
> > > > isn't ideal but we haven't encountered any problems until now.
> > > >
> > > > Couldn't we simply add the missing DNs (along with corresponding DNS
> > > > records, if necessary)?
> > >
> > > Thinking about it, if you do not have the dns zones in AD, you probably
> > > don't need the dns fsmo roles.
> > >
> > > I don't understand why you think storing DNS in AD is complicated, as
> > > long as you don't use your normal dns domain for AD and use something
> > > like 'internal.your.domain.com' for AD, the Samba DNS would deal with
> > > anything for the AD domain and forward anything it doesn't know about to
> > > your normal DNS server. It is however your AD and you can do as you
> > > please.
> > >
> > > Rowland
> >
> > Very well put Rowland. I guess we need a patch to catch those
> > exceptions.
> >
> > Thanks,
> >
> > Andrew Bartlett
>
> Rowland, Andrew - Thanks for your help and advice. I appreciate it.
>
> We're doing split-horizon DNS and couldn't get bind9_dlz fully working
> for our needs. After doing the classicupgrade we added AD DNS records
> from the samba-tool auto-generated (by provision.pl) zone file to our
> own BIND zone files; that has been working fine for us. I just became
> aware of the absence of DomainDnsZones and ForestDnsZones stuff when I
> added a second DC today.

Just be aware that you will be on your own, a snowflake, with regards
to support for this.

I have patches to our samba_dnsupdate script that will use RPC against
our db-backed DNS management server to fix the required records, and I
plan on making our domain join code attempt to add the first DNS
records via that same interface.

Either way, adding a new DC is unlikely to work right unless you
manually or otherwise add the right DNS records, which normally means
having it accept GSS-TSIG updates. Likewise clients will be wishing to
update their own DNS records, and if you want that to work you will
need to make the correct allowances.

The option remains in the script, and I don't currently plan to remove
it, but consider it in a little bit of a limbo land, between fully
supported and unsupported-due-to-be-removed.

> Can we add missing DomainDnsZones and ForestDnsZones records to AD and
> DNS manually? If so, how?

If DNS is not in AD, then these roles have no meaning, and there should
be no such partitions.

Andrew Bartlett

-- 
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
Samba Developer, Catalyst IT http://catalyst.net.nz/services/samba
On Fri, Mar 18, 2016 at 5:48 PM, Andrew Bartlett <abartlet at samba.org> wrote:
> On Fri, 2016-03-18 at 16:59 -0700, Robert Moulton wrote:
>> [...]
>> I just became aware of the absence of DomainDnsZones and ForestDnsZones
>> stuff when I added a second DC today.
>
> Just be aware that you will be on your own, a snowflake, with regards
> to support for this.
>
> I have patches to our samba_dnsupdate script that will use RPC against
> our db-backed DNS management server to fix the required records, and I
> plan on making our domain join code attempt to add the first DNS
> records via that same interface.
>
> Either way, adding a new DC is unlikely to work right unless you
> manually or otherwise add the right DNS records, which normally means
> having it accept GSS-TSIG updates. Likewise clients will be wishing to
> update their own DNS records, and if you want that to work you will
> need to make the correct allowances.
>
> The option remains in the script, and I don't currently plan to remove
> it, but consider it in a little bit of a limbo land, between fully
> supported and unsupported-due-to-be-removed.
>
>> Can we add missing DomainDnsZones and ForestDnsZones records to AD and
>> DNS manually? If so, how?
>
> If DNS is not in AD, then these roles have no meaning, and there should
> be no such partitions.

We didn't encounter any problems adding the new DC, albeit with
'--dns-backend=NONE' specified, and replication is working fine,
evidently. Are you saying that we might be able to use samba_dnsupdate
to patch things up somehow? At the moment we don't need dynamic updates
for clients, but it would be nice to get that capability in place.
Ultimately, we'd be perfectly happy to switch to bind9_dlz, if we can
figure out how to address some issues we encountered when we tested it
in our environment.
On Fri, 2016-03-18 at 18:46 -0700, r moulton wrote:
> We didn't encounter any problems adding the new DC, albeit with
> '--dns-backend=NONE' specified, and replication is working fine,
> evidently. Are you saying that we might be able to use samba_dnsupdate
> to patch things up somehow?

No, not unless your DNS server accepts GSS-TSIG updates, or you arrange
the 'nsupdate command' not to require them (eg provide a key file and
the right options).

Just be aware that while we originally intended flexibility in this
area, any you continue to find remain there entirely by accident. (We
already have too many choices on DNS, we need less not more).

Andrew Bartlett
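Andrew's hint about "a key file and the right options" refers to the 'nsupdate command' setting in smb.conf. The script below is an added example, not code from the thread or from Samba: it generates a TSIG secret and emits the matching BIND fragment (the AD zone accepts updates only when signed with that key, instead of an address-based allow-update) and the smb.conf line that makes samba_dnsupdate sign with the key file rather than with GSS-TSIG. The key name, zone name, file paths and the exact nsupdate flags are assumptions; check smb.conf(5) and nsupdate(1) for the installed versions.

```shell
#!/bin/sh
# Added example (not from the thread or from Samba): a TSIG key shared by
# BIND and samba_dnsupdate, so DC record updates are signed with the key
# instead of a Kerberos ticket (GSS-TSIG, nsupdate -g). Key name, zone,
# paths and nsupdate flags are assumptions; see smb.conf(5) and nsupdate(1).
set -eu

# 32 random bytes, base64-encoded, as the hmac-sha256 secret.
gen_tsig_secret() {
    head -c 32 /dev/urandom | base64 | tr -d '\n'
}

# key { } statement: used verbatim in named.conf and as the nsupdate -k file.
render_key_statement() {
    printf 'key "%s" {\n    algorithm hmac-sha256;\n    secret "%s";\n};\n' "$1" "$2"
}

# named.conf fragment: the AD zone accepts dynamic updates only when they
# are signed with the key, never from an unauthenticated address.
render_named_conf() {
    key_name=$1; secret=$2; zone=$3; zone_file=$4
    render_key_statement "$key_name" "$secret"
    cat <<EOF

zone "$zone" {
    type master;
    file "$zone_file";
    allow-update { key "$key_name"; };
};
EOF
}

# smb.conf [global] line replacing the default 'nsupdate -g' (per smb.conf(5)),
# so samba_dnsupdate signs its updates with the key file.
render_smb_conf() {
    printf '[global]\n\tnsupdate command = /usr/bin/nsupdate -k %s\n' "$1"
}

# Demo run (sh this_script.sh --demo): emit all three fragments.
if [ "${1:-}" = "--demo" ]; then
    secret=$(gen_tsig_secret)
    echo "# named.conf"; render_named_conf samba-dnsupdate "$secret" \
        internal.example.com /var/lib/bind/internal.example.com.zone
    echo "# /etc/samba/dns-update.key"; render_key_statement samba-dnsupdate "$secret"
    echo "# smb.conf"; render_smb_conf /etc/samba/dns-update.key
fi
```

The key file must be readable only by the account samba_dnsupdate runs as, because anyone holding the secret can rewrite the zone; this covers the DC's own records only, and member clients wanting to update their records still need their own allowance on the BIND side, as the thread notes.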