Would prefer to continue to use my NSD/Unbound installs for most DNS (if not all) services. NSD is the authoritative server for the domain, and Unbound is the cache/resolver that the clients connect to. I'd like to not disturb this setup, but I'll need the SRV records so that AD works. If the SRV records are fixed I suppose I could host them using NSD; then Samba wouldn't have to be authoritative for any records - just forward to the Unbound cache. I don't need hosts registering themselves in DNS; the only hosts that need to be in DNS are those doing server duties, and they already have A records (the DHCP server relies on them for lease reservations).

On Wed, Apr 6, 2016 at 4:23 PM, Rowland penny <rpenny at samba.org> wrote:
> On 06/04/16 21:15, Sonic wrote:
>>
>> Can the Samba internal DNS be set as authoritative only (not a resolver)?
>>
>> Can the Samba DNS server be set as authoritative only for the SRV
>> zones (_tcp, _udp, _msdcs, _sites) and not the parent zone?
>>
>> Thanks,
>>
>> Chris
>>
>
> Can you explain what you are trying to do
>
> Rowland
>
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/options/samba
On 06/04/16 21:58, Sonic wrote:
> Would prefer to continue to use my NSD/Unbound installs for most DNS
> (if not all) services. NSD is the authoritative server for the domain,
> and Unbound is the cache/resolver that the clients connect to. I'd
> like to not disturb this setup but I'll need the SRV records so that
> AD works. If the SRV records are fixed I suppose I could host them
> using NSD, then Samba wouldn't have to be authoritative for any
> records - just forward to the Unbound cache. I don't need hosts
> registering themselves in DNS, the only hosts that need to be in DNS
> are those doing server duties and already have A records (the DHCP
> server relies on them for lease reservations).
>
>

Your DC needs to be authoritative for your AD domain; this is *not* a Samba thing, it is an AD thing. What you can do is what is recommended: make your AD domain a subdomain of your domain, i.e. if your domain name is 'domain.tld', use 'internal.domain.tld' for your AD domain.

Your AD DC will then be authoritative for the AD domain and will then forward anything it doesn't know to your unbound machine.

Rowland
On Wed, 6 Apr 2016, Rowland penny wrote:
> Your DC needs to be authoritative for your AD domain, this is *not* a Samba
> thing, it is an AD thing. What you can do, is to do what is recommended, make
> your AD domain a subdomain of your domain i.e. if your domain name is
> 'domain.tld', use 'internal.domain.tld' for your AD domain.
>
> Your AD DC will then be authoritative for the AD domain and will then forward
> anything it doesn't know to your unbound machine.

Or vice versa. Point unbound at the AD DNS server for lookups to internal.domain.tld, and let it continue to handle other lookups as it already does. There's no need to repoint clients to AD DNS servers if you don't want dynamic DNS registration.
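The two replies above describe the same split: the parent zone stays on NSD, the DC is authoritative for the AD subdomain, and Unbound sends queries for that subdomain to the DC. What that looks like in configuration, as an added example that is not from the thread or from the Samba or NLnet Labs projects (the names domain.tld / internal.domain.tld come from Rowland's reply; the DC hostnames and the 192.0.2.x addresses are constructed placeholders):

```conf
# --- NSD: zone file for domain.tld, delegating the AD subdomain to the DCs ---
$ORIGIN domain.tld.
internal        IN  NS   dc1.internal.domain.tld.
internal        IN  NS   dc2.internal.domain.tld.
; Glue is required: the name servers live inside the zone they are delegated.
dc1.internal    IN  A    192.0.2.10
dc2.internal    IN  A    192.0.2.11

# --- Unbound: unbound.conf fragment on the resolver the clients point at ---
server:
    # AD answers carry RFC 1918 addresses. If private-address is set (most
    # distro configs do), Unbound's rebinding protection would discard them
    # unless the AD zone is listed here.
    private-domain: "internal.domain.tld"
    # Only relevant when Unbound validates DNSSEC: the zone served by the DC
    # is unsigned, so tell the validator not to mark its answers bogus.
    domain-insecure: "internal.domain.tld"

# Hand every query under internal.domain.tld straight to the DCs instead of
# walking the delegation; everything else is resolved as before.
stub-zone:
    name: "internal.domain.tld"
    stub-addr: 192.0.2.10
    stub-addr: 192.0.2.11
```

With the stub-zone in place the SRV records AD depends on (_ldap._tcp, _kerberos._tcp, the _msdcs and _sites names Chris listed) are answered from the DC's own data, so they stay correct as DCs are added or removed, while client resolv.conf settings remain unchanged. Listing every DC as a stub-addr avoids a single point of failure for domain logons when one DC is down.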
On Wed, Apr 6, 2016 at 5:13 PM, Rowland penny <rpenny at samba.org> wrote:
> Your DC needs to be authoritative for your AD domain, this is *not* a Samba
> thing, it is an AD thing.

What about: http://www.serverlab.ca/tutorials/linux/network-services/using-linux-bind-dns-servers-for-active-directory-domains/ ?
On 2016.04.06, at 4:13 PM, Rowland penny <rpenny at samba.org> wrote:
>
> On 06/04/16 21:58, Sonic wrote:
>> Would prefer to continue to use my NSD/Unbound installs for most DNS
>> (if not all) services. NSD is the authoritative server for the domain,
>> and Unbound is the cache/resolver that the clients connect to. I'd
>> like to not disturb this setup but I'll need the SRV records so that
>> AD works. If the SRV records are fixed I suppose I could host them
>> using NSD, then Samba wouldn't have to be authoritative for any
>> records - just forward to the Unbound cache. I don't need hosts
>> registering themselves in DNS, the only hosts that need to be in DNS
>> are those doing server duties and already have A records (the DHCP
>> server relies on them for lease reservations).
>>
>>
>>
>
> Your DC needs to be authoritative for your AD domain, this is *not* a Samba thing, it is an AD thing. What you can do, is to do what is recommended, make your AD domain a subdomain of your domain i.e. if your domain name is 'domain.tld', use 'internal.domain.tld' for your AD domain.
>
> Your AD DC will then be authoritative for the AD domain and will then forward anything it doesn't know to your unbound machine.
>
> Rowland

I’m feeling like this stuff is always assumed to be common knowledge. Everyone starts talking about samdom.example.com before first stating, "Here’s why you want to use a 'samdom' or whatever name you like, for a subdomain on your network." Even here: https://wiki.samba.org/index.php/DNS it’s at the very bottom. Why not have it at the very top?

A really high-level question here…

Say I have awesomecompany.loc as my domain, with existing BIND 9 servers handling all of our DNS. Here I have many servers and clients that would be connecting to my AD, which have addresses like...

"server.awesomecompany.loc"
"0245imac.awesomecompany.loc"

Then I decide to put in a trio of AD DCs running Samba in a new domain of "samdom.awesomecompany.loc." I make it a subdomain of my BIND 9-managed "awesomecompany.loc" and let the Samba DCs be authoritative over "samdom.awesomecompany.loc."

My question is, would I have to give new DNS A records to all the machines that would be binding to that domain in samdom.awesomecompany.loc? Like…

"server.samdom.awesomecompany.loc"
"0245imac.samdom.awesomecompany.loc"

(Assume I’m not doing dynamic DNS, by the way.) Or is there really no good reason to do that, as the previously-used addresses should work fine?

If I can use the previously-used addresses, what sorts of records do I want to put in samdom.awesomecompany.loc? Just the AD DCs and all the particular records that AD populates it with?

Thanks in advance!

Matthew

©2016 KNOCK, inc. All rights reserved. KNOCK is a registered trademark of KNOCK, inc. This message and any attachments contain information, which is confidential and/or privileged. If you are not the intended recipient, please refrain from any disclosure, copying, distribution or use of this information. Please be aware that such actions are prohibited. If you have received this transmission in error, kindly notify the sender by e-mail. Your cooperation is appreciated.
What I would do is set up an unbound server as slave DNS of the samba DNS zone. (Best is to use bind_dlz on the samba servers.)
I don't know unbound, but it would surprise me if it's not possible to set up a slave.
I do similar but then with Bind DNS.

Greetz,

Louis

> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Matthew Delfino
> Sent: Tuesday 12 April 2016 17:49
> To: Rowland penny
> CC: samba at lists.samba.org
> Subject: Re: [Samba] samba dns
>
> On 2016.04.06, at 4:13 PM, Rowland penny <rpenny at samba.org> wrote:
> >
> > On 06/04/16 21:58, Sonic wrote:
> >> Would prefer to continue to use my NSD/Unbound installs for most DNS
> >> (if not all) services. NSD is the authoritative server for the domain,
> >> and Unbound is the cache/resolver that the clients connect to. I'd
> >> like to not disturb this setup but I'll need the SRV records so that
> >> AD works. If the SRV records are fixed I suppose I could host them
> >> using NSD, then Samba wouldn't have to be authoritative for any
> >> records - just forward to the Unbound cache. I don't need hosts
> >> registering themselves in DNS, the only hosts that need to be in DNS
> >> are those doing server duties and already have A records (the DHCP
> >> server relies on them for lease reservations).
> >>
> >>
> >>
> >
> > Your DC needs to be authoritative for your AD domain, this is *not* a
> Samba thing, it is an AD thing. What you can do, is to do what is
> recommended, make your AD domain a subdomain of your domain i.e. if your
> domain name is 'domain.tld', use 'internal.domain.tld' for your AD domain.
> >
> > Your AD DC will then be authoritative for the AD domain and will then
> forward anything it doesn't know to your unbound machine.
> >
> > Rowland
>
> I’m feeling like this stuff is always assumed to be common knowledge.
> Everyone starts talking about samdom.example.com before first stating, "Here’s why you want to
> use a 'samdom' or whatever name you like, for a subdomain on your
> network." Even here: https://wiki.samba.org/index.php/DNS it’s at the very bottom. Why not
> have it at the very top?
>
> A really high-level question here…
>
> Say I have awesomecompany.loc as my domain, with existing BIND 9 servers
> handling all of our DNS. Here I have many servers and clients that would
> be connecting to my AD, which have addresses like...
>
> "server.awesomecompany.loc"
> "0245imac.awesomecompany.loc"
>
> Then I decide to put in a trio of AD DCs running Samba in a new domain of
> "samdom.awesomecompany.loc." I make it a subdomain of my BIND 9-managed
> "awesomecompany.loc" and let the Samba DCs be authoritative over
> "samdom.awesomecompany.loc."
>
> My question is, would I have to give new DNS A records to all the machines
> that would be binding to that domain in samdom.awesomecompany.loc? Like…
>
> "server.samdom.awesomecompany.loc"
> "0245imac.samdom.awesomecompany.loc"
>
> (Assume I’m not doing dynamic DNS, by the way.) Or is there really no good
> reason to do that, as the previously-used addresses should work fine?
>
> If I can use the previously-used addresses, what sorts of records do I
> want to put in samdom.awesomecompany.loc? Just the AD DCs and all the
> particular records that AD populates it with?
>
> Thanks in advance!
>
> Matthew
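Louis's suggestion, a resolver that holds a secondary copy of the AD zone pulled from the DC, is a third layout next to the stub/forward one. The configuration below is an added example, not from the thread or from the Samba or NLnet Labs projects; it assumes the BIND9_DLZ backend on the DC (Samba's internal DNS server does not do zone transfers, which is why Louis recommends bind_dlz) and an Unbound recent enough to have the auth-zone feature (1.7 and later). The zone name follows Rowland's example and the 192.0.2.x addresses are constructed placeholders.

```conf
# --- Samba DC running BIND9_DLZ: named.conf options fragment ---
# Restrict AXFR to the resolver host; a zone transfer hands out every host,
# DC and service record in the domain, so it should never be open to all.
options {
    allow-transfer { 192.0.2.53; };   # constructed address of the unbound host
};

# --- Unbound: secondary copy of the AD zone, used for upstream resolution ---
auth-zone:
    name: "internal.domain.tld"
    primary: 192.0.2.10                 # the DC; older Unbound spells this "master:"
    allow-notify: 192.0.2.10
    zonefile: "/var/lib/unbound/internal.domain.tld.zone"   # where the copy is kept
    for-upstream: yes                   # answer recursion from the local copy
    for-downstream: no                  # do not serve it as an authoritative answer to clients
    fallback-enabled: yes               # if no transfer has succeeded, resolve normally

server:
    private-domain: "internal.domain.tld"
    domain-insecure: "internal.domain.tld"
```

The trade-off against a stub-zone is freshness: Unbound refreshes its copy on the SOA refresh interval (or on NOTIFY when the primary sends one), so a record changed on the DC is visible to clients only after the next transfer, whereas a stub-zone asks the DC on every cache miss. In return the resolver keeps answering for the AD zone while the DC is unreachable. Dynamic updates from domain members are unaffected either way, because members send them to the DC, not to the resolver.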