On Wed, 6 Apr 2016, Rowland penny wrote:

> Your DC needs to be authoritative for your AD domain, this is *not* a Samba
> thing, it is an AD thing. What you can do, is to do what is recommended, make
> your AD domain a subdomain of your domain i.e. if your domain name is
> 'domain.tld', use 'internal.domain.tld' for your AD domain.
>
> Your AD DC will then be authoritative for the AD domain and will then forward
> anything it doesn't know to your unbound machine.

Or vice versa. Point unbound at the AD DNS server for lookups to internal.domain.tld, and let it continue to handle other lookups as it already does. There's no need to repoint clients to AD DNS servers if you don't want dynamic DNS registration.
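The "vice versa" setup described above, written out as an unbound.conf fragment. This is an added example, not configuration posted by anyone in the thread or shipped by Samba or Unbound; the zone name internal.domain.tld follows the thread, and the AD DC address 192.168.1.10 and the 192.168.1.0/24 subnet are assumed placeholders.

```conf
# Added example: unbound keeps resolving the internet as before, but hands
# everything under the AD zone to the AD DC, which is authoritative for it.
server:
    # The AD zone is not DNSSEC-signed; without this, unbound's validator
    # would reject the DC's answers as bogus.
    domain-insecure: "internal.domain.tld"

    # AD answers contain RFC 1918 addresses. If private-address is set
    # (rebinding protection), private-domain is needed so those answers
    # are not stripped for this zone.
    private-address: 192.168.1.0/24        # assumed LAN range
    private-domain: "internal.domain.tld"

    # unbound answers the RFC 1918 reverse zones locally by default;
    # disable that so the PTR queries below also reach the DC.
    local-zone: "1.168.192.in-addr.arpa." nodefault

# Forward the AD zone (including _msdcs.internal.domain.tld, which lives
# beneath it) to the DC. forward-zone sends recursive queries, which the DC
# answers for any zone it hosts.
forward-zone:
    name: "internal.domain.tld."
    forward-addr: 192.168.1.10             # assumed AD DC address

# Reverse zone, if the AD DC hosts it as well.
forward-zone:
    name: "1.168.192.in-addr.arpa."
    forward-addr: 192.168.1.10
```

To check it from a client that points only at unbound, query the SRV record a domain member uses to locate a DC, e.g. `dig @<unbound-ip> _ldap._tcp.dc._msdcs.internal.domain.tld SRV`, and compare the answer with the same query sent to the DC directly. Note that dynamic updates are not relayed by unbound: a client finds the zone's primary server from the SOA record and sends its GSS-TSIG update to the DC itself, so clients still need direct access to the DC on port 53 for registration to work.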
On Wed, Apr 6, 2016 at 5:29 PM, Sketch <smblist at rednsx.org> wrote:

> There's no need to repoint clients to AD DNS servers if you don't want
> dynamic DNS registration.

Dynamic DNS registration works with the clients pointing to the Unbound cache (at an account with a Windows AD server). The clients must be determining what system to register with via DNS records even though they don't point to the Windows AD server for DNS resolution. Which is why I think this entry in the Wiki is not wholly correct:

"Whichever DNS server you use, you must configure the AD DC so that it uses 127.0.0.1 or its own IP address as DNS server, and all clients must be configured to use the IP address of the AD DC as DNS. This server will usually only be able to answer queries regarding servers and clients that are members of the domain. If you want your server and clients to be able to also see the rest of the world, you must configure the DNS server to forward all queries that it cannot answer itself, to another DNS server which can resolve the rest of the world."

The part I believe to be incorrect is: "...all clients must be configured to use the IP address of the AD DC as DNS" as, at least in my experience with a Windows installation, this is not a requirement - even for dynamic registration. As long as the clients can resolve the AD's records they do work just fine.
On Thu, 7 Apr 2016, Sonic wrote:

> On Wed, Apr 6, 2016 at 5:29 PM, Sketch <smblist at rednsx.org> wrote:
>> There's no need to repoint clients to AD DNS servers if you don't want
>> dynamic DNS registration.
>
> Dynamic DNS registration works with the clients pointing to the
> Unbound cache (at an account with a Windows AD server). The clients
> must be determining what system to register with via DNS records even
> though they don't point to the Windows AD server for DNS resolution.

I'm surprised that works, I always just assumed it dyndns'd to its DNS server. Maybe Windows is looking up what server to register with in DNS (under _msdcs), or via LDAP?
On Thu, Apr 7, 2016 at 10:16 AM, Sonic <sonicsmith at gmail.com> wrote:

> Dynamic DNS registration works with the clients pointing to the
> Unbound cache (at an account with a Windows AD server). The clients
> must be determining what system to register with via DNS records even
> though they don't point to the Windows AD server for DNS resolution.

Works just as well with a Samba AD. Just tested - client points to Unbound but still registers itself in the AD.