Hello,

My domain was provisioned using a Windows 2008R2 server as the first DC, and I then subsequently joined a Samba 4.4.2 DC running on Ubuntu 14.04.4 and using BIND 9.9.5 as the DNS backend. Everything seems to be working properly after I added an NC replica for the zones as per the troubleshooting page. All zones resolve and replicate properly, but I noticed that there are no NS records corresponding to the Samba DC added to the AD-Integrated DNS zones. I have manually added records for the DC to all existing zones, but I also noticed that when creating a new AD integrated zone using the Windows DNS manager, there are only NS records for the domain controller that I am connected to in the zone by default.

Is this behavior expected? And is there any way to make sure that NS records are added for all DCs? I could be remembering incorrectly, but I recall that when our network was using an all Windows AD environment, the AD zones had NS records for all DCs included by default.

Thanks,
Isaiah
lingpanda101 at gmail.com
2016-Apr-26 13:02 UTC
[Samba] NS Records for AD-Integrated Zones
On 4/25/2016 9:50 PM, Isaiah Olson wrote:
> Hello,
>
> My domain was provisioned using a Windows 2008R2 server as the first DC,
> and I then subsequently joined a Samba 4.4.2 DC running on Ubuntu 14.04.4
> and using BIND 9.9.5 as the DNS backend. Everything seems to be working
> properly after I added an NC replica for the zones as per the
> troubleshooting page. All zones resolve and replicate properly, but I
> noticed that there are no NS records corresponding to the Samba DC added to
> the AD-Integrated DNS zones. I have manually added records for the DC to
> all existing zones, but I also noticed that when creating a new AD
> integrated zone using the Windows DNS manager, there are only NS records
> for the domain controller that I am connected to in the zone by default.
>
> Is this behavior expected? And is there any way to make sure that NS
> records are added for all DCs? I could be remembering incorrectly, but I
> recall that when our network was using an all Windows AD environment, the
> AD zones had NS records for all DCs included by default.
>
> Thanks,
> Isaiah

In a Samba-only environment it's expected. I do believe at some point the devs will update Samba to add NS records for all DCs.

--
-James
On Tue, 2016-04-26 at 09:02 -0400, lingpanda101 at gmail.com wrote:
> On 4/25/2016 9:50 PM, Isaiah Olson wrote:
> > Hello,
> >
> > My domain was provisioned using a Windows 2008R2 server as the first DC,
> > and I then subsequently joined a Samba 4.4.2 DC running on Ubuntu 14.04.4
> > and using BIND 9.9.5 as the DNS backend. Everything seems to be working
> > properly after I added an NC replica for the zones as per the
> > troubleshooting page. All zones resolve and replicate properly, but I
> > noticed that there are no NS records corresponding to the Samba DC added to
> > the AD-Integrated DNS zones. I have manually added records for the DC to
> > all existing zones, but I also noticed that when creating a new AD
> > integrated zone using the Windows DNS manager, there are only NS records
> > for the domain controller that I am connected to in the zone by default.
> >
> > Is this behavior expected? And is there any way to make sure that NS
> > records are added for all DCs? I could be remembering incorrectly, but I
> > recall that when our network was using an all Windows AD environment, the
> > AD zones had NS records for all DCs included by default.
> >
> > Thanks,
> > Isaiah
>
> In a Samba-only environment it's expected. I do believe at some point
> the devs will update Samba to add NS records for all DCs.

I have patches for this, but I didn't finish them (mostly trying to add tests, which turns out to be harder than it should be).

Andrew Bartlett

--
Andrew Bartlett                       http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba
Hi,

As far as I understand the DNS protocol, NS records are not necessarily needed. NS records are used by name servers (i.e. by DNS servers) and not by clients (i.e. by a Linux or Windows box joined to AD). A client uses its own resolver (what is defined in /etc/resolv.conf for a Linux box) and sends all queries to that resolver. Queries are for A, AAAA, SRV, CNAME... because all of them are standard queries. Asking for NS should happen only when a resolver doesn't know how to reach a zone.

Clients don't bother with zones. They deal with records. Only a resolver would bother with a zone's NS records, in case that resolver doesn't know how to resolve some record in that zone.

In AD we usually configure the AD DNS as resolver. As those resolvers know both AD zones, they don't need NS records for these zones.

Even if you prefer to use your company DNS servers, you can configure these company name servers to know where to send DNS requests which concern the AD zones (for example: two zones with type = forward on the company name server):

    # needed
    zone "ad.domain.tld" {
        type forward;
        forward only;
        forwarders { <IP for DC1>; <IP for DC2>; };
    };

    # optional because that's a sub-zone, it's part of the previous one.
    zone "_msdcs.ad.domain.tld" {
        type forward;
        forward only;
        forwarders { <IP for DC1>; <IP for DC2>; };
    };

Having NS records auto-declared would be nice but, to me, that's not critical.

2016-04-26 3:50 GMT+02:00 Isaiah Olson <insignia96 at gmail.com>:
> Hello,
>
> My domain was provisioned using a Windows 2008R2 server as the first DC,
> and I then subsequently joined a Samba 4.4.2 DC running on Ubuntu 14.04.4
> and using BIND 9.9.5 as the DNS backend. Everything seems to be working
> properly after I added an NC replica for the zones as per the
> troubleshooting page. All zones resolve and replicate properly, but I
> noticed that there are no NS records corresponding to the Samba DC added to
> the AD-Integrated DNS zones. I have manually added records for the DC to
> all existing zones, but I also noticed that when creating a new AD
> integrated zone using the Windows DNS manager, there are only NS records
> for the domain controller that I am connected to in the zone by default.
>
> Is this behavior expected? And is there any way to make sure that NS
> records are added for all DCs? I could be remembering incorrectly, but I
> recall that when our network was using an all Windows AD environment, the
> AD zones had NS records for all DCs included by default.
>
> Thanks,
> Isaiah
> --
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/options/samba
>
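The thread leaves the admin adding NS records by hand and with no way to notice when the NS set drifts from the real set of DCs. The following audit script is an added example, not code from the thread or from the Samba project: it compares the DCs that advertise the LDAP service in `_ldap._tcp.dc._msdcs.<zone>` (SRV records) with the zone's NS records, reports DCs that lack an NS record and NS records that point at hosts no longer advertising as DCs, and prints the `samba-tool dns add`/`delete` commands that would reconcile them. The record text is constructed sample input in zone-file format (what `dig` prints in its answer section), the domain `ad.example.test` and the host names are made up, and the `<DC hostname or IP>` server argument is a placeholder.

```python
"""Audit an AD-integrated zone's NS record set against the DCs that serve it."""

from typing import Dict, List, Set, Tuple

# Constructed sample input (not real data from the poster's domain):
# zone-file style answer lines for
#   dig _ldap._tcp.dc._msdcs.ad.example.test SRV
#   dig ad.example.test NS
SAMPLE_SRV = """\
_ldap._tcp.dc._msdcs.ad.example.test. 600 IN SRV 0 100 389 windc01.ad.example.test.
_ldap._tcp.dc._msdcs.ad.example.test. 600 IN SRV 0 100 389 sambadc01.ad.example.test.
"""
SAMPLE_NS = """\
ad.example.test. 3600 IN NS windc01.ad.example.test.
ad.example.test. 3600 IN NS olddc.ad.example.test.   ; decommissioned DC left behind
"""


def normalize(name: str) -> str:
    """DNS names are case-insensitive; drop the trailing dot for comparison."""
    return name.rstrip(".").lower()


def parse_rrs(text: str, rrtype: str) -> List[Tuple[str, List[str]]]:
    """Return (owner, rdata fields) for each record of the requested type.

    Accepts 'owner ttl class type rdata...' lines; ';' starts a comment and
    lines of other types are ignored, so whole dig output can be passed in.
    """
    records = []
    for line in text.splitlines():
        line = line.split(";", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 5 or fields[3].upper() != rrtype.upper():
            continue
        records.append((normalize(fields[0]), fields[4:]))
    return records


def dc_hosts_from_srv(srv_text: str, zone: str) -> Set[str]:
    """Hosts advertising the DC LDAP service for the zone (SRV target is field 4)."""
    owner = normalize(f"_ldap._tcp.dc._msdcs.{zone}")
    return {normalize(rdata[3]) for o, rdata in parse_rrs(srv_text, "SRV") if o == owner}


def ns_hosts(ns_text: str, zone: str) -> Set[str]:
    """Name servers listed at the zone apex."""
    return {normalize(rdata[0]) for o, rdata in parse_rrs(ns_text, "NS") if o == normalize(zone)}


def audit_ns(zone: str, srv_text: str, ns_text: str) -> Dict[str, List[str]]:
    """DCs with no NS record, and NS records whose target is not an advertised DC."""
    dcs = dc_hosts_from_srv(srv_text, zone)
    ns = ns_hosts(ns_text, zone)
    return {"missing": sorted(dcs - ns), "stale": sorted(ns - dcs)}


def samba_tool_fix_commands(zone: str, audit: Dict[str, List[str]],
                            server: str = "<DC hostname or IP>") -> List[str]:
    """samba-tool dns add/delete lines that would reconcile the NS set.

    '@' names the zone apex; 'server' is the DC you administer from (placeholder).
    Review the 'stale' list before deleting: a non-DC secondary (e.g. a BIND
    slave) may legitimately be an NS for the zone without advertising a DC SRV.
    """
    cmds = [f"samba-tool dns add {server} {zone} @ NS {h}." for h in audit["missing"]]
    cmds += [f"samba-tool dns delete {server} {zone} @ NS {h}." for h in audit["stale"]]
    return cmds


if __name__ == "__main__":
    result = audit_ns("ad.example.test", SAMPLE_SRV, SAMPLE_NS)
    print("DCs without NS record:", result["missing"])
    print("NS records not backed by a DC:", result["stale"])
    for cmd in samba_tool_fix_commands("ad.example.test", result):
        print(cmd)
```

Run it periodically (or after joining or demoting a DC) with the real `dig` output fed in; a stale NS entry pointing at a host that no longer exists is worth catching early because resolvers outside the AD forwarding setup will still try it.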