bentunx
2016-Aug-08 06:20 UTC
[Samba] BIND as DNS Slave of SAMBA 4 Internal DNS and Windows 2008
hi guys

I need some advice for a case I'm facing here..

I have two ADs with two different domains, platforms and networks. I expect all users in each domain to be able to resolve the other domain's DNS.

Let's say:

1. domainwin.com >> Windows 2008 AD >> 172.16.1.2
2. domainnux.com >> Samba 4 AD >> 172.16.2.2

Is it possible if I create one new BIND DNS server on 172.16.3.2 (a different network) that works as slave DNS of domainwin.com/172.16.1.2 and domainnux.com/172.16.2.2, and then make the new BIND DNS server (172.16.3.2) the DNS forwarder in AD domainwin.com and AD domainnux.com?

TIA

Zhia Chandra
bentunx
2016-Aug-08 06:39 UTC
[Samba] BIND as DNS Slave of SAMBA 4 Internal DNS and Windows 2008
hi all

After browsing around I found this:

> Managing zone transfers is not implemented yet.
> Bug report #9951: DNS MMC: Enabling DNS zone transfers in MMC fails <https://bugzilla.samba.org/show_bug.cgi?id=9951>

Is this bug already resolved in Samba 4.1 or earlier? BTW, I'm using Samba 4.4.4 in the domainnux.com AD.
Stefan Kania
2016-Aug-08 09:49 UTC
[Samba] BIND as DNS Slave of SAMBA 4 Internal DNS and Windows 2008
You should set up a DNS proxy and use this proxy as the forwarder in your domains.

--
Stefan Kania
Nico Kadel-Garcia
2016-Aug-09 11:40 UTC
[Samba] BIND as DNS Slave of SAMBA 4 Internal DNS and Windows 2008
On Mon, Aug 8, 2016 at 5:49 AM, Stefan Kania <stefan at kania-online.de> wrote:
> you should set up a dns-proxy and use this proxy as forwarder in your
> domains

Really, really not the same thing as a DNS slave. If your DNS master, such as your Samba or AD server, goes toes up for whatever reason, the DNS slave can continue to serve the same domains until the DNS zones expire. Most admins I've encountered set that SOA record to be roughly a day, or 86400 seconds, to allow time for recovery or maintenance.

A DNS forwarder is basically a proxy on port 57, possibly with some local tweaks to the DNS. And if I run into "one more so-called DNS forwarder" that is used to write internal IP addresses instead of external IP addresses for the same hostname when seen from inside a network, instead of doing DNS views properly, I'm going to be very cross indeed.

DNS slaves have big advantages for security: they can host only the DNS, without any LDAP or Kerberos access, and be installed much more safely in a de-militarized zone to serve specific needs without any need for anything but port 53 access to the relevant Samba server. They also provide the opportunity to take copies of the slaved zones, run them through "mkrdns" to publish and verify reverse DNS records, run them through "named-compilezone" for a completely consistent format, and store them in source control to be able to track changes.

In this case, you could set up the slaves with NS records for the relevant domains, just for clarity of provenance, and point the local hosts to the *slaves* instead of directly to the AD or Samba servers. This avoids the integration complexities of AD or Samba "forests" and making the servers talk to each other in any way but as DNS services.

And if your Samba environment is under active development, or your AD server is getting regular updates that require reboots, you're reliant on a much less expensive and much more easily maintained 24x7 service on slave DNS servers.

Been there, done that, published my notes on getting this kind of setup into source control under Subversion at SVNDay in Berlin some years back. The title was "Subverting Masters and Slaves, Putting Them in Cages, and Making Them Report Names and Addresses". The title reflected that the setup was also in chroot cages and using BIND and Subversion. The approach is still useful, even with git and Samba based DNS servers.
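As an added example (not from this thread, Samba or ISC), this is what the secondary-zone side of the OP's 172.16.3.2 BIND host could look like for the two domains. It assumes BIND 9 and that each AD DNS server has been configured to permit transfers to 172.16.3.2; the domain names and addresses are the thread's own constructed ones.

```conf
// /etc/named.conf fragment for the slave-only host 172.16.3.2 (added example, BIND 9 syntax).
// Both AD DNS servers must be told to allow transfers to this host. For
// Samba's internal DNS the thread cites bug #9951 (zone-transfer management
// not implemented), so confirm the transfer actually succeeds before relying
// on it. The SOA expire value Nico mentions (86400) is set on the master; it
// bounds how long this slave keeps answering after the master goes away.

acl ad_masters { 172.16.1.2; 172.16.2.2; };
acl clients    { 172.16.0.0/16; };

options {
    directory "/var/named";
    recursion yes;
    allow-query     { clients; };
    allow-recursion { clients; };
    // This host serves copies of the AD zones; never re-export them.
    allow-transfer  { none; };
    // Accept NOTIFY only from the masters so spoofed refreshes are ignored.
    allow-notify    { ad_masters; };
};

// Windows 2008 AD DNS is master for domainwin.com
zone "domainwin.com" {
    type slave;
    masters { 172.16.1.2; };
    file "slaves/domainwin.com.db";
    masterfile-format text;   // plain text so the copy can go through named-compilezone and git
};

// Samba 4 AD is master for domainnux.com
zone "domainnux.com" {
    type slave;
    masters { 172.16.2.2; };
    file "slaves/domainnux.com.db";
    masterfile-format text;
};

// Second half of the OP's design, configured on the AD side, not here:
//   Samba (smb.conf on 172.16.2.2):   dns forwarder = 172.16.3.2
//   Windows 2008 (on 172.16.1.2):     dnscmd /ResetForwarders 172.16.3.2
// Only UDP/TCP 53 needs to be open between this host and the two masters.
```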