Hey everyone.
I've had an AD domain running on a samba server for years now.
I recently decided to add a second samba DC. (both 4.4.5)

I ran through all the DNS checks mentioned here...
https://wiki.samba.org/index.php/Check_and_fix_DNS_entries_on_DC_joins
All the entries were there!

However, I noticed that the domain only has one NS record present.
"host mydomain.com" returns both DCs
"host -t NS mydomain.com" only returns the original DC.

Is this a bug?
And if so, can I simply add another NS record, or is this evidence of a much deeper problem?
Hi,

I never had a look at MS AD regarding that, to check if an NS record is created for each DC running the DNS service or not.

Anyway, Samba AD does not create them and that's not an issue as long as you don't plan to make your AD DNS zones public (available on the Internet).

As far as I understood DNS, during DNS resolution, NS is used only when the client's resolver does not know how to resolve some request. In that case the resolver will ask for NS to know to which other DNS server it has to forward the request, in order to forward the received reply to the client. The client does not care about NS; you can set up any DNS server (AD or not) as resolver. These DNS servers do not need to be declared as NS because clients send their request to the resolver without asking for NS.

If the AD zones are meant to be public (most cases, I expect) there is no need to have each AD DNS server declared as NS.

If you need or prefer to have clients using your company's official DNS servers rather than the AD DNS server, you can set up a forward zone on your company's official DNS servers so that they forward any AD related request to your AD DNS servers (those declared as forwarders in the forward zone).

Cheers,
mathias

2016-08-18 2:35 GMT+02:00 Zane Zakraisek via samba <samba at lists.samba.org>:
> Hey everyone.
> I've had an AD domain running on a samba server for years now.
> I recently decided to add a second samba DC. (both 4.4.5)
>
> I ran through all the DNS checks mentioned here...
> https://wiki.samba.org/index.php/Check_and_fix_DNS_entries_on_DC_joins
> All the entries were there!
>
> However, I noticed that the domain only has one NS record present.
> "host mydomain.com" returns both DCs
> "host -t NS mydomain.com" only returns the original DC.
>
> Is this a bug?
> And if so, can I simply add another NS record, or is this evidence of a
> much deeper problem?
On Thu, 18 Aug 2016 16:59:51 +0200 mathias dufresne via samba <samba at lists.samba.org> wrote:
> Hi,
>
> I never had a look at MS AD regarding that, to check if an NS record is
> created for each DC running the DNS service or not.

I couldn't find anything that explicitly says that each DC should have its own SOA in AD. What I could find was that each AD-integrated zone on a DC is expected to have a SOA record containing the DC's IP address. This indicates that the DC hosts a writable copy of the zone. The SOA should also contain an NS record for the DC. Whilst I do not know how Windows does this, the only way I have found to do all this is to add the DC's A & NS records to the SOA record; the only problem is, it only seems (for me) to work with Bind9 as the DNS server.

> Anyway, Samba AD does not create them and that's not an issue as long
> as you don't plan to make your AD DNS zones public (available on the
> Internet).

It is a problem and needs fixing, but only if you use the internal DNS server with more than one DC. My advice: if you have more than one DC, use Bind9.

> As far as I understood DNS, during DNS resolution, NS is used only
> when the client's resolver does not know how to resolve some request. In
> that case the resolver will ask for NS to know to which other DNS
> server it has to forward the request, in order to forward the received
> reply to the client. The client does not care about NS; you can set up
> any DNS server (AD or not) as resolver. These DNS servers do not need
> to be declared as NS because clients send their request to the
> resolver without asking for NS.

That is all well and good, but what if you are running multiple DCs with the internal DNS server and the only NS record they know about goes offline?

> If the AD zones are meant to be public (most cases, I expect) there
> is no need to have each AD DNS server declared as NS.
>
> If you need or prefer to have clients using your company's official DNS
> servers rather than the AD DNS server, you can set up a forward zone on your
> company's official DNS servers so that they forward any AD related
> request to your AD DNS servers (those declared as forwarders in the
> forward zone).

The easiest way, if you have more than one DC, is to use Bind9 on each DC and set them to forward anything not known to another nameserver outside the domain.

Rowland
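The mismatch Zane describes (the second DC is reachable and advertised, but only the original DC appears as NS) can be checked mechanically rather than by eye. The script below is an added example, not code from the thread or from the Samba project: it takes the DCs advertised in the zone's `_ldap._tcp.dc._msdcs` SRV records, compares them with the zone's NS records, and prints each DC that has no NS entry together with the `samba-tool dns add` command that would add one. The zone name `mydomain.com`, the DC names `dc1`/`dc2` and the sample `host` output are constructed placeholders in the format `host` prints; the `samba-tool dns add <server> <zone> @ NS <target>` form is assumed from the upstream documentation and should be checked against your version before use.

```shell
#!/bin/sh
# Added example (not from the thread): report DCs that are advertised in the
# AD SRV records but missing from the zone's NS records.
# Assumptions: zone "mydomain.com" and DCs dc1/dc2 are constructed names; the
# two strings below are constructed in the format `host` prints, not captured
# output from a real server.

SRV_OUT='_ldap._tcp.dc._msdcs.mydomain.com has SRV record 0 100 389 dc1.mydomain.com.
_ldap._tcp.dc._msdcs.mydomain.com has SRV record 0 100 389 dc2.mydomain.com.'
NS_OUT='mydomain.com name server dc1.mydomain.com.'

# dc_names: DC hostnames from `host -t SRV` output (last field, trailing dot dropped).
dc_names() {
    printf '%s\n' "$1" | awk '/has SRV record/ { sub(/\.$/, "", $NF); print $NF }' | sort -u
}

# ns_names: nameserver hostnames from `host -t NS` output.
ns_names() {
    printf '%s\n' "$1" | awk '/name server/ { sub(/\.$/, "", $NF); print $NF }' | sort -u
}

# missing_ns SRV_OUTPUT NS_OUTPUT: print every DC that is not listed as an NS.
missing_ns() {
    _ns=$(ns_names "$2")
    for _dc in $(dc_names "$1"); do
        printf '%s\n' "$_ns" | grep -qxF "$_dc" || printf '%s\n' "$_dc"
    done
}

# suggest_fix SERVER ZONE DC_FQDN: the samba-tool command that would add the
# missing NS record at the zone apex (assumption: samba-tool dns add syntax as
# documented upstream; SERVER is any existing DC that hosts the zone).
suggest_fix() {
    printf 'samba-tool dns add %s %s @ NS %s -U administrator\n' "$1" "$2" "$3"
}

# check_zone ZONE: the same comparison against live DNS (needs network access;
# not called here so the script runs offline).
check_zone() {
    missing_ns "$(host -t SRV "_ldap._tcp.dc._msdcs.$1")" "$(host -t NS "$1")"
}

# Demonstration on the constructed sample: dc2 has no NS record.
for dc in $(missing_ns "$SRV_OUT" "$NS_OUT"); do
    echo "DC without NS record: $dc"
    suggest_fix dc1.mydomain.com mydomain.com "$dc"
done
```

On a live domain, `check_zone mydomain.com` runs the comparison against the real `host` output; an empty result means every advertised DC is also an NS for the zone. Rowland's point still applies: a client that only ever learned the original DC as NS will keep trying it while it is offline, so the check is worth repeating after every DC join.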