On Thu, 18 Aug 2016 16:59:51 +0200 mathias dufresne via samba <samba at lists.samba.org> wrote:

> Hi,
>
> I never had a look on MS AD regarding that, to check if an NS record is
> created for each DC running the DNS service or not.

I couldn't find anything that explicitly says that each DC should have its own SOA in AD. What I could find was that each AD-integrated zone on a DC is expected to have a SOA record containing the DC's IP address. This indicates that the DC hosts a writable copy of the zone. The SOA should also contain an NS record for the DC. Whilst I do not know how Windows does this, the only way I have found to do all this is to add the DC's A & NS records to the SOA record; the only problem is, it only seems (for me) to work with Bind9 as the DNS server.

> Anyway Samba AD does not create them and that's not an issue as long
> as you don't plan to make your AD DNS zones public (available on the
> Internet).

It is a problem and needs fixing, but only if you use the internal DNS server with more than one DC. My advice: if you have more than one DC, use Bind9.

> As far as I understood DNS, during DNS resolution, NS is used only
> when the client's resolver does not know how to resolve some request. In
> that case the resolver will ask for NS to know to which other DNS
> server it has to forward the request in order to forward the received
> reply to the client. The client does not care about NS, you can set up
> any DNS server (AD or not) as resolver. These DNS servers do not need
> to be declared as NS because clients send their request to the
> resolver without asking for NS.

That is all well and good, but what if you are running multiple DCs with the internal DNS server and the only NS record they know about goes offline?

> If the AD zones are meant to be public (most of cases I expect) there
> is no need to have each AD DNS server declared as NS.
>
> If you need or prefer to have clients using your company's official DNS
> servers rather than the AD DNS server, you can set up a forward zone on your
> company's official DNS servers so they forward any AD related
> request to your AD DNS servers (those declared as forwarders in the
> forward zone).
>

The easiest way if you have more than one DC is to use Bind9 on each DC and set them to forward anything not known to another nameserver outside the domain.

Rowland
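A check for the failure mode Rowland describes (every DC but one missing from the zone's NS set, so one host going offline takes NS-based resolution with it), as an added example that is not from this thread or from Samba itself. It compares the DCs advertised in the `_ldap._tcp.dc._msdcs.<domain>` SRV records with the zone's NS records; the `dig` command, the hypothetical `samdom.example.com` names and the sample `dig +short` output are assumptions/constructed, and the parsing functions run without any network.

```python
"""Report DCs advertised for an AD domain that are not NS records for the zone.

Added example (not Samba's code). Assumes `dig` (bind-utils / dnsutils) is
installed when run against a live DC; parsing works on constructed input.
"""
import subprocess
import sys

# Constructed sample `dig +short` output: two DCs advertised via SRV,
# but only dc1 is listed as an NS for the zone.
SAMPLE_SRV = ("0 100 389 dc1.samdom.example.com.\n"
              "0 100 389 dc2.samdom.example.com.\n")
SAMPLE_NS = "dc1.samdom.example.com.\n"


def parse_srv_short(text):
    """Parse `dig +short SRV` lines ("prio weight port target.") into targets."""
    hosts = set()
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 4:
            hosts.add(parts[3].rstrip(".").lower())
    return hosts


def parse_ns_short(text):
    """Parse `dig +short NS` lines ("ns.example.com.") into host names."""
    return {l.strip().rstrip(".").lower() for l in text.splitlines() if l.strip()}


def dcs_without_ns(srv_text, ns_text):
    """Return the sorted list of DC host names absent from the zone's NS set."""
    return sorted(parse_srv_short(srv_text) - parse_ns_short(ns_text))


def dig_short(name, rtype, server):
    # Queries the given DC directly so its own view of the zone is checked.
    return subprocess.run(["dig", "+short", "@" + server, name, rtype],
                          capture_output=True, text=True, check=True).stdout


def main(domain, server):
    srv = dig_short("_ldap._tcp.dc._msdcs." + domain, "SRV", server)
    ns = dig_short(domain, "NS", server)
    missing = dcs_without_ns(srv, ns)
    for host in missing:
        print("DC without NS record:", host)
    return missing


if __name__ == "__main__":
    # usage: python check_ns.py samdom.example.com 192.0.2.10
    sys.exit(1 if main(sys.argv[1], sys.argv[2]) else 0)
```

Run it against each DC in turn; a DC whose NS set lacks its peers is the one whose clients will hang when the single listed NS host goes down.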
On 19/08/16 04:17, Rowland Penny via samba wrote:
> I couldn't find anything that explicitly says that each DC should have
> its own SOA in AD. What I could find was that each AD-integrated zone on
> a DC is expected to have a SOA record containing the DC's IP address.
> This indicates that the DC hosts a writable copy of the zone. The SOA
> should also contain an NS record for the DC. Whilst I do not know how
> Windows does this, the only way I have found to do all this is to
> add the DC's A & NS records to the SOA record; the only problem is, it
> only seems (for me) to work with Bind9 as the DNS server.
>

I think Windows just clobbers the SOA on the way out. I don't think I've seen any documentation describe the behaviour in detail either.

As for the missing record, Samba 4.5 should fix the immediate problem of the actual missing NS record, but currently only using BIND9 DLZ actually ensures it is used as a useful nameserver.

Cheers,

Garming
Yes, I shut down the original DC and noticed most of the AD reliant services were hanging, and I think the culprit was DNS on the new DC. Would you guys recommend waiting for 4.5, or switching to the BIND backend? The only reason that I chose the internal DNS server in the first place was that I thought Kai said the BIND side wasn't getting as much love these days.

On Thu, Aug 18, 2016 at 6:38 PM, Garming Sam <garming at catalyst.net.nz> wrote:
> On 19/08/16 04:17, Rowland Penny via samba wrote:
> > I couldn't find anything that explicitly says that each DC should have
> > its own SOA in AD. What I could find was that each AD-integrated zone on
> > a DC is expected to have a SOA record containing the DC's IP address.
> > This indicates that the DC hosts a writable copy of the zone. The SOA
> > should also contain an NS record for the DC. Whilst I do not know how
> > Windows does this, the only way I have found to do all this is to
> > add the DC's A & NS records to the SOA record; the only problem is, it
> > only seems (for me) to work with Bind9 as the DNS server.
> >
>
> I think Windows just clobbers the SOA on the way out. I don't think I've
> seen any documentation describe the behaviour in detail either.
>
> As for the missing record, Samba 4.5 should fix the immediate problem of
> the actual missing NS record, but currently only using BIND9 DLZ
> actually ensures it is used as a useful nameserver.
>
>
> Cheers,
>
> Garming
>