Anyway, NS records are used when DNS servers speak to DNS servers, not by clients. So AD would work just fine without them.

NS records are used when a client asks for something the configured resolver can't resolve by itself and when the resolver is not configured to forward the request to the relevant DNS server.

IE: a client searches for toto.org and its resolver does not know anything about that zone.
The resolver will ask the ORG root servers, and one of them sends it the NS for toto.org.

It should be possible to have such behaviour on a LAN, but I don't expect someone able to deploy such a configuration would ask about so known a non-issue.

2016-10-18 12:30 GMT+02:00 Rowland Penny via samba <samba at lists.samba.org>:

> On Tue, 18 Oct 2016 10:39:46 +0100
> Chris Hastie via samba <samba at lists.samba.org> wrote:
>
> > I have just joined a second DC to my Samba based AD, with Bind9_DLZ
> > providing the DNS on DC2 (samba internal on DC1). I notice that the
> > AD zone has not acquired an NS entry pointing to DC2. I presume that
> > ideally such an entry should exist?
> >
> > I have tried to add something, but I cannot work out how to use
> > samba-tool to add an RR for the root of a zone. If I miss the name
> > argument out, or if I use an '@', it complains and reminds me of the
> > correct usage.
> >
> > # samba-tool dns add dc1 ad.mydomain.com @ NS dc2.ad.mydomain.com -UAdministrator
> > Usage: samba-tool dns add <server> <zone> <name> <A|AAAA|PTR|CNAME|NS|MX|SRV|TXT> <data>
> >
> > If an NS record should exist, how best should I add it?
> >
> > Chris
> >
>
> Yes it should exist and it should be added for you when Samba is
> started (on later versions) by samba_dnsupdate.
>
> Perhaps you should check this:
>
> https://wiki.samba.org/index.php/Verifying_and_Creating_a_DC_DNS_Record
>
> The samba-tool format is this:
>
> samba-tool dns add dc1 ad.mydomain.com dc2 A <ip of dc2> -Uadministrator
>
> samba-tool dns add dc1 ad.mydomain.com @ NS dc2.ad.mydomain.com -UAdministrator
>
> samba-tool dns add dc1 _msdcs.ad.mydomain.com @ NS dc2.ad.mydomain.com -UAdministrator
>
> Rowland
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/options/samba
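A small check that turns Rowland's advice above into something repeatable: given the NS records at the apex of the AD zone and of its _msdcs subzone, report which DCs are missing and print the matching `samba-tool dns add ... @ NS ...` commands. This is an added example, not Samba's code or anything from the wiki page; the record lines are constructed in dig-style presentation format (owner, TTL, class, type, rdata), which is what you would get from e.g. `dig @dc1 ad.mydomain.com NS +noall +answer`, and the DC names, zone and addresses are placeholders from the thread.

```python
"""Report DCs that lack an NS record at the AD zone apex and in _msdcs,
and render the samba-tool commands (same argument order as Rowland's
examples) that would add them.

Added example, not Samba's code. Input is dig-style presentation format;
the sample below is constructed to mirror the thread: DC2 has been
joined but only DC1 is listed as NS at the apex.
"""
from collections import defaultdict

# Constructed sample output (what `dig ... +noall +answer` would print).
SAMPLE_DIG_OUTPUT = """\
ad.mydomain.com.        900  IN NS  dc1.ad.mydomain.com.
ad.mydomain.com.        3600 IN SOA dc1.ad.mydomain.com. hostmaster.ad.mydomain.com. 110 900 600 86400 3600
_msdcs.ad.mydomain.com. 900  IN NS  dc1.ad.mydomain.com.
_msdcs.ad.mydomain.com. 900  IN NS  dc2.ad.mydomain.com.
dc1.ad.mydomain.com.    900  IN A   192.0.2.11
dc2.ad.mydomain.com.    900  IN A   192.0.2.12
"""


def parse_records(text):
    """Return {(owner, rtype): [rdata, ...]}; owner and rdata are lowercased
    with the trailing dot removed. Blank lines and ';' comments are skipped,
    as are lines that do not have the owner/ttl/class/type/rdata shape."""
    records = defaultdict(list)
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        fields = line.split()
        if len(fields) < 5 or fields[2].upper() != "IN":
            continue
        owner = fields[0].lower().rstrip(".")
        rtype = fields[3].upper()
        rdata = " ".join(fields[4:]).lower().rstrip(".")
        records[(owner, rtype)].append(rdata)
    return records


def missing_ns(records, zone, dcs):
    """For the zone apex and its _msdcs subzone, list the DCs (by FQDN)
    that have no NS record there. Returns {zone_name: [dc, ...]}."""
    result = {}
    for z in (zone.lower(), "_msdcs." + zone.lower()):
        present = set(records.get((z, "NS"), []))
        wanted = [dc.lower().rstrip(".") for dc in dcs]
        result[z] = sorted(dc for dc in wanted if dc not in present)
    return result


def remediation_commands(missing, admin_server="dc1", user="Administrator"):
    """One `samba-tool dns add <server> <zone> @ NS <dc> -U<user>` per gap,
    in the form Rowland quotes above. admin_server/user are assumptions."""
    return [
        f"samba-tool dns add {admin_server} {z} @ NS {dc} -U{user}"
        for z, dcs in missing.items()
        for dc in dcs
    ]


if __name__ == "__main__":
    recs = parse_records(SAMPLE_DIG_OUTPUT)
    gaps = missing_ns(recs, "ad.mydomain.com",
                      ["dc1.ad.mydomain.com", "dc2.ad.mydomain.com"])
    for zone_name, dcs in gaps.items():
        print(f"{zone_name}: missing NS for {dcs or 'nothing'}")
    for cmd in remediation_commands(gaps):
        print(cmd)
```

Because the parser keys on `(owner, type)`, the same input can be checked for the A record of each DC too (Rowland's first command); and running it before and after `samba_dnsupdate` on a new DC is an easy way to confirm the records really were created.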
On Tue, 18 Oct 2016 14:59:31 +0200
mathias dufresne via samba <samba at lists.samba.org> wrote:

> Anyway NS records are used when DNS server speak to DNS server, not by
> clients. So AD would work just fine without them.
>
> NS are used when a client ask something the configured resolver can't
> resolve by himself and when the resolver is not configured to forward
> request to relevant DNS server.
>
> IE: client search for toto.org and its resolver does not know anything
> about that zone.
> Resolver will ask ORG root servers for one of them send it NS for
> toto.org.
>
> It should be possible to have such behaviour on a LAN but I don't
> expect someone able to deploy such a configuration would ask about so
> known non-issue.

Yes, but what happens when a domain member searches for something in its own domain? The domain member will ask its nameserver (which should be an AD DC), this nameserver will ask its nameserver (which should be itself or another DC), the DC will then ask its DNS server, which will search its SOA for the name server (which should be itself), it will then search for the required info and return this.

If you are running an AD domain you require any DC running a DNS server to have a SOA record; this is one of the problems with the internal DNS server, it ignores any extra SOA records.

Samba recommends that you run a DNS server on every DC and from my experience, this means running Bind9 on multiple DCs.

What must be understood is, a Microsoft AD DNS server is different from a normal DNS server.

Rowland
2016-10-18 15:25 GMT+02:00 Rowland Penny via samba <samba at lists.samba.org>:

> On Tue, 18 Oct 2016 14:59:31 +0200
> mathias dufresne via samba <samba at lists.samba.org> wrote:
>
> > Anyway NS records are used when DNS server speak to DNS server, not by
> > clients. So AD would work just fine without them.
> >
> > NS are used when a client ask something the configured resolver can't
> > resolve by himself and when the resolver is not configured to forward
> > request to relevant DNS server.
> >
> > IE: client search for toto.org and its resolver does not know anything
> > about that zone.
> > Resolver will ask ORG root servers for one of them send it NS for
> > toto.org.
> >
> > It should be possible to have such behaviour on a LAN but I don't
> > expect someone able to deploy such a configuration would ask about so
> > known non-issue.
>
> Yes, but what happens when a domain member searches for something in
> its own domain ?

I assume it is the AD domain you refer to as "its own domain", right?

> The domain member will ask its nameserver (which should be an AD DC),

The client sends the request to its resolver, which can be an AD DC but not necessarily (we don't use an AD DC as resolver, we use the company's DNS, which transfers the request to an AD DC when needed).

> this nameserver will ask its nameserver (which should be itself or
> another DC),

The DC receiving the request receives it directly on port 53; Bind or the internal DNS resolves the request and sends it back. That's all, no NS nor SOA request in that.

A Linux box uses its resolver (what is configured in /etc/resolv.conf) to get answers to its own requests only. That is fortunate, as it avoids loops.

Let's see what would happen if a Linux DNS server used its resolver to resolve _external_ requests:
- client sends request to its resolver (called DC1)
- DC1 receives the request, looks into resolv.conf, sends the request to DC2
- DC2 receives the request, looks into resolv.conf, sends the request to DC1
- DC1 receives the request, looks into resolv.conf, sends the request to DC2
....

But still, no SOA nor NS request in that.

> the DC will then ask its DNS server, which will search its
> SOA for the name server (which should be itself), it will then search
> for the required info and return this.
>
> If you are running an AD domain you require any DC running a DNS server
> to have a SOA record, this is one of the problems with the internal DNS
> server, it ignores any extra SOA records.

Agreed, the internal DNS should behave as Bind, and any DC acting as DNS server and being able to modify the zones (this is not the case of an RODC) should reply as any Bind+DLZ does: "I am SOA". This because SOA means "a server able to write into the zone" (by opposition, NS means "a trusty server which can be interrogated").

With only one DNS server able to act as SOA there is no fallback when the SOA is down. In that case no update of AD zones can be done, because update requests are all sent to the SOA, because the SOA is where to write. That's the issue with the internal DNS.

> Samba recommends that you run a DNS server on every DC and from my
> experience, this means running Bind9 on multiple DCs.

Agreed, with more than... one DC, Bind seems the right choice to avoid DNS updates failing when the DC declared in LDAP as SOA is down. This because the internal DNS is missing this little change so that it can reply as Bind does, "I am SOA", when it can modify the zone.

> What must be understood is, a Microsoft AD DNS server is different
> from a normal DNS server.

Who speaks about them? Who seems to lack some understanding?

I mean, in all I wrote there is NO request for NS because in these cases all rely on configured resolvers.

Cheers,
M.

> Rowland
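To make the three resolution paths argued over in this exchange concrete, here is a small in-memory model, added here and not code from Samba, Bind or anyone in the thread. It shows a DC answering a query for its own AD zone straight from zone data (no resolv.conf, no NS or SOA lookups), a resolver that holds no data following an NS referral from the parent zone (mathias's toto.org case, the one path on which NS records are consulted), and the DC1/DC2 ping-pong that would occur if a server resolved external queries through its own resolver. All hostnames, zone contents and addresses are constructed; `a.org-servers.example` stands in for the ORG TLD servers.

```python
"""Toy model of authoritative answers, NS referrals and the forwarding
loop described in the thread. Added example; server names, zone data and
addresses are constructed and nothing here talks to a real network."""


def _in_zone(name, zone):
    return name == zone or name.endswith("." + zone)


# Authoritative data per server: server -> {zone -> {owner -> {rtype -> [rdata]}}}
ZONE_DATA = {
    "dc1.ad.mydomain.com": {"ad.mydomain.com": {
        "ad.mydomain.com": {"SOA": ["dc1.ad.mydomain.com"],
                            "NS": ["dc1.ad.mydomain.com", "dc2.ad.mydomain.com"]},
        "dc1.ad.mydomain.com": {"A": ["192.0.2.11"]},
        "dc2.ad.mydomain.com": {"A": ["192.0.2.12"]},
        "fileserver.ad.mydomain.com": {"A": ["192.0.2.20"]},
    }},
    # Stand-in for the ORG TLD servers: a delegation plus glue for toto.org.
    "a.org-servers.example": {"org": {
        "toto.org": {"NS": ["ns1.toto.org"]},
        "ns1.toto.org": {"A": ["198.51.100.53"]},
    }},
    "ns1.toto.org": {"toto.org": {
        "toto.org": {"SOA": ["ns1.toto.org"], "NS": ["ns1.toto.org"]},
        "www.toto.org": {"A": ["198.51.100.80"]},
    }},
}
ZONE_DATA["dc2.ad.mydomain.com"] = ZONE_DATA["dc1.ad.mydomain.com"]  # replicated zone

# Each server's /etc/resolv.conf target; only the broken model below uses it.
RESOLV_CONF = {"dc1.ad.mydomain.com": "dc2.ad.mydomain.com",
               "dc2.ad.mydomain.com": "dc1.ad.mydomain.com"}


def authoritative_query(server, name, rtype):
    """Answer from the server's own zone data, as a DC does for its AD zone.
    Returns ("answer", [rdata]), ("referral", [ns, ...]) when the name lies
    under a delegation the server holds, or ("nodata", [])."""
    for zone, records in ZONE_DATA.get(server, {}).items():
        if not _in_zone(name, zone):
            continue
        if name in records and rtype in records[name]:
            return "answer", list(records[name][rtype])
        # Walk towards the apex looking for a delegation point below it.
        labels = name.split(".")
        for i in range(1, len(labels)):
            cut = ".".join(labels[i:])
            if cut == zone:
                break
            if cut in records and "NS" in records[cut]:
                return "referral", list(records[cut]["NS"])
        return "nodata", []
    return "nodata", []


def recursive_resolve(name, rtype, start_server, max_hops=8):
    """Follow NS referrals starting at start_server. Returns (rdata, trail of
    servers asked). This is the only path that depends on NS records."""
    trail, server = [], start_server
    for _ in range(max_hops):
        trail.append(server)
        kind, data = authoritative_query(server, name, rtype)
        if kind == "answer":
            return data, trail
        if kind == "referral":
            server = data[0]  # assume the NS name's address is known (glue)
            continue
        return [], trail
    raise RuntimeError("referral chain too long")


def broken_forwarding(server, name, rtype, max_hops=8):
    """The hypothetical behaviour from the thread: a server with no data for
    a name hands it to its own resolv.conf target. With DC1 and DC2 pointing
    at each other the query bounces until the hop limit trips.
    Returns ("answer", rdata), ("nodata", hops) or ("loop", hops)."""
    hops = 0
    while hops < max_hops:
        kind, data = authoritative_query(server, name, rtype)
        if kind == "answer":
            return "answer", data
        server = RESOLV_CONF.get(server)
        if server is None:
            return "nodata", hops
        hops += 1
    return "loop", hops


if __name__ == "__main__":
    print(authoritative_query("dc1.ad.mydomain.com", "fileserver.ad.mydomain.com", "A"))
    print(recursive_resolve("www.toto.org", "A", "a.org-servers.example"))
    print(broken_forwarding("dc1.ad.mydomain.com", "www.toto.org", "A"))
```

The model deliberately has no SOA logic on the query path: as mathias says, answering a query never requires an SOA lookup. Where the SOA does matter is dynamic update, which is not modelled here.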
On 18/10/16 13:59, mathias dufresne via samba wrote:
> Anyway NS records are used when DNS server speak to DNS server, not by
> clients. So AD would work just fine without them.

Surely only if the authoritative name servers for the AD zones are the same machines as the resolvers that the clients are configured to use. Which they are not on this network. Although in such a case it is probably more important that NS records for the AD zone exist in its parent zone than in the AD zone itself. An issue outside of Samba's control, and which I had addressed already anyway.

> NS are used when a client ask something the configured resolver can't
> resolve by himself and when the resolver is not configured to forward
> request to relevant DNS server.

As is the case here.

> It should be possible to have such behaviour on a LAN but I don't expect
> someone able to deploy such a configuration would ask about so known
> non-issue.

Your expectations are not always correct then. The question was about how to use samba-tool to add the NS records. Rowland's helpful response put me in the right direction. The long and the short of the problem I was having, in fact, was a typo.