> Sorry, must have missed that.

No problem! :D

> OK, your dns domain is 'mydomain.edu' and your AD dns domain is
> 'addc.mydomain.edu', so far so good, but is the AD REALM set to
> 'ADDC.MYDOMAIN.EDU' ?

Yes, my AD REALM is ADDC.MYDOMAIN.EDU

> Yes, your AD DC should be the authoritative dns server for the AD dns
> domain.

ok.

> No, all your AD clients etc should use the DC for their nameserver,
> anything it doesn't know about (anything outside the ad dns domain) it
> should ask the forwarder for (I think you are trying to do this the
> other way around)

ok.

Now I migrate to SAMBA_INTERNAL and set on smb.conf,

    server services = ... dns
    dns forwarder = xxx.xxx.xxx.10 # DNS server
    allow dns updates = nonsecure and secure

I cannot see where I'm going wrong. Our DNS server is authoritative for our internal services, but on the machine I am testing, none of the services open. Any other site I can access. This machine is in the domain with the primary dns the IP of the AD.

On Tue, May 16, 2017 at 6:58 PM, Rowland Penny via samba <samba at lists.samba.org> wrote:

> On Tue, 16 May 2017 18:28:01 -0300
> Elias Pereira via samba <samba at lists.samba.org> wrote:
>
> > I am using subdomains for this, so much that I posted in the other
> > message.
> >
> > *Domain*: mydomain.edu
> > *DNS Server*: ns.mydomain.edu
> > *AD Server*: addc.mydomain.edu
>
> Sorry, must have missed that.
>
> OK, your dns domain is 'mydomain.edu' and your AD dns domain is
> 'addc.mydomain.edu', so far so good, but is the AD REALM set to
> 'ADDC.MYDOMAIN.EDU' ?
>
> > Is it mandatory to put the AD IP as primary dns in pcs?
>
> Yes, your AD DC should be the authoritative dns server for the AD dns
> domain.
>
> > If not, can I
> > configure the IP of the DNS server and create a zone like this below
> > to be forwarded the requests?
>
> No, all your AD clients etc should use the DC for their nameserver,
> anything it doesn't know about (anything outside the ad dns domain) it
> should ask the forwarder for (I think you are trying to do this the
> other way around)
>
> > *named.conf.local*
> > ...
> > zone "addc.mydomain.edu" IN {
> >     type forward;
> >     forward only;
> >     forwarders { xxx.xxx.xxx.6; }; # IP of AD
> > };
>
> There is another reason, the zone above should already exist on the AD
> DC and should only exist on the AD DC.
>
> There are those that say you can do something similar to what you are
> trying to do, but this is not supported by Samba.
>
> Rowland
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/options/samba

--
Elias Pereira
On Tue, 16 May 2017 19:27:33 -0300
Elias Pereira via samba <samba at lists.samba.org> wrote:

> > Sorry, must have missed that.
>
> No problem! :D
>
> > OK, your dns domain is 'mydomain.edu' and your AD dns domain is
> > 'addc.mydomain.edu', so far so good, but is the AD REALM set to
> > 'ADDC.MYDOMAIN.EDU' ?
>
> Yes, my AD REALM is ADDC.MYDOMAIN.EDU
>
> > Yes, your AD DC should be the authoritative dns server for the AD dns
> > domain.
>
> ok.
>
> > No, all your AD clients etc should use the DC for their nameserver,
> > anything it doesn't know about (anything outside the ad dns domain)
> > it should ask the forwarder for (I think you are trying to do this
> > the other way around)
>
> ok.
>
> Now I migrate to SAMBA_INTERNAL and set on smb.conf,
>
>     server services = ... dns
>     dns forwarder = xxx.xxx.xxx.10 # DNS server
>     allow dns updates = nonsecure and secure
>
> I cannot see where I'm going wrong. Our DNS server is authoritative
> for our internal services, but on the machine I am testing, none of
> the services open. Any other site I can access. This machine
> is in the domain with the primary dns the IP of the AD.

All I can say is that it should work and swapping the dns server shouldn't make any difference.

As long as all your AD clients are in the AD dns and nowhere else, it should work.

You can remove the 'server services' line you have added, not having one is the same as having one with all the servers listed.

Is anything else listening on port 53 ?

Rowland
> Is anything else listening on port 53 ?

I don't think so.

    # netstat -npl |grep 53
    tcp        0      0 0.0.0.0:53    0.0.0.0:*   LISTEN   27882/samba
    tcp6       0      0 :::53         :::*        LISTEN   27882/samba
    udp        0      0 0.0.0.0:53    0.0.0.0:*            27882/samba
    udp6       0      0 :::53         :::*                 27882/samba

If I use a public DNS, for example, "dns forwarder = 8.8.8.8", it must necessarily work, right?

On Wed, May 17, 2017 at 4:52 AM, Rowland Penny via samba <samba at lists.samba.org> wrote:

> On Tue, 16 May 2017 19:27:33 -0300
> Elias Pereira via samba <samba at lists.samba.org> wrote:
>
> > > Sorry, must have missed that.
> >
> > No problem! :D
> >
> > > OK, your dns domain is 'mydomain.edu' and your AD dns domain is
> > > 'addc.mydomain.edu', so far so good, but is the AD REALM set to
> > > 'ADDC.MYDOMAIN.EDU' ?
> >
> > Yes, my AD REALM is ADDC.MYDOMAIN.EDU
> >
> > > Yes, your AD DC should be the authoritative dns server for the AD dns
> > > domain.
> >
> > ok.
> >
> > > No, all your AD clients etc should use the DC for their nameserver,
> > > anything it doesn't know about (anything outside the ad dns domain)
> > > it should ask the forwarder for (I think you are trying to do this
> > > the other way around)
> >
> > ok.
> >
> > Now I migrate to SAMBA_INTERNAL and set on smb.conf,
> >
> >     server services = ... dns
> >     dns forwarder = xxx.xxx.xxx.10 # DNS server
> >     allow dns updates = nonsecure and secure
> >
> > I cannot see where I'm going wrong. Our DNS server is authoritative
> > for our internal services, but on the machine I am testing, none of
> > the services open. Any other site I can access. This machine
> > is in the domain with the primary dns the IP of the AD.
>
> All I can say is that it should work and swapping the dns server
> shouldn't make any difference.
>
> As long as all your AD clients are in the AD dns and nowhere else, it
> should work.
>
> You can remove the 'server services' line you have added, not having
> one is the same as having one with all the servers listed.
>
> Is anything else listening on port 53 ?
>
> Rowland

--
Elias Pereira
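The two checks the thread circles around, whether the DC's smb.conf DNS settings make sense and whether anything other than samba holds port 53, can be scripted. The following is an added example for readers of this thread, not code from the list or from the Samba project. It parses a constructed smb.conf fragment modelled on the settings posted above (with the documentation address 192.0.2.10 standing in for xxx.xxx.xxx.10) and the `netstat -npl | grep 53` output from the thread, plus one constructed extra line showing what a competing listener looks like. The finding about `allow dns updates = nonsecure and secure` is the editor's addition: that setting lets unauthenticated hosts create or overwrite records, and Samba's default is `secure only`.

```python
"""Sanity checks for a Samba AD DC's internal DNS (added example, not
from the thread or the Samba project)."""
from typing import Dict, List

Section = Dict[str, str]

# Constructed smb.conf fragment modelled on the thread's settings.
# 192.0.2.10 is a documentation address standing in for xxx.xxx.xxx.10.
SAMPLE_SMB_CONF = """\
[global]
    realm = ADDC.MYDOMAIN.EDU
    workgroup = ADDC
    server role = active directory domain controller
    server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate, dns
    dns forwarder = 192.0.2.10
    allow dns updates = nonsecure and secure
"""

# `netstat -npl | grep 53` as posted in the thread ...
NETSTAT_FROM_THREAD = """\
tcp        0      0 0.0.0.0:53    0.0.0.0:*   LISTEN   27882/samba
tcp6       0      0 :::53         :::*        LISTEN   27882/samba
udp        0      0 0.0.0.0:53    0.0.0.0:*            27882/samba
udp6       0      0 :::53         :::*                 27882/samba
"""
# ... plus a constructed line (pid 631 is made up) showing a second resolver
# holding port 53 on the stub address systemd-resolved uses.
NETSTAT_WITH_CONFLICT = NETSTAT_FROM_THREAD + (
    "udp        0      0 127.0.0.53:53 0.0.0.0:*            631/systemd-resolve\n"
)


def parse_smb_conf(text: str) -> Dict[str, Section]:
    """Minimal smb.conf reader: [section] headers and 'key = value' lines.
    Keys are normalised the way Samba treats them (case- and
    whitespace-insensitive); full-line '#' or ';' comments are skipped."""
    sections: Dict[str, Section] = {}
    current: Section = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = sections.setdefault(line[1:-1].strip().lower(), {})
            continue
        if "=" not in line:
            continue
        key, value = line.split("=", 1)
        current[" ".join(key.lower().split())] = value.strip()
    return sections


def check_dns_settings(conf: Dict[str, Section]) -> List[str]:
    """Return findings about the DNS-related [global] parameters of a DC."""
    g = conf.get("global", {})
    if "domain controller" not in g.get("server role", "").lower():
        return ["server role is not a domain controller; DC DNS checks do not apply"]
    findings: List[str] = []
    realm = g.get("realm", "")
    if not realm:
        findings.append("realm is missing; the AD DNS zone is derived from it")
    elif realm != realm.upper():
        findings.append(f"realm '{realm}' should be upper case (Kerberos realm)")
    forwarder = g.get("dns forwarder", "")
    if not forwarder:
        findings.append("no dns forwarder: names outside the AD zone will not "
                        "resolve for clients that use the DC as their nameserver")
    elif forwarder.startswith("127."):
        findings.append(f"dns forwarder {forwarder} points back at this host "
                        "(forwarding loop)")
    if "nonsecure" in g.get("allow dns updates", "secure only").lower():
        findings.append("allow dns updates permits nonsecure updates: unauthenticated "
                        "hosts can add or overwrite records; default is 'secure only'")
    if "server services" in g:
        findings.append("server services is set explicitly; omitting it is the same "
                        "as listing every service, dns included")
    return findings


def port53_listeners(netstat_text: str) -> List[Dict[str, str]]:
    """Keep `netstat -npl` rows bound to port 53 exactly (grep 53 would also
    match 5353 or pid 1053). UDP rows lack a State column, so the program
    is read from the last field and the address from the fourth."""
    rows: List[Dict[str, str]] = []
    for line in netstat_text.splitlines():
        fields = line.split()
        if len(fields) < 5 or not fields[0].startswith(("tcp", "udp")):
            continue
        addr, _, port = fields[3].rpartition(":")
        if port == "53":
            rows.append({"proto": fields[0], "addr": addr, "program": fields[-1]})
    return rows


def foreign_port53_listeners(netstat_text: str) -> List[str]:
    """Programs other than samba holding port 53; an empty list means the
    DC's internal DNS is the only thing answering on this host."""
    return sorted({r["program"] for r in port53_listeners(netstat_text)
                   if not r["program"].endswith("/samba")})


if __name__ == "__main__":
    for finding in check_dns_settings(parse_smb_conf(SAMPLE_SMB_CONF)):
        print("smb.conf:", finding)
    print("non-samba port 53 listeners:", foreign_port53_listeners(NETSTAT_WITH_CONFLICT))
```

On a real DC, feed `parse_smb_conf` the contents of `/etc/samba/smb.conf` and `foreign_port53_listeners` the output of `netstat -npl` (or the equivalent `ss -nlp` rows after adjusting the column picks); a non-empty list from the second call is the situation Rowland's question is probing for.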