Rowland,

Can I use AD bind as slave for some zones of our bind master server?

On Wed, May 17, 2017 at 1:00 PM, Rowland Penny <rpenny at samba.org> wrote:

> On Wed, 17 May 2017 11:59:21 -0300
> Elias Pereira via samba <samba at lists.samba.org> wrote:
>
> > > Is anything else listening on port 53?
> >
> > I don't think so.
> >
> > # netstat -npl |grep 53
> > tcp        0      0 0.0.0.0:53      0.0.0.0:*     LISTEN      27882/samba
> > tcp6       0      0 :::53           :::*          LISTEN      27882/samba
> > udp        0      0 0.0.0.0:53      0.0.0.0:*                 27882/samba
> > udp6       0      0 :::53           :::*                      27882/samba
> >
> > If I use a public DNS, for example, "dns forwarder = 8.8.8.8",
> > it necessarily must work, right?
>
> It should work if you forward anything outside the AD domain to your
> other dns server, as long as your other dns server doesn't contain
> anything of your AD records and is set up to forward anything unknown to
> another dns server, i.e. 8.8.8.8. So, using Google's dns server instead
> of your other dns server should work.
>
> Rowland

--
Elias Pereira
On Wed, 17 May 2017 15:54:20 -0300
Elias Pereira via samba <samba at lists.samba.org> wrote:

> Rowland,
>
> Can I use AD bind as slave for some zones of our bind master server?

Not sure I 100% understand what you are trying to say ;-)

I will try to explain how Samba, when running as an AD DC, supports DNS.

If you have a registered dns domain (we will use 'example.com'), you
should set the AD domain to a subdomain of this, for instance:
ad.example.com. You should then ensure that any computers that will be
joined to the AD domain use this subdomain.

When an AD domain member needs to find another computer (whether this
is another domain computer or not), it should ask one of the domain
DCs. If the DC does not know who the computer is, it should ask its
forwarder.

If a domain client (client1) needs to connect to another domain client
(client2), the DC should be able to return the data for
client2.ad.example.com

If a domain client needs to connect to Google, the DC will not know who
this is and so should ask its forwarder and then return this data to
the domain client.

So, to put it in a nutshell, an AD DC running a dns server must be
authoritative for the AD dns domain; it cannot be a slave of another
dns server, but the dns server can hold zones that are not part of the
AD domain. You would just have to find a way of updating the non-domain
zone records.

Rowland
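The split Rowland describes, written out as a pair of configuration fragments. This is an added example, not configuration from the thread or from the Samba project; the addresses 192.0.2.10 (the DC) and 192.0.2.20 (the existing BIND master) and the zone file path are constructed placeholders.

```conf
# --- On the Samba AD DC: /etc/samba/smb.conf, [global] section ---
# The DC's internal DNS is authoritative for the AD zone ad.example.com.
# Every name it is not authoritative for is sent to the forwarder, which
# here is the existing BIND master (192.0.2.20, a constructed address).
# smb.conf comments must start a line, so none are placed after values.
[global]
    realm = AD.EXAMPLE.COM
    workgroup = AD
    server role = active directory domain controller
    dns forwarder = 192.0.2.20

# --- On the existing BIND master (192.0.2.20): named.conf ---
# It keeps serving its own zones (example.com), holds no ad.example.com
# data at all, and forwards anything it is not authoritative for to a
# public resolver, exactly as the thread requires.
options {
    directory "/var/cache/bind";
    recursion yes;
    # constructed: the internal network allowed to recurse through this server
    allow-recursion { 192.0.2.0/24; 127.0.0.1; };
    forwarders { 8.8.8.8; };
    forward only;
};

zone "example.com" {
    type master;
    file "/etc/bind/db.example.com";   # constructed path
};

# Deliberately absent: no zone "ad.example.com" statement here. The DC must
# be the only authoritative source for the AD zone; a copy on this server
# would shadow the dynamic records the DCs and domain members register.
```

To confirm the split from a client, `dig @192.0.2.10 soa ad.example.com` should return an answer with the `aa` flag set, while `dig @192.0.2.10 www.google.com` should be answered without `aa`, via the forwarder chain.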
Ok. I understood your explanations, but I do not know where else I can get
information about it. I thought that this functionality between an
existing dns server and the dns server that samba provides was not so
complicated!

On Wed, May 17, 2017 at 4:35 PM, Rowland Penny via samba <samba at lists.samba.org> wrote:

> On Wed, 17 May 2017 15:54:20 -0300
> Elias Pereira via samba <samba at lists.samba.org> wrote:
>
> > Rowland,
> >
> > Can I use AD bind as slave for some zones of our bind master server?
>
> Not sure I 100% understand what you are trying to say ;-)
>
> I will try to explain how Samba, when running as an AD DC, supports DNS.
>
> If you have a registered dns domain (we will use 'example.com'), you
> should set the AD domain to a subdomain of this, for instance:
> ad.example.com. You should then ensure that any computers that will be
> joined to the AD domain use this subdomain.
>
> When an AD domain member needs to find another computer (whether this
> is another domain computer or not), it should ask one of the domain
> DCs. If the DC does not know who the computer is, it should ask its
> forwarder.
>
> If a domain client (client1) needs to connect to another domain client
> (client2), the DC should be able to return the data for
> client2.ad.example.com
>
> If a domain client needs to connect to Google, the DC will not know who
> this is and so should ask its forwarder and then return this data
> to the domain client.
>
> So, to put it in a nutshell, an AD DC running a dns server must be
> authoritative for the AD dns domain; it cannot be a slave of another
> dns server, but the dns server can hold zones that are not part of
> the AD domain. You would just have to find a way of updating the
> non-domain zone records.
>
> Rowland
>
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/options/samba

--
Elias Pereira