Hello,

This question is about best practice for introducing samba-ad-dc to an organization that already has networking, and being minimally disruptive about it. I guess this question applies equally to adding a Windows AD server, but most people with that setup would let it be the primary DNS, etc.

For this example:
- Network: 172.18.0.0/24
- Domain: network.ca
- AD server: ad.network.ca, 172.18.0.20
- Gateway/DNS: 172.18.0.1

The gateway is running as the main DNS server, and has the various underscore ("_") entries required for Windows to find the Active Directory. It sends "172.18.0.1" as the DNS option over its DHCP server. The samba AD server has its DNS forwarder set to "172.18.0.1".

Now, the question:

To be able to take full advantage of AD, should DHCP provide the Windows clients with "172.18.0.20" as the DNS server? I know it dynamically adds the computers that are on the Active Directory, and possibly other things that help make Windows services run smoothly. That said, the samba forwarder only seems to forward zones it is not familiar with. Since the samba server serves up "network.ca", when asked, it does not resolve "gitlab.network.ca" that the main DNS server knows how to resolve. This has forced me to just provide 172.18.0.1 as the DNS.

What is the best practice to solve this? Is there actually any benefit to having the AD server serve up DNS?

I'm sure others have been wondering this, and it would probably be a decent question to put in the DNS section of the Wiki, as I'm sure there are many samba mixed-network environments.

Thanks,
--Pat
On Thu, 12 Oct 2017 11:00:35 -0400 Pat Suwalski via samba <samba at lists.samba.org> wrote:
> Hello,
>
> This question is about best practice for introducing samba-ad-dc to
> an organization that already has networking, and being minimally
> disruptive about it. I guess this question applies equally to adding
> a Windows AD server, but most people with that setup would let it be
> the primary DNS, etc.
>
> For this example:
> - Network: 172.18.0.0/24
> - Domain: network.ca
> - AD server: ad.network.ca, 172.18.0.20
> - Gateway/DNS: 172.18.0.1
>
> The gateway is running as the main DNS server, and has the various
> underscore ("_") entries required for Windows to find the Active
> Directory. It sends "172.18.0.1" as the DNS option over its DHCP
> server. The samba AD server has its DNS forwarder set to "172.18.0.1".
>
> Now, the question:
>
> To be able to take full advantage of AD, should DHCP provide the
> Windows clients with "172.18.0.20" as the DNS server? I know it
> dynamically adds the computers that are on the Active Directory, and
> possibly other things that help make Windows services run smoothly.
> That said, the samba forwarder only seems to forward zones it is not
> familiar with. Since the samba server serves up "network.ca", when
> asked, it does not resolve "gitlab.network.ca" that the main DNS
> server knows how to resolve. This has forced me to just provide
> 172.18.0.1 as the DNS.
>
> What is the best practice to solve this? Is there actually any
> benefit to having the AD server serve up DNS?
>
> I'm sure others have been wondering this, and it would probably be a
> decent question to put in the DNS section of the Wiki, as I'm sure
> there are many samba mixed-network environments.
>
> Thanks,
> --Pat
>

If you already have a domain, I would set up Active Directory as a subdomain of this, e.g. instead of using 'network.ca', use 'ad.network.ca' and the FQDN 'dc1.ad.network.ca' for the DC.

Point the clients at this for domain DNS and forward anything unknown to the gateway or other DNS server. There isn't really any point in using an external server as the DNS server; all the DNS records are in AD anyway. You can, if you wish, run a DHCP server on the DC.

See here for AD best practice:

http://www.dell.com/support/article/uk/en/ukbsdt1/sln155801/best-practices-for-dns-configuration-in-an-active-directory-domain?lang=en

Rowland
On 2017-10-12 11:47 AM, Rowland Penny via samba wrote:
> If you already have a domain, I would set up Active Directory as a
> subdomain of this, e.g. instead of using 'network.ca', use
> 'ad.network.ca' and the FQDN 'dc1.ad.network.ca' for the DC.

Thanks for the reply.

I think that ship's already sailed; the domain has been running as network.ca since Samba4 was in beta, and I can just imagine the headache of changing that over. I wouldn't have done it that way, but at the time "dns forwarder" to me suggested that *all* (unknown) DNS entries would be forwarded to the main DNS server. Obviously, it's clear now that isn't the case.

I think I'm left with two options:
- Don't point DNS at the AD server.
- Allow some kind of zone copying. Not sure if samba's DNS server supports this.

Neither seems ideal.

--Pat
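A helper for the "zone copying" option raised above, as an added example that is not code from the thread or from the Samba project: it parses a constructed gateway zone file for network.ca and produces the `samba-tool dns add` commands that would copy its A and CNAME records into the AD-integrated zone, skipping the DC's own record and the underscore SRV entries that AD registers itself, so that clients pointed at the DC can still resolve names like gitlab.network.ca. The zone contents, host addresses and the Administrator account are assumptions.

```python
"""Turn a gateway zone file into samba-tool commands for the AD DNS zone."""

# Constructed sample of the gateway's zone file (assumption, not from the thread).
GATEWAY_ZONE = """\
$ORIGIN network.ca.
$TTL 3600
@        IN SOA   gw.network.ca. admin.network.ca. ( 2017101201 7200 900 1209600 3600 )
@        IN NS    gw.network.ca.
gw       IN A     172.18.0.1
ad       IN A     172.18.0.20     ; the DC; AD already owns this record
gitlab   IN A     172.18.0.30     ; the record the DC could not resolve
wiki  600 IN CNAME gitlab
_ldap._tcp.dc._msdcs IN SRV 0 100 389 ad.network.ca.
"""

DC = "ad.network.ca"   # DC holding the AD-integrated zone (assumed name)
ZONE = "network.ca"


def parse_zone(text, zone=ZONE, dc=DC):
    """Return (name, type, data) for A/CNAME records worth copying into AD."""
    records = []
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()        # drop comments
        if not line or line.startswith("$"):       # $ORIGIN / $TTL directives
            continue
        name, *rest = line.split()
        if rest and rest[0].isdigit():             # optional per-record TTL
            rest = rest[1:]
        if rest and rest[0].upper() == "IN":       # optional class
            rest = rest[1:]
        if len(rest) < 2:
            continue
        rtype, data = rest[0].upper(), rest[1]
        if rtype not in ("A", "CNAME"):            # SOA/NS/SRV are not copied
            continue
        if name == "@" or name.startswith("_") or name == dc.split(".")[0]:
            continue                               # AD maintains these itself
        if rtype == "CNAME" and not data.endswith("."):
            data = f"{data}.{zone}"                # samba-tool wants an FQDN target
        records.append((name, rtype, data))
    return records


def samba_tool_commands(records, dc=DC, zone=ZONE):
    """samba-tool dns add <server> <zone> <name> <type> <data> per record."""
    return [f"samba-tool dns add {dc} {zone} {n} {t} {d} -U Administrator"
            for n, t, d in records]


if __name__ == "__main__":
    print("\n".join(samba_tool_commands(parse_zone(GATEWAY_ZONE))))
```

Review the printed commands before running them on the DC; the DC's own A record and the _msdcs SRV records are left out on purpose because Samba registers those when it provisions and starts.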