On 2017-10-12 11:47 AM, Rowland Penny via samba wrote:
> If you already have a domain, I would set up Active Directory as a
> subdomain of this, e.g. instead of using 'network.ca', use
> 'ad.network.ca' and the FQDN 'dc1.ad.network.ca' for the DC.

Thanks for the reply.

I think that ship's already sailed, the domain has been running as network.ca since Samba4 was in beta, and I can just imagine the headache of changing that over.

I wouldn't have done it that way, but at the time "dns forwarder" to me suggested that *all* (unknown) DNS entries would be forwarded to the main DNS server. Obviously, it's clear now that isn't the case.

I think I'm left with two options:

- Don't point DNS at the AD server.
- Allow some kind of zone copying. Not sure if samba's DNS server supports this.

Neither seems ideal.

--Pat
On Thu, 12 Oct 2017 12:07:17 -0400
Pat Suwalski via samba <samba at lists.samba.org> wrote:

> On 2017-10-12 11:47 AM, Rowland Penny via samba wrote:
> > If you already have a domain, I would set up Active Directory as a
> > subdomain of this, e.g. instead of using 'network.ca', use
> > 'ad.network.ca' and the FQDN 'dc1.ad.network.ca' for the DC.
>
> Thanks for the reply.
>
> I think that ship's already sailed, the domain has been running as
> network.ca since Samba4 was in beta, and I can just imagine the
> headache of changing that over.

Not sure you could :-(

> I wouldn't have done it that way, but at the time "dns forwarder" to
> me suggested that *all* (unknown) DNS entries would be forwarded to
> the main DNS server. Obviously, it's clear now that isn't the case.

To AD, 'unknown' usually means anything outside the AD domain.

> I think I'm left with two options:
>
> - Don't point DNS at the AD server.
> - Allow some kind of zone copying. Not sure if samba's DNS server
> supports this.
>
> Neither seems ideal.

I don't think you will be able to do the second at all, even if you used BIND9 instead of the internal dns server.

It might help if you described your network.

Rowland
On 2017-10-12 12:30 PM, Rowland Penny via samba wrote:
> It might help if you described your network.

I thought I went into detail in the first message. For this example:

- Network: 172.18.0.0/24
- Domain: network.ca
- AD server: ad.network.ca, 172.18.0.20
- Gateway/DNS: 172.18.0.1

The gateway is running as the main DNS server, and has the various underscore ("_") entries required for Windows to find the Active Directory. It sends "172.18.0.1" as the DNS option over its DHCP server.

The samba AD server has its DNS forwarder set to "172.18.0.1".

The only thing to add is that 172.18.0.1 runs dnsmasq.

samba is used with Windows Desktops for AD and home shares, and with Linux servers for AD with sssd (samba's Winbind wasn't quite there when this was set up). Nothing really relies on DNS from samba; unless you know something about this point that I do not.

I could also manually add the local entries to samba's DNS. Not crazy about this option.

Thanks,
--Pat
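The forwarding rule Rowland states above (names inside the AD zone are never sent to the forwarder), applied to the layout Pat describes, as an added Python model that is neither Samba's code nor from either poster; the DC and gateway addresses are the thread's, while the "printer" and "www.example.org" records are constructed samples.

```python
# Added model (not Samba code, not from the thread's authors) of how an AD DC's
# DNS answers queries when the AD domain is also the site's existing DNS domain.
# Addresses follow the thread: DC 172.18.0.20, dnsmasq gateway 172.18.0.1.
# 'printer.network.ca' and 'www.example.org' are constructed sample records.

AD_ZONE = "network.ca"

# Records the Samba DC is authoritative for (constructed sample).
AD_RECORDS = {
    "ad.network.ca": ("A", "172.18.0.20"),
    "_ldap._tcp.network.ca": ("SRV", "0 100 389 ad.network.ca"),
}

# Records served by the dnsmasq gateway (constructed sample); it also carries
# the underscore records so Windows clients can locate the DC.
GATEWAY_RECORDS = {
    **AD_RECORDS,
    "printer.network.ca": ("A", "172.18.0.50"),
    "www.example.org": ("A", "203.0.113.10"),
}


def in_zone(name: str, zone: str) -> bool:
    """True if name is the zone apex or any name beneath it."""
    name, zone = name.rstrip(".").lower(), zone.rstrip(".").lower()
    return name == zone or name.endswith("." + zone)


def gateway_resolve(name: str):
    """What the dnsmasq gateway answers (NXDOMAIN for unknown names)."""
    return GATEWAY_RECORDS.get(name.lower(), "NXDOMAIN")


def dc_resolve(name: str, extra=None, forwarder=gateway_resolve):
    """Authoritative server: in-zone names are answered from the AD zone
    (NXDOMAIN if absent) and are never forwarded; only names outside the
    zone go to the configured forwarder. 'extra' models records added
    manually to the AD zone, Pat's last option."""
    records = {**AD_RECORDS, **(extra or {})}
    if in_zone(name, AD_ZONE):
        return records.get(name.lower(), "NXDOMAIN")
    return forwarder(name)


def gateway_only_names(gateway=GATEWAY_RECORDS):
    """Names clients lose by pointing DNS at the DC: in-zone records the
    gateway has but the AD zone lacks, i.e. what would need adding to Samba."""
    return sorted(n for n in gateway
                  if in_zone(n, AD_ZONE) and dc_resolve(n) == "NXDOMAIN")
```

Running `gateway_only_names()` against a real site would need the two servers' actual zone contents in place of the constructed dictionaries.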