On 2017-10-13 06:09 PM, Jon Gerdes via samba wrote:
> There's no such thing as "best practice" - there's good and bad
> practice and I hope that here (Samba ML) you will get some good advice,
> in return for a good question.

Thanks for this very thoughtful reply.

> The environment you describe, to me, implies that it would be best if
> you simply "fit in". You can but it will take a bit of work (not too
> much). It does not matter where DNS comes from, provided it gives the
> correct answers to client queries. So, you will have to get your new
> Samba DC's DNS records set up on the dnsmasq system. I don't think
> that dnsmasq can do dynamic DNS apart from perhaps registering DHCP
> leases as DNS entries. You will also have to set the gateway as your
> Samba box's DNS in /etc/resolv.conf (or via resolvconf) and not use the
> Samba DNS implementation.

That is correct. dnsmasq registers all of the DNS leases it hands out, so that part is basically in-line with what the AD server's DNS does for the Windows clients.

The part about the DNS server is the sticky point. It's currently set to itself (the Samba DNS server). I'm worried that changing that might break something in Samba itself.

> The whole point of this is that it is generally a good (may be not the
> best in all cases) idea to have all systems on one network to have a
> single view of DNS. Your colleagues seem to have already stipulated
> dnsmasq and I would roll with that - fit in. It's not my preferred
> solution but will work fine with some care.

Well, whether it be dnsmasq or bind, we need more functionality than the Samba DNS server provides. The goal at this point, as you surmised, is to fit in to the existing system.

> Before you get going with Samba, the box must have time in sync with
> the other DCs and be able to DNS resolve all the relevant addresses.
>
> # ntpq -p

We run NTP everywhere, so that's in sync.

> $ dig example.co.uk
>
> Should return DC IPs
>
> You'll need this lot:
>
> https://blogs.msdn.microsoft.com/servergeeks/2014/07/12/dns-records-that-are-required-for-proper-functionality-of-active-directory/

Interesting. I had built up my list by trial and error and it's quite different than what is listed there. I don't have an A record at all, and my SRV records are not the same at all:

_gc._tcp.Default-First-Site-Name._sites.domain.ca
_gc._tcp.domain.ca
_ldap._tcp.Default-First-Site-Name._sites.domain.ca
_ldap._tcp.dc._msdcs.domain.ca
_ldap._tcp.domain.ca
_kerberos._udp.DOMAIN.CA
_kerberos._tcp.DOMAIN.CA
_kpasswd._tcp.DOMAIN.CA
_kpasswd._udp.DOMAIN.CA

Then again, I'm only dealing with a single DC, so my entries are aimed strictly at clients, and this list seems to work. I might need to add these entries if I set my Samba server to use the main DNS server (dnsmasq) as well.

Thanks for all the advice. I guess my big takeaway from this is that I should, in fact, make my Samba server use the main DNS server, so that everything is in-line.

--Pat
What do you need that the internal samba DNS server can't do?

On Oct 20, 2017 9:32 AM, "Pat Suwalski via samba" <samba at lists.samba.org> wrote:
On 2017-10-20 01:25 PM, Luke Barone via samba wrote:
> What do you need that the internal samba DNS server can't do?

There are two things that come to mind:

1) Register DHCP hostnames. As mentioned, we use these.

2) Override FQDNs that it is not a master for. So, if we want to point whatever.google.com at an internal server, that can be done without affecting the rest of *.google.com. We use this extensively for services that have external names/addresses but are mapped through internal VPN tunnels.

For that second point to work, the forwarder would have to work as I presented in the original message, where it forwards unknown entries and not entire zones.

--Pat
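An added example, not from anyone in this thread: a POSIX shell helper that emits the dnsmasq lines carrying the SRV records Pat listed earlier (plus the DC's A record his list lacked), the single-name address= override from his second point, and a dig-based check that the records actually answer from the dnsmasq box. The domain, site, DC hostname and addresses are constructed placeholders.

```shell
#!/bin/sh
# Added example: generate dnsmasq records for a Samba AD DC so clients that
# only talk to dnsmasq still locate the DC. All names/IPs are placeholders.

# ad_dnsmasq_conf DOMAIN SITE DC_FQDN DC_IP
ad_dnsmasq_conf() {
    domain=$1; site=$2; dc=$3; ip=$4
    # The DC's own A record (missing from the hand-built list on the page);
    # host-record= is answered locally and never forwarded upstream.
    printf 'host-record=%s,%s\n' "$dc" "$ip"
    # The page lists the Kerberos names under the upper-case realm (DOMAIN.CA);
    # DNS lookups are case-insensitive, so the lower-case zone serves them too.
    # dnsmasq syntax: srv-host=_service._proto.name,target,port
    for rec in \
        "_ldap._tcp.$domain:389" \
        "_ldap._tcp.dc._msdcs.$domain:389" \
        "_ldap._tcp.$site._sites.$domain:389" \
        "_gc._tcp.$domain:3268" \
        "_gc._tcp.$site._sites.$domain:3268" \
        "_kerberos._tcp.$domain:88" \
        "_kerberos._udp.$domain:88" \
        "_kpasswd._tcp.$domain:464" \
        "_kpasswd._udp.$domain:464"
    do
        printf 'srv-host=%s,%s,%s\n' "${rec%:*}" "$dc" "${rec##*:}"
    done
}

# override_fqdn NAME IP: pin one name (and only its subdomains) to an internal
# address; sibling names in the same zone still go to the upstream forwarder,
# which is the "override a name, not the zone" behaviour Pat describes.
# (server=/zone/ip would instead redirect the entire zone.)
override_fqdn() {
    printf 'address=/%s/%s\n' "$1" "$2"
}

# check_srv SERVER NAME...: confirm each SRV name answers from SERVER.
# Needs dig and network access, so it is a manual check; returns the miss count.
check_srv() {
    server=$1; shift; missing=0
    for name in "$@"; do
        if [ -z "$(dig +short SRV "$name" "@$server")" ]; then
            echo "MISSING: $name" >&2
            missing=$((missing + 1))
        fi
    done
    return "$missing"
}
```

Run `ad_dnsmasq_conf domain.ca Default-First-Site-Name dc1.domain.ca 192.168.1.10 > /etc/dnsmasq.d/samba-ad.conf` on the dnsmasq host, then `check_srv <dnsmasq-ip> _ldap._tcp.dc._msdcs.domain.ca ...` from a client to verify before pointing the DC's resolv.conf at it.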