On 23/06/2019 14:34, Stefan Froehlich via samba wrote:
> No need to be sorry - most likely I'll the whole setup from scratch.
> But just to be sure and to avoid new mistakes, after re-reading the
> samba wiki:
>
> I understand that they use the same SAMDOM.EXAMPLE.COM as DNS *and*
> Windows domain which is (for legacy reasons and for a smoother
> transition) something I'd rather like to avoid.

'SAMDOM.EXAMPLE.COM' is an example Realm name, you can use whatever you like. However, whatever you use for the DNS domain, MUST be used for the Realm name, but the Realm name must be in uppercase.

> There is the existing DNS domain synth.intern (driven by bind and
> generally in a rather good shape) and I want to create the new AD
> domain SYNTHESIS *below* and independent from that.

So far, this was a good idea.

> That's why I created an NS record for synthesis.synth.intern delegating it to the
> DC and proceeded from there following the wiki with my AD DNS domain
> being SYNTHESIS.SYNTH.INTERN.

That is where you went wrong ;-)

You should have used the subdomain 'synthesis.synth.intern' for your AD, totally unconnected to your other DNS server. Your AD DC's are all authoritative for the DNS domain and your AD clients must use the DC's as their nameservers, anything the DC's do not know (anything outside the AD domain) should be forwarded to another DNS server.

> Is this possible at all or am I just begging for trouble with such a
> setup?

No and Yes ;-)

Rowland
On Sun, Jun 23, 2019 at 03:18:40PM +0100, Rowland penny via samba wrote:
> On 23/06/2019 14:34, Stefan Froehlich via samba wrote:
> > That's why I created an NS record for synthesis.synth.intern
> > delegating it to the DC and proceeded from there following the
> > wiki with my AD DNS domain being SYNTHESIS.SYNTH.INTERN.
>
> That is where you went wrong ;-)
>
> You should have used the subdomain 'synthesis.synth.intern' for
> your AD, totally unconnected to your other DNS server. Your AD
> DC's are all authoritative for the DNS domain and your AD clients
> must use the DC's as their nameservers, anything the DC's do not
> know (anything outside the AD domain) should be forwarded to
> another DNS server.

Ok, then most likely that's one of the key issues. Right now all clients use ns.synth.intern. As the subdomain synthesis.synth.intern is delegated to the DC I thought that's enough for them, but obviously it is not.

Thanks for all your efforts!

Bye,
Stefan
-- 
The reason you need, or why Stefan yodels so catchily!
Sloganizer, https://www.poetron-zone.de/
On Sun, 2019-06-23 at 15:18 +0100, Rowland penny via samba wrote:
> On 23/06/2019 14:34, Stefan Froehlich via samba wrote:
> > No need to be sorry - most likely I'll the whole setup from
> > scratch.
> > But just to be sure and to avoid new mistakes, after re-reading the
> > samba wiki:
> >
> > I understand that they use the same SAMDOM.EXAMPLE.COM as DNS *and*
> > Windows domain which is (for legacy reasons and for a smoother
> > transition) something I'd rather like to avoid.
>
> 'SAMDOM.EXAMPLE.COM' is an example Realm name, you can use whatever
> you like. However, whatever you use for the DNS domain, MUST be used for
> the Realm name, but the Realm name must be in uppercase.
>
> > There is the existing DNS domain synth.intern (driven by bind and
> > generally in a rather good shape) and I want to create the new AD
> > domain SYNTHESIS *below* and independent from that.
>
> So far, this was a good idea.
>
> > That's why I created an NS record for synthesis.synth.intern
> > delegating it to the DC and proceeded from there following the
> > wiki with my AD DNS domain being SYNTHESIS.SYNTH.INTERN.
>
> That is where you went wrong ;-)

No, that should be fine. We normally suggest just setting up a zone type of 'forward' in BIND but glue records should work.

> You should have used the subdomain 'synthesis.synth.intern' for
> your AD, totally unconnected to your other DNS server. Your AD DC's are
> all authoritative for the DNS domain and your AD clients must use the
> DC's as their nameservers, anything the DC's do not know (anything
> outside the AD domain) should be forwarded to another DNS server.

Rowland,

We actually suggest the reverse, due to issues with the forwarding capacity of both of our DNS options.

We suggest a 'normal' DNS server that delegates the Samba zone (only) to Samba:

https://wiki.samba.org/index.php/BIND9_DLZ_DNS_Back_End#Recommended_Architecture

In the past this wasn't possible, but that was due to bugs now fixed in how we script nsupdate.

I hope this helps clarify things.

Andrew Bartlett
-- 
Andrew Bartlett https://samba.org/~abartlet/
Authentication Developer, Samba Team https://samba.org
Samba Developer, Catalyst IT https://catalyst.net.nz/services/samba
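As an added illustration of the two setups Andrew contrasts above (not taken from this thread or from the Samba wiki), here is what the existing BIND server ns.synth.intern might carry when it delegates only the AD subdomain to the DC with glue records, followed by the forward-zone alternative. The DC host name dc1, the addresses in 192.0.2.0/24, the serial number and the file path are constructed placeholders.

```conf
; --- Option A: delegation with glue, in the parent zone file for synth.intern
; (e.g. /etc/bind/db.synth.intern on ns.synth.intern; path is a placeholder)
; The parent stays authoritative for everything under synth.intern EXCEPT
; the synthesis subtree, which it hands off to the Samba DC. The glue A
; record is required because dc1 itself lives inside the delegated zone.
$ORIGIN synth.intern.
$TTL 3600
@               IN SOA  ns.synth.intern. hostmaster.synth.intern. (
                        2019062401 ; serial (constructed)
                        3600 900 604800 300 )
@               IN NS   ns.synth.intern.
ns              IN A    192.0.2.1       ; existing BIND server (placeholder)

; delegation of the AD zone to the Samba DC
synthesis       IN NS   dc1.synthesis.synth.intern.
dc1.synthesis   IN A    192.0.2.10      ; glue record (placeholder address)

; --- Option B: forward zone, in named.conf on ns.synth.intern
; Instead of delegating, the existing server answers queries for the AD
; zone by asking the DC directly. 'forward only' stops BIND from falling
; back to recursion when the DC does not answer, so a broken DC shows up
; as a resolution failure rather than a silently stale answer.
zone "synthesis.synth.intern" {
    type forward;
    forward only;
    forwarders { 192.0.2.10; };   // the Samba DC (placeholder address)
};
```

Either way the DC must resolve everything outside its own zone by forwarding back to the existing server, which is what the `dns forwarder` setting in the DC's smb.conf is for (pointing it at 192.0.2.1 in this constructed layout). To confirm the delegation works from a client's point of view, `dig +norecurse NS synthesis.synth.intern @ns.synth.intern` should return the NS record and the glue, and `dig SRV _ldap._tcp.synthesis.synth.intern @ns.synth.intern` should come back with the DC's SRV record rather than SERVFAIL; `dig +trace` on the same SRV name shows the hand-off hop by hop.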
On 24/06/2019 07:59, Andrew Bartlett wrote:
> On Sun, 2019-06-23 at 15:18 +0100, Rowland penny via samba wrote:
>> On 23/06/2019 14:34, Stefan Froehlich via samba wrote:
>>> No need to be sorry - most likely I'll the whole setup from
>>> scratch.
>>> But just to be sure and to avoid new mistakes, after re-reading the
>>> samba wiki:
>>>
>>> I understand that they use the same SAMDOM.EXAMPLE.COM as DNS *and*
>>> Windows domain which is (for legacy reasons and for a smoother
>>> transition) something I'd rather like to avoid.
>> 'SAMDOM.EXAMPLE.COM' is an example Realm name, you can use whatever
>> you like. However, whatever you use for the DNS domain, MUST be used for
>> the Realm name, but the Realm name must be in uppercase.
>>> There is the existing DNS domain synth.intern (driven by bind and
>>> generally in a rather good shape) and I want to create the new AD
>>> domain SYNTHESIS *below* and independent from that.
>> So far, this was a good idea.
>>> That's why I created an NS record for synthesis.synth.intern
>>> delegating it to the DC and proceeded from there following the
>>> wiki with my AD DNS domain being SYNTHESIS.SYNTH.INTERN.
>> That is where you went wrong ;-)
> No, that should be fine. We normally suggest just setting up a zone
> type of 'forward' in BIND but glue records should work.
>
>> You should have used the subdomain 'synthesis.synth.intern' for
>> your AD, totally unconnected to your other DNS server. Your AD DC's are
>> all authoritative for the DNS domain and your AD clients must use the
>> DC's as their nameservers, anything the DC's do not know (anything
>> outside the AD domain) should be forwarded to another DNS server.
> Rowland,
>
> We actually suggest the reverse, due to issues with the forwarding
> capacity of both of our DNS options. We suggest a 'normal' DNS server
> that delegates the Samba zone (only) to Samba:
>
> https://wiki.samba.org/index.php/BIND9_DLZ_DNS_Back_End#Recommended_Architecture
>
> In the past this wasn't possible, but that was due to bugs now fixed in
> how we script nsupdate.
>
> I hope this helps clarify things.
>
> Andrew Bartlett

Well yes, but it still wouldn't have helped this guy, his DC was in one DNS domain and his fileserver was in another and they both used the same realm.

Rowland