On 25/03/2021 22:07, Lou via samba wrote:
> Hello,
>
> I'm currently studying migration from Samba 3 to Samba 4 (NT4 to AD).
> Using classic upgrade [1].
>
> Currently (alongside our Samba 3 PDC), we have a heterogeneous
> environment with external DNS servers:
>
> ns1.example.com
> ns2.example.com
> ns3.example.com
> ns4.example.com
>
> Currently, our DHCP server supplies the IPs of these servers for
> clients. We have all servers (and the PDC) correctly registered on these
> servers. There are four so we can keep up with the load and for
> geographic reasons.

You can still use your DHCP servers, your Windows clients can update their own records in AD, your DCs should have fixed IPs, your only problem would be Unix clients and you can script around them.

> Why, in Samba 4, are clients required to use the Samba DNS resolver?

Because every AD DC running a DNS server is authoritative for the AD DNS domain and holds all the AD DNS records (they are in AD).

> It seems Samba 4 uses DNS while Samba 3 does not, and requires that
> all clients use it, but that would break our architecture because
> there would be a single point of failure (unless we set up more than
> one PDC).

No, you do not even set up one PDC, that is what you have now. AD uses DCs, which are all equal except for the FSMO roles (and they can be on any DC), and yes, it is recommended to install multiple DCs.

> We can configure the PDC to forward queries to them with the smb.conf
> option "dns forwarder" [2] and use several PDCs to mimic the
> architecture we have today, but I was wondering why clients are
> required to use Samba 4 DNS.

Do it the other way: continue to use your existing DNS servers and get them to forward the AD DNS domain queries to the AD DCs. I would also suggest using Bind9 if you do run multiple DCs (I would also suggest running multiple DCs).

Rowland
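A concrete form of what Rowland recommends above (the existing resolvers keep serving everything else and forward only the AD DNS domain to the DCs), as an added example that is not part of the original thread. It assumes the existing ns1..ns4 run BIND9 (the OP does not say what they run), that the AD DNS domain is ad.example.com, and that the DCs are 192.0.2.11 and 192.0.2.12; all three are assumptions.

```conf
// Added example, not from the thread: named.conf fragment for each of the
// existing external resolvers (ns1..ns4). Only the AD DNS domain is sent
// to the DCs; every other name is still answered as it is today.
// ASSUMED: AD DNS domain ad.example.com, DCs 192.0.2.11 and 192.0.2.12,
// and that these resolvers are BIND9.

options {
    // ... existing options unchanged ...

    // Only if these resolvers validate DNSSEC: the AD zone is unsigned and
    // is not delegated from the parent, so a validator would reject it as
    // bogus unless validation is switched off for that name.
    validate-except { "ad.example.com"; };
};

zone "ad.example.com" {
    type forward;
    forward only;                       // never fall back to recursion here:
                                        // the DCs are the only authoritative
                                        // source for this zone
    forwarders { 192.0.2.11; 192.0.2.12; };
};

// Nothing extra is needed for _msdcs.ad.example.com (a separate zone on the
// DCs): names beneath a forward zone are covered by that forward zone unless
// a more specific zone statement exists.
```

With this in place the DHCP-supplied resolvers stay exactly as they are, and a client lookup such as `dig @ns1.example.com _ldap._tcp.dc._msdcs.ad.example.com SRV` should return the DC SRV records via the forwarder. Listing every DC in `forwarders` is what removes the single point of failure the OP was worried about; `forward only` matters because, with `forward first`, a DC outage would make the resolver recurse to the public tree and cache an NXDOMAIN for AD names.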
Nico Kadel-Garcia
2021-Mar-27 21:06 UTC
[Samba] Understanding internal DNS usage on Samba 4
On Thu, Mar 25, 2021 at 6:30 PM Rowland penny via samba <samba at lists.samba.org> wrote:
> On 25/03/2021 22:07, Lou via samba wrote:
>> Hello,
>>
>> I'm currently studying migration from Samba 3 to Samba 4 (NT4 to AD).
>> Using classic upgrade [1].
>>
>> Currently (alongside our Samba 3 PDC), we have a heterogeneous
>> environment with external DNS servers:
>>
>> ns1.example.com
>> ns2.example.com
>> ns3.example.com
>> ns4.example.com
>>
>> Currently, our DHCP server supplies the IPs of these servers for
>> clients. We have all servers (and the PDC) correctly registered on these
>> servers. There are four so we can keep up with the load and for
>> geographic reasons.
>
> You can still use your DHCP servers, your Windows clients can update
> their own records in AD, your DCs should have fixed IPs, your only
> problem would be Unix clients and you can script around them.

And put the Samba-managed DNS in a subdomain or in a set of subdomains. *DO NOT* try to play the "split view" game of "oh, all our hosts are in company.com in one flat namespace".

>> Why, in Samba 4, are clients required to use the Samba DNS resolver?
>
> Because every AD DC running a DNS server is authoritative for the AD DNS
> domain and holds all the AD DNS records (they are in AD).

Don't *mix* them with non-Samba or non-AD DNS domains for merged domains, that way lies contorted madness. Segregate them by subdomain if they need to share a DNS top-level domain.

> No, you do not even set up one PDC, that is what you have now. AD uses
> DCs, which are all equal except for the FSMO roles (and they can be on
> any DC), and yes, it is recommended to install multiple DCs.

Sadly, Samba does not currently support zone transfers, so they need to be multiple domain controllers, not merely slave DNS servers which could cache the other subdomains.
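Nico's advice to keep the Samba-managed names in their own subdomain is usually realised by delegating that subdomain from the parent zone, which is the alternative to the forward-zone approach Rowland describes. Below is an added example of that delegation, not part of the original thread: a fragment of the example.com zone as it would be held on ns1..ns4, assuming they are authoritative for example.com. The AD domain ad.example.com, the DC names dc1/dc2 and the addresses 192.0.2.11/192.0.2.12 are all assumptions.

```conf
; Added example, not from the thread: fragment of the example.com zone file
; on the existing authoritative servers (ns1..ns4), delegating the AD
; subdomain to the DCs. ASSUMED: AD domain ad.example.com, DCs dc1 and dc2
; at 192.0.2.11 and 192.0.2.12.
$ORIGIN example.com.

; Existing records stay in the flat example.com namespace, untouched.
www       IN  A    198.51.100.10

; Delegation: example.com holds no ad.example.com data of its own, it only
; says which servers do. Consistent with the point above that Samba does not
; do zone transfers, the NS records name the DCs themselves, not ns1..ns4.
ad        IN  NS   dc1.ad.example.com.
ad        IN  NS   dc2.ad.example.com.

; Glue: the name servers live inside the zone being delegated, so the
; parent must carry their addresses or resolvers can never reach them.
dc1.ad    IN  A    192.0.2.11
dc2.ad    IN  A    192.0.2.12
```

Delegation and forwarding differ in one way that matters for the OP's four geographically spread resolvers: with delegation, any resolver on the Internet that follows the referral must be able to reach the DCs directly (and every client resolver path must allow it), whereas a forward zone keeps the DCs reachable only from ns1..ns4. Whichever is chosen, the AD clients still point at ns1..ns4 via DHCP, and the DCs register their own records in the delegated zone. If example.com is DNSSEC-signed, delegating without a DS record is the clean way to mark ad.example.com as an insecure subtree rather than a bogus one.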