Angel Bosch Mora
2021-Nov-05 10:21 UTC
[Samba] DNS forwarding. WAS: disable automatic creation of computer accounts
> DON'T, JUST DON'T
>
> Your AD DC's have to be authoritative for the AD dns domain, by all
> means let your clients use another dns server, but that dns server
> should forward anything for the AD dns domain (you are using a
> subdomain, aren't you) to a DC.

just to confirm: is it enough to forward AD subdomain resolution to the DC in my current DNS server?

there's a lot of docs saying that you should always point to DC directly.

and what about SRV entry?
I guess I must create something similar to _ldap._tcp.samdom.example.com in my DNS server, right?

abosch
--
Institut Mallorqui d'Afers Socials.
Rowland Penny
2021-Nov-05 10:28 UTC
[Samba] DNS forwarding. WAS: disable automatic creation of computer accounts
On Fri, 2021-11-05 at 11:21 +0100, Angel Bosch Mora via samba wrote:
> > DON'T, JUST DON'T
> >
> > Your AD DC's have to be authoritative for the AD dns domain, by all
> > means let your clients use another dns server, but that dns server
> > should forward anything for the AD dns domain (you are using a
> > subdomain, aren't you) to a DC.
>
> just to confirm: is enough with forwarding AD subdomain resolution to
> DC in my current DNS server?
>
> there's a lot of docs saying that you should always point to DC
> directly.
>
> and what about SRV entry?
> I guess I must create something similar to
> _ldap._tcp.samdom.example.com in my DNS server, right?

No, everything must be in AD, you forward everything to do with 'AD' from your external dns server to a DC.

Rowland
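
The forwarding setup described in this thread, as an added example that is not part of either message: a `named.conf` fragment for the existing (non-AD) DNS server. BIND 9 is an assumption, since the thread does not name the server software; `samdom.example.com` is the name used in the question, and the `192.0.2.x` DC addresses are constructed placeholders.

```conf
// named.conf on the existing site DNS server (assumed here to be BIND 9).
// Clients keep using this server as their resolver. It holds no data for
// the AD zone and only relays queries for it to the DCs, which stay
// authoritative.

// Not this: a locally hosted zone with hand-made records such as
//   _ldap._tcp.samdom.example.com. IN SRV 0 100 389 dc1.samdom.example.com.
// That would make this server answer for the AD domain itself, and the
// records the DCs and domain members register in AD DNS would never be seen.

zone "samdom.example.com" {
    type forward;
    forward only;          // never fall back to normal recursion for AD names
    forwarders {
        192.0.2.10;        // DC1 (constructed placeholder address)
        192.0.2.11;        // DC2 (constructed placeholder address)
    };
};

// Check from a client that uses this server as its resolver. Nothing is
// created here; the answers must come from AD DNS on the DCs:
//   dig +short SRV _ldap._tcp.samdom.example.com
//   dig +short SRV _kerberos._tcp.samdom.example.com
//   dig +short SRV _ldap._tcp.dc._msdcs.samdom.example.com
```

The forward zone also covers names below it, such as `_msdcs.samdom.example.com`. If this server is itself authoritative for the parent zone, the parent zone additionally needs NS delegation records for the AD subdomain, otherwise it answers from its own data instead of forwarding.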