Rowland Penny
2021-Nov-05 10:28 UTC
[Samba] DNS forwarding. WAS: disable automatic creation of computer accounts
On Fri, 2021-11-05 at 11:21 +0100, Angel Bosch Mora via samba wrote:
> > DON'T, JUST DON'T
> > Your AD DCs have to be authoritative for the AD dns domain, by all
> > means let your clients use another dns server, but that dns server
> > should forward anything for the AD dns domain (you are using a
> > subdomain, aren't you) to a DC.
> >
>
> just to confirm: is it enough to forward AD subdomain resolution to
> the DC in my current DNS server?
>
> there's a lot of docs saying that you should always point to the DC
> directly.
>
> and what about the SRV entries?
> I guess I must create something similar to
> _ldap._tcp.samdom.example.com in my DNS server, right?

No, everything must be in AD, you forward everything to do with 'AD'
from your external dns server to a DC.

Rowland
mj
2021-Nov-05 11:17 UTC
[Samba] DNS forwarding. WAS: disable automatic creation of computer accounts
Hi Angel,

Not sure if this is what you are asking, but just to give you some feedback:

We have an internal dns resolver, that is provided to our internal clients through DHCP. This internal resolver uses external resolvers (9.9.9.9) for everything, except for the samba zone ad.company.com. For everything in that specific zone, it talks to our samba DCs.

Our product (sophos XG) calls this a "dns route" and it works for us. Our clients never talk DNS (as far as I know) directly to the samba DCs.

MJ

Op 05-11-2021 om 11:28 schreef Rowland Penny via samba:
> On Fri, 2021-11-05 at 11:21 +0100, Angel Bosch Mora via samba wrote:
>>> DON'T, JUST DON'T
>>> Your AD DCs have to be authoritative for the AD dns domain, by all
>>> means let your clients use another dns server, but that dns server
>>> should forward anything for the AD dns domain (you are using a
>>> subdomain, aren't you) to a DC.
>>>
>>
>> just to confirm: is it enough to forward AD subdomain resolution to
>> the DC in my current DNS server?
>>
>> there's a lot of docs saying that you should always point to the DC
>> directly.
>>
>> and what about the SRV entries?
>> I guess I must create something similar to
>> _ldap._tcp.samdom.example.com in my DNS server, right?
>
> No, everything must be in AD, you forward everything to do with 'AD'
> from your external dns server to a DC.
>
> Rowland
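The setup both replies describe (Rowland's "forward everything for the AD domain to a DC", MJ's "dns route" on the internal resolver) as an added example; this is not code from the thread or from the Samba project. It assumes the internal resolver is BIND 9, the AD DNS domain is ad.example.com (MJ's post uses ad.company.com), and the DCs are 10.0.0.11 and 10.0.0.12; all of these are placeholders. The first function emits the conditional-forward stanza, the second checks through the resolver that the SRV records Angel asked about (which live only in AD) actually come back and that their targets resolve, which is what a domain join needs.

```shell
#!/bin/sh
# Added example, not from the mailing-list thread. Assumed values: AD DNS
# domain ad.example.com, DCs 10.0.0.11 / 10.0.0.12, resolver running BIND 9.

# Emit a BIND 9 forward-only zone stanza for the AD domain, for named.conf.
# "forward only" matters: with "forward first" a DC outage would make the
# resolver try the public DNS for ad.example.com and cache the NXDOMAIN it
# gets back, so clients would keep failing after the DC returned.
forward_zone_stanza() {
    ad_domain="$1"; shift
    printf 'zone "%s" {\n    type forward;\n    forward only;\n    forwarders {' "$ad_domain"
    for dc in "$@"; do printf ' %s;' "$dc"; done
    printf ' };\n};\n'
}

# Verify the forwarding works end to end: ask the internal resolver (not a
# DC) for the SRV records a domain member looks up, then resolve each SRV
# target through the same resolver. Returns 0 only if everything answers.
check_ad_srv() {
    resolver="$1"; ad_domain="$2"; failed=0
    for svc in _ldap._tcp _kerberos._tcp _ldap._tcp.dc._msdcs; do
        # dig +short SRV prints "priority weight port target." per record
        targets=$(dig @"$resolver" +short SRV "$svc.$ad_domain" | awk '{print $4}')
        if [ -z "$targets" ]; then
            echo "no SRV record for $svc.$ad_domain via $resolver"
            failed=1
            continue
        fi
        for t in $targets; do
            addr=$(dig @"$resolver" +short A "$t")
            if [ -z "$addr" ]; then
                echo "SRV target $t has no A record via $resolver"
                failed=1
            fi
        done
    done
    return $failed
}

# Usage (adjust values to your site):
#   forward_zone_stanza ad.example.com 10.0.0.11 10.0.0.12 >> /etc/bind/named.conf.local
#   check_ad_srv 10.0.0.53 ad.example.com && echo "AD DNS reachable through resolver"
```

Run the check from a client that only has the internal resolver configured; if it fails while the same queries succeed with `@10.0.0.11`, the forwarding is the problem, not AD. The stanza covers only the forward zone; if clients or DCs need reverse lookups for the AD subnet, add the matching in-addr.arpa zone the same way.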