First off, thanks to Rowland Penny for his patience in working through my thread "Joining a new Samba AD DC".

I first attempted to upgrade my old Samba 4.8.2 AD/DC to a more recent version, but that effort failed due to too many differences with the Samba version and the latest Slackware OS version. Next I tried to join a 2nd Samba DC to the existing domain with the intent of promoting it, but that also ran into version compatibility problems, including with BIND.

Now I'm taking the "nuclear" option. I will create a new AD/DC with my distro's latest versions of everything. I will then un-join all the Windows workstations from the current domain and re-join them to the new domain. This is what I did 13 years ago when migrating from Windows SBS 2008 to Samba for AD/DC in the first place, so no reason that shouldn't work. I will join a single dummy Windows workstation to this domain for testing.

I am going through the wiki https://wiki.samba.org/index.php/Setting_up_Samba_as_an_Active_Directory_Domain_Controller.

First question ... according to https://wiki.samba.org/index.php/Active_Directory_Naming_FAQ, using e.g. samdom.local is not recommended for several reasons. My current domain is hprs.local. So, as long as I'm starting from scratch I would like to take the opportunity to get this right.

In wiki section "Using Your external Domain Name", it says I could simply use the external domain name, e.g. ohprs.org.

Here's where I'm confused. If I use ohprs.org as the AD domain and e.g. DC1.ohprs.org is my AD/DC, how does name resolution work with other domain members? For example, webserver.ohprs.org is a current, public FQDN which resolves to 98.102.63.106. Internally this host's IP within the domain is 192.168.0.3. This host also has an SSL certificate for external access to webpages (https).

If I am on domain member "joe" how will accessing host "webserver" resolve? Will it refer to the public IP (98.102.63.106) or the local domain IP (192.168.0.3)? If local, the SSL cert won't be valid.

Does this magically work via DNS?

Should I pick some other AD domain name?

Thanks --Mark
Add a subdomain, such as "ad." in front of your external domain name. It should only be resolvable inside your local network. So in your case, use "ad.ohprs.org" for the domain name. Your domain computers will be "pc1.ad.ohprs.org", "dc1.ad.ohprs.org", etc. Your webserver can have multiple DNS names resolving to it, as can other computers, both inside and/or outside your local network.

On Mon, Aug 7, 2023, 8:30 p.m. Mark Foley via samba <samba at lists.samba.org> wrote:

> [...]
>
> In wiki section "Using Your external Domain Name", it says I could simply use the external domain name, e.g. ohprs.org.
>
> Here's where I'm confused. If I use ohprs.org as the AD domain and e.g. DC1.ohprs.org is my AD/DC, how does name resolution work with other domain members? For example, webserver.ohprs.org is a current, public FQDN which resolves to 98.102.63.106. Internally this host's IP within the domain is 192.168.0.3. This host also has an SSL certificate for external access to webpages (https).
>
> If I am on domain member "joe" how will accessing host "webserver" resolve? Will it refer to the public IP (98.102.63.106) or the local domain IP (192.168.0.3)? If local, the SSL cert won't be valid.
>
> Does this magically work via DNS?
>
> Should I pick some other AD domain name?
>
> Thanks --Mark
On 08/08/2023 01:43, Mark Foley via samba wrote:

> [...]
>
> In wiki section "Using Your external Domain Name", it says I could simply use the external domain name, e.g. ohprs.org.
>
> Here's where I'm confused. If I use ohprs.org as the AD domain and e.g. DC1.ohprs.org is my AD/DC, how does name resolution work with other domain members? For example, webserver.ohprs.org is a current, public FQDN which resolves to 98.102.63.106. Internally this host's IP within the domain is 192.168.0.3. This host also has an SSL certificate for external access to webpages (https).

Not surprised you are confused; that section of the wiki page seemed to say it was okay to use your external DNS name. It isn't, and never has been. I have rewritten that part to say, basically: do not use your external DNS domain for AD, use a subdomain.

Rowland
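The two replies above (use a subdomain such as ad.ohprs.org; never make the AD domain your external DNS domain) come down to one DNS property: the Samba DC is authoritative for its AD zone, so a name inside that zone with no record gets NXDOMAIN and is never forwarded, while names outside the zone go to the resolver named by "dns forwarder" in smb.conf, and domain members append their search suffix (the AD domain) to short names. The following is an added example, not code from the thread or from the Samba project, that models exactly that and runs Mark's question through both naming choices. The 98.102.63.106 and 192.168.0.3 addresses are from the thread; the DC and workstation addresses, the extra public host mail.ohprs.org and the record sets are constructed for illustration. The samba-tool command shown in a comment is the real CLI syntax for adding an A record.

```python
"""Model of how a Samba AD DC's DNS answers queries under the two naming
choices discussed in the thread (added example; the resolver below is a toy,
it does not talk to real DNS).

Rules modelled:
  * the DC is authoritative for the AD zone: a missing name in that zone is
    NXDOMAIN and is never forwarded;
  * anything outside the AD zone is forwarded to the upstream resolver
    ("dns forwarder = <ip>" in smb.conf);
  * a domain member appends its DNS search suffix (the AD domain) to short
    names before querying.
"""

from typing import Dict, Optional


class SambaDcDns:
    """Authoritative for one AD zone, forwarding everything else upstream."""

    def __init__(self, ad_zone: str, records: Dict[str, str], upstream: Dict[str, str]):
        self.ad_zone = ad_zone.lower().rstrip(".")
        self.records = {k.lower(): v for k, v in records.items()}
        self.upstream = upstream  # stands in for the "dns forwarder" resolver

    def in_zone(self, fqdn: str) -> bool:
        return fqdn == self.ad_zone or fqdn.endswith("." + self.ad_zone)

    def resolve(self, fqdn: str) -> Optional[str]:
        """Return the A record for fqdn, or None for NXDOMAIN."""
        fqdn = fqdn.lower().rstrip(".")
        if self.in_zone(fqdn):
            return self.records.get(fqdn)   # authoritative answer, no forwarding
        return self.upstream.get(fqdn)      # forwarded to the upstream resolver


def resolve_from_member(dns: SambaDcDns, name: str, search_suffix: str) -> Optional[str]:
    """How a domain member resolves `name`: short names get the search suffix."""
    if "." not in name:
        name = f"{name}.{search_suffix}"
    return dns.resolve(name)


# Constructed: what the public resolver knows about ohprs.org.
PUBLIC_DNS = {
    "webserver.ohprs.org": "98.102.63.106",   # public address from the thread
    "mail.ohprs.org": "98.102.63.106",        # assumed additional public host
}

# What workstation "joe" asks for in each scenario.
QUERIES = ["webserver", "webserver.ohprs.org", "mail.ohprs.org", "dc1"]


def scenario_external_domain_as_ad() -> Dict[str, Optional[str]]:
    """AD domain = ohprs.org: the DC now owns the whole public zone internally."""
    dc = SambaDcDns(
        "ohprs.org",
        {"dc1.ohprs.org": "192.168.0.10",    # assumed DC address
         "joe.ohprs.org": "192.168.0.20"},   # assumed workstation address
        PUBLIC_DNS,
    )
    # Every public ohprs.org host is now NXDOMAIN inside the network unless it
    # is duplicated by hand in the AD zone.
    return {q: resolve_from_member(dc, q, "ohprs.org") for q in QUERIES}


def scenario_ad_subdomain() -> Dict[str, Optional[str]]:
    """AD domain = ad.ohprs.org: only the subdomain is internal-only."""
    dc = SambaDcDns(
        "ad.ohprs.org",
        {"dc1.ad.ohprs.org": "192.168.0.10",
         "joe.ad.ohprs.org": "192.168.0.20",
         # Internal name for the web server, added on the DC with e.g.:
         #   samba-tool dns add dc1 ad.ohprs.org webserver A 192.168.0.3 -U Administrator
         "webserver.ad.ohprs.org": "192.168.0.3"},
        PUBLIC_DNS,
    )
    # Short name -> internal address; the public FQDN is forwarded untouched.
    return {q: resolve_from_member(dc, q, "ad.ohprs.org") for q in QUERIES}


if __name__ == "__main__":
    for label, fn in [("AD = ohprs.org", scenario_external_domain_as_ad),
                      ("AD = ad.ohprs.org", scenario_ad_subdomain)]:
        print(label)
        for q, ip in fn().items():
            print(f"  {q:22} -> {ip or 'NXDOMAIN'}")
```

With ohprs.org as the AD domain, "webserver", "webserver.ohprs.org" and "mail.ohprs.org" all come back NXDOMAIN from the DC, which is why that choice forces you to maintain a copy of every public record in AD. With ad.ohprs.org, the short name "webserver" resolves to 192.168.0.3 through the search suffix, while "webserver.ohprs.org" is outside the AD zone and is forwarded, so it still returns the public 98.102.63.106 and the existing certificate name keeps matching.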