thr3ads.net - samba - [Samba] Provisioning new AD Domain Controller [Dec 2023]

If this information is useful, please help other people find it:
Share via:

Mark Foley

2023-Dec-01 06:38 UTC

[Samba] Provisioning new AD Domain Controller

On Thu Nov 30 14:10:39 2023 Mark Foley via samba <samba at
lists.samba.org> wrote:>
> On Thu Nov 30 13:38:35 2023 Rowland Penny via samba <samba at
lists.samba.org> wrote:
> >
> > On Thu, 30 Nov 2023 13:05:08 -0500
> > Mark Foley via samba <samba at lists.samba.org> wrote:
> >
> > > The wiki
> > >
https://wiki.samba.org/index.php/Setting_up_Samba_as_an_Active_Directory_Domain_Controller#Create_a_reverse_zone
> > > says, "For a DC with the FQDN of dc1.samdom.example.com and
the
> > > ipaddress of 10.99.0.1, to add a record to the
0.99.10.in-addr.arpa
> > > ..."
> > > 
> > > Is this correct or should the rDNS PTR be 1.99.10.in-addr.arpa? 
> > > 
> > > I just want to make sure this isn't a typeo.
> > > 
> > > Thanks --Mark
> > > 
> >
> > No it isn't a typo, but it is just an example which will give you
255
> > clients.
> >
> > From the given example '10.99.0.1', you would take the first
three
> > octets '10.99.0' and reverse them '0.99.10', add
'.in-addr.arpa' to get
> > '0.99.10.in-addr.arpa' and this would be the name for the
reversezone.
> >
> > If you require more clients, just take less octets e.g.
'10.99' would
> > give you '99.10.in-addr.arpa'
> >
> > Rowland
>
> OK, thanks. I didn't know that. I just wrote another email to Dave
questioning
> this. I'll move forward with the 3-octet version.
>
> Thanks --Mark
Following up on this, not understanding the 'three octets' principle as
described
by Rowland, I previouly did the zone create as:

samba-tool dns zonecreate 182.168.0.2   2.0.168.192.in-addr.arpa  (i.e. entire
IP address)

doing 'samba-tool dns zonelist 192.168.0.2' gives (plus others):

  pszZoneName                 : 2.0.168.192.in-addr.arpa
  Flags                       : DNS_RPC_ZONE_DSINTEGRATED
DNS_RPC_ZONE_UPDATE_SECURE
  ZoneType                    : DNS_ZONE_TYPE_PRIMARY
  Version                     : 50
  dwDpFlags                   : DNS_DP_AUTOCREATED DNS_DP_DOMAIN_DEFAULT
DNS_DP_ENLISTED
  pszDpFqdn                   : DomainDnsZones.hprs.locl

Should I delete this zone and recreate with "0.168.192.in-addr.arpa"?
If so, what
should I use for <Your-AD-DNS-Server-IP-or-hostname>? (my DC is
dc1.hprs.locl).
This template example says "or-hostname", so would that be just
"dc1" and not
the FQDN? If I'm interpreting this correctly,
"<Your-AD-DNS-Server-IP-or-hostname>" should be either
"182.168.9.2" or "dc1",
right? Which specification is preferable? IP or hostname?

Thanks --Mark

Rowland Penny

2023-Dec-01 08:13 UTC

head link

[Samba] Provisioning new AD Domain Controller

On Fri, 01 Dec 2023 01:38:55 -0500
Mark Foley via samba <samba at lists.samba.org> wrote:

> Following up on this, not understanding the 'three octets'
principle
> as described by Rowland, I previouly did the zone create as:
The 'octets' are just the groups of numbers in your ipaddress,
separated by dots, an IPV4 address always has 4
> 
> samba-tool dns zonecreate 182.168.0.2   2.0.168.192.in-addr.arpa
> (i.e. entire IP address)
> 
Lets look at your example above, as you can see you have the four
octets '192', '168', '0' '2', which is from the
well known private
range '192.168.0.0'. If you now look at the end of what the zone will
be called, you will find '.in-addr.arpa'. expanding this for clarity
(and only clarity, do not do this in real life), it becomes:
'in-address.arpa'. 'in-addr' means the fixed part of your
reverse zone
(and is always in the ipaddress) and 'arpa' means not internet
resolvable 

So, if you require 255 clients, you need to name your reversezone
accordingly. You would take the first three octets and reverse them
'0.168.192' add the '.in-addr.arpa' part and end up with
'0.168.192.in-addr.arpa. That reversezone will then allow for ipaddress
that end in '1' through '255' and will give you 255 clients,
i.e.
clients that have '192.168.0' in their ipaddresses and end with the
number '1' through '255'.

If you require more than 255 clients, then you need to name your
reversezone accordingly, for instance, if you used
'168.192.in-addr.arpa' (the first two octets), you can have 65,534
clients.

None of this is really Samba related, it is standard DNS and as AD
lives on DNS, I suggest you read up on DNS.

> doing 'samba-tool dns zonelist 192.168.0.2' gives (plus others):
> 
>   pszZoneName                 : 2.0.168.192.in-addr.arpa
>   Flags                       : DNS_RPC_ZONE_DSINTEGRATED
> DNS_RPC_ZONE_UPDATE_SECURE ZoneType                    :
> DNS_ZONE_TYPE_PRIMARY Version                     : 50
>   dwDpFlags                   : DNS_DP_AUTOCREATED
> DNS_DP_DOMAIN_DEFAULT DNS_DP_ENLISTED pszDpFqdn                   :
> DomainDnsZones.hprs.locl
> 
> Should I delete this zone and recreate with
"0.168.192.in-addr.arpa"?
Yes, your reversezone at present has space for only one client.
> If so, what should I use for <Your-AD-DNS-Server-IP-or-hostname>? (my
> DC is dc1.hprs.locl). This template example says "or-hostname",
so
> would that be just "dc1" and not the FQDN? If I'm
interpreting this
> correctly, "<Your-AD-DNS-Server-IP-or-hostname>" should be
either
> "182.168.9.2" or "dc1", right? Which specification is
preferable? IP
> or hostname?
>
They should all work
You can use either the short hostname 'dc1', or its FQDN
'dc1.hprs.locl' or its ipaddress (which I feel sure isn't
'182.168.9.2', because if it is, you have even bigger problems). 

Rowland

samba - Dec 2023 - Provisioning new AD Domain Controller

[Samba] Provisioning new AD Domain Controller

[Samba] Provisioning new AD Domain Controller