On Tue, 28 Oct 2025 03:02:34 +0100
Markus Gschwendt via samba <samba at lists.samba.org> wrote:

>
> I did read this some time ago and I don't remember the source -
> sorry. But good to know it should still work in Trixie.
> However, the upgrade was necessary because we could not join Win11
> 24H2 clients and we thought it's time to migrate to AD anyways.

The time, in my opinion, was more than 5 years ago, if not longer.

> > > > So we did the migration prior to the Debian upgrade.
> > > As we have the problem with AXFR transfers only at one of 2 sites
> > > I'd like to fix this before we do any further upgrades.
> >
> > Why do you want to do this ?
> > Samba AD DCs are authoritative for the DNS domain, all of them, it
> > is known as multi-master. There is no real need to transfer the
> > records to an external dns server.
>
> We really don't want the Samba server to be our central DNS system.

It doesn't have to be, but as AD lives and dies on DNS, the DC(s) need
to be 'central' for your AD domain clients. The DC(s) need to be the
first port of contact for the domain clients, anything unknown e.g.
www.google.com is forwarded to an external DNS server.

> Separating services is the main reason. (Security, debugging, ...)
> Maybe a discussion for another thread.

In my opinion you are setting yourself up for a lot of pain.

> > > ?
> > > (A short try to upgrade to Trixie did not start samba - I had no
> > > time to investigate)
> >
> > It should have started, provided you ran something like 'systemctl
> > start samba-ad-dc'.
> >
>
> I'll try again in some weeks when we are done with the rest of the
> migration.
>
> > It's like 'ad1.companyname.internal'
> .internal as TLD as recommended by IANA [0]

If IANA is recommending that, then I do not know why, they haven't
added it to the reserved list. However, that is beyond the point,
whatever you use should not be routable from the internet.

> > > ...
> > > We need to get the whole zone information to another Bind9 server
> > > via AXFR.
> >
> > Why ?
>
> I think that's one of the reasons the bind9_dlz module exists and even
> there is a setting in smb.conf '[global]' to allow such transfers.
> E.g.:
> 'dns zone transfer clients allow = 192.168.0.1'

I have never really understood just why you would do that, it isn't
required and can cause problems. As I said, just set your domain
clients to use the DC(s) as their nameservers and everything just
works.

Rowland
On 28.10.2025 at 10:18, Rowland Penny via samba wrote:

> On Tue, 28 Oct 2025 03:02:34 +0100
> Markus Gschwendt via samba <samba at lists.samba.org> wrote:
> > We really don't want the Samba server to be our central DNS system.
>
> It doesn't have to be, but as AD lives and dies on DNS, the DC(s) need
> to be 'central' for your AD domain clients. The DC(s) need to be the
> first port of contact for the domain clients, anything unknown e.g.
> www.google.com is forwarded to an external DNS server.
>
> > Separating services is the main reason. (Security, debugging, ...)
> > Maybe a discussion for another thread.

What we do is to have two separate nameservers apart from the DCs.
These serve everything that is not AD, and they are the servers
configured in AD as forwarders where the non-AD requests go (and vice
versa). In this way we keep our AD DNS restricted to the AD members,
but at the same time get full DNS resolution for all systems without
doing any transfers. You could even run these nameservers on the AD
systems on a separate IP, if you do not want to waste 4 systems doing
almost nothing in a small environment.

I completely agree with Rowland that you absolutely need to configure
the AD servers, and nothing else, as nameservers for all domain
members, or you will be in big trouble soon.

HTH,
Jakob
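The split Jakob describes (non-AD nameservers forwarding the AD zone to the DCs, DCs forwarding everything else back to them, no AXFR anywhere), written out as an added configuration example that is not from this thread or from the Samba project. The zone name ad.example.internal, the hosts ns1/ns2 and dc1/dc2, and all addresses are assumed placeholders; the DCs are assumed to run bind9_dlz as in the original post.

```conf
# ---- On the non-AD nameservers ns1/ns2 (BIND9), e.g. named.conf.local ----
# These hold the company's ordinary zones and recurse for the internet.
# The AD zone is never transferred here: queries for it are forwarded
# to the DCs, which are authoritative (multi-master) for it.
zone "ad.example.internal" {
    type forward;
    forward only;
    forwarders { 192.0.2.11; 192.0.2.12; };   # dc1, dc2 (placeholder addresses)
};

# Reverse zone for the AD subnet, if the DCs are the ones maintaining it.
zone "2.0.192.in-addr.arpa" {
    type forward;
    forward only;
    forwarders { 192.0.2.11; 192.0.2.12; };
};

# ---- On each Samba AD DC running bind9_dlz, e.g. named.conf.options ----
# The DLZ include generated by Samba stays as provisioned; only the
# forwarding of everything the DC is *not* authoritative for is added.
options {
    directory "/var/cache/bind";
    recursion yes;
    # Only AD members and the DCs themselves may recurse through a DC.
    allow-recursion { 192.0.2.0/24; 198.51.100.0/24; };
    # www.google.com, the company's non-AD zones, etc. go to ns1/ns2.
    forwarders { 198.51.100.21; 198.51.100.22; };
    forward only;
};

# ---- smb.conf [global] on the DCs ----
# Nothing transfer-related is needed in this design, so the setting from
# the original post is left unset: no host is allowed to AXFR the AD zone.
#   dns zone transfer clients allow =
#
# If the DCs use Samba's internal DNS instead of bind9_dlz, the forwarding
# above is expressed here rather than in named.conf.options:
#   dns forwarder = 198.51.100.21 198.51.100.22

# ---- Domain members (DHCP option / resolv.conf) ----
# nameserver 192.0.2.11
# nameserver 192.0.2.12
# Only the DCs, never ns1/ns2 directly: SRV lookups for _ldap._tcp etc.
# must reach an authoritative DC on the first try.
```

With this layout a workstation on the AD subnet resolves both www.google.com and the DC SRV records through dc1/dc2 alone, while a non-AD server pointed at ns1/ns2 still resolves AD names through the forward zone, and no zone transfer ever leaves the DCs.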
On Tue, 2025-10-28 at 09:18 +0000, Rowland Penny via samba wrote:

> On Tue, 28 Oct 2025 03:02:34 +0100
> Markus Gschwendt via samba <samba at lists.samba.org> wrote:
> >
> > I did read this some time ago and I don't remember the source -
> > sorry. But good to know it should still work in Trixie.
> > However, the upgrade was necessary because we could not join Win11
> > 24H2 clients and we thought it's time to migrate to AD anyways.
>
> The time, in my opinion, was more than 5 years ago, if not longer.
>

I fully agree. We started around 2016 but it took some time...

> > > ...
> > We really don't want the Samba server to be our central DNS system.
>
> It doesn't have to be, but as AD lives and dies on DNS, the DC(s) need
> to be 'central' for your AD domain clients. The DC(s) need to be the
> first port of contact for the domain clients, anything unknown e.g.
> www.google.com is forwarded to an external DNS server.
>
> > Separating services is the main reason. (Security, debugging, ...)
> > Maybe a discussion for another thread.
>
> In my opinion you are setting yourself up for a lot of pain.

DNS is designed to be a distributed system and the whole internet as we
know it today lives and dies on DNS. But not every service (webserver,
email, chat, ...) has to bring its own DNS server. It works great when
samba transfers its DNS records to the central DNS infrastructure like
all other master and hidden master servers do. And I'm really happy we
can do it that way with Samba. Thanks for that great piece of software!

There are lots of reasons not to use those monolithic systems from M$.

Markus