The Samba AD DNS Back Ends

From SambaWiki


In an Active Directory (AD), DNS is a very important service. It is used for:

  • name resolution
  • locating services, such as Kerberos and LDAP
  • locating local domain controllers (DC) when using AD sites. For details, see Active Directory Sites.

Supported DNS Back Ends

Samba supports the following DNS back ends:

  • Default when provisioning a new domain, joining an existing domain or migrating an NT4 domain to AD.
  • No additional software or DNS knowledge is required.
  • Use this back end for simple DNS setups. For a list of limitations, see Limitations.
  • Requires BIND 9.8 or later installed and configured locally on the Samba Active Directory (AD) domain controller (DC). For additional information, see Setting up a BIND DNS Server.
  • Requires knowledge about the BIND DNS server and how to configure the service.
  • Use this back end for complex DNS scenarios, you can not configure in the internal DNS.

If you are unsure which DNS back end to select during the DC installation, start with the Samba internal DNS. You can change the back end at any time. For details, see Changing the DNS Back End of a Samba AD DC.

Using the Samba Internal DNS Back End

The Samba internal DNS server can be edited and queried using samba-tool. For example,

To get a get a list of zones: samba-tool dns zonelist server

To update a record: samba-tool dns update server zone_name A|AAA|CNAME|NS|MX|SRV|TXT old_value new_value

Run samba-tool dns -h to see the complete list of available commands.

Selecting the AD Forest Root Domain

Before you provision your Active Directory (AD), you must select a DNS zone for your AD forest root domain. For details, see Active Directory Naming FAQ.

Best practices:

  • Use a domain name you own.
  • Use a subdomain of your domain, such as
  • Do not use .local domains. They can cause problems with Mac OS X and Zeroconf.

For details, see Active Directory Naming FAQ.