DNS Administration
Introduction
If you're running Samba as Active Directory Domain Controller, you also have to administer a DNS server.
You will already find general information on the internal DNS and the BIND DLZ module and documentation about Bind as DNS Backend in the Wiki.
General
By default, Samba creates two forward zones during provisioning/upgrading. This wiki uses the imaginary DNS domain samdom.example.com (you should of course use your own domain name).
This leads to these two forward zones:
- samdom.example.com: Zone for your domain.
- _msdcs.samdom.example.com: This is the ForestDNSZone, which contains several service records for the entire directory.
The default DC name will be dc1.
Features
The Samba internal DNS is a new implementation. Although BIND is a mature DNS server that has long been in production on millions of servers, the Samba BIND DLZ module is still new. That's why neither backend yet covers all the features that you can set up with the Microsoft DNS tools. If you discover problems or missing features, please open a bug report/feature request at https://bugzilla.samba.org/.
Even though the internal DNS and the BIND DLZ module are new, they both support all basic requirements for Active Directory and more.
Known issues/missing features
- Managing zone transfers is not implemented yet. Bug report #9951: DNS MMC: Enabling DNS zone transfers in MMC fails
Importance of DNS for Active Directory
A working Active Directory depends heavily on a working DNS. It's not just for resolving names into IP addresses and vice versa: clients find their Domain Controller/s and other important AD services by DNS queries. This means that your clients must use your Domain Controller/s as their nameservers. Do not put anything else between your clients and your Domain Controller/s.
Administering DNS on Linux/Unix with samba-tool
Creating a new zone
As an example we'll add a reverse lookup zone.
It is suggested that you use, wherever possible, one of the RFC 1918 address ranges. These are:
- 10.0.0.0/8
- 172.16.0.0/12
- 192.168.0.0/16
Using the first one, 10.0.0.0/8, will allow you to have a maximum of 16,777,214 IP addresses. The second, 172.16.0.0/12, will allow you to have a maximum of 1,048,574 IP addresses. The third, 192.168.0.0/16, will allow you to have a maximum of 65,534 IP addresses.
You can, if you so wish, use different subnet masks/CIDRs to split up the RFC 1918 ranges. For instance, using 192.168.0.0/24 (netmask 255.255.255.0) will allow you to have a maximum of 254 IP addresses.
To create a /24 reverse zone:
$ samba-tool dns zonecreate dc1.samdom.example.com 0.168.192.in-addr.arpa -U administrator
Password for [administrator@SAMDOM.EXAMPLE.COM]:
Zone 0.168.192.in-addr.arpa created successfully
To create a /16 reverse zone:
$ samba-tool dns zonecreate dc1.samdom.example.com 168.192.in-addr.arpa -U administrator
Password for [administrator@SAMDOM.EXAMPLE.COM]:
Zone 168.192.in-addr.arpa created successfully
Your new zone will be live directly, without restarting Samba or BIND.
Adding new records
- Example: Adding an A record
$ samba-tool dns add dc1.samdom.example.com samdom.example.com demo A 192.168.0.55 -U administrator
Password for [administrator@SAMDOM.EXAMPLE.COM]:
Record added successfully
- Example: Adding a PTR record to the 192.168.0.0/24 reverse zone
$ samba-tool dns add dc1.samdom.example.com 0.168.192.in-addr.arpa 55 PTR demo.samdom.example.com -U administrator
Password for [administrator@SAMDOM.EXAMPLE.COM]:
Record added successfully
- Example: Adding a PTR record to the 192.168.0.0/16 reverse zone
$ samba-tool dns add dc1.samdom.example.com 168.192.in-addr.arpa 55.0 PTR demo.samdom.example.com -U administrator
Password for [administrator@SAMDOM.EXAMPLE.COM]:
Record added successfully
- Example: Adding a SRV record to _tcp.samdom.example.com
$ samba-tool dns add dc1.samdom.example.com samdom.example.com _demo._tcp SRV 'demo.samdom.example.com 8080 0 100' -U administrator
Password for [administrator@SAMDOM.EXAMPLE.COM]:
Record added successfully
- A note on SRV records: The order of the four parameters in the last field ("data") is 'hostname port priority weight', and they have to be enclosed in single quotes (' ').
- Example: Adding a NS record to the samdom.example.com zone
$ samba-tool dns add dc1.samdom.example.com samdom.example.com @ NS newdc.samdom.example.com -U administrator
Password for [administrator@SAMDOM.EXAMPLE.COM]:
Record added successfully
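The reverse-zone and PTR examples above show that the record name you pass to samba-tool depends on the size of the reverse zone: in the /24 zone the name is just the last octet (55), in the /16 zone it is the last two octets reversed (55.0). The POSIX shell script below is an added example, not part of the Samba wiki or of samba-tool itself; it derives the in-addr.arpa zone name and PTR label for the three RFC 1918 zone sizes and prints the matching samba-tool commands rather than running them. The server name dc1.samdom.example.com and the user administrator are assumptions taken over from the examples above.

```shell
#!/bin/sh
# Added example: derive reverse-zone names and PTR labels for /8, /16 and /24
# zones and build the samba-tool invocations (printed, not executed).
# Assumed values: DNS server dc1.samdom.example.com, user administrator.
DNS_SERVER=dc1.samdom.example.com
DNS_USER=administrator

# is_ipv4 ADDR -> success if ADDR has the dotted-quad shape (octet range is
# not checked; this is a shape check only).
is_ipv4() {
    printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$'
}

# split_octets ADDR -> sets o1..o4
split_octets() {
    o1=${1%%.*}; rest=${1#*.}
    o2=${rest%%.*}; rest=${rest#*.}
    o3=${rest%%.*}; o4=${rest#*.}
}

# reverse_zone NETWORK PREFIXLEN -> zone name
#   192.168.0.0 24 -> 0.168.192.in-addr.arpa
#   192.168.0.0 16 -> 168.192.in-addr.arpa
#   10.0.0.0     8 -> 10.in-addr.arpa
reverse_zone() {
    is_ipv4 "$1" || { echo "not an IPv4 address: $1" >&2; return 1; }
    split_octets "$1"
    case $2 in
        8)  printf '%s.in-addr.arpa\n' "$o1" ;;
        16) printf '%s.%s.in-addr.arpa\n' "$o2" "$o1" ;;
        24) printf '%s.%s.%s.in-addr.arpa\n' "$o3" "$o2" "$o1" ;;
        *)  echo "unsupported prefix length: $2 (use 8, 16 or 24)" >&2; return 1 ;;
    esac
}

# ptr_label HOSTADDR PREFIXLEN -> record name relative to the reverse zone
#   192.168.0.55 24 -> 55
#   192.168.0.55 16 -> 55.0
#   10.1.2.3      8 -> 3.2.1
ptr_label() {
    is_ipv4 "$1" || { echo "not an IPv4 address: $1" >&2; return 1; }
    split_octets "$1"
    case $2 in
        8)  printf '%s.%s.%s\n' "$o4" "$o3" "$o2" ;;
        16) printf '%s.%s\n' "$o4" "$o3" ;;
        24) printf '%s\n' "$o4" ;;
        *)  echo "unsupported prefix length: $2 (use 8, 16 or 24)" >&2; return 1 ;;
    esac
}

# ptr_add_cmd HOSTADDR PREFIXLEN FQDN -> the samba-tool command that adds
# the PTR record for HOSTADDR in the reverse zone of the given size.
ptr_add_cmd() {
    zone=$(reverse_zone "$1" "$2") || return 1
    label=$(ptr_label "$1" "$2") || return 1
    printf 'samba-tool dns add %s %s %s PTR %s -U %s\n' \
        "$DNS_SERVER" "$zone" "$label" "$3" "$DNS_USER"
}

# Usage: sh ptr_cmds.sh 192.168.0.55 24 demo.samdom.example.com
if [ $# -eq 3 ]; then
    ptr_add_cmd "$1" "$2" "$3"
fi
```

Run it with a host address, the zone's prefix length and the host's FQDN to get the command to paste, or source the file and call ptr_add_cmd from a loop over your own inventory. Zones split on other prefix lengths (such as the /12 range) are rejected rather than guessed at, because in-addr.arpa delegation only falls on octet boundaries.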
Updating existing records
- Example: Changing an A record
$ samba-tool dns update dc1.samdom.example.com samdom.example.com demo A 192.168.0.55 192.168.0.66 -U administrator
Password for [administrator@SAMDOM.EXAMPLE.COM]:
Record updated succefully
- Example: Changing a SOA Resource Record
- The data part of the SOA record consists of 7 space (' ') separated elements in the following order:
- nameserver, email, serial, refresh, retry, expire, minimum-ttl
- The following example changes the hostmaster's mail address:
$ samba-tool dns update <Your-AD-DNS-Server-IP-or-hostname> samdom.example.com @ SOA \
  "dc1.samdom.example.com hostmaster.example.com 63 900 600 86400 3600" \
  "dc1.samdom.example.com admin.example.com 64 900 600 86400 3600" -U administrator
Password for [administrator@SAMDOM.EXAMPLE.COM]:
Record updated successfully
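The SOA update above has two things worth getting right by script rather than by hand: the old data string must be passed verbatim, and the serial must move forward (the example goes from 63 to 64) so that secondaries notice the change. The POSIX shell below is an added example, not from the Samba wiki or samba-tool; it takes the current SOA data as one string, validates the seven fields, bumps the serial (wrapping at 2^32 as DNS serial arithmetic does), rewrites the responsible-person mailbox into the dotted RFC 1035 form, and prints the full samba-tool update command. The server and zone names are assumed to be those used in the examples above.

```shell
#!/bin/sh
# Added example: build the "old data" / "new data" pair for
# samba-tool dns update ... @ SOA from the current SOA record.
# Assumed: server dc1.samdom.example.com, zone samdom.example.com.

# soa_bump "OLD_SOA_DATA" NEW_MAILBOX -> new SOA data string
#   - fields: nameserver email serial refresh retry expire minimum-ttl
#   - serial is incremented modulo 2^32
#   - a mailbox given as user@domain is converted to user.domain
#     (a '.' inside the local part would need escaping; not handled here)
soa_bump() {
    old=$1
    mailbox=$2
    # intentional word splitting of the seven space-separated fields
    set -- $old
    [ $# -eq 7 ] || { echo "SOA data must have 7 fields, got $#" >&2; return 1; }
    ns=$1; serial=$3; refresh=$4; retry=$5; expire=$6; minttl=$7
    case $serial in
        ''|*[!0-9]*) echo "serial is not a number: $serial" >&2; return 1 ;;
    esac
    mailbox=$(printf '%s' "$mailbox" | sed 's/@/./')
    printf '%s %s %s %s %s %s %s\n' \
        "$ns" "$mailbox" "$(( (serial + 1) % 4294967296 ))" \
        "$refresh" "$retry" "$expire" "$minttl"
}

# soa_update_cmd SERVER ZONE "OLD_SOA_DATA" NEW_MAILBOX -> samba-tool command
# that replaces the zone's SOA with the bumped record.
soa_update_cmd() {
    new=$(soa_bump "$3" "$4") || return 1
    printf 'samba-tool dns update %s %s @ SOA "%s" "%s" -U administrator\n' \
        "$1" "$2" "$3" "$new"
}

# Usage: sh soa_update.sh "dc1.samdom.example.com hostmaster.example.com 63 900 600 86400 3600" admin@example.com
if [ $# -eq 2 ]; then
    soa_update_cmd dc1.samdom.example.com samdom.example.com "$1" "$2"
fi
```

Fetch the current data with samba-tool dns query <server> <zone> @ SOA -U administrator first and paste it in as the first argument; samba-tool matches the old value exactly, so a hand-typed copy with a stale serial or a different TTL value will not update anything.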
Delete a record
- Example: Deleting an A record
$ samba-tool dns delete dc1.samdom.example.com samdom.example.com demo A 192.168.0.55 -U administrator
Password for [administrator@SAMDOM.EXAMPLE.COM]:
Record deleted succefully
- Example: Deleting a NS record from the samdom.example.com zone
$ samba-tool dns delete dc1.samdom.example.com samdom.example.com @ NS olddc.samdom.example.com -U administrator
Password for [administrator@SAMDOM.EXAMPLE.COM]:
Record deleted successfully
Deleting a zone
- Example: Deleting a reverse zone
$ samba-tool dns zonedelete dc1.samdom.example.com 0.168.192.in-addr.arpa -U administrator
Password for [administrator@SAMDOM.EXAMPLE.COM]:
Zone 0.168.192.in-addr.arpa delete successfully
Listing existing zones
- Example: Listing secondary zones
$ samba-tool dns zonelist dc1.samdom.example.com --secondary -U administrator
Listing zone information
- Example: Showing information about a zone
$ samba-tool dns zoneinfo dc1.samdom.example.com <zone-name> -U administrator
Listing zone records
- Example: Listing all records in a zone
$ samba-tool dns query dc1.samdom.example.com <zone-name> @ ALL -U administrator
Administering DNS on Windows
To administer DNS from a Windows client, you have to install the DNS MMC Snap-In. See Installing RSAT on Windows for AD Management for more details.
If you use the internal DNS server, there are the following known problems:
- Scavenging is not implemented yet. The error message "This function is not supported on this system" is returned.
- Conditional forwarders are not implemented yet. The same error message as above is returned.
- The DNS forwarder can only be changed in the smb.conf, not via the MMC Snap-In.
- Creating static records. When a static record is created, it has a timestamp and the option "Delete this record when it becomes stale" set. In Windows Active Directory, static records have a "static" timestamp and cannot be accidentally deleted.
Adding new records
- Navigate to the zone where you want to add a new record.
- Right-click it and choose the kind of record to add.
- Fill the fields and save the new entry.
Updating existing records
- Navigate to the zone that contains the record you want to edit.
- Right-click the record and choose „Properties“.
- Edit the entry and save the changes.
Delete a record
- Navigate to the zone that contains the record you want to remove.
- Right-click the record and choose „Delete“.
Changing zone properties
- Right-click the zone you want to change.
- Choose „Properties“.
Note: Currently, neither DNS backend supports all features that can be set up in the dialogues. If you discover problems or missing features, please open a bug report/feature request at https://bugzilla.samba.org/.
Creating a new zone
As an example, we'll add a reverse lookup zone.
- Right-click „Reverse Lookup Zones“ and choose „New Zone“.
- The „New Zone Wizard“ appears.
- Zone Type: Select „Primary zone“ and „Store the zone in Active Directory“.
- Zone Replication Scope: Depends on your needs.
- Reverse Lookup Zone Name: Depends on your needs.
- Dynamic Update: Depends on your needs.
- Finish the wizard.
Your new zone is live directly, without restarting Samba or BIND.
Deleting a zone
- Right-click the zone and choose „Delete“.
Administering DNS on Linux with admin-tools
You can administer DNS from a Linux client using the admin-tools DNS module. The admin-tools DNS module uses samba-tool as a backend. You can download an AppImage here.
Adding new records
- Navigate to the zone where you want to add a new record.
- Select the Action menu and choose the kind of record to add.
- Fill the fields and save the new entry.
Updating existing records
- Navigate to the zone that contains the record you want to edit.
- Highlight the record, then select the Action menu and choose „Properties“.
- Edit the entry and save the changes.
Delete a record
- Navigate to the zone that contains the record you want to remove.
- Highlight the record, then select the Action menu and choose „Delete“.
Creating a new zone
As an example, we'll add a reverse lookup zone.
- Highlight „Reverse Lookup Zones“, then select the Action menu and choose „New Zone“.
- The „New Zone Wizard“ appears.
- Choose IPv4 or IPv6: Depends on your needs.
- Reverse Lookup Zone Name: Depends on your needs.
- Finish the wizard.
Your new zone is live directly, without restarting Samba or BIND.
Deleting a zone
- Highlight a zone, then select the Action menu and choose „Delete“.
Configuring clients to use your AD DNS server
Testing your DNS Server
See Testing the DNS Name Resolution.