Difference between revisions of "DNS Administration"

m (Minor reformatting)
m (/* Update page and added how to create a /16 reverse zone)
 
(37 intermediate revisions by 7 users not shown)
Line 3: Line 3:
 
If you're running Samba as Active Directory Domain Controller, you also have to administer a DNS server.
 
If you're running Samba as Active Directory Domain Controller, you also have to administer a DNS server.
  
You will already find general [[DNS|information on the internal DNS and the BIND DLZ module]] and documentation about [[DNS_Backend_BIND|Bind as DNS Backend]] in the Wiki.
+
You will already find general [[The_Samba_AD_DNS_Back_Ends|information on the internal DNS and the BIND DLZ module]] and documentation about [[BIND9_DLZ_DNS_Back_End|Bind as DNS Backend]] in the Wiki.
 +
 
 +
 
 +
 
 +
 
  
 
= General =
 
= General =
  
Per default, Samba creates the following two forward zones during provisioning/upgrading (of course with your own domain name):
+
By default, Samba creates the following two forward zones during provisioning/upgrading (of course with your own domain name):
  
 
* '''samdom.example.com''': Zone for your domain.
 
* '''samdom.example.com''': Zone for your domain.
Line 18: Line 22:
 
= Features =
 
= Features =
  
The Samba internal DNS is a new implementation. Although BIND is a grown up DNS and long in production on millions of servers, the Samba BIND DLZ module is still new. That's why both backends don't cover all features yet, you can setup with the Microsoft DNS tools. If you discover problems or missing features, please open a bug report/feature request at [https://bugzilla.samba.org/ https://bugzilla.samba.org/].
+
The Samba internal DNS is a new implementation. Although BIND is a grown up DNS and long in production on millions of servers, the Samba BIND DLZ module is still new. That's why both backends don't yet cover all the features that you can setup with the Microsoft DNS tools. If you discover problems or missing features, please open a bug report/feature request at [https://bugzilla.samba.org/ https://bugzilla.samba.org/].
  
But even if the internal DNS and the BIND DLZ modules are new, they both support all basic requirements for Active Directory and more.
+
Even though the internal DNS and the BIND DLZ modules are new, they both support all basic requirements for Active Directory and more.
  
  
Line 29: Line 33:
  
 
* Different zone transfer settings on internal DNS (denied) and BIND DLZ (allowed). [https://bugzilla.samba.org/show_bug.cgi?id=9634 Bug report #9634: Samba Bind DLZ module allows zone transfers for everyone]
 
* Different zone transfer settings on internal DNS (denied) and BIND DLZ (allowed). [https://bugzilla.samba.org/show_bug.cgi?id=9634 Bug report #9634: Samba Bind DLZ module allows zone transfers for everyone]
 +
 +
 +
 +
  
 
= Importance of DNS for Active Directory =
 
= Importance of DNS for Active Directory =
  
A working Active Directory is heavily based on a working DNS. It's not just for resolving IP addresses into names and vice versa. Clients find their Domain Controller/s and other important AD services by DNS queries.
+
A working Active Directory is heavily based on a working DNS. It's not just for resolving IP addresses into names and vice versa. Clients find their Domain Controller/s and other important AD services by DNS queries, this means that your clients must use your Domain Controller/s as their nameservers. Do not use anything else between your clients and Domain Controller/s.
 +
 
 +
 
 +
 
 +
 
 +
 
 +
= Administering DNS on Linux/Unix with samba-tool =
 +
 
 +
== Creating a new zone ==
 +
 
 +
As an example we'll add a reverse lookup zone.
  
 +
It is suggested that you use, wherever possible, one of the RFC 1918 zones, these are:
  
 +
10.0.0.0/8
 +
172.16.0.0/12
 +
192.168.0.0/16
  
 +
Using the first one: 10.0.0.0/8 will allow you to have a maximum of 16,777,214 ipaddresses.
 +
The second: 172.16.0.0/12 will allow you to have a maximum of 1,048,574 ipaddresses.
 +
The third: 192.168.0.0/16 will allow you to have a maximum of 65,534 ipaddresses.
  
 +
You can, if you so wish, use different Subnet masks/CIDRs to split up the RFC1918 zones. For instance, using 192.168.0.0/24 (netmask 255.255.255.0) will you allow you to have a maximum of 254 ipaddresses.
  
= Administering DNS on Windows =
+
== To create a /24 reverse zone ==
 +
 
 +
# samba-tool dns zonecreate <Your-AD-DNS-Server-IP-or-hostname> 0.168.192.in-addr.arpa
 +
Password for [administrator@SAMDOM.EXAMPLE.COM]:
 +
Zone 0.168.192.in-addr.arpa created successfully
 +
 
 +
== To create a /16 reverse zone ==
 +
 
 +
# samba-tool dns zonecreate <Your-AD-DNS-Server-IP-or-hostname> 168.192.in-addr.arpa
 +
Password for [administrator@SAMDOM.EXAMPLE.COM]:
 +
Zone 168.192.in-addr.arpa created successfully
  
To administer DNS from a Windows client, you have to install the DNS MMC Snap-In. See [[Installing_RSAT_on_Windows_for_AD_Management|Installing RSAT on Windows for AD Management]] for more details.
+
Your new zone will be directly live without restarting Samba or BIND.
  
  
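Review bot: the added sentence "using 192.168.0.0/24 (netmask 255.255.255.0) will you allow you to have a maximum of 254 ipaddresses" has a stray "you"; drop the first one, and write "IP addresses" rather than "ipaddresses" here and in the three counts above it. The same block calls the RFC 1918 ranges "zones", but only the /8, /16 and /24 cases shown map onto a single in-addr.arpa zone; one sentence saying that 172.16.0.0/12 has to be split into /16 (or /24) reverse zones would make the /12 case as clear as the two examples.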
Line 46: Line 82:
 
== Adding new records ==
 
== Adding new records ==
  
* Navigate to the zone, where you want to to add a new record.
+
* Example: Adding an A record
 +
 
 +
# samba-tool dns add <Your-AD-DNS-Server-IP-or-hostname> samdom.example.com demo A 192.168.0.55
 +
Password for [administrator@SAMDOM.EXAMPLE.COM]:
 +
Record added successfully
 +
 
 +
* Example: Adding a PTR record to the 192.168.0.0/24 reverse zone
 +
 
 +
# samba-tool dns add <Your-AD-DNS-Server-IP-or-hostname> 0.168.192.in-addr.arpa 55 PTR demo.samdom.example.com
 +
Password for [administrator@SAMDOM.EXAMPLE.COM]:
 +
Record added successfully
 +
 
 +
* Example: Adding a PTR record to the 192.168.0.0/16 reverse zone
 +
 
 +
# samba-tool dns add <Your-AD-DNS-Server-IP-or-hostname> 168.192.in-addr.arpa 55.0 PTR demo.samdom.example.com
 +
Password for [administrator@SAMDOM.EXAMPLE.COM]:
 +
Record added successfully
 +
 
 +
* Example: Adding a SRV record to _tcp.samdom.example.com
 +
 
 +
# samba-tool dns add <Your-AD-DNS-Server-IP-or-hostname> samdom.example.com _demo._tcp SRV 'demo.samdom.example.com 8080 0 100'
 +
Password for [administrator@SAMDOM.EXAMPLE.COM]:
 +
Record added successfully
  
* Right-click to it and choose the kind of record to add.
+
:A note on SRV records: The order of the four parameters in the last field ("data") are 'hostname port priority weight' and have to be between '  '.
  
: [[Image:DNS_Manager_Add_records.png]]
+
* Example: Adding a NS record to samdom.example.com zone
  
* Fill the fields and save the new entry.
+
# samba-tool dns add <Your-AD-DNS-Server-IP-or-hostname> samdom.example.com @ NS newdc.sambdom.example.com
 +
Password for [administrator@SAMDOM.EXAMPLE.COM]:
 +
Record added successfully
  
  
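Review bot: the NS example target "newdc.sambdom.example.com" misspells the page's own domain (samdom.example.com) and, copied as-is, creates a delegation to a name that does not exist; fix the hostname. In the SRV note, "have to be between '  '" is hard to read; "must be enclosed in single quotes" says the same thing plainly.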
Line 58: Line 118:
 
== Updating existing records ==
 
== Updating existing records ==
  
* Navigate to the zone that contains the record you want to edit.
+
* Example: Changing an A record
 +
 
 +
# samba-tool dns update <Your-AD-DNS-Server-IP-or-hostname> samdom.example.com demo A 192.168.0.55 192.168.0.66
 +
Password for [administrator@SAMDOM.EXAMPLE.COM]:
 +
Record updated succefully
  
* Right-click the record and choose „Properties“.
+
* Example: Changing a SOA Resource Record
 +
: The data part of the SOA record consists of 7 space ('&#32;') separated elements in the following order:
 +
: ''nameserver, email, serial, refresh, retry, expire, minimum-ttl''
 +
: &nbsp;
 +
: The following example changes the host masters mail address:
 +
# samba-tool dns update <Your-AD-DNS-Server-IP-or-hostname> samdom.example.com @ SOA \
 +
  "dc1.samdom.example.com hostmaster.example.com 63 900 600 86400 3600" \
 +
  "dc1.samdom.example.com admin.example.com 64 900 600 86400 3600"
 +
Password for [administrator@SAMDOM.EXAMPLE.COM]:
 +
Record updated successfully
  
: [[Image:DNS_Manager_Change_record.png]]
 
  
* Edit the entry and save the changes.
 
  
 +
== Delete a record ==
  
 +
* Example: Deleting an A record
 +
# samba-tool dns delete <Your-AD-DNS-Server-IP-or-hostname> samdom.example.com demo A 192.168.0.55
 +
Password for [administrator@SAMDOM.EXAMPLE.COM]:
 +
Record deleted succefully
  
== Delete a record ==
+
* Example: Deleting a NS record from samdom.example.com zone
  
* Navigate to the zone that contains the record you want to remove.
+
# samba-tool dns delete <Your-AD-DNS-Server-IP-or-hostname> samdom.example.com @ NS olddc.sambdom.example.com
 +
Password for [administrator@SAMDOM.EXAMPLE.COM]:
 +
Record deleted successfully
  
* Right-click to the record and choose „Delete“.
 
  
  
 +
== Deleting a zone ==
  
== Changing zone properties ==
+
* Example: Deleting a reverse zone:
  
* Right-click to a zone of which you you want to do changes.
+
# samba-tool dns zonedelete <Your-AD-DNS-Server-IP-or-hostname> 0.168.192.in-addr.arpa
 +
Password for [administrator@SAMDOM.EXAMPLE.COM]:
 +
Zone 0.168.192.in-addr.arpa delete successfully
  
* Choose „Properties“.
 
  
'''Note''': Currently both DNS backends doesn't support all features, that can be setup in the dialogues. If you discover problems or missing features, please open a bug report/feature request at [https://bugzilla.samba.org/ https://bugzilla.samba.org/].
 
  
 +
== Listing existing zones ==
  
 +
* Example: listing secondary zones
 +
# samba-tool dns zonelist <Your-AD-DNS-Server-IP-or-hostname> --secondary -U administrator
  
== Creating a new zone ==
 
  
As example we'll add a reverse lookup zone.
 
  
* Right-click to „Reverse Lookup Zones“ and choose „New Zone“.
+
== Listing zone information ==
  
* The „New Zone Wizard“ appears.
+
* Example: showing information about a zone
 +
# samba-tool dns zoneinfo <Your-AD-DNS-Server-IP-or-hostname> <zone-name> -U administrator
  
* Zone Type: Select „Primary zone“ and „Store the zone in Active Directory“.
 
  
: [[Image:DNS_Add_Zone_Wizzard_1.png]]
 
  
* Zone Replication Scope: Depents on your needs.
+
== Listing zone records ==
  
: [[Image:DNS_Add_Zone_Wizzard_2.png]]
+
* Example: listing records from a zone
 +
# samba-tool dns query <Your-AD-DNS-Server-IP-or-hostname> <zone-name> @ ALL -U administrator
  
* Reverse Lookup Zone Name: Depents on your needs.
 
  
: [[Image:DNS_Add_Zone_Wizzard_3.png]]
 
  
: Dynamic Update: Depents on your needs.
 
  
: [[Image:DNS_Add_Zone_Wizzard_4.png]]
 
  
* Finish the wizard.
+
= Administering DNS on Windows =
  
If you are using BIND_DLZ as backend, then your new zone is directly live without restarting Samba or BIND.
+
To administer DNS from a Windows client, you have to install the DNS MMC Snap-In. See [[Installing RSAT|Installing RSAT on Windows for AD Management]] for more details.
  
The internal DNS as backend currently needs a restart of Samba to take effect. See [https://bugzilla.samba.org/show_bug.cgi?id=9404 bug report #9404].
+
If you use the internal DNS server, there are the following known problems:
  
 +
* Scavenging is not implemented yet. The error message "This function is not supported on this system" is returned.
 +
* Conditional forwarders are not implemented yet. The same error message as above is returned.
 +
* The DNS forwarder can only be changed in the smb.conf, not via the MMC Snap-In.
 +
* Creating static records. When a static record is created it has a timestamp and the option "Delete this record when it becomes stale". In Windows Active Directory, static records have a "static" timestamp and cannot be accidently deleted.
  
  
== Deleting a zone ==
 
  
* Right-click to a zone and choose „Delete“.
 
  
: [[Image:DNS_Delete_Zone.png]]
+
== Adding new records ==
  
 +
* Navigate to the zone, where you want to to add a new record.
  
 +
* Right-click to it and choose the kind of record to add.
  
 +
: [[Image:DNS_Manager_Add_records.png]]
  
 +
* Fill the fields and save the new entry.
  
= Administering DNS on Linux/Unix =
 
  
== Adding new records ==
 
  
* Example: Adding an A record
+
== Updating existing records ==
  
# samba-tool dns add <Your-AD-DNS-Server-IP-or-hostname> samdom.example.com demo A 10.99.0.55
+
* Navigate to the zone that contains the record you want to edit.
Password for [administrator@SAMDOM.EXAMPLE.COM]:
 
Record added successfully
 
  
* Example: Adding a PTR record to a reverse zone
+
* Right-click the record and choose „Properties“.
  
# samba-tool dns add <Your-AD-DNS-Server-IP-or-hostname> 0.99.10.in-addr.arpa 55 PTR demo.samdom.example.com
+
: [[Image:DNS_Manager_Change_record.png]]
Password for [administrator@SAMDOM.EXAMPLE.COM]:
 
Record added successfully
 
  
* Example: Adding a SRV record to _tcp.samdom.example.com
+
* Edit the entry and save the changes.
  
# samba-tool dns add <Your-AD-DNS-Server-IP-or-hostname> samdom.example.com _demo._tcp SRV 'demo.samdom.example.com 8080 0 100'
 
Password for [administrator@SAMDOM.EXAMPLE.COM]:
 
Record added successfully
 
  
:A note on SRV records: The order of the four parameters in the last field („data“) are 'hostname port priority weight' and have to be between '  '.
 
  
 +
== Delete a record ==
  
 +
* Navigate to the zone that contains the record you want to remove.
  
== Updating existing records ==
+
* Right-click to the record and choose „Delete“.
  
* Example: Changing an A record
 
  
# samba-tool dns update <Your-AD-DNS-Server-IP-or-hostname> samdom.example.com demo A 10.99.0.55 10.99.0.66
 
Password for [administrator@SAMDOM.EXAMPLE.COM]:
 
Record updated succefully
 
  
 +
== Changing zone properties ==
  
 +
* Right-click to a zone of which you you want to do changes.
  
== Delete a record ==
+
* Choose „Properties“.
  
* Example: Deleting an A record
+
'''Note''': Currently both DNS backends don't support all features that can be setup in the dialogues. If you discover problems or missing features, please open a bug report/feature request at [https://bugzilla.samba.org/ https://bugzilla.samba.org/].
# samba-tool dns delete <Your-AD-DNS-Server-IP-or-hostname> samdom.example.com demo A 10.99.0.55
 
Password for [administrator@SAMDOM.EXAMPLE.COM]:
 
Record deleted succefully
 
  
  
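Review bot: three of the new output lines carry typos that readers will search for verbatim: "Record updated succefully" and "Record deleted succefully" (successfully) and "Zone 0.168.192.in-addr.arpa delete successfully" (deleted); the NS delete example also repeats the "olddc.sambdom.example.com" misspelling of samdom.example.com. The SOA example itself is sound (serial 63 to 64 alongside the mail change), but "changes the host masters mail address" should read "hostmaster's".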
Line 177: Line 245:
 
As example we'll add a reverse lookup zone.
 
As example we'll add a reverse lookup zone.
  
# samba-tool dns zonecreate <Your-AD-DNS-Server-IP-or-hostname> 0.99.10.in-addr.arpa
+
* Right-click to „Reverse Lookup Zones“ and choose „New Zone“.
Password for [administrator@SAMDOM.EXAMPLE.COM]:
+
 
Zone 0.99.10.in-addr.arpa created successfully
+
* The „New Zone Wizard“ appears.
 +
 
 +
* Zone Type: Select „Primary zone“ and „Store the zone in Active Directory“.
 +
 
 +
: [[Image:DNS_Add_Zone_Wizzard_1.png]]
 +
 
 +
* Zone Replication Scope: Depends on your needs.
 +
 
 +
: [[Image:DNS_Add_Zone_Wizzard_2.png]]
 +
 
 +
* Reverse Lookup Zone Name: Depends on your needs.
 +
 
 +
: [[Image:DNS_Add_Zone_Wizzard_3.png]]
 +
 
 +
: Dynamic Update: Depends on your needs.
 +
 
 +
: [[Image:DNS_Add_Zone_Wizzard_4.png]]
 +
 
 +
* Finish the wizard.
  
If you are using BIND_DLZ as backend, then your new zone is directly live without restarting Samba or BIND.
+
Your new zone is directly live without restarting Samba or BIND.
  
The internal DNS as backend currently needs a restart of Samba to take effect. See [https://bugzilla.samba.org/show_bug.cgi?id=9404 bug report #9404].
 
  
  
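Review bot: replacing "If you are using BIND_DLZ as backend, then your new zone is directly live" and the internal-DNS restart caveat with its link to bug report #9404 by the unconditional "Your new zone is directly live without restarting Samba or BIND" drops the only version information the reader had; if the bug is fixed, say from which Samba version the internal DNS picks up new zones without a restart, otherwise keep the caveat and the link.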
Line 189: Line 274:
 
== Deleting a zone ==
 
== Deleting a zone ==
  
* Example: Deleting a reverse zone:
+
* Right-click to a zone and choose „Delete“.
  
# samba-tool dns zonedelete <Your-AD-DNS-Server-IP-or-hostname> 0.99.10.in-addr.arpa
+
: [[Image:DNS_Delete_Zone.png]]
Password for [administrator@SAMDOM.EXAMPLE.COM]:
 
Zone 0.99.10.in-addr.arpa delete successfully
 
  
= Configuring clients to use your AD DNS server =
+
= Administering DNS on Linux with admin-tools =
  
If you provide DNS server addresses via DHCP to your clients, configure your DHCP server to ship the adress/es of your DNS server/s.
+
You can administer DNS from a Linux client using the admin-tools DNS module. The admin-tools DNS module uses samba-tool as a backend. You can download an [https://appimage.github.io/admin-tools/ AppImage here].
  
For static configuration on the different Windows versions, continue reading.
+
== Adding new records ==
  
 +
* Navigate to the zone where you want to to add a new record.
  
 +
* Select the Action menu and choose the kind of record to add.
  
== Windows 8 ==
+
: [[Image:Admin_tools_DNS_Manager_Add_records.png]]
  
* Press [Win]+[W] and search for „Network and Sharing Center“ in Settings and open the app.
+
* Fill the fields and save the new entry.
  
: [[Image:Win8_Network_App.png]]
 
  
* Click „Change adapter settings“.
 
  
* Right-click to your network adapter and choose „Properties“.
+
== Updating existing records ==
  
: [[Image:Win8_Network_and_Sharing_Center.png]]
+
* Navigate to the zone that contains the record you want to edit.
  
* Click to your Internet Protocol (IPv4/IPv6) and click the „Properties“ button.
+
* Highlight the record, then select the Action menu and choose „Properties“.
  
* Enter the IP address/es of your DNS server/s.
+
: [[Image:Admin_tools_DNS_Manager_Change_record.png]]
  
: [[Image:Win8_DNS_Server_Addresses.png]]
+
* Edit the entry and save the changes.
  
* Save the settings by clicking „OK“.
 
  
  
 +
== Delete a record ==
  
== Windows 7 ==
+
* Navigate to the zone that contains the record you want to remove.
  
* Click to „Start“ and search for „Network and Sharing Center“.
+
* Highlight the record, then select the Action menu and choose „Delete“.
  
* Click „Change adapter settings“.
 
  
* Right-click to your network adapter and choose „Properties“.
 
  
: [[Image:Win7_Network_and_Sharing_Center.png]]
+
== Creating a new zone ==
  
* Click to your Internet Protocol (IPv4/IPv6) and click the „Properties“ button.
+
As example we'll add a reverse lookup zone.
  
* Enter the IP address/es of your DNS server/s.
+
* Highlight „Reverse Lookup Zones“, then select the Action menu and choose „New Zone“.
  
: [[Image:Win7_DNS_Server_Addresses.png]]
+
* The „New Zone Wizard“ appears.
  
* Save the settings by clicking „OK“.
+
* Choose IPv4 or IPv6: Depends on your needs.
  
 +
: [[Image:Admin_tools_DNS_Add_Zone_Wizard_1.png]]
  
 +
* Reverse Lookup Zone Name: Depends on your needs.
  
== Windows XP ==
+
: [[Image:Admin_tools_DNS_Add_Zone_Wizard_2.png]]
  
* Right-click to „My Network Places“ and choose „Properties“.
+
* Finish the wizard.
  
* Right-click to your network connection and choose „Properties“.
+
Your new zone is directly live without restarting Samba or BIND.
  
: [[Image:WinXP_My_Network_Places.png]]
 
  
* Click to your Internet Protocol and click the „Properties“ button.
 
  
* Enter the IP address/es of your DNS server/s.
 
  
: [[Image:WinXP_DNS_Server_Addresses.png]]
+
== Deleting a zone ==
  
* Save the settings by clicking „OK“.
+
* Highlight a zone, then select the Action menu and choose „Delete“.
  
 +
: [[Image:Admin_tools_DNS_Delete_Zone.png]]
  
  
== Linux/Unix ==
 
  
Edit your /etc/resolv.conf and add a „nameserver“ entry for each DNS server and your search domain:
 
nameserver 10.99.0.1
 
nameserver 10.99.0.2
 
search samdom.example.com
 
  
  
 +
= Configuring clients to use your AD DNS server =
  
 +
* [[Windows_DNS_Configuration|Windows]]
 +
* [[Linux_and_Unix_DNS_Configuration|Linux/Unix]]
 +
* [[MacOSX_DNS_Configuration|MacOSX]]
  
  
= Testing your DNS Server =
 
  
On Windows and *nix, you can use „nslookup“ to test if your computer can resolve records by using your DNS. Try resolving the name of your Domain Controller into its IP:
 
  
# nslookup DC1.samdom.example.com
 
Server:        10.99.0.1
 
Address:        10.99.0.1#53
 
 
Name:  DC1.samdom.example.com
 
Address: 10.99.0.1
 
  
Nslookup will show you, which server was asked (10.99.0.1) and the result of your query (DC1.samdom.example.com has IP 10.99.0.1)
+
= Testing your DNS Server =
  
To query a SVR record, you have to start nslookup and set the type to „SRV“, to retrieve the values (works on Windows and *nix):
+
See [[Testing_the_DNS_Name_Resolution|Testing the DNS Name Resolution]].
  
# nslookup
 
Default Server:  UnKnown
 
Address:  10.99.0.1
 
 
> set type=SRV
 
> _ldap._tcp.samdom.example.com.
 
Server:  UnKnown
 
Address:  10.99.0.1
 
 
_ldap._tcp.samdom.example.com  SRV service location:
 
          priority      = 0
 
          weight        = 100
 
          port          = 389
 
          svr hostname  = dc1.samdom.example.com
 
samdom.example.com      nameserver = dc1.samdom.example.com
 
dc1.samdom.example.com  internet address = 10.99.0.1
 
  
If your query can't be answered, because it doesn't exist, you'll receive
 
  
** server can't find DC9.samdom.example.com: NXDOMAIN
 
  
If you query a none existing DNS server, it would result in
 
  
;; connection timed out; no servers could be reached
+
----
 +
[[Category:Active Directory]]
 +
[[Category:DNS]]

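Review bot: the admin-tools "Adding new records" step reads "where you want to to add a new record" (duplicated "to"), and "As example we'll add a reverse lookup zone" should be "As an example". Replacing the client-configuration and nslookup text with links is fine, but the "Configuring clients to use your AD DNS server" heading now has nothing but three links under it; a one-line lead-in repeating that clients must use the Domain Controller(s) as their nameservers, as the "Importance of DNS" section states, would keep the section readable on its own.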
Latest revision as of 09:27, 8 August 2019

Introduction

If you're running Samba as Active Directory Domain Controller, you also have to administer a DNS server.

You will already find general information on the internal DNS and the BIND DLZ module and documentation about Bind as DNS Backend in the Wiki.



General

By default, Samba creates the following two forward zones during provisioning/upgrading (of course with your own domain name):

  • samdom.example.com: Zone for your domain.
  • _msdcs.samdom.example.com: This is the ForestDNSZone, which contains several service records for the entire directory.



Features

The Samba internal DNS is a new implementation. Although BIND is a mature DNS server that has long been in production on millions of servers, the Samba BIND DLZ module is still new. That's why both backends don't yet cover all the features that you can set up with the Microsoft DNS tools. If you discover problems or missing features, please open a bug report/feature request at https://bugzilla.samba.org/.

Even though the internal DNS and the BIND DLZ modules are new, they both support all basic requirements for Active Directory and more.


Known issues/missing features

  • Different zone transfer settings on internal DNS (denied) and BIND DLZ (allowed). Bug report #9634: Samba Bind DLZ module allows zone transfers for everyone (https://bugzilla.samba.org/show_bug.cgi?id=9634).



Importance of DNS for Active Directory

A working Active Directory is heavily based on a working DNS. It's not just for resolving IP addresses into names and vice versa. Clients find their Domain Controller/s and other important AD services by DNS queries, which means that your clients must use your Domain Controller/s as their nameservers. Do not use anything else between your clients and Domain Controller/s.



Administering DNS on Linux/Unix with samba-tool

Creating a new zone

As an example we'll add a reverse lookup zone.

It is suggested that you use, wherever possible, one of the RFC 1918 address ranges; these are:

10.0.0.0/8
172.16.0.0/12
192.168.0.0/16

Using the first one, 10.0.0.0/8, will allow you to have a maximum of 16,777,214 IP addresses. The second, 172.16.0.0/12, will allow you to have a maximum of 1,048,574 IP addresses. The third, 192.168.0.0/16, will allow you to have a maximum of 65,534 IP addresses.

You can, if you so wish, use different subnet masks/CIDRs to split up the RFC 1918 ranges. For instance, using 192.168.0.0/24 (netmask 255.255.255.0) will allow you to have a maximum of 254 IP addresses.

To create a /24 reverse zone

# samba-tool dns zonecreate <Your-AD-DNS-Server-IP-or-hostname> 0.168.192.in-addr.arpa
Password for [administrator@SAMDOM.EXAMPLE.COM]:
Zone 0.168.192.in-addr.arpa created successfully

To create a /16 reverse zone

# samba-tool dns zonecreate <Your-AD-DNS-Server-IP-or-hostname> 168.192.in-addr.arpa
Password for [administrator@SAMDOM.EXAMPLE.COM]:
Zone 168.192.in-addr.arpa created successfully

Your new zone will be directly live without restarting Samba or BIND.


Adding new records

  • Example: Adding an A record
# samba-tool dns add <Your-AD-DNS-Server-IP-or-hostname> samdom.example.com demo A 192.168.0.55
Password for [administrator@SAMDOM.EXAMPLE.COM]:
Record added successfully
  • Example: Adding a PTR record to the 192.168.0.0/24 reverse zone
# samba-tool dns add <Your-AD-DNS-Server-IP-or-hostname> 0.168.192.in-addr.arpa 55 PTR demo.samdom.example.com
Password for [administrator@SAMDOM.EXAMPLE.COM]:
Record added successfully
  • Example: Adding a PTR record to the 192.168.0.0/16 reverse zone
# samba-tool dns add <Your-AD-DNS-Server-IP-or-hostname> 168.192.in-addr.arpa 55.0 PTR demo.samdom.example.com
Password for [administrator@SAMDOM.EXAMPLE.COM]:
Record added successfully
  • Example: Adding a SRV record to _tcp.samdom.example.com
# samba-tool dns add <Your-AD-DNS-Server-IP-or-hostname> samdom.example.com _demo._tcp SRV 'demo.samdom.example.com 8080 0 100'
Password for [administrator@SAMDOM.EXAMPLE.COM]:
Record added successfully
A note on SRV records: The four parameters in the last field ("data") must be given in the order 'hostname port priority weight' and enclosed in single quotes.
  • Example: Adding a NS record to samdom.example.com zone
# samba-tool dns add <Your-AD-DNS-Server-IP-or-hostname> samdom.example.com @ NS newdc.samdom.example.com
Password for [administrator@SAMDOM.EXAMPLE.COM]:
Record added successfully
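The zonecreate and PTR examples above hand-compute the in-addr.arpa zone name (0.168.192 for a /24, 168.192 for a /16) and the PTR owner name (55 or 55.0). The following added helper, which is not part of the Samba wiki or of samba-tool, derives both from an IPv4 network in CIDR notation and prints the matching samba-tool commands without running them; it assumes a /8, /16 or /24 network, since other prefix lengths do not map onto a single in-addr.arpa zone, and uses the page's server placeholder unless SAMBA_DNS_SERVER is set.

```shell
#!/bin/sh
# Added example (not from the Samba wiki or samba-tool): in-addr.arpa naming
# helpers for the reverse zones and PTR records shown on the page.
# Only /8, /16 and /24 networks map onto one in-addr.arpa zone, so the
# RFC 1918 172.16.0.0/12 range is refused and must be split into /16 zones.

# reverse_zone 192.168.0.0/24 -> 0.168.192.in-addr.arpa
# reverse_zone 192.168.0.0/16 -> 168.192.in-addr.arpa
reverse_zone() {
    net=${1%/*}
    prefix=${1#*/}
    set -- $(echo "$net" | tr . ' ')        # $1..$4 are the octets
    case "$prefix" in
        8)  echo "$1.in-addr.arpa" ;;
        16) echo "$2.$1.in-addr.arpa" ;;
        24) echo "$3.$2.$1.in-addr.arpa" ;;
        *)  echo "reverse_zone: /$prefix does not map onto one in-addr.arpa zone" >&2
            return 1 ;;
    esac
}

# usable_hosts 10.0.0.0/8 -> 16777214 (the counts the page gives for RFC 1918)
usable_hosts() {
    prefix=${1#*/}
    if [ "$prefix" -lt 1 ] || [ "$prefix" -gt 30 ]; then
        echo "usable_hosts: /$prefix has no usable host addresses" >&2
        return 1
    fi
    echo $(( (1 << (32 - prefix)) - 2 ))
}

# ptr_name <host-ip> <network/prefix>: owner name of the PTR record relative
# to the reverse zone, after checking that the host lies inside the network.
# ptr_name 192.168.0.55 192.168.0.0/24 -> 55
# ptr_name 192.168.0.55 192.168.0.0/16 -> 55.0
ptr_name() {
    host=$1
    net=${2%/*}
    prefix=${2#*/}
    set -- $(echo "$host $net" | tr . ' ')  # $1..$4 host, $5..$8 network
    case "$prefix" in
        8)  hnet=$1;         nnet=$5;         owner="$4.$3.$2" ;;
        16) hnet="$1.$2";    nnet="$5.$6";    owner="$4.$3" ;;
        24) hnet="$1.$2.$3"; nnet="$5.$6.$7"; owner="$4" ;;
        *)  echo "ptr_name: unsupported prefix /$prefix" >&2; return 1 ;;
    esac
    if [ "$hnet" != "$nnet" ]; then
        echo "ptr_name: $host is not inside $net/$prefix" >&2
        return 1
    fi
    echo "$owner"
}

# ptr_commands <host-ip> <network/prefix> <fqdn>: print (do not run) the
# samba-tool calls that create the reverse zone and the host's PTR record.
ptr_commands() {
    server=${SAMBA_DNS_SERVER:-"<Your-AD-DNS-Server-IP-or-hostname>"}
    zone=$(reverse_zone "$2") || return 1
    owner=$(ptr_name "$1" "$2") || return 1
    printf 'samba-tool dns zonecreate %s %s\n' "$server" "$zone"
    printf 'samba-tool dns add %s %s %s PTR %s\n' "$server" "$zone" "$owner" "$3"
}

# Demonstration on the page's example host, once as a /24 and once as a /16 zone.
for cidr in 192.168.0.0/24 192.168.0.0/16; do
    echo "# $cidr: $(usable_hosts "$cidr") usable addresses, zone $(reverse_zone "$cidr")"
    ptr_commands 192.168.0.55 "$cidr" demo.samdom.example.com
done
```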


Updating existing records

  • Example: Changing an A record
# samba-tool dns update <Your-AD-DNS-Server-IP-or-hostname> samdom.example.com demo A 192.168.0.55 192.168.0.66
Password for [administrator@SAMDOM.EXAMPLE.COM]:
Record updated successfully
  • Example: Changing a SOA Resource Record
The data part of the SOA record consists of seven space-separated elements in the following order:
nameserver, email, serial, refresh, retry, expire, minimum-ttl

The following example changes the hostmaster's mail address:
# samba-tool dns update <Your-AD-DNS-Server-IP-or-hostname> samdom.example.com @ SOA \
  "dc1.samdom.example.com hostmaster.example.com 63 900 600 86400 3600" \
  "dc1.samdom.example.com admin.example.com 64 900 600 86400 3600"
Password for [administrator@SAMDOM.EXAMPLE.COM]:
Record updated successfully
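Because samba-tool dns update takes the complete old and new SOA data strings, a slip in field order or a forgotten serial bump goes straight into the zone. The following added helper, written for this page and not part of the Samba wiki or of samba-tool, validates the seven fields the text lists, replaces one of them, increments the serial as the example above does, and prints the resulting command; the server name is the page's placeholder unless SAMBA_DNS_SERVER is set, and the "email" check assumes the dotted RNAME form the page uses (hostmaster.example.com).

```shell
#!/bin/sh
# Added example (not from the Samba wiki or samba-tool): build the old/new
# data arguments for 'samba-tool dns update <server> <zone> @ SOA <old> <new>'
# in the order the page lists: nameserver email serial refresh retry expire minimum-ttl.

# soa_check "<data>": exactly seven fields, RNAME-style email, numeric timers.
soa_check() {
    set -- $1
    if [ $# -ne 7 ]; then
        echo "soa_check: expected 7 fields, got $#" >&2
        return 1
    fi
    # The email is written as a DNS name (hostmaster.example.com), not with '@'.
    case "$2" in
        *@*) echo "soa_check: email '$2' must use the dotted form, not '@'" >&2; return 1 ;;
    esac
    for n in "$3" "$4" "$5" "$6" "$7"; do
        case "$n" in
            ''|*[!0-9]*) echo "soa_check: '$n' is not an unsigned integer" >&2; return 1 ;;
        esac
    done
}

# soa_update "<old data>" <field> <value>: print the new SOA data with one
# field replaced and the serial incremented by one.
soa_update() {
    old=$1
    field=$2
    value=$3
    soa_check "$old" || return 1
    set -- $old
    ns=$1; email=$2; serial=$3; refresh=$4; retry=$5; expire=$6; minttl=$7
    case "$field" in
        nameserver)  ns=$value ;;
        email)       email=$value ;;
        refresh)     refresh=$value ;;
        retry)       retry=$value ;;
        expire)      expire=$value ;;
        minimum-ttl) minttl=$value ;;
        *) echo "soa_update: unknown SOA field '$field'" >&2; return 1 ;;
    esac
    # Secondaries only notice a changed SOA when the serial grows.
    new="$ns $email $((serial + 1)) $refresh $retry $expire $minttl"
    soa_check "$new" || return 1
    echo "$new"
}

# soa_update_cmd <zone> "<old data>" <field> <value>: print (do not run) the
# samba-tool command, old data first and new data second, as samba-tool expects.
soa_update_cmd() {
    server=${SAMBA_DNS_SERVER:-"<Your-AD-DNS-Server-IP-or-hostname>"}
    new=$(soa_update "$2" "$3" "$4") || return 1
    printf "samba-tool dns update %s %s @ SOA '%s' '%s'\n" "$server" "$1" "$2" "$new"
}

# Demonstration on the page's example: change the hostmaster address.
soa_update_cmd samdom.example.com \
    "dc1.samdom.example.com hostmaster.example.com 63 900 600 86400 3600" \
    email admin.example.com
```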


Delete a record

  • Example: Deleting an A record
# samba-tool dns delete <Your-AD-DNS-Server-IP-or-hostname> samdom.example.com demo A 192.168.0.55
Password for [administrator@SAMDOM.EXAMPLE.COM]:
Record deleted successfully
  • Example: Deleting a NS record from samdom.example.com zone
# samba-tool dns delete <Your-AD-DNS-Server-IP-or-hostname> samdom.example.com @ NS olddc.samdom.example.com
Password for [administrator@SAMDOM.EXAMPLE.COM]:
Record deleted successfully


Deleting a zone

  • Example: Deleting a reverse zone:
# samba-tool dns zonedelete <Your-AD-DNS-Server-IP-or-hostname> 0.168.192.in-addr.arpa
Password for [administrator@SAMDOM.EXAMPLE.COM]:
Zone 0.168.192.in-addr.arpa deleted successfully


Listing existing zones

  • Example: listing secondary zones
# samba-tool dns zonelist <Your-AD-DNS-Server-IP-or-hostname> --secondary -U administrator


Listing zone information

  • Example: showing information about a zone
# samba-tool dns zoneinfo <Your-AD-DNS-Server-IP-or-hostname> <zone-name> -U administrator


Listing zone records

  • Example: listing records from a zone
# samba-tool dns query <Your-AD-DNS-Server-IP-or-hostname> <zone-name> @ ALL -U administrator



Administering DNS on Windows

To administer DNS from a Windows client, you have to install the DNS MMC Snap-In. See Installing RSAT on Windows for AD Management for more details.

If you use the internal DNS server, there are the following known problems:

  • Scavenging is not implemented yet. The error message "This function is not supported on this system" is returned.
  • Conditional forwarders are not implemented yet. The same error message as above is returned.
  • The DNS forwarder can only be changed in the smb.conf, not via the MMC Snap-In.
  • Creating static records: when a static record is created it has a timestamp and the option "Delete this record when it becomes stale". In Windows Active Directory, static records have a "static" timestamp and cannot be accidentally deleted.



Adding new records

  • Navigate to the zone where you want to add a new record.
  • Right-click it and choose the kind of record to add.
DNS Manager Add records.png
  • Fill the fields and save the new entry.


Updating existing records

  • Navigate to the zone that contains the record you want to edit.
  • Right-click the record and choose „Properties“.
DNS Manager Change record.png
  • Edit the entry and save the changes.


Delete a record

  • Navigate to the zone that contains the record you want to remove.
  • Right-click the record and choose „Delete“.


Changing zone properties

  • Right-click the zone you want to change.
  • Choose „Properties“.

Note: Currently both DNS backends don't support all features that can be set up in the dialogues. If you discover problems or missing features, please open a bug report/feature request at https://bugzilla.samba.org/.


Creating a new zone

As an example we'll add a reverse lookup zone.

  • Right-click „Reverse Lookup Zones“ and choose „New Zone“.
  • The „New Zone Wizard“ appears.
  • Zone Type: Select „Primary zone“ and „Store the zone in Active Directory“.
DNS Add Zone Wizzard 1.png
  • Zone Replication Scope: Depends on your needs.
DNS Add Zone Wizzard 2.png
  • Reverse Lookup Zone Name: Depends on your needs.
DNS Add Zone Wizzard 3.png
  • Dynamic Update: Depends on your needs.
DNS Add Zone Wizzard 4.png
  • Finish the wizard.

Your new zone is directly live without restarting Samba or BIND.



Deleting a zone

  • Right-click the zone and choose „Delete“.
DNS Delete Zone.png

Administering DNS on Linux with admin-tools

You can administer DNS from a Linux client using the admin-tools DNS module. The admin-tools DNS module uses samba-tool as a backend. You can download an AppImage here.

Adding new records

  • Navigate to the zone where you want to add a new record.
  • Select the Action menu and choose the kind of record to add.
Admin tools DNS Manager Add records.png
  • Fill the fields and save the new entry.


Updating existing records

  • Navigate to the zone that contains the record you want to edit.
  • Highlight the record, then select the Action menu and choose „Properties“.
Admin tools DNS Manager Change record.png
  • Edit the entry and save the changes.


Delete a record

  • Navigate to the zone that contains the record you want to remove.
  • Highlight the record, then select the Action menu and choose „Delete“.


Creating a new zone

As an example we'll add a reverse lookup zone.

  • Highlight „Reverse Lookup Zones“, then select the Action menu and choose „New Zone“.
  • The „New Zone Wizard“ appears.
  • Choose IPv4 or IPv6: Depends on your needs.
Admin tools DNS Add Zone Wizard 1.png
  • Reverse Lookup Zone Name: Depends on your needs.
Admin tools DNS Add Zone Wizard 2.png
  • Finish the wizard.

Your new zone is directly live without restarting Samba or BIND.



Deleting a zone

  • Highlight a zone, then select the Action menu and choose „Delete“.
Admin tools DNS Delete Zone.png



Configuring clients to use your AD DNS server

  • Windows
  • Linux/Unix
  • MacOSX



Testing your DNS Server

See Testing the DNS Name Resolution.