DNS Administration: Difference between revisions

From SambaWiki
(Fix information, that new zones are directly live. Internal DNS requires a restart of Samba for that currently (Bug))
Revision as of 19:06, 26 February 2014

Introduction

If you're running Samba as an Active Directory Domain Controller, you also have to administer a DNS server.

General information on the internal DNS and the BIND DLZ module, as well as documentation on using BIND as DNS backend, is already available in the wiki.

General

By default, Samba creates the following two forward zones during provisioning/upgrading (with your own domain name, of course):

  • samdom.example.com: Zone for your domain.
  • _msdcs.samdom.example.com: This is the ForestDNSZone, which contains several service records for the entire directory.



Features

The Samba internal DNS is a new implementation. BIND is a mature DNS server that has been in production on millions of servers for a long time, but the Samba BIND DLZ module is still new. That's why neither backend yet covers all features that you can set up with the Microsoft DNS tools. If you discover problems or missing features, please open a bug report/feature request at https://bugzilla.samba.org/.

But even though the internal DNS and the BIND DLZ module are new, they both support all basic requirements of Active Directory and more.


Known issues/missing features

Importance of DNS for Active Directory

A working Active Directory depends heavily on a working DNS. It is not just about resolving names to IP addresses and vice versa: clients locate their Domain Controller(s) and other important AD services through DNS queries.



Administering DNS on Windows

To administer DNS from a Windows client, you have to install the DNS MMC Snap-In. See Samba AD Management from Windows for more details.


Adding new records

  • Navigate to the zone where you want to add a new record.
  • Right-click it and choose the kind of record to add.
DNS Manager Add records.png
  • Fill in the fields and save the new entry.


Updating existing records

  • Navigate to the zone that contains the record you want to edit.
  • Right-click the record and choose „Properties“.
DNS Manager Change record.png
  • Edit the entry and save the changes.


Delete a record

  • Navigate to the zone that contains the record you want to remove.
  • Right-click the record and choose „Delete“.


Changing zone properties

  • Right-click the zone whose properties you want to change.
  • Choose „Properties“.

Note: Currently, neither DNS backend supports all features that can be set up in these dialogues. If you discover problems or missing features, please open a bug report/feature request at https://bugzilla.samba.org/.


Creating a new zone

As an example, we'll add a reverse lookup zone.

  • Right-click „Reverse Lookup Zones“ and choose „New Zone“.
  • The „New Zone Wizard“ appears.
  • Zone Type: Select „Primary zone“ and „Store the zone in Active Directory“.
DNS Add Zone Wizzard 1.png
  • Zone Replication Scope: Depends on your needs.
DNS Add Zone Wizzard 2.png
  • Reverse Lookup Zone Name: Depends on your needs.
DNS Add Zone Wizzard 3.png
  • Dynamic Update: Depends on your needs.
DNS Add Zone Wizzard 4.png
  • Finish the wizard.

If you are using BIND_DLZ as the backend, your new zone is live immediately, without restarting Samba or BIND.

With the internal DNS as backend, Samba currently has to be restarted before the new zone takes effect. See bug report #9404.


Deleting a zone

  • Right-click the zone and choose „Delete“.
DNS Delete Zone.png

Administering DNS on Linux/Unix

Adding new records

  • Example: Adding an A record
# samba-tool dns add <Your-Server> samdom.example.com demo A 10.99.0.55
Password for [administrator@SAMDOM.EXAMPLE.COM]:
Record added successfully
  • Example: Adding a PTR record to a reverse zone
# samba-tool dns add <Your-Server> 0.99.10.in-addr.arpa 55 PTR demo.samdom.example.com
Password for [administrator@SAMDOM.EXAMPLE.COM]:
Record added successfully
  • Example: Adding a SRV record to _tcp.samdom.example.com
# samba-tool dns add <Your-Server> samdom.example.com _demo._tcp SRV 'demo.samdom.example.com 8080 0 100'
Password for [administrator@SAMDOM.EXAMPLE.COM]:
Record added successfully
A note on SRV records: the four parameters in the last field („data“) must be given in the order 'hostname port priority weight' and enclosed in single quotes.


Updating existing records

  • Example: Changing an A record
# samba-tool dns update <Your-Server> samdom.example.com demo A 10.99.0.55 10.99.0.66
Password for [administrator@SAMDOM.EXAMPLE.COM]:
Record updated succefully


Delete a record

  • Example: Deleting an A record
# samba-tool dns delete <Your-Server> samdom.example.com demo A 10.99.0.55
Password for [administrator@SAMDOM.EXAMPLE.COM]:
Record deleted succefully


Creating a new zone

As an example, we'll add a reverse lookup zone.

# samba-tool dns zonecreate <Your-Server> 0.99.10.in-addr.arpa
Password for [administrator@SAMDOM.EXAMPLE.COM]:
Zone 0.99.10.in-addr.arpa created successfully

If you are using BIND_DLZ as the backend, your new zone is live immediately, without restarting Samba or BIND.

With the internal DNS as backend, Samba currently has to be restarted before the new zone takes effect. See bug report #9404.


Deleting a zone

  • Example: Deleting a reverse zone
# samba-tool dns zonedelete <Your-Server> 0.99.10.in-addr.arpa
Password for [administrator@SAMDOM.EXAMPLE.COM]:
Zone 0.99.10.in-addr.arpa delete successfully
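Combining the A and PTR steps above into one script, as an added example that is not part of the wiki page: it derives the in-addr.arpa zone name and the PTR label from the IPv4 address (assuming /24 reverse zones like the 0.99.10.in-addr.arpa zone used above) and issues both samba-tool calls, so the forward and reverse entries cannot drift apart. Server, zone and host names are placeholders, and DRY_RUN=1 prints the commands instead of running them.

```shell
#!/bin/sh
# Added example, not from the Samba wiki: register a host in the forward zone
# and in the matching reverse zone with samba-tool in one step. The reverse
# zone name and the PTR label are derived from the IPv4 address, which avoids
# the A/PTR mismatch that hand-typed commands tend to produce.
# Assumptions: reverse zones are /24 zones (like 0.99.10.in-addr.arpa above);
# server, zone and host names are placeholders; DRY_RUN=1 prints the commands
# instead of running samba-tool.

# reverse_parts 10.99.0.55  ->  "0.99.10.in-addr.arpa 55"
# Runs in a subshell so the IFS change stays local; fails unless the address
# has exactly four dotted parts (octet ranges are not validated).
reverse_parts() (
    IFS=.
    set -- $1
    [ $# -eq 4 ] || exit 1
    printf '%s.%s.%s.in-addr.arpa %s\n' "$3" "$2" "$1" "$4"
)

# run CMD...  ->  prints CMD in dry-run mode, executes it otherwise
run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# add_host SERVER FORWARD_ZONE HOSTNAME IPV4
add_host() {
    server=$1 zone=$2 host=$3 ip=$4
    parts=$(reverse_parts "$ip") || { echo "bad IPv4 address: $ip" >&2; return 1; }
    rzone=${parts% *}   # everything before the space: the reverse zone
    label=${parts#* }   # everything after it: the last octet
    run samba-tool dns add "$server" "$zone" "$host" A "$ip" || return 1
    # The PTR target is the host's FQDN, as in the wiki's PTR example.
    run samba-tool dns add "$server" "$rzone" "$label" PTR "$host.$zone"
}

# Dry run with placeholder names; drop DRY_RUN=1 to really add the records.
# DRY_RUN=1 add_host dc1.samdom.example.com samdom.example.com demo 10.99.0.55
```

Each real samba-tool call prompts for the administrator password, exactly as in the examples above.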

Configuring clients to use your AD DNS server

If you provide DNS server addresses to your clients via DHCP, configure your DHCP server to hand out the address(es) of your DNS server(s).

For static configuration on the different Windows versions, continue reading.


Windows 8

  • Press [Win]+[W], search for „Network and Sharing Center“ in Settings and open it.
File:Win8 Network App.png
  • Click „Change adapter settings“.
  • Right-click your network adapter and choose „Properties“.
File:Win8 Network and Sharing Center.png
  • Select Internet Protocol (IPv4/IPv6) and click the „Properties“ button.
  • Enter the IP address(es) of your DNS server(s).
File:Win8 DNS Server Addresses.png
  • Save the settings by clicking „OK“.


Windows 7

  • Click „Start“ and search for „Network and Sharing Center“.
  • Click „Change adapter settings“.
  • Right-click your network adapter and choose „Properties“.
File:Win7 Network and Sharing Center.png
  • Select Internet Protocol (IPv4/IPv6) and click the „Properties“ button.
  • Enter the IP address(es) of your DNS server(s).
File:Win7 DNS Server Addresses.png
  • Save the settings by clicking „OK“.


Windows XP

  • Right-click „My Network Places“ and choose „Properties“.
  • Right-click your network connection and choose „Properties“.
File:WinXP My Network Places.png
  • Select Internet Protocol and click the „Properties“ button.
  • Enter the IP address(es) of your DNS server(s).
File:WinXP DNS Server Addresses.png
  • Save the settings by clicking „OK“.


Linux/Unix

Edit your /etc/resolv.conf and add a „nameserver“ entry for each DNS server and your search domain:

nameserver 10.99.0.1
nameserver 10.99.0.2
search samdom.example.com



Testing your DNS Server

On Windows and *nix, you can use „nslookup“ to test whether your computer can resolve records using your DNS server. Try resolving the name of your Domain Controller to its IP:

# nslookup DC1.samdom.example.com
Server:         10.99.0.1
Address:        10.99.0.1#53

Name:   DC1.samdom.example.com
Address: 10.99.0.1

Nslookup shows which server was asked (10.99.0.1) and the result of your query (DC1.samdom.example.com has the IP 10.99.0.1).

To query an SRV record, start nslookup and set the type to „SRV“ to retrieve the values (works on Windows and *nix):

# nslookup
Default Server:  UnKnown
Address:  10.99.0.1

> set type=SRV
> _ldap._tcp.samdom.example.com.
Server:  UnKnown
Address:  10.99.0.1

_ldap._tcp.samdom.example.com   SRV service location:
          priority       = 0
          weight         = 100
          port           = 389
          svr hostname   = dc1.samdom.example.com
samdom.example.com      nameserver = dc1.samdom.example.com
dc1.samdom.example.com  internet address = 10.99.0.1 

If your query can't be answered because the record doesn't exist, you'll receive:

** server can't find DC9.samdom.example.com: NXDOMAIN

If you query a DNS server that doesn't exist or can't be reached, the result is:

;; connection timed out; no servers could be reached
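As an added example (not from the wiki), a small parser for the „SRV service location“ output nslookup prints above, so a check script can verify that the _ldap._tcp record points at a Domain Controller on port 389 and can tell the two failure outputs shown above (NXDOMAIN and a timeout) apart. The sample output is constructed from the page's own nslookup example; the nslookup invocation in the comment assumes a *nix nslookup that reads commands from stdin when given „-“.

```shell
#!/bin/sh
# Added example, not from the Samba wiki: parse the "SRV service location"
# block that nslookup prints and check that _ldap._tcp points at a Domain
# Controller on the LDAP port, then classify the two failure outputs shown on
# this page. SAMPLE is constructed from the wiki's own nslookup example; on a
# real system capture the output with something like
#   printf 'set type=SRV\n_ldap._tcp.samdom.example.com.\n' | nslookup - 10.99.0.1
# (assumes a *nix nslookup that reads commands from stdin when given "-").

SAMPLE='_ldap._tcp.samdom.example.com   SRV service location:
          priority       = 0
          weight         = 100
          port           = 389
          svr hostname   = dc1.samdom.example.com
samdom.example.com      nameserver = dc1.samdom.example.com
dc1.samdom.example.com  internet address = 10.99.0.1'

# srv_fields OUTPUT  ->  one line per SRV answer: "name priority weight port host"
srv_fields() {
    printf '%s\n' "$1" | awk '
        /SRV service location:/ { name = $1; rec = 1; next }
        rec && $1 == "priority" { pri = $3 }
        rec && $1 == "weight"   { wt = $3 }
        rec && $1 == "port"     { port = $3 }
        rec && $1 == "svr" && $2 == "hostname" {
            print name, pri, wt, port, $4
            rec = 0
        }'
}

# check_ldap_srv OUTPUT  ->  exit 0 if at least one _ldap._tcp answer uses port 389
check_ldap_srv() {
    srv_fields "$1" | awk '$1 ~ /^_ldap\._tcp\./ && $4 == 389 { ok = 1 }
                           END { exit (ok ? 0 : 1) }'
}

# dns_status OUTPUT  ->  prints OK, NXDOMAIN or TIMEOUT, matching the two
# failure messages shown above
dns_status() {
    case $1 in
        *NXDOMAIN*)                      echo NXDOMAIN ;;
        *"no servers could be reached"*) echo TIMEOUT ;;
        *)                               echo OK ;;
    esac
}

# Example run: show the parsed fields and the verdict for the sample output.
# srv_fields "$SAMPLE"; check_ldap_srv "$SAMPLE" && echo "LDAP SRV record looks good"
```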