The Samba AD DNS Back Ends: Difference between revisions

From SambaWiki
(10 intermediate revisions by 3 users not shown)

Previous revision (minor edit, summary: "Updated link")

__TOC__
= Why DNS is essential for a working Active Directory =

Operation of Active Directory requires several special entries in DNS. They are usually added automatically whenever the domain is provisioned, or a server or client joins the domain or changes its name or IP address.

AD not only requires the normal entries that list the names and IP addresses of all servers and clients, but also an entry for the domain itself (i.e. domain.company.com, not just server.domain.company.com).

This domain entry contains several pieces of information about the domain, for example a list of Domain Controllers that can be used to log on to the domain.

Without this information from the DNS server, the clients cannot find the domain.

For this reason you absolutely must configure all servers and clients of the domain such that they query a DNS server that does have these special entries.

You can use either the internal DNS server that is built into the samba4 binary, or an external BIND DNS server. The default is to use the internal server, and it is highly recommended that you install it this way when you start using Samba4 as an AD DC for the first time. You can later switch between the two variants if needed. If you do use an external BIND DNS server, it must use the DLZ backend and run on the Samba AD DC.

Whichever DNS server you use, you must configure the AD DC so that it uses 127.0.0.1 or its own IP address as DNS server, and all clients must be configured to use the IP address of the AD DC as DNS. This server will usually only be able to answer queries regarding servers and clients that are members of the domain. If you want your servers and clients to also see the rest of the world, you must configure the DNS server to forward all queries that it cannot answer itself to another DNS server which can resolve the rest of the world.

= Which DNS backend should I choose? =

You should choose the DNS backend based on the requirements of your network or existing DNS installations.

The internal DNS is a new implementation that allows you to quickly and easily set up the DNS backend that every AD installation requires. No further work is needed to set it up. Currently it covers the important and required parts for AD.

If you already have BIND running, plan complex DNS setups, or require special functions (zone transfers only from defined hosts, etc.) that the internal DNS does not currently support, BIND should be the preferred backend.

Your choice of a DNS backend during provisioning/upgrading is not final. If you find that your choice does not fit your requirements, you can switch and [[Changing_the_DNS_backend|change the DNS backend]].

== Samba Internal DNS ==

The internal DNS server is built into Samba and uses AD as its backend. It is also the default DNS solution when provisioning a new Samba AD DC or upgrading from a Samba NT4 domain to Samba AD. See the documentation about the [[Samba_Internal_DNS_Back_End|Samba INTERNAL_DNS Back End]] for further information.

== DNS backend BIND_DLZ ==

BIND 9.8 and 9.9 can be set up to provide DNS resolution for zones managed in AD. They are accessible from BIND through the DLZ (dynamically loadable zones) plug-in. Note that the BIND server must run on the same machine as the Samba AD DC. See the [[BIND9_DLZ_DNS_Back_End|Bind as DNS backend HowTo]] for further documentation.

= Selecting the Forest Root Domain =

See Microsoft's suggestions about selecting the forest root domain: [http://technet.microsoft.com/en-us/library/cc726016%28v=ws.10%29.aspx/ http://technet.microsoft.com/en-us/library/cc726016%28v=ws.10%29.aspx/]

== Avoid .local TLD ==

Avoid using .local as the TLD for your Active Directory. It causes connection problems with Mac and Zeroconf peripherals.

== Best practice ==

See [http://technet.microsoft.com/en-us/library/bb727085.aspx http://technet.microsoft.com/en-us/library/bb727085.aspx]. Summary of the relevant parts:

* As a best practice, use DNS names registered with an Internet authority in the Active Directory namespace. Only registered names are guaranteed to be globally unique. If another organization later registers the same DNS domain name, or if your organization merges with, acquires, or is acquired by another company that uses the same DNS names, then the two infrastructures can never interact with one another.

* Add a prefix that is not currently in use to the registered DNS name to create a new subordinate name. For example, if your DNS root name were contoso.com, then you should create an Active Directory forest root domain name such as concorp.contoso.com, where the namespace concorp.contoso.com is not already in use on the network. This new branch of the namespace will be dedicated to Active Directory and can easily be integrated with the existing DNS implementation.

= Testing Dynamic DNS Updates =

To test the dynamic DNS updates, run as user <code>root</code> on your Samba domain controller (DC):

 # samba_dnsupdate --verbose --all-names

This command forces an update of all records specified in the <code>/usr/local/samba/private/dns_update_list</code> file.

The <code>samba_dnsupdate</code> utility updates the DNS. It automatically checks for missing DNS records specified in the <code>dns_update_list</code> file when the <code>samba</code> daemon starts and every 10 minutes thereafter.

If the dynamic DNS updates fail, see:

* <code>BIND9_DLZ</code> back end: [[BIND9_DLZ_DNS_Back_End#Troubleshooting|BIND9_DLZ Troubleshooting]]
* <code>INTERNAL_DNS</code> back end: [[Samba_internal_DNS_Back_End#Troubleshooting|Samba Internal DNS Troubleshooting]]

Revision as of 12:30, 28 August 2019 (minor edit, summary: "minor update")

__TOC__
= Introduction =

In an Active Directory (AD), DNS is a very important service. It is used for:
* name resolution
* locating services, such as Kerberos and LDAP
* locating local domain controllers (DC) when using AD sites. For details, see [[Active_Directory_Sites|Active Directory Sites]].

{{Imbox
| type = note
| text = All clients and servers in an AD must use a DNS server that is able to resolve the AD DNS zones.
}}

= Supported DNS Back Ends =

Samba supports the following DNS back ends:

* [[Samba_Internal_DNS_Back_End|Samba Internal DNS Back End]]
:* Default when provisioning a new domain, joining an existing domain or migrating an NT4 domain to AD.
:* No additional software or DNS knowledge is required.
:* Use this back end for simple DNS setups. For a list of limitations, see [[Samba_Internal_DNS_Back_End#Limitations|Limitations]].

* [[BIND9_DLZ_DNS_Back_End|BIND9_DLZ DNS Back End]]
:* Requires BIND 9.8 or later installed and configured locally on the Samba Active Directory (AD) domain controller (DC). For additional information, see [[Setting_up_a_BIND_DNS_Server|Setting up a BIND DNS Server]].
:* Requires knowledge about the BIND DNS server and how to configure the service.
:* Use this back end for complex DNS scenarios that you cannot configure in the internal DNS.

If you are unsure which DNS back end to select during the DC installation, start with the Samba internal DNS. You can change the back end at any time. For details, see [[Changing_the_DNS_Back_End_of_a_Samba_AD_DC|Changing the DNS Back End of a Samba AD DC]].

{{Imbox
| type = important
| text = Do not use the <code>BIND9_FLATFILE</code> DNS back end. It is not supported and will be formally deprecated when 4.11.0 is released and removed at 4.12.0.
}}

= Selecting the AD Forest Root Domain =

Before you provision your Active Directory (AD), you must select a DNS zone for your AD forest root domain. For details, see [[Active_Directory_Naming_FAQ|Active Directory Naming FAQ]].

{{Imbox
| type = warning
| text = Samba does not support renaming the AD forest root domain.
}}

Best practices:
* Use a domain name you own.
* Use a subdomain of your domain, such as <code>ad.example.com</code>.
* Do not use <code>.local</code> domains. They can cause problems with Mac OS X and Zeroconf.

For details, see [[Active_Directory_Naming_FAQ|Active Directory Naming FAQ]].

----
[[Category:Active Directory]]
[[Category:DNS]]
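As an added example that is not part of the Samba wiki page: a POSIX shell check of the two requirements the page states, that a host's resolver points at the AD DC and that the special AD entries (the LDAP and Kerberos SRV records plus the domain's own A record) can be resolved there. The SRV record names are the standard AD locator names and host(1) is a real tool; the realm samdom.example.com, the script name and the resolv.conf contents are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the Samba wiki: verify that the resolver a host is
# configured with can answer the DNS entries AD clients depend on. Names are
# the standard AD locator records; samdom.example.com is a constructed realm.

# Print the nameserver addresses from a resolv.conf-style file, in order.
resolv_nameservers() {
    awk '$1 == "nameserver" { print $2 }' "$1"
}

# Print "<type> <name>" pairs for the records every AD client looks up:
# LDAP and Kerberos service locators, the DC locator, and the domain A record.
ad_dns_names() {
    realm=$1
    printf 'SRV _ldap._tcp.%s\n' "$realm"
    printf 'SRV _kerberos._tcp.%s\n' "$realm"
    printf 'SRV _kerberos._udp.%s\n' "$realm"
    printf 'SRV _ldap._tcp.dc._msdcs.%s\n' "$realm"
    printf 'A %s\n' "$realm"
}

# Query each record at the given DNS server with host(1). Print one line per
# record, report MISSING for anything the server cannot answer, and return 1
# if any record is missing (on the DC, samba_dnsupdate --all-names re-adds them).
check_ad_dns() {
    realm=$1 server=$2 missing=0
    for spec in $(ad_dns_names "$realm" | tr ' ' ':'); do
        type=${spec%%:*} name=${spec#*:}
        if host -t "$type" "$name" "$server" >/dev/null 2>&1; then
            echo "ok      $type $name"
        else
            echo "MISSING $type $name"
            missing=$((missing + 1))
        fi
    done
    [ "$missing" -eq 0 ]
}

# Stand-alone use: AD_REALM=samdom.example.com sh check-ad-dns.sh
# The first nameserver must be the DC (or 127.0.0.1 when run on the DC itself).
if [ -n "$AD_REALM" ]; then
    ns=$(resolv_nameservers /etc/resolv.conf | head -n 1)
    echo "first nameserver in /etc/resolv.conf: ${ns:-none}"
    check_ad_dns "$AD_REALM" "${ns:-127.0.0.1}"
fi
```

A client that prints MISSING for every record is almost always pointed at a resolver other than the DC; a single missing record on the DC itself points at a failed dynamic update.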