Difference between revisions of "The Samba AD DNS Back Ends"

(Configuration: Avoid mentioning misleading option for "allow dns updates")
m (/* minor update)
 
(65 intermediate revisions by 12 users not shown)
Line 1: Line 1:
= Which DNS backend should I choose? =
+
__TOC__
  
The DNS backend should be choosen, on the requirements of your network or existing DNS installations.
+
= Introduction =
  
The internal DNS is a new implementation, that allows to quick and easy setup of the DNS backend, that is required for every AD installation. No further work is required to set it up. Currently it covers the important and required parts for AD.
+
In an Active Directory (AD), DNS is a very important service. It is used for:
 +
* name resolution
 +
* locating services, such as Kerberos and LDAP
 +
* locating local domain controllers (DC) when using AD sites. For details, see [[Active_Directory_Sites|Active Directory Sites]].
  
If you already having BIND running, plan complex DNS setups or you require special functions (zone transfers only from defined hosts, etc.), that are currently not supported by the internal DNS, BIND should be the preferred backend.
+
{{Imbox
 +
| type = note
 +
| text = All clients and server in an AD must use a DNS server that is able to resolve the AD DNS zones.
 +
}}
  
The choice for a DNS backend during provisioning/upgrading is not a one way street. If you find out, that your choice doesn't fit your requirements, you can flip over and [[#Changing_the_DNS_backend|change the DNS backend]].
 
  
  
  
  
 +
= Supported DNS Back Ends =
  
= Internal DNS =
+
Samba supports the following DNS back ends:
  
The internal DNS server is built into Samba and uses AD as backend. Also it is the default DNS solution when you provisioning/upgrading an Samba AD controller.
+
* [[Samba_Internal_DNS_Back_End|Samba Internal DNS Back End]]
 +
:* Default when provisioning a new domain, joining an existing domain or migrating an NT4 domain to AD.
 +
:* No additional software or DNS knowledge is required.
 +
:* Use this back end for simple DNS setups. For a list of limitations, see [[Samba_Internal_DNS_Back_End#Limitations|Limitations]].
  
 +
* [[BIND9_DLZ_DNS_Back_End|BIND9_DLZ DNS Back End]]
 +
:* Requires BIND 9.8 or later installed and configured locally on the Samba Active Directory (AD) domain controller (DC). For additional information, see [[Setting_up_a_BIND_DNS_Server|Setting up a BIND DNS Server]].
 +
:* Requires knowledge about the BIND DNS server and how to configure the service.
 +
:* Use this back end for complex DNS scenarios, you can not configure in the internal DNS.
  
  
== Configuration ==
+
If you are unsure which DNS back end to select during the DC installation, start with the Samba internal DNS. You can change the back end at any time. For details, see [[Changing_the_DNS_Back_End_of_a_Samba_AD_DC|Changing the DNS Back End of a Samba AD DC]].
  
If you choosed the internal server as DNS backend for your environment, there are three options that can be added to your smb.conf to control the behavior of DNS at this point:
 
  
# Allow unsigned updates | don't allow any updates | only allow signed updates
+
{{Imbox
allow dns updates = False | nonsecure | signed only
+
| type = important
+
| text = Do not use the <code>BIND9_FLATFILE</code> DNS back end. It is not supported and will be formally deprecated when 4.11.0 is released and removed at 4.12.0.
# If recursive queries = yes is set, the following is also needed
+
}}
dns forwarder = <ip addr of external dns server>
 
  
== Limitations / Known issues ==
 
  
* The internal server is not a caching resolver.
 
  
* The samba_dnsupdate command produces warnings when used with signed updates. We're currenly investigating a fix for the warnings, but the updates actually succeed. Client systems like samba3 or Win7 work fine.
 
  
  
 +
= Selecting the AD Forest Root Domain =
  
== Tests ==
+
Before you provision your Active Directory (AD), you must select a DNS zone for your AD forest root domain. For details, see [[Active_Directory_Naming_FAQ|Active Directory Naming FAQ]].
  
Run during make test
+
{{Imbox
TDB_NO_FSYNC=1 make test TESTS=samba.tests.dns
+
| type = warning
 +
| text = Samba does not support renaming the AD forest root domain.
 +
}}
  
Run against external servers (Windows or BIND)
+
Best practices:
SERVER_IP=<dns server ip> SERVER=<dns server name> REALM=<dns server domain name part> PYTHONPATH=`pwd`/bin/python ./source4/scripting/bin/subunitrun samba.tests.dns
 
  
 +
* Use a domain name you own.
 +
* Use a subdomain of your domain, such as <code>ad.example.com</code>.
 +
* Do not use <code>.local</code> domains. They can cause problems with Mac OS X and Zeroconf.
  
 +
For details, see [[Active_Directory_Naming_FAQ|Active Directory Naming FAQ]].
  
  
  
= BIND DLZ plug-in (for BIND 9.8 and 9.9) =
 
  
BIND can be setup to provide DNS resolving for zones managed in AD. They are accessable from BIND through the DLZ (dynamically loadable zones) plug-in.
 
  
 
+
----
 
+
[[Category:Active Directory]]
== Installation / Setup ==
+
[[Category:DNS]]
 
 
See the [[Dns-backend_bind|Bind as DNS backend HowTo]] for a detailed instruction.
 
 
 
 
 
 
 
 
 
 
 
= Changing the DNS backend =
 
 
 
== Changing from Internal DNS to BIND ==
 
 
 
* Shutdown Samba
 
 
 
* Migrate the zonefiles to BIND9_DLZ:
 
...../sbin/samba_upgradedns --dns-backend=BIND9_DLZ
 
 
 
* Remove the 'dns' option from the 'server services = ' parameter in your smb.conf, or change it to '-dns':
 
server services = ........ -dns
 
 
 
* [[#Installation_.2F_Setup|Setup BIND]]
 
 
 
* Start BIND and Samba
 
 
 
 
 
 
 
== Changing from BIND to Internal DNS ==
 
 
 
* Shutdown BIND and Samba
 
 
 
* Migrate the zonefiles to internal DNS:
 
...../sbin/samba_upgradedns --dns-backend=SAMBA_INTERNAL
 
 
 
* Add 'dns' option to the 'server services = ' parameter in your smb.conf:
 
server services = ........ dns
 
 
 
* Start Samba
 

Latest revision as of 12:30, 28 August 2019

Introduction

In an Active Directory (AD), DNS is a very important service. It is used for:

  • name resolution
  • locating services, such as Kerberos and LDAP
  • locating local domain controllers (DC) when using AD sites. For details, see Active Directory Sites.

Note: All clients and servers in an AD must use a DNS server that is able to resolve the AD DNS zones.

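What "locating services" means in practice is a fixed set of SRV records under the AD DNS zone; whichever back end you pick (internal or BIND9_DLZ) must serve them, or clients cannot find Kerberos, LDAP or the DCs of their site. The following check is an added example for this page, not Samba project code: it lists the standard AD locator names for a realm and site and reports which are missing from a zone. The zone text is a constructed sample in zone-file style (the parser assumes one record per line, name first), not output from a real DC; with a real DC you would feed it a zone dump from your back end instead.

```python
"""Report AD locator SRV records missing from a DNS zone.

Added example, not Samba project code.  The record names are the standard
AD DC-locator names; SAMPLE_ZONE is constructed for this example.
"""
from typing import List, Optional, Set


def expected_srv_names(realm: str, site: Optional[str] = None) -> List[str]:
    """Owner names an AD client queries to find LDAP, Kerberos and the DCs of SITE."""
    realm = realm.strip().rstrip(".").lower()
    names = [
        f"_ldap._tcp.{realm}",
        f"_kerberos._tcp.{realm}",
        f"_kerberos._udp.{realm}",
        f"_kpasswd._tcp.{realm}",
        f"_gc._tcp.{realm}",
        f"_ldap._tcp.dc._msdcs.{realm}",
        f"_kerberos._tcp.dc._msdcs.{realm}",
        f"_ldap._tcp.pdc._msdcs.{realm}",
        f"_ldap._tcp.gc._msdcs.{realm}",
    ]
    if site:
        site = site.strip().lower()
        names += [
            f"_ldap._tcp.{site}._sites.{realm}",
            f"_kerberos._tcp.{site}._sites.{realm}",
            f"_ldap._tcp.{site}._sites.dc._msdcs.{realm}",
        ]
    return names


def srv_names_in_zone(zone_text: str) -> Set[str]:
    """Collect owner names of SRV records from zone-file style lines."""
    found = set()
    for raw in zone_text.splitlines():
        line = raw.split(";", 1)[0].strip()  # drop comments and blank lines
        if not line or line.startswith("$"):  # skip $ORIGIN/$TTL directives
            continue
        fields = line.split()  # name [ttl] [class] type rdata...
        if "SRV" in fields[1:]:
            found.add(fields[0].rstrip(".").lower())
    return found


def missing_srv_records(zone_text: str, realm: str, site: Optional[str] = None) -> List[str]:
    """Expected locator names that the zone does not carry, in query order."""
    present = srv_names_in_zone(zone_text)
    return [name for name in expected_srv_names(realm, site) if name not in present]


# Constructed sample: a DC that published most, but not all, site-specific records.
SAMPLE_ZONE = """\
; constructed sample zone for ad.example.com
$ORIGIN ad.example.com.
_ldap._tcp.ad.example.com.                900 IN SRV 0 100 389  dc1.ad.example.com.
_kerberos._tcp.ad.example.com.            900 IN SRV 0 100 88   dc1.ad.example.com.
_kerberos._udp.ad.example.com.            900 IN SRV 0 100 88   dc1.ad.example.com.
_kpasswd._tcp.ad.example.com.             900 IN SRV 0 100 464  dc1.ad.example.com.
_gc._tcp.ad.example.com.                  900 IN SRV 0 100 3268 dc1.ad.example.com.
_ldap._tcp.dc._msdcs.ad.example.com.      900 IN SRV 0 100 389  dc1.ad.example.com.
_kerberos._tcp.dc._msdcs.ad.example.com.  900 IN SRV 0 100 88   dc1.ad.example.com.
_ldap._tcp.pdc._msdcs.ad.example.com.     900 IN SRV 0 100 389  dc1.ad.example.com.
_ldap._tcp.gc._msdcs.ad.example.com.      900 IN SRV 0 100 3268 dc1.ad.example.com.
_ldap._tcp.Default-First-Site-Name._sites.ad.example.com. 900 IN SRV 0 100 389 dc1.ad.example.com.
dc1.ad.example.com.                       900 IN A   192.0.2.10
"""

if __name__ == "__main__":
    for name in missing_srv_records(SAMPLE_ZONE, "ad.example.com", "Default-First-Site-Name"):
        print("missing:", name)
```

Run against the sample, the realm-wide records are all present, but two site-scoped records for Default-First-Site-Name are reported missing; that is the kind of gap that makes clients in that site fall back to DCs elsewhere in the forest.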

Supported DNS Back Ends

Samba supports the following DNS back ends:

  • Samba Internal DNS Back End
      • Default when provisioning a new domain, joining an existing domain or migrating an NT4 domain to AD.
      • No additional software or DNS knowledge is required.
      • Use this back end for simple DNS setups. For a list of limitations, see Limitations.
  • BIND9_DLZ DNS Back End
      • Requires BIND 9.8 or later installed and configured locally on the Samba Active Directory (AD) domain controller (DC). For additional information, see Setting up a BIND DNS Server.
      • Requires knowledge about the BIND DNS server and how to configure the service.
      • Use this back end for complex DNS scenarios that you cannot configure in the internal DNS.

If you are unsure which DNS back end to select during the DC installation, start with the Samba internal DNS. You can change the back end at any time. For details, see Changing the DNS Back End of a Samba AD DC.

Important: Do not use the BIND9_FLATFILE DNS back end. It is not supported and will be formally deprecated when 4.11.0 is released and removed at 4.12.0.




Selecting the AD Forest Root Domain

Before you provision your Active Directory (AD), you must select a DNS zone for your AD forest root domain. For details, see Active Directory Naming FAQ.

Warning: Samba does not support renaming the AD forest root domain.

Best practices:

  • Use a domain name you own.
  • Use a subdomain of your domain, such as ad.example.com.
  • Do not use .local domains. They can cause problems with Mac OS X and Zeroconf.

For details, see Active Directory Naming FAQ.
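Because the forest root zone cannot be renamed later, it is worth checking a candidate name before provisioning. The function below is an added example for this page, not Samba project code: it applies the three best practices above plus basic DNS label syntax. The `owned_domains` argument is an assumption of this example (you list the registered domains you control; nothing is looked up online), and the candidate names in the usage block are constructed.

```python
"""Check a candidate AD forest root zone against the naming advice above.

Added example, not Samba project code.  owned_domains is an assumption of
this example: the caller supplies the registered domains they control.
"""
import re
from typing import Iterable, List

# One DNS label: a-z, 0-9 and '-', no hyphen at either end, 1 to 63 characters.
LABEL_RE = re.compile(r"^(?!-)[a-z0-9-]{1,63}(?<!-)$")


def check_forest_root(zone: str, owned_domains: Iterable[str]) -> List[str]:
    """Return the problems found with ZONE; an empty list means it follows the advice."""
    zone = zone.strip().rstrip(".").lower()
    owned = {d.strip().rstrip(".").lower() for d in owned_domains}
    labels = zone.split(".")
    problems = []

    # Syntax: every label valid, whole name within the DNS limit.
    if len(zone) > 253 or not all(LABEL_RE.match(label) for label in labels):
        problems.append("not a valid DNS name (labels: a-z, 0-9, '-'; 1-63 chars; name <= 253)")

    # Best practice: do not use .local (conflicts with Zeroconf/mDNS, e.g. on Mac OS X).
    if labels[-1] == "local":
        problems.append(".local domains cause problems with Mac OS X and Zeroconf")

    # Best practices: use a domain you own, and a subdomain of it rather than the bare domain.
    if zone in owned:
        problems.append(f"this is your registered domain itself; use a subdomain such as ad.{zone}")
    elif not any(zone.endswith("." + d) for d in owned):
        problems.append("not under a domain you own")

    return problems


if __name__ == "__main__":
    # Constructed candidates; example.com stands in for a domain the admin owns.
    owned = ["example.com"]
    for candidate in ("ad.example.com", "example.com", "corp.local", "-bad.example.com"):
        verdict = check_forest_root(candidate, owned)
        print(f"{candidate:20} {'OK' if not verdict else '; '.join(verdict)}")
```

Only `ad.example.com` passes; the bare registered domain is flagged so that the AD zone does not collide with the public zone, and `corp.local` is rejected both for the `.local` suffix and because it is not under a domain you own.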