DNS can be a subdomain

Grant Taylor gtaylor at tnetconsulting.net
Wed Jun 27 04:15:14 UTC 2018

On 06/26/2018 06:21 PM, Elias Pereira wrote:
> yes. :)
> https://wiki.samba.org/index.php/Active_Directory_Naming_FAQ#Why_This_Matters


After reading that section of the page you linked to, I'm not convinced 
that the DNS /must/ be on the Samba server.

> How would this work in the scenario I described above?

I completely agree with the referenced section in that AD clients and 
servers absolutely MUST use the same DNS zone and server(s).  (Servers 
plural for master ~> slave replication of the same zone.)

However, nothing about Microsoft AD servers requires that the DNS zone 
be hosted /on/ or /by/ the AD DC.  It is /completely/ possible to host 
the AD DNS zone on any DNS server.  There are two caveats that 
absolutely MUST be met.

1)  All AD clients need to be able to query the same view of the DNS 
zone.  (Replication across servers is perfectly fine.)

2)  AD DNS records must be added to said DNS zone.

It is completely possible to use a BIND DNS server to host an AD DNS 
zone.  You don't even need to allow dynamic updates.  It's possible to 
manually add the resource records (all 30 ~ 50 of them for a basic AD 
forest) to the DNS zone on a BIND server by hand.  AD will work 
perfectly fine and not care where the DNS zone is hosted.

It's more convenient to allow the server (?) service to dynamically 
create the necessary resource records via dynamic updates.

It is also convenient to run DNS on an AD DC that is also a DNS server. 
The integration makes things simple and usually works.

Seeing how Microsoft AD servers are perfectly happy to have the DNS zone 
hosted on other servers, I wondered if Samba AD servers are equally happy.

Aside:  (I'm fairly certain that) it is possible to integrate Kerberos 
based authentication for AD clients to update their own DNS resource 
records on BIND.  Jan-Piet Mens has a blog article on how to do it.

Grant. . . .
unix || die
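An added example, not from Grant's message or from the BIND or Samba projects: when the AD resource records are added to a BIND zone by hand, as the post describes, the check a practitioner wants is whether the SRV names AD clients look up are actually present. The script below parses a constructed zone for the hypothetical forest ad.example.com and reports any missing ones; the required-name list is a minimal subset (the full set, with per-site and GUID-based _msdcs entries, is longer).

```python
import re

# Constructed sample zone for the hypothetical forest "ad.example.com"
# (not from the post); it deliberately omits _kpasswd._udp.
ZONE = """\
$ORIGIN ad.example.com.
@    IN SOA ns1.ad.example.com. hostmaster.ad.example.com. (1 3600 900 604800 300)
@    IN NS  ns1.ad.example.com.
dc1  IN A   192.0.2.10
_ldap._tcp               IN SRV 0 100 389  dc1.ad.example.com.
_kerberos._tcp           IN SRV 0 100 88   dc1.ad.example.com.
_kerberos._udp           IN SRV 0 100 88   dc1.ad.example.com.
_kpasswd._tcp            IN SRV 0 100 464  dc1.ad.example.com.
_ldap._tcp.dc._msdcs     IN SRV 0 100 389  dc1.ad.example.com.
_kerberos._tcp.dc._msdcs IN SRV 0 100 88   dc1.ad.example.com.
_ldap._tcp.pdc._msdcs    IN SRV 0 100 389  dc1.ad.example.com.
_gc._tcp                 IN SRV 0 100 3268 dc1.ad.example.com.
"""
# Minimal subset of the SRV owner names AD clients and DCs look up; the full
# set (per-site and GUID-based _msdcs entries) is longer, as the post notes.
REQUIRED_SRV = ("_ldap._tcp", "_kerberos._tcp", "_kerberos._udp",
                "_kpasswd._tcp", "_kpasswd._udp", "_ldap._tcp.dc._msdcs",
                "_kerberos._tcp.dc._msdcs", "_ldap._tcp.pdc._msdcs", "_gc._tcp")
# owner [ttl] IN SRV priority weight port target
SRV_RE = re.compile(r"^(\S+)\s+(?:\d+\s+)?IN\s+SRV\s+(\d+)\s+(\d+)\s+(\d+)\s+(\S+)", re.I)

def parse_srv(zone_text):
    """Return {fqdn: [(prio, weight, port, target), ...]} for every SRV RR,
    qualifying relative owner names with the current $ORIGIN."""
    origin, records = "", {}
    for line in zone_text.splitlines():
        line = line.split(";", 1)[0].rstrip()          # drop comments
        if line.startswith("$ORIGIN"):
            origin = line.split()[1]
        elif (m := SRV_RE.match(line)):
            owner = m.group(1)
            if not owner.endswith("."):
                owner = f"{owner}.{origin}"
            records.setdefault(owner.lower(), []).append(
                (int(m.group(2)), int(m.group(3)), int(m.group(4)), m.group(5).lower()))
    return records

def missing_ad_srv(zone_text, domain):
    """Names from REQUIRED_SRV with no SRV record under `domain`."""
    present = parse_srv(zone_text)
    return [n for n in REQUIRED_SRV if f"{n}.{domain}.".lower() not in present]

if __name__ == "__main__":
    print("missing SRV records:", missing_ad_srv(ZONE, "ad.example.com"))
```

Run it against the exported zone file of a real forest (after `named-checkzone` passes) to catch a record that was never copied over; it only checks presence, not whether each target name resolves.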
