DNS can be a subdomain
Grant Taylor
gtaylor at tnetconsulting.net
Wed Jun 27 04:15:14 UTC 2018
On 06/26/2018 06:21 PM, Elias Pereira wrote:
> yes. :)
>
> https://wiki.samba.org/index.php/Active_Directory_Naming_FAQ#Why_This_Matters
Hum.
After reading that section of the page you linked to, I'm not convinced
that the DNS /must/ be on the Samba server.
> How would this work in the scenario I described above?
I completely agree with the referenced section in that AD clients and
servers absolutely MUST use the same DNS zone and server(s). (Servers
plural for master ~> slave replication of the same zone.)
However, nothing about Microsoft AD servers requires that the DNS zone
be hosted /on/ or /by/ the AD DC. It is /completely/ possible to host
the AD DNS zone on any DNS server. There are two caveats that
absolutely MUST be met.
1) All AD clients need to be able to query the same view of the DNS
zone. (Replication across servers is perfectly fine.)
2) AD DNS records must be added to said DNS zone.
It is completely possible to use a BIND DNS server to host an AD DNS
zone. You don't even need to allow dynamic updates. It's possible to
manually add the resource records (all 30 ~ 50 of them for a basic AD
forest) to the DNS zone on a BIND server by hand. AD will work
perfectly fine and not care where the DNS zone is hosted.
It's more convenient to allow the server (?) service to dynamically
create the necessary resource records via dynamic updates.
It is also convenient to run DNS on an AD DC that is also a DNS server.
The integration makes things simple and usually works.
Seeing how Microsoft AD servers are perfectly happy to have the DNS zone
hosted on other servers, I wondered if Samba AD servers are equally happy.
Aside: (I'm fairly certain that) it is possible to integrate Kerberos
based authentication for AD clients to update their own DNS resource
records on BIND. Jan-Piet Mens has a blog article on how to do it.
--
Grant. . . .
unix || die
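
One way to check caveat 2 above against a hand-maintained BIND zone, as an added example that is not part of the original message. It assumes a single-domain forest named ad.example.com with one DC, dc1, and checks only a core subset of the DC-locator SRV records, not the full 30 ~ 50; the function names and the sample zone are constructed for illustration.

```python
# Core DC-locator SRV owners (relative to the AD domain) and expected ports.
# Assumption: a subset of what a DC registers, for a single-domain forest.
CORE_SRV = {
    "_ldap._tcp": 389, "_ldap._tcp.dc._msdcs": 389, "_ldap._tcp.pdc._msdcs": 389,
    "_kerberos._tcp": 88, "_kerberos._udp": 88, "_kerberos._tcp.dc._msdcs": 88,
    "_kpasswd._tcp": 464, "_kpasswd._udp": 464,
    "_gc._tcp": 3268, "_ldap._tcp.gc._msdcs": 3268,
}

def parse_srv(zone_text, origin):
    """Return {owner FQDN (lowercase): set of SRV ports} from zone-file text."""
    origin = origin.lower().rstrip(".") + "."
    found, owner = {}, None
    for raw in zone_text.splitlines():
        line = raw.split(";", 1)[0]            # drop trailing comments
        fields = line.split()
        if not fields or fields[0].startswith("$"):
            continue                           # blank line or $TTL/$ORIGIN directive
        if not line[0].isspace():              # owner name starts in column 0,
            owner = fields.pop(0).lower()      # otherwise the previous owner is inherited
            owner = owner if owner.endswith(".") else f"{owner}.{origin}"
        if owner and "SRV" in fields:
            rdata = fields[fields.index("SRV") + 1:]   # priority weight port target
            if len(rdata) >= 4 and rdata[2].isdigit():
                found.setdefault(owner, set()).add(int(rdata[2]))
    return found

def missing_records(zone_text, domain):
    """List core locator records that are absent or on the wrong port."""
    have = parse_srv(zone_text, domain)
    base = domain.lower().rstrip(".") + "."
    return sorted(
        f"{name}.{base} SRV port {port}"
        for name, port in CORE_SRV.items()
        if port not in have.get(f"{name}.{base}", set())
    )

# Constructed sample zone fragment; two core records are deliberately left out.
SAMPLE_ZONE = """\
$TTL 600
_ldap._tcp                 IN SRV 0 100 389  dc1.ad.example.com.
_ldap._tcp.dc._msdcs       IN SRV 0 100 389  dc1.ad.example.com.
_kerberos._tcp             IN SRV 0 100 88   dc1.ad.example.com.
_kerberos._udp             IN SRV 0 100 88   dc1.ad.example.com.
_kerberos._tcp.dc._msdcs.ad.example.com. IN SRV 0 100 88 dc1.ad.example.com.
_kpasswd._tcp              IN SRV 0 100 464  dc1.ad.example.com.
_gc._tcp                   IN SRV 0 100 3268 dc1.ad.example.com.
_ldap._tcp.gc._msdcs       IN SRV 0 100 3268 dc1.ad.example.com. ; forest root
"""
```

Calling `missing_records(SAMPLE_ZONE, "ad.example.com")` reports the two records left out of the sample; an empty list means every core name is present on the expected port.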