On 06/26/2018 06:21 PM, Elias Pereira wrote:
> yes. :)
>
> https://wiki.samba.org/index.php/Active_Directory_Naming_FAQ#Why_This_Matters

Hum.

After reading that section of the page you linked to, I'm not convinced that the DNS /must/ be on the Samba server.

How would this work in the scenario I described above?

I completely agree with the referenced section in that AD clients and servers absolutely MUST use the same DNS zone and server(s). (Servers plural for master ~> slave replication of the same zone.)

However, nothing about Microsoft AD servers requires that the DNS zone be hosted /on/ or /by/ the AD DC. It is /completely/ possible to host the AD DNS zone on any DNS server. There are two caveats that absolutely MUST be met.

1) All AD clients need to be able to query the same view of the DNS zone. (Replication across servers is perfectly fine.)

2) AD DNS records must be added to said DNS zone.

It is completely possible to use a BIND DNS server to host an AD DNS zone. You don't even need to allow dynamic updates. It's possible to manually add the resource records (all 30 ~ 50 of them for a basic AD forest) to the DNS zone on a BIND server by hand. AD will work perfectly fine and not care where the DNS zone is hosted.

It's more convenient to allow the server (?) service to dynamically create the necessary resource records via dynamic updates.

It is also convenient to run DNS on an AD DC that is also a DNS server. The integration makes things simple and usually works.

Seeing how Microsoft AD servers are perfectly happy to have the DNS zone hosted on other servers, I wondered if Samba AD servers are equally happy.

Aside: (I'm fairly certain that) it is possible to integrate Kerberos based authentication for AD clients to update their own DNS resource records on BIND. Jan-Piet Mens has a blog article on how to do it.



--
Grant. . . .
unix || die
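The message above says the AD records can be added to a BIND zone by hand; the script below is an added example (not from the message, nor Samba's or BIND's own code) that emits that record set as BIND zone-file lines and checks an existing zone text for gaps. The record set is the one a Windows DC's netlogon service registers for one DC (LDAP, Kerberos, kpasswd and global-catalog SRV records, plus the apex, gc._msdcs and DSA-GUID entries). The domain, host, site name, GUIDs and address are constructed sample values.

```python
"""Emit the DNS resource records an Active Directory DC needs in its domain
zone as BIND zone-file lines, and check an existing zone text for gaps.

Added example, not from the original message or from Samba/BIND. The record
set mirrors what a Windows DC's netlogon service registers dynamically; it is
what has to be added by hand when the BIND zone does not accept updates.
The domain, host, site, GUIDs and address used below are constructed values.
"""

LDAP, KERBEROS, KPASSWD, GC = 389, 88, 464, 3268


def ad_dc_records(domain, dc_host, dc_ip, site, domain_guid, dsa_guid,
                  global_catalog=True):
    """Return (owner, rrtype, rdata) tuples; owners are relative to the zone apex."""
    fqdn = f"{dc_host}.{domain}."
    records = [
        (dc_host, "A", dc_ip),                  # the DC host itself
        ("@", "A", dc_ip),                      # domain name resolves to its DCs
        (f"{dsa_guid}._msdcs", "CNAME", fqdn),  # replication-partner lookup by DSA GUID
    ]

    def srv(owner, port):
        # priority 0, weight 100: one DC, so no real load balancing needed
        records.append((owner, "SRV", f"0 100 {port} {fqdn}"))

    sites = f"{site}._sites"
    # LDAP: domain-wide, per-site, PDC emulator, DC locator, and by domain GUID
    for owner in ("_ldap._tcp", f"_ldap._tcp.{sites}", "_ldap._tcp.pdc._msdcs",
                  "_ldap._tcp.dc._msdcs", f"_ldap._tcp.{sites}.dc._msdcs",
                  f"_ldap._tcp.{domain_guid}.domains._msdcs"):
        srv(owner, LDAP)
    # Kerberos KDC (TCP and UDP) and the password-change service
    for owner in ("_kerberos._tcp", "_kerberos._udp", f"_kerberos._tcp.{sites}",
                  "_kerberos._tcp.dc._msdcs", f"_kerberos._tcp.{sites}.dc._msdcs"):
        srv(owner, KERBEROS)
    for owner in ("_kpasswd._tcp", "_kpasswd._udp"):
        srv(owner, KPASSWD)
    if global_catalog:
        for owner in ("_gc._tcp", f"_gc._tcp.{sites}", "_ldap._tcp.gc._msdcs",
                      f"_ldap._tcp.{sites}.gc._msdcs"):
            srv(owner, GC)
        records.append(("gc._msdcs", "A", dc_ip))  # GC address record
    return records


def to_zone_lines(domain, records, ttl=600):
    """Render records as BIND zone-file lines with the apex as $ORIGIN."""
    lines = [f"$ORIGIN {domain}."]
    lines += [f"{owner} {ttl} IN {rrtype} {rdata}" for owner, rrtype, rdata in records]
    return lines


def missing_records(zone_text, required):
    """Return the (owner, rrtype) pairs in `required` that `zone_text` lacks.

    Minimal line-oriented check: each non-comment, non-directive line is read
    as 'owner [ttl] [IN] type rdata'. Run it over a dumped zone before pointing
    AD clients at the server.
    """
    present = set()
    for line in zone_text.splitlines():
        fields = line.split(";")[0].split()
        if not fields or fields[0].startswith("$"):
            continue
        owner = fields[0]
        rest = [f for f in fields[1:] if f != "IN" and not f.isdigit()]
        if rest:
            present.add((owner, rest[0]))
    return [(o, t) for o, t, _ in required if (o, t) not in present]


if __name__ == "__main__":
    recs = ad_dc_records("example.com", "dc1", "192.0.2.10",
                         "Default-First-Site-Name",
                         "3d6b2b4a-0c9d-4c7e-8b9e-111111111111",
                         "7e2a9c50-5c1b-4f0e-9a33-222222222222")
    print("\n".join(to_zone_lines("example.com", recs)))
    # A zone holding only the two A records is not usable by AD clients yet.
    partial = "$ORIGIN example.com.\n@ 600 IN A 192.0.2.10\ndc1 600 IN A 192.0.2.10\n"
    print(len(missing_records(partial, recs)), "records still to add")
```

Each additional DC adds its own copy of the SRV and address records, which is how a two-DC forest lands in the 30 to 50 range mentioned above. If the zone does allow dynamic updates, BIND's GSS-TSIG `update-policy` with `krb5-self` grants is the usual way to let each domain member update only its own records, which is the Kerberos-based update approach the aside refers to.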


_______________________________________________
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
