DNS Administration

Introduction

If you're running Samba as Active Directory Domain Controller, you also have to administer a DNS server.

There are two ways to manage a DNS server:

  1. Using samba-tool dns command line.
  2. Using DNS MMC Snap-In on Windows. See Samba AD management from Windows for more details.

By default, Samba creates the following two forward zones during provisioning/upgrading (with your own domain name, of course):

Features


The Samba internal DNS is a new implementation. Although BIND is a mature DNS server that has been in production on millions of servers for a long time, the Samba BIND DLZ module is still new. That's why neither backend yet covers all the features you can set up with the Microsoft DNS tools. If you discover problems or missing features, please open a bug report/feature request at https://bugzilla.samba.org/.

But even though the internal DNS and the BIND DLZ module are new, both support all basic requirements for Active Directory and more.

Known issues/missing features


Importance of DNS for Active Directory


A working Active Directory depends heavily on a working DNS. It's not just for resolving names into IP addresses and vice versa: clients find their Domain Controller(s) and other important AD services through DNS queries.

Administering DNS on Windows


To administer DNS from a Windows client, you have to install the DNS MMC Snap-In. See Samba AD management from Windows for more details.

Adding new records


Updating existing records


Delete a record


Changing zone properties


Note: Currently neither DNS backend supports all the features that can be set up in the dialogues. If you discover problems or missing features, please open a bug report/feature request at https://bugzilla.samba.org/.

Creating a new zone


As an example, we'll add a reverse lookup zone.

If you are using BIND_DLZ as backend, then your new zone is directly live without restarting Samba or BIND.

The internal DNS as backend currently needs a restart of Samba to take effect. See bug report #9404.

Deleting a zone


Administering DNS on Linux/Unix


Adding new records


 # samba-tool dns add <Your-DNS-Server> redtic.uclv.cu demo A 10.12.2.50
 # samba-tool dns add <Your-DNS-Server> 0.12.10.in-addr.arpa 50 PTR demo.redtic.uclv.cu
 # samba-tool dns add <Your-DNS-Server> redtic.uclv.cu _demo._tcp SRV 'demo.redtic.uclv.cu 8080 0 100'

A note on SRV records: The order of the four parameters in the last field (“data”) is 'hostname port priority weight', and they have to be enclosed in single quotes (' ').
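The following Python helper is an added example, not part of this page or of samba-tool itself. It builds the A/PTR command pair for a host (deriving the in-addr.arpa zone and PTR label from the IP, so the reverse record is not forgotten) and formats the SRV data field in the 'hostname port priority weight' order described above; the server name dc1.redtic.uclv.cu and the dry-run default are assumptions.

```python
"""Build samba-tool dns commands for a host (A + PTR pair) and for an SRV record."""
import ipaddress
import shlex
import subprocess
from typing import List, Tuple

SAMBA_TOOL = "samba-tool"  # assumed to be on PATH

def reverse_zone_and_label(ip: str, prefix_len: int) -> Tuple[str, str]:
    """(in-addr.arpa zone, PTR label) for an IPv4 address in an octet-aligned zone.
    10.12.2.50 in a /24 gives ('2.12.10.in-addr.arpa', '50'); in a /16 ('12.10.in-addr.arpa', '50.2')."""
    if prefix_len not in (8, 16, 24):
        raise ValueError("prefix_len must be 8, 16 or 24")
    octets = str(ipaddress.IPv4Address(ip)).split(".")  # IPv4Address() validates the IP
    n = prefix_len // 8
    return ".".join(reversed(octets[:n])) + ".in-addr.arpa", ".".join(reversed(octets[n:]))

def srv_data(hostname: str, port: int, priority: int, weight: int) -> str:
    """SRV 'data' field in the order samba-tool expects: 'hostname port priority weight'
    (different from the 'priority weight port target' order used in zone files)."""
    for value in (port, priority, weight):
        if not 0 <= value <= 65535:
            raise ValueError("port, priority and weight must be 16-bit values")
    return f"{hostname} {port} {priority} {weight}"

def host_add_commands(server: str, zone: str, name: str, ip: str,
                      prefix_len: int = 24) -> List[List[str]]:
    """argv lists that add the A record and its matching PTR record."""
    rzone, label = reverse_zone_and_label(ip, prefix_len)
    return [
        [SAMBA_TOOL, "dns", "add", server, zone, name, "A", ip],
        [SAMBA_TOOL, "dns", "add", server, rzone, label, "PTR", f"{name}.{zone}"],
    ]

def run(commands: List[List[str]], dry_run: bool = True) -> None:
    """Print each command shell-quoted (so the SRV data field shows its quotes); execute unless dry_run."""
    for argv in commands:
        print(shlex.join(argv))
        if not dry_run:
            subprocess.run(argv, check=True)

if __name__ == "__main__":
    dc = "dc1.redtic.uclv.cu"  # assumed DNS server name
    cmds = host_add_commands(dc, "redtic.uclv.cu", "demo", "10.12.2.50")
    cmds.append([SAMBA_TOOL, "dns", "add", dc, "redtic.uclv.cu", "_demo._tcp", "SRV",
                 srv_data("demo.redtic.uclv.cu", 8080, 0, 100)])
    run(cmds)  # dry run: prints the three commands without executing them
```

Pass dry_run=False to run() to actually execute the commands; the reverse zone named in the PTR command must already exist on the server.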

Updating existing records


 # samba-tool dns update <Your-DNS-Server> redtic.uclv.cu demo A 10.12.2.50 10.12.2.60

Delete a record


 # samba-tool dns delete <Your-DNS-Server> redtic.uclv.cu demo A 10.12.2.50

Creating a new zone


 # samba-tool dns zonecreate <Your-DNS-Server> 0.12.10.in-addr.arpa

If you are using BIND_DLZ as backend, then your new zone is directly live without restarting Samba or BIND.

The internal DNS as backend currently needs a restart of Samba to take effect. See bug report #9404.

Testing your DNS Server


On Windows and *nix, you can use “nslookup” to test whether your computer can resolve records using your DNS server. Try resolving the name of your Domain Controller into its IP:

 # nslookup DC1.samdom.example.com
 Server:         10.99.0.1
 Address:        10.99.0.1#53

 Name:   DC1.samdom.example.com
 Address: 10.99.0.1

Nslookup shows you which server was asked (10.99.0.1) and the result of your query (DC1.samdom.example.com has the IP 10.99.0.1).

To query an SRV record, start nslookup and set the type to “SRV” to retrieve the values (works on Windows and *nix):

 # nslookup
 Default Server:  UnKnown
 Address:  10.99.0.1

 > set type=SRV
 > _ldap._tcp.samdom.example.com.
 Server:  UnKnown
 Address:  10.99.0.1

 _ldap._tcp.samdom.example.com   SRV service location:
          priority       = 0
          weight         = 100
          port           = 389
          svr hostname   = dc1.samdom.example.com
 samdom.example.com      nameserver = dc1.samdom.example.com
 dc1.samdom.example.com  internet address = 10.99.0.1

If your query can't be answered because the record doesn't exist, you'll receive:

 ** server can't find win7.redtic.uclv.cu: NXDOMAIN

If you query a non-existent DNS server, the result is:

 ;; connection timed out; no servers could be reached