User Tools

Site Tools


dns_administration

Differences

This shows you the differences between two versions of the page.

Link to this comparison view

dns_administration [2020/04/10 17:38]
dns_administration [2020/04/10 17:38] (current)
Line 1: Line 1:
 +**DNS Administration**
 +
 +====== Introduction ======
 +
 +If you're running Samba as Active Directory Domain Controller, you also have to administer a DNS server.
 +
 +There are two ways to manage a DNS server:
 +  - Using **samba-tool dns** command line.
 +  - Using DNS MMC Snap-In on Windows. See [[samba_ad_management_from_windows|Samba AD management from Windows]] for more details.
 +
 +Per default, Samba creates the following two forward zones during provisioning/​upgrading (of course with your own domain name):
 +  * **samdom.example.com**:​ Zone for your domain.
 +  * **_msdcs.samdom.example.com**:​ This is the ForestDNSZone,​ that contains several service records for the entire directory.
 +
 +
 +===== Features =====
 +----
 +
 +The Samba internal DNS is a new implementation. Although BIND is a grown up DNS and long in production on millions of servers, the Samba BIND DLZ module is still new. That's why both backends don't cover all features yet, you can setup with the Microsoft DNS tools. If you discover problems or missing features, please open a bug report/​feature request at [[https://​bugzilla.samba.org/​]].
 +
 +But even if the internal DNS and the BIND DLZ modules are new, they both support all basic requirements for Active Directory and more.
 +
 +
 +===== Known/​issues missing features =====
 +----
 +
 +  * Managing zone transfers is not implemented yet. Bug report [[https://​bugzilla.samba.org/​show_bug.cgi?​id=9951|#​9951:​DNS MMC: Enabling DNS zone transfers in MMC fails]].
 +  * Different zone transfer settings on internal DNS (denied) and BIND DLZ (allowed). Bug report [[https://​bugzilla.samba.org/​show_bug.cgi?​id=9634|#​9634:​ Samba Bind DLZ module allows zone transfers for everyone]].
 +
 +
 +====== Importance of DNS for Active Directory ======
 +----
 +
 +A working Active Directory is heavily based on a working DNS. It's not just for resolving IP addresses into names and vice versa. Clients find their Domain Controller/​s and other important AD services by DNS queries.
 +
 +
 +====== Administering DNS on Windows ======
 +----
 +
 +To administer DNS from a Windows client, you have to install the DNS MMC Snap-In. See [[samba_ad_management_from_windows|Samba AD management from Windows]] for more details.
 +
 +
 +===== Adding new records =====
 +----
 +
 +  * Navigate to the zone, where you want to to add a new record.
 +  * Right-click to it and choose the kind of record to add.
 +    {{:​dns_manager_add_records.png?​400|}}
 +  * Fill the fields and save the new entry.
 +
 +
 +===== Updating existing records =====
 +----
 +
 +  * Navigate to the zone that contains the record you want to edit.
 +  * Right-click the record and choose "​Properties"​.
 +{{:​dns_manager_change_record.png?​300|}}
 +  * Edit the entry and save the changes.
 +
 +
 +===== Delete a record =====
 +----
 +
 +  * Navigate to the zone that contains the record you want to remove.
 +  * Right-click to the record and choose "​Delete"​.
 +
 +
 +===== Changing zone properties =====
 +----
 +
 +  * Right-click to a zone of which you you want to do changes.
 +  * Choose "​Properties"​.
 +
 +**Note**: Currently both DNS backends doesn'​t support all features, that can be setup in the dialogues. If you discover problems or missing features, please open a bug report/​feature request at [[https://​bugzilla.samba.org/​]].
 +
 +
 +===== Creating a new zone =====
 +----
 +
 +As example we'll add a reverse lookup zone.
 +
 +  * Right-click to "​Reverse Lookup Zones" and choose "New Zone".
 +  * The "New Zone Wizard"​ appears.
 +  * Zone Type: Select "​Primary zone" and "Store the zone in Active Directory"​.
 +{{:​dns_add_zone_wizzard_1.png?​300|}}
 +  * Zone Replication Scope: Depents on your needs.
 +{{:​dns_add_zone_wizzard_2.png?​300|}}
 +  * Reverse Lookup Zone Name: Depents on your needs.
 +{{:​dns_add_zone_wizzard_3.png?​300|}}
 +  * Dynamic Update: Depents on your needs.
 +{{:​dns_add_zone_wizzard_4.png?​300|}}
 +  * Finish the wizard.
 +
 +If you are using BIND_DLZ as backend, then your new zone is directly live without restarting Samba or BIND.
 +
 +The internal DNS as backend currently needs a restart of Samba to take effect. See [[https://​bugzilla.samba.org/​show_bug.cgi?​id=9404|bug report #9404]].
 +
 +
 +===== Deleting a zone =====
 +----
 +
 +  * Right-click to a zone and choose "​Delete"​.
 +{{:​dns_delete_zone.png?​350|}}
 +
 +
 +====== Administering DNS on Linux/Unix ======
 +----
 +
 +===== Adding new records =====
 +----
 +
 +  * Example: Adding an A record:
 +<​code>​
 + # samba-tool dns add <​Your-DNS-Server>​ redtic.uclv.cu demo A 10.12.2.50
 +</​code>​
 +
 +  * Example: Adding a PTR record to a reverse zone:
 +<​code>​
 + # samba-tool dns add <​Your-DNS-Server>​ 0.12.10.in-addr.arpa 50 PTR demo.redtic.uclv.cu
 +</​code>​
 +
 +  * Example: Adding a SRV record to _tcp.redtic.uclv.cu:​
 +<​code>​
 + # samba-tool dns add <​Your-DNS-Server>​ redtic.uclv.cu _demo._tcp SRV '​demo.redtic.uclv.cu 8080 0 100'
 +</​code>​
 +
 +**A note on SRV records**: The order of the four parameters in the last field ("​data"​) are '​hostname port priority weight'​ and have to be between ' '.
 +
 +
 +===== Updating existing records =====
 +----
 +
 +  * Example: Changing an A record:
 +<​code>​
 + # samba-tool dns update <​Your-DNS-Server>​ redtic.uclv.cu demo A 10.12.2.50 10.12.2.60
 +</​code>​
 +
 +
 +===== Delete a record =====
 +----
 +
 +  * Example: Deleting an A record:
 +<​code>​
 + # samba-tool dns delete <​Your-DNS-Server>​ redtic.uclv.cu demo A 10.12.2.50
 +</​code>​
 +
 +
 +===== Creating a new zone =====
 +----
 +
 +  * As example we'll add a reverse lookup zone.
 +<​code>​
 + # samba-tool dns zonecreate <​Your-DNS-Server>​ 0.12.10.in-addr.arpa
 +</​code>​
 +
 +If you are using BIND_DLZ as backend, then your new zone is directly live without restarting Samba or BIND.
 +
 +The internal DNS as backend currently needs a restart of Samba to take effect. See [[https://​bugzilla.samba.org/​show_bug.cgi?​id=9404|bug report #9404]].
 +
 +
 +====== Testing your DNS Server ======
 +----
 +
 +On Windows and *nix, you can use "​nslookup"​ to test if your computer can resolve records by using your DNS. Try resolving the name of your Domain Controller into its IP:
 +<​code>​
 + # nslookup DC1.samdom.example.com
 + ​Server: ​        ​10.99.0.1
 + ​Address: ​       10.99.0.1#​53
 +
 + ​Name: ​  ​DC1.samdom.example.com
 + ​Address:​ 10.99.0.1
 +</​code>​
 +
 +Nslookup will show you, which server was asked (10.99.0.1) and the result of your query (DC1.samdom.example.com has IP 10.99.0.1)
 +
 +To query a SVR record, you have to start nslookup and set the type to "​SRV",​ to retrieve the values (works on Windows and *nix):
 +
 +<​code>​
 + # nslookup
 + ​Default Server: ​ UnKnown
 + : ​ 10.99.0.1
 +
 + > set type=SRV
 + > _ldap._tcp.samdom.example.com.
 + ​Server: ​ UnKnown
 + ​Address: ​ 10.99.0.1
 +
 + ​_ldap._tcp.samdom.example.com ​  SRV service location:
 +          priority ​      = 0
 +          weight ​        = 100
 +          port           = 389
 +          svr hostname ​  = dc1.samdom.example.com
 + ​samdom.example.com ​     nameserver = dc1.samdom.example.com
 + ​dc1.samdom.example.com ​ internet address = 10.99.0.1
 +</​code>​
 +
 +If your query can't be answered, because it doesn'​t exist, you'll receive.
 +
 +<​code>​
 + ** server can't find win7.redtic.uclv.cu:​ NXDOMAIN
 +</​code>​
 +
 +If you query a none existing DNS server, it would result in:
 +<​code>​
 + ;; connection timed out; no servers could be reached
 +</​code>​
 +
 +
 +
 +
 +
 +
 +
 +
 +
 +
 +
 +
 +
 +
 +
 +
 +
 +
 +
 +
 +
 +
 +
 +
 +
  
dns_administration.txt ยท Last modified: 2020/04/10 17:38 (external edit)