DHCP, DNS and non-domain members


DHCP, DNS and non-domain members

Samba - General mailing list
Hi all,

I am preparing a migration from Samba NT-Domain to Samba AD. The migration itself is all fine, but I
have a general problem in understanding the network architecture of an active directory domain.

Right now (Samba NT style), each client gets its IP address from a DHCP server (isc-dhcp-server).
The DHCP server in turn updates the DNS (bind9) via dynamic DNS updates. This way, every client (and
more important in terms of DNS: several servers with dynamic IPs) can be found in the DNS - forward
and reverse.

Now with Samba AD, the Samba server has full and exclusive control over the DNS zone. Windows
clients and Linux clients, which have joined the domain, update the DNS zone with an entry
(apparently only forward but not reverse). But what should I do with clients and other servers,
which are not in the AD domain? Clients are not so important, but the servers have to be reached via
DNS :-)

I could deliver a fixed IP address via DHCP to the servers and manually create a DNS entry in the AD.

Or I could put them into a different DNS domain, which is not controlled by Samba, but by
isc-dhcp-server and bind. But then the clients would need two different domain search suffixes (not
so nice with Windows).

How do you solve this problem with DHCP and DNS entries for non-AD members?

Regards,
Martin



--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba

Re: DHCP, DNS and non-domain members

Samba - General mailing list
On Thu, 23 Nov 2017 15:20:45 +0100
Martin Renner via samba <[hidden email]> wrote:

> Hi all,
>
> I am preparing a migration from Samba NT-Domain to Samba AD. The
> migration itself is all fine, but I have a general problem in
> understanding the network architecture of an active directory domain.
>
> Right now (Samba NT style), each client gets its IP address from a
> DHCP server (isc-dhcp-server). The DHCP server in turn updates the
> DNS (bind9) via dynamic DNS updates. This way, every client (and more
> important in terms of DNS: several servers with dynamic IPs) can be
> found in the DNS - forward and reverse.

This sounds very like my AD domain ;-)

>
> Now with Samba AD, the Samba server has full and exclusive control
> over the DNS zone. Windows clients and Linux clients, which have
> joined the domain, update the DNS zone with an entry (apparently only
> forward but not reverse). But what should I do with clients and other
> servers, which are not in the AD domain? Clients are not so
> important, but the servers have to be reached via DNS :-)

As long as your servers are in the same DNS domain, this should work as
before. If you think about it, every DHCP client before it is joined to
the domain works this way.

Just because a computer (or printer etc) gets its IP from a DHCP
server running on an AD DC, doesn't mean it has to be joined to the
domain.

Rowland


Re: DHCP, DNS and non-domain members

Samba - General mailing list
Hi Rowland,

my problem is, how to get the non-AD members into the DNS? Especially, if they are servers and have
dynamic IPs from a DHCP server?

As far as I understand, only AD members will update the DNS inside of the AD. So do I have to
deliver fixed IP addresses via DHCP to servers and put a manual entry into the AD DNS?

Regards,
Martin


On 23.11.2017 at 16:28, Rowland Penny via samba wrote:

> On Thu, 23 Nov 2017 15:20:45 +0100
> Martin Renner via samba <[hidden email]> wrote:
>
>> Hi all,
>>
>> I am preparing a migration from Samba NT-Domain to Samba AD. The
>> migration itself is all fine, but I have a general problem in
>> understanding the network architecture of an active directory domain.
>>
>> Right now (Samba NT style), each client gets its IP address from a
>> DHCP server (isc-dhcp-server). The DHCP server in turn updates the
>> DNS (bind9) via dynamic DNS updates. This way, every client (and more
>> important in terms of DNS: several servers with dynamic IPs) can be
>> found in the DNS - forward and reverse.
> This sounds very like my AD domain ;-)
>
>> Now with Samba AD, the Samba server has full and exclusive control
>> over the DNS zone. Windows clients and Linux clients, which have
>> joined the domain, update the DNS zone with an entry (apparently only
>> forward but not reverse). But what should I do with clients and other
>> servers, which are not in the AD domain? Clients are not so
>> important, but the servers have to be reached via DNS :-)
> As long as your servers are in the same DNS domain, this should work as
> before. If you think about it, every DHCP client before it is joined to
> the domain works this way.
>
> Just because a computer (or printer etc) gets its IP from a DHCP
> server running on an AD DC, doesn't mean it has to be joined to the
> domain.
>
> Rowland
>


Re: DHCP, DNS and non-domain members

Samba - General mailing list
On Thu, 23 Nov 2017 17:05:00 +0100
Martin Renner via samba <[hidden email]> wrote:

> Hi Rowland,
>
> my problem is, how to get the non-AD members into the DNS?
> Especially, if they are servers and have dynamic IPs from a DHCP
> server?
>
> As far as I understand, only AD members will update the DNS inside of
> the AD. So do I have to deliver fixed IP addresses via DHCP to
> servers and put a manual entry into the AD DNS?
>

You run the DHCP server on a DC, see here:

https://wiki.samba.org/index.php/Configure_DHCP_to_update_DNS_records_with_BIND9

Rowland


Re: DHCP, DNS and non-domain members

Samba - General mailing list
On Thu, 2017-11-23 at 16:35 +0000, Rowland Penny via samba wrote:

> On Thu, 23 Nov 2017 17:05:00 +0100
> Martin Renner via samba <[hidden email]> wrote:
>
> > Hi Rowland,
> >
> > my problem is, how to get the non-AD members into the DNS?
> > Especially, if they are servers and have dynamic IPs from a DHCP
> > server?
> >
> > As far as I understand, only AD members will update the DNS inside of
> > the AD. So do I have to deliver fixed IP addresses via DHCP to
> > servers and put a manual entry into the AD DNS?
> >
>
> You run the DHCP server on a DC, see here:
>
> https://wiki.samba.org/index.php/Configure_DHCP_to_update_DNS_records_with_BIND9

That is a really great article!

If there is a strict requirement to split it up, obviously the commands
to create the user and extract the keytab can be done on the DC and the
result passed to another server.

I've long wished for a patch to our DNS server to support shared-secret
TSIG to make this easier, but with this script written there isn't
really much need any more.

Andrew Bartlett

--
Andrew Bartlett                       http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba

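The wiki page linked above describes a DHCP lease hook that registers records in the AD zone using a dedicated DHCP account and its keytab. The following is an added illustration of what such a hook has to compute, written for this thread and not the wiki's own script. It assumes samba-tool's `dns add|delete SERVER ZONE NAME TYPE DATA` syntax, the `--use-kerberos=required` spelling of the Kerberos option (Samba 4.15 and later; older releases used `-k yes`), a keytab path of `/etc/dhcpduser.keytab`, and a DC named `dc1`; the principal `dhcpduser@AD.COMPANY.COM` is the one visible in the thread's log lines. Nothing contacts a DC unless `run=True` is passed. The hostname check matters because the name comes from the DHCP client and ends up both as a DNS owner name and on a command line.

```python
"""Added example (not the Samba wiki's dhcp-dyndns script): plan the
samba-tool calls a DHCP lease-commit hook makes on behalf of a client
that is not a domain member, so that the A and PTR records end up owned
by the dedicated DHCP account rather than by the client."""
import ipaddress
import re
import subprocess

# RFC 1123 host label: letters, digits, hyphens, no leading/trailing hyphen.
_LABEL_RE = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")


def validate_hostname(hostname: str) -> str:
    """Reject anything that is not a single valid host label. The hostname
    is supplied by the DHCP client, so it is untrusted input before it is
    used as a DNS owner name or placed on a command line."""
    if not _LABEL_RE.match(hostname):
        raise ValueError(f"unusable DHCP hostname: {hostname!r}")
    return hostname.lower()


def reverse_zone_and_label(ip: str, prefix_len: int):
    """Split an IPv4 address into the in-addr.arpa zone for an octet-aligned
    subnet (/8, /16, /24) and the PTR owner label inside that zone."""
    if prefix_len not in (8, 16, 24):
        raise ValueError("only octet-aligned reverse zones are supported here")
    octets = ipaddress.IPv4Address(ip).exploded.split(".")
    n = prefix_len // 8
    zone = ".".join(reversed(octets[:n])) + ".in-addr.arpa"
    label = ".".join(reversed(octets[n:]))
    return zone, label


def plan_lease_update(action, ip, hostname, domain, prefix_len, dc):
    """Return the argv lists for a lease 'add' (commit) or 'delete'
    (release/expiry): the forward A record and the reverse PTR record.
    Assumption: samba-tool 'dns add|delete SERVER ZONE NAME TYPE DATA' and
    the Samba 4.15+ '--use-kerberos=required' option."""
    if action not in ("add", "delete"):
        raise ValueError(f"unknown action {action!r}")
    name = validate_hostname(hostname)
    fqdn = f"{name}.{domain}"
    rzone, rlabel = reverse_zone_and_label(ip, prefix_len)
    common = ["samba-tool", "dns", action, dc, "--use-kerberos=required"]
    return [
        common + [domain, name, "A", ip],
        common + [rzone, rlabel, "PTR", fqdn],
    ]


def kinit_argv(keytab, principal):
    """Ticket for the DHCP account from its keytab. The hook acts as this
    account, which is why a client later trying to overwrite the same
    record with its own machine account is refused."""
    return ["kinit", "-k", "-t", keytab, principal]


def run_hook(action, ip, hostname, domain, prefix_len, dc,
             keytab="/etc/dhcpduser.keytab",          # assumed path
             principal="dhcpduser@AD.COMPANY.COM",    # as seen in the thread
             run=False):
    """Assemble the full command sequence; execute it only when run=True."""
    cmds = [kinit_argv(keytab, principal)]
    cmds += plan_lease_update(action, ip, hostname, domain, prefix_len, dc)
    if run:
        for argv in cmds:
            subprocess.run(argv, check=True)
    return cmds


if __name__ == "__main__":
    # Dry run for the client named in the thread; prints the planned commands.
    for argv in run_hook("add", "192.168.105.101", "TEST-PC",
                         "ad.company.com", 24, "dc1"):
        print(" ".join(argv))
```

On commit the hook adds an A and a PTR record; on release or expiry it deletes them. Because every record is written with the DHCP account's ticket, that account becomes the record owner, which is the behaviour discussed further down in the thread.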


Re: DHCP, DNS and non-domain members

Samba - General mailing list
Hi,

On 23 Nov 2017 17:35 Rowland Penny via samba wrote:

> On Thu, 23 Nov 2017 17:05:00 +0100
> Martin Renner via samba <[hidden email]> wrote:
>
>> Hi Rowland,
>>
>> my problem is, how to get the non-AD members into the DNS?
>> Especially, if they are servers and have dynamic IPs from a DHCP
>> server?
>>
>> As far as I understand, only AD members will update the DNS inside of
>> the AD. So do I have to deliver fixed IP addresses via DHCP to
>> servers and put a manual entry into the AD DNS?
>>
> You run the DHCP server on a DC, see here:
>
> https://wiki.samba.org/index.php/Configure_DHCP_to_update_DNS_records_with_BIND9
>
> Rowland
>

thank you for this link.

I configured everything according to the howto and disabled DNS updates in the group policy (Default
Domain Policy / Computer Configuration / Policies / Administrative Templates / Network / DNS Client
/ Dynamic Updates). But it looks as if the Windows clients still try to update their DNS entries
(even after "gpupdate /force" and reboot).

When a Windows client is booting, I can see entries in /var/log/syslog which are definitely from
the DHCP shell script:

   samba_dlz: allowing update of signer=dhcpduser\@AD.COMPANY.COM name=test-pc.ad.company.com
tcpaddr=... type=A key=...."

both for the forward and reverse zone.

But shortly after these messages, I can see messages which seem to come from the client:

   samba_dlz: starting transaction on zone ad.company.com
   client 192.168.105.101#59890: update 'ad.company.com/IN' denied
   samba_dlz: cancelling transaction on zone ad.company.com
   samba_dlz: starting transaction on zone ad.company.com
   samba_dlz: disallowing update of signer=TEST-PC\$\@AD.COMPANY.COM name=test-PC.ad.company.com
type=A error=insufficient access rights
   client 192.168.105.101#63148/key TEST-PC\$\@AD.COMPANY.COM: updating zone 'ad.company.com/NONE':
update failed: rejected by secure update (REFUSED)

This looks to me as if the client is still trying to update its DNS entry. Did I miss anything in
the client configuration?

Regards,
Martin


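The syslog lines quoted above are enough to tell the two cases apart: an `allowing update of signer=...` line written for the DHCP account, followed by a `disallowing update of signer=...` line for the client's own machine account on the same name. The following is an added example, not part of this thread, that parses such `samba_dlz` lines and reports names where one account owns the record and a different account (typically a machine account, recognisable by the trailing `$`) is being refused. The sample log is constructed after the excerpts above; the syslog prefix, ports and the second client are made up.

```python
"""Added example (not from the thread): summarise samba_dlz dynamic-update
log lines and flag records where the DHCP account created the entry and a
client's machine account is now refused, i.e. clients still trying to
self-register despite the GPO."""
import re

# Constructed sample, modelled on the syslog excerpts in the thread.
# Backslashes are doubled only because this is a Python literal; the file
# contains a single backslash before '@' and '$', as in the thread.
SAMPLE_LOG = """\
Nov 28 10:40:01 dc1 named[1234]: samba_dlz: allowing update of signer=dhcpduser\\@AD.COMPANY.COM name=test-pc.ad.company.com tcpaddr=192.168.105.101 type=A key=dhcpduser
Nov 28 10:40:01 dc1 named[1234]: samba_dlz: allowing update of signer=dhcpduser\\@AD.COMPANY.COM name=101.105.168.192.in-addr.arpa tcpaddr=192.168.105.101 type=PTR key=dhcpduser
Nov 28 10:40:05 dc1 named[1234]: samba_dlz: starting transaction on zone ad.company.com
Nov 28 10:40:05 dc1 named[1234]: client 192.168.105.101#59890: update 'ad.company.com/IN' denied
Nov 28 10:40:05 dc1 named[1234]: samba_dlz: cancelling transaction on zone ad.company.com
Nov 28 10:40:05 dc1 named[1234]: samba_dlz: disallowing update of signer=TEST-PC\\$\\@AD.COMPANY.COM name=test-PC.ad.company.com type=A error=insufficient access rights
Nov 28 10:40:05 dc1 named[1234]: client 192.168.105.101#63148/key TEST-PC\\$\\@AD.COMPANY.COM: updating zone 'ad.company.com/NONE': update failed: rejected by secure update (REFUSED)
Nov 28 10:41:00 dc1 named[1234]: samba_dlz: allowing update of signer=LAPTOP-7\\$\\@AD.COMPANY.COM name=laptop-7.ad.company.com tcpaddr=192.168.105.102 type=A key=LAPTOP-7
"""

# Matches both 'allowing update of ...' and 'disallowing update of ...'.
LINE_RE = re.compile(
    r"samba_dlz: (?P<verdict>allowing|disallowing) update of "
    r"signer=(?P<signer>\S+) name=(?P<name>\S+).*?\btype=(?P<rtype>\S+)"
)


def _unescape(field: str) -> str:
    """samba_dlz escapes '@' and '$' with a backslash in its log output."""
    return field.replace("\\", "")


def is_machine_account(signer: str) -> bool:
    """AD computer accounts are named HOSTNAME$@REALM."""
    return signer.split("@", 1)[0].endswith("$")


def analyse_samba_dlz(log_text: str) -> dict:
    """Return {record name (lowercased): {'allowed': set, 'refused': set}}
    of signers. DNS names are case-insensitive, so TEST-PC and test-pc are
    the same record."""
    summary = {}
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        name = m.group("name").lower()
        signer = _unescape(m.group("signer"))
        entry = summary.setdefault(name, {"allowed": set(), "refused": set()})
        bucket = "allowed" if m.group("verdict") == "allowing" else "refused"
        entry[bucket].add(signer)
    return summary


def ownership_conflicts(summary: dict) -> list:
    """Names where some account was allowed to write the record while a
    different account was refused: the first-to-claim ownership rule."""
    conflicts = []
    for name in sorted(summary):
        allowed = summary[name]["allowed"]
        refused = summary[name]["refused"] - allowed
        if allowed and refused:
            conflicts.append((name, allowed, refused))
    return conflicts


def self_registering_clients(summary: dict) -> list:
    """Machine accounts refused on records owned by someone else: these
    clients are still attempting their own DNS registration."""
    accounts = set()
    for _name, _owners, refused in ownership_conflicts(summary):
        accounts.update(s for s in refused if is_machine_account(s))
    return sorted(accounts)


if __name__ == "__main__":
    summary = analyse_samba_dlz(SAMPLE_LOG)
    for name, owners, refused in ownership_conflicts(summary):
        print(f"{name}: owned by {sorted(owners)}, refused {sorted(refused)}")
    print("clients still self-registering:", self_registering_clients(summary))
```

Running this over a real `/var/log/syslog` gives a per-host list of machine accounts that are still sending their own updates, which is the same diagnosis the thread reaches by reading the lines by hand; a name that appears only under `allowed` for its own machine account (like `laptop-7` in the sample) is a host that registered itself before the DHCP hook did, and is not a conflict.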


Re: DHCP, DNS and non-domain members

Samba - General mailing list
On Tue, 2017-11-28 at 10:46 +0100, Martin Renner via samba wrote:

> But shortly after these messages, I can see messages which seem to come from the client:
>
>    samba_dlz: starting transaction on zone ad.company.com
>    client 192.168.105.101#59890: update 'ad.company.com/IN' denied
>    samba_dlz: cancelling transaction on zone ad.company.com
>    samba_dlz: starting transaction on zone ad.company.com
>    samba_dlz: disallowing update of signer=TEST-PC\$\@AD.COMPANY.COM name=test-PC.ad.company.com
> type=A error=insufficient access rights
>    client 192.168.105.101#63148/key TEST-PC\$\@AD.COMPANY.COM: updating zone 'ad.company.com/NONE':
> update failed: rejected by secure update (REFUSED)
>
> This looks to me as if the client is still trying to update its DNS entry. Did I miss anything in
> the client configuration?

DNS entries are owned on a first-to-claim basis by the account that
creates them, so if DHCP creates it, the PC will be denied.

Long ago I remember a dhcp option to hint to the client that the server
was doing the DNS updates, perhaps that might help.

Andrew Bartlett

--
Andrew Bartlett                       http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba



Re: DHCP, DNS and non-domain members

Samba - General mailing list
On Tue, 28 Nov 2017 10:46:43 +0100
Martin Renner via samba <[hidden email]> wrote:

> Hi,
>
> On 23 Nov 2017 17:35 Rowland Penny via samba wrote:
> > On Thu, 23 Nov 2017 17:05:00 +0100
> > Martin Renner via samba <[hidden email]> wrote:
> >
> >> Hi Rowland,
> >>
> >> my problem is, how to get the non-AD members into the DNS?
> >> Especially, if they are servers and have dynamic IPs from a DHCP
> >> server?
> >>
> >> As far as I understand, only AD members will update the DNS inside
> >> of the AD. So do I have to deliver fixed IP addresses via DHCP to
> >> servers and put a manual entry into the AD DNS?
> >>
> > You run the DHCP server on a DC, see here:
> >
> > https://wiki.samba.org/index.php/Configure_DHCP_to_update_DNS_records_with_BIND9
> >
> > Rowland
> >
>
> thank you for this link.
>
> I configured everything according to the howto and disabled DNS
> updates in the group policy (Default Domain Policy / Computer
> Configuration / Policies / Administrative Templates / Network / DNS
> Client / Dynamic Updates). But it looks as if the Windows clients
> still try to update their DNS entries (even after "gpupdate /force"
> and reboot).
>
> When a Windows client is booting, I can see entries
> in /var/log/syslog which are definitely from the DHCP shell script:
>
>    samba_dlz: allowing update of signer=dhcpduser\@AD.COMPANY.COM
> name=test-pc.ad.company.com tcpaddr=... type=A key=...."
>
> both for the forward and reverse zone.
>
> But shortly after these messages, I can see messages which seem to
> come from the client:
>
>    samba_dlz: starting transaction on zone ad.company.com
>    client 192.168.105.101#59890: update 'ad.company.com/IN' denied
>    samba_dlz: cancelling transaction on zone ad.company.com
>    samba_dlz: starting transaction on zone ad.company.com
>    samba_dlz: disallowing update of signer=TEST-PC\$\@AD.COMPANY.COM
> name=test-PC.ad.company.com type=A error=insufficient access rights
>    client 192.168.105.101#63148/key TEST-PC\$\@AD.COMPANY.COM:
> updating zone 'ad.company.com/NONE': update failed: rejected by
> secure update (REFUSED)
>
> This looks to me as if the client is still trying to update its DNS
> entry. Did I miss anything in the client configuration?
>

It certainly looks like your Windows clients are trying to update their
own records and this will not work because they don't own them now ;-)

You need to find out why the GPO isn't being used. This has nothing to
do with the DHCP script.

Rowland



Re: DHCP, DNS and non-domain members

Samba - General mailing list
On Tue, 28 Nov 2017 22:54:57 +1300
Andrew Bartlett via samba <[hidden email]> wrote:

> On Tue, 2017-11-28 at 10:46 +0100, Martin Renner via samba wrote:
> > But shortly after these messages, I can see messages which seem to
> > come from the client:
> >
> >    samba_dlz: starting transaction on zone ad.company.com
> >    client 192.168.105.101#59890: update 'ad.company.com/IN' denied
> >    samba_dlz: cancelling transaction on zone ad.company.com
> >    samba_dlz: starting transaction on zone ad.company.com
> >    samba_dlz: disallowing update of
> > signer=TEST-PC\$\@AD.COMPANY.COM name=test-PC.ad.company.com type=A
> > error=insufficient access rights client 192.168.105.101#63148/key
> > TEST-PC\$\@AD.COMPANY.COM: updating zone 'ad.company.com/NONE':
> > update failed: rejected by secure update (REFUSED)
> >
> > This looks to me as if the client is still trying to update its
> > DNS entry. Did I miss anything in the client configuration?
>
> DNS entries are owned on a first-to-claim basis by the account that
> creates them, so if DHCP creates it, the PC will be denied.

Correct ;-)

>
> Long ago I remember a dhcp option to hint to the client that the
> server was doing the DNS updates, perhaps that might help.

No, you just need to stop the Windows clients trying to update their
own records; this has nothing to do with DHCP.

Rowland



Re: DHCP, DNS and non-domain members

Samba - General mailing list
Hi,

> It certainly looks like your Windows clients are trying to update their
> own records and this will not work because they don't own them now ;-)
>
> You need to find out why the GPO isn't being used. This has nothing to
> do with the DHCP script.
>
> Rowland
>

indeed, the Group Policy was not working. On the "Details" tab of the "Default Domain Policy" the
object state was set to "all settings deactivated". After changing this to "activated", the client
no longer updated the DNS entries.

Thanks,
Martin
