Active directory dns confusion

activedirectory

(Ralph) #1

I’ve got some confusion about the domain name and the DNS configuration. It has to do with the fact that the domain controller sits on a separate virtual host.
When I created the primary host, I named it “ads.company.net”. When activating the Active Directory controller I automatically got the virtual host “nsdc-ads.ad.company.net”.
There is a mail server with an IP address on the internal network. Now, should the reverse DNS name be “mail.company.net” or “mail.ad.company.net”? The same question applies to all other hosts on the LAN.
Last but not least, what is the primary name server for the domain? Is it the IP of the ads host or of the nsdc-ads host that the other domain hosts should use?
Thanks for a clarification.


(Rob Bosch) #2

Have a look at the docs. It will clarify your confusion: http://docs.nethserver.org/en/v7/accounts.html#dns-and-ad-domain


(Ralph) #3

Unfortunately it does not. Here the external domain is named “company.com” and the MX record is “mail.company.com” whereas the internal domain is named “company.net”. So the internal net is not a subdomain of the external domain.


(Rob Bosch) #4

The advice is to use a subdomain of the external domain. This does not mean it must be a subdomain of the external domain. But if you use .net instead of .com, you must be very sure the .net domain is not used anywhere else on the internet, since internal DNS will redirect to your internal domain, but external DNS will redirect to the server where the .net domain is hosted.
It will be hard to configure something like VPN roadwarriors. That’s one of the reasons why your solution is not optimal. It has room for DNS problems, which you (should) want to avoid.

Unless you also own the company.net domain, you might want to reconsider your internal naming convention.
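An added example, not code from the thread or from NethServer: a small check that applies the naming advice above to a planned AD DNS domain, given the public domains the organisation actually owns. All domain names are constructed placeholders.

```python
# Added example, not from the thread: classify a planned AD DNS domain name
# against the public domains the organisation owns. All names are constructed.
from dataclasses import dataclass
from typing import Iterable

# Suffixes that are never delegated on the public internet ("weird but workable").
NON_PUBLIC_SUFFIXES = (".local", ".lan", ".internal", ".home.arpa")


@dataclass
class Verdict:
    level: str   # "recommended", "allowed" or "risky"
    reason: str


def _under(name: str, parent: str) -> bool:
    """True when name is a proper subdomain of parent (both already lower-case)."""
    return name.endswith("." + parent)


def check_ad_domain(ad_domain: str, owned_public: Iterable[str]) -> Verdict:
    """Apply the thread's naming advice to a proposed AD DNS domain.

    owned_public: public DNS domains the organisation actually controls.
    """
    ad = ad_domain.lower().rstrip(".")
    owned = {d.lower().rstrip(".") for d in owned_public}
    if ad in owned:
        # AD needs its own zone; reusing the public one collides with the zone
        # the public DNS provider already serves ("allowed but not optimal").
        return Verdict("allowed", "identical to an owned public domain: "
                       "AD zone collides with the public zone")
    if any(_under(ad, d) for d in owned):
        return Verdict("recommended", "third-level domain under an owned "
                       "public domain (what the NethServer UI proposes)")
    if ad.endswith(NON_PUBLIC_SUFFIXES):
        return Verdict("allowed", "non-public suffix: works for existing "
                       "networks, but is not a public-DNS subdomain")
    # Any other name under a public TLD resolves to the LAN internally and to
    # whoever registers it externally (the .net-vs-.com problem above), which
    # breaks VPN road-warrior clients that use public resolvers.
    return Verdict("risky", "public-style domain you do not own: "
                   "split-horizon DNS conflict")
```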


(Ralph) #5

Oh yeah, looks like a severe problem.
So, the host “ads.company.net” should be “ads.company.com” and the virtual host “nsdc-ads.ad.company.net” should be “nsdc-ads.ad.company.com”, right?
Is it possible to rename the whole internal domain step by step, or should I rather create a new virtual machine becoming the ad controller and then migrate the other hosts to this correctly named ad?
Any further hints?


(Rob Bosch) #6

If you want to change the domain name you will have to reinstall the Samba4 AD Account provider. If you are in an early stage of creating your internal domain, it would be best to at least do that. You will lose already created users!


(Gabriele Maoret) #7

IMHO there’s a little issue with the AD domain name.
In a Microsoft AD environment it is strongly recommended not to use a PUBLIC domain name and FQDN.

So the normal use is:

Public internet domain and FQDN: *.companyname.com (or .it - .net - .org and so on…)
Private AD domain and FQDN: *.companyname.local (or like it)

That is the recommended way to configure an AD domain.


(Ralph) #8

Who says so? Have a look at this:
https://social.technet.microsoft.com/wiki/contents/articles/34981.active-directory-best-practices-for-internal-domain-and-network-names.aspx#Recommendation


(Marc) #9



(Gabriele Maoret) #10

You’re right, it’s me who stayed behind …

I was referring to an old recommendation; I had not seen the new ones …

Sorry to all…


(Ralph) #11

So, is it possible in NS to drop the “ad” in the user’s mail address?
To have "user@company.com" instead of "user@ad.company.com"?


(Markus Neuberger) #12

I think there are some things mixed up. The AD domain doesn’t affect the mail addresses and is not the same as the network domain.

As @robb wrote, to drop the “ad” you have to reinstall AD and create a domain “company.com” instead of “ad.company.com”. NethServer autofills the domain to “ad.company.com” so you have to change it.


(Ralph) #13

Sorry, to change what, the “ad”?


(Markus Neuberger) #14

Yes, drop the “ad” and just write “company.com” without “ad” in the DNS domain name field.


(Ralph) #15

Oh I see! I should have known that before!


(Davide Principi) #16

Again it is allowed but it’s not an optimal DNS configuration.

AD must have a reserved (private) DNS zone for it, whilst company.com is likely to be already mounted by your public DNS provider.

That’s the reason why the NS UI prepends an “ad.” third level domain.


(Davide Principi) #17

Markus is right. The NethServer domain part of its FQDN determines the “mail” domain. It’s a requirement that you set it to a public DNS domain, if you want to set up a mail server.

I want to point out also that with the local AD provider, the userPrincipalName attribute is synchronized automatically with the mail domain. So you can log on from Windows workstations also with the mail address. In your example both user@company.com and user@ad.company.com are good as Windows logins, as well as the NetBIOS domain form, COMPANY\user.

In NethServer the following user names are considered valid:

  • user@company.com
  • user

Furthermore, SSSD recognizes also:

  • user@ad.company.com
  • COMPANY\user

…but applications might not allow them.


Please contribute to improve the manual!

There are two main use cases about DNS:

  • NethServer AD member (even when it hosts a local AD provider) and mail server
  • NethServer just AD member (i.e. File Server)

The first one requires that NethServer has a public DNS domain to make SMTP work. As said, AD has a private, internal DNS zone - a third level domain is recommended, but weird .local .lan & co can work for pre-existing networks.

In the second case, NethServer should be in the same DNS domain as the AD domain (private).
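An added example, not NethServer’s or SSSD’s own code: a normalizer that maps the login forms listed in the post above (user, user@mail-domain, and the SSSD-only user@ad-domain and COMPANY\user) to one canonical identity, and rejects foreign realms. The mail domain, AD DNS domain and NetBIOS name are constructed values passed in by the caller.

```python
# Added example, not NethServer's own code: map the login forms listed in the
# post above to one canonical identity. Domain and user names are constructed.
from typing import Optional


class LoginNormalizer:
    """Accepts the NethServer forms (user, user@<mail domain>) and, unless
    strict, the extra SSSD forms (user@<AD DNS domain>, NETBIOS\\user)."""

    def __init__(self, mail_domain: str, ad_dns_domain: str, netbios: str):
        self.mail_domain = mail_domain.lower()
        self.ad_dns_domain = ad_dns_domain.lower()
        self.netbios = netbios.upper()

    def canonical(self, login: str, strict: bool = False) -> Optional[str]:
        """Return 'user@<mail domain>' or None when the form is not accepted."""
        login = login.strip()
        if "\\" in login:                       # COMPANY\user (SSSD only)
            if strict:
                return None
            dom, _, user = login.partition("\\")
            if dom.upper() != self.netbios or not user or "@" in user:
                return None
            return self._canon(user)
        user, sep, realm = login.partition("@")
        if not user or "@" in realm:            # empty user or a second '@'
            return None
        if not sep:                             # bare "user"
            return self._canon(user)
        realm = realm.lower().rstrip(".")
        if realm == self.mail_domain:           # user@company.com
            return self._canon(user)
        if realm == self.ad_dns_domain and not strict:  # user@ad.company.com
            return self._canon(user)
        return None                             # foreign realm: reject

    def _canon(self, user: str) -> str:
        return f"{user.lower()}@{self.mail_domain}"
```

Applications that only accept the NethServer forms correspond to `strict=True`; the SSSD-level behaviour described in the post is the default.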