Replace dnsmasq with BIND9

In this sense there’s a wiki page that describes how to add the NethServer DC to an existing Active Directory domain.

https://wiki.nethserver.org/doku.php?id=howto:add_ns7_samba_domain_controller_to_existing_active_directory&s[]=dc

It’s quite old. As a starting point it could be tested and refreshed.

1 Like

BIND is not the solution to all problems

https://wiki.samba.org/index.php/BIND9_DLZ_DNS_Back_End#Recommended_Architecture

The Samba-BIND integration has some limitations and is far from being perfect.

In the end it seems Samba DC does not offer an ultimate authoritative DNS server solution. I cannot evaluate the MS alternative in this sense.

Maybe not using AD at all is the correct way :smiling_imp:

2 Likes

@davidep

Hi Davidep

I have the greatest respect for your contributions and wisdom here, but:

As you know, NethServer can’t handle authenticated Shares with LDAP (actually, why not?), it needs an AD implementation in the background.

If LDAP authenticated Shares become possible, I’d say give users both options.

→ Users DO have both options now, AD or LDAP, but it’s like a Democratic Vote in North Korea:
You either vote “right”, or you vote “wrong”…
Having all Shares as “Public” is just NOT usable!

However, doing a “split-brain” DNS, as suggested on the Samba side, might be a very good idea - and shouldn’t be too difficult to implement on NethServer. The basics are there, it just needs some fine tuning. Maybe samba-bind in AD and BIND directly in NethServer…

My 2 cents
Andy

1 Like

Ok, I’ll bite… :wink:
@davidep, you may live in a linux world, but the majority of the rest of the world (unfortunately) lives in a Windows world. At least a Windows client world. And since the sane way of authentication in a Windows world is AD, you can not state to ditch AD…

What does BIND have to do with Let’s Encrypt certificates? I’ve already documented two ways of getting wildcard certs that don’t require BIND.

@robb
@davidep

Hi Robb

As you know, I’m NOT primarily a Windows user. Personally I use Mac and Linux, but I do have Clients using Windows, so I have a virtual windows around.

Even if using just Linux, Users have problems if only public shares are allowed.

Sure, the CLI affiliate ones can almost always connect, but these don’t need my help.

My 2 cents
Andy

@danb
If you have to add/update/remove TLSA resource records for certificate/host/port/protocol combinations, a hidden primary nameserver is the simplest solution.

Where did you document ways of getting Let’s Encrypt wildcard certificates without BIND automatically?

https://wiki.nethserver.org/doku.php?id=userguide:let_s_encrypt_acme-dns
https://wiki.nethserver.org/doku.php?id=userguide:let_s_encrypt_for_internal_servers

The second one is aimed at the use case of an internal server that can’t be reached by the Internet, but it would work just as well to get a wildcard cert–the process would be identical.

2 Likes

Does acme-dns support wildcard-SAN-certificates?

e.g.

  mydomain1.tld
*.mydomain1.tld
  mydomain2.tld
*.mydomain2.tld
  mydomain3.tld
*.mydomain3.tld

Of course, up to 100 SANs on a cert. You’d just need to set the appropriate CNAME records for any domain you wanted on the cert.

1 Like
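The CNAME requirement described in the answer above, as an added example that is not from the thread or from NethServer’s or acme-dns’s own tooling: it derives the `_acme-challenge` names a multi-domain wildcard SAN list needs (the apex and the wildcard of one domain validate at the same label, so one CNAME covers both) and checks a constructed zone fragment for them. The acme-dns zone `auth.acme-dns.example` and the record target are hypothetical placeholders.

```python
"""Derive the _acme-challenge CNAMEs a wildcard SAN cert needs and check a zone
for them. Added example, not NethServer or acme-dns code; zone data is constructed."""
import re

MAX_SANS = 100  # per-certificate SAN limit mentioned in the answer above


def challenge_name(san: str) -> str:
    """Apex and wildcard share one validation label:
    mydomain1.tld and *.mydomain1.tld both use _acme-challenge.mydomain1.tld."""
    base = san[2:] if san.startswith("*.") else san
    return "_acme-challenge." + base.rstrip(".").lower()


def required_cnames(sans):
    """Sorted, de-duplicated challenge names for a SAN list."""
    if len(sans) > MAX_SANS:
        raise ValueError(f"{len(sans)} SANs exceeds the {MAX_SANS} limit")
    return sorted({challenge_name(s) for s in sans})


def parse_cnames(zone_text):
    """Map owner -> target for CNAME lines in a BIND-style zone fragment."""
    cnames = {}
    for line in zone_text.splitlines():
        m = re.match(r"^\s*(\S+)\s+(?:\d+\s+)?(?:IN\s+)?CNAME\s+(\S+)", line, re.I)
        if m:
            cnames[m.group(1).rstrip(".").lower()] = m.group(2).rstrip(".").lower()
    return cnames


def missing_cnames(sans, zone_text, acme_dns_suffix):
    """Challenge names with no CNAME, or whose CNAME does not point into acme-dns."""
    present = parse_cnames(zone_text)
    return [name for name in required_cnames(sans)
            if not (present.get(name) or "").endswith("." + acme_dns_suffix)]


SANS = ["mydomain1.tld", "*.mydomain1.tld", "mydomain2.tld", "*.mydomain2.tld",
        "mydomain3.tld", "*.mydomain3.tld"]

# Constructed zone: mydomain2's CNAME points to the wrong place, mydomain3 has none.
ZONE = """
_acme-challenge.mydomain1.tld. 300 IN CNAME 5c8d4c3a.auth.acme-dns.example.
_acme-challenge.mydomain2.tld. 300 IN CNAME mydomain2.tld.
"""

if __name__ == "__main__":
    print(required_cnames(SANS))
    print(missing_cnames(SANS, ZONE, "auth.acme-dns.example"))
```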

Is the --dhcp-script hook of DNSMasq available in nethserver?