Manage Samba4 AD Domain Controller DNS and Group Policy from Windows

Step 1: Manage the Samba DNS Server:
- Samba4 AD DC uses an internal DNS module which is created during the initial domain provisioning (unless the BIND9 DLZ module is explicitly selected instead).

- The Samba4 internal DNS module supports the basic features an AD Domain Controller needs. The domain DNS server can be managed in two ways: directly from the command line through the samba-tool interface, or remotely from a domain-joined Microsoft Windows workstation via the RSAT DNS Manager.

1. To administer the DNS service of your domain controller via RSAT, go to your Windows machine, open Start - Windows Administrative Tools and run DNS.
- Once the tool opens, it asks which DNS server you want to connect to. Choose The following computer, type your domain name in the field (an IP address or FQDN works as well), check the box ‘Connect to the specified computer now’ and hit OK to open your Samba DNS service.

Step 2: Create a Reverse Lookup Zone
- By default, Samba4 AD DC doesn’t automatically add a reverse lookup zone and PTR records for your domain, because these records are not crucial for a domain controller to function correctly.
- A DNS reverse zone and its PTR records are, however, crucial for some important network services, such as e-mail, because these records can be used to verify the identity of clients requesting a service.

- Practically, PTR records are just the opposite of standard DNS records: the client knows the IP address of a resource and queries the DNS server to find out its registered DNS name.

- To create a reverse lookup zone for Samba AD DC, open DNS Manager, right-click Reverse Lookup Zones in the left pane and choose New Zone from the menu.

- Hit Next and choose Primary zone in the Zone Type step of the wizard.

- Next, choose To all DNS servers running on domain controllers in this domain as the AD Zone Replication Scope, choose IPv4 Reverse Lookup Zone and hit Next to continue.

- Next, type the IP network address of your LAN in the Network ID field and hit Next to continue.

- All PTR records added to this zone will only cover the 192.168.30.0/24 network. If you want to create a PTR record for a server that does not reside in this network segment (for example a mail server located in the 10.0.0.0/24 network), you need to create a separate reverse lookup zone for that network segment as well.

- On the next screen choose Allow only secure dynamic updates, hit Next to continue and finally hit Finish to complete the zone creation.

- At this point you have a valid DNS reverse lookup zone configured for your domain. To add a PTR record to this zone, right-click in the right pane and choose to create a PTR record for a network resource.

- In this case we’ve created a pointer for our gateway. To test whether the record was added properly and works as expected from the client’s point of view, open a Command Prompt and issue an nslookup query against the name of the resource and another query for its IP address.

- Both queries should return the correct answer for your DNS resource.
nslookup 192.168.30.241
ping dc1
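The samba-tool route mentioned in Step 1 can do the same reverse-zone and PTR work as the RSAT wizard above. The following POSIX shell script is an added example, not code from the tutorial; it assumes samba-tool is run on the DC, that DC and ADMIN (assumed variable names) name your server and an account allowed to create zones and records, and it generalizes the wizard's /24 case to /8 and /16 networks as well.

```shell
#!/bin/sh
# Added example, not from the tutorial: samba-tool counterpart of the RSAT
# "New Zone" / "New PTR" steps. DC and ADMIN are assumed names, not page
# values; adjust them to your server and administrative account.
DC=${DC:-localhost}
ADMIN=${ADMIN:-Administrator}

# octets IP: split a dotted quad into the globals o1..o4 (pure POSIX, no IFS).
octets() {
    o1=${1%%.*}; rest=${1#*.}
    o2=${rest%%.*}; rest=${rest#*.}
    o3=${rest%%.*}; o4=${rest#*.}
}

# reverse_zone NETWORK/PREFIX -> in-addr.arpa zone name for /8, /16 or /24.
# 192.168.30.0/24 -> 30.168.192.in-addr.arpa (what the wizard builds).
reverse_zone() {
    octets "${1%/*}"
    case ${1#*/} in
        8)  echo "$o1.in-addr.arpa" ;;
        16) echo "$o2.$o1.in-addr.arpa" ;;
        24) echo "$o3.$o2.$o1.in-addr.arpa" ;;
        *)  echo "reverse_zone: only /8, /16 and /24 supported" >&2; return 1 ;;
    esac
}

# ptr_label IP PREFIX -> record name inside that zone. 192.168.30.241 24 -> 241
ptr_label() {
    octets "$1"
    case $2 in
        8)  echo "$o4.$o3.$o2" ;;
        16) echo "$o4.$o3" ;;
        24) echo "$o4" ;;
        *)  return 1 ;;
    esac
}

# create_ptr NETWORK/PREFIX IP FQDN: create the segment's reverse zone if it
# is missing, add the PTR record, then query it back. A host in another
# segment (the 10.0.0.0/24 mail server above) needs its own zone: call again.
create_ptr() {
    zone=$(reverse_zone "$1") || return 1
    label=$(ptr_label "$2" "${1#*/}") || return 1
    # zonecreate fails when the zone already exists; that is harmless here.
    samba-tool dns zonecreate "$DC" "$zone" -U "$ADMIN" 2>/dev/null || true
    samba-tool dns add "$DC" "$zone" "$label" PTR "$3" -U "$ADMIN" || return 1
    samba-tool dns query "$DC" "$zone" "$label" PTR -U "$ADMIN"
}
# Example call with a placeholder FQDN:
# create_ptr 192.168.30.0/24 192.168.30.241 dc1.example.lan
```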

Step 3: Domain Group Policy Management:
- An important aspect of a domain controller is its ability to control system resources and security from a single central point. This type of task is easily achieved on a domain controller with the help of Domain Group Policy.

- Unfortunately, the only way to edit or manage group policy on a Samba domain controller is through the RSAT GPM console provided by Microsoft.

- In the example below we’ll see how simple it is to manipulate group policy in our Samba domain in order to create an interactive logon banner for our domain users.

- Go to Start - Microsoft Administrative Tools and open the Group Policy Management console.
Comments

Excellent video tutorial! Respect buddy and many thanks!

vaklinov

Pleeease stop using .lokal as the domain, especially in how-to videos. It is a reserved name for multicast DNS / zeroconf / avahi. Almost every month in my 22-year IT career I encounter this. I know MicroS... did this as well, but please DO NOT USE .LOCAL.

One example: I joined a Mac to AD, everything OK; the next day the customer called, their font-managing software did not work anymore. After a long time of debugging it turned out it uses zeroconf, which fails because the AD controller answers .local requests.
Printers are not connected automagically anymore, and on and on and on.

Except for that, great work, and fitting Christmas music.

uweburger