How to resolve SRV record to use Active Directory

[Pete5]

Hi all,
for testing purposes i setup NethServer8 & TrueNas Scale as VMs on ProxmoxVE.
NethServer is set up as domain controller configured with active directory.
When i try to configure TrueNAS to use the AD of NethServer i get the error message:

_kerberos._tcp.AD.<MYDOMAIN>.: Nameserver 192.168.xx.x failed to resolve SRV record for domain AD.<MYDOMAIN>. This may indicate a DNS misconfiguration on the TrueNAS server. NOTE: When configuring with Active Directory, all registered nameservers must be nameservers for the Active Directory domain.

As the message says it has something to do with DNS, but I have no idea what?
I'm using Unbound as my DNS on my OPNsense.

Does anyone have an idea how to get it resolved?

Regards
Pete

[Patrick M. Hausen]

All machines participating in an Active Directory domain MUST use the domain controllers as their only name servers.

[Pete5]

Just to clarify, it is not possible to use Unbound on OPNsense as DNS and NethServer on a different machine as DC with AD?
I have to configure either
OPNsense as domain controller with active directory
or
NethServ as domain controller with active directory and DNS
,correct?

Thanks Pete

[Patrick M. Hausen]

All AD member machines must use the DC and the DC only as their DNS server. AD works that way. Of course the DNS server on the DC can use Unbound on OPNsense as an upstream forwarder so you can use block lists and the like.

[Pete5]

Ok, got it. I thought that I just can connect my TrueNAS to the AD running on the NethServer, I didn't know that in this case the NethServer must be the DNS as well.
It seems that Nethserver v8 doesn't support DNS, so I have to figure out a new concept how to realize it.
Maybe I try UCS instead of Nethserver 8.

Thanks for your help!

[Patrick M. Hausen]

How are they implementing AD without a DNS server? DNS is an integral part of AD. AD is essentially integrated DNS, LDAP and Kerberos.

There are tons of special records in "yourdomain.lan" and in "_msdcs.yourdomain.lan" that AD uses to tell member PCs where to find e.g. the DCs, ticket granting server, etc.

I just quickly checked the Nethserver forum (not familiar with the product) - if run as an AD DC Samba does provide authoritative DNS as I assumed.

I did not find out entirely if that supports query forwarding to e.g. OPNsense.

So what I suggest you do instead is

- keep OPNsense as your recursive DNS server
- add query forwarding entries to your Unbound configuration for the zones "yourdomain.lan" and "_msdcs.yourdomain.lan" pulling these entries from the DC

[Pete5]

To be honestly, I don't know. I checked the whole web ui, I can setup a DC but there's no possibiltiy to configure DNS.

I found some infos here
https://docs.nethserver.org/projects/ns8/en/latest/user_domains.html

Maybe that helps me to figure it out.

[Patrick M. Hausen]

Here's some more info by the Samba team:

https://wiki.samba.org/index.php/DNS_Administration#Importance_of_DNS_for_Active_Directory


You can use RSAT from Windows for administration of DNS:

https://wiki.samba.org/index.php/DNS_Administration#Administering_DNS_on_Windows

Seems to be the recommended way according to some posts on the Nethserver forum.

[bimbar]

You can also use another DNS server, like the opnsense firewall, but you MUST forward DNS resolution for the AD domain to the DC.

[liceo]

I don't know for Samba, but a Windows DC can run with an external DNS server. The important aspect is: The DNS server needs to allow dynamic updates. This way, the DC creates all relevant DNS entries (including SRV) needed for operation.

[Pete5]

Thank you all for the infos provided, i will work through.
It's getting little complicated, more than I expeceted  :-\