Continuing the previous tutorial on[how to administer Samba4 from Windows 10 via RSAT][4], in this part we’ll see how to remotely manage our Samba AD Domain controller DNS server from Microsoft DNS Manager, how to create DNS records, how to create a Reverse Lookup Zone and how to create a domain policy via Group Policy Management tool.
#### Requirements
1. [Create an AD Infrastructure with Samba4 on Ubuntu 16.04 – Part 1][1]
2. [Manage Samba4 AD Infrastructure from Linux Command Line – Part 2][2]
3. [Manage Samba4 Active Directory Infrastructure from Windows10 via RSAT – Part 3][3]
### Step 1: Manage Samba DNS Server
Samba4 AD DCuses an internal DNS resolver module which is created during the initial domain provision (ifBIND9 DLZmodule is not specifically used).
Samba4internalDNSmodule supports the basic features needed for anAD Domain Controller. The domain DNS server can be managed in two ways, directly from command line through samba-tool interface or remotely from a Microsoft workstation which is part of the domain viaRSAT DNS Manager.
Here, we’ll cover the second method because it’s more intuitive and not so prone to errors.
1.To administer the DNS service for your domain controller viaRSAT, go to your Windows machine, openControl Panel->System and Security->Administrative Toolsand runDNS Managerutility.
Once the tool opens, it will ask you on what DNS running server you want to connect. Choose The following computer, type yourdomain namein the field (orIP AddressorFQDNcan be used as well), check the box that says ‘Connect to the specified computer now’ and hitOKto open yourSamba DNSservice.
[
][5]
Connect Samba4 DNS on Windows
2.In order to add a DNS record (as an example we will add an`A`record that will point to our LAN gateway), navigate to domainForward Lookup Zone, right click on the right plane and chooseNew Host(`A`or`AAA`).
[
][6]
Add DNS A Record on Windows
3.On the New host opened window, type thenameand theIP Addressof your DNS resource. TheFQDNwill be automatically written for you by DNS utility. When finished, hit theAdd Hostbutton and a pop-up window will inform you that yourDNS Arecord has been successfully created.
Make sure you addDNS Arecords only for those resources in your network[configured with static IP Addresses][7]. Don’t addDNS Arecords for hosts which are configured to acquire network configurations from aDHCPserver or theirIP Addresseschange often.
[
][8]
Configure Samba Host on Windows
To update aDNSrecord just double click on it and write your modifications. To delete the record right click on therecordand choosedeletefrom the menu.
In the same way you can add other types ofDNSrecords for your domain, such asCNAME(also known asDNS aliasrecord)MXrecords (very useful for mail servers) or other type of records (SPF,TXT,SRVetc).
### Step 2: Create a Reverse Lookup Zone
By default,Samba4 Ad DCdoesn’t automatically add a reverse lookup zone and PTR records for your domain because these types of records are not crucial for a domain controller to function correctly.
Instead, a DNS reverse zone and its PTR records are crucial for the functionality of some important network services, such as an e-mail service because these type of records can be used to verify the identity of clients requesting a service.
Practically, PTR records are just the opposite of standard DNS records. The clients know the IP address of a resource and queries the DNS server to find out their registered DNS name.
4.In order to a create a reverse lookup zone forSamba AD DC, openDNS Manager, right click onReverse Lookup Zonefrom the left plane and chooseNew Zonefrom the menu.
[
][9]
Create Reverse Lookup DNS Zone
5.Next, hitNextbutton and choosePrimaryzone fromZone Type Wizard.
[
][10]
Select DNS Zone Type
6.Next, choose To allDNSservers running on domain controllers in this domain from theAD Zone Replication Scope, choseIPv4 Reverse Lookup Zoneand hitNextto continue.
[
][11]
Select DNS for Samba Domain Controller
[
][12]
Add Reverse Lookup Zone Name
7.Next, type the IP network address for yourLANinNetwork IDfiled and hitNextto continue.
AllPTRrecords added in this zone for your resources will point back only to192.168.1.0/24network portion. If you want to create a PTR record for a server that does not reside in this network segment (for example mail server which is located in10.0.0.0/24network), then you’ll need to create a new reverse lookup zone for that network segment as well.
[
][13]
Add IP Address of Reverse Lookup DNS Zone
8.On the next screen choose toAllowonly secure dynamic updates, hit next to continue and, finally hit onfinishto complete zone creation.
][15]
New DNS Zone Summary
9.At this point you have a valid DNS reverse lookup zone configured for your domain. In order to add aPTRrecord in this zone, right click on the rightplaneand choose to create aPTRrecord for a network resource.
In this case we’ve created a pointer for our gateway. In order to test if the record was properly added and works as expected from client’s point of view, open aCommand Promptand issue anslookupquery against the name of the resource and another query for its IP Address.
Both queries should return the correct answer for your DNS resource.
```
nslookup gate.tecmint.lan
nslookup 192.168.1.1
ping gate
```
[
][16]
Add DNS PTR Record and Query PTR
### Step 3: Domain Group Policy Management
10.An important aspect of a domain controller is its ability to control system resources and security from a single central point. This type of task can be easily achieved in a domain controller with the help ofDomain Group Policy.
Unfortunately, the only way to edit or manage group policy in a samba domain controller is throughRSAT GPMconsole provided by Microsoft.
In the below example we’ll see how simple can be to manipulate group policy for our samba domain in order to create an interactive logon banner for our domain users.
In order to access group policy console, go toControl Panel->System and Security->Administrative Toolsand openGroup Policy Managementconsole.
Expand the fields for your domain and right click onDefault Domain Policy. ChooseEditfrom the menu and a new windows should appear.
[
][17]
Manage Samba Domain Group Policy
11.OnGroup Policy Management Editorwindow go toComputer Configuration->Policies->Windows Settings->Security settings->Local Policies->Security Optionsand a new options list should appear in the right plane.
In the right plane search and edit with your custom settings following two entries presented on the below screenshot.
[
][18]
Configure Samba Domain Group Policy
12.After finishing editing the two entries, close all windows, open an elevated Command prompt and force group policy to apply on your machine by issuing the below command:
```
gpupdate /force
```
[
][19]
Update Samba Domain Group Policy
13.Finally, reboot your computer and you’ll see the logon banner in action when you’ll try to perform logon.
[
][20]
Samba4 AD Domain Controller Logon Banner
That’s all!Group Policyis a very complex and sensitive subject and should be treated with maximum care by system admins. Also, be aware that group policy settings won’t apply in any way to Linux systems integrated into the realm.
------
作者简介:I'am a computer addicted guy, a fan of open source and linux based system software, have about 4 years experience with Linux distributions desktop, servers and bash scripting.
