MikroTik: Add DNS Forwarding Entry for Active Directory DNS

Also, why didn’t anyone tell me about match-subdomain=yes?

For almost two years, my homelab’s core router has been a MikroTik, namely a CCR2004-16G-2S+ and then a CCR2004-16G-2S+PC. I also run a FreeBSD Samba Active Directory domain controller.

One problem I was having was that AD got out of sync after a few hours, even when following the instructions found online.

Then I learned about match-subdomain=yes, and combined with ttl=0s it worked wonders.

Keep in mind that this guide assumes you are using the DNS server on the MikroTik router itself, rather than an external resolver.

If you’re using MikroTik’s resolver, add the following configuration:

/ip dns static
add forward-to=IP match-subdomain=yes name=DOMAIN ttl=0s type=FWD

Replace IP with your DC’s IP address, and DOMAIN with the domain name used by AD.

Note: you need ttl=0s, otherwise the cached answers go stale and AD gets out of sync. match-subdomain=yes is a shortcut Google never told us about (even without “AI” responses), but it is ultra useful here: AD clients look up many names below the domain (the _msdcs, _sites, _tcp and _udp SRV records), and without it only the exact domain name would be forwarded.

If you wish to forward reverse DNS entries, you can do:

/ip dns static
add forward-to=IP match-subdomain=yes name=xx.in-addr.arpa ttl=0s type=FWD
add forward-to=IP match-subdomain=yes name=yy.ip6.arpa ttl=0s type=FWD

Replace IP with the IP address of the DNS server, and xx (IPv4) and yy (IPv6) with the reverse DNS zones used by your network.

This should give reliable AD DNS using MikroTik’s DNS server.
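To check an existing configuration against the two pitfalls above, here is an added example (not part of the original post) that parses the `add ...` lines from a `/ip dns static` export, reports FWD entries lacking match-subdomain=yes or ttl=0s, and shows which query names an entry would actually cover. The export text, the domain ad.example.com and the address 10.0.0.5 are constructed placeholders.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample export in the "add key=value ..." form used in the post.
# ad.example.com and 10.0.0.5 are placeholders, not real infrastructure.
SAMPLE_EXPORT = """
/ip dns static
add forward-to=10.0.0.5 match-subdomain=yes name=ad.example.com ttl=0s type=FWD
add forward-to=10.0.0.5 name=old.example.com type=FWD
add forward-to=10.0.0.5 match-subdomain=yes name=0.10.in-addr.arpa ttl=0s type=FWD
"""

@dataclass
class FwdEntry:
    name: str
    forward_to: str
    match_subdomain: bool
    ttl: Optional[str]  # None when the export carries no ttl= (RouterOS default applies)

def parse_entries(export: str) -> List[FwdEntry]:
    """Parse 'add key=value ...' lines; only type=FWD entries are returned."""
    entries = []
    for line in export.splitlines():
        if not line.startswith("add "):
            continue
        kv = dict(re.findall(r"(\S+?)=(\S+)", line))
        if kv.get("type") != "FWD":
            continue
        entries.append(FwdEntry(kv["name"].lower(), kv["forward-to"],
                                kv.get("match-subdomain") == "yes", kv.get("ttl")))
    return entries

def entry_matches(entry: FwdEntry, qname: str) -> bool:
    """An entry covers its exact name; subdomains only when match-subdomain=yes.
    AD lookups such as _ldap._tcp.dc._msdcs.<domain> are subdomains of <domain>."""
    q = qname.lower().rstrip(".")
    if q == entry.name:
        return True
    return entry.match_subdomain and q.endswith("." + entry.name)

def lint(entries: List[FwdEntry]) -> List[str]:
    """Flag the two misconfigurations the post describes for each FWD entry."""
    problems = []
    for e in entries:
        if not e.match_subdomain:
            problems.append(f"{e.name}: missing match-subdomain=yes "
                            "(SRV names under _msdcs/_tcp will not be forwarded)")
        if e.ttl != "0s":
            problems.append(f"{e.name}: ttl is {e.ttl!r}, not 0s (cached answers go stale)")
    return problems

if __name__ == "__main__":
    for problem in lint(parse_entries(SAMPLE_EXPORT)):
        print(problem)
```

Run it against `/ip dns static export` output from your own router; an empty report means every forwarding entry carries both settings.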
