Luis Peromarta
2025-Aug-21 10:36 UTC
[Samba] Winbind does not immediately fail over to secondary DC on one client
I see. I just feel you don't have enough redundancy with only one BIND server, and don't see how Samba can work pointing to itself if full DNS is running somewhere else. I would do the opposite, for consistency, use the DCs as primary DNS, and forward out-of-scope requests to the BIND server via the 'forward' line in smb.conf. Still not enough redundancy on the name resolution.

This is another matter and may have nothing to do with your original query.

On Aug 21, 2025 at 11:58 +0200, Lauge Rasmussen <lauge.rasmussen at nru.dk>, wrote:
> Hey Luis
>
> Thank you for the quick answer.
>
> You are of course right, but the problem persists even when their DNS settings are set to themselves. (Their full IP addresses). I thought it would be fine having themselves as the first DNS server, but I can see that is wrong.
>
> The way we have it set up now is that we have our DNS server, running bind9/named. This is our internal DNS server which controls our internal domain (nru.dk). This DNS server then forwards all queries in our samba domain (sambadomain.nru.dk) to our domain controllers. It does this by having a zone rule, where it has our DCs as forwarders. This seems different from the article you have linked, where the Samba DCs forward to the internal DNS server(s) (PiHoles in the case you've sent me).
>
> Is this setup wrong/the reason we are seeing this error?
>
> On 8/21/2025 10:23 AM, Luis Peromarta via samba wrote:
> > To begin with, DCs should only use DCs as DNS servers. First itself then the other DC.
> >
> > You can forward the out of scope addresses to whichever dns server you like with the forward line in smb.conf
> >
> > This article about dns resiliency for AD may be of some use to you.
> >
> > http://samba.bigbird.es/doku.php?id=samba:resilient-dns
> >
> > On 21 Aug 2025 at 10:20 +0200, Lauge Rasmussen <lauge.rasmussen at nru.dk>, wrote:
> > > One way in which the troublesome client is special is that it works as the DNS server on my network, however, the DCs are configured to use themselves first in their dns configuration and then the DNS server (the troublesome client) after.
>
> --
> Lauge Rasmussen, IT support
> Neurobiology Research Unit,
> Building 8057, Blegdamsvej 9
> Copenhagen University Hospital, Rigshospitalet
> DK-2100 Copenhagen, Denmark
> lauge.rasmussen at nru.dk
> --
> Any IT questions or problems, please email helpdesk at nru.dk
Rowland Penny
2025-Aug-21 11:38 UTC
[Samba] Winbind does not immediately fail over to secondary DC on one client
Please see inline comments.

On Thu, 21 Aug 2025 12:36:35 +0200
Luis Peromarta via samba <samba at lists.samba.org> wrote:

> I see.

I didn't, until I scrolled down Luis's post. Please ensure you reply to the list.

> I just feel you don't have enough redundancy with only one BIND server, and don't see how Samba can work pointing to itself if full DNS is running somewhere else.

Every Samba AD DC dns server (like Windows DCs) is authoritative for the AD dns domain, this means that the domain members must use the DCs as their nameservers, which will then forward anything outside the AD dns domain to another dns server outside the AD dns domain. These 'outside' dns servers obtain the required dns data and then return it to the DC, which then passes it on to the client. What this means is that your DCs can use your Bind9 dns servers as forwarders, but only for anything outside the AD dns domain.

> I would do the opposite, for consistency, use the DCs as primary DNS, and forward out-of-scope requests to the BIND server via the 'forward' line in smb.conf. Still not enough redundancy on the name resolution.
>
> This is another matter and may have nothing to do with your original query.
>
> On Aug 21, 2025 at 11:58 +0200, Lauge Rasmussen <lauge.rasmussen at nru.dk>, wrote:
> > Hey Luis
> >
> > Thank you for the quick answer.
> >
> > You are of course right, but the problem persists even when their DNS settings are set to themselves. (Their full IP addresses). I thought it would be fine having themselves as the first DNS server, but I can see that is wrong.
> >
> > The way we have it set up now is that we have our DNS server, running bind9/named. This is our internal DNS server which controls our internal domain (nru.dk). This DNS server then forwards all queries in our samba domain (sambadomain.nru.dk) to our domain controllers. It does this by having a zone rule, where it has our DCs as forwarders. This seems different from the article you have linked, where the Samba DCs forward to the internal DNS server(s) (PiHoles in the case you've sent me).

You appear to be doing it the opposite way to normal, but it should work if your bind9 has things like this:

    zone "samdom.example.com" IN {
        type forward;
        forwarders { 192.168.1.2; 192.168.1.3; };
        forward only;
    };

Where 'samdom.example.com' is the AD dns domain and the IPs are the AD DCs. The above was taken from a caching name server I have run in the past, so I know it worked when I tested it.

> > Is this setup wrong/the reason we are seeing this error?

Bit hard to say, I just set each DC to use itself as its only nameserver, if a DC needs to use another DC for a nameserver, then usually it is having extreme problems and needs fixing.

I would ensure your DCs are using themselves as their nameservers (do not use 127.0.0.1) and then point the domain members at the DCs as their nameservers. Set the DCs to forward anything outside the AD domain to an 'external' dns server.

If at that point you are still getting problems, then there must be something wrong.

Rowland
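A small checker for the DC resolver layout Rowland describes (each DC lists its own real address first, never 127.0.0.1, any further nameservers are DCs, and the smb.conf 'dns forwarder' points outside the AD domain). This is an added example, not code from the thread or from Samba; the file contents are constructed, 192.168.1.2 and 192.168.1.3 are the DCs from Rowland's zone snippet, and 192.168.1.10 is an assumed external Bind9 server.

```python
# Added example: validate a Samba AD DC's resolver layout against the advice in
# the thread. All addresses and file contents below are constructed samples.
import ipaddress


def parse_nameservers(resolv_conf: str) -> list[str]:
    """Return the 'nameserver' entries of an /etc/resolv.conf body, in order."""
    return [line.split()[1] for line in resolv_conf.splitlines()
            if line.strip().startswith("nameserver") and len(line.split()) > 1]


def parse_dns_forwarders(smb_conf: str) -> list[str]:
    """Return the IPs on the 'dns forwarder' line of an smb.conf body (may be several)."""
    for line in smb_conf.splitlines():
        key, sep, value = line.partition("=")
        if sep and key.strip().lower() == "dns forwarder":
            return value.split()
    return []


def check_dc_resolver(own_ip, dc_ips, nameservers, forwarders):
    """Return a list of problems; an empty list means the DC matches the recommended layout."""
    problems = []
    if not nameservers:
        problems.append("no nameserver configured")
    elif ipaddress.ip_address(nameservers[0]).is_loopback:
        problems.append("first nameserver is loopback; a DC must list its own real address")
    elif nameservers[0] != own_ip:
        problems.append(f"first nameserver is {nameservers[0]}, not this DC ({own_ip})")
    for ns in nameservers[1:]:
        if ns not in dc_ips:
            problems.append(f"nameserver {ns} is not a DC; DCs should only use DCs")
    if not forwarders:
        problems.append("no 'dns forwarder' in smb.conf; out-of-domain lookups will fail")
    for fw in forwarders:
        if fw in dc_ips:
            problems.append(f"forwarder {fw} is a DC; forwarders must sit outside the AD domain")
    return problems


# Constructed sample: two DCs and one external Bind9 server (assumed address).
DC_IPS = ["192.168.1.2", "192.168.1.3"]
BAD_RESOLV = "nameserver 127.0.0.1\nnameserver 192.168.1.10\n"
GOOD_RESOLV = "nameserver 192.168.1.2\nnameserver 192.168.1.3\n"
SMB_CONF = "[global]\n\tserver role = active directory domain controller\n\tdns forwarder = 192.168.1.10\n"

if __name__ == "__main__":
    for name, resolv in (("bad", BAD_RESOLV), ("good", GOOD_RESOLV)):
        found = check_dc_resolver("192.168.1.2", DC_IPS, parse_nameservers(resolv),
                                  parse_dns_forwarders(SMB_CONF))
        print(name, found or "OK")
```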