I have four domain controllers on my Samba 4.1.17 domain. Each is on a separate site in AD; in the real world each is at a separate physical location connected by VPN links.

They are each configured as DNS servers for the domain using the internal Samba DNS implementation. On each site the local clients are configured to go to their local domain controller for DNS.

My understanding of the Sysvol share is that on startup a domain member PC (e.g. running Win7) will access:
\\domain.mydomain.com\sysvol
to check its GPOs are up-to-date.

My concern is that if I ping domain.mydomain.com from any of the sites, domain.mydomain.com resolves to a single domain controller (the first domain controller that was configured). So the clients at the remote sites will be accessing the sysvol share over the VPN, instead of the local copy on their local domain controller.

Should domain.mydomain.com not resolve to the domain controller that is responding to the DNS query? Is this a limitation of the internal DNS server?

Thanks,
Will
On Sun, 2015-03-08 at 10:35 +0000, William Ross wrote:
> I have four domain controllers on my Samba 4.1.17 domain. Each is on a
> separate site in AD, in the real world each is at a separate physical
> location connected by VPN links.
>
> They are each configured as DNS servers for the domain using the
> internal Samba DNS implementation. On each site the local clients are
> configured to go to their local domain controller for DNS.
>
> My understanding of the Sysvol share is that on startup a domain
> member PC (e.g. running Win7) will access:
> \\domain.mydomain.com\sysvol
> to check its GPOs are up-to-date.
>
> My concern is that if I ping domain.mydomain.com from any of the
> sites, domain.mydomain.com resolves to a single domain controller (the
> first domain controller that was configured). So the clients at the
> remote sites will be accessing the sysvol share over the VPN, instead
> of the local copy on their local domain controller.
>
> Should domain.mydomain.com not resolve to the domain controller that
> is responding to the DNS query? Is this a limitation of the internal
> DNS server?

What the clients should do is use domain DFS to find a real DC,
hopefully the local server, to access - they should not be accessing the
realm name directly.

Andrew Bartlett

--
Andrew Bartlett
http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
Samba Developer, Catalyst IT http://catalyst.net.nz/services/samba
> >
> > My concern is that if I ping domain.mydomain.com from any of the
> > sites, domain.mydomain.com resolves to a single domain controller (the
> > first domain controller that was configured). So the clients at the
> > remote sites will be accessing the sysvol share over the VPN, instead
> > of the local copy on their local domain controller.
> >
> > Should domain.mydomain.com not resolve to the domain controller that
> > is responding to the DNS query? Is this a limitation of the internal
> > DNS server?
>
> What the clients should do is use domain DFS to find a real DC,
> hopefully the local server, to access - they should not be accessing the
> realm name directly.
>

Andrew, I am sure that the client *will* access the domain master over the VPN because of the IN NS record, with the latest Samba 4.x, since domain DFS only works if the IN NS record exists for the Samba second DC. Secondly, the DC must be authoritative DNS for the domain. There is still a BUG in the SOA; Marc knows it.

This is one of my reasons why I asked you my questions: to make sure that the necessary DC DNS entries exist.

Regards,
Horst
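An added example, not part of the thread and not Samba's own code, that models the two points raised above: Andrew's, that clients should locate a DC through the site-aware _msdcs SRV records and DFS rather than the realm apex name, and Horst's, that each DC also needs its NS record and the zone a sane SOA. The zone below is a constructed sample for the hypothetical realm domain.mydomain.com with four DCs in four assumed sites; on a real DC the same dictionary would be filled from `samba-tool dns query` or `dig` answers. The gaps in the sample are deliberate and mirror the thread: the apex A record names only the first DC, one DC lacks an NS record, and one site has no site-scoped SRV record.

```python
"""Offline audit of the DNS records an AD client needs to find a local DC.

All zone data here is constructed sample data (hypothetical realm
domain.mydomain.com, assumed DC and site names), not a real deployment.
"""

DOMAIN = "domain.mydomain.com"

# hostname -> (AD site, address); constructed, four DCs like the poster's setup
DCS = {
    "dc1": ("HQ", "10.0.1.10"),
    "dc2": ("Branch-A", "10.0.2.10"),
    "dc3": ("Branch-B", "10.0.3.10"),
    "dc4": ("Branch-C", "10.0.4.10"),
}


def fqdn(host, domain=DOMAIN):
    return f"{host}.{domain}"


# Constructed zone: (owner name, rrtype) -> list of rdata strings.
# Deliberate gaps: apex A record lists only dc1, dc3 has no NS record,
# dc4's site (Branch-C) has no site-scoped SRV record.
ZONE = {
    (DOMAIN, "SOA"): [f"{fqdn('dc1')} hostmaster.{DOMAIN} 2015030801 900 600 86400 3600"],
    (DOMAIN, "NS"): [fqdn("dc1"), fqdn("dc2"), fqdn("dc4")],
    (DOMAIN, "A"): ["10.0.1.10"],
    (f"_ldap._tcp.dc._msdcs.{DOMAIN}", "SRV"): [f"0 100 389 {fqdn(h)}" for h in DCS],
}
for _host, (_site, _ip) in DCS.items():
    ZONE[(fqdn(_host), "A")] = [_ip]
    if _host != "dc4":
        ZONE[(f"_ldap._tcp.{_site}._sites.dc._msdcs.{DOMAIN}", "SRV")] = [
            f"0 100 389 {fqdn(_host)}"
        ]


def srv_targets(zone, owner):
    """Target hostnames of the SRV records at `owner` (rdata: prio weight port target)."""
    return [rdata.split()[3] for rdata in zone.get((owner, "SRV"), [])]


def locate_dc(zone, client_site, domain=DOMAIN):
    """Model the DC locator: site-scoped SRV lookup first, domain-wide SRV as fallback.

    Returns (targets, scope); scope "site" means a local DC was offered,
    "domain" means the client may pick any DC, possibly across the VPN.
    """
    targets = srv_targets(zone, f"_ldap._tcp.{client_site}._sites.dc._msdcs.{domain}")
    if targets:
        return targets, "site"
    return srv_targets(zone, f"_ldap._tcp.dc._msdcs.{domain}"), "domain"


def audit_zone(zone, dcs, domain=DOMAIN):
    """List DCs that are not locatable per site or not registered as name servers."""
    findings = []
    apex_a = set(zone.get((domain, "A"), []))
    ns = set(zone.get((domain, "NS"), []))
    domain_srv = set(srv_targets(zone, f"_ldap._tcp.dc._msdcs.{domain}"))
    for host, (site, ip) in dcs.items():
        name = fqdn(host, domain)
        if name not in ns:
            findings.append(f"{host}: no NS record for the zone")
        if ip not in apex_a:
            findings.append(f"{host}: address missing from {domain} A record")
        if name not in domain_srv:
            findings.append(f"{host}: missing from domain-wide _ldap._tcp SRV")
        if name not in srv_targets(zone, f"_ldap._tcp.{site}._sites.dc._msdcs.{domain}"):
            findings.append(f"{host}: no site SRV record for site {site}")
    soa_mname = zone[(domain, "SOA")][0].split()[0]
    if soa_mname not in {fqdn(h, domain) for h in dcs}:
        findings.append(f"SOA MNAME {soa_mname} is not a DC")
    return sorted(findings)


if __name__ == "__main__":
    for site in ("HQ", "Branch-A", "Branch-C"):
        targets, scope = locate_dc(ZONE, site)
        print(f"client in {site}: {scope}-scoped answer -> {targets}")
    print("\n".join(audit_zone(ZONE, DCS)))
```

Run as-is it shows a Branch-A client being offered its local dc2, while a Branch-C client, whose site has no SRV record, falls back to the domain-wide list and may end up on a DC across the VPN; the audit then names each DC whose records would cause that. The apex A record check only reproduces the poster's observation; a correct zone lists every DC there, but clients should still be reaching sysvol through the DFS referral rather than that name.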