mathias dufresne
2016-Mar-01 10:59 UTC
[Samba] [samba] AD, multiple DC, some DC without DNS at all
Hi all,

How to configure Samba to remove DNS service from DC?

I thought there was an option for samba_dnsupgrade command to tell "remove all DNS service from current DC" but I don't find it anymore.

This question is because we are about to deploy an AD with 20 or more DC and there is no need they are all DNS servers. In fact having them all DNS servers makes the design more complex and more risky. The point is to avoid risks.

How I would proceed if samba_dnsupgrade is not able to remove DNS service automatically:
- as for BIND9_DLZ backend, I will keep into smb.conf the "-dns" for running services.
- stop Bind-DLZ service on non-DNS-DC
- modify /etc/resolv.conf on non-DNS-DC for they send DNS request to remaining DNS servers.

This seems not too rough as a process but I'd like to have your opinion on that subject, to verify that process and of course to get a better one if possible : )

Best regards,

Mathias
Hello Mathias,

On 01.03.2016 at 11:59, mathias dufresne wrote:
> I thought there was an option for samba_dnsupgrade command to tell "remove all DNS service from current DC" but I don't find it anymore.

I think there's no such option (yet), but would be worth a feature request. :-)

> This question is because we are about to deploy an AD with 20 or more DC and there is no need they are all DNS servers. In fact having them all DNS servers make design more complex and more risky. The point is to avoid risks.

You should deploy these DCs without DNS (--dns-backend=NONE), because then they don't get
DC=ForestDnsZones,DC=samdom,DC=example,DC=com
DC=DomainDnsZones,DC=samdom,DC=example,DC=com
replicated at all.

> How I would proceed if samba_dnsupgrade is not able to remove DNS service automatically:
> - as for BIND9_DLZ backend, I will keep into smb.conf the "-dns" for running services.
> - stop Bind-DLZ service on non-DNS-DC
> - modify /etc/resolv.conf on non-DNS-DC for they send DNS request to remaining DNS servers.

I think this should work, besides that those DCs still get the DNS stuff replicated.

You can also switch to the internal DNS. If the IP of those DCs is not used by clients in their DNS configuration, the DNS won't be used. And if, then nothing bad should happen. :-)

Regards,
Marc
mathias dufresne
2016-Mar-03 09:31 UTC
[Samba] AD, multiple DC, some DC without DNS at all
Hi all,

Thank you Marc for these precisions.

I did switch a DC to --dns-backend=NONE using samba-tool domain join. This removed the dns-<DCname> user for this DC and the associated keytab.

We changed /etc/resolv.conf to use another DC - one with Bind running - as nameserver.

Stopping there, running samba_dnsupdate gave error "NOTAUTH".

As we want our DC being able to push into DNS database some changes (when we move our DC from Site to Site at least) I tried to find out what is needed to replace that user in a way this user can be used by several DC to modify AD DNS database.

What was done to get nsupdate -g working from non-DNS-DC pushing modification to bind-dlz-DC:
- copy of private/dns.keytab from bind-dlz-DC to non-DNS-DC
- generate a Kerberos ticket for user account dns-<bind-dlz-DC>
- run samba_dnsupdate. If I remember correctly error was "NOTAUTH" too.
- add SPN to user account dns-<bind-dlz-DC>, new SPN added were:
  + DNS/<non-DNS-DC>.ad.domain.tld
  + DNS/<non-DNS-DC>.ad.domain.tld at AD.DOMAIN.TLD
- add dns-<bind-dlz-DC> user account into dnsAdmins built-in group

Now I am able to modify AD DNS zone AD.DOMAIN.TLD using temporary files generated by samba_dnsupdate (samba_dnsupdate was modified around line 408 to comment tmp file deletion, the unlink() function).

Trying to modify _msdcs.AD.DOMAIN.TLD is not working, I get error: "update failed: REFUSED".

Trying to push modification using nsupdate -g is working on both AD zones when the Kerberos ticket for my session is a ticket belonging to "administrator" account.

In summary, nsupdate -g works pushing modification from non-DNS-DC to bind-dlz-DC:
- with Administrator Kerberos ticket: on both DNS zones ad.domain.tld and _msdcs.ad.domain.tld
- with dns-<bind-dlz-DC> Kerberos ticket: only on DNS zone ad.domain.tld; _msdcs.ad.domain.tld modification gives "update failed: REFUSED".

So I miss something to be able to use non-administrator account to modify _msdcs DNS zone.

Any idea would be welcomed.
Best regards,

mathias

2016-03-01 20:02 GMT+01:00 Marc Muehlfeld <mmuehlfeld at samba.org>:
> You should deploy these DCs without DNS (--dns-backend=NONE), because then they don't get DC=ForestDnsZones and DC=DomainDnsZones replicated at all.
Allen Chen
2016-Mar-05 16:26 UTC
[Samba] [samba] AD, multiple DC, some DC without DNS at all
On 3/1/2016 5:59 AM, mathias dufresne wrote:
> How to configure Samba to remove DNS service from DC?
> This question is because we are about to deploy an AD with 20 or more DC and there is no need they are all DNS servers.

Hi Mathias,

I have a question for you: How do you deploy your 20 DCs?

I think there are two scenarios:
1. deploy it within one site with +1000 client machines (large subnet);
2. deploy it with many many sites, like 5-10 sites (small subnet, each site has less than 250 machines).

If you choose number 1, then your network design is not perfect.
If you choose number 2, then DC+internal DNS is the simple way to deploy samba DC.

I use #2 to deploy my DCs + internal DNS across sites, and it works perfectly. I don't use any linux commands to update the internal DNS. It just works. The only change I made to the internal DNS is adding a NS record for a newly added DC with a windows tool.

So what's wrong with the internal DNS?
Does it cause high load on your server?
Is it too hard for you to manage the internal DNS? (I don't manage it at all, it just works)
Why do you work so hard to disable a working internal DNS service? Don't fix a working system.

Allen
mathias dufresne
2016-Mar-07 11:03 UTC
[Samba] [samba] AD, multiple DC, some DC without DNS at all
Hi Allen,

I have to use choice 1, not my own choice but that's a centralized scenario.

With Internal DNS I was facing update issues (records weren't always updated after moving from site to site). I was advised not to continue with Internal DNS backend as what I want to achieve was judged too complex for Internal DNS. At least that's what I have understood : )

Now I'm happy with Bind9_DLZ backend. I could even keep Bind running on all my DC and just not use it (this means DC would continue to ask themselves for DNS resolution and that clients will send DNS requests to only a few DC which will do only DNS).

At the end I'd like to have:

SITE A: no network associated
DC in that site: FSMO, two DNS, new DC waiting for synchronisation to finish before moving to SITE B.

SITE B: All network used in that company (reminder: their choice is to have all on same geographical site, so no point to split networks in multiple AD sites)
DC in that site: DC dedicated to authentication (so DNS is not required).

What showed up last week:

Using nsupdate -g (so nsupdate + kerberos auth, based on previously generated ticket)
- account in dnsAdmins built-in group can modify only root zone, not _msdcs zone.
- administrator can modify everything.

Modifying rights in RSAT's DNS console I was able to use some nsupdate -g to push also modification into _msdcs zone (account created especially for that test). This modification was allowed only for DC modifying DNS using locally running Bind service. When trying the same from remote DC with no Bind pushing modification (with nsupdate -g) on remote server (the one which worked previously), the modification was refused (error message refused).

Finally I expect all that has to do with servicePrincipalName into user's configuration (plus RSAT's DNS console -> properties -> security tab to add that user or some group he belongs to). But I'm still lost in MS SFU documentation.
2016-03-05 17:26 GMT+01:00 Allen Chen <achen at harbourfrontcentre.com>:
> So what's wrong with the internal DNS?
> Why do you do so hard to disable a working internal DNS service? Don't fix a working system.