L.P.H. van Belle
2016-Aug-17 08:57 UTC
[Samba] samba ADDC dns setup? ( this is same for any MS server )
Hi everyone.

I know about the DNS "things" in the past. DNS islanding problems etc.
This one is a bit hijacking the subject:
"Horrible BIND9_DLZ DNS breakage after DC replaced and samba-tool domain demote --remove-other-dead-server"

I would like to suggest a small change in how we suggest to set up Samba ADDC DNS things,
and I do think this helps in the setup of the AD DC and reduces the chance of errors.

So this is what I suggest, and I explain why, so yeah.. long email again, sorry about that.

The loopback address IP should be configured only as a secondary or tertiary DNS server on a domain controller,
but in my opinion it should be avoided at all times.
I'll address 2 things here: resolving (orders) and IPv4/IPv6 preferences.

---------------------
In a single ADDC server setup, resolv.conf suggestions.

  search ad-dc-subdom.domain.tld ( and maybe others to search.)
  nameserver IP_OF_DC_AND_NOT_127.0.0.1

Only now a localhost IP is optional here, but I don't suggest it:
when you later add a DC and you move the FSMO roles, this can be a problem.

Why? Simple: we forget to change it when needed if we add a DC,
or change FSMO roles to other servers.
At least this happens: you reboot and you have a DNS problem.

---------------------
In a 2 server ADDC setup

First Server. ( ADDC with FSMO roles and primary DNS zones )

  search ad-dc-subdom.domain.tld ( and maybe others to search.)
  nameserver IP_OF_DC1_AND_NOT_127.0.0.1
  ( and later (optional) add DC2 IP. )

DON'T CHANGE THE ORDER HERE. First DC1 then DC2.
Note: any server should always resolve first to the ADDC DNS which contains the
domain controller locator CNAME record for all the other domain controllers in the root.

Second ADDC Server.

  search ad-dc-subdom.domain.tld ( and maybe others to search.)
  nameserver IP_OF_DC1_AND_NOT_127.0.0.1
  nameserver IP_OF_DC2_AND_NOT_127.0.0.1

---------------------
In a 3 DC server setup, or more.

First Server. ( primary with FSMO roles )

  search ad-dc-subdom.domain.tld ( and maybe others to search.)
  nameserver IP_OF_DC1_AND_NOT_127.0.0.1
  ( optional add DC2 and/or DC3 IP)

Second ADDC Server.

  search ad-dc-subdom.domain.tld ( and maybe others to search.)
  nameserver IP_OF_DC1_AND_NOT_127.0.0.1
  nameserver IP_OF_DC3_AND_NOT_127.0.0.1
  (optional nameserver IP_OF_THIS_ADDC_OR_127.0.0.1)

Third ADDC Server.

  search ad-dc-subdom.domain.tld ( and maybe others to search.)
  nameserver IP_OF_DC1
  nameserver IP_OF_DC2
  (optional nameserver IP_OF_THIS_ADDC_OR_127.0.0.1)

IF you have the room for it, a 3 DC setup is the best.
For the clients, point to DC2 and DC3, or depending on load of the servers.

And for all servers above, NEVER add the own IP of an ADDC AND 127.0.0.1 in resolv.conf.
But that should be obvious.

---------------------------------
Since MS is changing a lot in security and I see lots of it pointing to FQDN
and not single names like it used to before, it looks to me that using IP/hostname with FQDN is
more correct, better resolving, less problems in the future.
Latest security fixes, badlock things, GPO security fixes changed a lot to FQDN for authentication things (etc).

And I think this is one of the best tips for today..
Also set up what you prefer, IPv4 over IPv6, etc; the clients (Win7 and Win10)
ALWAYS prefer IPv6 over IPv4, thanks to MS.
So I can suggest setting up a COMPUTER GPO and setting your preferences for the resolve order.
I disabled all IPv6 components on my clients since I don't use it in my LAN.

Look here how to set it up. ( preferred )
http://social.technet.microsoft.com/wiki/contents/articles/5927.how-to-disable-ipv6-through-group-policy.aspx

Or use: https://support.microsoft.com/en-us/kb/929852

Last to know, the above avoids DNS islanding in all cases.

Tell us your thoughts....

Greetz,

Louis

p.s.

source references:
https://technet.microsoft.com/en-us/library/ff807362(v=ws.10).aspx
https://support.microsoft.com/en-us/kb/275278
http://social.technet.microsoft.com/wiki/contents/articles/5927.how-to-disable-ipv6-through-group-policy.aspx
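The resolver-ordering rules argued over in this thread can be checked mechanically. The Python below is an added example, not code from the thread or from the Samba project: it parses a resolv.conf and reports where it deviates from the policy in the post above (DC1 first, no loopback), with a flag for the variant in the reply that accepts the DC's own address after another DC. The addresses, domain name and sample file are constructed; the three-nameserver limit is glibc's stub resolver's.

```python
import ipaddress

MAXNS = 3  # glibc's stub resolver honours only the first three nameserver lines

# Constructed sample, not from any real DC: resolv.conf of DC2 (192.168.0.6),
# which resolves against DC1 first and then lists itself and loopback.
SAMPLE_RESOLV_CONF = """\
# /etc/resolv.conf on DC2 (constructed sample)
search ad.example.tld
nameserver 192.168.0.5   # DC1, holds the FSMO roles
nameserver 192.168.0.6   # DC2, this host
nameserver 127.0.0.1
"""


def parse_resolv_conf(text):
    """Return (search domains, nameservers) in file order, comments stripped."""
    search, nameservers = [], []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()
        if not line:
            continue
        key, *args = line.split()
        if key == "nameserver" and args:
            nameservers.append(args[0])
        elif key in ("search", "domain"):
            search.extend(args)
    return search, nameservers


def check_dc_resolv_conf(text, own_ips, first_dc_ip, ad_domain, allow_self=False):
    """Return findings (an empty list means the file passes the chosen policy).

    allow_self=False: every DC resolves against DC1 first and never lists
    loopback; DC1 itself may use its own routable address.  allow_self=True:
    self or loopback is acceptable, but another DC must be listed before it.
    """
    findings = []
    search, nameservers = parse_resolv_conf(text)
    if ad_domain not in search:
        findings.append(f"search list lacks the AD domain {ad_domain}")
    if not nameservers:
        return findings + ["no nameserver entries at all"]
    if len(nameservers) > MAXNS:
        findings.append(f"{len(nameservers)} nameservers listed, only {MAXNS} are used")
    if len(set(nameservers)) != len(nameservers):
        findings.append("duplicate nameserver entries")
    is_first_dc = first_dc_ip in own_ips
    for pos, ns in enumerate(nameservers, start=1):
        try:
            addr = ipaddress.ip_address(ns)
        except ValueError:
            findings.append(f"nameserver {ns!r} is not an IP literal")
            continue
        if not (addr.is_loopback or ns in own_ips):
            continue                       # some other DC: fine in any position
        if allow_self:
            if pos == 1 and len(nameservers) > 1:
                findings.append("this DC lists itself first; put another DC before it")
        elif addr.is_loopback or not is_first_dc:
            findings.append(f"entry {pos} ({ns}) points back at this DC")
    if not allow_self and not is_first_dc and nameservers[0] != first_dc_ip:
        findings.append(f"first nameserver is {nameservers[0]}, expected DC1 {first_dc_ip}")
    return findings


if __name__ == "__main__":
    for policy in (False, True):
        result = check_dc_resolv_conf(SAMPLE_RESOLV_CONF, ["192.168.0.6"],
                                      "192.168.0.5", "ad.example.tld", policy)
        print(f"allow_self={policy}: {result or 'OK'}")
```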
Rowland Penny
2016-Aug-17 10:06 UTC
[Samba] samba ADDC dns setup? ( this is same for any MS server )
On Wed, 17 Aug 2016 10:57:08 +0200 "L.P.H. van Belle via samba" <samba at lists.samba.org> wrote:
> [...]

Not sure I agree with you Louis. The first of the last links you posted
seems to be discussing a Windows DNS server and contains a comment that
makes posting the second link a waste of time.

Also if I run on a DC: netstat -tulpn | grep ':53'

I get:

tcp        0      0 192.168.0.5:53    0.0.0.0:*    LISTEN    28589/named
tcp        0      0 127.0.0.1:53      0.0.0.0:*    LISTEN    28589/named
udp        0      0 192.168.0.5:53    0.0.0.0:*              28589/named
udp        0      0 127.0.0.1:53      0.0.0.0:*              28589/named

Which plainly shows that it is listening on both 192.168.0.5:53 and 127.0.0.1:53

Which to me means:

On a single Samba AD DC:

search <your dns domain>
DC_IP OR 127.0.0.1

With 2 DCs:

First DC:

search <your dns domain>
IP_OF_OTHER_DC
DC_IP OR 127.0.0.1

Second DC:

search <your dns domain>
IP_OF_OTHER_DC
DC_IP OR 127.0.0.1

Rowland
mathias dufresne
2016-Aug-17 10:54 UTC
[Samba] samba ADDC dns setup? ( this is same for any MS server )
I must remind you that the need of using another DC as first resolver is due to a Microsoft bug which happens on MS Server until 2008R2; in MS Server 2012 (or AD 2012 perhaps, no real idea), this problem is solved.

On these systems AD was sending DNS requests to prepare the start up of the AD service, including the DNS service. So using localhost as resolver failed as the DNS service wasn't started, like other services which depend on DNS (as most AD services do). The use of a second DC as first resolver makes the dumb MS Server receive replies to startup DNS requests and then not waste time before running AD services (I believe at one moment MS Servers were starting AD services anyway).

I expect we are speaking here about Samba. Samba should have had that issue too in older versions; that's not the case anymore. Samba is not the MS implementation of AD and behaves differently in a lot of manners, including that one.

On Samba there is no need to use another DC as first resolver with Bind_DLZ: Bind does not care about availability of LDAP or AD, it starts, then if it can it will discuss with AD/LDAP to look into AD zones. Samba can also start without issue without Bind started, I believe (not at work right now to test). Without issue for starting; there would be some issue to serve incoming requests (at least DNS requests, as we are speaking of a DC using itself as resolver with no DNS service started).

So the need of using another DC as first resolver is a purely Microsoft question. Do it on MS Windows Servers running as AD DC, but don't bother with that on your Samba DC, that's useless.

Another thing which pushes me to use the local DC as local resolver is: when adding a new DNS entry on DC1 (configured to use DC2 as first resolver) you will need to wait until DC2 was synched with DC1 to see this change, this new entry (without synch done DC2 will reply there is no entry for that name and the client won't ask the second resolver because the client would have already received a reply (a not-found reply is a reply)).

With DC1 using DC1 as resolver, no need to wait for synch.

My 2 cents, do what you like, we're speaking about free software, you're free : )

2016-08-17 12:06 GMT+02:00 Rowland Penny via samba <samba at lists.samba.org>:
> [...]
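Mathias's point that "a not-found reply is a reply" can be shown with a small model of the stub resolver. This is an added example, not code from the thread or from Samba; the two fake DCs, their zone contents and the host names are constructed, and it simplifies glibc's behaviour to: timeouts and SERVFAIL fall through to the next nameserver line, while NOERROR and NXDOMAIN end the query.

```python
# Constructed scenario: 'newpc' was just registered on DC1 and has not yet
# replicated to DC2; 'dc1' itself is known on both DCs.
ZONE_DC1 = {"dc1.ad.example.tld": "192.168.0.5", "newpc.ad.example.tld": "192.168.0.50"}
ZONE_DC2 = {"dc1.ad.example.tld": "192.168.0.5"}


class FakeDC:
    """One DC's DNS view.  `zone` holds only the names it has replicated so far."""

    def __init__(self, name, zone, reachable=True):
        self.name, self.zone, self.reachable = name, zone, reachable

    def query(self, qname):
        """Return (rcode, address) like a DC would, or None when no reply arrives."""
        if not self.reachable:
            return None                       # no reply at all: the stub times out
        if qname in self.zone:
            return ("NOERROR", self.zone[qname])
        return ("NXDOMAIN", None)             # authoritative "no such name"


def stub_resolve(qname, resolvers):
    """Simplified glibc stub behaviour: walk the nameserver lines in order.

    A timeout or SERVFAIL moves on to the next server; NOERROR and NXDOMAIN
    are final, so a lagging DC listed first hides a record that another DC
    already has.  Returns (rcode, address, trace of (server, rcode)).
    """
    trace = []
    for dc in resolvers:
        ans = dc.query(qname)
        trace.append((dc.name, ans[0] if ans else "TIMEOUT"))
        if ans is None or ans[0] == "SERVFAIL":
            continue
        return ans[0], ans[1], trace
    return "TIMEOUT", None, trace


def scenario(order, dc1_reachable=True):
    """Resolve the not-yet-replicated name with the given resolv.conf order."""
    dc1 = FakeDC("DC1", ZONE_DC1, dc1_reachable)
    dc2 = FakeDC("DC2", ZONE_DC2)
    resolvers = [dc2, dc1] if order == "dc2-first" else [dc1, dc2]
    return stub_resolve("newpc.ad.example.tld", resolvers)


if __name__ == "__main__":
    print(scenario("dc2-first"))                        # DC2 says NXDOMAIN, DC1 never asked
    print(scenario("dc1-first"))                        # DC1 answers with the address
    print(scenario("dc1-first", dc1_reachable=False))   # DC1 times out, DC2 says NXDOMAIN
```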
L.P.H. van Belle
2016-Aug-17 14:58 UTC
[Samba] samba ADDC dns setup? ( this is same for any MS server )
Hi Rowland/Mathias.

> [...]
>
> Rowland

Nothing wrong with that, totally agree with both you guys.

And thanks Mathias for that MS DNS bug note, I'll have a look into that, and found it fixed in server 2003.. that I missed that.. :-/

The setup I suggested is not only for replication/preventing island problems.
It can also be a major DNS performance improvement, which I also noticed.
And maybe this was also something in Samba that changed, I don't know (yet).
This was an update from 4.4.3 to 4.4.5 in my case also.
And I changed my resolving setup at the same time and since I run it as is now, I notice much better performance in the complete network, and users noticed it also.

This also forces all registration to go to a single DNS server where it is registered and then replicated to the other servers, which I prefer.

But hey. As Mathias says.. it's all our own choice.
I noticed it so I mention it and maybe it helps someone.

Greetz,

Louis
mathias dufresne
2016-Aug-17 22:11 UTC
[Samba] samba ADDC dns setup? ( this is same for any MS server )
Louis, please do believe I'm interested in what you wrote! The main point is I don't have much time in front of me to really read (and think about! it deserves it ;)) your mail.

What you proposed is not about the dumb bug from M$ servers, shame to them, not to us :p

Still haven't spent enough time to read your mail; it is - from a user point of view - really welcomed: DNS questions must be addressed in the right way regarding Samba, and thank you for your effort! I'll read it! carefully :)

DNS configuration must be addressed and we also must stop charging Samba with M$ bugs; it's time we address it to get a solution.

Thanks to you, again ;)

2016-08-17 16:58 GMT+02:00 L.P.H. van Belle via samba <samba at lists.samba.org>:
> [...]