On 2017-10-12 12:30 PM, Rowland Penny via samba wrote:
> It might help if you described your network.

I thought I went into detail in the first message:

For this example:
- Network: 172.18.0.0/24
- Domain: network.ca
- AD server: ad.network.ca, 172.18.0.20
- Gateway/DNS: 172.18.0.1

The gateway is running as the main DNS server, and has the various underscore ("_") entries required for Windows to find the Active Directory. It sends "172.18.0.1" as the DNS option over its DHCP server. The samba AD server has its DNS forwarder set to "172.18.0.1".

The only thing to add is that 172.18.0.1 runs dnsmasq. samba is used with Windows Desktops for AD and home shares, and with Linux servers for AD with sssd (samba's Winbind wasn't quite there when this was set up). Nothing really relies on DNS from samba; unless you know something about this point that I do not.

I could also manually add the local entries to samba's DNS. Not crazy about this option.

Thanks,
--Pat
Here's what we do for our school district:
- Each site is in its own isolated network
- Each site has two DCs and a file server
- The DHCP server hands out the DCs of the site as both DNS servers (i.e. dc1 = 192.168.0.2, 192.168.0.3)
- The DNS server runs from the Samba DCs (using bind9 or the Internal DNS, does not matter)
- If we want something else to resolve, we add an A record (i.e. mail.ad.district.com IN A 192.168.0.5) or a CNAME record (i.e. mail.ad.district.com IN CNAME mail.district.com)

The clients need to point their DNS servers to the AD DCs for everything to work "correctly", especially with name resolution. You need the DC servers to point their DNS forwarders to either your network DNS Servers, or your ISP / other DNS servers.

On Thu, Oct 12, 2017 at 11:00 AM, Pat Suwalski via samba <samba at lists.samba.org> wrote:
> On 2017-10-12 12:30 PM, Rowland Penny via samba wrote:
>> It might help if you described your network.
>
> I thought I went into detail in the first message:
>
> For this example:
> - Network: 172.18.0.0/24
> - Domain: network.ca
> - AD server: ad.network.ca, 172.18.0.20
> - Gateway/DNS: 172.18.0.1
>
> The gateway is running as the main DNS server, and has the various underscore ("_") entries required for Windows to find the Active Directory. It sends "172.18.0.1" as the DNS option over its DHCP server. The samba AD server has its DNS forwarder set to "172.18.0.1".
>
> The only thing to add is that 172.18.0.1 runs dnsmasq. samba is used with Windows Desktops for AD and home shares, and with Linux servers for AD with sssd (samba's Winbind wasn't quite there when this was set up). Nothing really relies on DNS from samba; unless you know something about this point that I do not.
>
> I could also manually add the local entries to samba's DNS. Not crazy about this option.
>
> Thanks,
> --Pat
On 2017-10-12 02:26 PM, Luke Barone via samba wrote:
> - If we want something else to resolve, we add an A record (i.e. mail.ad.district.com IN A 192.168.0.5) or a CNAME record (i.e. mail.ad.district.com IN CNAME mail.district.com)

Right, so you have the ad.x subdomain as well. That's what we don't have, and it seems it would require starting from scratch to implement it.

--Pat
Pat

There's no such thing as "best practice" - there's good and bad practice and I hope that here (Samba ML) you will get some good advice, in return for a good question.

The environment you describe, to me, implies that it would be best if you simply "fit in". You can but it will take a bit of work (not too much). It does not matter where DNS comes from, provided it gives the correct answers to client queries. So, you will have to get your new Samba DC's DNS records set up on the dnsmasq system. I don't think that dnsmasq can do dynamic DNS apart from perhaps registering DHCP leases as DNS entries. You will also have to set the gateway as your Samba box's DNS in /etc/resolv.conf (or via resolvconf) and not use the Samba DNS implementation.

The whole point of this is that it is generally a good (may be not the best in all cases) idea to have all systems on one network to have a single view of DNS. Your colleagues seem to have already stipulated dnsmasq and I would roll with that - fit in. It's not my preferred solution but will work fine with some care.

Before you get going with Samba, the box must have time in sync with the other DCs and be able to DNS resolve all the relevant addresses.

# ntpq -p
$ dig example.co.uk

Should return DC IPs

You'll need this lot:

https://blogs.msdn.microsoft.com/servergeeks/2014/07/12/dns-records-that-are-required-for-proper-functionality-of-active-directory/

Test with eg:

$ dig _ldap._tcp.pdc._msdcs.example.co.uk SRV

That should return the IP address of the box with the PDC emulator role. That box probably should also be your preferred ntp host unless everything is virtual and you have a well designed ntp setup on physical hosts with decent clocks and ntp sync. Don't get too hung up on this bit though - a second or two either way is good enough for now.

# net ads info

This should imply that things are good to go based on your smb.conf, resolv.conf and probably krb5.conf before you do any AD fiddling.

Now, for my money, I'd be content with being a domain member first before adding another DC unless you are doing it for redundancy reasons.

Cheers
Jon

On Thu, 2017-10-12 at 14:00 -0400, Pat Suwalski via samba wrote:
> On 2017-10-12 12:30 PM, Rowland Penny via samba wrote:
> > It might help if you described your network.
>
> I thought I went into detail in the first message:
>
> For this example:
> - Network: 172.18.0.0/24
> - Domain: network.ca
> - AD server: ad.network.ca, 172.18.0.20
> - Gateway/DNS: 172.18.0.1
>
> The gateway is running as the main DNS server, and has the various underscore ("_") entries required for Windows to find the Active Directory. It sends "172.18.0.1" as the DNS option over its DHCP server. The samba AD server has its DNS forwarder set to "172.18.0.1".
>
> The only thing to add is that 172.18.0.1 runs dnsmasq. samba is used with Windows Desktops for AD and home shares, and with Linux servers for AD with sssd (samba's Winbind wasn't quite there when this was set up). Nothing really relies on DNS from samba; unless you know something about this point that I do not.
>
> I could also manually add the local entries to samba's DNS. Not crazy about this option.
>
> Thanks,
> --Pat
On 2017-10-13 06:09 PM, Jon Gerdes via samba wrote:
> There's no such thing as "best practice" - there's good and bad practice and I hope that here (Samba ML) you will get some good advice, in return for a good question.

Thanks for this very thoughtful reply.

> The environment you describe, to me, implies that it would be best if you simply "fit in". You can but it will take a bit of work (not too much). It does not matter where DNS comes from, provided it gives the correct answers to client queries. So, you will have to get your new Samba DC's DNS records set up on the dnsmasq system. I don't think that dnsmasq can do dynamic DNS apart from perhaps registering DHCP leases as DNS entries. You will also have to set the gateway as your Samba box's DNS in /etc/resolv.conf (or via resolvconf) and not use the Samba DNS implementation.

That is correct. dnsmasq registers all of the DNS leases it hands out, so that part is basically in-line with what the AD server's DNS does for the Windows clients.

The part about the DNS server is the sticky point. It's currently set to itself (the Samba DNS server). I'm worried that changing that might break something in Samba itself.

> The whole point of this is that it is generally a good (may be not the best in all cases) idea to have all systems on one network to have a single view of DNS. Your colleagues seem to have already stipulated dnsmasq and I would roll with that - fit in. It's not my preferred solution but will work fine with some care.

Well, whether it be dnsmasq or bind, we need more functionality than the Samba DNS server provides. The goal at this point, as you surmised, is to fit in to the existing system.

> Before you get going with Samba, the box must have time in sync with the other DCs and be able to DNS resolve all the relevant addresses.
>
> # ntpq -p

We run NTP everywhere, so that's in sync.

> $ dig example.co.uk
>
> Should return DC IPs
>
> You'll need this lot:
>
> https://blogs.msdn.microsoft.com/servergeeks/2014/07/12/dns-records-that-are-required-for-proper-functionality-of-active-directory/

Interesting. I had built up my list by trial and error and it's quite different than what is listed there. I don't have an A record at all, and my SRV records are not the same at all:

_gc._tcp.Default-First-Site-Name._sites.domain.ca
_gc._tcp.domain.ca
_ldap._tcp.Default-First-Site-Name._sites.domain.ca
_ldap._tcp.dc._msdcs.domain.ca
_ldap._tcp.domain.ca
_kerberos._udp.DOMAIN.CA
_kerberos._tcp.DOMAIN.CA
_kpasswd._tcp.DOMAIN.CA
_kpasswd._udp.DOMAIN.CA

Then again, I'm only dealing with a single DC, so my entries are aimed strictly at clients, and this list seems to work. I might need to add these entries if I set my Samba server to use the main DNS server (dnsmasq) as well.

Thanks for all the advice. I guess my big takeaway from this is that I should, in fact, make my Samba server use the main DNS server, so that everything is in-line.

--Pat