Hello! Rowland Penny via samba, on that day, wrote:

> Try reading this:
> http://www.itgeared.com/articles/1046-dns-client-settings-for-active/

I'll try to summarize.

''To be a DC'', servers have to add/update some DNS records.
If you have a single DC, there's no choice. ;-)

If you have more than one DC, you have to pay attention not to have only the DC itself as DNS, because it can lead to 'islanding', e.g. the DC modifies the DNS records only on itself, propagation of data is broken and they diverge more and more.

Still, it's not clear to me if 'localhost' can be the first DNS on a DC.
Looking at the above link, they say:

  A combination of the two strategies is recommended. Domain Controllers should be configured to point to themselves and an alternate DNS server if possible.

so it seems to me that adding 'localhost' as the first choice is a good choice.

Or not?!

Thanks.

--
dott. Marco Gaiarin                    GNUPG Key ID: 240A3D66
Associazione ``La Nostra Famiglia''    http://www.lanostrafamiglia.it/
Polo FVG - Via della Bontà, 7 - 33078 - San Vito al Tagliamento (PN)
marco.gaiarin(at)lanostrafamiglia.it   t +39-0434-842711   f +39-0434-842797

Donate your 5 PER MILLE to LA NOSTRA FAMIGLIA!
http://www.lanostrafamiglia.it/index.php/it/sostienici/5x1000
(tax code 00307430132, category ONLUS or RICERCA SANITARIA)
Hi! Thank you all!!

Regards

On 10-04-2018 14:05, Marco Gaiarin via samba wrote:
> Hello! Rowland Penny via samba, on that day, wrote:
>
>> Try reading this:
>> http://www.itgeared.com/articles/1046-dns-client-settings-for-active/
> I'll try to summarize.
>
> ''To be a DC'', servers have to add/update some DNS records.
> If you have a single DC, there's no choice. ;-)
>
> If you have more than one DC, you have to pay attention not to have only
> the DC itself as DNS, because it can lead to 'islanding', e.g. the DC
> modifies the DNS records only on itself, propagation of data is broken
> and they diverge more and more.
>
> Still, it's not clear to me if 'localhost' can be the first DNS on a DC.
> Looking at the above link, they say:
>
>   A combination of the two strategies is recommended. Domain Controllers should be configured to point to themselves and an alternate DNS server if possible.
>
> so it seems to me that adding 'localhost' as the first choice is a good
> choice.
>
> Or not?!
>
> Thanks.
> > so it seems to me that adding 'localhost' as the first choice is a good
> > choice.
> >
> > Or not?!

Better not. It may give some problems in the long run.
Because if "something" is using Kerberos auth and it uses localhost, it may fail.
Just prevent this by setting the IP of the DC; it really helps in the long run.

So in my opinion, don't use localhost, use the IP of the DC itself for any regular DC or Member setup.

I like to do it as follows.

At install time, 2+ DCs:

DC1
nameserver IP_OF_DC_FSMO

DC2
nameserver IP_OF_DC_FSMO
nameserver IP_OF_DC2

DC3
nameserver IP_OF_DC_FSMO
nameserver IP_OF_DC3

When finished installing/configuring the DC, reboot 1-2 times; if everything is still ok (think here of tests with dbcheck, replication etc.), now change the resolv.conf again (see below), reboot and check again.

DC1
nameserver IP_OF_DC_FSMO
nameserver IP_OF_DC2
nameserver IP_OF_DC3

DC2
nameserver IP_OF_DC2
nameserver IP_OF_DC3
nameserver IP_OF_DC_FSMO

DC3
nameserver IP_OF_DC3
nameserver IP_OF_DC2
nameserver IP_OF_DC_FSMO

And now for any member server setup you can add the following (I don't advise this for the DCs!) in resolv.conf:

Set timeout:n to 1-3 sec.
Set attempts:n to 1-3
And set: rotate
Optional: edns0

Add max 3 DNS servers in your resolv.conf.

Example resolv.conf:

nameserver 192.168.1.2 #DC2
nameserver 192.168.1.1 #DC1
options rotate
options timeout:1
options edns0

The exceptions for me are the following, and only these use localhost in resolv.conf (optionally with 1 internal and one external DNS server):

Mail server, since this one is very important here; this one uses a bind9 slave setup, where the primary is the DC with FSMO. If all my DCs (and with that my DNS servers) are down, my mail keeps processing.

Mail relay server, this one uses a caching+forwarding setup; I forward the requests for internal.domain.tld to my DCs, and domain.tld and other requests to my ISP DNS servers. Optionally, set up a slave zone for internal.domain.tld, but I don't need it here.

Web server, like a regular member, but with forwarding for my external domains.

Proxy server, this one uses a caching+forwarding setup; squid likes the caching setup.

The forwarding to external is used so I always match the correct SPF, DKIM, TLSA settings, things like that.

This is how I run it all, and it works, as I noticed here, the best for me. For you, just try it.
If one can find improvements in my setup, or any disadvantages, let me know, post to the list and we all learn from it.

Most of you also know I only run Debian. Now I noticed that, after the upgrade from Jessie to Stretch and with the use of samba 4.7.6 as DCs, my complete network is resolving much quicker also, servers are faster, and the "look/feel" when working on them improved a lot imo.
Just an observation I wanted you to know also.

Greetz,
Louis
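The rules Louis lays out above (no loopback address as the first nameserver, at most three nameservers, timeout/attempts kept between 1 and 3, rotate only on member servers, and the post-install DC ordering of itself first, the other DCs next, the FSMO holder last) as a small POSIX shell script that lints a resolv.conf and generates the DC ordering. This is an added example and not part of the list post or of Samba; the IP addresses, the dc/member role argument and the function names are made up for illustration, and nothing here talks to the network.

```shell
#!/bin/sh
# Added example, not from the samba list or the Samba project.
# Lints /etc/resolv.conf style files against the thread's advice and
# emits the "final state" DC ordering (self, other DCs, FSMO holder last).
# All addresses below are constructed for the demo.

# check_resolv FILE ROLE   (ROLE is "dc" or "member")
# Prints each finding; returns 0 when clean, 1 otherwise.
check_resolv() {
    file="$1"; role="$2"; rc=0
    # nameserver entries in file order, trailing "#" comments stripped
    ns_list=$(sed -e 's/#.*//' "$file" | awk '$1 == "nameserver" { print $2 }')
    count=$(printf '%s\n' "$ns_list" | grep -c . || true)
    first=$(printf '%s\n' "$ns_list" | head -n 1)

    if [ "$count" -eq 0 ]; then
        echo "FAIL: no nameserver entries in $file"; rc=1
    fi
    if [ "$count" -gt 3 ]; then
        echo "FAIL: $count nameservers; the resolver only uses the first 3"; rc=1
    fi
    # Loopback first means Kerberos/DNS-update clients talk to "localhost".
    case "$first" in
        127.*|::1|localhost)
            echo "FAIL: first nameserver is loopback ($first); use the DC's own IP"; rc=1 ;;
    esac
    if [ "$role" = "dc" ]; then
        # A single DC has no alternative; a second DC avoids islanding.
        if [ "$count" -lt 2 ]; then
            echo "WARN: only one nameserver on a DC; add another DC if you have one"
        fi
        if grep -q '^options.*rotate' "$file"; then
            echo "FAIL: 'options rotate' on a DC; keep the DC's own IP first"; rc=1
        fi
    fi
    # timeout:n and attempts:n, when present, should be in 1..3
    for key in timeout attempts; do
        val=$(sed -e 's/#.*//' "$file" | grep -o "$key:[0-9]*" | head -n 1 | cut -d: -f2)
        if [ -n "$val" ] && { [ "$val" -lt 1 ] || [ "$val" -gt 3 ]; }; then
            echo "FAIL: options $key:$val is outside 1-3"; rc=1
        fi
    done
    return $rc
}

# gen_dc_resolv SELF_IP FSMO_IP DC_IP...
# Emits the post-install resolv.conf for one DC: itself first, then the
# other DCs, with the FSMO holder last (it is first only on the FSMO DC).
gen_dc_resolv() {
    self="$1"; fsmo="$2"; shift 2
    printf 'nameserver %s\n' "$self"
    for ip in "$@"; do
        [ "$ip" = "$self" ] && continue
        [ "$ip" = "$fsmo" ] && continue
        printf 'nameserver %s\n' "$ip"
    done
    [ "$self" != "$fsmo" ] && printf 'nameserver %s\n' "$fsmo"
    return 0
}

# Demo on constructed files: DC2 in a three-DC domain where DC1 holds FSMO.
demo() {
    good=$(mktemp); bad=$(mktemp)
    gen_dc_resolv 192.168.1.2 192.168.1.1 192.168.1.1 192.168.1.2 192.168.1.3 > "$good"
    printf 'nameserver 127.0.0.1\nnameserver 192.168.1.1\noptions rotate timeout:5\n' > "$bad"
    echo "== generated resolv.conf for DC2"; cat "$good"
    check_resolv "$good" dc && echo "OK: generated DC2 file passes"
    check_resolv "$bad" dc || echo "as expected: loopback-first DC file fails"
    rm -f "$good" "$bad"
}
demo
```

Run it on a real host with check_resolv /etc/resolv.conf dc (or member); the WARN line is deliberate because, as Marco notes, a single-DC domain has no other DNS to point at.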
Hello! L.P.H. van Belle via samba, on that day, wrote:

> Better not. It may give some problems in the long run.
> Because if "something" is using Kerberos auth and it uses localhost, it may fail.

Ok, seems clear. Thanks.

> Set timeout:n to 1-3 sec.
> Set attempts:n to 1-3
> And set: rotate
> Optional: edns0

Ok, thanks for these additional hints.

--
dott. Marco Gaiarin