Hi Rowland,

On Fri, Jun 28, 2019, 04:55 Rowland penny via samba <samba at lists.samba.org> wrote:

> You should be doing it the other way around. Your AD clients should be
> using the AD DC's as their nameservers and anything outside the AD dns
> domain should be forwarded to an external DNS server.

On this wiki page [1] it says:

> For high traffic environments, it is not recommended to use BIND9_DLZ-backed samba as a primary DNS server. Instead, use an external server that only forwards queries to BIND9_DLZ-backed samba DNS installations when the query is addressed to a zone managed by that node.

...which seems to conflict. We've been weighing the pros and cons of the various architectures and wondering about this as well. Is it required that AD clients point directly at AD DCs? Are there certain DNS requests (e.g. updates) that won't be forwarded properly by an intermediary DNS server?

[1]: https://wiki.samba.org/index.php/BIND9_DLZ_DNS_Back_End#Recommended_Architecture

Jonathon
On 28/06/2019 12:48, Jonathon Reinhart wrote:
> Hi Rowland,
>
> On Fri, Jun 28, 2019, 04:55 Rowland penny via samba <samba at lists.samba.org> wrote:
>
>> You should be doing it the other way around. Your AD clients should be
>> using the AD DC's as their nameservers and anything outside the AD dns
>> domain should be forwarded to an external DNS server.
>
> On this wiki page [1] it says:
>
>> For high traffic environments, it is not recommended to use
>> BIND9_DLZ-backed samba as a primary DNS server. Instead, use an
>> external server that only forwards queries to BIND9_DLZ-backed samba
>> DNS installations when the query is addressed to a zone managed by
>> that node.
>
> ...which seems to conflict.

Yes it does. It seems to have been added by one of Catalyst's engineers back in August 2018 and is one of those statements that asks more questions than it answers. Just what is 'high traffic'? Is it 100 queries a minute, 1000, 10000 or what, or does it depend on the number of users, computers etc.? All I can say is that it has never affected me, but then I doubt I fall into the 'high traffic' usage. ;-)

I would use the DNS server on the DC (internal or Bind9) and monitor it; if you find that bottlenecks occur you could then do what that statement says and use an external DNS server.

It would be nice if the Catalyst guy would update his statement and tell us how to use an external DNS server ;-)

Rowland
All I can say is, yes, I did notice these slowdowns also. And afterwards, the change between 4.5-4.8 and 4.9-4.10 is really noticeable. Even my users noticed this. But these days nobody complains anymore, so that's good, and I made sure my 3 multi-homed servers query the server where it's needed.

Like this:

(lan dns) <-> ETH0 server ETH0 <-> Internet DNS (<- forwarded zones) (all other requests ->)

That also helps reduce my queries to the AD-DC DNS a lot. One reason why your DNS setup is so important.

Greetz,

Louis

> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Rowland penny via samba
> Sent: Friday 28 June 2019 14:33
> To: sambalist
> Subject: Re: [Samba] AD DLZ backend - 'proper' way of doing it
>
> On 28/06/2019 12:48, Jonathon Reinhart wrote:
>> Hi Rowland,
>>
>> On Fri, Jun 28, 2019, 04:55 Rowland penny via samba <samba at lists.samba.org> wrote:
>>
>>> You should be doing it the other way around. Your AD clients should be
>>> using the AD DC's as their nameservers and anything outside the AD dns
>>> domain should be forwarded to an external DNS server.
>>
>> On this wiki page [1] it says:
>>
>>> For high traffic environments, it is not recommended to use
>>> BIND9_DLZ-backed samba as a primary DNS server. Instead, use an
>>> external server that only forwards queries to BIND9_DLZ-backed samba
>>> DNS installations when the query is addressed to a zone managed by
>>> that node.
>>
>> ...which seems to conflict.
>
> Yes it does, it seems to have been added by one of Catalyst's engineers
> back in August 2018 and is one of those statements that asks more
> questions than it answers. Just what is 'high traffic' ? Is it 100
> queries a minute, 1000, 10000 or what, or does it depend on number of
> users, computers etc. All I can say is that it has never affected
> myself, but then I doubt if I fall into the 'high traffic' usage. ;-)
>
> I would use the dns server on the DC (internal or Bind9) and monitor it,
> if you find that bottlenecks occur you could then do what that statement
> says, use an external dns server.
>
> It would be nice if the Catalyst guy would update his statement and tell
> us how to use an external dns server ;-)
Re-sending, to the Samba list as well.

Hi Louis,

Is this setup close to mine? I mean, are those forward records set on the external DNS server, pointing to the Samba?

On Fri, Jun 28, 2019 at 3:06 PM L.P.H. van Belle via samba <samba at lists.samba.org> wrote:

> Hi,
>
> If the setup is done correctly this should work fine.
> Set up a (caching) bind9 DNS server and add a forward for every needed zone.
>
>     zone "primary.dnsdomain.tld" {
>         type forward;
>         forwarders { 192.168.1.2; 192.168.1.1; };
>     };
>
>     zone "168.192.in-addr.arpa" {
>         type forward;
>         forwarders { 192.168.1.2; 192.168.1.1; };
>     };
>
> And you're done.
>
> I have been using this on my 3 split-networked servers for years now.
>
> Greetz,
>
> Louis

Rowland,

> What is '192.168.40.5', this is what replied.

That's my Samba AD server. I just forgot to "mask" it :-)

Also,

> All I can say is, yes, I did notice these slowdowns also.
> And afterwards, the change between 4.5-4.8 and 4.9-4.10 is really noticeable.
> Even my users noticed this.

We noticed it as we had a high-traffic FTP server using the samba_dlz DNS backend. The speeds dropped significantly (iirc 10 times lower download speeds after 2 weeks of usage).

Also, I'd like to quote Andrew Bartlett from last summer:

> Each DNS lookup takes the Samba DB lock, no matter what the zone. This
> appears to be the main issue here.
>
> We need to cache the list of zones we have so we don't need to get the
> lock.
> In the meantime, set your FTP server to reference a caching BIND9 that
> only forwards the Samba zone to the Samba DC.
>
> Andrew Bartlett

so that's why I configured my setup the way I showed in my first mail here.
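The setup Louis and Andrew Bartlett describe above (a caching BIND9 in front of the Samba AD DCs that forwards only the AD zones to them), as an added, self-contained example that is not code from this thread or from the Samba project. The domain ad.example.com, the DC addresses 192.168.1.1 and 192.168.1.2, and the 192.168.1.0/24 reverse zone are assumed for illustration; adjust them to your site.

```shell
#!/bin/sh
# Added example, not from the Samba list thread: generate the forward-zone
# stanzas for a caching BIND9 that sits in front of Samba AD DCs, and (when
# dig is installed) check the resolution path clients will see through it.
# Assumed names: ad.example.com, DCs 192.168.1.1 / 192.168.1.2,
# reverse zone 1.168.192.in-addr.arpa.

# gen_forward_zones DOMAIN REVERSE_ZONE DC_IP...
# Prints named.conf zone stanzas. "forward only" is added on purpose: with
# BIND's default ("forward first") a DC outage makes the caching server recurse
# to the public root servers for the private AD zone and cache the NXDOMAIN.
gen_forward_zones() {
    domain=$1
    rev=$2
    shift 2
    fwd=""
    for ip in "$@"; do
        fwd="$fwd $ip;"
    done
    # _msdcs.DOMAIN is provisioned as a separate zone on a Samba DC. Forwarding
    # the parent already covers it; listing it keeps the intent visible.
    for z in "$domain" "_msdcs.$domain" "$rev"; do
        printf 'zone "%s" {\n    type forward;\n    forward only;\n    forwarders {%s };\n};\n\n' "$z" "$fwd"
    done
}

# count_forward_zones DOMAIN REVERSE_ZONE DC_IP...
# Number of zone stanzas the generator emits (used to self-check the output).
count_forward_zones() {
    gen_forward_zones "$@" | grep -c '^zone '
}

# check_ad_path RESOLVER DOMAIN
# Live checks through the caching server, run only when dig is available:
#  1. the SOA answer for the AD zone: its MNAME is the server that domain
#     members send their dynamic (GSS-TSIG) updates to, and the forwarder
#     returns it unchanged, so that DC must be reachable from the clients;
#  2. the DC locator SRV record, which must resolve for joins and logons.
check_ad_path() {
    resolver=$1
    domain=$2
    if ! command -v dig >/dev/null 2>&1; then
        echo "dig not installed, skipping live checks"
        return 0
    fi
    echo "SOA for $domain (MNAME = update target for clients):"
    dig +short @"$resolver" SOA "$domain"
    echo "DC locator record:"
    dig +short @"$resolver" SRV "_ldap._tcp.dc._msdcs.$domain"
}

# Stand-alone use: print the fragment to paste into named.conf; with the
# argument "check", also run the live dig checks against a server on 127.0.0.1.
gen_forward_zones ad.example.com 1.168.192.in-addr.arpa 192.168.1.1 192.168.1.2
if [ "${1:-}" = "check" ]; then
    check_ad_path 127.0.0.1 ad.example.com
fi
```

Run it once to print the fragment and validate the result with named-checkconf before reloading; run it with `check` from a client network after reloading. The two things worth confirming are that the SOA MNAME points at a DC the clients can reach directly (BIND does not relay UPDATE messages for a `type forward` zone, so client registration bypasses the caching server), and that `_ldap._tcp.dc._msdcs` resolves through the cache.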