Thanks Rowland, I have removed the lines from options, and amended the forwarders.

[global]
        workgroup = <MYDOMAIN>
        realm = <MYDOMAIN>.CORP
        netbios name = <HOSTNAME>
        server role = active directory domain controller
        idmap_ldb:use rfc2307 = yes
        idmap config * : range = 3000-7999   ----------> If I remove this line I get errors -> idmap range not specified for domain '*'
        guest account = nobody
        restrict anonymous = 1
        winbind max clients = 2000
        log level = 1 auth_audit:3 auth_json_audit:3 dns:10 dsdb_audit:3 dsdb_json_audit:3
        max log size = 10000
        ldap server require strong auth = no
        ntlm auth = mschapv2-and-ntlmv2-only
        template homedir = /home/<mydomain>.corp/%U
        template shell = /bin/bash
        interfaces = lo ens192
        bind interfaces only = yes
        server services = -dns
        prefork children = 8

        # Disable printer share
        load printers = No
        printcap name = /dev/null
        disable spoolss = Yes

        # Enable Vodadealers TLS
        tls enabled = yes
        tls keyfile = tls/key.pem
        tls certfile = tls/cert.pem
        tls cafile = tls/ca.pem

[netlogon]
        path = /var/lib/samba/sysvol/<mydomain>.corp/scripts
        read only = Yes

[sysvol]
        path = /var/lib/samba/sysvol
        read only = Yes

Also see below resolv.conf

search mydomain.corp otherdomain.corp otherdomain.net otherdomain.co.za mydomain.co.za
nameserver DC2
nameserver DC3
nameserver DC1
nameserver DC5
nameserver DC6
nameserver DC4

Regards

On Fri, Feb 28, 2020 at 11:07 AM Rowland penny via samba <samba at lists.samba.org> wrote:
> On 28/02/2020 08:46, Eben Victor via samba wrote:
> > Hello All,
> >
> > I hope you can assist me,
> > I'm running Bind DLZ with our Samba AD DC environment
> >
> > Is there anything I might be missing in my named config?
> Well, yes and then again, no ;-)
> > See below bind config,
> >
> > # cat /etc/named.conf
> > # Global Configuration Options
> >
> > statistics-channels {
> >     inet 127.0.0.1 port 8653 allow { 127.0.0.1; };
> > };
> >
> > include "/var/lib/samba/bind-dns/named.conf";
> >
> > options {
> >
> >     version "";
> >     dump-file "/var/named/data/cache_dump.db";
> >     statistics-file "/var/named/data/named_stats.txt";
> >     memstatistics-file "/var/named/data/named_mem_stats.txt";
> >     auth-nxdomain yes;
> >     directory "/var/named";
> >     notify no;
> >     empty-zones-enable no;
> >     tkey-gssapi-keytab "/var/lib/samba/bind-dns/dns.keytab";
> >     minimal-responses yes;
> >
> >     dnssec-validation no;
> >     dnssec-enable no;
> >     dnssec-lookaside no;
> >
> >     listen-on port 53 { <Server IP>; 127.0.0.1; };
> >
> >     # IP addresses and network ranges allowed to query the DNS server:
> >     allow-query { any; };
> >
> >     # IP addresses and network ranges allowed to run recursive queries:
> >     # (Zones not served by this DNS server)
> >     allow-recursion { any; };
> >
> >     # Forward queries that can not be answered from own zones
> >     # to these DNS servers:
> >     forwarders {
> >         DC1;
> >         DC2;
> >         DC3;
> >         DC4;
> >         DC5;
> >     };
> > };
>
> OK, I have removed lines from 'options' that you do not need ;-)
>
> The one thing I haven't changed, and you definitely need to, is the
> forwarders: you cannot forward to another DC. You need to forward to DNS
> servers outside your AD DNS domain, Google's for example.
>
> Everything else in named.conf is okay.
>
> It may help if you also post your smb.conf file.
>
> Rowland
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/options/samba

--
Eben Victor
Cell: +27 82 759 5266
Email: eben.victor at gmail.com
On 28/02/2020 09:21, Eben Victor wrote:
> Thanks Rowland, I have removed the lines from options, and amended the forwarders.
>
> [global]
>         workgroup = <MYDOMAIN>
>         realm = <MYDOMAIN>.CORP
>         netbios name = <HOSTNAME>
>         server role = active directory domain controller
>         idmap_ldb:use rfc2307 = yes
>         idmap config * : range = 3000-7999 ----------> If I remove the
> portion I get errors -> idmap range not specified for domain '*'

Yes, I know, remove the line and ignore the error, it is meaningless ;-)

> Also see below resolv.conf
>
> search mydomain.corp otherdomain.corp otherdomain.net otherdomain.co.za mydomain.co.za

Remove all domains except for the AD DNS domain.

> nameserver DC2
> nameserver DC3
> nameserver DC1
> nameserver DC5
> nameserver DC6
> nameserver DC4

The DC should use itself as its nameserver; whether you have other nameservers is debatable: if Samba crashes, do you want it contacting another DC?

Rowland
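The two checks Rowland asks for (only the AD DNS domain in the search list, the DC as its own first nameserver, no DC among the BIND forwarders) can be linted from the files themselves. The script below is an added example, not something posted in the thread or shipped with Samba; the addresses 192.0.2.10-12 and the resolv.conf/named.conf fragments are constructed stand-ins for DC1..DC6 and the real files.

```shell
#!/bin/sh
# Added example: lint a Samba AD DC's resolver and forwarder settings.
# Assumed (constructed) values: this DC is 192.0.2.10, the AD DNS domain is
# mydomain.corp, and the other DCs live at 192.0.2.11 and 192.0.2.12.
AD_DOMAIN="mydomain.corp"
SELF_IP="192.0.2.10"
DC_IPS="192.0.2.10 192.0.2.11 192.0.2.12"

# Constructed resolv.conf in the shape posted in the thread: extra search
# suffixes and another DC listed before the DC itself.
RESOLV_CONF='search mydomain.corp otherdomain.corp otherdomain.net
nameserver 192.0.2.11
nameserver 192.0.2.10
options edns0'

# Constructed named.conf fragment: one forwarder is still a DC.
NAMED_CONF='options {
    forwarders {
        192.0.2.11;
        8.8.8.8;
    };
};'

# check_resolv: one line per finding on stdout, exit 1 if anything was found.
check_resolv() {
    conf="$1"; rc=0
    # every search suffix other than the AD DNS domain is a finding
    for d in $(printf '%s\n' "$conf" | awk '$1=="search"{$1="";print}'); do
        [ "$d" = "$AD_DOMAIN" ] || { echo "search: drop $d"; rc=1; }
    done
    # the first nameserver tried must be this DC
    first=$(printf '%s\n' "$conf" | awk '$1=="nameserver"{print $2; exit}')
    [ "$first" = "$SELF_IP" ] || { echo "nameserver: first entry is $first, not $SELF_IP"; rc=1; }
    return $rc
}

# check_forwarders: a forwarder that is itself a DC is a finding.
check_forwarders() {
    conf="$1"; rc=0
    # collect the entries between "forwarders {" and the next "}"
    fwds=$(printf '%s\n' "$conf" | awk '/forwarders/{f=1;next} f&&/}/{f=0} f{gsub(/;/,"");print $1}')
    for f in $fwds; do
        for dc in $DC_IPS; do
            [ "$f" = "$dc" ] && { echo "forwarders: $f is a DC"; rc=1; }
        done
    done
    return $rc
}

check_resolv "$RESOLV_CONF" || :
check_forwarders "$NAMED_CONF" || :
```

On a real DC, replace the two embedded strings with `$(cat /etc/resolv.conf)` and `$(cat /etc/named.conf)` and fill in the DC addresses from `samba-tool dns` or the AD DNS zone.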
Ow and I forgot..

If the server is firewalled, make sure you allow udp AND tcp on port 53.

> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of
> Rowland penny via samba
> Sent: Friday 28 February 2020 10:39
> To: sambalist
> Subject: Re: [Samba] Samba Bind DLZ Slow queries
>
> [...]
Thanks Louis,

FW configured as below

53/tcp
88/tcp
135/tcp
139/tcp
389/tcp
445/tcp
464/tcp
636/tcp
3268/tcp
3269/tcp
49152-65535/tcp
123/udp
53/udp
88/udp
137/udp
138/udp
389/udp
464/udp
22/tcp

On Fri, Feb 28, 2020 at 12:36 PM L.P.H. van Belle via samba <samba at lists.samba.org> wrote:
> Ow and I forgot..
>
> If the server is firewalled, make sure you allow udp AND tcp on port 53.
>
> [...]
So if this is done, is edns configured also?

in resolv.conf add:

options edns0

and, in named.conf test these.

        // The forwarded zone to the AD-DC DNS use these also.
        //dnssec-must-be-secure internal.domain.tld no;
        //dnssec-must-be-secure 168.192.in-addr.arpa no;
        // listen-on-v6 { ::1; };  // test what works best, if not all ipv6 is disabled also enable this one. just the response.
        listen-on-v6 { "none"; };
        listen-on port 53 { 127.0.0.1; 192.168.xxx.xxx; };
        version "Go Away 0.0.7"; // change bind version
        allow-query { "thisserverip"; 127.0.0.1; ::1; "mynetworks"; };
        allow-query-cache { "thisserverip"; 127.0.0.1; ::1; "mynetworks"; };
        // make sure bind does not eat all the ram
        max-cache-size 32M;

From: Eben Victor [mailto:eben.victor at gmail.com]
Sent: Friday 28 February 2020 12:10
To: L.P.H. van Belle
CC: samba at lists.samba.org
Subject: Re: [Samba] Samba Bind DLZ Slow queries

[...]