Maybe this is a stupid idea, but what we are doing here is using just the domain name for all sorts of services, i.e. LDAP. So instead of pointing a client to dc1.somedom.contoso.com or dc2.somedom.contoso.com, we point them to somedom.contoso.com, which is then resolved to both and the client can pick.

Best regards
Johannes

On Mon, 23 Nov 2020 at 17:02, Rowland penny via samba <samba at lists.samba.org> wrote:

> On 23/11/2020 15:47, Sven Wick via samba wrote:
> > Hi,
> >
> > I have a setup with 2 DCs which works just fine.
> >
> > Since we have some legacy systems which can't deal with 2 DNS names,
> > I used ctdb to manage a floating IP (in addition to the fixed IPs)
> > between the DCs, which works great also.
>
> You cannot use CTDB with AD DCs.
>
> If your 'legacy' system cannot deal with 2 DNS names (not entirely sure
> what you mean by this), then just point them at one DC.
>
> Rowland
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/options/samba
On 23/11/2020 16:18, Johannes Engel via samba wrote:
> Maybe this is a stupid idea, but what we are doing here is using just the
> domain name for all sorts of services, i.e. LDAP.
> So instead of pointing a client to dc1.somedom.contoso.com or
> dc2.somedom.contoso.com, we point them to somedom.contoso.com which is then
> resolved to both and the client can pick.

OK, you really should only be using the DCs for authentication, and you sound like you are also using them as fileservers etc. This isn't a good idea, but sometimes you have to do this, just as long as you understand the limitations. What you shouldn't do is use multiple DCs for the same thing, as a mailserver for instance. You can have the mailserver objects in AD and these will be available on all DCs, but you shouldn't use all DCs as a mailserver.

I think it might be an idea if you could explain your setup in a bit more detail. If you must use a cluster, then you need to use Unix domain members to create the cluster and then join these to the domain.

Rowland
> we point them to somedom.contoso.com which is then
> resolved to both and the client can pick

I want to avoid round-robin DNS.

> You cannot use CTDB with AD DCs

You can.

/etc/ctdb/nodes

    192.168.30.11
    192.168.30.12

/etc/ctdb/public_addresses

    192.168.30.10/24 ens18

/etc/ctdb/events/legacy/20.samba-ad.script

    #!/usr/bin/env bash
    # CTDB "monitor" event for a Samba AD DC: the node is reported healthy
    # only while the local DC answers an LDAP RootDSE query with a Samba
    # vendorName. If it does not, CTDB moves the floating IP elsewhere.

    function monitor_ldap() {
        if ldbsearch -H ldap://127.0.0.1 -s base -b "" vendorName 2>/dev/null | grep -qi samba; then
            return 0
        else
            echo "ldbsearch received no info"
            return 1
        fi
    }

    case "$1" in
        monitor)
            monitor_ldap || exit 1
            ;;
    esac

    exit 0

I used to use keepalived for this kind of setup, but ctdb is a neat solution so I switched.

When I change /etc/ctdb/public_addresses from

    192.168.30.10/24 ens18

to

    192.168.60.10/24 ens18

the replication does not break, because x.x.60.0 is not the internal DNS zone.

This setup allows me to upgrade and reboot each DC without downtime, because ctdb checks for samba and moves the floating IP.
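The post above reports that a floating address inside the DCs' own subnet (192.168.30.0/24) broke replication, while one in 192.168.60.0/24 did not. The following is an added example, not code from the post or from the Samba/CTDB projects: a small checker that parses the two CTDB files in the formats shown above and flags any public address that lands in the same subnet as a fixed node address. The file contents are constructed copies of the values in the post, and the "shares a subnet with a DC" rule is taken from the poster's report, not verified independently.

```python
import ipaddress

# Constructed copies of the two files quoted in the post above.
NODES_FILE = """\
192.168.30.11
192.168.30.12
"""

PUBLIC_ADDRESSES_FILE = """\
192.168.30.10/24 ens18
"""


def _strip(line):
    """Drop '#' comments and surrounding whitespace from one config line."""
    return line.split("#", 1)[0].strip()


def parse_nodes(text):
    """Return the fixed node addresses from /etc/ctdb/nodes (one IP per line)."""
    return [ipaddress.ip_address(l) for l in map(_strip, text.splitlines()) if l]


def parse_public_addresses(text):
    """Return (interface_object, device) pairs from /etc/ctdb/public_addresses.

    Each line has the form '<ip>/<prefixlen> <interface>'; anything else is
    rejected so a typo does not silently produce an unmonitored address.
    """
    entries = []
    for line in map(_strip, text.splitlines()):
        if not line:
            continue
        parts = line.split()
        if len(parts) != 2:
            raise ValueError(f"malformed public_addresses line: {line!r}")
        entries.append((ipaddress.ip_interface(parts[0]), parts[1]))
    return entries


def floating_ip_shares_subnet_with_nodes(public_iface, nodes):
    """True when the floating address lives in the same subnet as any fixed
    node address, i.e. the layout the post reports as breaking replication."""
    return any(node in public_iface.network for node in nodes)


def check_config(nodes_text, public_text):
    """Return a human-readable finding per public address that overlaps the
    DC subnet; an empty list means the layout matches the post's working one."""
    nodes = parse_nodes(nodes_text)
    findings = []
    for iface, dev in parse_public_addresses(public_text):
        if floating_ip_shares_subnet_with_nodes(iface, nodes):
            findings.append(f"{iface} on {dev} is inside the DC subnet {iface.network}")
    return findings


if __name__ == "__main__":
    for finding in check_config(NODES_FILE, PUBLIC_ADDRESSES_FILE):
        print("WARNING:", finding)
    print("moved to 192.168.60.0/24:", check_config(NODES_FILE, "192.168.60.10/24 ens18\n"))
```

Run against the post's original files it prints one warning for 192.168.30.10/24; with the address moved to 192.168.60.10/24, as the post describes, it reports nothing. A malformed public_addresses line (missing interface) raises ValueError rather than being skipped.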
Hi Rowland,

your advice is much appreciated, but this is a misunderstanding. DCs are used only for authentication and AD-based identity management. That includes the standard services any DC offers, i.e. KRB5, LDAP etc. Nonetheless, even those services need to be contacted by clients, and here we use the model described in my post.

Best regards
Johannes

On Mon, 23 Nov 2020 at 17:43, Rowland penny via samba <samba at lists.samba.org> wrote:

> On 23/11/2020 16:18, Johannes Engel via samba wrote:
> > Maybe this is a stupid idea, but what we are doing here is using just the
> > domain name for all sorts of services, i.e. LDAP.
> > So instead of pointing a client to dc1.somedom.contoso.com or
> > dc2.somedom.contoso.com, we point them to somedom.contoso.com which is
> > then resolved to both and the client can pick.
>
> OK, you really should only be using the DCs for authentication, and you
> sound like you are also using them as fileservers etc. This isn't a good
> idea, but sometimes you have to do this, just as long as you understand
> the limitations. What you shouldn't do is use multiple DCs for the same
> thing, as a mailserver for instance. You can have the mailserver objects
> in AD and these will be available on all DCs, but you shouldn't use all
> DCs as a mailserver.
>
> I think it might be an idea if you could explain your setup in a bit
> more detail. If you must use a cluster, then you need to use Unix domain
> members to create the cluster and then join these to the domain.
>
> Rowland