samba - Jan 2023 - DCs in multiple VLANs

On 20/01/2023 09:16, Stefan G. Weichinger via samba
wrote:
> Am 20.01.23 um 09:26 schrieb Stefan G. Weichinger via samba:
>> Am 19.01.23 um 22:26 schrieb Allen Chen:
>>> To make less headache, remove vlans from DCs and create a separate 
>>> DHCP proxy server instead(or use your switch DHCP forward feature).
>>
>> Something like a DHCP relay (we have a pfsense there)?
>>
>> I get the idea but I don't yet fully understand how the target DHCP
>> server would know which VLANs the requests belong to.
> 
> What I don't like about that idea:
> 
> I could only forward to one DHCP-Server IP ... that would make my nice 
> 2-node-Kea-cluster a bit less useful. No failover then, right?
Whilst it is best to only have one active dhcp server, you can use 
failover, which is easy with the now EOL isc-dhcp-server, but is 
probably possible with the kea server. The problem with the kea server 
is, in my opinion, it is a bit like using a sledgehammer to crack a nut, 
it is just too complex.

Now that the isc-dhcp-server is EOL (it will hang about a bit in 
distro's), I will have to rewrite my dhcp script and it will not be 
using kea, even though the changes would be minimal to do so. In my 
opinion, you would have to criminally insane to fully understand kea and 
I need to understand something before I use it.
> 
> Or could I simply remove the multiple DNS-records created for the DC 
> after enabling it on all VLAN-interfaces, so that there is only one 
> record pointing to its LAN IP?
Your DC should only have one ipaddress, it should not be multi-homed.

Rowland

Am 20.01.23 um 10:34 schrieb Rowland Penny via samba:
> Whilst it is best to only have one active dhcp server, you can use 
> failover, which is easy with the now EOL isc-dhcp-server, but is 
> probably possible with the kea server. The problem with the kea server 
> is, in my opinion, it is a bit like using a sledgehammer to crack a nut, 
> it is just too complex.
The kea-cluster runs in that "hot-standby" mode: one node is the
active
DHCP server, the other takes over if the primary fails. Nice to have.

But I agree: complex ...

If I now switch over to using DHCP relay, I can only enter one IP in 
that pfsense tab (I have a pfsense there as router/firewall):

https://docs.netgate.com/pfsense/en/latest/services/dhcp/relay.html

This breaks things if the first DHCP node goes down: the DHCP relay 
would then point to the broken node and the secondary DHCP node would 
take over but never see the requests.

Doesn't sound good to me.
> Now that the isc-dhcp-server is EOL (it will hang about a bit in 
> distro's), I will have to rewrite my dhcp script and it will not be 
> using kea, even though the changes would be minimal to do so. In my 
> opinion, you would have to criminally insane to fully understand kea and 
> I need to understand something before I use it.
> 
>>
>> Or could I simply remove the multiple DNS-records created for the DC 
>> after enabling it on all VLAN-interfaces, so that there is only one 
>> record pointing to its LAN IP?
> 
> Your DC should only have one ipaddress, it should not be multi-homed.
Yes. Thanks for this.

I didn't touch it in the last days but back then I noticed that samba 
would create one DNS-record per interface, right?

So my approach with binding only to the LAN interface is OK, right?

So far things work mostly.

It's just that a windows client in a VLAN fails to pull group policies 
for example: the asymmetric routing breaks that.

So far I don't see a nice solution (aside from putting the DHCP cluster 
elsewhere), this might be related to the fact that I am currently sick 
and should stay in bed.

Thanks all for any help, Stefan