samba - Mar 2023 - multi-site DNS confusion

Greetings,

This is my first attempt at multi-site with unique subnets (actually
first attempt at more than on DC).

I had the existing "defaultFirstSite" then added a second site and
two subnets (that I associated with each site).

I joined a second DC from the second site with the following:

samba-tool domain join ssc.domain.com DC -Uadministrator --realmssc.domain.com
--site=smithCo

DC01 = defaultFirstSite 10.1.211.0/25

[global]
 dns forwarder = 10.1.211.254
netbios name = DC01
realm = SSC.DOMAIN.COM
server role = active directory domain controller
workgroup = SSC
idmap_ldb:use rfc2307 = yes

[sysvol]
path = /var/lib/samba/sysvol
read only = No

[netlogon]
path = /var/lib/samba/sysvol/ssc.domain.com/scripts
read only = No



DC02 = smithCo 192.168.11.0/24
[global]
dns forwarder = 192.168.11.1
netbios name = DC02
realm = SSC.DOMAIN.COM
server role = active directory domain controller
workgroup = SSC
idmap_ldb:use rfc2307 = yes

[sysvol]
        path = /var/lib/samba/sysvol
        read only = No

[netlogon]
        path = /var/lib/samba/sysvol/ssc.domain.com/scripts
        read only = No


Both Forwarders go to each respective router/gateway device.

I'm unsure how to handle DNS management. I thought I would be able to
connect to
DC02 DNS server (as I've done with DC01) using RSAT. I get an error
when trying to add DC02 as a DNS server
Error:
"Access was denied, would you like to add it anyway"

I'm I supposed to manage all DNS via DC01 only?
If so, do I add a reverse zone or any other items directly
to DC01 dns server records? Is there any documentation
on managing multiple DCs (DNS and perhaps DHCP using
multi-sites and subnets)?  I found the docs on how to set it up
but the management part is unknown to me.
This is what I used for the setup:
https://wiki.samba.org/index.php/Active_Directory_Sites

Following this wiki
https://wiki.samba.org/index.php/Joining_a_Samba_DC_to_an_Existing_Active_Directory#Verifying_Directory_Replication

Is the section "Built-in User & Group ID Mappings" still relevant?
I ask
because I thought SAMBA4 has some
built-in replication. I thought everything gets replicated aside from group
policies. Perhaps this is package/distro dependent?

Thanks in advance,

Eric

Greetings,

I'm not sure what else to add. If you need more info please let me know.

Any input is greatly appreciated.

Eric


On Sat, Mar 4, 2023 at 2:58?PM Eric <rvwbug at gmail.com> wrote:
> Greetings,
>
> This is my first attempt at multi-site with unique subnets (actually
> first attempt at more than on DC).
>
> I had the existing "defaultFirstSite" then added a second site
and
> two subnets (that I associated with each site).
>
> I joined a second DC from the second site with the following:
>
> samba-tool domain join ssc.domain.com DC -Uadministrator --realm>
ssc.domain.com --site=smithCo
>
> DC01 = defaultFirstSite 10.1.211.0/25
>
> [global]
>  dns forwarder = 10.1.211.254
> netbios name = DC01
> realm = SSC.DOMAIN.COM
> server role = active directory domain controller
> workgroup = SSC
> idmap_ldb:use rfc2307 = yes
>
> [sysvol]
> path = /var/lib/samba/sysvol
> read only = No
>
> [netlogon]
> path = /var/lib/samba/sysvol/ssc.domain.com/scripts
> read only = No
>
>
>
> DC02 = smithCo 192.168.11.0/24
> [global]
> dns forwarder = 192.168.11.1
> netbios name = DC02
> realm = SSC.DOMAIN.COM
> server role = active directory domain controller
> workgroup = SSC
> idmap_ldb:use rfc2307 = yes
>
> [sysvol]
>         path = /var/lib/samba/sysvol
>         read only = No
>
> [netlogon]
>         path = /var/lib/samba/sysvol/ssc.domain.com/scripts
>         read only = No
>
>
> Both Forwarders go to each respective router/gateway device.
>
> I'm unsure how to handle DNS management. I thought I would be able to
> connect to
> DC02 DNS server (as I've done with DC01) using RSAT. I get an error
> when trying to add DC02 as a DNS server
> Error:
> "Access was denied, would you like to add it anyway"
>
> I'm I supposed to manage all DNS via DC01 only?
> If so, do I add a reverse zone or any other items directly
> to DC01 dns server records? Is there any documentation
> on managing multiple DCs (DNS and perhaps DHCP using
> multi-sites and subnets)?  I found the docs on how to set it up
> but the management part is unknown to me.
> This is what I used for the setup:
> https://wiki.samba.org/index.php/Active_Directory_Sites
>
> Following this wiki
>
>
https://wiki.samba.org/index.php/Joining_a_Samba_DC_to_an_Existing_Active_Directory#Verifying_Directory_Replication
>
> Is the section "Built-in User & Group ID Mappings" still
relevant? I ask
> because I thought SAMBA4 has some
> built-in replication. I thought everything gets replicated aside from
> group policies. Perhaps this is package/distro dependent?
>
> Thanks in advance,
>
> Eric
>
>