[Samba] samba ADDC dns setup? ( this is same for any MS server )

L.P.H. van Belle belle at bazuin.nl
Wed Aug 17 08:57:08 UTC 2016


Hi everyone.

I know about the DNS "things" in the past, DNS islanding problems etc.

This one is a bit hijacking the subject:

"Horrible BIND9_DLZ DNS breakage after DC replaced and samba-tool domain demote --remove-other-dead-server"

I would like to suggest a small change in how we suggest to set up the Samba ADDC DNS things,
and I do think this helps in the setup of the AD DC and reduces the chance of errors.

So this is what I suggest, and I explain why, so yeah.. long email again, sorry about that.

The loopback IP address should be configured only as a secondary or tertiary DNS server on a domain controller,
but in my opinion should be avoided at all times.

I'll address 2 things here: resolving (order) and IPv4/IPv6 preferences.

---------------------

In a single ADDC server setup, resolv.conf suggestions.

search ad-dc-subdom.domain.tld ( and maybe others to search. )
nameserver IP_OF_DC_AND_NOT_127.0.0.1

Only now a localhost IP is optional here, but I don't suggest it;
when you later add a DC and you move the FSMO roles, this can be a problem.

Why? Simple: we forget to change it when needed if we add a DC,
or change FSMO roles to other servers.
At least this happens: you reboot and you have a DNS problem.

---------------------

In a 2 server ADDC setup.

First Server. ( ADDC with FSMO roles and primary DNS zones )

search ad-dc-subdom.domain.tld ( and maybe others to search. )
nameserver IP_OF_DC1_AND_NOT_127.0.0.1
( and later (optional) add the DC2 IP. )

DON'T CHANGE THE ORDER HERE. First DC1, then DC2.
Note: any server should always resolve first to the ADDC DNS which contains the
domain controller locator CNAME records for all the other domain controllers in the root.

Second ADDC Server.

search ad-dc-subdom.domain.tld ( and maybe others to search. )
nameserver IP_OF_DC1_AND_NOT_127.0.0.1
nameserver IP_OF_DC2_AND_NOT_127.0.0.1

---------------------

In a 3 DC server setup, or more.

First Server. ( primary with FSMO roles )

search ad-dc-subdom.domain.tld ( and maybe others to search. )
nameserver IP_OF_DC1_AND_NOT_127.0.0.1
( optional: add DC2 and/or DC3 IP )

Second ADDC Server.

search ad-dc-subdom.domain.tld ( and maybe others to search. )
nameserver IP_OF_DC1_AND_NOT_127.0.0.1
nameserver IP_OF_DC3_AND_NOT_127.0.0.1
( optional: nameserver IP_OF_THIS_ADDC_OR_127.0.0.1 )

Third ADDC Server.

search ad-dc-subdom.domain.tld ( and maybe others to search. )
nameserver IP_OF_DC1
nameserver IP_OF_DC2
( optional: nameserver IP_OF_THIS_ADDC_OR_127.0.0.1 )

IF you have the room for it, a 3 DC setup is the best.
For the clients, point to DC2 and DC3, or depending on the load of the servers.

And for all servers above, NEVER add the own IP of an ADDC AND 127.0.0.1 in resolv.conf.
But that should be obvious.

---------------------------------

Since MS is changing a lot in security and I see lots of it pointing to FQDNs
and not single names like it used to before, it looks to me that using IP/hostname with FQDN is more correct, better resolving, fewer problems in the future.
The latest security fixes, the Badlock things, GPO security fixes, changed a lot to FQDN for authentication things (etc).

And I think this is one of the best tips for today..
Also set up what you prefer, IPv4 over IPv6, etc.; the clients (Win7 and Win10)
ALWAYS prefer IPv6 over IPv4, thanks to MS.
So I can suggest setting up a COMPUTER GPO and setting your preferences for the resolve order.
I disabled all IPv6 components on my clients since I don't use it in my LAN.
Look here for how to set it up. ( preferred )
http://social.technet.microsoft.com/wiki/contents/articles/5927.how-to-disable-ipv6-through-group-policy.aspx

Or use: https://support.microsoft.com/en-us/kb/929852

Last thing to know: the above avoids DNS islanding in all cases.

Tell us your thoughts....

Greetz,

Louis

p.s.

Sources:
https://technet.microsoft.com/en-us/library/ff807362(v=ws.10).aspx
https://support.microsoft.com/en-us/kb/275278
http://social.technet.microsoft.com/wiki/contents/articles/5927.how-to-disable-ipv6-through-group-policy.aspx
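Added example, not part of Louis's mail: a small POSIX shell check of a resolv.conf against the rules in the post (a search line present, DC1 listed first, loopback only tolerated as a later entry, never the DC's own IP together with 127.0.0.1). It takes the file contents, the host's own IP and the DC1 IP as arguments; the 192.0.2.x addresses are constructed.

```shell
#!/bin/sh
# Added example, not from the post: check a resolv.conf against the rules the
# post gives. Arguments: the file contents as one string, this host's own IP and
# the IP of DC1 (the DC with the FSMO roles, which must always be asked first).
# Prints ERROR/WARN lines; exit status 0 only when there is no ERROR.
check_resolv_conf() {
    conf=$1 own_ip=$2 dc1_ip=$3
    errors=0 has_own=0 has_loop=0

    # nameserver entries, in the order resolv.conf lists them
    nameservers=$(printf '%s\n' "$conf" | awk '$1 == "nameserver" { print $2 }')

    # a search line for the AD DC DNS domain should be present
    if ! printf '%s\n' "$conf" | grep -q '^search[[:space:]]'; then
        echo "ERROR: no search line (expected the AD DC DNS domain)"
        errors=$((errors + 1))
    fi

    # DC1 must come first; the order must not be changed on any DC
    first=$(printf '%s\n' "$nameservers" | sed -n 1p)
    if [ "$first" != "$dc1_ip" ]; then
        echo "ERROR: first nameserver is '${first:-none}', expected DC1 ($dc1_ip)"
        errors=$((errors + 1))
    fi

    for ns in $nameservers; do
        case $ns in
            127.*|::1)
                has_loop=1
                echo "WARN: loopback nameserver $ns (only secondary/tertiary, better avoided)" ;;
            "$own_ip") has_own=1 ;;
        esac
    done

    # never list both the DC's own address and a loopback address
    if [ "$has_own" -eq 1 ] && [ "$has_loop" -eq 1 ]; then
        echo "ERROR: both the own IP ($own_ip) and a loopback address are listed"
        errors=$((errors + 1))
    fi

    [ "$errors" -eq 0 ]
}

# Constructed sample: resolv.conf of DC2 in the two-DC setup (IPs made up)
sample='search ad-dc-subdom.domain.tld
nameserver 192.0.2.10
nameserver 192.0.2.20'
check_resolv_conf "$sample" 192.0.2.20 192.0.2.10 && echo "resolv.conf OK"
```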

 


