[Samba] samba ADDC dns setup? ( this is same for any MS server )

Rowland Penny rpenny at samba.org
Wed Aug 17 10:06:16 UTC 2016


On Wed, 17 Aug 2016 10:57:08 +0200
"L.P.H. van Belle via samba" <samba at lists.samba.org> wrote:

> Hi everyone.
> 
> I know about the DNS "things" in the past, DNS islanding problems
> etc.
> 
> This one is a bit hijacking the subject:
> 
> "Horrible BIND9_DLZ DNS breakage after DC replaced and samba-tool
> domain demote --remove-other-dead-server"
> 
> I would like to suggest a small change in how we suggest to set up
> the Samba AD DC DNS things, and I do think this helps in the setup of
> the AD DC and reduces the chance of errors.
> 
> So this is what I suggest, and I explain why, so yeah.. long email
> again, sorry about that.
> 
> The loopback IP address should be configured only as a secondary or
> tertiary DNS server on a domain controller, but in my opinion it
> should be avoided at all times.
> 
> I'll address 2 things here: resolving (orders) and IPv4/IPv6
> preferences.
> 
> ---------------------
> 
> In a single AD DC server setup, resolv.conf suggestions:
> 
> search ad-dc-subdom.domain.tld (and maybe others to search)
> nameserver IP_OF_DC_AND_NOT_127.0.0.1
> 
> Only now a localhost IP is optional here, but I don't suggest it;
> when you later add a DC and you move the FSMO roles, this can be a
> problem.
> 
> Why? Simple: we forget to change it when needed if we add a DC, or
> change FSMO roles to other servers. At least this happens: you reboot
> and you have a DNS problem.
> 
> ---------------------
> 
> In a 2 server AD DC setup:
> 
> First server (AD DC with FSMO roles and primary DNS zones):
> 
> search ad-dc-subdom.domain.tld (and maybe others to search)
> nameserver IP_OF_DC1_AND_NOT_127.0.0.1
> (and later (optional) add the DC2 IP)
> 
> DON'T CHANGE THE ORDER HERE. First DC1, then DC2.
> 
> Note: any server should always resolve first to the AD DC DNS which
> contains the domain controller locator CNAME records for all the
> other domain controllers in the root.
> 
> Second AD DC server:
> 
> search ad-dc-subdom.domain.tld (and maybe others to search)
> nameserver IP_OF_DC1_AND_NOT_127.0.0.1
> nameserver IP_OF_DC2_AND_NOT_127.0.0.1
> 
> ---------------------
> 
> In a 3 DC server setup, or more:
> 
> First server (primary with FSMO roles):
> 
> search ad-dc-subdom.domain.tld (and maybe others to search)
> nameserver IP_OF_DC1_AND_NOT_127.0.0.1
> (optional: add DC2 and/or DC3 IP)
> 
> Second AD DC server:
> 
> search ad-dc-subdom.domain.tld (and maybe others to search)
> nameserver IP_OF_DC1_AND_NOT_127.0.0.1
> nameserver IP_OF_DC3_AND_NOT_127.0.0.1
> (optional nameserver IP_OF_THIS_ADDC_OR_127.0.0.1)
> 
> Third AD DC server:
> 
> search ad-dc-subdom.domain.tld (and maybe others to search)
> nameserver IP_OF_DC1
> nameserver IP_OF_DC2
> (optional nameserver IP_OF_THIS_ADDC_OR_127.0.0.1)
> 
> If you have the room for it, a 3 DC setup is the best.
> 
> For the clients, point to DC2 and DC3, or depending on the load of
> the servers.
> 
> And for all servers above, NEVER add the own IP of an AD DC AND
> 127.0.0.1 in resolv.conf. But that should be obvious.
> 
> ---------------------------------
> 
> Since MS is changing a lot in security and I see lots of it pointing
> to FQDN and not single names like it used to before, it looks to me
> like using IP/hostname with FQDN is more correct, better resolving,
> fewer problems in the future.
> 
> The latest security fixes, Badlock things, GPO security fixes changed
> a lot to FQDN for authentication things (etc).
> 
> And I think this is one of the best tips for today..
> 
> Also set up what you prefer, IPv4 over IPv6, etc. The clients (Win7
> and Win10) ALWAYS prefer IPv6 over IPv4, thanks to MS. So I can
> suggest setting up a COMPUTER GPO and setting your preferences for
> the resolve order. I disabled all IPv6 components on my clients since
> I don't use it in my LAN.
> 
> Look here how to set it up (preferred):
> http://social.technet.microsoft.com/wiki/contents/articles/5927.how-to-disable-ipv6-through-group-policy.aspx
> 
> Or use: https://support.microsoft.com/en-us/kb/929852
> 
> Last to know, the above avoids DNS islanding in all cases.
> 
> Tell us your thoughts....
> 
> Greetz,
> 
> Louis
> 
> p.s.
> 
> Source referrals:
> 
> https://technet.microsoft.com/en-us/library/ff807362(v=ws.10).aspx
> https://support.microsoft.com/en-us/kb/275278
> http://social.technet.microsoft.com/wiki/contents/articles/5927.how-to-disable-ipv6-through-group-policy.aspx
> 


Not sure I agree with you Louis. The first of the last links you posted
seems to be discussing a Windows DNS server and contains a comment that
makes posting the second link a waste of time.

Also if I run on a DC: netstat -tulpn | grep ':53'

I get:

tcp        0      0 192.168.0.5:53          0.0.0.0:*               LISTEN      28589/named     
tcp        0      0 127.0.0.1:53            0.0.0.0:*               LISTEN      28589/named     
udp        0      0 192.168.0.5:53          0.0.0.0:*                           28589/named     
udp        0      0 127.0.0.1:53            0.0.0.0:*                           28589/named     

Which plainly shows that it is listening on both 192.168.0.5:53 and
127.0.0.1:53

Which to me means:

On a single Samba AD DC:

search <your dns domain>
DC_IP OR 127.0.0.1

With 2 DCs:

First DC:

search <your dns domain>
IP_OF_OTHER_DC
DC_IP OR 127.0.0.1

Second DC:

search <your dns domain>
IP_OF_OTHER_DC
DC_IP OR 127.0.0.1

Rowland
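The two posts above agree on one thing and differ on another: both put another DC before this DC's own address whenever a peer exists (so a reboot cannot leave the DC resolving only through itself), while Louis also objects to listing the own IP and 127.0.0.1 together. The checker below is an added example written for this page, not code from either poster or from the Samba project; it lints a DC's resolv.conf against those rules and against the glibc limit of three consulted nameserver lines. The addresses 192.168.0.5 / 192.168.0.6, the domain ad.example.com and the two sample files are constructed for the example.

```python
"""Added example: lint a Samba AD DC's resolv.conf against the ordering
rules discussed in the thread.  Not part of the mailing-list posts."""
import ipaddress
import re

MAXNS = 3  # the glibc stub resolver consults at most this many nameserver lines


def parse_resolv_conf(text):
    """Return (search_domains, nameservers) from resolv.conf text.

    Comments (# or ;) are stripped and unknown keywords are ignored.  As in
    glibc, the last 'search' or 'domain' line wins and replaces earlier ones."""
    search, nameservers = [], []
    for raw in text.splitlines():
        line = re.split(r"[#;]", raw, 1)[0].strip()
        if not line:
            continue
        key, *args = line.split()
        if key == "nameserver" and args:
            nameservers.append(args[0])
        elif key in ("search", "domain") and args:
            search = args
    return search, nameservers


def _norm(addr):
    """Canonical string form of an IP address, or None if it does not parse."""
    try:
        return str(ipaddress.ip_address(addr))
    except ValueError:
        return None


def check_dc_resolv(text, own_ip, other_dc_ips, ad_domain):
    """Return a list of (code, message) findings; an empty list means no issue.

    own_ip        - this DC's own address
    other_dc_ips  - addresses of the other DCs in the domain (may be empty)
    ad_domain     - the AD DNS domain that must be in the search list"""
    search, ns = parse_resolv_conf(text)
    findings = []

    wanted = ad_domain.lower().rstrip(".")
    if wanted not in (s.lower().rstrip(".") for s in search):
        findings.append(("no_search_domain",
                         f"search list {search} lacks AD domain {ad_domain}"))
    if not ns:
        findings.append(("no_nameserver", "no nameserver lines at all"))
        return findings

    own = _norm(own_ip)
    parsed = [(raw, _norm(raw)) for raw in ns]
    for raw, ip in parsed:
        if ip is None:
            findings.append(("bad_address", f"unparseable nameserver {raw!r}"))

    def is_self(ip):
        """True for this DC's own address or any loopback address (v4 or v6)."""
        return ip is not None and (ip == own or ipaddress.ip_address(ip).is_loopback)

    # Rule both posters share: with peers available, do not resolve through
    # yourself first, or a reboot can leave this DC unable to locate the others.
    if other_dc_ips and is_self(parsed[0][1]):
        findings.append(("self_first", f"first nameserver {ns[0]} is this DC itself"))

    # Only the first MAXNS lines are ever queried, so a peer listed later is invisible.
    active = {ip for _, ip in parsed[:MAXNS] if ip is not None}
    for dc in other_dc_ips:
        if _norm(dc) not in active:
            findings.append(("other_dc_missing",
                             f"DC {dc} is not among the first {MAXNS} nameservers"))
    if len(ns) > MAXNS:
        findings.append(("too_many",
                         f"{len(ns)} nameserver lines; only the first {MAXNS} are used"))

    # Louis's point: own IP plus 127.0.0.1 is the same server occupying two slots.
    self_entries = [raw for raw, ip in parsed if is_self(ip)]
    if len(self_entries) > 1:
        findings.append(("self_twice", f"this DC listed more than once: {self_entries}"))
    return findings


# Constructed samples for the second DC (192.168.0.6) of a two-DC domain whose
# first DC is 192.168.0.5; addresses and domain are invented for this example.
DC2_OWN_IP = "192.168.0.6"
OTHER_DCS = ["192.168.0.5"]
AD_DOMAIN = "ad.example.com"

RESOLV_OK = """search ad.example.com
nameserver 192.168.0.5   # DC1 first, as both posters recommend
nameserver 192.168.0.6
"""

RESOLV_ISLANDED = """search ad.example.com
nameserver 127.0.0.1     # resolves through itself first
nameserver 192.168.0.6   # own IP again: the same server twice, DC1 absent
"""

if __name__ == "__main__":
    for name, text in (("ok", RESOLV_OK), ("islanded", RESOLV_ISLANDED)):
        print(name, check_dc_resolv(text, DC2_OWN_IP, OTHER_DCS, AD_DOMAIN) or "no findings")
```

On a real DC the same function can be fed `open("/etc/resolv.conf").read()` together with the DC's own address and the peer list; a `self_first` or `other_dc_missing` finding is the configuration both posters warn about, and `too_many` catches the case where a peer was appended as a fourth line and is therefore never consulted.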


