[Samba] samba ADDC dns setup? ( this is same for any MS server )
Rowland Penny
rpenny at samba.org
Wed Aug 17 10:06:16 UTC 2016
On Wed, 17 Aug 2016 10:57:08 +0200
"L.P.H. van Belle via samba" <samba at lists.samba.org> wrote:
> Hai everyone.
>
> I know about the dns "things" in the past. DNS Islanding problems
> etc.
>
> This one is a bit hijacking the subject :
>
> “Horrible BIND9_DLZ DNS breakage after DC replaced and samba-tool
> domain demote --remove-other-dead-server”
>
> I would like to suggest a small change in how we suggest to setup
> samba ADDC dns things,
> and i do think this helps in the setup of the AD DC, and reduces the
> chance of errors.
>
> So this is what i suggest, and i explain why, so yeah.. long email
> again, sorry about that.
>
> The loopback address ip should be configured only as a secondary or
> tertiary DNS server on a domain controller,
> but in my opinion should be avoided at all times.
>
> I’ll address 2 things here. Resolving (orders) and ipv4/ipv6
> preferences.
>
> ---------------------
>
> In a single ADDC server setup, resolv.conf suggestions.
>
> search ad-dc-subdom.domain.tld ( and maybe others to search.)
> nameserver IP_OF_DC_AND_NOT_127.0.0.1
>
> Only now a localhost ip is optional here but i dont suggest it,
> when you later add a DC and you move the FSMO roles, this can be a
> problem.
>
> Why, simple, we forget to change it when needed if we add a dc,
> or change FSMO roles to other servers.
> At least this happens, you reboot and you have a dns problem.
>
> ---------------------
>
> In a 2 server ADDC server setup
>
> First Server. ( ADDC with fsmo roles and primary dns zones )
>
> search ad-dc-subdom.domain.tld ( and maybe others to search.)
> nameserver IP_OF_DC1_AND_NOT_127.0.0.1
> ( and later (optional) add DC2 ip. )
>
> DONT CHANGE THE ORDER HERE. First DC1 then DC2.
>
> Note : any server should always resolve first to the ADDC dns which
> contains the domain controller locator CNAME records for all the other
> domain controllers in the root.
>
> Second ADDC Server.
>
> search ad-dc-subdom.domain.tld ( and maybe others to search.)
> nameserver IP_OF_DC1_AND_NOT_127.0.0.1
> nameserver IP_OF_DC2_AND_NOT_127.0.0.1
>
> ---------------------
>
> In a 3 DC server setup, or more.
>
> First Server. ( primary with fsmo roles )
>
> search ad-dc-subdom.domain.tld ( and maybe others to search.)
> nameserver IP_OF_DC1_AND_NOT_127.0.0.1
> ( optional add DC2 and/or DC3 IP)
>
> Second ADDC Server.
>
> search ad-dc-subdom.domain.tld ( and maybe others to search.)
> nameserver IP_OF_DC1_AND_NOT_127.0.0.1
> nameserver IP_OF_DC3_AND_NOT_127.0.0.1
> (optional nameserver IP_OF_THIS_ADDC_OR_127.0.0.1)
>
> Third ADDC Server.
>
> search ad-dc-subdom.domain.tld ( and maybe others to search.)
> nameserver IP_OF_DC1
> nameserver IP_OF_DC2
> (optional nameserver IP_OF_THIS_ADDC_OR_127.0.0.1)
>
> IF you have the room for it, a 3 DC setup is the best.
> For the clients, point to DC2 and DC3, or depending on load of the
> servers.
>
> And for all servers above, NEVER add the own ip of an ADDC AND
> 127.0.0.1 in resolv.conf.
> But that should be obvious.
>
> ---------------------------------
>
> Since MS is changing a lot in security and i see lots of it pointing
> to FQDN and not single names like it used to before, so it looks to me
> that using ip/hostname with FQDN is more correct, better resolving,
> less problems in the future.
> Latest security fixes, badlock things, GPO security fixes changed a
> lot to FQDN for authentication things (etc).
>
> And i think this is one of the best tips for today..
> Also setup what you prefer, IPV4 over IPV6, etc, the clients (win7
> and win10)
> ALWAYS prefer ipv6 over ipv4. thanks to MS.
> So i can suggest setup a COMPUTER GPO and setup your preferences for
> the resolve order.
> I disabled all IPv6 components on my clients since i dont use it in
> my lan.
>
> Look here howto setup. ( preferred )
> http://social.technet.microsoft.com/wiki/contents/articles/5927.how-to-disable-ipv6-through-group-policy.aspx
>
> Or use : https://support.microsoft.com/en-us/kb/929852
>
> Last to know, the above avoids DNS islanding in all cases.
>
> Tell us your thoughts....
>
> Greetz,
>
> Louis
>
> p.s.
>
> source referrals :
> https://technet.microsoft.com/en-us/library/ff807362(v=ws.10).aspx
> https://support.microsoft.com/en-us/kb/275278
> http://social.technet.microsoft.com/wiki/contents/articles/5927.how-to-disable-ipv6-through-group-policy.aspx
>
Not sure I agree with you Louis, the first of the last links you posted
seems to be discussing a windows dns server and contains a comment that
makes posting the second link a waste of time.

Also if I run on a DC: netstat -tulpn | grep ':53'
I get:

tcp 0 0 192.168.0.5:53 0.0.0.0:* LISTEN 28589/named
tcp 0 0 127.0.0.1:53 0.0.0.0:* LISTEN 28589/named
udp 0 0 192.168.0.5:53 0.0.0.0:* 28589/named
udp 0 0 127.0.0.1:53 0.0.0.0:* 28589/named

Which plainly shows that it is listening on both 192.168.0.5:53 and
127.0.0.1:53

Which to me means:

On a single Samba AD DC:
search <your dns domain>
DC_IP OR 127.0.0.1

With 2 DCs:

First DC:
search <your dns domain>
IP_OF_OTHER_DC
DC_IP OR 127.0.0.1

Second DC:
search <your dns domain>
IP_OF_OTHER_DC
DC_IP OR 127.0.0.1

Rowland
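The resolv.conf layouts in both posts can be checked mechanically. The following Python is an added example, not code from the Samba project or from either poster. It parses a DC's resolv.conf and reports the points the two posts agree on: when another DC exists it is listed before this one, and the DC's own address and 127.0.0.1 are not both listed (they reach the same named, as the netstat output above shows). It also flags nameservers that are not DCs, since a non-AD resolver cannot serve the AD zone, and more than three entries, because the glibc resolver only consults the first three. The IP addresses, the search domain, and the check_dc_resolv_conf function and its arguments are this example's own constructions.

```python
"""Lint a Samba AD DC's /etc/resolv.conf against the points made in the
thread above. Added example, not from the Samba project or either poster;
all addresses and names below are constructed placeholders."""
import ipaddress
from dataclasses import dataclass, field

MAXNS = 3  # the glibc resolver uses at most three nameserver entries


@dataclass
class ResolvConf:
    search: list = field(default_factory=list)
    nameservers: list = field(default_factory=list)
    options: list = field(default_factory=list)


def parse_resolv_conf(text):
    """Parse resolv.conf text. '#' and ';' start a comment (this checker strips
    them anywhere on the line); 'domain' is the older one-entry form of
    'search'; a later 'search' line replaces an earlier one."""
    conf = ResolvConf()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()
        if not line:
            continue
        key, *args = line.split()
        if key in ("search", "domain"):
            conf.search = args
        elif key == "nameserver" and args:
            conf.nameservers.append(args[0])
        elif key == "options":
            conf.options.extend(args)
    return conf


def check_dc_resolv_conf(text, own_ips, other_dc_ips):
    """Return a list of findings (strings) for one DC's resolv.conf.

    own_ips: this DC's addresses.  other_dc_ips: the other DCs' addresses.
    An empty list means the file matches what both posts recommend."""
    conf = parse_resolv_conf(text)
    findings = []
    if not conf.search:
        findings.append("no search domain; short names will not resolve in the AD zone")
    if not conf.nameservers:
        findings.append("no nameserver entries")
        return findings

    # Classify each entry: this DC itself (loopback or own IP), another DC, or unknown.
    self_entries, loopback, own = [], [], []
    for ns in conf.nameservers:
        try:
            addr = ipaddress.ip_address(ns)
        except ValueError:
            findings.append(f"nameserver {ns!r} is not an IP address")
            continue
        if addr.is_loopback:
            loopback.append(ns)
            self_entries.append(ns)
        elif ns in own_ips:
            own.append(ns)
            self_entries.append(ns)
        elif ns not in other_dc_ips:
            findings.append(f"nameserver {ns} is not a known DC; it cannot serve the AD zone")

    if loopback and own:
        findings.append("both own IP and loopback listed; they reach the same named, list one")
    if other_dc_ips and conf.nameservers[0] in self_entries:
        findings.append("this DC is the first nameserver; another DC exists and should come first")
    if other_dc_ips and not any(ns in other_dc_ips for ns in conf.nameservers):
        findings.append("no other DC listed; if the local named is down there is no fallback")
    if len(conf.nameservers) > MAXNS:
        findings.append(f"{len(conf.nameservers)} nameservers listed; only the first {MAXNS} are used")
    return findings


# Constructed sample inputs for a three-DC domain; DC2 (192.0.2.11) is "this" DC.
OWN = ["192.0.2.11"]
OTHERS = ["192.0.2.10", "192.0.2.12"]

DC2_GOOD = """\
search ad.example.test
nameserver 192.0.2.10   # DC1, holds the FSMO roles
nameserver 192.0.2.12   # DC3
nameserver 127.0.0.1    # this DC, listed last
"""

DC2_BAD = """\
nameserver 127.0.0.1
nameserver 192.0.2.11
nameserver 192.0.2.10
nameserver 192.0.2.12
"""

if __name__ == "__main__":
    for label, text in (("good", DC2_GOOD), ("bad", DC2_BAD)):
        print(label, check_dc_resolv_conf(text, OWN, OTHERS) or ["ok"])
```

To run it against a live DC, read /etc/resolv.conf into `text` and pass the DC's interface addresses and the other DCs' addresses; the finding about a non-DC nameserver is the one that most often explains a "works until reboot" DNS problem like the one Louis describes.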