[Samba] samba ADDC dns setup? ( this is same for any MS server )

mathias dufresne infractory at gmail.com
Wed Aug 17 10:54:09 UTC 2016


I must remind you that the need of using another DC as first resolver is
due to a Microsoft bug which happens on MS Server until 2088R2; in MS Server
2012 (or AD 2012 perhaps, no real idea), this problem is solved.
On these systems AD was sending DNS requests to prepare the start up of AD
services, including the DNS service. So using localhost as resolver led to the
DNS service not being started, like the other services which depend on DNS (as most
AD services do).
The use of a second DC as first resolver makes the dumb MS Server receive
replies to startup DNS requests and then not waste time before running AD
services (I believe at one moment MS Servers were starting AD services
anyway).

I expect we are speaking here about Samba. Samba should have had that issue
too in older versions, that's not the case anymore. Samba is not MS'
implementation of AD and behaves differently in a lot of manners, including
that one.

On Samba there is no need to use another DC as first resolver with Bind_DLZ: Bind
does not care about availability of LDAP or AD, it starts, then if it can
it will talk with AD/LDAP to look into AD zones.
Samba can also start without issue without Bind started, I believe (not at
work right now to test). Without issue for starting; there would be some
issue serving incoming requests (at least DNS requests, as we are speaking
of a DC using itself as resolver with no DNS service started).

So the need of using another DC as first resolver is a purely Microsoft
question. Do it on MS Windows Servers running as AD DC, but bothering with that
on your Samba DC, that's useless.

Another thing which pushes me to use the local DC as local resolver is: when
adding a new DNS entry on DC1 (configured to use DC2 as first resolver) you
will need to wait until DC2 is synched with DC1 to see this change, this new
entry (without the synch done DC2 will reply there is no entry for that name
and the client won't ask the second resolver because the client would have
already received a reply (a not-found reply is a reply)).
With DC1 using DC1 as resolver, no need to wait for the synch.

My 2 cents, do what you like, we're speaking about free software, you're
free : )


2016-08-17 12:06 GMT+02:00 Rowland Penny via samba <samba at lists.samba.org>:

> On Wed, 17 Aug 2016 10:57:08 +0200
> "L.P.H. van Belle via samba" <samba at lists.samba.org> wrote:
>
> > Hai everyone.
> >
> > I know about the dns "things" in the past. DNS Islanding problems
> > etc.
> >
> > This one is a bit hijacking the subject :
> >
> > “Horrible BIND9_DLZ DNS breakage after DC replaced and samba-tool
> > domain demote --remove-other-dead-server”
> >
> > I would like to suggest a small change in how we suggest to setup
> > samba ADDC dns things,
> >
> > and i do think this helps in the setup of the AD DC, and reduces the
> > chance of errors.
> >
> > So this is what i suggest, and i explain why, so yeah.. long email
> > again, sorry about that.
> >
> > The loopback address ip should be configured only as a secondary or
> > tertiary DNS server on a domain controller.
> >
> > but in my opinion should be avoided at all times.
> >
> > I'll address 2 things here. Resolving (orders) and ipv4/ipv6
> > preferences.
> >
> > ---------------------
> >
> > In a single ADDC server setup, resolv.conf suggestions.
> >
> > search ad-dc-subdom.domain.tld ( and maybe others to search.)
> > nameserver IP_OF_DC_AND_NOT_127.0.0.1
> >
> > Only now a localhost ip is optional here but i dont suggest it,
> > when you later add a DC and you move the FSMO roles, this can be a
> > problem.
> >
> > Why, simple: we forget to change it when needed if we add a dc,
> > or change FSMO roles to other servers.
> > At least this happens, you reboot and you have a dns problem.
> >
> > ---------------------
> >
> > In a 2 server ADDC server setup
> >
> > First Server. ( ADDC with fsmo roles and primary dns zones )
> >
> > search ad-dc-subdom.domain.tld ( and maybe others to search.)
> > nameserver IP_OF_DC1_AND_NOT_127.0.0.1
> > ( and later (optional) add DC2 ip. )
> >
> > DONT CHANGE THE ORDER HERE. First DC1 then DC2.
> >
> > Note : any server should always resolve first to the ADDC dns which
> > contains the domain controller locator CNAME record for all the other
> > domain controllers in the root.
> >
> > Second ADDC Server.
> >
> > search ad-dc-subdom.domain.tld ( and maybe others to search.)
> > nameserver IP_OF_DC1_AND_NOT_127.0.0.1
> > nameserver IP_OF_DC2_AND_NOT_127.0.0.1
> >
> > ---------------------
> >
> > In a 3 DC server setup, or more.
> >
> > First Server. ( primary with fsmo roles )
> >
> > search ad-dc-subdom.domain.tld ( and maybe others to search.)
> > nameserver IP_OF_DC1_AND_NOT_127.0.0.1
> > ( optional add DC2 and/or DC3 IP)
> >
> > Second ADDC Server.
> >
> > search ad-dc-subdom.domain.tld ( and maybe others to search.)
> > nameserver IP_OF_DC1_AND_NOT_127.0.0.1
> > nameserver IP_OF_DC3_AND_NOT_127.0.0.1
> > (optional nameserver IP_OF_THIS_ADDC_OR_127.0.0.1)
> >
> > Third ADDC Server.
> >
> > search ad-dc-subdom.domain.tld ( and maybe others to search.)
> > nameserver IP_OF_DC1
> > nameserver IP_OF_DC2
> > (optional nameserver IP_OF_THIS_ADDC_OR_127.0.0.1)
> >
> > IF you have the room for it, a 3 DC setup is the best.
> > For the clients, point to DC2 and DC3, or depending on load of the
> > servers.
> >
> > And for all servers above, NEVER add the own ip of an ADDC AND
> > 127.0.0.1 in resolv.conf.
> > But that should be obvious.
> >
> > ---------------------------------
> >
> > Since MS is changing a lot in security and i see lots of it pointing
> > to FQDN and not single names like it used to before, it looks to me that using
> > ip/hostname with FQDN is more correct, better resolving, less problems
> > in the future.
> > Latest security fixes, badlock things, GPO security fixes changed a
> > lot to FQDN for authentication things (etc).
> >
> > And i think this is one of the best tips for today..
> > Also setup what you prefer, IPV4 over IPV6, etc, the clients (win7
> > and win10)
> > ALWAYS prefer ipv6 over ipv4. thanks to MS.
> > So i can suggest setup a COMPUTER GPO and setup your preferences for
> > the resolve order.
> > I disabled all IPv6 components on my clients since i dont use it in
> > my lan.
> >
> > Look here howto setup.  ( preferred )
> > http://social.technet.microsoft.com/wiki/contents/articles/5927.how-to-disable-ipv6-through-group-policy.aspx
> >
> > Or use : https://support.microsoft.com/en-us/kb/929852
> >
> > Last to know, above avoids DNS islanding in all cases.
> >
> > Tell us your thoughts....
> >
> > Greetz,
> >
> > Louis
> >
> > p.s.
> >
> > source reverals :
> > https://technet.microsoft.com/en-us/library/ff807362(v=ws.10).aspx
> > https://support.microsoft.com/en-us/kb/275278
> > http://social.technet.microsoft.com/wiki/contents/articles/5927.how-to-disable-ipv6-through-group-policy.aspx
> >
>
>
> Not sure I agree with you Louis. The first of the last links you posted
> seems to be discussing a Windows DNS server and contains a comment that
> makes posting the second link a waste of time.
>
> Also if I run on a DC: netstat -tulpn | grep ':53'
>
> I get:
>
> tcp        0      0 192.168.0.5:53          0.0.0.0:*               LISTEN      28589/named
> tcp        0      0 127.0.0.1:53            0.0.0.0:*               LISTEN      28589/named
> udp        0      0 192.168.0.5:53          0.0.0.0:*                           28589/named
> udp        0      0 127.0.0.1:53            0.0.0.0:*                           28589/named
>
> Which plainly shows that it is listening on both 192.168.0.5:53 and
> 127.0.0.1:53
>
> Which to me means:
>
> On a single Samba AD DC:
>
> search <your dns domain>
> DC_IP OR 127.0.0.1
>
> With 2 DCs:
>
> First DC:
>
> search <your dns domain>
> IP_OF_OTHER_DC
> DC_IP OR 127.0.0.1
>
> Second DC:
>
> search <your dns domain>
> IP_OF_OTHER_DC
> DC_IP OR 127.0.0.1
>
> Rowland
>
>
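The thread has two points worth seeing in code: Louis's and Rowland's resolv.conf layouts, and Mathias's observation that a not-found reply from the first resolver is a final answer, so a DC that points at another DC first will not see its own freshly added record until replication has run. The block below is an added example for this page, not Samba code and not code from any poster. It parses a resolv.conf, flags the things both sides of the thread agree on (listing the DC's own IP and 127.0.0.1 is redundant, since Rowland's netstat shows the same named on both), and models a glibc-style stub resolver in simplified form (first answer wins, negative answers included; only a non-responding server moves the query to the next nameserver; at most three nameservers are used; `options rotate`, timeouts and retries are not modelled). The IP 192.168.0.5 comes from Rowland's output; 192.168.0.6, 192.168.0.50, the zone `ad.example.test` and all record data are constructed for the example.

```python
"""Added example for the thread above (not Samba code, not code from any poster).

Two things are modelled:
  * parse_resolv_conf / audit_resolv_conf: read a resolv.conf and apply the
    rules both sides of the thread agree on.
  * stub_resolve / replication_lag_demo: a simplified glibc-style stub
    resolver, used to show why DC1 pointing at DC2 first gets "not found"
    for a record that has not yet replicated from DC1 to DC2.
All hosts, IPs and zone contents below are constructed for illustration.
"""
from dataclasses import dataclass

LOOPBACK = "127.0.0.1"
GLIBC_MAXNS = 3  # glibc's resolver only uses the first three nameserver lines


def parse_resolv_conf(text):
    """Return (search_domains, nameservers) from resolv.conf text."""
    search, nameservers = [], []
    for raw in text.splitlines():
        # '#' and ';' start comments in resolv.conf
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()
        if not line:
            continue
        key, _, rest = line.partition(" ")
        args = rest.split()
        if key == "search":
            search = args  # a later 'search' line replaces an earlier one
        elif key == "nameserver" and args:
            nameservers.append(args[0])
    return search, nameservers


def audit_resolv_conf(text, own_ip):
    """Findings for a DC's resolv.conf; an empty list means nothing to flag."""
    _, nameservers = parse_resolv_conf(text)
    findings = []
    if not nameservers:
        findings.append("no nameserver configured")
    if own_ip in nameservers and LOOPBACK in nameservers:
        # Rowland's netstat: the same named listens on both addresses
        findings.append("own IP and 127.0.0.1 both listed (same named, wasted slot)")
    if len(nameservers) > GLIBC_MAXNS:
        findings.append("more than %d nameservers: the rest are ignored" % GLIBC_MAXNS)
    if own_ip not in nameservers and LOOPBACK not in nameservers:
        # Mathias's point: without itself in the list, new records wait for sync
        findings.append("DC does not list itself: new records wait for replication")
    return findings


@dataclass
class FakeDC:
    """Stand-in for one DC's DNS view (what BIND_DLZ would answer from AD)."""
    ip: str
    zone: dict  # name -> IP; constructed data
    up: bool = True


def stub_resolve(name, nameservers, dcs, local_ip):
    """Query nameservers in resolv.conf order.

    Like glibc, the first server that answers decides the result, and a
    negative answer (modelled here as None) is an answer; only a server that
    does not respond at all causes a move to the next nameserver.
    """
    for ns in nameservers[:GLIBC_MAXNS]:
        dc = dcs.get(local_ip if ns == LOOPBACK else ns)
        if dc is None or not dc.up:
            continue  # timeout: fall through to the next nameserver
        return dc.zone.get(name)
    raise TimeoutError("no nameserver answered for %s" % name)


def replication_lag_demo():
    """Mathias's scenario: a record added on DC1 before DC2 has replicated it."""
    dc1 = FakeDC("192.168.0.5", {
        "dc1.ad.example.test": "192.168.0.5",
        "newhost.ad.example.test": "192.168.0.50",  # just added on DC1
    })
    dc2 = FakeDC("192.168.0.6", {"dc1.ad.example.test": "192.168.0.5"})  # not yet synced
    dcs = {dc1.ip: dc1, dc2.ip: dc2}
    name = "newhost.ad.example.test"
    return {
        # Rowland's layout on DC1: the other DC first, then itself
        "other_dc_first": stub_resolve(name, [dc2.ip, LOOPBACK], dcs, dc1.ip),
        # Mathias's layout on DC1: itself first, the other DC as fallback
        "self_first": stub_resolve(name, [dc1.ip, dc2.ip], dcs, dc1.ip),
    }


if __name__ == "__main__":
    sample = "search ad.example.test\nnameserver 192.168.0.5\nnameserver 127.0.0.1\n"
    print(audit_resolv_conf(sample, "192.168.0.5"))
    print(replication_lag_demo())
```

`replication_lag_demo()` returns `None` (not found) for the other-DC-first layout and `192.168.0.50` for the self-first layout, which is exactly the behaviour Mathias describes; the self-first layout still falls through to DC2 when the local named is down, because a timeout, unlike a negative answer, does move the resolver on. The audit deliberately does not take sides on which DC goes first, since the thread does not settle that; it only flags what both posters agree is wrong.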

