[Samba] Recommended DNS configuration on Domain Controllers causes share by IP name to fail

lingpanda101 lingpanda101 at gmail.com
Wed Nov 30 14:21:05 UTC 2016


On 11/30/2016 8:09 AM, Rowland Penny via samba wrote:
> On Wed, 30 Nov 2016 13:17:18 +0100
> Izan Díez Sánchez via samba <samba at lists.samba.org> wrote:
>
>> Hi,
>>
>> Following DNS configuration of multiple DCs recommended on the wiki
>> https://wiki.samba.org/index.php/Joining_a_Samba_DC_to_an_Existing_Active_Di
>> rectory#DNS_Configuration_on_Domain_Controllers , clients are unable
>> to open windows shares based on the server IP, for example
>> \\133.1.1.24 . However they work fine opening either the netbios name
>> or the DNS name, for example \\FILESERVER1 or
>> \\FILESERVER1.domain.local
>>
>> Here it is what the article says:
>>
>> ------------------------------------------------------------------
>> DNS Configuration on Domain Controllers
>>
>> The DNS configuration on domain controllers (DC) is important,
>> because if it is unable to locate other DCs the replication will
>> fail. The following is a best practice for DNS configuration on
>> domain controllers (DC): Set the local IP of a DC as secondary or
>> tertiary nameserver entry in its /etc/resolv.conf file and use a
>> different Active Directory (AD) DNS server IP from the forest as
>> primary name server. For example: On the new joined DC, use the
>> 10.99.0.1 IP of the existing DC as primary and the local 10.99.0.2 IP
>> as secondary nameserver entry: nameserver 10.99.0.1
>> nameserver 10.99.0.2       # IP of the new joined DC as secondary
>> entry search samdom.example.com
>> If you are running more than two DCs, you can configure the IPs in
>> crosswise direction.
>> ------------------------------------------------------------------
>>
>> This only occurs with Windows File Servers and never with other Samba
>> members of the AD. If tried to access via the graphical interface the
>> explorer just takes forever and hangs. The following error is thrown
>> in the command line:
>>
>> C:\Users\ids>net view \\133.1.1.24
>> System error 53.
>>
>> The network path was not found.
>>
>>
>> Changing the configuration of /etc/resolv.conf to the following:
>>
>> nameserver 10.99.0.2 	# IP of the new joined DC as secondary
>> entry nameserver 10.99.0.1
>> search samdom.example.com
>>
>> That is, always the first name server as itself in every DC of the
>> domain. Makes the shares referred as the IP to work as expected. I
>> tested in a pure Windows AD and this is the normal behavior.
>>
>> It seems that is some kind of dns query loop trying to do the reverse
>> name resolution, but I wasn’t able to debug further.
>>
>> Has anyone experienced something similar?
> I am now beginning to think the wiki is wrong. The new DC needs to
> point to an existing DC during the join, this way it will replicate
> correctly, but once the replication has occurred, it should point to
> its own IP.
>
> The wiki was written the way it is because of concerns over
> 'islanding', I do not think this is a real concern, because every DC
> holds all the domain DNS records and should be able to find any other
> machine in the domain.
>
> Rowland
>
>     
>
>

I think the wiki is correct but see comment below.

     I don't believe islanding to be a big concern either but what about 
the possibility of a "race condition" between DNS and AD? In a Microsoft 
environment, AD has the possibility of starting first before DNS has 
started. This of course creates failure in name resolution during boot. 
Is this a concern using Bind or Samba internal DNS?  If not then I see 
no issue setting a DC to itself as a primary DNS server.

-- 
- James




More information about the samba mailing list