[Samba] Samba4 DC with Secondary Questions

Rowland Penny rpenny at samba.org
Wed Jun 7 18:01:11 UTC 2017


On Wed, 7 Jun 2017 10:29:12 -0700
Nowell Morris via samba <samba at lists.samba.org> wrote:

> Hello all.
> 
> I am currently working on setting up an S4 domain to replace our aging
> samba 3 setup.  We have found many answers on the net, in various
> documentation, but when it comes to setting up beyond one node
> documentation becomes a little thinner.

Have you by any chance read the Samba wiki?
See here if you haven't:

https://wiki.samba.org/index.php/Main_Page

> 
> We are setting up a Primary DC with AD

No you aren't, you will set up your first DC ;-)

> , using BIND9_DLZ, also serving
> dhcp from Primary, 

This is documented on the Samba wiki.

> and we want to setup a Secondary

Again, no you don't, you want to set up another DC, all DCs are equal.

> that is both a
> DNS(bind9_dlz) slave 

All AD DCs (if they run a dns server) are authoritative, there are no
slave dns servers, or are you thinking of using bind with flat files? If
so, think again, the dns records go into AD.

>, a kerberos slave, and AD secondary. 

No such things.

> Our
> Secondary will be our file serve, and perhaps a third "member" as our
> cups server. 

You would probably be better running the third machine as a Unix domain
member, with this as a print and file server.

> We run no Windows in house, except on the desktop,
> hence the desire for a domain.  We have been using samba 3 with
> openldap for some years now and successfully sync with Google Apps
> for our mail.
> 
> My examples of hostnames in here and related are in my sandbox, so
> they are fun names :)
> 
> On to the questions.  I cannot seem to find a good answer to these.
> 
> First, When doing a join of the Secondary to the domain created by the
> Primary, (using this command):
> 
> samba-tool domain join hobbiton.shire.middleearth DC
> -U"HOBBITON\Administrator" --dns-backend=BIND9_DLZ --server
> bagend.shire.middleearth
> 
> does this type of join command automatically create this Secondary as
> kerberos slave?  

No, as I said above, all DCs are equal.

> The reason I want a slave is so that I have some
> redundancy in the network, where Primary (bagend) lives on one VM
> hypervisor, and Secondary (bywater) lives on a different VM
> Hypervisor. If this does not automatically create Secondary/bywater
> as a kerberos slave, are there any 'gotchas' I need to watch out for
> when I manually add this secondary as a kerberos slave?  Will doing
> so automatically update the domain?

All DCs replicate AD between themselves, so all DCs hold the same AD
records.

> 
> I wondered if during samba install through apt, dpkg prompts to know
> the kerberos realm, admin server, and 'space separated list' of
> kerberos servers.  Should I have designated during install that this
> would become a slave?  I know you guys are samba and not ubuntu
> support ;)  But I could not find anywhere on the net an example of
> anybody using more than just their kdc for this entry.

You do not set the kdc to do anything.

> 
> I have a lot of linux experience, but my AD knowledge is thin and
> mostly from a client perspective.

All the info you require is on the wiki, but if you don't understand
something, ask here.

> 
> Second big question: when you join (as in above example) and the
> Secondary becomes a domain secondary dc, how should I most
> appropriately update the bind zone files to designate that this
> secondary is also a NS name server? Or should I at all?

See this wiki page:

https://wiki.samba.org/index.php/Configure_DHCP_to_update_DNS_records_with_BIND9

> 
> I wasn't sure, so what I did do was extend my zone file by adding this
> as a second NS like this:
> 
> $ORIGIN shire.middleearth.
> $TTL 86400      ; 1 day
> 
> @       IN      SOA     bagend.shire.middleearth. root.bagend.shire.middleearth. (
>                         1706031458 ; serial YYMMDDHHmm
>                         5400       ; refresh (1 hour 30 minutes)
>                         1800       ; retry (30 minutes)
>                         1814400    ; expire (3 weeks)
>                         14400      ; minimum (4 hours)
>                         )
> 
> ; name server NS records and following A records
>         IN      NS      bagend.shire.middleearth.
>         IN      NS      bywater.shire.middleearth.
> 
> bagend.shire.middleearth.   IN      A       192.168.222.10
> bywater.shire.middleearth.  IN      A       192.168.222.11
> 
> 
> Did I do this correctly? 

No
 
> Should I have left it alone? 

Yes

> thoughts?  We
> will be using bind intentionally because we have about a dozen
> subnets in production that rely on existing DNS and future dns
> entries.  Resolution does work with this currently set as is, but I am
> asking if this is best practice.  I would rather not be bitten in the
> future because I did something unwise now.

If you have your own dns domain, you will need to make your AD dns
domain a sub domain of this, i.e. if your domain is 'example.com', your
AD domain should be something like 'ad.example.com'. Your AD clients
should be part of this dns domain.

Now awaiting lots of questions ;-)

Rowland
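The zone file quoted above, re-parsed as an added example that is not part of the thread: the checker confirms every NS listed for the zone has an A (glue) record in the same file, the one sanity check a hand-edited zone like this warrants (with BIND9_DLZ the AD zone's records live in AD, not in a flat file). The names and addresses are the poster's sandbox values, embedded here as constructed input.

```python
from collections import defaultdict

# Constructed input: the hand-edited zone from the thread, with the
# wrapped lines restored to one record per line.
ZONE = """\
$ORIGIN shire.middleearth.
$TTL 86400      ; 1 day
@   IN  SOA bagend.shire.middleearth. root.bagend.shire.middleearth. (
            1706031458 ; serial YYMMDDHHmm
            5400       ; refresh (1 hour 30 minutes)
            1800       ; retry (30 minutes)
            1814400    ; expire (3 weeks)
            14400      ; minimum (4 hours)
            )
    IN  NS  bagend.shire.middleearth.
    IN  NS  bywater.shire.middleearth.
bagend.shire.middleearth.   IN  A   192.168.222.10
bywater.shire.middleearth.  IN  A   192.168.222.11
"""

def parse_zone(text):
    """Return {(owner, rtype): [rdata token lists]} for a BIND zone file.
    Handles $ORIGIN, $TTL, ';' comments, '(' ... ')' multi-line records,
    relative owner names and a blank owner that inherits the previous one."""
    origin, last_owner, records = ".", None, defaultdict(list)
    pending, depth = [], 0
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].rstrip()      # drop comments
        if not line.strip():
            continue
        pending.append(line)
        depth += line.count("(") - line.count(")")
        if depth > 0:                             # still inside ( ... )
            continue
        tokens = " ".join(pending).replace("(", " ").replace(")", " ").split()
        owner_blank = pending[0][0].isspace()     # blank owner field?
        pending = []
        if tokens[0] == "$ORIGIN":
            origin = tokens[1]
            continue
        if tokens[0].startswith("$"):             # $TTL and other directives
            continue
        owner = last_owner if owner_blank else tokens.pop(0)
        if owner == "@":
            owner = origin
        elif not owner.endswith("."):
            owner = f"{owner}.{origin}"
        last_owner = owner
        while tokens[0].isdigit() or tokens[0].upper() in ("IN", "CH", "HS"):
            tokens.pop(0)                         # optional TTL and class
        records[(owner, tokens[0].upper())].append(tokens[1:])
    return dict(records)

def unglued_nameservers(records, zone):
    """NS targets for `zone` that have no A record in the same file."""
    return [ns[0] for ns in records.get((zone, "NS"), [])
            if (ns[0], "A") not in records]
```
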
