[Samba] Samba4 DC with Secondary Questions

Nowell Morris nowell29 at gmail.com
Wed Jun 7 22:47:31 UTC 2017


Rowland,  thank you for the reply.

I must have misstated.  We have successfully set up our first DC.  It works
great with DHCP and BIND9_DLZ and updates nicely as it is designed to,
Kerberos and all.

The question is about the second server.  Perhaps MY understanding of what
I have read on the samba wiki, and others, is different than actual
reality.  http://bit.ly/2r3IOjt   ;)

Perhaps if I show you the information I have gathered it will help you
understand what I am asking.

I have written these couple of wiki pages to help me keep track.  I have gone
through the steps and ironed out most of the bugs.  I CAN follow these
steps repeatedly to have functioning DCs, functioning Kerberos, and
functioning DNS.  I am just not sure that I have done it as best practice.
The 'second' server is also up, but I am not sure it is as it ought to be.

Please be gentle in your review :)
http://wiki.nowell29.com/w/index.php/Samba_Setup

I am confident on what I am calling my 'Primary', but not as confident on
what I call my 'secondary'.

--
Nowell Morris
nowell29 at gmail.com
480-255-3491

On Wed, Jun 7, 2017 at 11:01 AM, Rowland Penny via samba <
samba at lists.samba.org> wrote:

> On Wed, 7 Jun 2017 10:29:12 -0700
> Nowell Morris via samba <samba at lists.samba.org> wrote:
>
> > Hello all.
> >
> > I am currently working on setting an S4 domain to replace our aging
> > samba 3 setup.  We have found many answers on the net, in various
> > documentation, but when it comes to setting up beyond one node
> > documentation becomes a little thinner.
>
> Have you by any chance read the Samba wiki ?
> See here if you haven't:
>
> https://wiki.samba.org/index.php/Main_Page
> >
> > We are setting up a Primary DC with AD
>
> No you aren't, you will set up your first DC ;-)
>
> > , using BIND9_DLZ, also serving
> > dhcp from Primary,
>
> This is documented on the Samba wiki.
>
> > and we want to setup a Secondary
>
> Again, no you don't, you want to set up another DC, all DCs are equal.
>
> > that is both a
> > DNS(bind9_dlz) slave
>
> All AD DCs (if they run a dns server) are authoritative, there are no
> slave dns servers, or are you thinking of using bind with flatfiles ? If
> so, think again, the dns records go into AD.
>
> >, a kerberos slave, and AD secondary.
>
> No such things.
>
> > Our
> > Secondary will be our file server, and perhaps a third "member" as our
> > cups server.
>
> You would probably be better running the third machine as a Unix domain
> member, with this as a print and file server.
>
> > We run no Windows in house, except on the desktop,
> > hence the desire for a domain.  We have been using samba 3 with
> > openldap for some years now and successfully sync with Google Apps
> > for our mail.
> >
> > My examples of hostnames in here and related are in my sandbox, so
> > they are fun names :)
> >
> > On to the questions.  I cannot seem to find a good answer to these.
> >
> > First, When doing a join of the Secondary to the domain created by the
> > Primary, (using this command):
> >
> > samba-tool domain join hobbiton.shire.middleearth DC
> > -U"HOBBITON\Administrator" --dns-backend=BIND9_DLZ --server
> > bagend.shire.middleearth
> >
> > does this type of join command automatically create this Secondary as a
> > kerberos slave?
>
> No, as I said above, all DCs are equal.
>
> > The reason I want a slave is so that I have some
> > redundancy in the network, where Primary (bagend) lives on one VM
> > hypervisor, and Secondary (bywater) lives on a different VM
> > Hypervisor. If this does not automatically create Secondary/bywater
> > as a kerberos slave, are there any 'gotchas' I need to watch out for
> > when I manually add this secondary as a kerberos slave?  Will doing
> > so automatically update the domain?
>
> All DCs replicate AD between themselves, so all DCs hold the same AD
> records.
>
> >
> > I wondered if during samba install through apt, dpkg prompts to know
> > the kerberos realm, admin server, and 'space separated list' of
> > kerberos servers.  Should I have designated during install that this
> > would become a slave?  I know you guys are samba and not ubuntu
> > support ;)  But I could not find anywhere on the net an example of
> > anybody using more than just their kdc for this entry.
>
> You do not set the kdc to do anything.
>
> >
> > I have a lot of linux experience, but my AD knowledge is thin and
> > mostly from a client perspective.
>
> All the info you require is on the wiki, but if you don't understand
> something, ask here.
>
> >
> > Second big question, When you join (as in above example) and the
> > Secondary becomes a domain secondary dc, how should I most
> > appropriately update the bind zone files to designate that this
> > secondary is also a NS name server? Or should I at all?
>
> See this wiki page:
>
> https://wiki.samba.org/index.php/Configure_DHCP_to_update_DNS_records_with_BIND9
>
> >
> > I wasn't sure so what I did do was extend my zone file by adding this
> > as a second NS like this:
> >
> > $ORIGIN shire.middleearth.
> > $TTL 86400      ; 1 day
> >
> > @             IN              SOA     bagend.shire.middleearth. root.bagend.shire.middleearth. (
> >                                 1706031458   ; serial YYMMDDHHmm
> >                                 5400       ; refresh (1 hour 30 minutes)
> >                                 1800       ; retry (30 minutes)
> >                                 1814400    ; expire (3 weeks)
> >                                 14400      ; minimum (4 hours)
> >                                 )
> >
> > ; name server NS record and following A record
> >                                     IN        NS      bagend.shire.middleearth.
> >                                     IN        NS      bywater.shire.middleearth.
> >
> > bagend.shire.middleearth.           IN        A       192.168.222.10
> > bywater.shire.middleearth.          IN        A       192.168.222.11
> >
> >
> > Did I do this correctly?
>
> No
>
> > Should I have left it alone?
>
> Yes
>
> > thoughts?  We
> > will be using bind intentionally because we have about a dozen
> > subnets in production that rely on existing DNS and future dns
> > entries.  Resolutions do work with this currently set as is, but I am
> > asking if this is best practice.  I would rather not be bitten in the
> > future because I did something unwise now.
>
> If you have your own dns domain, you will need to make your AD dns
> domain a sub domain of this, i.e. if your domain is 'example.com', your
> AD domain should be something like 'ad.example.com'. Your AD clients
> should be part of this dns domain.
>
> Now awaiting lots of questions ;-)
>
> Rowland
>
>
>
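Rowland's point that "all DCs replicate AD between themselves" is something an operator can verify rather than assume once the second DC has joined: `samba-tool drs showrepl` on each DC lists its inbound and outbound replication partners per naming context, with the result of the last attempt and a consecutive-failure counter. The script below is an added example written for this thread, not code from either poster or from the Samba project. It parses a constructed sample in the shape that command prints (an assumption; exact wording varies between Samba versions), reports partitions whose last replication attempt failed or whose failure counter is non-zero, and checks that every DC you expect (here bagend, seen from bywater) actually appears as a partner. The error code and GUIDs in the sample are illustrative values, not taken from the thread.

```python
import re
from dataclasses import dataclass
from typing import List, Set

# Constructed sample in the shape `samba-tool drs showrepl` prints on a DC.
# Assumption: real output may differ slightly by version. Hostnames follow the
# thread (bywater as the second DC, bagend as its partner); GUIDs and the
# failure result are made-up illustrative values.
SAMPLE_SHOWREPL = """\
Default-First-Site-Name\\BYWATER
DSA Options: 0x00000001
DSA object GUID: 11111111-2222-3333-4444-555555555555
DSA invocationId: 66666666-7777-8888-9999-000000000000

==== INBOUND NEIGHBORS ====

DC=shire,DC=middleearth
\tDefault-First-Site-Name\\BAGEND via RPC
\t\tDSA object GUID: aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee
\t\tLast attempt @ Wed Jun  7 22:40:01 2017 UTC was successful
\t\t0 consecutive failure(s).
\t\tLast success @ Wed Jun  7 22:40:01 2017 UTC

DC=DomainDnsZones,DC=shire,DC=middleearth
\tDefault-First-Site-Name\\BAGEND via RPC
\t\tDSA object GUID: aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee
\t\tLast attempt @ Wed Jun  7 22:40:01 2017 UTC failed, result 8453 (WERR_DS_DRA_ACCESS_DENIED)
\t\t3 consecutive failure(s).
\t\tLast success @ Wed Jun  7 20:10:12 2017 UTC

==== OUTBOUND NEIGHBORS ====

DC=shire,DC=middleearth
\tDefault-First-Site-Name\\BAGEND via RPC
\t\tDSA object GUID: aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee
\t\tLast attempt @ Wed Jun  7 22:41:30 2017 UTC was successful
\t\t0 consecutive failure(s).
\t\tLast success @ Wed Jun  7 22:41:30 2017 UTC

==== KCC CONNECTION OBJECTS ====
"""


@dataclass
class Neighbor:
    direction: str   # "INBOUND" or "OUTBOUND"
    partition: str   # naming context, e.g. DC=shire,DC=middleearth
    peer: str        # site\DC of the replication partner
    last_ok: bool    # whether the last replication attempt succeeded
    failures: int    # consecutive failure count reported by samba-tool
    detail: str      # error text of the last failed attempt, if any


SECTION_RE = re.compile(r"^==== (INBOUND|OUTBOUND) NEIGHBORS ====$")
PEER_RE = re.compile(r"^\t(\S+) via \S+$")
ATTEMPT_RE = re.compile(r"^\t\tLast attempt @ .+? UTC (was successful|failed, (.*))$")
FAIL_RE = re.compile(r"^\t\t(\d+) consecutive failure\(s\)\.$")


def parse_showrepl(text: str) -> List[Neighbor]:
    """Turn showrepl output into one Neighbor per (direction, partition, peer)."""
    neighbors: List[Neighbor] = []
    direction = None
    partition = ""
    current = None
    for line in text.splitlines():
        m = SECTION_RE.match(line)
        if m:
            direction = m.group(1)
            continue
        if line.startswith("===="):   # any other section ends neighbour parsing
            direction = None
            continue
        if direction is None or not line.strip():
            continue
        if not line.startswith("\t"):  # column-0 line names the partition
            partition = line.strip()
            continue
        m = PEER_RE.match(line)
        if m:
            current = Neighbor(direction, partition, m.group(1), True, 0, "")
            neighbors.append(current)
            continue
        if current is None:
            continue
        m = ATTEMPT_RE.match(line)
        if m:
            current.last_ok = m.group(1) == "was successful"
            current.detail = m.group(2) or ""
            continue
        m = FAIL_RE.match(line)
        if m:
            current.failures = int(m.group(1))
    return neighbors


def replication_problems(neighbors: List[Neighbor], max_failures: int = 0) -> List[str]:
    """Partitions whose last attempt failed or whose failure counter exceeds the threshold."""
    return [
        f"{n.direction} {n.partition} from {n.peer}: {n.failures} failure(s), "
        f"{n.detail or 'last attempt ok'}"
        for n in neighbors
        if not n.last_ok or n.failures > max_failures
    ]


def missing_partners(neighbors: List[Neighbor], expected: Set[str]) -> Set[str]:
    """DCs you expect to replicate with that never appear as a partner."""
    return expected - {n.peer for n in neighbors}


if __name__ == "__main__":
    found = parse_showrepl(SAMPLE_SHOWREPL)
    for problem in replication_problems(found):
        print("PROBLEM:", problem)
    for dc in missing_partners(found, {"Default-First-Site-Name\\BAGEND"}):
        print("MISSING PARTNER:", dc)
```

In practice you would feed `subprocess.run(["samba-tool", "drs", "showrepl"], capture_output=True, text=True).stdout` to `parse_showrepl` on each DC and run it on both, since replication is per partner and per direction; a DC that replicates the domain partition but not DomainDnsZones is exactly the case where BIND9_DLZ on the second DC would serve stale records.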

