[Samba] Samba AD /dns /dhcp
Rowland Penny
rpenny at samba.org
Thu Nov 30 15:45:32 UTC 2017
See inline comments:
On Thu, 30 Nov 2017 14:55:43 +0000
Kristján Valur Jónsson via samba <samba at lists.samba.org> wrote:
> Hello there. I hope I'm in the right place for some Samba AD advice.
>
> I recently added two extra ADs to a setup I inherited.
> Originally there was a single Samba AD with BIND9_DLZ config. DHCP
> was separate.
> Subsequently I installed Samba on two Raspberry Pis to act as backup
> servers.
>
> Basically, I followed this set of instructions:
> https://wiki.samba.org/index.php/Joining_a_Samba_DC_to_an_Existing_Active_Directory
> I have run into several problems.
>
> 1. The new DCs were not automatically added to the master zone A
> record, i.e. "host -t A samdom.example.com localhost" would only
> return the original host. All of the other records (including GUIDS)
> were inserted fine. I ended up adding these manually.
It is probably down to the version of Samba running on the rpi's, later
versions should do this.
> 2. The SOA record for my dns zones seems to have migrated to point
> to the last DC that I set up. New zones get the original one (the one
> with the master token). I am unsure what this means, but from what I
> can tell, dnsupdate contacts the host in the SOA record to make
> updates. What is the recommended practice here? Does it matter
> which of my now three redundant DNS hosts is the SOA? How can I
> change it?
Again, later versions of Samba will make all Samba DCs authoritative.
> 3. I was unable to get the dynamic DNS updates from DHCPD to
> work without adding an "allow-update {any;};" clause (or similar) to
> named.conf. This was not documented anywhere and caused me a lot of
> headaches, particularly since this setting was in the original DC and
> so dynamic updates would work or not, based on the SOA record for the
> zones. What is the recommended practice here?
You shouldn't need that line, at least, I never have.
It might help if you post your bind conf files.
>
>
> I was unable to find on the samba wiki an overview over a recommended
> setup of the combination of SambaAD/BIND/DHCP which is sort of a
> minimum to maintain a site. Particularly how they interact.
> From what I can tell, Samba AD and BIND always go hand in hand, but
> there are at most two DHCPD servers on the net, running on two of the
> DCs. Is this correct?
Can I suggest you read again the Samba wikipage that you couldn't
find:
https://wiki.samba.org/index.php/Configure_DHCP_to_update_DNS_records_with_BIND9
it changed yesterday because of a bug.
>
> Finally, dynamic DNS updates from the DHCP server seem to take some 8
> or nine seconds, during which time a client does not get a DHCPD ack.
> Sometimes the client gives up waiting.
> I'm currently looking into this, but here is a log:
I feel this must be down to the rpi's, less than a second on my DCs
Rowland
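
An added example, not part of either poster's message or of the Samba wiki: a small Python check that lists every allow-update clause in a named.conf and flags the "any" form discussed in point 3. The sample configuration, the reverse zone and the key name dhcp-update are constructed, and the comment and brace handling is simplified (no nested address lists, no comment markers inside quoted strings).

```python
import re

# Constructed sample named.conf (not the poster's real configuration).
SAMPLE_NAMED_CONF = """
options {
    directory "/var/cache/bind";
    // allow-update { any; };   commented out, must be ignored
    allow-update { any; };
};
zone "samdom.example.com" {
    type master;
    allow-update { key dhcp-update; };  /* keyed update */
};
zone "0.168.192.in-addr.arpa" {
    type master;
    allow-update { 192.168.0.0/24; };
};
"""

def strip_comments(text):
    """Drop /* */, // and # comments so disabled clauses are not reported."""
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)
    return re.sub(r"(//|#)[^\n]*", "", text)

def audit_allow_update(conf):
    """Return (scope, element, verdict) for every allow-update element."""
    conf = strip_comments(conf)
    # Start offsets of "options {" and 'zone "name" {' blocks, to name the scope.
    headers = [(m.start(), m.group(2) or "options") for m in
               re.finditer(r'\b(options|zone\s+"([^"]+)")[^{;]*\{', conf)]
    findings = []
    for m in re.finditer(r"\ballow-update\s*\{([^}]*)\}", conf):
        scopes = [name for pos, name in headers if pos < m.start()]
        scope = scopes[-1] if scopes else "global"
        for element in filter(None, (e.strip() for e in m.group(1).split(";"))):
            if element == "any":
                verdict = "OPEN"      # every host that can reach named may update
            elif element == "none" or element.startswith("key "):
                verdict = "ok"        # disabled, or requires a TSIG key
            else:
                verdict = "ADDRESS"   # trusted by source address only
            findings.append((scope, element, verdict))
    return findings

if __name__ == "__main__":
    for scope, element, verdict in audit_allow_update(SAMPLE_NAMED_CONF):
        print(f"{verdict:8} {scope}: allow-update {{ {element}; }}")
```

An "OPEN" result in the options block applies to every zone that does not set its own update rule, which is why it is worth checking each DC's named.conf separately.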