[Samba] Order of Dcs resolv.conf [ RESOLVED ]

L.P.H. van Belle belle at bazuin.nl
Wed Apr 11 07:32:16 UTC 2018 

> >
> > so seems to me that adding 'localhost' as a first choice is a good
> > choice.
> >
> > Or not?!

Better Not.. It may give some problems in the long run. 
Because if a "something" is using kerberos auth and it uses localhost, it may fail. 

Just prevent this, by setting the ip of dc, it really helps in the long run.
So in my optinion, dont use localhost, use the ip of the DC itself for any regular DC of Member setup. 

I like to do it as followed. At install time, 2+ DC.s

DC1
nameserver IP_OF_DC_FSMO. 

DC2
nameserver IP_OF_DC_FSMO. 
nameserver IP_OF_DC2

DC3
nameserver IP_OF_DC_FSMO. 
nameserver IP_OF_D3

When finished installing/configuring the DC, reboot 1-2 times, if everthing is still ok, 
think here in tests with dbcheck replications etc, now change the resolv.conf again ( see below), 
reboot and check again. 

DC1
nameserver IP_OF_DC_FSMO. 
nameserver IP_OF_DC2
nameserver IP_OF_DC3

DC2
nameserver IP_OF_DC2
nameserver IP_OF_DC3
nameserver IP_OF_DC_FSMO. 

DC3
nameserver IP_OF_DC3
nameserver IP_OF_DC2
nameserver IP_OF_DC_FSMO. 

And now for any member server setup you can add. I dont advice this for the DC's. ! 
In resolv.conf add : 
Set timeout:n to 1-3 sec. 
Set attempts:n to 1-3 
And set : rotate
Optional: edns0 0
Add max 3 dns server in your resolv.conf.
Example resolv.conf
nameserver 192.168.1.2 #DC2
nameserver 192.168.1.1 #DC1
options rotate
options timeout:1
options edns0

The exeptions for me are. And only these use localhost in resolv.conf. ( optional with 1 internal and one external dns server ) 
Mail server,	since this one is very important here, this one uses a bind9 slave setup, where the primary is the DC with FSMO.
If all my DC's ( and with that my DNS servers) are down my mail keeps processing.. 

Mail relay server,	this one used a caching+forwarding setup, 
	i forward the request internal.domain.tld to my dc's and domain.tld and other requests to my ISP DNS servers.
	optional, setup a slave zone for the internal.domain.tld, but i dont need it here.

Web server	, like a regular member, but with a forwarding for my external domains.
Proxy server, this one used a caching+forwarding setup, squid like the caching setup. 

The forwarding to external is use so i always match the correct SPF DKIM TLSA setting, things like that.

This is how i run it all, and it works, as i noticed here, the best for me. 
For you, just try it. 
If one can find improvements in my setup, of any disadvantages, 
Let met know, post to the list and we learn all from it. 

Most of you also know i only run Debian. 
Now i noticed that, after the upgrade from Jessie to Stretch and with the use of samba 4.7.6 as DC's. 
My complete network is resolving much quicker also, servers are faster, and the "look/feel" when working on them improved a lot imo. 
Just an observation i wanted you to know also. 


Greetz, 

Louis

More information about the samba mailing list