[Samba] Samba Bind DLZ Slow queries

Eben Victor eben.victor at gmail.com
Fri Feb 28 09:21:23 UTC 2020


Thanks Rowland, I have removed from options, and amended the forwarders.

[global]
        workgroup = <MYDOMAIN>
        realm = <MYDOMAIN>.CORP
        netbios name = <HOSTNAME>
        server role = active directory domain controller
        idmap_ldb:use rfc2307 = yes
        idmap config * : range = 3000-7999
        (If I remove the portion I get errors -> idmap range not specified for domain '*')
        guest account = nobody
        restrict anonymous = 1
        winbind max clients = 2000
        log level = 1 auth_audit:3 auth_json_audit:3 dns:10 dsdb_audit:3 dsdb_json_audit:3
        max log size = 10000
        ldap server require strong auth = no
        ntlm auth = mschapv2-and-ntlmv2-only
        template homedir = /home/<mydomain>.corp/%U
        template shell = /bin/bash
        interfaces = lo ens192
        bind interfaces only = yes
        server services = -dns
        prefork children = 8

# Disable printer share
        load printers = No
        printcap name = /dev/null
        disable spoolss = Yes

# Enable Vodadealers TLS
        tls enabled  = yes
        tls keyfile  = tls/key.pem
        tls certfile = tls/cert.pem
        tls cafile   = tls/ca.pem

[netlogon]
        path = /var/lib/samba/sysvol/<mydomain>.corp/scripts
        read only = Yes

[sysvol]
        path = /var/lib/samba/sysvol
        read only = Yes

Also see below resolv.conf

search mydomain.corp otherdomain.corp otherdomain.net otherdomain.co.za mydomain.co.za
nameserver DC2
nameserver DC3
nameserver DC1
nameserver DC5
nameserver DC6
nameserver DC4

Regards

On Fri, Feb 28, 2020 at 11:07 AM Rowland penny via samba <samba at lists.samba.org> wrote:

> On 28/02/2020 08:46, Eben Victor via samba wrote:
> > Hello All,
> >
> > I hope you can assist me,
> > I'm running Bind DLZ with our Samba AD DC environment
> >
> > Is there anything I might be missing in my named config?
> Well, yes and then again, no ;-)
> > See below bind config,
> > # cat /etc/named.conf
> > # Global Configuration Options
> >
> >      statistics-channels {
> >          inet 127.0.0.1 port 8653 allow { 127.0.0.1; };
> >      };
> >
> >          include "/var/lib/samba/bind-dns/named.conf";
> >
> > options {
> >
> >      version "";
> >      dump-file   "/var/named/data/cache_dump.db";
> >      statistics-file "/var/named/data/named_stats.txt";
> >      memstatistics-file "/var/named/data/named_mem_stats.txt";
> >      auth-nxdomain yes;
> >      directory "/var/named";
> >      notify no;
> >      empty-zones-enable no;
> >      tkey-gssapi-keytab "/var/lib/samba/bind-dns/dns.keytab";
> >      minimal-responses yes;
> >
> >      dnssec-validation no;
> >      dnssec-enable no;
> >      dnssec-lookaside no;
> >
> >      listen-on port 53 { <Server IP>; 127.0.0.1; };
> >
> >      # IP addresses and network ranges allowed to query the DNS server:
> >      allow-query { any; };
> >
> >      # IP addresses and network ranges allowed to run recursive queries:
> >      # (Zones not served by this DNS server)
> >      allow-recursion { any; };
> >
> >      # Forward queries that can not be answered from own zones
> >      # to these DNS servers:
> >      forwarders {
> >          DC1;
> >          DC2;
> >          DC3;
> >          DC4;
> >          DC5;
> >      };
> >   };
>
> OK, I have removed lines from 'options' that you do not need ;-)
>
> The one thing I haven't changed, and you definitely need to, is the
> forwarders: you cannot forward to another DC. You need to forward to DNS
> servers outside your AD DNS domain, Google's for example.
>
> Everything else in named.conf is okay
>
> It may help if you also post your smb.conf file.
>
> Rowland
>


-- 
Eben Victor
Cell:  +27 82 759 5266
Email: eben.victor at gmail.com
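The forwarder problem Rowland describes (a DC forwarding unanswerable queries to another DC of the same AD domain, which then forwards back, producing loops and slow lookups) is easy to check mechanically. The following is an added example, not code from this thread or from the Samba or BIND projects: it parses the `forwarders { ... }` block of a named.conf and the `nameserver` lines of the DC's resolv.conf, and reports every forwarder that is also one of the domain's own DCs. The sample named.conf and resolv.conf embedded below are constructed; the 10.0.0.x addresses are placeholders standing in for the thread's DC1/DC2/DC3, not real hosts.

```python
"""Flag BIND forwarders that point back at the AD domain's own DCs.

Added example, not from the mailing-list thread or from Samba/BIND.
Usage: python check_forwarders.py [/etc/named.conf /etc/resolv.conf]
With no arguments it runs against the constructed samples below.
"""
import re
import sys
from ipaddress import ip_address

# Constructed sample named.conf fragment: the forwarders list two addresses
# that are also DCs (10.0.0.11, 10.0.0.12) and one external resolver.
SAMPLE_NAMED_CONF = """
options {
    directory "/var/named";
    // Forward queries that can not be answered from own zones
    forwarders {
        10.0.0.11;
        10.0.0.12;
        8.8.8.8;
    };
};
"""

# Constructed sample resolv.conf as found on an AD DC: every nameserver is a DC.
SAMPLE_RESOLV_CONF = """
search example.corp
nameserver 10.0.0.11
nameserver 10.0.0.12
nameserver 10.0.0.13
"""

FORWARDERS_RE = re.compile(r"forwarders\s*\{([^}]*)\}", re.S)


def parse_forwarders(named_conf):
    """Return the addresses listed in the first forwarders { ... } block."""
    m = FORWARDERS_RE.search(named_conf)
    if not m:
        return []
    body = re.sub(r"/\*.*?\*/", "", m.group(1), flags=re.S)  # /* */ comments
    body = re.sub(r"(//|#)[^\n]*", "", body)                  # // and # comments
    addrs = []
    for entry in body.split(";"):
        tokens = entry.split()
        if tokens:                       # "addr" or "addr port 5353": keep addr
            addrs.append(tokens[0])
    return addrs


def parse_resolv_nameservers(resolv_conf):
    """Return the addresses of every 'nameserver' line in a resolv.conf."""
    ns = []
    for line in resolv_conf.splitlines():
        parts = line.split()
        if len(parts) >= 2 and parts[0] == "nameserver":
            ns.append(parts[1])
    return ns


def normalise(addr):
    """Canonical form so 2001:DB8::1 and 2001:db8:0:0::1 compare equal;
    non-IP tokens (hostnames such as DC1) are lower-cased."""
    try:
        return str(ip_address(addr))
    except ValueError:
        return addr.lower()


def find_forwarding_loops(forwarders, dc_nameservers):
    """Forwarders (original spelling) that are also DCs of this AD domain."""
    dcs = {normalise(n) for n in dc_nameservers}
    return [f for f in forwarders if normalise(f) in dcs]


def check_files(named_path, resolv_path):
    """Read both files from disk and return the offending forwarders."""
    with open(named_path) as f:
        named_conf = f.read()
    with open(resolv_path) as f:
        resolv_conf = f.read()
    return find_forwarding_loops(parse_forwarders(named_conf),
                                 parse_resolv_nameservers(resolv_conf))


if __name__ == "__main__":
    if len(sys.argv) == 3:
        loops = check_files(sys.argv[1], sys.argv[2])
    else:
        loops = find_forwarding_loops(parse_forwarders(SAMPLE_NAMED_CONF),
                                      parse_resolv_nameservers(SAMPLE_RESOLV_CONF))
    if loops:
        print("forwarders that are DCs of this AD domain (loop risk):", loops)
    else:
        print("no forwarder points at a DC of this domain")
```

The check treats the DC's own resolv.conf as the list of DCs because, as in the poster's configuration, a Samba AD DC normally lists only DCs there; if your DCs are enumerated elsewhere, pass that list to `find_forwarding_loops` instead.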
