[Samba] Samba Bind DLZ Slow queries
Eben Victor
eben.victor at gmail.com
Fri Feb 28 09:21:23 UTC 2020
Thanks Rowland, I have removed from options, and amended the forwarders.
[global]
workgroup = <MYDOMAIN>
realm = <MYDOMAIN>.CORP
netbios name = <HOSTNAME>
server role = active directory domain controller
idmap_ldb:use rfc2307 = yes
idmap config * : range = 3000-7999 ----------> If I remove the
portion I get errors -> idmap range not specified for domain '*'
guest account = nobody
restrict anonymous = 1
winbind max clients = 2000
log level = 1 auth_audit:3 auth_json_audit:3 dns:10 dsdb_audit:3
dsdb_json_audit:3
max log size = 10000
ldap server require strong auth = no
ntlm auth = mschapv2-and-ntlmv2-only
template homedir = /home/<mydomain>.corp/%U
template shell = /bin/bash
interfaces = lo ens192
bind interfaces only = yes
server services = -dns
prefork children = 8
# Disable printer share
load printers = No
printcap name = /dev/null
disable spoolss = Yes
# Enable Vodadealers TLS
tls enabled = yes
tls keyfile = tls/key.pem
tls certfile = tls/cert.pem
tls cafile = tls/ca.pem
[netlogon]
path = /var/lib/samba/sysvol/<mydomain>.corp/scripts
read only = Yes
[sysvol]
path = /var/lib/samba/sysvol
read only = Yes
Also see below resolv.conf
search mydomain.corp otherdomain.corp otherdomain.net otherdomain.co.za
mydomain.co.za
nameserver DC2
nameserver DC3
nameserver DC1
nameserver DC5
nameserver DC6
nameserver DC4
Regards
On Fri, Feb 28, 2020 at 11:07 AM Rowland penny via samba <
samba at lists.samba.org> wrote:
> On 28/02/2020 08:46, Eben Victor via samba wrote:
> > Hello All,
> >
> > I hope you can assist me,
> > I'm running Bind DLZ with our Samba AD DC environment
> >
> > Is there anything I might be missing in my named config?
> Well, yes and then again, no ;-)
> > See below bind config,
> > # cat /etc/named.conf
> > # Global Configuration Options
> >
> > statistics-channels {
> > inet 127.0.0.1 port 8653 allow { 127.0.0.1; };
> > };
> >
> > include "/var/lib/samba/bind-dns/named.conf";
> >
> > options {
> >
> > version "";
> > dump-file "/var/named/data/cache_dump.db";
> > statistics-file "/var/named/data/named_stats.txt";
> > memstatistics-file "/var/named/data/named_mem_stats.txt";
> > auth-nxdomain yes;
> > directory "/var/named";
> > notify no;
> > empty-zones-enable no;
> > tkey-gssapi-keytab "/var/lib/samba/bind-dns/dns.keytab";
> > minimal-responses yes;
> >
> > dnssec-validation no;
> > dnssec-enable no;
> > dnssec-lookaside no;
> >
> > listen-on port 53 { <Server IP>; 127.0.0.1; };
> >
> > # IP addresses and network ranges allowed to query the DNS server:
> > allow-query { any; };
> >
> > # IP addresses and network ranges allowed to run recursive queries:
> > # (Zones not served by this DNS server)
> > allow-recursion { any; };
> >
> > # Forward queries that can not be answered from own zones
> > # to these DNS servers:
> > forwarders {
> > DC1;
> > DC2;
> > DC3;
> > DC4;
> > DC5;
> > };
> > };
>
> OK, i have removed lines from 'options' that you do not need ;-)
>
> The one thing I haven't changed and you definitely need to, are the
> forwarders, you cannot forward to another DC. you need to forward to DNS
> servers outside your AD dns domain, Googles for example.
>
> Everything else in named.conf is okay
>
> It may help if you also post your smb.conf file.
>
> Rowland
>
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/options/samba
>
--
Eben Victor
Cell: +27 82 759 5266
Email: eben.victor at gmail.com
More information about the samba
mailing list