[Samba] Samba Bind DLZ Slow queries

L.P.H. van Belle belle at bazuin.nl
Fri Feb 28 09:24:44 UTC 2020 

Add in resolv.conf
options rotate 
Or only the first 3 nameservers are used. 

Greetz, 

Louis

> -----Oorspronkelijk bericht-----
> Van: samba [mailto:samba-bounces at lists.samba.org] Namens Eben 
> Victor via samba
> Verzonden: vrijdag 28 februari 2020 10:21
> Aan: Rowland penny
> CC: samba at lists.samba.org
> Onderwerp: Re: [Samba] Samba Bind DLZ Slow queries
> 
> Thanks Rowland, I have removed from options, and amended the 
> forwarders.
> 
> [global]
>         workgroup = <MYDOMAIN>
>         realm = <MYDOMAIN>.CORP
>         netbios name = <HOSTNAME>
>         server role = active directory domain controller
>         idmap_ldb:use rfc2307 = yes
>         idmap config * : range = 3000-7999 ----------> If I remove the
> portion I get errors -> idmap range not specified for domain '*'
>         guest account = nobody
>         restrict anonymous = 1
>         winbind max clients = 2000
>         log level = 1 auth_audit:3 auth_json_audit:3 dns:10 
> dsdb_audit:3
> dsdb_json_audit:3
>         max log size = 10000
>         ldap server require strong auth = no
>         ntlm auth = mschapv2-and-ntlmv2-only
>         template homedir = /home/<mydomain>.corp/%U
>         template shell = /bin/bash
>         interfaces = lo ens192
>         bind interfaces only = yes
>         server services = -dns
>         prefork children = 8
> 
> # Disable printer share
>         load printers = No
>         printcap name = /dev/null
>         disable spoolss = Yes
> 
> # Enable Vodadealers TLS
>         tls enabled  = yes
>         tls keyfile  = tls/key.pem
>         tls certfile = tls/cert.pem
>         tls cafile   = tls/ca.pem
> 
> [netlogon]
>         path = /var/lib/samba/sysvol/<mydomain>.corp/scripts
>         read only = Yes
> 
> [sysvol]
>         path = /var/lib/samba/sysvol
>         read only = Yes
> 
> Also see below resolv.conf
> 
> search mydomain.corp otherdomain.corp otherdomain.net 
> otherdomain.co.za
> mydomain.co.za
> nameserver DC2
> nameserver DC3
> nameserver DC1
> nameserver DC5
> nameserver DC6
> nameserver DC4
> 
> Regards
> 
> On Fri, Feb 28, 2020 at 11:07 AM Rowland penny via samba <
> samba at lists.samba.org> wrote:
> 
> > On 28/02/2020 08:46, Eben Victor via samba wrote:
> > > Hello All,
> > >
> > > I hope you can assist me,
> > > I'm running Bind DLZ with our Samba AD DC environment
> > >
> > > Is there anything I might be missing in my named config?
> > Well, yes and then again, no ;-)
> > > See below bind config,
> > > # cat /etc/named.conf
> > > # Global Configuration Options
> > >
> > >      statistics-channels {
> > >          inet 127.0.0.1 port 8653 allow { 127.0.0.1; };
> > >      };
> > >
> > >          include "/var/lib/samba/bind-dns/named.conf";
> > >
> > > options {
> > >
> > >      version "";
> > >      dump-file   "/var/named/data/cache_dump.db";
> > >      statistics-file "/var/named/data/named_stats.txt";
> > >      memstatistics-file "/var/named/data/named_mem_stats.txt";
> > >      auth-nxdomain yes;
> > >      directory "/var/named";
> > >      notify no;
> > >      empty-zones-enable no;
> > >      tkey-gssapi-keytab "/var/lib/samba/bind-dns/dns.keytab";
> > >      minimal-responses yes;
> > >
> > >      dnssec-validation no;
> > >      dnssec-enable no;
> > >      dnssec-lookaside no;
> > >
> > >      listen-on port 53 { <Server IP>; 127.0.0.1; };
> > >
> > >      # IP addresses and network ranges allowed to query 
> the DNS server:
> > >      allow-query { any; };
> > >
> > >      # IP addresses and network ranges allowed to run 
> recursive queries:
> > >      # (Zones not served by this DNS server)
> > >      allow-recursion { any; };
> > >
> > >      # Forward queries that can not be answered from own zones
> > >      # to these DNS servers:
> > >      forwarders {
> > >          DC1;
> > >          DC2;
> > >          DC3;
> > >          DC4;
> > >          DC5;
> > >      };
> > >   };
> >
> > OK, i have removed lines from 'options' that you do not need ;-)
> >
> > The one thing I haven't changed and you definitely need to, are the
> > forwarders, you cannot forward to another DC. you need to 
> forward to DNS
> > servers outside your AD dns domain, Googles for example.
> >
> > Everything else in named.conf is okay
> >
> > It may help if you also post your smb.conf file.
> >
> > Rowland
> >
> >
> > --
> > To unsubscribe from this list go to the following URL and read the
> > instructions:  https://lists.samba.org/mailman/options/samba
> >
> 
> 
> -- 
> Eben Victor
> Cell:  +27 82 759 5266
> Email: eben.victor at gmail.com
> -- 
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/options/samba
> 
>

More information about the samba mailing list