[Samba] Samba AD with multiple DC and multiple NICs

Stefano Vargiu vstefanoxx at gmail.com
Mon Oct 19 16:54:39 UTC 2020


Thank you for the quick reply, Rowland.

> I don't think you really understand dns and AD =-O
Evidently not ;)

I thought this was a common situation and it seemed to me it made sense.

This is what I want to achieve:
* I have a branch with DC1.domain.local, which provides file services to a
couple of local networks (172.16.0.0/16 and 172.20.0.0/16)
* some time later I want to join a second DC located in a second branch,
which provides file services to a couple of local networks (in the 2nd branch,
obviously), one of which happens to have the same addressing as one local
network in the 1st branch (172.20.0.0/16)
* to let DC1 and DC2 communicate I set up a VPN

Now probably comes my lack of understanding of how it really works, but I
would simply like DC2 to contact DC1 and join the AD domain while
continuing to serve its local networks. Conceptually I imagine PCs in the 1st
branch can query the domain server DC1 via its local IPs 172.16.0.2 and
172.20.0.2, while the remote DC2 in the 2nd branch could contact DC1 only
through its VPN address 172.19.1.173 and not try to contact it through its
other IPs.
Because PCs in the 1st branch only need to contact DC1 and not DC2, I
thought this configuration should work if only DC1 and DC2 are forced to
contact each other through their VPN IPs.

> You cannot have two computers with the same IP
They happen to have the same private IP in two different branches: nothing
prevented me from doing that before deciding to join them to the same AD
domain.

> Each DC should use itself as its first nameserver and /etc/hosts is only
> used by the DC itself
I agree, that's what I did after the join (before the join the nameserver
for DC2 was the VPN IP of DC1)

> You shouldn't be trying to point VPN at your DC's, VPN should just use
> the DC's for authentication.
I couldn't bind Samba to the VPN's tun interface (it didn't work, if that's what
you are referring to), but with NAT rules I redirect connections from the VPN to
another interface: at that point it seemed to start working well, apart from the
replication from DC2 to DC1. But again, I'm not sure if it's going to work
in the long run, and judging from your answer, probably not.

Thank you
Stefano

On Mon 19 Oct 2020 at 14:08, Rowland penny via samba <
samba at lists.samba.org> wrote:

> On 19/10/2020 12:40, Stefano Vargiu via samba wrote:
> > Hello everyone,
> >
> > I'm trying to add a second DC to a Samba 4 AD: they both have multiple
> > NICs and for this reason I cannot find a way to make it work.
> > They communicate through VPN and both have one of the bound interfaces
> > set to the same IP address, 172.20.0.1, which doesn't allow me to route
> > to the correct DC, and that is only part of the problem.
> >
> > Here is the configuration:
> > * DC1.domain.local
> >    IP NIC1: 172.16.0.2
> >    IP NIC2: 172.20.0.1
> >    IP VPN: 172.19.1.173
> >
> > * DC2.domain.local
> >    IP NIC1: 192.168.0.1
> >    IP NIC2: 172.20.0.1
> >    IP VPN: 172.19.1.174
> >
> I don't think you really understand dns and AD =-O
>
> You cannot have two computers with the same IP (how would DNS
> differentiate between them). Each DC is authoritative for the DNS
> domain; this is called multi-master and means that each DC is the DNS
> master. Each DC should use itself as its first nameserver and /etc/hosts
> is only used by the DC itself. You seem to be trying to use what are
> called multi-homed devices and this doesn't work very well (if at all)
> with AD. You shouldn't be trying to point VPN at your DCs, VPN should
> just use the DCs for authentication.
>
> I think you need to explain just what you are trying to achieve and how
> you are doing it now.
>
> Rowland
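
The objection Rowland raises (a DC publishes an A record for every address it is bound on, and every other DC and client must be able to route to each of those records unambiguously) can be checked before a join. The script below is an added example written for this page; it is not code from the thread, from Samba, or from either poster. It models the layout described above as a constructed topology (link names such as "branch1-lan-b" are my own labels for the physical segments, not anything in the thread) and assumes the default behaviour in which Samba registers an A record for each bound address. It reports addresses reused across DCs, prefixes reused on different links, and, for each pair of DCs, the published records the other side could not reach.

```python
"""Pre-join sanity check for multi-homed Samba AD DCs (added example, not
from the thread or from Samba). The topology below is a constructed model
of the layout discussed on the list, not data captured from a real domain.
Model assumptions: a DC registers an A record for every address it binds
(Samba's default when `interfaces`/`bind interfaces only` are unset), and a
DC can reach a peer address only when both are attached to the same link."""
import ipaddress
from collections import defaultdict

# Constructed topology: DC -> interface -> (address/prefix, link name).
# The link name identifies the physical segment; two interfaces with the
# same prefix on different links are separate networks that merely reuse
# the same addressing (the two 172.20.0.0/16 branch LANs here).
TOPOLOGY = {
    "DC1": {
        "nic1": ("172.16.0.2/16", "branch1-lan-a"),
        "nic2": ("172.20.0.1/16", "branch1-lan-b"),
        "vpn": ("172.19.1.173/24", "site-vpn"),
    },
    "DC2": {
        "nic1": ("192.168.0.1/24", "branch2-lan-a"),
        "nic2": ("172.20.0.1/16", "branch2-lan-b"),
        "vpn": ("172.19.1.174/24", "site-vpn"),
    },
}


def _addr(cidr):
    return str(ipaddress.ip_interface(cidr).ip)


def published_records(topology):
    """A records each DC would register if it binds every interface."""
    return {dc: sorted(_addr(cidr) for cidr, _ in ifaces.values())
            for dc, ifaces in topology.items()}


def duplicate_addresses(topology):
    """Addresses present on more than one DC: DNS cannot tell the hosts
    apart, so the record is wrong for at least one of them."""
    owners = defaultdict(set)
    for dc, ifaces in topology.items():
        for cidr, _ in ifaces.values():
            owners[_addr(cidr)].add(dc)
    return {ip: sorted(dcs) for ip, dcs in owners.items() if len(dcs) > 1}


def reused_prefixes(topology):
    """Networks with the same prefix on different links: a route for that
    prefix can point at only one of them, so the other is unreachable from
    anything not directly attached to it."""
    links = defaultdict(set)
    for ifaces in topology.values():
        for cidr, link in ifaces.values():
            links[str(ipaddress.ip_interface(cidr).network)].add(link)
    return {net: sorted(ls) for net, ls in links.items() if len(ls) > 1}


def unreachable_records(topology):
    """For each (viewer DC, target DC): published addresses of the target
    on links the viewer is not attached to (unreachable under the model)."""
    my_links = {dc: {link for _, link in ifaces.values()}
                for dc, ifaces in topology.items()}
    result = {}
    for viewer in topology:
        for target, ifaces in topology.items():
            if target == viewer:
                continue
            result[(viewer, target)] = sorted(
                _addr(cidr) for cidr, link in ifaces.values()
                if link not in my_links[viewer])
    return result


def report(topology):
    """Human-readable list of every problem the three checks find."""
    lines = []
    for ip, dcs in duplicate_addresses(topology).items():
        lines.append(f"duplicate address {ip} on {', '.join(dcs)}")
    for net, links in reused_prefixes(topology).items():
        lines.append(f"prefix {net} reused on links {', '.join(links)}")
    for (viewer, target), ips in unreachable_records(topology).items():
        for ip in ips:
            lines.append(f"{viewer} cannot reach {target} record {ip}")
    return lines


if __name__ == "__main__":
    for dc, ips in published_records(TOPOLOGY).items():
        print(f"{dc} would publish: {' '.join(ips)}")
    for line in report(TOPOLOGY):
        print("PROBLEM:", line)
```

For the constructed topology the report flags 172.20.0.1 as present on both DCs, 172.20.0.0/16 as reused on two different links, and two of DC1's three records as unreachable from DC2 (and vice versa); only the VPN addresses survive every check. Restricting `interfaces` together with `bind interfaces only = yes` would narrow what a DC publishes, but that also means branch clients can no longer find the DC by its LAN address, which is the same multi-homing trade-off the reply describes rather than a way around it.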