[Samba] Samba AD with multiple DC and multiple NICs

Stefano Vargiu vstefanoxx at gmail.com
Mon Oct 19 16:56:38 UTC 2020

I add some additional information I didn't give in my previous email,
specifically how I tried to force DC1 and DC2 to contact each other only
with their VPN IPs.
I did so using dnsmasq as a DNS proxy.

# DC1 configuration

search domain.local
domain domain.local

I configured dnsmasq to listen on the VPN interface (while
samba listen on all other interfaces,, and lo

server=  (dnsmasq's dns forwarder: samba is listening on

In this way, any dns lookup to DC2.domain.local from DC1 gives me the VPN
IP of DC2:
$ dig +short DC2.domain.local

All other DNS queries are forwarded by dnsmasq to, where the
Samba's DNS server is listening.

Same configuration in DC2, with dnsmasq that resolve DC1.domain.local to
I'm not sure if domain.local in DC2 should resolve to or to considered they are multi-master, for symmetry maybe better
to use, also if in my first attempts I used the VPN IP of DC1.

> DC is authoritative for the dns domain, this is called multi-master and
means that each DC is the dns master
I know that. Maybe I didn't explain well what I was trying to achieve, but
I already knew most of the information you gave me.

The most important thing I didn't know was that multi-homed is strongly

Is such configuration with a dns proxy going to work?
As I said, with it I was able to make kinit and the join works. Replication
from DC2 to DC1 works, but doesn't work from DC1 to DC2.

I should keep trying it or is it a lost cause?

Il giorno lun 19 ott 2020 alle ore 14:08 Rowland penny via samba <
samba at lists.samba.org> ha scritto:

> On 19/10/2020 12:40, Stefano Vargiu via samba wrote:
> > Hello everyone,
> >
> > I'm trying to add a second DC to a Samba 4 AD: they both have multiple
> NICs
> > and for this reason cannot find a way to make it work.
> > They communicate through VPN and both have one of the bound interfaces
> set
> > to the same IP address,, which doesn't allow me to route to
> the
> > correct DC, and that is only part of the problem.
> >
> > Here is the configuration:
> > * DC1.domain.local
> >    IP NIC1:
> >    IP NIC2:
> >    IP VPN:
> >
> > * DC2.domain.local
> >    IP NIC1:
> >    IP NIC2:
> >    IP VPN:
> >
> I don't think you really understand dns and AD =-O
> You cannot have two computers with the same IP (how would DNS
> differentiate between them), each DC is authoritative for the dns
> domain, this is called multi-master and means that each DC is the dns
> master. Each DC should use itself as its first nameserver and /etc/hosts
> is only used by the DC itself. You seem to be trying to use what is
> called multi-homed devices and this doesn't work very well (if at all)
> with AD. You shouldn't be trying to point VPN at your DC's, VPN should
> just use the DC's for authentication.
> I think you need to explain just what you are trying to achieve and how
> you are doing it now.
> Rowland
> --
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/options/samba

More information about the samba mailing list