[Samba] declaring Bind9 DNS servers as slaves when using Samba AD/DC with BIND9_DLZ
vincent at cojot.name
vincent at cojot.name
Mon Apr 25 23:28:08 UTC 2022
Hi all,
I have a small isolated 'island' made of two Samba AD/DC VMs. It works
fine but is not really fault-tolerant (if one hypervisor crashes, every
Windows client will time out for 50% of DNS requests.
I was trying to setup my bind infra as DNS 'slaves' of the AD/DC zones but
I'm struggling to make it work. I suspect this might be related to having
to list my bind DNS servers as authoritative 'NS' servers for my AD DC
zones.. Here's what I have:
On a RHEL8 bind DNS server, I have declarations such as:
zone "_msdcs.ad.lasthome.solace.krynn" IN {
type slave;
masters { 10.0.131.248; 10.0.131.249; };
notify yes;
file "zonedb/named.KRYNN_AD._msdcs";
allow-transfer { any; };
allow-query { any; };
};
(and the same kind of declaration for _sites, _tcp, _udp...)
On my samba, AD/DC servers, I made sure to have:
allow-transfer { any; };
Alas, on the BIND9 dns servers, I see this:
25-Apr-2022 19:16:43.809 xfer-in: info: transfer of '_msdcs.ad.lasthome.solace.krynn/IN' from 10.0.131.249#53: Transfer status: REFUSED
25-Apr-2022 19:16:43.809 xfer-in: info: transfer of '_msdcs.ad.lasthome.solace.krynn/IN' from 10.0.131.249#53: Transfer completed: 0 messages, 0 records, 0 bytes, 0.001 secs (0 bytes/sec)
This can be matched to these logs on the Samba AD/DC servers:
25-Apr-2022 16:38:01.528 notify: notice: client @0x7f0a341063f0 10.0.128.242#12714: received notify for zone '_msdcs.ad.lasthome.solace.krynn': not authoritative
so communication works but dc01 refuses the zone transfer because it is
coming from a server which is not authoritative:
Sure enough, when querying the SOA for any of these sub-domains, only my
AD/DC servers are listed:
# dig @dc00 -t SOA _msdcs.ad.lasthome.solace.krynn
[...]
;; AUTHORITY SECTION:
_msdcs.ad.lasthome.solace.krynn. 900 IN NS dc01.ad.lasthome.solace.krynn.
_msdcs.ad.lasthome.solace.krynn. 900 IN NS dc00.ad.lasthome.solace.krynn.
So I have a few questions:
- How do I add my bind servers as 'proper' authoritative NS servers for
the DNS zones hosted on my AD/DC bind servers. What is the proper way to
do this? I tried using RSAT/DNS manager and enabling 'Bind secondaries'
but this did not work with Samba AD/DC.
- Is it a Bad idea to do this (add bind servers as authoritative DNS
servers to my AD zones)? Might it break something in the future?
All comments/ideas needed.
Thank you,
Vincent
More information about the samba
mailing list