[Samba] DCs in multiple VLANs

Stefan G. Weichinger lists at xunil.at
Fri Jan 20 09:59:31 UTC 2023


On 20.01.23 at 10:34, Rowland Penny via samba wrote:

> Whilst it is best to only have one active dhcp server, you can use 
> failover, which is easy with the now EOL isc-dhcp-server, but is 
> probably possible with the kea server. The problem with the kea server 
> is, in my opinion, it is a bit like using a sledgehammer to crack a nut, 
> it is just too complex.

The kea-cluster runs in that "hot-standby" mode: one node is the active 
DHCP server, the other takes over if the primary fails. Nice to have.

But I agree: complex ...

If I now switch over to using DHCP relay, I can only enter one IP in 
that pfSense tab (I have a pfSense there as router/firewall):

https://docs.netgate.com/pfsense/en/latest/services/dhcp/relay.html

This breaks things if the first DHCP node goes down: the DHCP relay 
would then point to the broken node and the secondary DHCP node would 
take over but never see the requests.

Doesn't sound good to me.

> Now that the isc-dhcp-server is EOL (it will hang about a bit in 
> distros), I will have to rewrite my dhcp script and it will not be 
> using kea, even though the changes would be minimal to do so. In my 
> opinion, you would have to be criminally insane to fully understand kea and 
> I need to understand something before I use it.
> 
>>
>> Or could I simply remove the multiple DNS-records created for the DC 
>> after enabling it on all VLAN-interfaces, so that there is only one 
>> record pointing to its LAN IP?
> 
> Your DC should only have one IP address, it should not be multi-homed.

Yes. Thanks for this.

I didn't touch it in the last few days but back then I noticed that Samba 
would create one DNS-record per interface, right?

So my approach with binding only to the LAN interface is OK, right?

So far things work mostly.

It's just that a Windows client in a VLAN fails to pull group policies 
for example: the asymmetric routing breaks that.

So far I don't see a nice solution (aside from putting the DHCP cluster 
elsewhere), this might be related to the fact that I am currently sick 
and should stay in bed.

Thanks all for any help, Stefan



