[Samba] multi-site DNS confusion

Rowland Penny rpenny at samba.org
Mon Mar 20 16:04:31 UTC 2023



On 20/03/2023 15:31, Eric via samba wrote:
> Greetings,
> 
> I'm not sure what else to add. If you need more info please let me know.
> 
> Any input is greatly appreciated.
> 
> Eric
> 
> 
> On Sat, Mar 4, 2023 at 2:58 PM Eric <rvwbug at gmail.com> wrote:
> 
>> Greetings,
>>
>> This is my first attempt at multi-site with unique subnets (actually my
>> first attempt at more than one DC).
>>
>> I had the existing "defaultFirstSite" then added a second site and
>> two subnets (that I associated with each site).
>>
>> I joined a second DC from the second site with the following:
>>
>> samba-tool domain join ssc.domain.com DC -Uadministrator --realm=ssc.domain.com --site=smithCo
>>
>> DC01 = defaultFirstSite 10.1.211.0/25
>>
>> [global]
>> dns forwarder = 10.1.211.254
>> netbios name = DC01
>> realm = SSC.DOMAIN.COM
>> server role = active directory domain controller
>> workgroup = SSC
>> idmap_ldb:use rfc2307 = yes
>>
>> [sysvol]
>> path = /var/lib/samba/sysvol
>> read only = No
>>
>> [netlogon]
>> path = /var/lib/samba/sysvol/ssc.domain.com/scripts
>> read only = No
>>
>>
>>
>> DC02 = smithCo 192.168.11.0/24
>> [global]
>> dns forwarder = 192.168.11.1
>> netbios name = DC02
>> realm = SSC.DOMAIN.COM
>> server role = active directory domain controller
>> workgroup = SSC
>> idmap_ldb:use rfc2307 = yes
>>
>> [sysvol]
>>          path = /var/lib/samba/sysvol
>>          read only = No
>>
>> [netlogon]
>>          path = /var/lib/samba/sysvol/ssc.domain.com/scripts
>>          read only = No
>>
>>
>> Both Forwarders go to each respective router/gateway device.
>>
>> I'm unsure how to handle DNS management. I thought I would be able to
>> connect to the DC02 DNS server (as I've done with DC01) using RSAT. I get
>> an error when trying to add DC02 as a DNS server:
>> "Access was denied, would you like to add it anyway"
>>
>> Am I supposed to manage all DNS via DC01 only?
>> If so, do I add a reverse zone or any other items directly
>> to DC01's DNS server records? Is there any documentation
>> on managing multiple DCs (DNS and perhaps DHCP using
>> multi-sites and subnets)? I found the docs on how to set it up,
>> but the management part is unknown to me.
>> This is what I used for the setup:
>> https://wiki.samba.org/index.php/Active_Directory_Sites
>>
>> Following this wiki
>>
>> https://wiki.samba.org/index.php/Joining_a_Samba_DC_to_an_Existing_Active_Directory#Verifying_Directory_Replication
>>
>> Is the section "Built-in User & Group ID Mappings" still relevant? I ask
>> because I thought Samba 4 has some built-in replication. I thought
>> everything gets replicated aside from group policies. Perhaps this is
>> package/distro dependent?
>>
>> Thanks in advance,
>>
>> Eric
>>
>>

I didn't reply last time because I do not know a lot about sites, but 
what little I do know about them is that all computers in a domain have to 
be able to find each other; this includes DCs, probably especially DCs.

This means that you should be able to use things like ping, host, 
nslookup etc to contact each domain member. Whilst it isn't strictly 
required to have reverse records, it doesn't hurt either.

As for idmap.ldb, yes, you still need to sync these from the DC with the 
PDC_Emulator FSMO role to every other DC.

Rowland
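The checks Rowland describes, worked through for Eric's two sites, as an added example that is not part of the original thread and not code from the Samba project. It lists the forward and site-specific SRV names each DC and client must resolve (using host(1), as suggested), derives the reverse zone and PTR name for each subnet so they can be created with samba-tool, and shows the idmap.ldb copy from the PDC emulator to the other DC. The realm, DC names, subnets and site names are from Eric's post; the DC IP addresses (.10 in each subnet), the /var/lib/samba/private path, the root@ SSH access and all function names are this example's assumptions. By default every external command is only printed; set LIVE=1 to actually run it.

```shell
#!/usr/bin/env bash
# Added example for this thread, not code from the original posts or from
# the Samba project. Assumptions: DC IPs 10.1.211.10 and 192.168.11.10,
# private dir /var/lib/samba/private, root SSH between DCs, and the helper
# names below. With LIVE=0 (default) external commands are printed, not run.

set -u
LIVE=${LIVE:-0}

# Execute an external command when LIVE=1, otherwise just show it.
run() {
  if [ "$LIVE" = 1 ]; then "$@"; else echo "+ $*"; fi
}

# Reverse-zone name for an IPv4 CIDR, cut at the octet boundary below the
# prefix length: 10.1.211.0/25 -> 211.1.10.in-addr.arpa (the enclosing /24;
# RFC 2317 classless delegation is deliberately not attempted here).
reverse_zone() {
  local ip=${1%/*} prefix=${1#*/} octets rest o1 o2 o3
  octets=$((prefix / 8))
  o1=${ip%%.*}; rest=${ip#*.}
  o2=${rest%%.*}; rest=${rest#*.}
  o3=${rest%%.*}
  case $octets in
    1) echo "$o1.in-addr.arpa" ;;
    2) echo "$o2.$o1.in-addr.arpa" ;;
    3) echo "$o3.$o2.$o1.in-addr.arpa" ;;
    *) echo "unsupported prefix length /$prefix" >&2; return 1 ;;
  esac
}

# Relative PTR name of "<ip>/<prefix>" inside the zone reverse_zone() picks
# for that prefix length: 10.1.211.10/25 -> "10", 10.1.211.10/16 -> "10.211".
ptr_name() {
  local ip=${1%/*} prefix=${1#*/} octets rest head out="" i=0
  octets=$((prefix / 8))
  rest=$ip
  while [ "$i" -lt "$octets" ]; do rest=${rest#*.}; i=$((i + 1)); done
  while [ -n "$rest" ]; do        # remaining octets, reversed
    case $rest in
      *.*) head=${rest%%.*}; rest=${rest#*.} ;;
      *)   head=$rest; rest="" ;;
    esac
    if [ -z "$out" ]; then out=$head; else out="$head.$out"; fi
  done
  echo "$out"
}

# "<type> <name>" pairs a client in site $3 of realm $1 must resolve for DC
# $2. The _sites names are what a client in smithCo asks for first; the
# site-less names must still work from both subnets.
expected_records() {
  local realm=$1 dc=$2 site=$3
  echo "A $dc.$realm"
  echo "SRV _ldap._tcp.$realm"
  echo "SRV _kerberos._udp.$realm"
  echo "SRV _ldap._tcp.dc._msdcs.$realm"
  echo "SRV _ldap._tcp.$site._sites.$realm"
  echo "SRV _kerberos._tcp.$site._sites.$realm"
  echo "SRV _ldap._tcp.$site._sites.dc._msdcs.$realm"
}

# Look every expected record up against DNS server $1 with host(1), the way
# Rowland suggests. Returns the number of failed lookups (0 in dry-run mode).
check_dns() {
  local server=$1 realm=$2 dc=$3 site=$4 failures=0 type name
  while read -r type name; do
    if run host -t "$type" "$name." "$server"; then
      if [ "$LIVE" = 1 ]; then echo "ok   $type $name"; fi
    else
      echo "FAIL $type $name via $server"
      failures=$((failures + 1))
    fi
  done <<EOF
$(expected_records "$realm" "$dc" "$site")
EOF
  return "$failures"
}

# Create the reverse zone for subnet $2 on DNS server $1 and add the PTR for
# one host ($3 -> $4). Adding the zone once on any DC is enough; AD
# replicates it to the other DC.
setup_reverse() {
  local dns_server=$1 subnet=$2 host_ip=$3 fqdn=$4 zone
  zone=$(reverse_zone "$subnet") || return 1
  run samba-tool dns zonecreate "$dns_server" "$zone" -U administrator
  run samba-tool dns add "$dns_server" "$zone" \
      "$(ptr_name "$host_ip/${subnet#*/}")" PTR "$fqdn" -U administrator
}

# Copy idmap.ldb from the PDC emulator (run this there) to DC $1, as Rowland
# says is still required, then flush the receiving DC's cache.
sync_idmap() {
  local target=$1 private=${2:-/var/lib/samba/private}
  run tdbbackup -s .bak "$private/idmap.ldb"
  run scp "$private/idmap.ldb.bak" "root@$target:$private/idmap.ldb"
  run ssh "root@$target" net cache flush
}

REALM=ssc.domain.com
check_dns 10.1.211.10  "$REALM" dc01 defaultFirstSite
check_dns 192.168.11.10 "$REALM" dc02 smithCo
setup_reverse DC01 10.1.211.0/25   10.1.211.10   dc01.$REALM
setup_reverse DC01 192.168.11.0/24 192.168.11.10 dc02.$REALM
sync_idmap dc02.$REALM
```

Run it as-is to see the commands that would be issued; run it with LIVE=1 on the PDC emulator to execute them. Each FAIL line from check_dns points at a record the other site's clients cannot find, which is the condition Rowland warns about.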
