Samba AD Best Practice (DNS)


Samba AD Best Practice (DNS)

Samba - General mailing list
Hello,

This question is about best practice of introducing samba-ad-dc to an
organization that already has networking, and being minimally disruptive
about it. I guess this question applies equally to adding a Windows AD
server, but most people with that setup would let it be the primary DNS,
etc.

For this example:
- Network: 172.18.0.0/24
- Domain: network.ca
- AD server: ad.network.ca, 172.18.0.20
- Gateway/DNS: 172.18.0.1

The gateway is running as the main DNS server, and has the various
underscore ("_") entries required for Windows to find the Active
Directory. It sends "172.18.0.1" as the DNS option over its DHCP server.
The samba AD server has its DNS forwarder set to "172.18.0.1".

Now, the question:

To be able to take full advantage of AD, should DHCP provide the Windows
clients with "172.18.0.20" as the DNS server? I know it dynamically adds
the computers that are on the Active Directory, and possibly other
things that help make Windows services run smoothly. That said, the
samba forwarder only seems to forward zones it is not familiar with.
Since the samba server serves up "network.ca", when asked, it does not
resolve "gitlab.network.ca" that the main DNS server knows how to
resolve. This has forced me to just provide 172.18.0.1 as the DNS.

What is the best practice to solve this? Is there actually any benefit
to having the AD server serve up DNS?

I'm sure others have been wondering this, and it would probably be a
decent question to put in the DNS section of the Wiki, as I'm sure there
are many samba mixed-network environments.

Thanks,
--Pat

--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba

Re: Samba AD Best Practice (DNS)

Samba - General mailing list
On Thu, 12 Oct 2017 11:00:35 -0400
Pat Suwalski via samba <[hidden email]> wrote:

> Hello,
>
> This question is about best practice of introducing samba-ad-dc to
> an organization that already has networking, and being minimally
> disruptive about it. I guess this question applies equally to adding
> a Windows AD server, but most people with that setup would let it be
> the primary DNS, etc.
>
> For this example:
> - Network: 172.18.0.0/24
> - Domain: network.ca
> - AD server: ad.network.ca, 172.18.0.20
> - Gateway/DNS: 172.18.0.1
>
> The gateway is running as the main DNS server, and has the various
> underscore ("_") entries required for Windows to find the Active
> Directory. It sends "172.18.0.1" as the DNS option over its DHCP
> server. The samba AD server has its DNS forwarder set to "172.18.0.1".
>
> Now, the question:
>
> To be able to take full advantage of AD, should DHCP provide the
> Windows clients with "172.18.0.20" as the DNS server? I know it
> dynamically adds the computers that are on the Active Directory, and
> possibly other things that help make Windows services run smoothly.
> That said, the samba forwarder only seems to forward zones it is not
> familiar with. Since the samba server serves up "network.ca", when
> asked, it does not resolve "gitlab.network.ca" that the main DNS
> server knows how to resolve. This has forced me to just provide
> 172.18.0.1 as the DNS.
>
> What is the best practice to solve this? Is there actually any
> benefit to having the AD server serve up DNS?
>
> I'm sure others have been wondering this, and it would probably be a
> decent question to put in the DNS section of the Wiki, as I'm sure
> there are many samba mixed-network environments.
>
> Thanks,
> --Pat
>

If you already have a domain, I would set up Active Directory as a
subdomain of this, e.g. instead of using 'network.ca', use
'ad.network.ca' and the FQDN 'dc1.ad.network.ca' for the DC.

Point the clients at this for domain DNS and forward anything unknown
to the gateway or other DNS server. There isn't really any point in
using an external server as the DNS server, all the DNS records are in
AD anyway.

You can, if you wish, run a DHCP server on the DC.

See here for AD best practice:

http://www.dell.com/support/article/uk/en/ukbsdt1/sln155801/best-practices-for-dns-configuration-in-an-active-directory-domain?lang=en

Rowland


Re: Samba AD Best Practice (DNS)

Samba - General mailing list
On 2017-10-12 11:47 AM, Rowland Penny via samba wrote:
> If you already have a domain, I would set up Active Directory as a
> subdomain of this, e.g. instead of using 'network.ca', use
> 'ad.network.ca' and the FQDN 'dc1.ad.network.ca' for the DC.

Thanks for the reply.

I think that ship's already sailed; the domain has been running as
network.ca since Samba4 was in beta, and I can just imagine the headache
of changing that over.

I wouldn't have done it that way, but at the time "dns forwarder" to me
suggested that *all* (unknown) DNS entries would be forwarded to the
main DNS server. Obviously, it's clear now that isn't the case.

I think I'm left with two options:

- Don't point DNS at the AD server.
- Allow some kind of zone copying. Not sure if samba's DNS server
supports this.

Neither seems ideal.

--Pat


Re: Samba AD Best Practice (DNS)

Samba - General mailing list
On Thu, 12 Oct 2017 12:07:17 -0400
Pat Suwalski via samba <[hidden email]> wrote:

> On 2017-10-12 11:47 AM, Rowland Penny via samba wrote:
> > If you already have a domain, I would set up Active Directory as a
> > subdomain of this, e.g. instead of using 'network.ca', use
> > 'ad.network.ca' and the FQDN 'dc1.ad.network.ca' for the DC.
>
> Thanks for the reply.
>
> I think that ship's already sailed, the domain has been running as
> network.ca since Samba4 was in beta, and I can just imagine the
> headache of changing that over.

Not sure you could :-(

>
> I wouldn't have done it that way, but at the time "dns forwarder" to
> me suggested that *all* (unknown) DNS entries would be forwarded to
> the main DNS server. Obviously, it's clear now that isn't the case.

To AD, 'unknown' usually means anything outside the AD domain.

>
> I think I'm left with two options:
>
> - Don't point DNS at the AD server.
> - Allow some kind of zone copying. Not sure if samba's DNS server
> supports this.
>
> Neither seems ideal.

I don't think you will be able to do the second at all, even if you
used BIND9 instead of the internal dns server.

It might help if you described your network.

Rowland



Re: Samba AD Best Practice (DNS)

Samba - General mailing list
On 2017-10-12 12:30 PM, Rowland Penny via samba wrote:
> It might help if you described your network.

I thought I went into detail in the first message:


For this example:
- Network: 172.18.0.0/24
- Domain: network.ca
- AD server: ad.network.ca, 172.18.0.20
- Gateway/DNS: 172.18.0.1

The gateway is running as the main DNS server, and has the various
underscore ("_") entries required for Windows to find the Active
Directory. It sends "172.18.0.1" as the DNS option over its DHCP server.
The samba AD server has its DNS forwarder set to "172.18.0.1".


The only thing to add is that 172.18.0.1 runs dnsmasq. samba is used
with Windows Desktops for AD and home shares, and with Linux servers for
AD with sssd (samba's Winbind wasn't quite there when this was set up).
Nothing really relies on DNS from samba; unless you know something about
this point that I do not.

I could also manually add the local entries to samba's DNS. Not crazy
about this option.

Thanks,
--Pat


Re: Samba AD Best Practice (DNS)

Samba - General mailing list
Here's what we do for our school district:

- Each site is in its own isolated network
- Each site has two DCs and a file server
- The DHCP server hands out the DCs of the site as both DNS servers (i.e.
dc1 = 192.168.0.2, 192.168.0.3)
- The DNS server runs from the Samba DCs (using bind9 or the Internal DNS,
does not matter)
- If we want something else to resolve, we add an A record (i.e.
mail.ad.district.com IN A 192.168.0.5) or a CNAME record (i.e.
mail.ad.district.com IN CNAME mail.district.com)

The clients need to point their DNS servers to the AD DCs for everything to
work "correctly", especially with name resolution. You need the DC servers
to point their DNS forwarders to either your network DNS Servers, or your
ISP / other DNS servers.

On Thu, Oct 12, 2017 at 11:00 AM, Pat Suwalski via samba <
[hidden email]> wrote:

> On 2017-10-12 12:30 PM, Rowland Penny via samba wrote:
>
>> It might help if you described your network.
>>
>
> I thought I went into detail in the first message:
>
>
> For this example:
> - Network: 172.18.0.0/24
> - Domain: network.ca
> - AD server: ad.network.ca, 172.18.0.20
> - Gateway/DNS: 172.18.0.1
>
> The gateway is running as the main DNS server, and has the various
> underscore ("_") entries required for Windows to find the Active Directory.
> It sends "172.18.0.1" as the DNS option over its DHCP server. The samba AD
> server has its DNS forwarder set to "172.18.0.1".
>
>
> The only thing to add is that 172.18.0.1 runs dnsmasq. samba is used with
> Windows Desktops for AD and home shares, and with Linux servers for AD with
> sssd (samba's Winbind wasn't quite there when this was set up). Nothing
> really relies on DNS from samba; unless you know something about this point
> that I do not.
>
> I could also manually add the local entries to samba's DNS. Not crazy
> about this option.
>
> Thanks,
> --Pat
>
>

Re: Samba AD Best Practice (DNS)

Samba - General mailing list
On 2017-10-12 02:26 PM, Luke Barone via samba wrote:
> - If we want something else to resolve, we add an A record (i.e.
> mail.ad.district.com IN A 192.168.0.5) or a CNAME record (i.e.
> mail.ad.district.com IN CNAME mail.district.com)

Right, so you have the ad.x subdomain as well. That's what we don't
have, and it seems it would require starting from scratch to implement it.

--Pat


Re: Samba AD Best Practice (DNS)

Samba - General mailing list
Yes, as changing the domain name is not supported (without unjoining and
rejoining the machines). Depending on your infrastructure, you can try a
couple of things:

1. If you have an imaging solution, you can set up the new name (
ad.example.com) on the new (even virtual!) DC (dc1.ad.example.com), and
have your new images join the new domain
2. Use the AD DNS as your network's main DNS server, and simply have it
forward requests it doesn't know to your ISP (or other) DNS server. This
requires the least amount of downtime for your users, and they likely won't
notice a change.

On Thu, Oct 12, 2017 at 11:35 AM, Pat Suwalski via samba <
[hidden email]> wrote:

> On 2017-10-12 02:26 PM, Luke Barone via samba wrote:
>
>> - If we want something else to resolve, we add an A record (i.e.
>> mail.ad.district.com IN A 192.168.0.5) or a CNAME record (i.e.
>> mail.ad.district.com IN CNAME mail.district.com)
>>
>
> Right, so you have the ad.x subdomain as well. That's what we don't have,
> and it seems it would require starting from scratch to implement it.
>
>
> --Pat
>

Re: Samba AD Best Practice (DNS)

Samba - General mailing list
Pat

There's no such thing as "best practice" - there's good and bad
practice and I hope that here (Samba ML) you will get some good advice,
in return for a good question.

The environment you describe, to me, implies that it would be best if
you simply "fit in". You can but it will take a bit of work (not too
much).  It does not matter where DNS comes from, provided it gives the
correct answers to client queries.  So, you will have to get your new
Samba DC's DNS records set up on the dnsmasq system.  I don't think
that dnsmasq can do dynamic DNS apart from perhaps registering DHCP
leases as DNS entries.  You will also have to set the gateway as your
Samba box's DNS in /etc/resolv.conf (or via resolvconf) and not use the
Samba DNS implementation.

The whole point of this is that it is generally a good (maybe not the
best in all cases) idea to have all systems on one network to have a
single view of DNS.  Your colleagues seem to have already stipulated
dnsmasq and I would roll with that - fit in.  It's not my preferred
solution but will work fine with some care.

Before you get going with Samba, the box must have time in sync with
the other DCs and be able to DNS resolve all the relevant addresses.

# ntpq -p

$ dig example.co.uk

Should return DC IPs

You'll need this lot:

https://blogs.msdn.microsoft.com/servergeeks/2014/07/12/dns-records-that-are-required-for-proper-functionality-of-active-directory/

Test with eg:

$ dig _ldap._tcp.pdc._msdcs.example.co.uk SRV

That should return the IP address of the box with the PDC emulator
role.  That box probably should also be your preferred ntp host unless
everything is virtual and you have a well designed ntp setup on
physical hosts with decent clocks and ntp sync.  Don't get too hung up
on this bit though - a second or two either way is good enough for now.

# net ads info

This should imply that things are good to go, based on your smb.conf,
resolv.conf and probably krb5.conf, before you do any AD fiddling.

Now, for my money, I'd be content with being a domain member first
before adding another DC unless you are doing it for redundancy
reasons.

Cheers
Jon


On Thu, 2017-10-12 at 14:00 -0400, Pat Suwalski via samba wrote:

> On 2017-10-12 12:30 PM, Rowland Penny via samba wrote:
> > It might help if you described your network.
>
> I thought I went into detail in the first message:
>
>
> For this example:
> - Network: 172.18.0.0/24
> - Domain: network.ca
> - AD server: ad.network.ca, 172.18.0.20
> - Gateway/DNS: 172.18.0.1
>
> The gateway is running as the main DNS server, and has the various
> underscore ("_") entries required for Windows to find the Active
> Directory. It sends "172.18.0.1" as the DNS option over its DHCP
> server.
> The samba AD server has its DNS forwarder set to "172.18.0.1".
>
>
> The only thing to add is that 172.18.0.1 runs dnsmasq. samba is used
> with Windows Desktops for AD and home shares, and with Linux servers
> for
> AD with sssd (samba's Winbind wasn't quite there when this was set
> up).
> Nothing really relies on DNS from samba; unless you know something
> about
> this point that I do not.
>
> I could also manually add the local entries to samba's DNS. Not
> crazy
> about this option.
>
> Thanks,
> --Pat
>
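Jon's advice is to get the DC's underscore records onto the dnsmasq box and check them before going further. As an added example (not from the thread, Samba or dnsmasq), the Python below parses dnsmasq `srv-host=` lines and reports the core AD SRV records that are missing or carry the wrong target or port; the domain, DC name and config fragment are constructed from the thread's example, and the record list is the core set from the Microsoft article Jon linked, without the site-specific or GUID-based names.

```python
import re
DOMAIN = "network.ca"       # the thread's example domain (constructed)
DC_HOST = "ad.network.ca"   # the thread's example DC (constructed)
# Core SRV names a Windows client uses to locate a DC, with the port each
# must carry. Site-specific (_sites) and GUID-based names are omitted.
REQUIRED_SRV = {
    f"_ldap._tcp.{DOMAIN}": 389,
    f"_ldap._tcp.dc._msdcs.{DOMAIN}": 389,
    f"_ldap._tcp.pdc._msdcs.{DOMAIN}": 389,
    f"_kerberos._tcp.{DOMAIN}": 88,
    f"_kerberos._udp.{DOMAIN}": 88,
    f"_kerberos._tcp.dc._msdcs.{DOMAIN}": 88,
    f"_kpasswd._tcp.{DOMAIN}": 464,
    f"_kpasswd._udp.{DOMAIN}": 464,
    f"_gc._tcp.{DOMAIN}": 3268,
}
# dnsmasq syntax: srv-host=<name>,<target>[,<port>[,<priority>[,<weight>]]]
SRV_LINE = re.compile(r"^\s*srv-host=([^,\s]+),([^,\s]*)(?:,(\d+))?")

def parse_srv_hosts(config_text):
    """Map each srv-host name to (target, port); a missing port is 0."""
    records = {}
    for line in config_text.splitlines():
        m = SRV_LINE.match(line)
        if m:
            records[m.group(1).lower()] = (m.group(2).lower(), int(m.group(3) or 0))
    return records

def audit(config_text, dc_host=DC_HOST):
    """List missing names, wrong targets and wrong ports, in REQUIRED_SRV order."""
    found = parse_srv_hosts(config_text)
    problems = []
    for name, port in REQUIRED_SRV.items():
        if name not in found:
            problems.append(f"missing {name}")
            continue
        target, got_port = found[name]
        if target != dc_host.lower():
            problems.append(f"{name}: target {target}, expected {dc_host}")
        if got_port != port:
            problems.append(f"{name}: port {got_port}, expected {port}")
    return problems

# Constructed dnsmasq.conf fragment: several names missing, one port mistyped.
SAMPLE_CONF = """\
srv-host=_ldap._tcp.network.ca,ad.network.ca,389
srv-host=_ldap._tcp.dc._msdcs.network.ca,ad.network.ca,389
srv-host=_kerberos._tcp.network.ca,ad.network.ca,88
srv-host=_kpasswd._udp.network.ca,ad.network.ca,446
"""
```

Run `audit()` over the real dnsmasq.conf (or the files under its `conf-dir`) and an empty list means every core record is present; `dig <name> SRV @172.18.0.1` then confirms what the server actually answers.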