Joining (NethServer) member to another NethServer AD/DC

I want to share some implementation details in the hope of evaluating how NS has to be deployed.

In NethServer we run dnsmasq as DNS service daemon. In a typical scenario it’s configured to only forward requests to a primary and an (optional) secondary upstream DNS server. The local resolv.conf points to 127.0.0.1, so the localhost itself behaves exactly like any host in the LAN that uses NethServer as DNS.

When NethServer joins an AD domain (be it local or remote, Samba or MS), DNS requests for the domain are sent to the AD DNS. This is configured by

In the case above, we join a NethServer (member) to another NethServer (dc): what is the DNS IP?

We could pick

  1. any IP address of the dc’s green interface(s), corresponding to the dnsmasq that forwards requests to nsdc
  2. the IP address of the nsdc container itself, corresponding to the samba4-dc instance

Both should work, but…

  • if we pick 1, the member server can also see any host defined on the NethServer dc from the server-manager DNS page. If it runs as DNS/DHCP server this is desirable, but I don’t know if this leads to problems for AD!

  • if we pick 2, we are surely more compliant with AD, but we lose extra DHCP/DNS records set on the server-manager

Can you help me in investigating these scenarios? :spy: /cc @quality_team @fasttech @JeffBales

2 Likes
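For readers who want to see the mechanism behind "DNS requests for the domain are sent to the AD DNS", here is an added illustration in dnsmasq syntax (not NethServer’s own template; the realm and addresses are constructed sample values): a per-domain `server=/domain/ip` rule forwards only the AD zone (and its reverse zone) to the DC, while everything else goes to the normal upstream resolvers. Pointing the rule at the nsdc address corresponds to choice 2 for the member; clients that use the NethServer dnsmasq itself are in choice 1.

```conf
# Added example, not NethServer's generated dnsmasq.conf. Sample values:
#   ad.example.org  = AD realm/zone
#   192.0.2.10      = nsdc container (Samba internal DNS)
#   203.0.113.53/54 = primary / secondary upstream resolvers

# Forward only the AD zone and the reverse zone of the AD subnet to the DC.
server=/ad.example.org/192.0.2.10
server=/2.0.192.in-addr.arpa/192.0.2.10

# Everything else goes to the configured upstream servers.
server=203.0.113.53
server=203.0.113.54
```

The forward/reverse pair matters for the Kerberos concern raised later in the thread: a client resolving the DC name through this dnsmasq must get the same host/IP association the DC itself publishes, and the reverse zone keeps that association consistent in both directions.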

I will test it this weekend. I’m also confused because in my Win7 I used the main NethServer IP address and not the IP of the NSDC container itself, and it still connected to the domain. That’s one of the problems that kept me from sleeping last night :sleeping:

so you picked 1! That’s fine, I hope it becomes the standard way… Does Win7 set IP by DHCP? Is NS the DHCP server? Let’s wait until the lease expires and see…

Oh lord… is anyone documenting this… ?

1 Like

It doesn’t seem to matter whether I picked the IP address of the main NethServer or the IP address of the nsdc container. They could join the domain by using either one for the DNS IP address of Win7 and the NethServer domain member, and they could see all servers and their shares with either DNS IP.

I’d rather use the IP address of the nsdc container because it is more compliant with AD.

@davidep - you said that if we use the IP address of the nsdc container we lose extra DHCP/DNS records. Microsoft does allow you more than one DNS record. To make NethServer more competitive, can we add either 1) more places for DNS records or 2) something like this: “Click to add more DNS records”?

1 Like

Win7 and the domain member could also see the Internet with either one I picked.

1 Like

Sorry I don’t get you! :confused:

Can you provide an example or a URL to help me? Do you mean setting up a secondary DNS on the client side?

Of course, the Samba provision process in nsdc has the dns forwarder option set. However, once nsdc has started for the first time, that is never updated! This is configured by

https://github.com/NethServer/nethserver-dc/blob/master/root/etc/e-smith/templates/var/lib/machines/nsdc/etc/sysconfig/samba-provision/10base#L3

and

https://github.com/NethServer/nethserver-dc/blob/master/root/var/lib/machines/nsdc/etc/systemd/system/samba-provision.service#L17

My concerns here are about Kerberos. I guess we must ensure that services of the network are provided by host/IP associations that never change. This is true for services hosted by NS itself, but could be false for other servers of the network.

https://web.mit.edu/kerberos/krb5-1.12/doc/admin/princ_dns.html

After a server has been joined to AD, any modification to the DNS server in nsdc must be done manually, with the samba-tool command.
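To make the choice between the two DNS IPs testable rather than a matter of taste, here is an added check script (not NethServer code, written for this thread): it asks each candidate DNS server for the records an AD member and Kerberos client actually depend on (the `_ldap._tcp.dc._msdcs`, `_kerberos` and `_kpasswd` SRV names plus the DC’s A record, the host/IP association the Kerberos concern above is about) and reports any server that returns nothing or disagrees with the others. The live resolver assumes `dig` is installed; the realm, host name and addresses in the sample table are constructed, with 192.0.2.1 standing for the NethServer green interface (choice 1) and 192.0.2.10 for the nsdc container (choice 2).

```python
"""Added example (not NethServer code): compare how candidate DNS servers
answer the records an AD domain member and Kerberos client depend on.
Assumes `dig` is available for live queries; sample data below is constructed.
"""
import subprocess
import sys
from typing import Callable, Dict, List, Tuple

# resolve(name, rtype, server) -> sorted answer strings ([] means no answer)
Resolver = Callable[[str, str, str], List[str]]


def dig_resolver(name: str, rtype: str, server: str, timeout: int = 3) -> List[str]:
    """Query one DNS server directly with dig and return its +short answers."""
    cmd = ["dig", "+short", f"+time={timeout}", "+tries=1", rtype, name, f"@{server}"]
    proc = subprocess.run(cmd, capture_output=True, text=True, check=False)
    return sorted(line.strip() for line in proc.stdout.splitlines() if line.strip())


def ad_records(realm: str, dc_fqdn: str) -> List[Tuple[str, str]]:
    """Standard AD names a member looks up: DC locator, KDC, kpasswd, DC address."""
    realm = realm.lower()
    return [
        (f"_ldap._tcp.dc._msdcs.{realm}", "SRV"),
        (f"_kerberos._tcp.{realm}", "SRV"),
        (f"_kerberos._udp.{realm}", "SRV"),
        (f"_kpasswd._tcp.{realm}", "SRV"),
        (dc_fqdn, "A"),  # the host/IP association Kerberos tickets are bound to
    ]


def compare_servers(realm, dc_fqdn, servers, resolve: Resolver = dig_resolver):
    """Ask every candidate server for every record: {(name, type): {server: answers}}."""
    return {
        (name, rtype): {srv: resolve(name, rtype, srv) for srv in servers}
        for name, rtype in ad_records(realm, dc_fqdn)
    }


def find_problems(report):
    """List (name, rtype, server, reason) for missing or inconsistent answers."""
    problems = []
    for (name, rtype), answers in report.items():
        for srv, recs in answers.items():
            if not recs:
                problems.append((name, rtype, srv, "no answer"))
        if len({tuple(r) for r in answers.values() if r}) > 1:
            problems.append((name, rtype, "*", "servers disagree"))
    return problems


# Constructed sample: 192.0.2.1 = dnsmasq on the NethServer green interface
# (choice 1), 192.0.2.10 = the nsdc container (choice 2). In GOOD, dnsmasq
# forwards the realm to nsdc, so both answer alike; in BROKEN the forward for
# the realm is missing, so dnsmasq has nothing for the AD service names.
REALM, DC = "ad.example.org", "nsdc.ad.example.org"
NSDC_ANSWERS = {
    (f"_ldap._tcp.dc._msdcs.{REALM}", "SRV"): ["0 100 389 nsdc.ad.example.org."],
    (f"_kerberos._tcp.{REALM}", "SRV"): ["0 100 88 nsdc.ad.example.org."],
    (f"_kerberos._udp.{REALM}", "SRV"): ["0 100 88 nsdc.ad.example.org."],
    (f"_kpasswd._tcp.{REALM}", "SRV"): ["0 100 464 nsdc.ad.example.org."],
    (DC, "A"): ["192.0.2.10"],
}
GOOD = {"192.0.2.1": NSDC_ANSWERS, "192.0.2.10": NSDC_ANSWERS}
BROKEN = {"192.0.2.1": {(DC, "A"): ["192.0.2.10"]}, "192.0.2.10": NSDC_ANSWERS}


def stub_resolver(table: Dict[str, Dict[Tuple[str, str], List[str]]]) -> Resolver:
    """Offline resolver backed by a constructed answer table (for demos/tests)."""
    return lambda name, rtype, server: list(table.get(server, {}).get((name, rtype), []))


if __name__ == "__main__":
    # usage: python check_ad_dns.py REALM DC_FQDN DNS_IP [DNS_IP ...]   (live, needs dig)
    if len(sys.argv) >= 4:
        found = find_problems(compare_servers(sys.argv[1], sys.argv[2], sys.argv[3:]))
    else:  # no arguments: run the constructed BROKEN scenario offline
        found = find_problems(compare_servers(REALM, DC, list(BROKEN), stub_resolver(BROKEN)))
    for name, rtype, srv, reason in found:
        print(f"{rtype:4} {name:40} {srv:12} {reason}")
    sys.exit(1 if found else 0)
```

Run it once against the NethServer green address and once against the nsdc address (or both in one invocation) from the member before joining: if choice 1 produces "no answer" for the `_msdcs`/`_kerberos` names, the dnsmasq forward for the realm is missing; if the A record "disagrees" between the two servers, a server-manager DNS entry is shadowing the DC’s own record, which is exactly the host/IP drift Kerberos cannot tolerate.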

Yes, we must find the best practice here and document it in the administrator’s manual! /cc @docs_team

How can we document it? Writing a howto isn’t the proper way for me, @davidep what are you suggesting?

As said,

You can add infinite DNS servers for the client and the servers (maybe not infinite :sunglasses:).

Win7:

Microsoft 2016 Essential Server (essentially the newest SBS server for Microsoft):

@davidep and @alefattorini

I think documenting it in the administrator’s manual is a good way to explain it.

1 Like

What is the Windows DNS client behavior when multiple DNS servers are set? Round robin? Parallel queries and the first answer wins?

It goes in order starting at the top. If the top DNS doesn’t respond, it goes down one and so on until it finds a DNS. After that it stops searching. But if that DNS stops responding, I think it starts over again; at least it can find another DNS, but whether it starts at the top I’m not sure.

@davidep What are you planning to put in the documentation? Can you put either one, or the first option, or the second option?

I don’t know… Yesterday I was talking with @giacomo about this. We agree on doing nothing for the moment because we still don’t have enough information.

We saw here both approaches work. Anyway I’d vote for 1, and I add another reason here: Samba builtin DNS is not a caching forwarder like dnsmasq AFAIK.

Let’s keep on testing and see what comes out!

1 Like

+1 for 1