DNS/AD/steam cache for multiple subnets

I am trying to centralise the user account management with Active Directory (currently using the turnkey-linux-domain-controller LXC container) across two different subnets and so far, I have been able to get my dc1 to respond to AD requests from one of my subnets, but not the other.

How do I make the LDAP DSE lookup check the AD server via two different subnets?

If the turnkey-domain-controller isn’t the best software to use, I am open to using something else like Zentyal if need be. (Or Pi-Hole).

Ultimately, I would like to have:

Over two different subnets:

  1. lancache.net (steam cache) to be able to respond to requests coming in from either and/or both subnets

  2. AD to serve user accounts requests coming in from either and/or both subnets

  3. Host my own local DNS for locally hosted services (again, need to be accessible from two subnets)

  4. Connect to the outside internet

I appreciate any suggestions or thoughts that you might be able to provide.

Thank you.

Steam supports lancache. In short, all you need is to configure the DNS server you get with Windows AD to resolve lancache.steamcontent.com to your lancache server/address.

You could use a hosts file entry on the client, and it’ll work.


… if you don’t want to do that, then it gets more complex.

The next simplest way to get lancache for Steam working is to set up the Windows DNS server to forward all of .lancache.net upstream to the DNS server that lancache ships with.


But… if you want to do many other things with DNS, you probably want a DNS server that isn’t the Windows DNS server, and have it just send all upstream stuff to your own DNS server (e.g. I just run AdGuard Home in a container), which takes care of internet stuff reasonably well, has a web UI for configuration, and lets me put just enough overrides in place. For example, I have [/tail12345.ts.net/]100.100.100.100 in place in AdGuard in order to get Tailscale MagicDNS to work.

You could do [/lancache.steamcontent.com/]192.168.123.234 in AdGuard Home.

2 Likes

That’s what I figured that I would have to do.

The question is “how do I get everything working/playing nicely together?” (i.e. the sequence of the DNS requests)

Should it be AD first (to login) → then lancache (steam) → then DNS (for everything else, local and WAN sites/services) or would it be backwards?

This is the part that I am not so sure on.

I would imagine that running Pi-Hole would be similar to running AdGuard, correct?

Is there a reason why you went with AdGuard instead of running with Pi-Hole? (I’m not married to any particular solution. I just want to learn the pros and cons of each solution – and why people pick one over another or if they are, effectively, identical in features, performance, and capabilities.)

probably easier, yes. (see Configure Forwarders section)

  • Supports DNSSEC, DoT/DoH, DNSCrypt, etc. out of the box.
  • Makes parallel requests to multiple upstreams, using whichever is quicker.
  • Isn’t a full-blown operating system; basically it’s just a single binary, and it runs just fine in a simple Docker container without needing a VM, tons of RAM, or a complex setup process.

I run Caddy in front of it to get auth and HTTPS for its web UI, but you definitely don’t have to do that; just follow the install instructions.

1 Like
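The question above about the "sequence" of DNS requests (AD first, then lancache, then everything else) is really a question about how one resolver forwards by zone: the client only ever asks one resolver, and that resolver decides per query where it goes. The following is an added example, not AdGuard Home's, lancache's or any poster's code. It models AdGuard Home's `[/domain/]server` upstream syntax and its DNS rewrites in plain Python so the routing decision can be run and checked offline. The entries for lancache.steamcontent.com, .lancache.net and tail12345.ts.net come from the replies above; the AD zone `ad.example.lan`, the DC address 10.0.1.10, the lancache DNS address 192.168.123.235 and the catch-all upstream 9.9.9.9 are assumptions for illustration.

```python
"""Zone-based forwarding on one resolver, modelled so it can be tested offline.

Added example, not AdGuard Home's, lancache's or any poster's code. It parses
the '[/domain/]server' upstream syntax AdGuard Home accepts (the same shape as
dnsmasq's server=/domain/ip), applies AdGuard-style DNS rewrites, and reports
where each query would go. From the thread: lancache.steamcontent.com ->
192.168.123.234, .lancache.net -> the DNS server lancache ships with, and
tail12345.ts.net -> 100.100.100.100. Assumed for illustration only: the AD
zone ad.example.lan served by a DC at 10.0.1.10, lancache's DNS at
192.168.123.235, and 9.9.9.9 as the catch-all upstream.
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field

# "[/lancache.net/]192.168.123.235" -> domain="lancache.net", server="192.168.123.235"
_UPSTREAM_RE = re.compile(r"^\[/(?P<domain>[^/\]]+)/\](?P<server>\S+)$")


def _norm(name: str) -> str:
    """Lower-case and drop the trailing dot so 'DC1.AD.EXAMPLE.LAN.' still matches."""
    return name.lower().rstrip(".")


def _suffixes(name: str):
    """Yield the name and then each parent zone: a.b.c -> a.b.c, b.c, c."""
    labels = name.split(".")
    for i in range(len(labels)):
        yield ".".join(labels[i:])


@dataclass
class Resolver:
    default_upstream: str
    zone_upstreams: dict[str, str] = field(default_factory=dict)  # zone -> server
    rewrites: dict[str, str] = field(default_factory=dict)        # name or *.zone -> IP

    @classmethod
    def from_config(cls, upstream_lines: list[str], rewrites: dict[str, str]) -> "Resolver":
        default = None
        zones: dict[str, str] = {}
        for raw in upstream_lines:
            line = raw.strip()
            if not line or line.startswith("#"):
                continue
            m = _UPSTREAM_RE.match(line)
            if m:
                zones[_norm(m["domain"])] = m["server"]
            elif default is None:
                default = line  # a plain server is the catch-all
            else:
                # AdGuard Home can race several catch-all upstreams; this model keeps one.
                raise ValueError(f"only one catch-all upstream is modelled: {line}")
        if default is None:
            raise ValueError("no catch-all upstream configured")
        return cls(default, zones, {_norm(k): v for k, v in rewrites.items()})

    def route(self, qname: str) -> tuple[str, str]:
        """Decide one query: ('rewrite', ip) answered locally, or ('forward', server)."""
        q = _norm(qname)
        # 1. Rewrites are checked before any upstream: exact name first, then *.zone.
        if q in self.rewrites:
            return ("rewrite", self.rewrites[q])
        for parent in list(_suffixes(q))[1:]:
            if "*." + parent in self.rewrites:
                return ("rewrite", self.rewrites["*." + parent])
        # 2. The most specific configured zone wins (longest suffix match), which is
        #    what sends _ldap._tcp.dc._msdcs.<ad zone> SRV lookups to the DC.
        for suffix in _suffixes(q):
            if suffix in self.zone_upstreams:
                return ("forward", self.zone_upstreams[suffix])
        # 3. Everything else goes to the catch-all upstream.
        return ("forward", self.default_upstream)


# Constructed configuration (see the docstring for which entries are assumed).
UPSTREAMS = [
    "9.9.9.9",                              # assumed catch-all public resolver
    "[/ad.example.lan/]10.0.1.10",          # assumed AD zone -> the DC
    "[/lancache.net/]192.168.123.235",      # lancache's own DNS (address assumed)
    "[/tail12345.ts.net/]100.100.100.100",  # from the thread: Tailscale MagicDNS
]
REWRITES = {"lancache.steamcontent.com": "192.168.123.234"}  # from the thread

RESOLVER = Resolver.from_config(UPSTREAMS, REWRITES)


def route_all(names: list[str]) -> dict[str, tuple[str, str]]:
    """Route every name in one pass; handy for eyeballing a whole client session."""
    return {n: RESOLVER.route(n) for n in names}


if __name__ == "__main__":
    session = [
        "_ldap._tcp.dc._msdcs.ad.example.lan",  # what a domain logon asks for first
        "dc1.ad.example.lan",
        "lancache.steamcontent.com",
        "cache.lancache.net",
        "laptop.tail12345.ts.net",
        "store.steampowered.com",
    ]
    for name, (action, target) in route_all(session).items():
        print(f"{name:40} {action:8} {target}")
```

Two practical consequences fall out of this model. First, there is no client-side order to get right: every machine on both subnets points at this one resolver (or at a second instance with the same configuration), and the resolver, the DC and the lancache box all have to be reachable from both subnets. Second, the AD zone must be forwarded as a whole, because domain logon starts with SRV lookups such as `_ldap._tcp.dc._msdcs.<zone>` that only the DC can answer; keep that zone out of any blocklists the resolver applies.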

Thank you.

I’ll look into that.

The issue that I am running into now is that there are quite a number of tutorials and videos on how to set up and configure the FIRST AD DC in Linux (various flavours of Linux), but so far, I haven’t found a single tutorial/video on how to make sure that the second AD DC joins the first one properly, especially if they reside/work on/with different subnets.

(I’ve tried both the turnkey linux domain controller and I am now testing out Zentyal in a VM, and both of them have been given dual NICs with the hope/theory that they should be able to “talk” to each other on the different, respective subnets; but I haven’t had a lot of luck with that.)

With that being said, how do people have multiple AD DCs work with/on different subnets???

Or should I bite the bullet and deploy it “properly” with some flavour of Windows Server?

Does this necessarily imply that Pi-Hole can’t do these things or can’t do these things as well as AdGuard?

I’m just curious.

Maybe a routing issue? I’m more familiar with Windows networking, but basically you want to make sure that a ping will reach the other subnet. If it doesn’t, then take a look at the route table, i.e. route print should show the gateway that it’s going to send the traffic through. In a dual-NIC setup you may need to add a route through the secondary NIC as, by default, ALL traffic will go through your default gateway on the primary NIC.

I can see having a dual-NIC setup as an option, but if your router is doing its job correctly then you shouldn’t need to bother with it. Both subnets should be reachable via the router, with every machine on every subnet using it as its default gateway, and then all traffic is centralized to the router, which then orchestrates the subnet routing.
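The point about the route table above (a dual-NIC host sends everything to the default gateway on its primary NIC unless a more specific route exists) is easiest to see by applying the selection rule a real route table uses. The following is an added example, not from the thread or from any OS tool; all addresses and interface names in it are assumed for illustration: eth0 is 192.168.1.10/24 with default gateway 192.168.1.1, eth1 is 192.168.2.10/24 on the second subnet, and a further network 192.168.3.0/24 sits behind a router at 192.168.2.1 that is only reachable via eth1.

```python
"""Which NIC and gateway a dual-homed host picks for a destination.

Added example, not from the thread or from any OS tool. It applies the rule
every route table uses (longest matching prefix, then lowest metric) to a
small table modelled on the dual-NIC domain controller described above.
All addresses and interface names are assumed for illustration: eth0 is
192.168.1.10/24 with default gateway 192.168.1.1, eth1 is 192.168.2.10/24 on
the second subnet, and a further network 192.168.3.0/24 sits behind router
192.168.2.1, which is only reachable via eth1.
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    dev: str
    via: str | None = None  # None means directly connected (on-link)
    metric: int = 0


def make_route(cidr: str, dev: str, via: str | None = None, metric: int = 0) -> Route:
    return Route(ipaddress.ip_network(cidr, strict=False), dev, via, metric)


def select_route(table: list[Route], dst: str) -> Route:
    """Longest-prefix match, ties broken by lowest metric."""
    d = ipaddress.ip_address(dst)
    candidates = [r for r in table if d in r.prefix]
    if not candidates:
        raise LookupError(f"no route to {dst}")
    return min(candidates, key=lambda r: (-r.prefix.prefixlen, r.metric))


def next_hop(table: list[Route], dst: str) -> tuple[str, str | None]:
    """(interface, gateway) the packet leaves on; gateway None = delivered on-link."""
    r = select_route(table, dst)
    return (r.dev, r.via)


def linux_add_cmd(r: Route) -> str:
    """The 'ip route add' line that installs this route on Linux."""
    via = f" via {r.via}" if r.via else ""
    return f"ip route add {r.prefix}{via} dev {r.dev}"


def windows_add_cmd(r: Route) -> str:
    """The equivalent 'route add' line on Windows ('route -p add ...' makes it persistent)."""
    if r.via is None:
        raise ValueError("on-link routes come from the interface address, not 'route add'")
    return f"route add {r.prefix.network_address} mask {r.prefix.netmask} {r.via}"


# Constructed tables: what the dual-NIC host has by default, and after adding the route.
DEFAULT_TABLE = [
    make_route("0.0.0.0/0", "eth0", via="192.168.1.1"),  # default gateway on the primary NIC
    make_route("192.168.1.0/24", "eth0"),                # eth0's own subnet
    make_route("192.168.2.0/24", "eth1"),                # eth1's own subnet
]
EXTRA_ROUTE = make_route("192.168.3.0/24", "eth1", via="192.168.2.1")
FIXED_TABLE = DEFAULT_TABLE + [EXTRA_ROUTE]


if __name__ == "__main__":
    for dst in ("192.168.2.50", "192.168.3.50", "8.8.8.8"):
        print(f"{dst:14} default table -> {next_hop(DEFAULT_TABLE, dst)}  "
              f"with extra route -> {next_hop(FIXED_TABLE, dst)}")
    print(linux_add_cmd(EXTRA_ROUTE))
    print(windows_add_cmd(EXTRA_ROUTE))
```

Hosts on the directly connected second subnet are reached on-link through eth1 without any extra configuration; it is only networks behind the second subnet's router that fall through to the default gateway on eth0 until a specific route is added. If the primary-NIC gateway does not know how to reach that network, the ping from the reply above fails, and that is the symptom to look for in `route print` or `ip route`.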

Thank you.

Two things:

  1. I was wanting the AD DC to be the “central point” where the two subnets would come together.

  2. The two subnets are physically separated with two physically separate routers. One subnet goes through a VPN and the other doesn’t.

For what I am trying to do with centralising the user accounts, DNS, and steam cache (the latter two of which are closely interconnected), what I am trying to avoid, because one subnet goes through a VPN and the other doesn’t, is needing two separate AD DCs (one for each subnet) and then having to manually sync up the two AD DCs (which, with 6 user accounts, isn’t terrible, but if there is a smarter way to do this, then I would prefer to learn from the experts).

It is my understanding that because of this layout - that even managed L2 switches with VLAN tagging won’t be able to effectively separate out traffic that runs through said VPN from traffic that doesn’t. (I don’t think that I can connect two routers to a single 48-port GbE L2 managed switch and VLAN tag the traffic such that it will understand that half of it goes through a VPN whilst the other half does not.)

But if I am incorrect in my assumptions, please educate me as this is all a learning experience for me.

Thank you.

(sidebar: I’ve now tried both the Turnkey linux domain controller and Zentyal.

Turnkey linux domain controller – I can’t get the second DC to join the first AD DC.

I get the NT_STATUS_NO_TRUST_SAM_ACCOUNT error message. I tried googling that, then tried manually enabling it, and also read up on and tried deploying Samba as the AD DC and then having the second one join the first (manually) following the Samba wiki, and none of that worked.

For Zentyal, I was able to get the second AD DC to join the first AD DC, so that part worked.

But in Ubuntu 20.04, I think the success rate of a domain user being able to log in successfully is something like 2% right now. Something like that. (Out of about 50 attempts, only 1 went through.)

I did install the required packages for sssd and adcli, etc. and I was able to join the realm, but that’s about as far as that goes, in any consistent manner.

Logging on with Ubuntu is mostly a no-go.

Windows 10, on the other hand – I have no problems with that.

Might have to bite the bullet and deploy Windows Server 2019 to see if I might have more luck with that.)