Hi,
yesterday I tried to join a domain as a DC with bind9 as DNS backend on Debian Wheezy with samba 4.1.11 from backports. I followed the tutorial in the wiki https://wiki.samba.org/index.php/Join_a_domain_as_a_DC but didn't find the instructions completely clear, so perhaps I made a mistake during the join.

It is written there:
"If you choose BIND as DNS backend, instead of the internal DNS, then you, of course, have to finish this before you continue"

I could not figure out how to finish configuring bind as a backend, when the keytab file and the other bind-related files get created after joining the domain.
So I ran the join command first, and with the files created in this step I was able to get the DC up and running...

I had to manually create the A and CNAME records on the old DC like it is written in the wiki in the part "Check required DNS entries of the new host". My guess was that those entries would be replicated later on to the new DC, but that seems not to work.

When I check the name resolution of the A record on the newly joined DC it does not resolve, whereas on the old one it works fine.

AD domain is ad.hueper.de
old DC is dns2.ad.hueper.de
new DC is dns1.ad.hueper.de

dns1:~# host -t A dns1.ad.hueper.de dns2.ad.hueper.de
Using domain server:
Name: dns2.ad.hueper.de
Address: 192.168.0.2#53
Aliases:

dns1.ad.hueper.de has address 192.168.0.1

dns1:~# host -t A dns1.ad.hueper.de dns1.ad.hueper.de
Using domain server:
Name: dns1.ad.hueper.de
Address: 192.168.0.1#53
Aliases:

Host dns1.ad.hueper.de not found: 3(NXDOMAIN)

When I look at the servers using RSAT DNS Manager I can see the A record on both DNS servers, so I wonder why doesn't it resolve on the new DC?
Is it safe to delete the A and CNAME records and recreate them using RSAT?

kind regards
Tom
On 16/10/14 10:35, Thomas Kempf wrote:
> Hi,
> yesterday I tried to join a domain as a DC with bind9 as DNS backend
> on Debian Wheezy with samba 4.1.11 from backports. I followed the
> tutorial in the wiki
> https://wiki.samba.org/index.php/Join_a_domain_as_a_DC but didn't find
> the instructions completely clear, so perhaps I made a mistake during
> the join.
> It is written there:
> "If you choose BIND as DNS backend, instead of the internal DNS, then
> you, of course, have to finish this before you continue"

As far as I am concerned this is incorrect, I just install the required packages:

apt-get -t wheezy-backports install samba attr krb5-config krb5-user ntp bind9 bind9utils dnsutils winbind libpam-winbind libpam-krb5 libnss-winbind libsmbclient smbclient

Then stop any samba daemons and bind9, mv smb.conf and then join the domain as a DC:

samba-tool domain join example.com DC --realm=example.com --dns-backend=BIND9_DLZ -U administrator --password=P4ssw0rd*

This should get the DC joined to the domain, you then start samba:

service samba-ad-dc start

Now configure bind9; once this is configured, you can start bind9. At this point you should only have to make the server use itself as the nameserver by altering /etc/resolv.conf and finally add the server to the reverse zone (if you have created one).

All the DNS tests should work as expected.

Rowland
Is your first DC a Samba4 host?
Did you:

samba-tool domain join YOURDOMAIN DC -Uadministrator --realm=your.realm --dns-backend=BIND9_DLZ
samba-tool dns add your.master.dc your.realm YOUR.NEW.DC A your.new.dc.ip -Uadministrator

host -t A YOUR.NEW.DC. must show no errors!!

What about your krb5.conf?
What about:

samba-tool drs kcc -Uadministrator Your.domain.controllers ?

Ex:
samba-tool drs kcc -Uadministrator s4master.tplk.loc
Password for [TPLK\administrator]:
Consistency check on s4master.tplk.loc successful.

Daniel Müller
Head of IT (EDV)
Tropenklinik Paul-Lechler-Krankenhaus
Paul-Lechler-Str. 24
72076 Tübingen
Tel.: 07071/206-463, Fax: 07071/206-499
eMail: mueller at tropenklinik.de
Internet: www.tropenklinik.de

-----Original Message-----
From: samba-bounces at lists.samba.org [mailto:samba-bounces at lists.samba.org] On behalf of Thomas Kempf
Sent: Thursday, 16 October 2014 11:35
To: samba at lists.samba.org
Subject: [Samba] DNS Issues when joining a Domain as a DC
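Thomas's two host queries and Daniel's "host -t A YOUR.NEW.DC. must show no errors" both come down to asking every DC the same question and comparing the answers. The script below is an added example, not from this thread or the Samba project: it wraps host(1) so the check is done per record and per server, and the DC names, realm and objectGUID are placeholders you supply.

```shell
#!/bin/sh
# Added example (not from the Samba wiki or this thread): ask every DC for the
# same record and flag the server that disagrees, which is what the NXDOMAIN
# from dns1 next to the good answer from dns2 above amounts to.
# Usage: ./dc_dns_check.sh <type> <name> <dc1> <dc2> ...
#   e.g. ./dc_dns_check.sh A dns1.ad.hueper.de dns2.ad.hueper.de dns1.ad.hueper.de
#   For the GUID CNAME the wiki asks for: CNAME <objectGUID>._msdcs.<realm> <dcs...>
#   (<objectGUID> is the new DC's GUID from the join output; placeholder here).

# Query one server with host(1) and reduce its output to a single token:
# the address or alias target, or NXDOMAIN / NOANSWER when nothing came back.
dc_dns_answer() {
    rtype=$1; name=$2; server=$3
    out=$(host -t "$rtype" "$name" "$server" 2>&1) || true   # host exits 1 on NXDOMAIN
    case $out in
        *"has address "*)     printf '%s\n' "$out" | sed -n 's/.*has address //p' | head -n 1 ;;
        *"is an alias for "*) printf '%s\n' "$out" | sed -n 's/.*is an alias for //p' | head -n 1 ;;
        *NXDOMAIN*)           echo NXDOMAIN ;;
        *)                    echo NOANSWER ;;
    esac
}

# Ask every DC given on the command line for the same record. Prints one line
# per server and returns 0 only when all servers agree on a real answer.
dc_dns_consistent() {
    rtype=$1; name=$2; shift 2
    first=""; ok=0
    for server in "$@"; do
        answer=$(dc_dns_answer "$rtype" "$name" "$server")
        printf '%-6s %-40s %-24s %s\n' "$rtype" "$name" "$server" "$answer"
        case $answer in
            NXDOMAIN|NOANSWER) ok=1 ;;   # a DC that cannot answer is a failure
        esac
        if [ -z "$first" ]; then
            first=$answer
        elif [ "$answer" != "$first" ]; then
            ok=1                         # DCs disagree: record not replicated
        fi
    done
    if [ "$ok" -eq 0 ]; then
        echo "OK: all servers agree"
    else
        echo "MISMATCH: check the record / replication on the failing server"
    fi
    return $ok
}

# Run only when type, name and at least one server were given, so that
# sourcing the file just defines the functions.
if [ "$#" -ge 3 ]; then
    dc_dns_consistent "$@"
fi
```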
The Debian version of samba in backports (4.1.11) does not create the DC hostname correctly in the DNS. The first DC is ok, but every other join is missing important DNS settings.
I advise to use the SerNet samba version 4.1.12, which works perfectly for the DC servers. A member server can be samba backports. I have tested this a week ago.
You may want to try my scripts or have a look in the scripts at what is done there.
https://secure.bazuin.nl/scripts/

Greetz,

Louis

>-----Original message-----
>From: listen at hueper.de [mailto:samba-bounces at lists.samba.org]
>On behalf of Thomas Kempf
>Sent: Thursday 16 October 2014 11:35
>To: samba at lists.samba.org
>Subject: [Samba] DNS Issues when joining a Domain as a DC
Hello Thomas,

On 16.10.2014 at 11:35, Thomas Kempf wrote:
> yesterday I tried to join a domain as a DC with bind9 as DNS backend on
> Debian Wheezy with samba 4.1.11 from backports. I followed the tutorial
> in the wiki https://wiki.samba.org/index.php/Join_a_domain_as_a_DC but
> didn't find the instructions completely clear, so perhaps I made a mistake
> during the join.
>
> It is written there:
> "If you choose BIND as DNS backend, instead of the internal DNS, then
> you, of course, have to finish this before you continue"

You are right. I fixed the wording:

If you choose BIND as DNS backend, instead of the internal DNS, then you, of course, have to install BIND before you continue.

Regards,
Marc