Bruno Andrade
2014-Sep-08 15:33 UTC
[Samba] Starting second DC makes named to freeze on primary DC
hey,

first, I use bind 9.8.1 as my DNS backend.

Well, I have a domain controller, dc1.example.com, running correctly and with the following configurations...

== smb.conf =
[global]
        workgroup = EXAMPLE
        realm = EXAMPLE.COM
        netbios name = DC1
        server role = active directory domain controller
        idmap_ldb:use rfc2307 = yes

        server services = -dns

        dsdb:schema update allowed = true

        dos charset = ISO8859-1
        unix charset = cp850

        interfaces = vlan2
        bind interfaces only = Yes

        allow dns updates = nonsecure
        #nsupdate command = nsupdate
        #nsupdate command = /usr/bin/nsupdate -g -t 5

== named.conf =
options {
        listen-on port 53 { 127.0.0.1; 10.1.11.2; };
        listen-on-v6 port 53 { ::1; };
        directory "/var/named";
        dump-file "/var/named/data/cache_dump.db";
        statistics-file "/var/named/data/named_stats.txt";
        memstatistics-file "/var/named/data/named_mem_stats.txt";
        allow-query { any; };
        recursion yes;

        # just example
        forwarders { 8.8.8.8; };

        dnssec-enable no;
        dnssec-validation no;
        dnssec-lookaside auto;

        bindkeys-file "/etc/named.iscdlv.key";
        managed-keys-directory "/var/named/dynamic";
        tkey-gssapi-keytab "/var/lib/samba/private/dns.keytab";
};

zone "." IN {
        type hint;
        file "named.ca";
};

include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";
include "/var/lib/samba/private/named.conf";

And I have a second DC with these configurations:

== smb.conf =
[global]
        workgroup = EXAMPLE
        realm = EXAMPLE.COM
        netbios name = DC2
        server role = active directory domain controller
        server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbind, ntp_signd, kcc, dnsupdate

        interfaces = eth1
        bind interfaces only = Yes

        dsdb:schema update allowed = true

        dos charset = ISO8859-1
        unix charset = cp850

        allow dns updates = nonsecure
        #nsupdate command = nsupdate
        #nsupdate command = /usr/bin/nsupdate -g -t 5

== named.conf =
options {
        listen-on port 53 { 127.0.0.1; 10.1.1.150; };
        listen-on-v6 port 53 { ::1; };
        directory "/var/named";
        dump-file "/var/named/data/cache_dump.db";
        statistics-file "/var/named/data/named_stats.txt";
        memstatistics-file "/var/named/data/named_mem_stats.txt";
        allow-query { any; };
        recursion yes;

        forwarders { 10.1.11.2; };

        dnssec-enable no;
        dnssec-validation no;
        dnssec-lookaside auto;

        /* Path to ISC DLV key */
        bindkeys-file "/etc/named.iscdlv.key";
        tkey-gssapi-keytab "/var/lib/samba/private/dns.keytab";
};

zone "." IN {
        type hint;
        file "named.ca";
};

include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";
include "/var/lib/samba/private/named.conf";

DC1 works fine until I start samba on DC2... then named on DC1 freezes and some logs related to DNS failed updates appear in the logs.

Both DCs have samba 4.1.6 installed and bind 9.8.2.

Has anyone had problems related to this?

best regards,
Bruno.
Rowland Penny
2014-Sep-08 15:57 UTC
[Samba] Starting second DC makes named to freeze on primary DC
On 08/09/14 16:33, Bruno Andrade wrote:
> hey,
>
> first, I use bind 9.8.1 as my DNS backend.
>
> Well, I have a domain controller, dc1.example.com, running correctly
> and with the following configurations...
>
> == smb.conf =
> [global]
>         workgroup = EXAMPLE
>         realm = EXAMPLE.COM
>         netbios name = DC1
>         server role = active directory domain controller
>         idmap_ldb:use rfc2307 = yes
>
>         server services = -dns
>
>         dsdb:schema update allowed = true
>
>         dos charset = ISO8859-1
>         unix charset = cp850
>
>         interfaces = vlan2
>         bind interfaces only = Yes
>
>         allow dns updates = nonsecure
>         #nsupdate command = nsupdate
>         #nsupdate command = /usr/bin/nsupdate -g -t 5
>
> == named.conf =
> options {
>         listen-on port 53 { 127.0.0.1; 10.1.11.2; };
>         listen-on-v6 port 53 { ::1; };
>         directory "/var/named";
>         dump-file "/var/named/data/cache_dump.db";
>         statistics-file "/var/named/data/named_stats.txt";
>         memstatistics-file "/var/named/data/named_mem_stats.txt";
>         allow-query { any; };
>         recursion yes;
>
>         # just example
>         forwarders { 8.8.8.8; };
>
>         dnssec-enable no;
>         dnssec-validation no;
>         dnssec-lookaside auto;
>
>         bindkeys-file "/etc/named.iscdlv.key";
>         managed-keys-directory "/var/named/dynamic";
>         tkey-gssapi-keytab "/var/lib/samba/private/dns.keytab";
> };
>
> zone "." IN {
>         type hint;
>         file "named.ca";
> };
>
> include "/etc/named.rfc1912.zones";
> include "/etc/named.root.key";
> include "/var/lib/samba/private/named.conf";
>
> And I have a second DC with these configurations:
>
> == smb.conf =
> [global]
>         workgroup = EXAMPLE
>         realm = EXAMPLE.COM
>         netbios name = DC2
>         server role = active directory domain controller
>         server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc,
>         drepl, winbind, ntp_signd, kcc, dnsupdate
>
>         interfaces = eth1
>         bind interfaces only = Yes
>
>         dsdb:schema update allowed = true
>
>         dos charset = ISO8859-1
>         unix charset = cp850
>
>         allow dns updates = nonsecure
>         #nsupdate command = nsupdate
>         #nsupdate command = /usr/bin/nsupdate -g -t 5
>
> == named.conf =
> options {
>         listen-on port 53 { 127.0.0.1; 10.1.1.150; };
>         listen-on-v6 port 53 { ::1; };
>         directory "/var/named";
>         dump-file "/var/named/data/cache_dump.db";
>         statistics-file "/var/named/data/named_stats.txt";
>         memstatistics-file "/var/named/data/named_mem_stats.txt";
>         allow-query { any; };
>         recursion yes;
>
>         forwarders { 10.1.11.2; };
>
>         dnssec-enable no;
>         dnssec-validation no;
>         dnssec-lookaside auto;
>
>         /* Path to ISC DLV key */
>         bindkeys-file "/etc/named.iscdlv.key";
>         tkey-gssapi-keytab "/var/lib/samba/private/dns.keytab";
> };
>
> zone "." IN {
>         type hint;
>         file "named.ca";
> };
>
> include "/etc/named.rfc1912.zones";
> include "/etc/named.root.key";
> include "/var/lib/samba/private/named.conf";
>
> DC1 works fine until I start samba on DC2... then named on DC1 freezes
> and some logs related to DNS failed updates appear in the logs.
>
> Both DCs have samba 4.1.6 installed and bind 9.8.2.
>
> Has anyone had problems related to this?
>
> best regards,
> Bruno.
>

Hi, can you let us know what OS you are using? I did spot one potential problem, though this shouldn't give the problems you are having:

On dc1:
        listen-on port 53 { 127.0.0.1; 10.1.11.2; };
        forwarders { 8.8.8.8; };

On dc2:
        listen-on port 53 { 127.0.0.1; 10.1.1.150; };
        forwarders { 10.1.11.2; };

I think that this means your DCs have the addresses '10.1.11.2' & '10.1.1.150' and that you are forwarding anything that dc2 knows nothing about to dc1. dc2 should know what dc1 knows, so you need to change this; they should both forward to outside the samba AD domain.

How did you join the second DC to the first, and did you get any errors when you did so? Did you follow this page on the wiki: https://wiki.samba.org/index.php/Join_a_domain_as_a_DC

Rowland
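The forwarder mismatch Rowland points out (dc2 forwarding to dc1, while each DC should already hold the AD zones and forward only outside the domain) can be checked mechanically before a second DC is started. The script below is an added example and is not code from the thread, from Samba or from BIND. It parses the listen-on, forwarders and tkey-gssapi-keytab directives out of each DC's named.conf with a small regex parser (an assumption: it handles the options shown in the thread, not full named.conf syntax), using reduced copies of the two fragments posted above as constructed sample input, and flags a DC whose forwarder is another DC's listen address or that lacks the GSS-TSIG keytab Samba needs for its dynamic updates. The DC names "dc1" and "dc2" are labels chosen here.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

# Constructed sample input: the two "options" blocks from the thread, trimmed
# to the directives this check reads. Addresses are the ones posted.
DC1_NAMED_CONF = """
options {
        listen-on port 53 { 127.0.0.1; 10.1.11.2; };
        listen-on-v6 port 53 { ::1; };
        recursion yes;
        # just example
        forwarders { 8.8.8.8; };
        tkey-gssapi-keytab "/var/lib/samba/private/dns.keytab";
};
zone "." IN { type hint; file "named.ca"; };
"""

DC2_NAMED_CONF = """
options {
        listen-on port 53 { 127.0.0.1; 10.1.1.150; };
        listen-on-v6 port 53 { ::1; };
        recursion yes;
        forwarders { 10.1.11.2; };
        /* Path to ISC DLV key */
        tkey-gssapi-keytab "/var/lib/samba/private/dns.keytab";
};
zone "." IN { type hint; file "named.ca"; };
"""

LOOPBACK = {"127.0.0.1", "::1"}


@dataclass
class NamedOptions:
    listen_on: Set[str] = field(default_factory=set)
    forwarders: Set[str] = field(default_factory=set)
    gssapi_keytab: Optional[str] = None


def _addr_list(block: str) -> Set[str]:
    """Turn the inside of '{ a; b; }' into a set of address strings."""
    return {tok.strip() for tok in block.split(";") if tok.strip()}


def parse_named_options(text: str) -> NamedOptions:
    """Extract listen-on/listen-on-v6, forwarders and tkey-gssapi-keytab.

    Comments (#, //, /* */) are removed first so that commented-out
    directives are not mistaken for live configuration. This is a
    simplified parser (assumption), enough for the directives in the thread.
    """
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)
    text = re.sub(r"(#|//).*", "", text)
    opts = NamedOptions()
    for m in re.finditer(r"listen-on(?:-v6)?\s+(?:port\s+\d+\s+)?\{([^}]*)\}", text):
        opts.listen_on |= _addr_list(m.group(1))
    for m in re.finditer(r"forwarders\s*\{([^}]*)\}", text):
        opts.forwarders |= _addr_list(m.group(1))
    m = re.search(r'tkey-gssapi-keytab\s+"([^"]*)"', text)
    if m:
        opts.gssapi_keytab = m.group(1)
    return opts


def check_dc_forwarding(dcs: Dict[str, str]) -> List[str]:
    """Return one finding per problem across the set of DC named.conf texts.

    A DC forwarding to a peer DC of the same AD domain is flagged, because
    every DC already serves the domain zones and forwarders should point
    outside the domain. A missing tkey-gssapi-keytab is flagged because
    Samba's GSS-TSIG dynamic updates depend on it.
    """
    parsed = {name: parse_named_options(conf) for name, conf in dcs.items()}
    dc_addrs = {name: o.listen_on - LOOPBACK for name, o in parsed.items()}
    findings: List[str] = []
    for name, opts in parsed.items():
        for fwd in sorted(opts.forwarders):
            for peer, addrs in dc_addrs.items():
                if peer != name and fwd in addrs:
                    findings.append(
                        f"{name}: forwarders {{ {fwd}; }} points at peer DC {peer}; "
                        "forward to a resolver outside the AD domain instead"
                    )
        if opts.gssapi_keytab is None:
            findings.append(f"{name}: no tkey-gssapi-keytab, GSS-TSIG updates from samba will fail")
    return findings


if __name__ == "__main__":
    for line in check_dc_forwarding({"dc1": DC1_NAMED_CONF, "dc2": DC2_NAMED_CONF}):
        print(line)
```

Run against the two fragments it reports only dc2's forwarder, which is exactly the point Rowland raises; with real files, read each DC's named.conf into the dictionary in place of the embedded strings.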