On Sun, 10 May 2015, Rowland Penny wrote:> can you post your named conf files.Sure. This is samba's: dlz "AD DNS Zone" { database "dlopen /mnt/domain/samba/europa/lib/bind9/dlz_bind9_9.so"; }; and this is BIND's (notice the last line commented out): options { directory "/var/named"; dump-file "/var/named/data/cache_dump.db"; statistics-file "/var/named/data/named_stats.txt"; forwarders {132.236.56.250; 128.253.180.2;}; tkey-gssapi-keytab "/mnt/domain/samba/europa/private/dns.keytab"; allow-recursion { 10.22.200.0/23; 10.84.104.0/26; 192.168.4.0/22; 192.168.12.0/22; 192.168.16.0/22; }; }; controls { inet 127.0.0.1 allow { localhost; }; }; zone "." IN { type hint; file "named.ca"; }; zone "icse.cornell.edu" IN { type master; notify no; file "named.icse.cornell.edu"; }; zone "104.84.10.in-addr.arpa" IN { type master; notify no; file "named.10.84.104"; }; zone "200.22.10.in-addr.arpa" IN { type master; notify no; file "named.10.22.200"; }; zone "201.22.10.in-addr.arpa" IN { type master; notify no; file "named.10.22.201"; }; zone "4.168.192.in-addr.arpa" IN { type master; notify no; file "named.192.168.4"; }; zone "5.168.192.in-addr.arpa" IN { type master; notify no; file "named.192.168.5"; }; zone "6.168.192.in-addr.arpa" IN { type master; notify no; file "named.192.168.6"; }; zone "7.168.192.in-addr.arpa" IN { type master; notify no; file "named.192.168.7"; }; zone "8.168.192.in-addr.arpa" IN { type master; notify no; file "named.192.168.8"; }; zone "9.168.192.in-addr.arpa" IN { type master; notify no; file "named.192.168.9"; }; zone "10.168.192.in-addr.arpa" IN { type master; notify no; file "named.192.168.10"; }; zone "11.168.192.in-addr.arpa" IN { type master; notify no; file "named.192.168.11"; }; zone "12.168.192.in-addr.arpa" IN { type master; notify no; file "named.192.168.12"; }; zone "13.168.192.in-addr.arpa" IN { type master; notify no; file "named.192.168.13"; }; zone "14.168.192.in-addr.arpa" IN { type master; notify no; file "named.192.168.14"; }; zone 
"15.168.192.in-addr.arpa" IN { type master; notify no; file "named.192.168.15"; }; zone "16.168.192.in-addr.arpa" IN { type master; notify no; file "named.192.168.16"; }; zone "17.168.192.in-addr.arpa" IN { type master; notify no; file "named.192.168.17"; }; zone "18.168.192.in-addr.arpa" IN { type master; notify no; file "named.192.168.18"; }; zone "19.168.192.in-addr.arpa" IN { type master; notify no; file "named.192.168.19"; }; include "/etc/rndc.key"; #include "/mnt/domain/samba/europa/private/named.conf"; -Steve
On 10/05/15 12:49, Steve Thompson wrote:> On Sun, 10 May 2015, Rowland Penny wrote: > >> can you post your named conf files. > > Sure. This is samba's: > > dlz "AD DNS Zone" { > database "dlopen /mnt/domain/samba/europa/lib/bind9/dlz_bind9_9.so"; > }; > > and this is BIND's (notice the last line commented out): > > options { > directory "/var/named"; > dump-file "/var/named/data/cache_dump.db"; > statistics-file "/var/named/data/named_stats.txt"; > forwarders {132.236.56.250; 128.253.180.2;}; > tkey-gssapi-keytab "/mnt/domain/samba/europa/private/dns.keytab"; > allow-recursion { 10.22.200.0/23; 10.84.104.0/26; 192.168.4.0/22; > 192.168.12.0/22; 192.168.16.0/22; }; > }; > > controls { > inet 127.0.0.1 allow { localhost; }; > }; > > zone "." IN { > type hint; > file "named.ca"; > }; > > zone "icse.cornell.edu" IN { > type master; > notify no; > file "named.icse.cornell.edu"; > }; > > zone "104.84.10.in-addr.arpa" IN { > type master; > notify no; > file "named.10.84.104"; > }; > > zone "200.22.10.in-addr.arpa" IN { > type master; > notify no; > file "named.10.22.200"; > }; > > zone "201.22.10.in-addr.arpa" IN { > type master; > notify no; > file "named.10.22.201"; > }; > > zone "4.168.192.in-addr.arpa" IN { > type master; > notify no; > file "named.192.168.4"; > }; > > zone "5.168.192.in-addr.arpa" IN { > type master; > notify no; > file "named.192.168.5"; > }; > > zone "6.168.192.in-addr.arpa" IN { > type master; > notify no; > file "named.192.168.6"; > }; > > zone "7.168.192.in-addr.arpa" IN { > type master; > notify no; > file "named.192.168.7"; > }; > > zone "8.168.192.in-addr.arpa" IN { > type master; > notify no; > file "named.192.168.8"; > }; > > zone "9.168.192.in-addr.arpa" IN { > type master; > notify no; > file "named.192.168.9"; > }; > > zone "10.168.192.in-addr.arpa" IN { > type master; > notify no; > file "named.192.168.10"; > }; > > zone "11.168.192.in-addr.arpa" IN { > type master; > notify no; > file "named.192.168.11"; > }; > > zone 
"12.168.192.in-addr.arpa" IN { > type master; > notify no; > file "named.192.168.12"; > }; > > zone "13.168.192.in-addr.arpa" IN { > type master; > notify no; > file "named.192.168.13"; > }; > > zone "14.168.192.in-addr.arpa" IN { > type master; > notify no; > file "named.192.168.14"; > }; > > zone "15.168.192.in-addr.arpa" IN { > type master; > notify no; > file "named.192.168.15"; > }; > > zone "16.168.192.in-addr.arpa" IN { > type master; > notify no; > file "named.192.168.16"; > }; > > zone "17.168.192.in-addr.arpa" IN { > type master; > notify no; > file "named.192.168.17"; > }; > > zone "18.168.192.in-addr.arpa" IN { > type master; > notify no; > file "named.192.168.18"; > }; > > zone "19.168.192.in-addr.arpa" IN { > type master; > notify no; > file "named.192.168.19"; > }; > > include "/etc/rndc.key"; > #include "/mnt/domain/samba/europa/private/named.conf"; > > -SteveHave you really got 19 reverse zones for your samba 4 active directory ? I use Debian and this is my named conf files: options { directory "/var/cache/bind"; forwarders { 8.8.8.8; 8.8.4.4; }; dnssec-validation no; auth-nxdomain no; # conform to RFC1035 listen-on-v6 { any; }; tkey-gssapi-keytab "/var/lib/samba/private/dns.keytab"; }; zone "." 
{ type hint; file "/etc/bind/db.root"; }; zone "localhost" { type master; file "/etc/bind/db.local"; }; zone "127.in-addr.arpa" { type master; file "/etc/bind/db.127"; }; zone "0.in-addr.arpa" { type master; file "/etc/bind/db.0"; }; zone "255.in-addr.arpa" { type master; file "/etc/bind/db.255"; }; include "/var/lib/samba/private/named.conf"; /var/lib/samba/private/named.conf: dlz "AD DNS Zone" { database "dlopen /usr/lib/x86_64-linux-gnu/samba/bind9/dlz_bind9_9.so"; }; Never had a problem, not that this helps you :-) Can you try running 'samba-tool ldapcmp ldap://<YOUR_FIRST_DC> ldap://<YOUR_SECOND_DC>' Check if you actually have dns records: My laptop is called Thinkpad and this command will show its dns record in AD (run on the DC) ldbsearch --cross-ncs -H /var/lib/samba/private/sam.ldb '(&(objectClass=dnsNode)(name=ThinkPad))' # record 1 dn: DC=ThinkPad,DC=example.com,CN=MicrosoftDNS,DC=DomainDnsZones,DC=example,DC=com objectClass: top objectClass: dnsNode instanceType: 4 whenCreated: 20140812120544.0Z uSNCreated: 3780 showInAdvancedViewOnly: TRUE name: ThinkPad objectGUID: 66cce7bf-5d9c-445d-bb44-73caac0d7966 objectCategory: CN=Dns-Node,CN=Schema,CN=Configuration,DC=example,DC=com dc: ThinkPad whenChanged: 20150510115457.0Z dnsRecord:: BAABAAXwAACqAAAAAAAOEAAAAAATbDcAwKgAdw= dNSTombstoned: FALSE uSNChanged: 39718 distinguishedName: DC=ThinkPad,DC=example.com,CN=MicrosoftDNS,DC=DomainDnsZones,DC=example,DC=com Its IP is 192.168.0.119, so to find its record: ldbsearch --cross-ncs -H /var/lib/samba/private/sam.ldb '(&(objectClass=dnsNode)(name=119))' # record 1 dn: DC=119,DC=0.168.192.in-addr.arpa,CN=MicrosoftDNS,DC=DomainDnsZones,DC=example,DC=com objectClass: top objectClass: dnsNode instanceType: 4 whenCreated: 20150401131744.0Z uSNCreated: 32019 showInAdvancedViewOnly: TRUE name: 119 objectGUID: 217523f1-34a8-44a3-8448-530aebc0cfe7 objectCategory: CN=Dns-Node,CN=Schema,CN=Configuration,DC=example,DC=com dc: 119 whenChanged: 20150510115457.0Z dnsRecord:: 
FQAMAAXwAACqAAAAAAAOEAAAAAATbDcAEwMIVGhpbmtQYWQEaG9tZQNsYW4A dNSTombstoned: FALSE uSNChanged: 39720 distinguishedName: DC=119,DC=0.168.192.in-addr.arpa,CN=MicrosoftDNS,DC=DomainD nsZones,DC=example,DC=com To see defined zones: samba-tool dns zonelist 127.0.0.1 Password for [Administrator at EXAMPLE.COM]: 3 zone(s) found pszZoneName : 0.168.192.in-addr.arpa Flags : DNS_RPC_ZONE_DSINTEGRATED DNS_RPC_ZONE_UPDATE_SECURE ZoneType : DNS_ZONE_TYPE_PRIMARY Version : 50 dwDpFlags : DNS_DP_AUTOCREATED DNS_DP_DOMAIN_DEFAULT DNS_DP_ENLISTED pszDpFqdn : DomainDnsZones.example.com pszZoneName : example.com Flags : DNS_RPC_ZONE_DSINTEGRATED DNS_RPC_ZONE_UPDATE_SECURE ZoneType : DNS_ZONE_TYPE_PRIMARY Version : 50 dwDpFlags : DNS_DP_AUTOCREATED DNS_DP_DOMAIN_DEFAULT DNS_DP_ENLISTED pszDpFqdn : DomainDnsZones.example.com pszZoneName : _msdcs.example.com Flags : DNS_RPC_ZONE_DSINTEGRATED DNS_RPC_ZONE_UPDATE_SECURE ZoneType : DNS_ZONE_TYPE_PRIMARY Version : 50 dwDpFlags : DNS_DP_AUTOCREATED DNS_DP_FOREST_DEFAULT DNS_DP_ENLISTED pszDpFqdn : ForestDnsZones.example.com To see dns server info: samba-tool dns serverinfo 127.0.0.1 Password for [Administrator at EXAMPLE.COM]: dwVersion : 0xece0205 fBootMethod : DNS_BOOT_METHOD_DIRECTORY fAdminConfigured : FALSE fAllowUpdate : TRUE fDsAvailable : TRUE pszServerName : DC01.example.com pszDsContainer : CN=MicrosoftDNS,DC=DomainDnsZones,DC=example,DC=com aipServerAddrs : ['192.168.0.2'] aipListenAddrs : ['192.168.0.2'] aipForwarders : [] dwLogLevel : 0 dwDebugLevel : 0 dwForwardTimeout : 3 dwRpcPrototol : 0x5 dwNameCheckFlag : DNS_ALLOW_MULTIBYTE_NAMES cAddressAnswerLimit : 0 dwRecursionRetry : 3 dwRecursionTimeout : 8 dwMaxCacheTtl : 86400 dwDsPollingInterval : 180 dwScavengingInterval : 0 dwDefaultRefreshInterval : 168 dwDefaultNoRefreshInterval : 168 fAutoReverseZones : FALSE fAutoCacheUpdate : FALSE fRecurseAfterForwarding : FALSE fForwardDelegations : TRUE fNoRecursion : FALSE fSecureResponses : FALSE fRoundRobin : TRUE fLocalNetPriority : 
FALSE fBindSecondaries : FALSE fWriteAuthorityNs : FALSE fStrictFileParsing : FALSE fLooseWildcarding : FALSE fDefaultAgingState : FALSE dwRpcStructureVersion : 0x2 aipLogFilter : [] pwszLogFilePath : None pszDomainName : example.com pszForestName : example.com pszDomainDirectoryPartition : DC=DomainDnsZones,DC=example,DC=com pszForestDirectoryPartition : DC=ForestDnsZones,DC=example,DC=com dwLocalNetPriorityNetMask : 0xff dwLastScavengeTime : 0 dwEventLogLevel : 4 dwLogFileMaxSize : 0 dwDsForestVersion : 2 dwDsDomainVersion : 2 dwDsDsaVersion : 4 fReadOnlyDC : FALSE HTH Rowland
On Sun, 10 May 2015, Rowland Penny wrote:> Have you really got 19 reverse zones for your samba 4 active directory ?Yep :-)> Can you try running 'samba-tool ldapcmp ldap://<YOUR_FIRST_DC> ldap://<YOUR_SECOND_DC>Interesting. DC1 and DC2 have many differences; DC1 and DC3 are the same. Maybe I will demote DC2 and join it again.> Check if you actually have dns records:For DC1 (host name baxter): dn: DC=baxter,DC=europa.icse.cornell.edu,CN=MicrosoftDNS,DC=DomainDnsZones,DC=europa,DC=icse,DC=cornell,DC=edu objectClass: top objectClass: dnsNode instanceType: 4 whenCreated: 20150430150532.0Z whenChanged: 20150430150532.0Z uSNCreated: 4725 uSNChanged: 4725 showInAdvancedViewOnly: TRUE name: baxter objectGUID: 739a5762-719a-44d2-968e-f8b12f5bc07b dnsRecord:: BAABAAXwAAAWAAAAAAADhAAAAAAnazcAChbICw=objectCategory: CN=Dns-Node,CN=Schema,CN=Configuration,DC=europa,DC=icse,DC=cornell,DC=edu dc: baxter distinguishedName: DC=baxter,DC=europa.icse.cornell.edu,CN=MicrosoftDNS,DC=DomainDnsZones,DC=europa,DC=icse,DC=cornell,DC=edu For DC2 (host name bear): dn: DC=bear,DC=europa.icse.cornell.edu,CN=MicrosoftDNS,DC=DomainDnsZones,DC=europa,DC=icse,DC=cornell,DC=edu objectClass: top objectClass: dnsNode instanceType: 4 whenCreated: 20150504141356.0Z whenChanged: 20150504141356.0Z uSNCreated: 4897 uSNChanged: 4897 showInAdvancedViewOnly: TRUE name: bear objectGUID: 93d1aaa6-8c41-4754-8b27-370870b9129d dnsRecord:: BAABAAXwAAA1AAAAAAADhAAAAACGazcAChbIDA=objectCategory: CN=Dns-Node,CN=Schema,CN=Configuration,DC=europa,DC=icse,DC=cornell,DC=edu dc: bear distinguishedName: DC=bear,DC=europa.icse.cornell.edu,CN=MicrosoftDNS,DC=DomainDnsZones,DC=europa,DC=icse,DC=cornell,DC=edu and for DC3 (host name benford): dn: DC=benford,DC=europa.icse.cornell.edu,CN=MicrosoftDNS,DC=DomainDnsZones,DC=europa,DC=icse,DC=cornell,DC=edu objectClass: top objectClass: dnsNode instanceType: 4 whenCreated: 20150504150126.0Z whenChanged: 20150504150126.0Z uSNCreated: 4996 uSNChanged: 4996 showInAdvancedViewOnly: TRUE 
name: benford objectGUID: 6701ab99-d883-44da-8ebf-769a98274a2c dnsRecord:: BAABAAXwAABGAAAAAAADhAAAAACHazcAChbIDQ=objectCategory: CN=Dns-Node,CN=Schema,CN=Configuration,DC=europa,DC=icse,DC=cornell,DC=edu dc: benford distinguishedName: DC=benford,DC=europa.icse.cornell.edu,CN=MicrosoftDNS,DC=DomainDnsZones,DC=europa,DC=icse,DC=cornell,DC=edu> To see defined zones:2 zone(s) found pszZoneName : europa.icse.cornell.edu Flags : DNS_RPC_ZONE_DSINTEGRATED DNS_RPC_ZONE_UPDATE_SECURE ZoneType : DNS_ZONE_TYPE_PRIMARY Version : 50 dwDpFlags : DNS_DP_AUTOCREATED DNS_DP_DOMAIN_DEFAULT DNS_DP_ENLISTED pszDpFqdn : DomainDnsZones.europa.icse.cornell.edu pszZoneName : _msdcs.europa.icse.cornell.edu Flags : DNS_RPC_ZONE_DSINTEGRATED DNS_RPC_ZONE_UPDATE_SECURE ZoneType : DNS_ZONE_TYPE_PRIMARY Version : 50 dwDpFlags : DNS_DP_AUTOCREATED DNS_DP_FOREST_DEFAULT DNS_DP_ENLISTED pszDpFqdn : ForestDnsZones.europa.icse.cornell.edu with identical output from all three DC's.> To see dns server info:dwVersion : 0xece0205 fBootMethod : DNS_BOOT_METHOD_DIRECTORY fAdminConfigured : FALSE fAllowUpdate : TRUE fDsAvailable : TRUE pszServerName : BAXTER.europa.icse.cornell.edu pszDsContainer : CN=MicrosoftDNS,DC=DomainDnsZones,DC=europa,DC=icse,DC=cornell,DC=edu aipServerAddrs : ['10.22.200.11', '127.0.0.1'] aipListenAddrs : ['10.22.200.11', '127.0.0.1'] aipForwarders : [] dwLogLevel : 0 dwDebugLevel : 0 dwForwardTimeout : 3 dwRpcPrototol : 0x5 dwNameCheckFlag : DNS_ALLOW_MULTIBYTE_NAMES cAddressAnswerLimit : 0 dwRecursionRetry : 3 dwRecursionTimeout : 8 dwMaxCacheTtl : 86400 dwDsPollingInterval : 180 dwScavengingInterval : 0 dwDefaultRefreshInterval : 168 dwDefaultNoRefreshInterval : 168 fAutoReverseZones : FALSE fAutoCacheUpdate : FALSE fRecurseAfterForwarding : FALSE fForwardDelegations : TRUE fNoRecursion : FALSE fSecureResponses : FALSE fRoundRobin : TRUE fLocalNetPriority : FALSE fBindSecondaries : FALSE fWriteAuthorityNs : FALSE fStrictFileParsing : FALSE fLooseWildcarding : FALSE 
fDefaultAgingState : FALSE dwRpcStructureVersion : 0x2 aipLogFilter : [] pwszLogFilePath : None pszDomainName : europa.icse.cornell.edu pszForestName : europa.icse.cornell.edu pszDomainDirectoryPartition : DC=DomainDnsZones,DC=europa,DC=icse,DC=cornell,DC=edu pszForestDirectoryPartition : DC=ForestDnsZones,DC=europa,DC=icse,DC=cornell,DC=edu dwLocalNetPriorityNetMask : 0xff dwLastScavengeTime : 0 dwEventLogLevel : 4 dwLogFileMaxSize : 0 dwDsForestVersion : 2 dwDsDomainVersion : 2 dwDsDsaVersion : 4 fReadOnlyDC : FALSE and on DC2 and DC3 they are the same, except for host names and IP addresses. There were two DC's that were members of the configuration for about two years; these two were demoted and the three that I have now were added recently. Maybe something went wrong with the demotion of the original two, but the BIND problem did not surface until yesterday evening; the BIND servers had been restarted multiple times before then (and after the demotion of the original two). -Steve -- ---------------------------------------------------------------------------- Steve Thompson E-mail: smt AT vgersoft DOT com Voyager Software LLC Web: http://www DOT vgersoft DOT com 39 Smugglers Path VSW Support: support AT vgersoft DOT com Ithaca, NY 14850 "186,282 miles per second: it's not just a good idea, it's the law" ----------------------------------------------------------------------------