Rowland Penny
2015-Nov-27 15:43 UTC
[Samba] Authentication to Secondary Domain Controller initially fails when PDC is offline
On 27/11/15 15:24, mathias dufresne wrote:
> 2015-11-27 15:49 GMT+01:00 Rowland Penny <rowlandpenny241155 at gmail.com>:
>
> On 27/11/15 14:30, James wrote:
>
> On 11/27/2015 9:16 AM, Rowland Penny wrote:
>
> On 27/11/15 13:23, James wrote:
>
> On 11/26/2015 11:12 AM, Ole Traupe wrote:
>
> Then you re-run your test with only DC2 up and running.
> Note that DNS needs time to be updated if you are using other DNS servers between clients and AD DCs.
>
> The SOA RR identifies a primary DNS name server for the zone as the best source of information for the data within that zone and as an entity processing the updates for the zone.
>
> The NS resource record is used to notate which DNS servers are designated as authoritative for the zone. Listing a server in the NS RR, it becomes known to others as an authoritative server for the zone. This means that any server specified in the NS RR is to be considered an authoritative source by others, and is able to answer with certainty any queries made for names included in the zone.
>
> Much of the above was taken almost verbatim from online Microsoft tech documents. I don't believe that DCs create NS records by default.
>
> You mean Samba DCs or DCs in general?
>
> I am not sure I understand the above. Do you suggest to create another NS record for the Second_DC, or not to?
>
> In the resolv.conf on my member servers both DCs are listed as DNS servers. I like to think that the member servers eventually ask the second DNS server, if the first won't respond. This seems to be reflected by ping taking more than 5 s for the first packet to arrive.
>
> BUT what does the second DNS server (Second_DC) reply? Which logon server does it announce?
>
> DNS can be very confusing. You do not need to create a NS record for your second DC if the zone is directory integrated. By default the DC is authoritative for that zone.
>
> Probably with windows it is, but not with Samba AD, you only get one NS and one SOA. The only authoritative Samba AD DC is the first one; when you join a second DC, it runs the same code that created the SOA during the first DC's provision and because the SOA already exists, it fails.
>
> Rowland
>
> Yikes! Are you saying DCs with directory integrated zones are not authoritative for them? That means a NS record needs to be created manually for each DC added.
>
> Yes, that's about the size of it. No matter how many DCs you join, you only have one NS, the original DC.
>
> I have been trying to alter the code, but I am struggling to get another NS record added during the join. It doesn't help that I have no idea what a windows DC SOA record looks like: does each DC have a separate SOA record, or is it like the Samba SOA record and there is only one with multiple NS records?
>
> Yes, each Windows DC has a SOA record. In fact I expect there is no SOA record really on MS AD. I expect SOA management is something like: when a DC receives a request for SOA it replies "I am SOA".
> On MS AD all DCs have a NS record. My second mail in that thread from Sunday the 22nd of November shows different DNS queries I did on an MS AD domain (a 2008 R2 domain with only 2 DCs, Microsoft DCs).
>
> Finally I would look into samba_dnsupdate to add creation of the NS record. I expect this tool is run when samba starts.
> Unfortunately I did not find the right option to add to samba_dnsupdate so that it really creates DNS entries, even with a kerberos ticket already created before running that command. I received a mail recently about another Samba user using internal DNS for his AD hosted by Samba. This person was facing the same issue as me (missing DNS entries, samba_dnsupdate not adding entries). To work around that issue he modified samba_dnsupdate and commented out that line (line 413):
>
>     os.unlink(tmpfile)
>
> Doing that, samba_dnsupdate does not remove the tmp file. This tmp file contains the nsupdate commands which are launched by samba_dnsupdate.
> Finally he uses these nsupdate commands from the tmp files without the -g option and his DNS entries are now created.
> I must say I have yet to try that process.

If you follow the 'join' code, you end up at 'add_at_record' in sambadns.py. This is run by the initial provision and again when any DCs are joined. I have tried adding a check to see if the SOA exists and only creating it if it doesn't, otherwise just adding the NS records etc. I can add the A record for the subsequent DC but not its NS record. This is what the initial SOA record looks like:

dn: DC=@,DC=samdom.example.com,CN=MicrosoftDNS,DC=DomainDnsZones,DC=samdom,DC=example,DC=com
objectClass: top
objectClass: dnsNode
instanceType: 4
whenCreated: 20151106115624.0Z
uSNCreated: 3657
showInAdvancedViewOnly: TRUE
name: @
objectGUID: 7ad014c4-c1e9-4cb4-9f0d-96d0272af23d
objectCategory: CN=Dns-Node,CN=Schema,CN=Configuration,DC=samdom,DC=example,DC=com
dc: @
whenChanged: 20151122115408.0Z
dnsRecord: NDR: struct dnsp_DnssrvRpcRecord
    wDataLength      : 0x004f (79)
    wType            : DNS_TYPE_SOA (6)
    version          : 0x05 (5)
    rank             : DNS_RANK_ZONE (240)
    flags            : 0x0000 (0)
    dwSerial         : 0x00000062 (98)
    dwTtlSeconds     : 0x00000e10 (3600)
    dwReserved       : 0x00000000 (0)
    dwTimeStamp      : 0x00377e73 (3636851)
    data             : union dnsRecordData(case 6)
        soa: struct dnsp_soa
            serial   : 0x00000063 (99)
            refresh  : 0x00000384 (900)
            retry    : 0x00000258 (600)
            expire   : 0x00015180 (86400)
            minimum  : 0x00000e10 (3600)
            mname    : dc1.samdom.example.com
            rname    : hostmaster.samdom.example.com

dnsRecord: NDR: struct dnsp_DnssrvRpcRecord
    wDataLength      : 0x001a (26)
    wType            : DNS_TYPE_NS (2)
    version          : 0x05 (5)
    rank             : DNS_RANK_ZONE (240)
    flags            : 0x0000 (0)
    dwSerial         : 0x00000062 (98)
    dwTtlSeconds     : 0x00000384 (900)
    dwReserved       : 0x00000000 (0)
    dwTimeStamp      : 0x00000000 (0)
    data             : union dnsRecordData(case 2)
        ns           : dc1.samdom.example.com

dnsRecord: NDR: struct dnsp_DnssrvRpcRecord
    wDataLength      : 0x0004 (4)
    wType            : DNS_TYPE_A (1)
    version          : 0x05 (5)
    rank             : DNS_RANK_ZONE (240)
    flags            : 0x0000 (0)
    dwSerial         : 0x00000062 (98)
    dwTtlSeconds     : 0x00000384 (900)
    dwReserved       : 0x00000000 (0)
    dwTimeStamp      : 0x00000000 (0)
    data             : union dnsRecordData(case 1)
        ipv4         : 192.168.0.5

uSNChanged: 29974
distinguishedName: DC=@,DC=samdom.example.com,CN=MicrosoftDNS,DC=DomainDnsZones,DC=samdom,DC=example,DC=com

I can add the NS record for the second DC with samba-tool, but not by modifying the 'add_at_record' code.

I tried doing an internet search, but cannot find anything that shows the SOA objects in AD for a windows server, so I don't know if windows uses separate SOA object records for each DC, or is it just one SOA object record (like Samba uses) with an NS record added for each DC.

Rowland
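A check for the gap Rowland describes (only the first DC ends up in the zone apex's NS RRset): the Python below is an added example, not Samba's own code. It parses the NDR text dump of the @ node's dnsRecord values in the form quoted above and reports which of the DCs you expect have no NS record, and whether the SOA mname is one of them. The sample dump is the one from the mail, cut down; the list of expected DCs is an assumption you supply (for instance from the domain's _msdcs SRV records).

```python
"""Check the AD-integrated zone apex (@ node) for DCs that have no NS record.
Added example, not Samba's code: parses the NDR text dump of the @ node's dnsRecord
values as quoted in the thread and compares NS targets with the DCs you expect."""
import re
from dataclasses import dataclass, field

# Constructed sample: the @ node dump from the mail, cut down to the fields used here.
# Only dc1 has an NS record; dc2 (assumed second DC) was joined later and never got one.
SAMPLE_DUMP = """\
dn: DC=@,DC=samdom.example.com,CN=MicrosoftDNS,DC=DomainDnsZones,DC=samdom,DC=example,DC=com
dnsRecord: NDR: struct dnsp_DnssrvRpcRecord
    wType : DNS_TYPE_SOA (6)
    dwSerial : 0x00000062 (98)
    dwTtlSeconds : 0x00000e10 (3600)
    data : union dnsRecordData(case 6)
        soa: struct dnsp_soa
            serial : 0x00000063 (99)
            refresh : 0x00000384 (900)
            retry : 0x00000258 (600)
            expire : 0x00015180 (86400)
            minimum : 0x00000e10 (3600)
            mname : dc1.samdom.example.com
            rname : hostmaster.samdom.example.com
dnsRecord: NDR: struct dnsp_DnssrvRpcRecord
    wType : DNS_TYPE_NS (2)
    dwSerial : 0x00000062 (98)
    dwTtlSeconds : 0x00000384 (900)
    data : union dnsRecordData(case 2)
        ns : dc1.samdom.example.com
dnsRecord: NDR: struct dnsp_DnssrvRpcRecord
    wType : DNS_TYPE_A (1)
    dwSerial : 0x00000062 (98)
    dwTtlSeconds : 0x00000384 (900)
    data : union dnsRecordData(case 1)
        ipv4 : 192.168.0.5
"""

# Header fields of dnsp_DnssrvRpcRecord (and the soa sub-struct marker) that are not record data.
HEADER_KEYS = {"wDataLength", "wType", "version", "rank", "flags", "dwSerial",
               "dwTtlSeconds", "dwReserved", "dwTimeStamp", "data", "soa"}
FIELD_RE = re.compile(r"^\s*(\w+)\s*:\s*(.+?)\s*$")       # "key : value" lines
HEX_DEC_RE = re.compile(r"^0x[0-9a-fA-F]+\s*\((\d+)\)$")  # "0x0384 (900)" style values


@dataclass
class DnsRecord:
    rtype: str = "?"                            # "SOA", "NS", "A", ...
    ttl: int = 0                                # dwTtlSeconds
    serial: int = 0                             # dwSerial (zone serial at last change)
    data: dict = field(default_factory=dict)    # leaf fields under "data": ns, mname, ipv4, ...


def _value(raw):
    """'0x00000384 (900)' -> 900; anything else (host names, addresses) stays a string."""
    m = HEX_DEC_RE.match(raw)
    return int(m.group(1)) if m else raw


def parse_at_node(dump):
    """Return one DnsRecord per 'dnsRecord: NDR:' block in the dump."""
    records, current = [], None
    for line in dump.splitlines():
        if line.startswith("dnsRecord: NDR:"):
            current = DnsRecord()
            records.append(current)
            continue
        m = FIELD_RE.match(line)
        if current is None or not m:
            continue                    # ldb attributes before the first record, or noise
        key, raw = m.group(1), m.group(2)
        if key == "wType":
            current.rtype = raw.split()[0].replace("DNS_TYPE_", "")
        elif key == "dwTtlSeconds":
            current.ttl = _value(raw)
        elif key == "dwSerial":
            current.serial = _value(raw)
        elif key not in HEADER_KEYS:
            current.data[key] = _value(raw)
    return records


def check_zone_apex(dump, expected_dcs):
    """Compare the apex NS targets and SOA mname with the DCs that should be there."""
    records = parse_at_node(dump)
    dcs = {d.rstrip(".").lower() for d in expected_dcs}
    ns = {r.data["ns"].rstrip(".").lower() for r in records if r.rtype == "NS"}
    soa = next((r for r in records if r.rtype == "SOA"), None)
    mname = soa.data["mname"].rstrip(".").lower() if soa else None
    return {
        "ns": sorted(ns),
        "missing_ns": sorted(dcs - ns),   # DCs that other servers will not treat as authoritative
        "stale_ns": sorted(ns - dcs),     # NS pointing at a host that is no longer a DC
        "soa_mname": mname,
        "soa_mname_is_dc": mname in dcs,
    }


if __name__ == "__main__":
    report = check_zone_apex(SAMPLE_DUMP, ["dc1.samdom.example.com", "dc2.samdom.example.com"])
    for key, value in report.items():
        print(f"{key}: {value}")
```

As Rowland notes, a DC reported under missing_ns can be given its record with samba-tool, e.g. `samba-tool dns add <dc> samdom.example.com @ NS dc2.samdom.example.com -U Administrator` (the record name `@` is the zone apex).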
James
2015-Nov-27 18:03 UTC
[Samba] Authentication to Secondary Domain Controller initially fails when PDC is offline
On 11/27/2015 10:43 AM, Rowland Penny wrote:
> I can add the NS record for the second DC with samba-tool, but not by modifying the 'add_at_record' code.
>
> I tried doing an internet search, but cannot find anything that shows the SOA objects in AD for a windows server, so I don't know if windows uses separate SOA object records for each DC, or is it just one SOA object record (like Samba uses) with an NS record added for each DC.
>
> Rowland

Rowland,

This is what I have been able to dig up, but nothing concrete.

https://www.petri.com/forums/forum/microsoft-networking-services/active-directory/18697-ad-zones-and-dns-soa-records

and

http://www.dell.com/support/article/us/en/19/SLN156678/en

Both state that each DC should have its own SOA if it's directory integrated. However, looking here

http://blogs.msmvps.com/acefekay/2013/04/30/dns-zone-types-explained-and-their-significance-in-active-directory/

says that the SOA should rotate.

--
-James
Rowland Penny
2015-Nov-27 18:43 UTC
[Samba] Authentication to Secondary Domain Controller initially fails when PDC is offline
On 27/11/15 18:03, James wrote:
> Rowland,
>
> This is what I have been able to dig up, but nothing concrete.
>
> https://www.petri.com/forums/forum/microsoft-networking-services/active-directory/18697-ad-zones-and-dns-soa-records
>
> and
>
> http://www.dell.com/support/article/us/en/19/SLN156678/en
>
> Both state that each DC should have its own SOA if it's directory integrated. However, looking here
>
> http://blogs.msmvps.com/acefekay/2013/04/30/dns-zone-types-explained-and-their-significance-in-active-directory/
>
> says that the SOA should rotate

Hi, thanks for that, but I am fairly sure I have already seen them, or others just like them. The problem is that windows is a point & click OS and that is all I have been able to find. I cannot find anywhere an example of what a SOA record looks like in a windows AD database. All I can find says that every DC should have a SOA record; now does this mean one like Samba's, where it is just one AD object with multiple NS records (one per DC), or should there actually be an individual SOA record per DC? If so, then Samba's DNS server is very possibly broken.

Does anybody have an ldif from a windows AD domain showing the SOA records, and are they willing to share it?

Rowland
mathias dufresne
2015-Dec-02 09:28 UTC
[Samba] Authentication to Secondary Domain Controller initially fails when PDC is offline
2015-11-27 16:43 GMT+01:00 Rowland Penny <rowlandpenny241155 at gmail.com>:
> I can add the NS record for the second DC with samba-tool, but not by modifying the 'add_at_record' code.
>
> I tried doing an internet search, but cannot find anything that shows the SOA objects in AD for a windows server, so I don't know if windows uses separate SOA object records for each DC, or is it just one SOA object record (like Samba uses) with an NS record added for each DC.
>
> Rowland

I'll have a look on both MS DCs I prepared 10 days ago to see if there is an LDAP entry for SOA in the MS AD database. As shown 10 days ago, MS DCs always reply "I am SOA" when they have the DNS service started, which is not mandatory if you already have a DNS infrastructure (from DCs or any other DNS).
Rowland Penny
2015-Dec-02 09:51 UTC
[Samba] Authentication to Secondary Domain Controller initially fails when PDC is offline
On 02/12/15 09:28, mathias dufresne wrote:> 2015-11-27 16:43 GMT+01:00 Rowland Penny <rowlandpenny241155 at gmail.com>: > >> On 27/11/15 15:24, mathias dufresne wrote: >> >>> >>> 2015-11-27 15:49 GMT+01:00 Rowland Penny <rowlandpenny241155 at gmail.com >>> <mailto:rowlandpenny241155 at gmail.com>>: >>> >>> >>> On 27/11/15 14:30, James wrote: >>> >>> On 11/27/2015 9:16 AM, Rowland Penny wrote: >>> >>> On 27/11/15 13:23, James wrote: >>> >>> On 11/26/2015 11:12 AM, Ole Traupe wrote: >>> >>> >>> Then you re-run your test with only DC2 up >>> and running. >>> Note DNS have need time to be updated if >>> you are using others DNS servers between >>> clients and AD DCs. >>> >>> The SOA RR identifies a primary DNS name >>> server for the zone as the best source of >>> information for the data within that zone and >>> as a entity processing the updates for the zone. >>> >>> The NS resource record is used to notate which >>> DNS servers are designated as authoritative >>> for the zone. Listing a server in the NS RR, >>> it becomes known to others as an authoritative >>> server for the zone. This means that any >>> server specified in the NS RR is to be >>> considered an authoritative source by others, >>> and is able to answer with certainty any >>> queries made for names included in the zone. >>> >>> Much of the above was taken almost verbatim >>> from online Microsoft tech documents. I don't >>> believe that DC's create NS records by default. >>> >>> >>> You mean Samba DCs or DCs in general? >>> >>> I am not sure I understand the above. Do you >>> suggest to create another NS record for the >>> Second_DC, or not to? >>> >>> In the resolv.conf on my member servers both DCs >>> are listed as DNS servers. I like to think that >>> the member servers eventually ask the second DNS >>> server, if the first won't respond. This seems to >>> be reflected by ping taking more than 5 s for the >>> first packet to arrive. 
>>>
>>> BUT what does the second DNS server (Second_DC)
>>> reply? Which logon server does it announce?
>>>
>>> DNS can be very confusing. You do not need to create a
>>> NS record for your second DC if the zone is directory
>>> integrated. By default the DC is authoritative for
>>> that zone.
>>>
>>> Probably with windows it is, but not with Samba AD, you
>>> only get one NS and one SOA. The only authoritative Samba
>>> AD DC is the first one, when you join a second DC, it runs
>>> the same code that created the SOA during the first DC's
>>> provision and because the SOA already exists, it fails.
>>>
>>> Rowland
>>>
>>> Yikes! Are you saying DCs with directory integrated zones are
>>> not authoritative for them? That means a NS record needs to be
>>> created manually for each DC added.
>>>
>>> Yes, that's about the size of it. No matter how many DCs you join,
>>> you only have one NS, the original DC.
>>>
>>> I have been trying to alter the code, but I am struggling to get
>>> another NS record added during the join, it doesn't help that I
>>> have no idea what a windows DC SOA record looks like, does each DC
>>> have a separate SOA record? or is it like the Samba SOA record and
>>> there is only one with multiple NS records?
>>>
>>> Yes, each Windows DC has an SOA record. In fact I expect there is no SOA record
>>> really on MS AD. I expect SOA management is something like when a DC
>>> receives a request for SOA it replies "I am SOA".
>>> On MS AD all DCs have a NS record. My second mail about that thread from
>>> Sunday the 22nd of November is showing different DNS queries I did on MS AD
>>> domain (a 2008 r2 domain with only 2 DC, Microsoft DC).
>>>
>>> Finally I would look into samba_dnsupdate to add creation of NS record. I
>>> expect this tool is run when samba starts.
>>> Unfortunately I did not find the right option to add to samba_dnsupdate
>>> for it really creates DNS entries.
>>> Even with kerberos ticket already
>>> created before running that command. I received a mail recently about
>>> another Samba user using internal DNS for his AD hosted by Samba. This
>>> person was facing the same issue as me (missing DNS entries, samba_dnsupdate
>>> not adding entries). To workaround that issue he modified samba_dnsupdate
>>> and he commented out that line (line 413):
>>> os.unlink(tmpfile)
>>>
>>> Doing that samba_dnsupdate does not remove the tmp file. This tmp file
>>> contains nsupdate commands which are launched by samba_dnsupdate.
>>> Finally he uses these nsupdate commands from tmp files without -g option
>>> and his DNS entries are now created.
>>> I must say I did yet try that process.
>>>
>>
>> If you follow the 'join' code, you end up at 'add_at_record' in
>> sambadns.py. This is run by the initial provision and again when any DCs
>> are joined. I have tried adding a check to see if the SOA exists and only
>> creating it if it doesn't, otherwise just add the NS records etc, I can add
>> the A record for the subsequent DC but not its NS record.
>> This is what the
>> initial SOA record looks like:
>>
>> dn: DC=@,DC=samdom.example.com,CN=MicrosoftDNS,DC=DomainDnsZones,DC=samdom,DC=example,DC=com
>> objectClass: top
>> objectClass: dnsNode
>> instanceType: 4
>> whenCreated: 20151106115624.0Z
>> uSNCreated: 3657
>> showInAdvancedViewOnly: TRUE
>> name: @
>> objectGUID: 7ad014c4-c1e9-4cb4-9f0d-96d0272af23d
>> objectCategory: CN=Dns-Node,CN=Schema,CN=Configuration,DC=samdom,DC=example,DC=com
>> dc: @
>> whenChanged: 20151122115408.0Z
>> dnsRecord: NDR: struct dnsp_DnssrvRpcRecord
>>     wDataLength              : 0x004f (79)
>>     wType                    : DNS_TYPE_SOA (6)
>>     version                  : 0x05 (5)
>>     rank                     : DNS_RANK_ZONE (240)
>>     flags                    : 0x0000 (0)
>>     dwSerial                 : 0x00000062 (98)
>>     dwTtlSeconds             : 0x00000e10 (3600)
>>     dwReserved               : 0x00000000 (0)
>>     dwTimeStamp              : 0x00377e73 (3636851)
>>     data                     : union dnsRecordData(case 6)
>>         soa: struct dnsp_soa
>>             serial           : 0x00000063 (99)
>>             refresh          : 0x00000384 (900)
>>             retry            : 0x00000258 (600)
>>             expire           : 0x00015180 (86400)
>>             minimum          : 0x00000e10 (3600)
>>             mname            : dc1.samdom.example.com
>>             rname            : hostmaster.samdom.example.com
>>
>> dnsRecord: NDR: struct dnsp_DnssrvRpcRecord
>>     wDataLength              : 0x001a (26)
>>     wType                    : DNS_TYPE_NS (2)
>>     version                  : 0x05 (5)
>>     rank                     : DNS_RANK_ZONE (240)
>>     flags                    : 0x0000 (0)
>>     dwSerial                 : 0x00000062 (98)
>>     dwTtlSeconds             : 0x00000384 (900)
>>     dwReserved               : 0x00000000 (0)
>>     dwTimeStamp              : 0x00000000 (0)
>>     data                     : union dnsRecordData(case 2)
>>         ns                   : dc1.samdom.example.com
>>
>> dnsRecord: NDR: struct dnsp_DnssrvRpcRecord
>>     wDataLength              : 0x0004 (4)
>>     wType                    : DNS_TYPE_A (1)
>>     version                  : 0x05 (5)
>>     rank                     : DNS_RANK_ZONE (240)
>>     flags                    : 0x0000 (0)
>>     dwSerial                 : 0x00000062 (98)
>>     dwTtlSeconds             : 0x00000384 (900)
>>     dwReserved               : 0x00000000 (0)
>>     dwTimeStamp              : 0x00000000 (0)
>>     data                     : union dnsRecordData(case 1)
>>         ipv4                 : 192.168.0.5
>>
>> uSNChanged: 29974
>> distinguishedName: DC=@,DC=samdom.example.com,CN=MicrosoftDNS,DC=DomainDnsZones,DC=samdom,DC=example,DC=com
>>
>> I can add
>> the NS record for the second DC with samba-tool, but not by
>> modifying the 'add_at_record' code.
>>
>> I tried doing an internet search, but cannot find anything that shows the
>> SOA objects in AD for a windows server, so I don't know if windows uses
>> separate SOA object records for each DC, or is it just one SOA object
>> record (like Samba uses) with an NS record added for each DC.
>>
>> Rowland
>
> I'll have a look on both MS DC I prepared 10 days ago to see if there is a
> LDAP for SOA in MS AD database.
> As shown 10 days ago MS DC always reply "I am SOA" when they have DNS
> service started which is not mandatory if you have already a DNS
> infrastructure (from DCs or any other DNS).

This would help with what I am trying to find out. I can find on the internet multiple instances of 'every DC running dns should have a SOA record', but I cannot find any concrete examples of an ldif that shows this. Does each DC have a separate SOA record in AD, or is there just one SOA record and the DC just claims to be the SOA, or is there just one SOA record with an NS record for each DC? Samba would seem to be the latter, but I am struggling with adding the NS record for a new DC during the join, I think what happens is that the NS record does get added, but is wiped out when replication kicks in. It is very easy to add the NS record after the join with samba-tool.

Rowland
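As an added example, not part of the thread or of Samba's own code: a small Python check that parses a dump of the zone's '@' node (the NDR listing Rowland posted above, whose layout is assumed here to be that of ldbsearch) into one record per dnsRecord value and reports which DCs have no NS record at the apex. The sample dump is constructed to mirror the thread's: one SOA naming dc1, a single NS record, also dc1, and no entry for a later-joined dc2.

```python
import re

# Constructed sample (assumption): an ldbsearch-style dump of the zone's '@'
# node, trimmed to the fields read below. Like the dump in the thread it has
# one SOA (mname dc1) and a single NS record, also dc1, so dc2 is missing.
SAMPLE_DUMP = """\
dnsRecord: NDR: struct dnsp_DnssrvRpcRecord
    wType                    : DNS_TYPE_SOA (6)
    data                     : union dnsRecordData(case 6)
        soa: struct dnsp_soa
            mname            : dc1.samdom.example.com
            rname            : hostmaster.samdom.example.com
dnsRecord: NDR: struct dnsp_DnssrvRpcRecord
    wType                    : DNS_TYPE_NS (2)
    data                     : union dnsRecordData(case 2)
        ns                   : dc1.samdom.example.com
dnsRecord: NDR: struct dnsp_DnssrvRpcRecord
    wType                    : DNS_TYPE_A (1)
    data                     : union dnsRecordData(case 1)
        ipv4                 : 192.168.0.5
"""

FIELD = re.compile(r"^\s*(\w+)\s*:\s*(.+?)\s*$")

def parse_at_node(dump):
    """Split a dump of the '@' node into one dict per dnsRecord value."""
    records, current = [], None
    for line in dump.splitlines():
        if line.startswith("dnsRecord:"):      # start of the next NDR blob
            current = {}
            records.append(current)
            continue
        m = FIELD.match(line)
        if current is None or not m:
            continue
        key, value = m.groups()
        if key == "wType":
            current["type"] = value.split()[0]  # e.g. DNS_TYPE_NS
        elif key in ("mname", "ns", "ipv4"):
            current[key] = value
    return records

def ns_hosts(records):
    """FQDNs that hold an NS record at the zone apex."""
    return sorted(r["ns"] for r in records if r.get("type") == "DNS_TYPE_NS")

def missing_ns(records, dc_fqdns):
    """DCs expected to serve the zone that have no apex NS record."""
    present = set(ns_hosts(records))
    return sorted(dc for dc in dc_fqdns if dc not in present)
```

A DC this reports as missing is exactly the case the message describes: the join added its A record but not its NS record, which can then be added afterwards with samba-tool.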