On 28/02/16 23:05, Reindl Harald wrote:
> On 28.02.2016 at 23:54, Rowland penny wrote:
>> On 28/02/16 22:42, Reindl Harald wrote:
>>> On 28.02.2016 at 23:10, Rowland penny wrote:
>>>> On 28/02/16 21:56, Reindl Harald wrote:
>>>>> On 28.02.2016 at 22:22, John Gardeniers wrote:
>>>>>> Thanks Rowland. Perhaps because I expected these basic issues to have
>>>>>> been resolved long ago I never thought to check the SOA records. You are
>>>>>> perfectly correct - the second DC is not listed
>>>>>
>>>>> since when is more than one NS listed in the SOA?
>>>>>
>>>>> http://rscott.org/dns/soa.html
>>>>>
>>>>> MNAME ("Primary NS") - This entry is the domain name of the name
>>>>> server that was the original source of the data (this entry MUST be
>>>>> your primary nameserver). This is your primary nameserver, and MUST be
>>>>> the one and only server that you ever update. You must not update the
>>>>> secondary server(s) -- they will update automatically, based on the
>>>>> SOA record. Problem? This should be a fully qualified domain name.
>>>>>
>>>> OK, I see where you are coming from, but this is referring to a normal
>>>> dns server that replicates to other secondary dns servers. AD dns works
>>>> a little differently, all AD dns servers replicate dns records to each
>>>> other and each AD DC is supposed to be authoritative for the dns domain,
>>>> this does not happen if your first DC goes down when you are using the
>>>> internal dns server. As an aside, my first DC shut down for some reason,
>>>> I didn't notice for a couple of hours, until I tried to 'ssh' into it, I
>>>> didn't notice because *everything* else just kept working on my second DC
>>>
>>> well, that's not the business of the SOA record
>>> it's a matter of NS-records
>>>
>> If you only have one Authoritative nameserver (which is what you have
>> with the internal dns) and it disappears, then you don't have *anything*
>> that will respond to a request for info about the AD dns domain
>
> sorry, but that's not a matter of SOA
>
> all your NS-records are authoritative, no matter if they are master or
> slave, the format of the SOA record is pretty clear
>
> https://support.dnsimple.com/articles/soa-record/
> ns1.dnsimple.com admin.dnsimple.com 2013022001 86400 7200 604800 300
>
> nothing will change the SOA format because it's defined far away from
> samba and the implementation https://www.ietf.org/rfc/rfc1912.txt
>
> otherwise show me how you imagine a SOA record listing more than one
> nameserver would look like when the second field is by definition the
> admin contact

Everything you say is valid except for when it comes to AD dns.
When you want data from a zone, you start with the SOA record, you ask 'who holds the records for this zone?', it replies with the nameserver that holds the zone records. OK so far?

Only problem is that with AD, *every* DC that runs a dns server holds the zone records. Now if you have only one NS record in the SOA (or if only one NS record is returned, like the internal dns server does), then only one DC will be asked for the zone records, if this DC is down, you don't have a nameserver to ask!

Every windows DC that runs a dns server is authoritative for the dns domain and has a SOA record. The only way I have found of doing this with a Samba DC, is to use Bind9 and add the second DC's NS record to the SOA, this SOA is stored in AD.

Rowland
On 29.02.2016 at 10:10, Rowland penny wrote:
> Everything you say is valid except for when it comes to AD dns.
> When you want data from a zone, you start with the SOA record, you ask
> 'who holds the records for this zone?', it replies with the nameserver
> that holds the zone records. OK so far?
>
> Only problem is that with AD, *every* DC that runs a dns server holds
> the zone records. Now if you have only one NS record in the SOA (or if
> only one NS record is returned, like the internal dns server does), then
> only one DC will be asked for the zone records, if this DC is down, you
> don't have a nameserver to ask!

then it's a bug in the internal dns server to only return one NS record

> Every windows DC that runs a dns server is authoritative for the dns
> domain and has a SOA record. The only way I have found of doing this
> with a Samba DC, is to use Bind9 and add the second DC's NS record to the
> SOA, this SOA is stored in AD

how would a SOA record look like with two NS records?
On 29/02/16 09:42, Reindl Harald wrote:
> On 29.02.2016 at 10:10, Rowland penny wrote:
>> Everything you say is valid except for when it comes to AD dns.
>> When you want data from a zone, you start with the SOA record, you ask
>> 'who holds the records for this zone?', it replies with the nameserver
>> that holds the zone records. OK so far?
>>
>> Only problem is that with AD, *every* DC that runs a dns server holds
>> the zone records. Now if you have only one NS record in the SOA (or if
>> only one NS record is returned, like the internal dns server does), then
>> only one DC will be asked for the zone records, if this DC is down, you
>> don't have a nameserver to ask!
>
> then it's a bug in the internal dns server to only return one NS record

Totally agree

>> Every windows DC that runs a dns server is authoritative for the dns
>> domain and has a SOA record. The only way I have found of doing this
>> with a Samba DC, is to use Bind9 and add the second DC's NS record to the
>> SOA, this SOA is stored in AD
>
> how would a SOA record look like with two NS records?

There was a thread dealing with this in December, see here for what I posted then:
https://lists.samba.org/archive/samba/2015-December/196367.html

Rowland
On 2/29/2016 4:10 AM, Rowland penny wrote:
> On 28/02/16 23:05, Reindl Harald wrote:
>> [...]
>
> Everything you say is valid except for when it comes to AD dns.
> When you want data from a zone, you start with the SOA record, you ask
> 'who holds the records for this zone?', it replies with the nameserver
> that holds the zone records. OK so far?
>
> Only problem is that with AD, *every* DC that runs a dns server holds
> the zone records. Now if you have only one NS record in the SOA (or if
> only one NS record is returned, like the internal dns server does),
> then only one DC will be asked for the zone records, if this DC is
> down, you don't have a nameserver to ask!
>
> Every windows DC that runs a dns server is authoritative for the dns
> domain and has a SOA record. The only way I have found of doing this
> with a Samba DC, is to use Bind9 and add the second DC's NS record to
> the SOA, this SOA is stored in AD.
>
> Rowland

When I read this discussion about DNS, I got my big problem fixed, which involves two DCs (I use samba internal DNS).
I want to share my experience with you:
The big problem is that when the first DC is down, users cannot log in to win7 machines, while the second DC is still working.
The problem is that the internal DNS doesn't have an NS record for the second DC. After I used the windows tool to add this record and shut down the first DC, users could log in without any issue.
The SOA record was set up correctly when I built the DC. So nothing is wrong with the SOA stuff in samba internal DNS.

Allen
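As an added check for the failure mode Allen describes (example code, not from the thread or from Samba): a SOA carries exactly one MNAME, so failover depends on the zone apex holding a separate NS record for every DC. The stdlib-only audit below parses a constructed dig-style dump of a hypothetical samdom.example.com zone with two DCs (dc1, dc2) and reports which DCs have no NS record.

```python
"""Audit an AD DNS zone for the single-NS failure mode discussed above.

Constructed example, not Samba code. The SOA holds a single MNAME, so
failover depends on one NS record per DC: a zone whose apex lists only
dc1 leaves clients with nobody to ask once dc1 is down.
"""

# Constructed dig-style dump of a hypothetical zone: two DCs, one NS record.
ZONE_DUMP = """\
samdom.example.com.     3600 IN SOA dc1.samdom.example.com. hostmaster.samdom.example.com. 2016022901 900 600 86400 3600
samdom.example.com.     900  IN NS  dc1.samdom.example.com.
dc1.samdom.example.com. 900  IN A   192.168.1.10
dc2.samdom.example.com. 900  IN A   192.168.1.11
"""


def fqdn(name):
    """Normalise a DNS name to lower-case with a trailing dot."""
    return name.lower().rstrip(".") + "."


def parse_records(text):
    """Yield (owner, rtype, rdata_fields) from 'owner ttl IN type rdata' lines."""
    for line in text.splitlines():
        line = line.split(";", 1)[0].strip()   # drop zone-file comments
        fields = line.split()
        if len(fields) < 5 or fields[2].upper() != "IN":
            continue
        yield fqdn(fields[0]), fields[3].upper(), fields[4:]


def audit_ad_zone(text, zone, dc_hosts):
    """Return the SOA MNAME, the apex NS set and the DCs lacking an NS record."""
    apex = fqdn(zone)
    mname, ns_set = None, set()
    for owner, rtype, rdata in parse_records(text):
        if owner != apex:
            continue
        if rtype == "SOA":
            mname = fqdn(rdata[0])        # exactly one primary fits in a SOA
        elif rtype == "NS":
            ns_set.add(fqdn(rdata[0]))
    missing = {fqdn(h) for h in dc_hosts} - ns_set
    return {"mname": mname, "ns": ns_set, "missing_ns": missing}


if __name__ == "__main__":
    report = audit_ad_zone(ZONE_DUMP, "samdom.example.com",
                           ["dc1.samdom.example.com", "dc2.samdom.example.com"])
    print(report)
    if report["missing_ns"]:
        print("single point of failure; add NS records for:", sorted(report["missing_ns"]))
```

Feed it the real apex records of your zone and the hostnames of your DCs; an empty `missing_ns` set means every DC can be asked for the zone when another one is down.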
On 05/03/16 04:54, Allen Chen wrote:
> On 2/29/2016 4:10 AM, Rowland penny wrote:
>> [...]
>>
>> Every windows DC that runs a dns server is authoritative for the dns
>> domain and has a SOA record. The only way I have found of doing this
>> with a Samba DC, is to use Bind9 and add the second DC's NS record to
>> the SOA, this SOA is stored in AD.
>>
>> Rowland
>>
> When I read this discussion about DNS, I got my big problem fixed,
> which involves two DCs (I use samba internal DNS).
> I want to share my experience with you:
> The big problem is that when the first DC is down, users cannot log in to
> win7 machines, while the second DC is still working.
> The problem is that the internal DNS doesn't have an NS record for the
> second DC. After I used the windows tool to add this record and shut down
> the first DC, users could log in without any issue.
> The SOA record was set up correctly when I built the DC. So nothing is
> wrong with the SOA stuff in samba internal DNS.
>
> Allen

Now that is interesting, when I tested, even when you added the second NS record to the SOA, you only got one NS record (the first DC) and you couldn't log in anywhere if the first DC went down.

What version of Samba are you using?

Rowland