On 29/02/16 09:42, Reindl Harald wrote:
>
>
> On 29.02.2016 at 10:10, Rowland penny wrote:
>> Everything you say is valid except for when it comes to AD dns.
>> When you want data from a zone, you start with the SOA record, you ask
>> 'who holds the records for this zone?', it replies with the nameserver
>> that holds the zone records. OK so far ?
>>
>> Only problem is that with AD, *every* DC that runs a dns server holds
>> the zone records. Now if you have only one NS record in the SOA (or if
>> only one NS record is returned, like the internal dns server does), then
>> only one DC will be asked for the zone records, if this DC is down, you
>> don't have a nameserver to ask!
>
> then it's a bug in the internal dns server only returning one NS record

Totally agree

>
>> Every windows DC that runs a dns server is authoritative for the dns
>> domain and has a SOA record. The only way I have found of doing this
>> with a Samba DC, is to use Bind9 and add the second DC's NS record to the
>> SOA, this SOA is stored in AD
>
> how would an SOA record look with two NS records?
>

There was a thread dealing with this in December, see here for what I posted then:

https://lists.samba.org/archive/samba/2015-December/196367.html

Rowland
On 29.02.2016 at 11:28, Rowland penny wrote:
> On 29/02/16 09:42, Reindl Harald wrote:
>>
>>
>> On 29.02.2016 at 10:10, Rowland penny wrote:
>>> Everything you say is valid except for when it comes to AD dns.
>>> When you want data from a zone, you start with the SOA record, you ask
>>> 'who holds the records for this zone?', it replies with the nameserver
>>> that holds the zone records. OK so far ?
>>>
>>> Only problem is that with AD, *every* DC that runs a dns server holds
>>> the zone records. Now if you have only one NS record in the SOA (or if
>>> only one NS record is returned, like the internal dns server does), then
>>> only one DC will be asked for the zone records, if this DC is down, you
>>> don't have a nameserver to ask!
>>
>> then it's a bug in the internal dns server only returning one NS record
>
> Totally agree
>
>>
>>> Every windows DC that runs a dns server is authoritative for the dns
>>> domain and has a SOA record. The only way I have found of doing this
>>> with a Samba DC, is to use Bind9 and add the second DC's NS record to the
>>> SOA, this SOA is stored in AD
>>
>> how would an SOA record look with two NS records?
>>
>
> There was a thread dealing with this in December, see here for what I
> posted then:
>
> https://lists.samba.org/archive/samba/2015-December/196367.html

I just want to see how a "dig SOA example.lan." would look to contain two nameservers; that below from the thread is as always an SOA containing one origin

example.lan
        origin = testdc1.example.lan
        mail addr = hostmaster.example.lan
        serial = 3
        refresh = 900
        retry = 600
        expire = 86400
        minimum = 3600
On 29/02/16 10:45, Reindl Harald wrote:
>
>
> On 29.02.2016 at 11:28, Rowland penny wrote:
>> On 29/02/16 09:42, Reindl Harald wrote:
>>>
>>>
>>> On 29.02.2016 at 10:10, Rowland penny wrote:
>>>> Everything you say is valid except for when it comes to AD dns.
>>>> When you want data from a zone, you start with the SOA record, you ask
>>>> 'who holds the records for this zone?', it replies with the nameserver
>>>> that holds the zone records. OK so far ?
>>>>
>>>> Only problem is that with AD, *every* DC that runs a dns server holds
>>>> the zone records. Now if you have only one NS record in the SOA (or if
>>>> only one NS record is returned, like the internal dns server does),
>>>> then
>>>> only one DC will be asked for the zone records, if this DC is down,
>>>> you
>>>> don't have a nameserver to ask!
>>>
>>> then it's a bug in the internal dns server only returning one NS record
>>
>> Totally agree
>>
>>>
>>>> Every windows DC that runs a dns server is authoritative for the dns
>>>> domain and has a SOA record. The only way I have found of doing this
>>>> with a Samba DC, is to use Bind9 and add the second DC's NS record
>>>> to the
>>>> SOA, this SOA is stored in AD
>>>
>>> how would an SOA record look with two NS records?
>>>
>>
>> There was a thread dealing with this in December, see here for what I
>> posted then:
>>
>> https://lists.samba.org/archive/samba/2015-December/196367.html
>
> I just want to see how a "dig SOA example.lan." would look to
> contain two nameservers; that below from the thread is as always an SOA
> containing one origin
>
> example.lan
>         origin = testdc1.example.lan
>         mail addr = hostmaster.example.lan
>         serial = 3
>         refresh = 900
>         retry = 600
>         expire = 86400
>         minimum = 3600
>
>

OK, your wish is my command :-)

root@dc1:~# dig SOA samdom.example.com

; <<>> DiG 9.9.5-9+deb8u2-Debian <<>> SOA samdom.example.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 54539
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 3

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;samdom.example.com.            IN      SOA

;; ANSWER SECTION:
samdom.example.com.     3600    IN      SOA     dc2.samdom.example.com. hostmaster.samdom.example.com. 185 900 600 86400 3600

;; AUTHORITY SECTION:
samdom.example.com.     900     IN      NS      dc1.samdom.example.com.
samdom.example.com.     900     IN      NS      dc2.samdom.example.com.

;; ADDITIONAL SECTION:
dc1.samdom.example.com. 900     IN      A       192.168.0.5
dc2.samdom.example.com. 900     IN      A       192.168.0.6

;; Query time: 8 msec
;; SERVER: 192.168.0.6#53(192.168.0.6)
;; WHEN: Mon Feb 29 11:28:10 GMT 2016
;; MSG SIZE  rcvd: 162

Rowland
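The thread's point is that a zone whose SOA query returns only one NS record has a single point of failure: if that DC is down, resolvers have no other nameserver to ask. The script below is an added example, not code from the thread or from the Samba project. It parses the text output of `dig SOA <zone>` in the format shown above and reports whether the AUTHORITY section lists at least two NS records, whether the SOA MNAME is itself one of the advertised nameservers, and whether every NS has a glue address in the ADDITIONAL section. The embedded sample is constructed to match the two-DC dig output Rowland posted; the single-NS variant is derived from it to show the failure case the thread describes. The function and class names are this example's own.

```python
"""Check that a DNS zone advertises more than one nameserver.

Added example, not part of the mailing-list thread. Parses `dig SOA <zone>`
text output and flags the single-NS situation discussed in the thread.
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field

# Constructed sample, modelled on the dig output posted in the thread.
SAMPLE_DIG_OUTPUT = """\
; <<>> DiG 9.9.5-9+deb8u2-Debian <<>> SOA samdom.example.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 54539
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 3

;; QUESTION SECTION:
;samdom.example.com.\t\tIN\tSOA

;; ANSWER SECTION:
samdom.example.com.\t3600\tIN\tSOA\tdc2.samdom.example.com. hostmaster.samdom.example.com. 185 900 600 86400 3600

;; AUTHORITY SECTION:
samdom.example.com.\t900\tIN\tNS\tdc1.samdom.example.com.
samdom.example.com.\t900\tIN\tNS\tdc2.samdom.example.com.

;; ADDITIONAL SECTION:
dc1.samdom.example.com.\t900\tIN\tA\t192.168.0.5
dc2.samdom.example.com.\t900\tIN\tA\t192.168.0.6

;; Query time: 8 msec
"""

# Constructed failure case: the same answer with the second NS record removed.
SINGLE_NS_OUTPUT = SAMPLE_DIG_OUTPUT.replace(
    "samdom.example.com.\t900\tIN\tNS\tdc2.samdom.example.com.\n", ""
)

SECTION_RE = re.compile(r"^;; (\w+) SECTION:$")


@dataclass
class ZoneReport:
    soa_mname: str | None = None
    nameservers: list[str] = field(default_factory=list)
    glue: dict[str, list[str]] = field(default_factory=dict)
    problems: list[str] = field(default_factory=list)


def parse_dig(text: str) -> dict[str, list[tuple]]:
    """Group resource records by dig section name (ANSWER, AUTHORITY, ...)."""
    sections: dict[str, list[tuple]] = {}
    current = None
    for line in text.splitlines():
        m = SECTION_RE.match(line.strip())
        if m:
            current = m.group(1)
            sections[current] = []
            continue
        # Comment lines (";", ";;") and blank lines carry no records.
        if not line or line.startswith(";") or current is None:
            continue
        fields = line.split()
        if len(fields) < 5 or fields[2] != "IN":
            continue
        name, ttl, rtype, rdata = fields[0], int(fields[1]), fields[3], fields[4:]
        sections[current].append((name, ttl, rtype, rdata))
    return sections


def check_zone(text: str, min_ns: int = 2) -> ZoneReport:
    """Apply the resilience checks the thread argues for to one dig answer."""
    report = ZoneReport()
    sections = parse_dig(text)
    for _name, _ttl, rtype, rdata in sections.get("ANSWER", []):
        if rtype == "SOA":
            report.soa_mname = rdata[0]  # MNAME: primary master in the SOA
    for _name, _ttl, rtype, rdata in sections.get("AUTHORITY", []):
        if rtype == "NS":
            report.nameservers.append(rdata[0])
    for name, _ttl, rtype, rdata in sections.get("ADDITIONAL", []):
        if rtype in ("A", "AAAA"):
            report.glue.setdefault(name, []).append(rdata[0])

    if len(report.nameservers) < min_ns:
        report.problems.append(
            f"only {len(report.nameservers)} NS record(s) returned; "
            "a single DC outage leaves no nameserver to ask"
        )
    if report.soa_mname and report.soa_mname not in report.nameservers:
        report.problems.append(f"SOA MNAME {report.soa_mname} is not listed as an NS")
    for ns in report.nameservers:
        if ns not in report.glue:
            report.problems.append(f"no glue address for {ns}")
    return report


if __name__ == "__main__":
    for label, text in (("two DCs", SAMPLE_DIG_OUTPUT), ("one DC", SINGLE_NS_OUTPUT)):
        r = check_zone(text)
        print(f"{label}: NS={r.nameservers} problems={r.problems or 'none'}")
```

On a live domain the same check is applied to the output of `dig SOA <zone> @<dc>` run against each DC in turn, since the thread's complaint is precisely that one backend answers with a single NS record while the other answers with all of them.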