Hi Marc,

I appreciate that you reply, but I got it resolved by following the advice of Mathias. I was aware of the links below, however the first is about using the BIND9_DLZ backend, and at the time I experienced the issue I was using the internal one.

Marc & Mathias,

The 2nd link that Marc references is about a DC should not use itself for DNS queries is exactly the opposite of your recommendation to use localhost. In fact I am not really decided yet, given the fact that using the other DC is long term via a VPN connection, albeit at least slow if not unreliable, and also relying on both DCs up at the same time, whereas using the local instance for sure requires some extra monitoring in order to prevent stuck replications.

Any idea?

Thanks & Best regards,
Joachim

-----Original Message-----
From: Marc Muehlfeld [mailto:mmuehlfeld at samba.org]
Sent: Thursday, 26 May 2016 17:16
To: Jo L <j.o.l at live.com>
Subject: Re: [Samba] DC2: TKEY is unacceptable, Failed DNS update?

Hello,

On 15.05.2016 at 22:36, Jo L wrote:
> /usr/sbin/samba_dnsupdate:
> dns_tkey_negotiategss: TKEY is unacceptable

Have you checked
https://wiki.samba.org/index.php/Dns_tkey_negotiategss:_TKEY_is_unacceptable

> When DC2 joined DC1, resolv.conf was pointing to DC1.
> I changed that later on as I want to be able to continue to operate
> DC2 while DC1 is down.

It's better if you use the local IP only as _secondary_ nameserver entry in your resolv.conf.
https://blogs.technet.microsoft.com/askds/2010/07/17/friday-mail-sack-saturday-edition/#dnsbest

Regards,
Marc
Andrew Bartlett
2016-May-26 19:11 UTC
[Samba] DC2: TKEY is unacceptable, Failed DNS update?
On Thu, 2016-05-26 at 17:32 +0200, Jo wrote:
> Hi Marc,
> I appreciate that you reply, but I got it resolved by following the
> advice of Mathias. I was aware of the links below, however the first
> is about using the BIND9_DLZ backend, and at the time I experienced
> the issue I was using the internal one.
> Marc & Mathias,
> The 2nd link that Marc references is about a DC should not use itself
> for DNS queries is exactly the opposite of your recommendation to use
> localhost. In fact I am not really decided yet, given the fact that
> using the other DC is long term via a VPN connection, albeit at least
> slow if not unreliable, and also relying on both DCs up at the same
> time, whereas using the local instance for sure requires some extra
> monitoring in order to prevent stuck replications.
> Any idea?
> Thanks & Best regards, Joachim

Yes, it should use itself as the DNS server, once the initial registration work is done.

We know this area isn't ideal, and we are actively working to improve it. I expect Samba 4.5 to be much more sensible in this regard, given the patches I've seen from other Samba team members and the work my team at Catalyst is currently doing for our clients.

Thanks,

Andrew Bartlett

--
Andrew Bartlett                       http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba
Hi Andrew,

thanks for the clarification. Makes me feel more comfortable with what I would have preferred. Until that's improved in software - what do you recommend to monitor in order to verify the forest is not going to split into individual trees?

Thanks & Best regards,
Joachim

-----Original Message-----
From: samba [mailto:samba-bounces at lists.samba.org] On Behalf Of Andrew Bartlett
Sent: Thursday, 26 May 2016 21:11
To: Jo <j.o.l at live.com>; 'Marc Muehlfeld' <mmuehlfeld at samba.org>; 'mathias dufresne' <infractory at gmail.com>
Cc: 'samba' <samba at lists.samba.org>
Subject: Re: [Samba] DC2: TKEY is unacceptable, Failed DNS update?

On Thu, 2016-05-26 at 17:32 +0200, Jo wrote:
> Hi Marc,
> I appreciate that you reply, but I got it resolved by following the
> advice of Mathias. I was aware of the links below, however the first
> is about using the BIND9_DLZ backend, and at the time I experienced
> the issue I was using the internal one.
> Marc & Mathias,
> The 2nd link that Marc references is about a DC should not use itself
> for DNS queries is exactly the opposite of your recommendation to use
> localhost. In fact I am not really decided yet, given the fact that
> using the other DC is long term via a VPN connection, albeit at least
> slow if not unreliable, and also relying on both DCs up at the same
> time, whereas using the local instance for sure requires some extra
> monitoring in order to prevent stuck replications.
> Any idea?
> Thanks & Best regards, Joachim

Yes, it should use itself as the DNS server, once the initial registration work is done.

We know this area isn't ideal, and we are actively working to improve it. I expect Samba 4.5 to be much more sensible in this regard, given the patches I've seen from other Samba team members and the work my team at Catalyst is currently doing for our clients.

Thanks,

Andrew Bartlett

--
Andrew Bartlett                       http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba