Izan Díez Sánchez
2016-Nov-30 12:17 UTC
[Samba] Recommended DNS configuration on Domain Controllers causes share by IP name to fail
Hi,

Following the DNS configuration of multiple DCs recommended on the wiki https://wiki.samba.org/index.php/Joining_a_Samba_DC_to_an_Existing_Active_Directory#DNS_Configuration_on_Domain_Controllers , clients are unable to open Windows shares based on the server IP, for example \\133.1.1.24 . However, they work fine opening either the NetBIOS name or the DNS name, for example \\FILESERVER1 or \\FILESERVER1.domain.local

Here is what the article says:

------------------------------------------------------------------
DNS Configuration on Domain Controllers

The DNS configuration on domain controllers (DC) is important, because if it is unable to locate other DCs the replication will fail. The following is a best practice for DNS configuration on domain controllers (DC): Set the local IP of a DC as secondary or tertiary nameserver entry in its /etc/resolv.conf file and use a different Active Directory (AD) DNS server IP from the forest as primary name server. For example: On the new joined DC, use the 10.99.0.1 IP of the existing DC as primary and the local 10.99.0.2 IP as secondary nameserver entry:

nameserver 10.99.0.1
nameserver 10.99.0.2 # IP of the new joined DC as secondary entry
search samdom.example.com

If you are running more than two DCs, you can configure the IPs in crosswise direction.
------------------------------------------------------------------

This only occurs with Windows file servers and never with other Samba members of the AD. If I try to access it via the graphical interface, Explorer just takes forever and hangs. The following error is thrown in the command line:

C:\Users\ids>net view \\133.1.1.24
System error 53.

The network path was not found.

Changing the configuration of /etc/resolv.conf to the following:

nameserver 10.99.0.2 # IP of the new joined DC as secondary entry
nameserver 10.99.0.1
search samdom.example.com

That is, always the first name server as itself in every DC of the domain, makes the shares referred to by IP work as expected. I tested in a pure Windows AD and this is the normal behavior.

It seems that it is some kind of DNS query loop trying to do the reverse name resolution, but I wasn't able to debug further.

Has anyone experienced something similar?

Izan Díez Sánchez
ids at empre.es
Empresarios Agrupados
+34 91 309 80 00 (ext: 8813)
Magallanes 3 28015 Madrid
www.empresariosagrupados.es
Rowland Penny
2016-Nov-30 13:09 UTC
[Samba] Recommended DNS configuration on Domain Controllers causes share by IP name to fail
On Wed, 30 Nov 2016 13:17:18 +0100
Izan Díez Sánchez via samba <samba at lists.samba.org> wrote:

> Hi,
>
> Following DNS configuration of multiple DCs recommended on the wiki https://wiki.samba.org/index.php/Joining_a_Samba_DC_to_an_Existing_Active_Directory#DNS_Configuration_on_Domain_Controllers , clients are unable to open windows shares based on the server IP, for example \\133.1.1.24 . However they work fine opening either the netbios name or the DNS name, for example \\FILESERVER1 or \\FILESERVER1.domain.local
>
> Here is what the article says:
>
> ------------------------------------------------------------------
> DNS Configuration on Domain Controllers
>
> The DNS configuration on domain controllers (DC) is important, because if it is unable to locate other DCs the replication will fail. The following is a best practice for DNS configuration on domain controllers (DC): Set the local IP of a DC as secondary or tertiary nameserver entry in its /etc/resolv.conf file and use a different Active Directory (AD) DNS server IP from the forest as primary name server. For example: On the new joined DC, use the 10.99.0.1 IP of the existing DC as primary and the local 10.99.0.2 IP as secondary nameserver entry:
>
> nameserver 10.99.0.1
> nameserver 10.99.0.2 # IP of the new joined DC as secondary entry
> search samdom.example.com
>
> If you are running more than two DCs, you can configure the IPs in crosswise direction.
> ------------------------------------------------------------------
>
> This only occurs with Windows File Servers and never with other Samba members of the AD. If tried to access via the graphical interface the explorer just takes forever and hangs. The following error is thrown in the command line:
>
> C:\Users\ids>net view \\133.1.1.24
> System error 53.
>
> The network path was not found.
>
> Changing the configuration of /etc/resolv.conf to the following:
>
> nameserver 10.99.0.2 # IP of the new joined DC as secondary entry
> nameserver 10.99.0.1
> search samdom.example.com
>
> That is, always the first name server as itself in every DC of the domain. Makes the shares referred as the IP to work as expected. I tested in a pure Windows AD and this is the normal behavior.
>
> It seems that is some kind of dns query loop trying to do the reverse name resolution, but I wasn't able to debug further.
>
> Has anyone experienced something similar?

I am now beginning to think the wiki is wrong. The new DC needs to point to an existing DC during the join, this way it will replicate correctly, but once the replication has occurred, it should point to its own IP.

The wiki was written the way it is because of concerns over 'islanding', I do not think this is a real concern, because every DC holds all the domain DNS records and should be able to find any other machine in the domain.

Rowland
L.P.H. van Belle
2016-Nov-30 13:32 UTC
[Samba] Recommended DNS configuration on Domain Controllers causes share by IP name to fail
You're correct, the wiki is wrong.

Preconditions

This line should be changed:
Verify that the host name in /etc/resolv.conf resolves to the network IP and not to 127.0.0.1 (localhost).
To:
Verify that the host name in /etc/hosts resolves to the network IP and not to 127.0.0.1 (localhost).
And

127.0.0.1 localhost localhost.localdomain
10.99.0.2 DC2.samdom.example.com DC2

DNS Resolving. Is correct, the name server is pointing to the first DC.

And I would suggest, before the "Verify the DNS Entries", add a "Reboot the server, wait a few min, depending on the Samba AD DB size." Now proceed with the DNS checks and database replications.

I don't know if these are all fixed in the coming 4.5.2, but in lots of cases the DNS resolving doesn't work, the needed records are not created at startup of Samba. But after a reboot this works most of the time.

And this part.
DNS Configuration on Domain Controllers.
If you are running more than two DCs, you can configure the IPs in crosswise direction.
Add: but only after you joined the server, rebooted at least 1-2 times and you checked the DNS entries and AD database replication.

Greetz,

Louis

> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Rowland Penny via samba
> Sent: Wednesday 30 November 2016 14:10
> To: samba at lists.samba.org
> Subject: Re: [Samba] Recommended DNS configuration on Domain Controllers causes share by IP name to fail
>
> On Wed, 30 Nov 2016 13:17:18 +0100
> Izan Díez Sánchez via samba <samba at lists.samba.org> wrote:
>
> > Hi,
> >
> > Following DNS configuration of multiple DCs recommended on the wiki https://wiki.samba.org/index.php/Joining_a_Samba_DC_to_an_Existing_Active_Directory#DNS_Configuration_on_Domain_Controllers , clients are unable to open windows shares based on the server IP, for example \\133.1.1.24 . However they work fine opening either the netbios name or the DNS name, for example \\FILESERVER1 or \\FILESERVER1.domain.local
> >
> > Here is what the article says:
> >
> > ------------------------------------------------------------------
> > DNS Configuration on Domain Controllers
> >
> > The DNS configuration on domain controllers (DC) is important, because if it is unable to locate other DCs the replication will fail. The following is a best practice for DNS configuration on domain controllers (DC): Set the local IP of a DC as secondary or tertiary nameserver entry in its /etc/resolv.conf file and use a different Active Directory (AD) DNS server IP from the forest as primary name server. For example: On the new joined DC, use the 10.99.0.1 IP of the existing DC as primary and the local 10.99.0.2 IP as secondary nameserver entry:
> >
> > nameserver 10.99.0.1
> > nameserver 10.99.0.2 # IP of the new joined DC as secondary entry
> > search samdom.example.com
> >
> > If you are running more than two DCs, you can configure the IPs in crosswise direction.
> > ------------------------------------------------------------------
> >
> > This only occurs with Windows File Servers and never with other Samba members of the AD. If tried to access via the graphical interface the explorer just takes forever and hangs. The following error is thrown in the command line:
> >
> > C:\Users\ids>net view \\133.1.1.24
> > System error 53.
> >
> > The network path was not found.
> >
> > Changing the configuration of /etc/resolv.conf to the following:
> >
> > nameserver 10.99.0.2 # IP of the new joined DC as secondary entry
> > nameserver 10.99.0.1
> > search samdom.example.com
> >
> > That is, always the first name server as itself in every DC of the domain. Makes the shares referred as the IP to work as expected. I tested in a pure Windows AD and this is the normal behavior.
> >
> > It seems that is some kind of dns query loop trying to do the reverse name resolution, but I wasn't able to debug further.
> >
> > Has anyone experienced something similar?
>
> I am now beginning to think the wiki is wrong. The new DC needs to point to an existing DC during the join, this way it will replicate correctly, but once the replication has occurred, it should point to its own IP.
>
> The wiki was written the way it is because of concerns over 'islanding', I do not think this is a real concern, because every DC holds all the domain DNS records and should be able to find any other machine in the domain.
>
> Rowland
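Louis's proposed precondition (the host name must resolve through /etc/hosts to the network IP, not to 127.0.0.1) and the resolv.conf ordering the thread argues about are both easy to check mechanically before starting Samba. The following POSIX shell script is an added example, not code from the thread or from the Samba project: it parses constructed sample copies of /etc/hosts and /etc/resolv.conf for a hypothetical DC2 at 10.99.0.2 (the wiki's own addresses) and reports whether the host entry is a real network address and whether the DC lists itself first, later, or not at all. On a real DC you would feed it the contents of the actual files.

```shell
#!/bin/sh
# Added example (not from the thread or the Samba wiki): lint a DC's
# name-resolution files against the points raised in the discussion.
# All names, addresses and file contents below are constructed samples.

# Constructed sample /etc/hosts: DC2 (10.99.0.2) joined to a domain whose first DC is 10.99.0.1.
SAMPLE_HOSTS='127.0.0.1 localhost localhost.localdomain
10.99.0.2 DC2.samdom.example.com DC2'

# Constructed sample /etc/resolv.conf in the wiki's recommended order: existing DC first, itself second.
SAMPLE_RESOLV='nameserver 10.99.0.1
nameserver 10.99.0.2 # IP of the new joined DC as secondary entry
search samdom.example.com'

# hosts_ip_for NAME HOSTS_CONTENT: print the address /etc/hosts maps NAME to (case-insensitive).
hosts_ip_for() {
  printf '%s\n' "$2" | awk -v n="$1" '
    $1 !~ /^#/ { for (i = 2; i <= NF; i++) if (tolower($i) == tolower(n)) { print $1; exit } }'
}

# check_hosts_entry NAME HOSTS_CONTENT: succeed only if NAME maps to a real network
# address rather than a loopback one (the precondition Louis wants the wiki to state).
check_hosts_entry() {
  ip=$(hosts_ip_for "$1" "$2")
  if [ -z "$ip" ]; then
    return 1
  fi
  case "$ip" in
    127.*|::1) return 1 ;;
  esac
  return 0
}

# first_nameserver RESOLV_CONTENT: print the address on the first nameserver line.
first_nameserver() {
  printf '%s\n' "$1" | awk '$1 == "nameserver" { print $2; exit }'
}

# lists_nameserver IP RESOLV_CONTENT: succeed if IP appears on any nameserver line.
lists_nameserver() {
  printf '%s\n' "$2" | awk -v ip="$1" '
    $1 == "nameserver" && $2 == ip { found = 1 }
    END { if (found) exit 0; exit 1 }'
}

# resolv_order OWN_IP RESOLV_CONTENT: classify the DC's resolver order.
#   peer-first    the wiki's recommendation (another DC first, itself later)
#   self-first    the order that made share-by-IP work in the first message
#   self-missing  the DC does not list itself at all
resolv_order() {
  first=$(first_nameserver "$2")
  if [ "$first" = "$1" ]; then
    echo self-first
  elif lists_nameserver "$1" "$2"; then
    echo peer-first
  else
    echo self-missing
  fi
}

# report HOSTNAME OWN_IP HOSTS_CONTENT RESOLV_CONTENT: human-readable summary of both checks.
report() {
  if check_hosts_entry "$1" "$3"; then
    echo "hosts: $1 -> $(hosts_ip_for "$1" "$3") (ok, not loopback)"
  else
    echo "hosts: $1 -> $(hosts_ip_for "$1" "$3") (PROBLEM: missing or loopback)"
  fi
  echo "resolv.conf order for $2: $(resolv_order "$2" "$4")"
}

report DC2 10.99.0.2 "$SAMPLE_HOSTS" "$SAMPLE_RESOLV"
```

The script only reads the two files and never touches the resolver, so it can run before Samba or BIND is started; a `self-missing` result on a DC, or a host entry that resolves to 127.0.0.1, is worth fixing before looking at replication or `samba_dnsupdate` output.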
lingpanda101
2016-Nov-30 14:21 UTC
[Samba] Recommended DNS configuration on Domain Controllers causes share by IP name to fail
On 11/30/2016 8:09 AM, Rowland Penny via samba wrote:

> On Wed, 30 Nov 2016 13:17:18 +0100
> Izan Díez Sánchez via samba <samba at lists.samba.org> wrote:
>
>> Hi,
>>
>> Following DNS configuration of multiple DCs recommended on the wiki https://wiki.samba.org/index.php/Joining_a_Samba_DC_to_an_Existing_Active_Directory#DNS_Configuration_on_Domain_Controllers , clients are unable to open windows shares based on the server IP, for example \\133.1.1.24 . However they work fine opening either the netbios name or the DNS name, for example \\FILESERVER1 or \\FILESERVER1.domain.local
>>
>> Here is what the article says:
>>
>> ------------------------------------------------------------------
>> DNS Configuration on Domain Controllers
>>
>> The DNS configuration on domain controllers (DC) is important, because if it is unable to locate other DCs the replication will fail. The following is a best practice for DNS configuration on domain controllers (DC): Set the local IP of a DC as secondary or tertiary nameserver entry in its /etc/resolv.conf file and use a different Active Directory (AD) DNS server IP from the forest as primary name server. For example: On the new joined DC, use the 10.99.0.1 IP of the existing DC as primary and the local 10.99.0.2 IP as secondary nameserver entry:
>>
>> nameserver 10.99.0.1
>> nameserver 10.99.0.2 # IP of the new joined DC as secondary entry
>> search samdom.example.com
>>
>> If you are running more than two DCs, you can configure the IPs in crosswise direction.
>> ------------------------------------------------------------------
>>
>> This only occurs with Windows File Servers and never with other Samba members of the AD. If tried to access via the graphical interface the explorer just takes forever and hangs. The following error is thrown in the command line:
>>
>> C:\Users\ids>net view \\133.1.1.24
>> System error 53.
>>
>> The network path was not found.
>>
>> Changing the configuration of /etc/resolv.conf to the following:
>>
>> nameserver 10.99.0.2 # IP of the new joined DC as secondary entry
>> nameserver 10.99.0.1
>> search samdom.example.com
>>
>> That is, always the first name server as itself in every DC of the domain. Makes the shares referred as the IP to work as expected. I tested in a pure Windows AD and this is the normal behavior.
>>
>> It seems that is some kind of dns query loop trying to do the reverse name resolution, but I wasn't able to debug further.
>>
>> Has anyone experienced something similar?
>
> I am now beginning to think the wiki is wrong. The new DC needs to point to an existing DC during the join, this way it will replicate correctly, but once the replication has occurred, it should point to its own IP.
>
> The wiki was written the way it is because of concerns over 'islanding', I do not think this is a real concern, because every DC holds all the domain DNS records and should be able to find any other machine in the domain.
>
> Rowland

I think the wiki is correct but see comment below.

I don't believe islanding to be a big concern either but what about the possibility of a "race condition" between DNS and AD? In a Microsoft environment, AD has the possibility of starting first before DNS has started. This of course creates failure in name resolution during boot. Is this a concern using Bind or Samba internal DNS? If not then I see no issue setting a DC to itself as a primary DNS server.

--
- James
Rowland Penny
2016-Nov-30 14:37 UTC
[Samba] Recommended DNS configuration on Domain Controllers causes share by IP name to fail
On Wed, 30 Nov 2016 14:32:08 +0100
"L.P.H. van Belle via samba" <samba at lists.samba.org> wrote:

> You're correct, the wiki is wrong.
>
> Preconditions
> This line should be changed:
> Verify that the host name in /etc/resolv.conf resolves to the network IP and not to 127.0.0.1 (localhost).
> To:
> Verify that the host name in /etc/hosts resolves to the network IP and not to 127.0.0.1 (localhost).
> And
> 127.0.0.1 localhost localhost.localdomain
> 10.99.0.2 DC2.samdom.example.com DC2

Done.

> DNS Resolving. Is correct, the name server is pointing to the first DC.
>
> And I would suggest, before the "Verify the DNS Entries", add a "Reboot the server, wait a few min, depending on the Samba AD DB size."

Now that I have really read the DC joining page, there are a few things that need fixing; 'Verify the DNS Entries' comes before 'Starting the Samba Service', for instance.

> Now proceed with the DNS checks and database replications.
>
> I don't know if these are all fixed in the coming 4.5.2, but in lots of cases the DNS resolving doesn't work, the needed records are not created at startup of Samba. But after a reboot this works most of the time.
>
> And this part.
> DNS Configuration on Domain Controllers.
> If you are running more than two DCs, you can configure the IPs in crosswise direction.
> Add: but only after you joined the server, rebooted at least 1-2 times and you checked the DNS entries and AD database replication.

This is where we disagree, 'islanding' seems to have been a problem with 2000, later versions shouldn't have this problem, see here:

https://social.technet.microsoft.com/Forums/windowsserver/en-US/b7bf37a2-6e1a-40a8-8d4b-1c15ee9bc0fa/2k8-best-practice-for-setting-the-dns-server-list-on-a-dcdns-server-for-an-interface?forum=winserverNIS

Rowland
L.P.H. van Belle
2016-Nov-30 15:18 UTC
[Samba] Recommended DNS configuration on Domain Controllers causes share by IP name to fail
Hi James,

> I think the wiki is correct but see comment below.
>
> I don't believe islanding to be a big concern either but what about the possibility of a "race condition" between DNS and AD? In a Microsoft environment, AD has the possibility of starting first before DNS has started. This of course creates failure in name resolution during boot. Is this a concern using Bind or Samba internal DNS? If not then I see no issue setting a DC to itself as a primary DNS server.
>
> --
> - James

> AD has the possibility of starting first before DNS has started.

No, not true, Active Directory Domain Services depends on DNS Server (and others) in Windows.

And yes, the wiki does have a few errors imo. One needed correction is the /etc/hosts file, for example:

127.0.0.1 localhost any-other.alias

See also: http://www.ietf.org/rfc/rfc1912.txt

> Is this a concern using Bind or Samba internal DNS?

I asked Oliver (today's subject: [Samba] Add new DomainController). I think this is related to BIND. Let's wait and see what he tells us.

And if it's systemd (in my Debian Jessie system I'm still missing some startup dependencies), something like:

After=network.target bind9.service
Requires=network-online.target
...

The network.target only indicates that the network management stack is up. Whether any network interfaces are already configured when it is reached is undefined. I'll go through the Debian bug list for this.

Setting a DC to itself as a primary DNS server, yes it's possible. But only client software uses it (resolv.conf). Any PC uses the DNS itself. At a DC join you MUST point to the first DC and only after everything is replicated, yes, you can point back to itself, not that I advise it.

I've set up as follows.

All DCs point to DC1 (with FSMO roles) + DC2 (this order for all DCs) (and all DCs have in /etc/hosts all the DC hostnames as backup.)
All member servers and PCs point to DC2 and DC3 (in case you have only 2 DCs I suggest the order DC2 DC1).

Never had any resolving problems this way and load is split over the servers. But this can be set up in multiple ways. This is best for me; for you, it can be different.

Greetz,

Louis
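Louis's sketch of the missing systemd ordering can be expressed as a drop-in rather than by editing the packaged unit. The fragment below is an added example, not something from the thread or the Samba project; the unit names samba-ad-dc.service (Debian's name for the AD DC service) and bind9.service (Debian's BIND unit) are assumptions and should be checked against `systemctl list-units` on the host, and the drop-in only matters when the DC uses the BIND9_DLZ backend, since the internal DNS server runs inside samba itself.

```ini
# /etc/systemd/system/samba-ad-dc.service.d/override.conf
# Added example (not from the thread): start the Samba AD DC only after the
# network is actually online and after BIND, so the DC's own DNS records can be
# registered at startup. Unit names are assumptions for a Debian-style system.
[Unit]
# Wants= pulls network-online.target into the transaction; After= on its own only
# orders the units and would not start the target. Wants= is used instead of the
# Requires= in Louis's sketch so that a failing network-online.target does not
# take the DC down with it.
Wants=network-online.target
After=network-online.target bind9.service
```

Apply it with `systemctl daemon-reload` and confirm the ordering with `systemctl show -p After -p Wants samba-ad-dc.service`; network-online.target is itself only meaningful when the distribution's network manager implements it, which is the behaviour Louis notes is undefined for plain network.target.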