tomict
2018-Oct-19 20:09 UTC
[Samba] AD RODC not being used because of missing DNS entries?
Hi All,

Is it correct that my RODC domain controller (DC2.ad.example.nl) has only one entry in the (internal) DNS on domain controller DC1? It seems to me that because of missing DNS entries it is not used by clients in the AD domain.

I recently installed a second Domain Controller (DC2) alongside the smoothly running first domain controller DC1. Samba version 4.8.5, CentOS 7 Linux, further config files below.

The command used to join DC2 as RODC:

  # samba-tool domain join ad.example.nl RODC -U "ad.example.nl\Administrator"

(see https://wiki.samba.org/index.php/Join_a_domain_as_a_RODC). This seemed to run OK, DC2 was joined to the domain.

Before I restarted the samba-ad service, I set the uidNumber of DC2 because I use idmap backend = ad on the other domain members.

Machine and user accounts are replicated to DC2. The A record entry for DC2.ad.example was added to the DNS on DC1, but nothing more.

I see no entries for ldap, kerberos etc. For example:

  # host -t SRV _ldap._tcp.dc._msdcs.ad.example.nl

returns:

  _ldap._tcp.dc._msdcs.ad.example.nl has SRV record 0 100 389 DC1.ad.example.nl.

and

  # host ad.example.nl

returns:

  ad.example.nl has address 192.168.223.100

which is the address of DC1. I thought it should also return a second IP address for DC2.

In /var/log/samba/log.samba I see truckloads of this:

  [2018/10/19 21:51:05.039345,  0] ../source4/dsdb/dns/dns_update.c:330(dnsupdate_nameupdate_done)
    ../source4/dsdb/dns/dns_update.c:330: Failed DNS update - with error code 4

Should I add the records manually? Should they have been added when I joined the RODC to the domain? Or am I wrong about something else (very likely)?

regards,
Tom Welter

Below are the config files for both DCs.
Sysvol is replicated from DC1 to DC2 via rsync.

Samba Version: Version 4.8.5-SerNet-RedHat-11.el7

Content of //DC1/etc/samba/smb.conf:

  [global]
      workgroup = EXAMPLENL
      realm = AD.EXAMPLE.NL
      netbios name = DC1
      server role = active directory domain controller
      dns forwarder = 192.168.223.117
      idmap_ldb:use rfc2307 = yes
      allow dns updates = nonsecure
      ldap server require strong auth = no
      log level = 0

  [netlogon]
      path = /var/lib/samba/sysvol/ad.example.nl/scripts
      read only = No

  [sysvol]
      path = /var/lib/samba/sysvol
      read only = No

Content of //DC2/etc/samba/smb.conf:

  [global]
      netbios name = DC2
      realm = AD.EXAMPLE.NL
      server role = active directory domain controller
      workgroup = EXAMPLENL

  [netlogon]
      path = /var/lib/samba/sysvol/ad.example.com/scripts
      read only = No

  [sysvol]
      path = /var/lib/samba/sysvol
      read only = No

For completeness:

  samba-tool dns zoneinfo dc1.ad.example.nl ad.example.nl -U administrator

outputs:

  dwZoneType                  : DNS_ZONE_TYPE_PRIMARY
  fReverse                    : FALSE
  fAllowUpdate                : DNS_ZONE_UPDATE_SECURE
  fPaused                     : FALSE
  fShutdown                   : FALSE
  fAutoCreated                : FALSE
  fUseDatabase                : TRUE
  pszDataFile                 : None
  aipMasters                  : []
  fSecureSecondaries          : DNS_ZONE_SECSECURE_NO_XFER
  fNotifyLevel                : DNS_ZONE_NOTIFY_LIST_ONLY
  aipSecondaries              : []
  aipNotify                   : []
  fUseWins                    : FALSE
  fUseNbstat                  : FALSE
  fAging                      : FALSE
  dwNoRefreshInterval         : 168
  dwRefreshInterval           : 168
  dwAvailForScavengeTime      : 0
  aipScavengeServers          : []
  dwRpcStructureVersion       : 0x2
  dwForwarderTimeout          : 0
  fForwarderSlave             : 0
  aipLocalMasters             : []
  dwDpFlags                   : DNS_DP_AUTOCREATED DNS_DP_DOMAIN_DEFAULT DNS_DP_ENLISTED
  pszDpFqdn                   : DomainDnsZones.ad.example.nl
  pwszZoneDn                  : DC=ad.example.nl,CN=MicrosoftDNS,DC=DomainDnsZones,DC=ad,DC=example,DC=nl
  dwLastSuccessfulSoaCheck    : 0
  dwLastSuccessfulXfr         : 0
  fQueuedForBackgroundLoad    : FALSE
  fBackgroundLoadInProgress   : FALSE
  fReadOnlyZone               : FALSE
  dwLastXfrAttempt            : 0
  dwLastXfrResult             : 0
Rowland Penny
2018-Oct-19 21:03 UTC
[Samba] AD RODC not being used because of missing DNS entries?
On Fri, 19 Oct 2018 22:09:27 +0200 (CEST)
tomict via samba <samba at lists.samba.org> wrote:

> Hi All,
>
> Is it correct that my RODC domain controller (DC2.ad.example.nl) has
> only one entry in the (internal) DNS on domain controller DC1? It
> seems to me that because of missing dns entries it is not used by
> clients in the ad domain
>
> I recently installed a second Domain Controller (DC2) along the
> smooth running first domain controller DC1. Samba version 4.8.5,
> Centos 7 Linux, further config files below.
>
> The command used to join the DC2 as RODC:
> # samba-tool domain join ad.example.nl RODC -U
> "ad.example.nl\Administrator" (see
> https://wiki.samba.org/index.php/Join_a_domain_as_a_RODC) This seemed
> to run OK, DC2 was joined to the domain.
>
> Before I restarted the samba-ad service, I set the uidNumber of DC2
> because I use idmap backend = ad on the other domain members.
>
> Machine and user accounts are replicated to DC2.
> The A record entry for DC2.ad.example was added to the dns on DC1,
> but nothing more.
>
> I see no entries for ldap, kerberos etc. For example:
> # host -t SRV _ldap._tcp.dc._msdcs.ad.example.nl
> returns:
> _ldap._tcp.dc._msdcs.ad.example.nl has SRV record 0 100 389
> DC1.ad.example.nl.
>
> and
> # host ad.example.nl
> returns:
> ad.example.nl has address 192.168.223.100
> which is the address of DC1. I thought it should also return a second
> ip address for DC2.
>
> in the /var/log/samba/log.samba I see truckloads of this:
> [2018/10/19 21:51:05.039345,
> 0] ../source4/dsdb/dns/dns_update.c:330(dnsupdate_nameupdate_done) ../source4/dsdb/dns/dns_update.c:330:
> Failed DNS update - with error code 4
>
>
> Should I add the records manually? Should they have been added when I
> joined the RODC to the domain? Or am I wrong about something else
> (very likely)?
Never ran an RODC (yet), but this all sounds like the problems that used to occur when joining a second DC, try reading this:

https://wiki.samba.org/index.php/Verifying_and_Creating_a_DC_DNS_Record

You could try restarting Samba, there is a script 'samba_dnsupdate', which uses a file 'dns_update list' to create missing dns entries. The script is run at start up.

Rowland
tomict
2018-Oct-19 22:06 UTC
[Samba] AD RODC not being used because of missing DNS entries?
Thanks for the quick reply Rowland

> Never ran an RODC (yet), but this all sounds like the problems that
> used to occur when joining a second DC, try reading this:
> https://wiki.samba.org/index.php/Verifying_and_Creating_a_DC_DNS_Record

I checked this, both the A record and the objectGUID CNAME records exist for DC1 and DC2 on both servers.

> You could try restarting Samba, there is a script 'samba_dnsupdate',
> which uses a file 'dns_update list' to create missing dns entries. The
> script is run at start up.
> Rowland

I ran samba_dnsupdate manually on DC1, which runs fine. DC1 has all the records. However, on DC2 there are errors. DC2 lacks the records, which makes sense considering the errors. When I run samba_dnsupdate with log level = 3:

  GENSEC backend 'gssapi_spnego' registered
  GENSEC backend 'gssapi_krb5' registered
  GENSEC backend 'gssapi_krb5_sasl' registered
  GENSEC backend 'spnego' registered
  GENSEC backend 'schannel' registered
  GENSEC backend 'naclrpc_as_system' registered
  GENSEC backend 'sasl-EXTERNAL' registered
  GENSEC backend 'ntlmssp' registered
  GENSEC backend 'ntlmssp_resume_ccache' registered
  GENSEC backend 'http_basic' registered
  GENSEC backend 'http_ntlm' registered
  GENSEC backend 'http_negotiate' registered
  GENSEC backend 'krb5' registered
  GENSEC backend 'fake_gssapi_krb5' registered
  Error setting DNS entry of type 22: SRV _ldap._tcp.Default-First-Site-Name._sites.ad.iucn.nl dc2.ad.iucn.nl 389: (3221225653, '{Device Timeout} The specified I/O operation on %hs was not completed before the time-out period expired.')
  Error setting DNS entry of type 32: SRV _ldap._tcp.Default-First-Site-Name._sites.dc._msdcs.ad.iucn.nl dc2.ad.iucn.nl 389: (3221225653, '{Device Timeout} The specified I/O operation on %hs was not completed before the time-out period expired.')
  Error setting DNS entry of type 34: SRV _kerberos._tcp.Default-First-Site-Name._sites.ad.iucn.nl dc2.ad.iucn.nl 88: (3221225653, '{Device Timeout} The specified I/O operation on %hs was not completed before the time-out period expired.')
  Error setting DNS entry of type 30: SRV _kerberos._tcp.Default-First-Site-Name._sites.dc._msdcs.ad.iucn.nl dc2.ad.iucn.nl 88: (3221225653, '{Device Timeout} The specified I/O operation on %hs was not completed before the time-out period expired.')
  Failed update of 4 entries

Obviously there is something wrong with the DNS updates on DC2. Any ideas?

Tom
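The thread checks SRV records one at a time with `host -t SRV`. The script below, an added example that is not part of the thread or of Samba, automates that check for the LDAP/Kerberos/kpasswd SRV names of the kind samba_dnsupdate registers (domain-wide, dc._msdcs and per-site), and reports every name that does not point at a given DC. The domain, site name and DC FQDN are assumed values; `host` from bind-utils is assumed, and SRV_QUERY lets you substitute another resolver command.

```shell
#!/bin/sh
# Report which AD SRV records a DC is not advertised in.
# Usage: missing_srv_for_dc <dc-fqdn> <dns-domain> <site-name>
# Assumed values for the example; adjust to your domain.
DOMAIN="ad.example.nl"
SITE="Default-First-Site-Name"

# SRV owner names a Samba DC is expected to appear under (assumed list,
# modelled on the names seen in the thread plus the domain-wide ones).
expected_srv_names() {
    d="$1"; s="$2"
    cat <<EOF
_ldap._tcp.$d
_ldap._tcp.dc._msdcs.$d
_ldap._tcp.$s._sites.$d
_ldap._tcp.$s._sites.dc._msdcs.$d
_kerberos._tcp.$d
_kerberos._tcp.dc._msdcs.$d
_kerberos._tcp.$s._sites.$d
_kerberos._tcp.$s._sites.dc._msdcs.$d
_kerberos._udp.$d
_kpasswd._tcp.$d
_kpasswd._udp.$d
EOF
}

# Query one SRV name and print its targets, lower-cased, without the
# trailing dot. SRV_QUERY overrides the resolver command (default: host).
srv_targets() {
    ${SRV_QUERY:-host -t SRV} "$1" 2>/dev/null |
        awk '/has SRV record/ { sub(/\.$/, "", $NF); print tolower($NF) }'
}

# Print "MISSING: <name> -> <dc>" for each expected SRV name whose
# targets do not include the DC; exit status 1 if anything is missing.
missing_srv_for_dc() {
    dc=$(printf '%s' "$1" | tr 'A-Z' 'a-z'); d="$2"; s="$3"; rc=0
    for name in $(expected_srv_names "$d" "$s"); do
        if ! srv_targets "$name" | grep -qx "$dc"; then
            echo "MISSING: $name -> $dc"
            rc=1
        fi
    done
    return $rc
}

# Stand-alone run: check DC2 against the assumed domain and site.
[ "${1:-}" = "--run" ] && missing_srv_for_dc "dc2.$DOMAIN" "$DOMAIN" "$SITE"
```

Run it on DC1 with `sh check_dc_srv.sh --run` (or call the function with another DC name); an empty result means every expected SRV record already lists that DC.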