tomict
2018-Oct-19 22:06 UTC
[Samba] AD RODC not being used because of missing DNS entries?
Thanks for the quick reply Rowland

> Never ran an RODC (yet), but this all sounds like the problems that
> used to occur when joining a second DC, try reading this:
> https://wiki.samba.org/index.php/Verifying_and_Creating_a_DC_DNS_Record

I checked this, both the A record and the objectGUID CNAME records exist for DC1 and DC2 on both servers.

> You could try restarting Samba, there is a script 'samba_dnsupdate',
> which uses a file 'dns_update list' to create missing dns entries. The
> script is run at start up.
>
> Rowland

I ran samba_dnsupdate manually on DC1 which runs fine. DC1 has all the records.

However, on DC2 there are errors. DC2 lacks the records which makes sense considering the errors. When I run samba_dnsupdate with log level = 3:

GENSEC backend 'gssapi_spnego' registered
GENSEC backend 'gssapi_krb5' registered
GENSEC backend 'gssapi_krb5_sasl' registered
GENSEC backend 'spnego' registered
GENSEC backend 'schannel' registered
GENSEC backend 'naclrpc_as_system' registered
GENSEC backend 'sasl-EXTERNAL' registered
GENSEC backend 'ntlmssp' registered
GENSEC backend 'ntlmssp_resume_ccache' registered
GENSEC backend 'http_basic' registered
GENSEC backend 'http_ntlm' registered
GENSEC backend 'http_negotiate' registered
GENSEC backend 'krb5' registered
GENSEC backend 'fake_gssapi_krb5' registered
Error setting DNS entry of type 22: SRV _ldap._tcp.Default-First-Site-Name._sites.ad.iucn.nl dc2.ad.iucn.nl 389: (3221225653, '{Device Timeout} The specified I/O operation on %hs was not completed before the time-out period expired.')
Error setting DNS entry of type 32: SRV _ldap._tcp.Default-First-Site-Name._sites.dc._msdcs.ad.iucn.nl dc2.ad.iucn.nl 389: (3221225653, '{Device Timeout} The specified I/O operation on %hs was not completed before the time-out period expired.')
Error setting DNS entry of type 34: SRV _kerberos._tcp.Default-First-Site-Name._sites.ad.iucn.nl dc2.ad.iucn.nl 88: (3221225653, '{Device Timeout} The specified I/O operation on %hs was not completed before the time-out period expired.')
Error setting DNS entry of type 30: SRV _kerberos._tcp.Default-First-Site-Name._sites.dc._msdcs.ad.iucn.nl dc2.ad.iucn.nl 88: (3221225653, '{Device Timeout} The specified I/O operation on %hs was not completed before the time-out period expired.')
Failed update of 4 entries

Obviously there is something wrong with the dns updates on DC2. Any ideas?

Tom
Rowland Penny
2018-Oct-20 08:28 UTC
[Samba] AD RODC not being used because of missing DNS entries?
On Sat, 20 Oct 2018 00:06:40 +0200 (CEST) tomict via samba <samba at lists.samba.org> wrote:

> Thanks for the quick reply Rowland
>
> > Never ran an RODC (yet), but this all sounds like the problems that
> > used to occur when joining a second DC, try reading this:
> > https://wiki.samba.org/index.php/Verifying_and_Creating_a_DC_DNS_Record
>
> I checked this, both the A record and the objectGUID CNAME records
> exist for DC1 and DC2 on both servers.
>
> > You could try restarting Samba, there is a script 'samba_dnsupdate',
> > which uses a file 'dns_update list' to create missing dns entries.
> > The script is run at start up.
> >
> > Rowland
>
> I ran samba_dnsupdate manually on DC1 which runs fine. DC1 has all the
> records.
>
> However, on DC2 there are errors. DC2 lacks the records which makes
> sense considering the errors. When I run samba_dnsupdate with log
> level = 3:
>
> GENSEC backend 'gssapi_spnego' registered
> GENSEC backend 'gssapi_krb5' registered
> GENSEC backend 'gssapi_krb5_sasl' registered
> GENSEC backend 'spnego' registered
> GENSEC backend 'schannel' registered
> GENSEC backend 'naclrpc_as_system' registered
> GENSEC backend 'sasl-EXTERNAL' registered
> GENSEC backend 'ntlmssp' registered
> GENSEC backend 'ntlmssp_resume_ccache' registered
> GENSEC backend 'http_basic' registered
> GENSEC backend 'http_ntlm' registered
> GENSEC backend 'http_negotiate' registered
> GENSEC backend 'krb5' registered
> GENSEC backend 'fake_gssapi_krb5' registered
> Error setting DNS entry of type 22: SRV
> _ldap._tcp.Default-First-Site-Name._sites.ad.iucn.nl dc2.ad.iucn.nl
> 389: (3221225653, '{Device Timeout} The specified I/O operation on
> %hs was not completed before the time-out period expired.')
> Error setting DNS entry of type 32: SRV
> _ldap._tcp.Default-First-Site-Name._sites.dc._msdcs.ad.iucn.nl
> dc2.ad.iucn.nl 389: (3221225653, '{Device Timeout} The specified I/O
> operation on %hs was not completed before the time-out period
> expired.')
> Error setting DNS entry of type 34: SRV
> _kerberos._tcp.Default-First-Site-Name._sites.ad.iucn.nl
> dc2.ad.iucn.nl 88: (3221225653, '{Device Timeout} The specified I/O
> operation on %hs was not completed before the time-out period
> expired.')
> Error setting DNS entry of type 30: SRV
> _kerberos._tcp.Default-First-Site-Name._sites.dc._msdcs.ad.iucn.nl
> dc2.ad.iucn.nl 88: (3221225653, '{Device Timeout} The specified I/O
> operation on %hs was not completed before the time-out period
> expired.')
> Failed update of 4 entries
>
> Obviously there is something wrong with the dns updates on DC2. Any
> ideas?
>
> Tom

The problem is (as far as I understand it), you cannot write to an RODC, it forwards write actions to a writeable DC, which then replicates them back.

From the above, it is timing out, is there a firewall or similar in the way? Can you ping a DC from the RODC?

Rowland
tomict
2018-Oct-20 10:36 UTC
[Samba] AD RODC not being used because of missing DNS entries?
> > Obviously there is something wrong with the dns updates on DC2. Any
> > ideas?
> >
> > Tom
>
> The problem is (as far as I understand it), you cannot write to an
> RODC, it forwards write actions to a writeable DC, which then replicates
> them back.
> From the above, it is timing out, is there a firewall or similar in the
> way? Can you ping a DC from the RODC?
>
> Rowland

SELinux and Firewall were paused already, ping is ok. The read only constraint seems a likely candidate. Therefore, I updated the DNS on DC1 manually. However, some dns entries seem misplaced.

First set of commands gave problems:

samba-tool dns add DC1 ad.example.nl _ldap._tcp.Default-First-Site-Name._sites.dc._msdcs.ad.example.nl SRV 'DC2.ad.example.nl 389 0 100'
samba-tool dns add DC1 ad.example.nl _kerberos._tcp.Default-First-Site-Name._sites.dc._msdcs.ad.example.nl SRV 'DC2.ad.example.nl 88 0 100'

These commands were successful, records were added to the dns of DC1, and replicated to DC2. This can be checked in the DNS manager tool in Windows. However, there are problems:

- samba_dnsupdate on DC2 still complains about failing updates for these two, the "dc._msdcs." records. It apparently 'misses' them although it can not fix them because of the read only constraint.
- Queries for these records return only one value:

# host -t SRV _ldap._tcp.Default-First-Site-Name._sites.dc._msdcs.ad.example.nl
_ldap._tcp.Default-First-Site-Name._sites.dc._msdcs.ad.example.nl has SRV record 0 100 88 DC1.ad.example.nl.

I am confused about where in the DNS 'tree' in the windows dns manager these entries should be found. They seem to show up in the wrong place. There are two paths in the Windows DNS manager tree that look alike:

DNS > DC1 > Forward Lookup Zones > _msdcs.ad.example.nl > dc > _sites > Default-First-Site-Name > _tcp
DNS > DC1 > Forward Lookup Zones > ad.example.nl > _msdcs > dc > _sites > Default-First-Site-Name > _tcp

The first path is where the DC1 entries are, and where I would expect my new DC2 entries. The second path is where my DC2 entries show up. Is this correct/a bug?

Second set of commands (without problems):

samba-tool dns add DC1 ad.example.nl _ldap._tcp.Default-First-Site-Name._sites.ad.example.nl SRV 'DC2.ad.example.nl 389 0 100'
samba-tool dns add DC1 ad.example.nl _kerberos._tcp.Default-First-Site-Name._sites.ad.example.nl SRV 'DC2.ad.example.nl 88 0 100'

These commands were also successful, records were added to the dns of DC1, replicated to DC2, and present in the Windows DNS manager. The DC2 entries show up alongside the DC1 entries in the Windows DNS manager. SRV record queries for (_ldap/_kerberos)._tcp.Default-First-Site-Name._sites.ad.example.nl return values for both domain servers, on both DC's:

# host -t SRV _ldap._tcp.Default-First-Site-Name._sites.ad.example.nl
_ldap._tcp.Default-First-Site-Name._sites.ad.example.nl has SRV record 0 100 389 DC1.ad.example.nl.
_ldap._tcp.Default-First-Site-Name._sites.ad.example.nl has SRV record 0 100 389 DC2.ad.example.nl.

Tom
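The thread boils down to a verification problem: for every DC in a site, the four per-site SRV names that samba_dnsupdate reported must each resolve to that DC on the right service port, and a missing or misplaced record is only visible by querying each name and comparing. The script below is an added example (not from the thread, Tom, Rowland, or Samba) that does that comparison offline: it parses the text that `host -t SRV <name>` prints, builds the expected (target, port) set per name from a domain, site and DC list, and reports records that are absent or present on the wrong port, emitting `samba-tool dns add` commands in the same form Tom used for the ones that are missing. The record templates, the sample output (the `_ldap` lines reproduce the two queries quoted above, the `_kerberos` lines are constructed to match that state) and the function names are all assumptions of this example.

```python
"""Offline check of the per-site SRV records a Samba AD DC needs.

Added example, not part of the thread or of Samba itself. Assumptions:
  - the four names samba_dnsupdate reported as failing in the thread
    (_ldap/_kerberos under <site>._sites.<domain> and under
    <site>._sites.dc._msdcs.<domain>) are the ones worth verifying;
  - input is the text printed by `host -t SRV <name>` for each name.
"""
import re
from typing import Dict, List, Set, Tuple

Records = Dict[str, Set[Tuple[str, int]]]

# (name template, expected port) for the records the thread is about.
SRV_TEMPLATES: List[Tuple[str, int]] = [
    ("_ldap._tcp.{site}._sites.{domain}", 389),
    ("_ldap._tcp.{site}._sites.dc._msdcs.{domain}", 389),
    ("_kerberos._tcp.{site}._sites.{domain}", 88),
    ("_kerberos._tcp.{site}._sites.dc._msdcs.{domain}", 88),
]

# One line of `host -t SRV` output:
# "<name> has SRV record <prio> <weight> <port> <target>."
HOST_SRV_RE = re.compile(
    r"^(?P<name>\S+) has SRV record (?P<prio>\d+) (?P<weight>\d+) "
    r"(?P<port>\d+) (?P<target>\S+?)\.?$"
)


def parse_host_output(text: str) -> Records:
    """Map each queried name to the set of (target, port) pairs it resolved to."""
    records: Records = {}
    for line in text.splitlines():
        m = HOST_SRV_RE.match(line.strip())
        if not m:
            continue  # "has no SRV record", NXDOMAIN, blank line: nothing to add
        name = m.group("name").rstrip(".").lower()
        target = m.group("target").rstrip(".").lower()
        records.setdefault(name, set()).add((target, int(m.group("port"))))
    return records


def expected_records(domain: str, site: str, dcs: List[str]) -> Records:
    """Every DC in the site must appear under every template, on the service port."""
    return {
        tmpl.format(site=site, domain=domain).lower(): {(dc.lower(), port) for dc in dcs}
        for tmpl, port in SRV_TEMPLATES
    }


def find_problems(records: Records, domain: str, site: str, dcs: List[str]):
    """Return (missing, wrong_port).

    missing:    (name, target, port) entries absent from DNS
    wrong_port: (name, target, expected_port, found_port) entries that exist
                for the right host but on another port
    """
    missing: List[Tuple[str, str, int]] = []
    wrong_port: List[Tuple[str, str, int, int]] = []
    for name, wanted in expected_records(domain, site, dcs).items():
        have = records.get(name, set())
        for target, port in sorted(wanted):
            if (target, port) in have:
                continue
            found = sorted(p for t, p in have if t == target)
            if found:
                wrong_port.append((name, target, port, found[0]))
            else:
                missing.append((name, target, port))
    return missing, wrong_port


def fix_commands(missing, dns_server: str, zone: str) -> List[str]:
    """samba-tool invocations in the form used in the thread, one per missing record."""
    return [
        f"samba-tool dns add {dns_server} {zone} {name} SRV '{target} {port} 0 100'"
        for name, target, port in missing
    ]


# Constructed sample: the _ldap lines reproduce the two queries quoted in the
# thread; the _kerberos lines are made up to reflect the same state.
SAMPLE_HOST_OUTPUT = """\
_ldap._tcp.Default-First-Site-Name._sites.ad.example.nl has SRV record 0 100 389 DC1.ad.example.nl.
_ldap._tcp.Default-First-Site-Name._sites.ad.example.nl has SRV record 0 100 389 DC2.ad.example.nl.
_ldap._tcp.Default-First-Site-Name._sites.dc._msdcs.ad.example.nl has SRV record 0 100 88 DC1.ad.example.nl.
_kerberos._tcp.Default-First-Site-Name._sites.ad.example.nl has SRV record 0 100 88 DC1.ad.example.nl.
_kerberos._tcp.Default-First-Site-Name._sites.ad.example.nl has SRV record 0 100 88 DC2.ad.example.nl.
_kerberos._tcp.Default-First-Site-Name._sites.dc._msdcs.ad.example.nl has SRV record 0 100 88 DC1.ad.example.nl.
"""

if __name__ == "__main__":
    recs = parse_host_output(SAMPLE_HOST_OUTPUT)
    missing, wrong = find_problems(
        recs, "ad.example.nl", "Default-First-Site-Name",
        ["DC1.ad.example.nl", "DC2.ad.example.nl"],
    )
    for name, target, exp_port, got in wrong:
        print(f"WRONG PORT {name}: {target} answers on {got}, expected {exp_port}")
    for cmd in fix_commands(missing, "DC1", "ad.example.nl"):
        print("MISSING, add with:", cmd)
```

On the sample this reports the two `dc._msdcs` records DC2 lacks and, separately, that the `_ldap` entry under `dc._msdcs` for DC1 answers on 88 rather than 389, which is exactly the kind of discrepancy that is easy to miss when eyeballing the Windows DNS manager. To use it against a live domain, run `host -t SRV` for each name generated by `expected_records` and feed the concatenated output to `parse_host_output`.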