Rowland Penny
2018-Oct-20 13:53 UTC
[Samba] AD RODC not being used because of missing DNS entries?
On Sat, 20 Oct 2018 13:58:15 +0200 (CEST) tomict via samba <samba at lists.samba.org> wrote:

> > Just one thought, where does the nameserver on DC2 point ?
> > Is it to DC1 ?
> > or itself, DC2 ?
> >
> > If it is pointing to itself, try pointing it at DC1
> >
> > Rowland
>
> The Nameserver on DC2 points to the ip address of DC1
>
> Tom
>

OK, I have checked from Windows and my dns looks like this:

DC2-|
    |- Forward Lookup Zone
       |- samdom.example.com
       |  |- _sites
       |  |  |- Default-First-Site-Name
       |  |     |- _tcp
       |  |        |- _gc - dc1
       |  |        |- _gc - dc2
       |  |        |- _ldap - dc1
       |  |        |- _ldap - dc2
       |  |        |- _kerberos - dc1
       |  |        |- _kerberos - dc2
       |  |
       |  |- _tcp
       |  |  |- _gc - dc1
       |  |  |- _gc - dc2
       |  |  |- _kerberos - dc1
       |  |  |- _kerberos - dc2
       |  |  |- _kpasswd - dc1
       |  |  |- _kpasswd - dc2
       |  |  |- _ldap - dc1
       |  |  |- _ldap - dc2
       |  |  |- _ldaps - dc1
       |  |
       |  |- _udp
       |  |  |- _kerberos - dc1
       |  |  |- _kerberos - dc2
       |  |  |- _kpasswd - dc1
       |  |  |- _kpasswd - dc2
       |  |
       |  |- DomainDnsZones
       |  |  |- _sites
       |  |  |  |- Default-First-Site-Name
       |  |  |     |- _tcp
       |  |  |        |- _ldap - dc1
       |  |  |        |- _ldap - dc2
       |  |  |- _tcp
       |  |     |- _ldap - dc1
       |  |     |- _ldap - dc2
       |  |
       |  |- ForestDnsZones
       |     |- _sites
       |     |  |- Default-First-Site-Name
       |     |     |- _tcp
       |     |        |- _ldap - dc1
       |     |        |- _ldap - dc2
       |     |- _tcp
       |        |- _ldap - dc1
       |        |- _ldap - dc2
       |
       |- _msdcs.samdom.example.com
          |- dc
          |  |- _sites
          |  |  |- Default-First-Site-Name
          |  |     |- _tcp
          |  |        |- _kerberos - dc1
          |  |        |- _kerberos - dc2
          |  |        |- _ldap - dc1
          |  |        |- _ldap - dc2
          |  |
          |  |- _tcp
          |     |- _ldap - dc1
          |     |- _ldap - dc2
          |     |- _ldap - dc1
          |     |- _ldap - dc2
          |
          |- domains
          |  |- 39158xxx-xxxx-xxxx-xxx-xxxxxxxxxxx
          |     |- _tcp
          |        |- _ldap - dc1
          |        |- _ldap - dc2
          |
          |- gc
          |  |- _sites
          |  |  |- Default-First-Site-Name
          |  |     |- _tcp
          |  |        |- _ldap - dc1
          |  |        |- _ldap - dc2
          |  |
          |  |- _tcp
          |     |- _ldap - dc1
          |     |- _ldap - dc2
          |
          |- pdc
             |- _tcp
                |- _ldap - dc1
                |- _ldap - dc2

Rowland
tomict
2018-Oct-20 15:04 UTC
[Samba] AD RODC not being used because of missing DNS entries?
> OK, I have checked from Windows and my dns looks like this:
> DC2-|
>     |- Forward Lookup Zone
>        |- samdom.example.com

You have many more dc2 entries, I only have 4 from my manual additions. Your dns setup is the same as the setup that I had last year when testing with a second non-RODC Domain Controller.

BTW how did you make this tree view?

There seem to be two problems with my RODC DC2:
1) DNS records were not generated when joining the domain. This is perhaps caused by some kind of timeout problem. However, samba only complains about 4 records.
2) manual addition of the "_msdcs" records resulted in a wrong path (see below)

I only have DC2 in the following locations on DC1 and DC2, and these resulted from my manual addition:

DC2-|
    |- Forward Lookup Zone
       |- samdom.example.com
       |  |- _sites
       |  |  |- Default-First-Site-Name
       |  |     |- _tcp
       |  |        |- _gc - dc1
       |  |        |- _ldap - dc1
       |  |        |- _ldap - dc2
       |  |        |- _kerberos - dc1
       |  |        |- _kerberos - dc2

I also seem to have a path that you do not have, I think also from my manual addition. I suppose mine is wrong:

DC2-|
    |- Forward Lookup Zone
       |- samdom.example.com
       |  |- _msdcs
       |  |  |- dc
       |  |     |- _sites
       |  |        |- Default-First-Site-Name
       |  |           |- _tcp
       |  |              |- _ldap - dc2
       |  |              |- _kerberos - dc2

I tried:

# samba_updatedns --use-samba-tool --rpc-server-ip=ip.addr.of.dc1

but that resulted in 4 times:

ERROR(runtime): uncaught exception - (1383, 'WERR_INTERNAL_DB_ERROR')
  File "/usr/lib64/python2.7/site-packages/samba/netcmd/__init__.py", line 176, in _run
    return self.run(*args, **kwargs)
  File "/usr/lib64/python2.7/site-packages/samba/netcmd/dns.py", line 940, in run
    raise e

Tom

--
To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
Rowland Penny
2018-Oct-20 15:39 UTC
[Samba] AD RODC not being used because of missing DNS entries?
On Sat, 20 Oct 2018 17:04:20 +0200 (CEST) tomict via samba <samba at lists.samba.org> wrote:

> > OK, I have checked from Windows and my dns looks like this:
> > DC2-|
> >     |- Forward Lookup Zone
> >        |- samdom.example.com
>
> You have many more dc2 entries, I only have 4 from my manual
> additions. Your dns setup is the same as the setup that I had last
> year when testing with a second non-RODC Domain Controller.
>
> BTW how did you make this tree view?

I have lots of time, so I typed it ;-)

> There seem to be two problems with my RODC DC2:
> 1) DNS records were not generated when joining the domain. This is
> perhaps caused by some kind of timeout problem.

Not sure about this, but you could be correct.

> However samba only complains about 4 records
> 2) manual addition of the "_msdcs" records resulted in a wrong path
> (see below)

The 'wrong path' is because you gave it the wrong path ;-)

If you run 'samba-tool dns zonelist 127.0.0.1 -U Administrator' it will show your DNS zones, one of which should start with '_msdcs'.

So, your commands:

samba-tool dns add DC1 ad.example.nl _ldap._tcp.Default-First-Site-Name._sites.dc._msdcs.ad.example.nl SRV 'DC2.ad.example.nl 389 0 100'
samba-tool dns add DC1 ad.example.nl _kerberos._tcp.Default-First-Site-Name._sites.dc._msdcs.ad.example.nl SRV 'DC2.ad.example.nl 88 0 100'

Should have been:

samba-tool dns add DC1 _msdcs.ad.example.nl _ldap._tcp.Default-First-Site-Name._sites.dc._msdcs.ad.example.nl SRV 'DC2.ad.example.nl 389 0 100'
samba-tool dns add DC1 _msdcs.ad.example.nl _kerberos._tcp.Default-First-Site-Name._sites.dc._msdcs.ad.example.nl SRV 'DC2.ad.example.nl 88 0 100'

Delete the wrong entries.

Rowland
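As an added example (not code from the thread or from Samba), the script below generates the SRV names shown in Rowland's tree view for a second DC and the matching 'samba-tool dns add' lines, choosing the zone the way his correction does: names under _msdcs.<domain> go into the separate '_msdcs.<domain>' zone. The server and host names are placeholders taken from the thread, and the rodc flag (which drops the pdc entry) is my own addition.

```python
# Added example, not code from the thread or from Samba: build the SRV
# names a Samba AD DC is expected to own (taken from the tree view posted
# above) and the matching 'samba-tool dns add' lines, picking the zone the
# way Rowland's correction does: anything under _msdcs.<domain> goes into
# the separate '_msdcs.<domain>' zone, everything else into '<domain>'.

def zone_for(record, domain):
    """Return the DNS zone a record FQDN must be added to."""
    msdcs = "_msdcs." + domain
    return msdcs if record.endswith("." + msdcs) else domain

def port_for(record):
    """Service port for an SRV name; gc-tree _ldap entries use the GC port."""
    if record.startswith("_gc.") or ".gc._msdcs." in record:
        return 3268
    return {"_ldap": 389, "_kerberos": 88, "_kpasswd": 464}[record.split(".")[0]]

def expected_srv_records(domain, site="Default-First-Site-Name", rodc=False):
    """SRV names from the thread's tree view (the domains/<GUID> entry is
    left out because the GUID is specific to each domain)."""
    names = []
    for proto, svcs in (("_tcp", ("_ldap", "_kerberos", "_kpasswd", "_gc")),
                        ("_udp", ("_kerberos", "_kpasswd"))):
        names += ["%s.%s.%s" % (s, proto, domain) for s in svcs]
    for s in ("_ldap", "_kerberos", "_gc"):
        names.append("%s._tcp.%s._sites.%s" % (s, site, domain))
    for role in ("dc", "gc"):
        names.append("_ldap._tcp.%s._msdcs.%s" % (role, domain))
        names.append("_ldap._tcp.%s._sites.%s._msdcs.%s" % (site, role, domain))
    names.append("_kerberos._tcp.dc._msdcs.%s" % domain)
    names.append("_kerberos._tcp.%s._sites.dc._msdcs.%s" % (site, domain))
    if not rodc:  # the pdc entry names the PDC emulator; an RODC never holds it
        names.append("_ldap._tcp.pdc._msdcs.%s" % domain)
    return names

def samba_tool_add(dns_server, domain, record, target, port,
                   priority=0, weight=100):
    """One 'samba-tool dns add' line in the form used in the thread."""
    return "samba-tool dns add %s %s %s SRV '%s %d %d %d'" % (
        dns_server, zone_for(record, domain), record, target, port, priority, weight)

def add_commands(dns_server, domain, target, rodc=False):
    """All add lines needed to register 'target' (e.g. DC2.ad.example.nl)."""
    return [samba_tool_add(dns_server, domain, r, target, port_for(r))
            for r in expected_srv_records(domain, rodc=rodc)]

if __name__ == "__main__":
    # Placeholder names from the thread; run this on a DC as an admin to review
    for line in add_commands("DC1", "ad.example.nl", "DC2.ad.example.nl", rodc=True):
        print(line)
```

Compare the generated names against 'samba-tool dns query' output on each DC before adding anything, so only the records that are really missing get created.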