Thank you everyone for your help. I corrected my resolv.conf files as Peter
Milesson suggested and then had to take a number of extra steps so now
things are looking a little better. In case it helps anyone else in the
future, here's what I found (plus I am now having problems resolving
internal addresses).
As far as I can see, the setup on both servers is identical (except they
use their own IP addresses).
But DC01 can contact the big bad outside world while DC02 cannot.
One thing I did find: there were incorrect permissions on
/var/lib/samba/bind-dns/ on DC02 meaning that dns.keytab was empty.
I fixed the permissions on the folder using the steps in here
https://wiki.samba.org/index.php/BIND9_DLZ_DNS_Back_End and restarted both
bind9 and named and the problem got a little better, but still no actual
contact with the outside world. Before fixing the permissions I got:
itadmin@dc02:$ nslookup twitter.com
;; connection timed out; no servers could be reached
Now I get:
itadmin@dc02:/var/lib/samba$ nslookup twitter.com
Server: 192.168.4.6
Address: 192.168.4.6#53
** server can't find twitter.com: SERVFAIL
so I ran named-checkconf and found that it still couldn't read
/var/lib/samba/bind-dns/named.conf
I fixed that by applying the same permissions I gave to the folder and I
can now resolve external names!
itadmin@dc02:/var/lib/samba$ nslookup twitter.com
Server: 192.168.4.6
Address: 192.168.4.6#53
Non-authoritative answer:
Name: twitter.com
Address: 104.244.42.65
Name: twitter.com
Address: 104.244.42.193
... at least, I could for about 90 seconds. Then, without me changing
anything, it failed again and I'm back to getting the SERVFAIL message.
The dns.keytab file still seems to be empty.
So I re-ran samba_upgradedns --dns-backend=BIND9_DLZ
Which wrote information to the dns.keytab file, but rewrote
/var/lib/samba/bind-dns/named.conf to comment out everything, so I edited
that to uncomment the bind 9.12 line.
Now I'm talking to the outside world again!
HOWEVER... I can't resolve the name of the fileserver I built yesterday
(from either dc01 or dc02). I CAN find it from the Windows clients I have
joined to the domain, though (both with ping and through the Windows file
manager by entering \\fs01 into the search bar). Which is weird.
itadmin@dc02:/$ ping fs01
ping: fs01: Temporary failure in name resolution
so now I'm stuck again.... but it's getting better!
On Sun, Sep 6, 2020 at 12:31 AM Peter Milesson via samba <samba at lists.samba.org> wrote:
> Hi Peter,
>
> As Rowland pointed out in a previous post to you "Each DC should use its
> own ipaddress for its nameserver in /etc/resolv.conf", so the gateway IP
> should not be there.
>
> So make /etc/resolv.conf on DC01
> nameserver 192.168.4.5
> search internal.kcs
>
> and /etc/resolv.conf on DC02
> nameserver 192.168.4.6
> search internal.kcs
>
> If you use the internal dns backend add the following to your [global]
> section in /etc/samba/smb.conf on both DC01 and DC02
>
> dns forwarder = <public DNS server IP-address>
>
> If you use the bind dns backend make sure that the forwarders option
> contains the IP-address(es) of your public DNS server(s). In that case,
> the dns forwarder parameter must not exist in /etc/samba/smb.conf
>
> Hope it helps
>
> Best regards,
>
> Peter
>
> On 2020-09-05 23:02, Peter Pollock via samba wrote:
> > To get the question of why new servers, this one I'm using has hardware
> > whose remaining life is measured in days. The elastic bands and sticky
> > tape it is held together with won't hold for much longer. I'm using it to
> > build and test a new environment, but then I need to migrate that onto
> > something with a little more vitality before bringing it into production
> > (in the next 56 hours).
> >
> > As for DNS. I ALWAYS had the problem with my Zentyal boxes that if the
> > one I built first went down, the others didn't know what to do with
> > their lives. The same is true on these ones I've built today.
> >
> > DC01 has IP 192.168.4.5
> > DC02 has IP 192.168.4.6
> > The gateway is at 192.168.4.1
> >
> > If I set /etc/resolv.conf to
> > nameserver 192.168.4.6
> > nameserver 192.168.4.1
> > search internal.kcs
> >
> > I get no internal or external name resolution. Trying to ping anything
> > gives me:
> > ping: google.com: Temporary failure in name resolution
> >
> > Dig gives me this error:
> >
> > itadmin@dc02:~$ dig dc01.internal.kcs
> >
> > ; <<>> DiG 9.16.1-Ubuntu <<>> dc01.internal.kcs
> > ;; global options: +cmd
> > ;; connection timed out; no servers could be reached
> >
> >
> > Digging from DC01 works fine though
> >
> > itadmin@dc01:/$ dig dc02.internal.kcs
> >
> > ; <<>> DiG 9.16.1-Ubuntu <<>> dc02.internal.kcs
> > ;; global options: +cmd
> > ;; Got answer:
> > ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 14095
> > ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
> >
> > ;; OPT PSEUDOSECTION:
> > ; EDNS: version: 0, flags:; udp: 4096
> > ; COOKIE: 4375a2de0dc15f30010000005f53fc6edecede8d59738b72 (good)
> > ;; QUESTION SECTION:
> > ;dc02.internal.kcs. IN A
> >
> > ;; ANSWER SECTION:
> > dc02.internal.kcs. 900 IN A 192.168.4.6
> >
> > ;; Query time: 4 msec
> > ;; SERVER: 192.168.4.5#53(192.168.4.5)
> > ;; WHEN: Sat Sep 05 14:00:30 PDT 2020
> > ;; MSG SIZE rcvd: 90
> >
> > and all my troubles go away if I change resolv.conf to have nameserver
> > 192.168.4.5 at the top
> >
> >
> > On Sat, Sep 5, 2020 at 10:26 AM Rowland penny via samba <samba at lists.samba.org> wrote:
> >
> >> On 05/09/2020 17:54, Peter Pollock via samba wrote:
> >>> Please forgive me, I'm not sure what terminology to use here so this
> >>> question may sound wrong.
> >>>
> >>> I have built two samba servers with a new domain. They replicate
> >>> happily and I can seem to do everything I could ever want on them.
> >>>
> >>> DC01 holds all the FSMO roles and, as the first one built, acts as the
> >>> "master" for DNS. Nothing works well on either server if DC01 is not at
> >>> the top of the hosts file.
> >> Both DC's are dns masters, it is known as multi-master. Each DC should
> >> use its own ipaddress for its nameserver in /etc/resolv.conf, so
> >> something is wrong if it doesn't work.
> >>> But this is in a temporary environment and what I'd like to do is build
> >>> two production servers, connect them to this AD domain, get them working
> >>> and then have them take over all the FSMO roles and for one of them to
> >>> become the master for DNS so that I can switch off these two test
> >>> servers I have built.
> >> No, you lost me there, you will have two good DC's and you will add
> >> another two good DC's and then turn off the first two, why ?
> >>> My question is, what do I have to do to make another server the
> >>> "master"? is it just transferring the FSMO roles or is there something
> >>> else (apart from updating the host files on all the live servers)?
> >> There is no concept of a 'master' in AD, all DC's are equal except for
> >> the FSMO roles and they can be on any DC, in fact, if you had seven
> >> DC's, you could have an FSMO role on each. You can transfer all the
> >> roles to any DC, but it wouldn't make it the 'master', because there is
> >> no master.
> >>
> >> Rowland
> >>
> >>
> >>
> >> --
> >> To unsubscribe from this list go to the following URL and read the
> >> instructions: https://lists.samba.org/mailman/options/samba
> >>
>
>
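The thread settles on four conditions for a Samba AD DC running the BIND9_DLZ backend: each DC's /etc/resolv.conf lists the DC's own address first (not the gateway), `dns forwarder` is absent from smb.conf when BIND is the backend, /var/lib/samba/bind-dns/dns.keytab is non-empty and readable by named, and bind-dns/named.conf has exactly one uncommented `database "dlopen .../dlz_bind9_XX.so"` line for the installed BIND release. Below is an added pre-flight script that checks those conditions; it is not code from this thread or from the Samba project. The paths, the `DC_IP`/`AD_DOMAIN`/`CHECK_HOST`/`BIND_USER` variables, the `bind` user name and the example.com forwarding probe are assumptions for this example, and the live checks only run when `DC_IP` is set so the file-level checks can be exercised on their own.

```shell
#!/bin/sh
# Added example (not from the thread or the Samba project): pre-flight checks
# for a Samba AD DC using the BIND9_DLZ backend. Defaults below are assumptions.
SAMBA_DNS_DIR="${SAMBA_DNS_DIR:-/var/lib/samba/bind-dns}"
SMB_CONF="${SMB_CONF:-/etc/samba/smb.conf}"
RESOLV_CONF="${RESOLV_CONF:-/etc/resolv.conf}"
BIND_USER="${BIND_USER:-bind}"   # assumed: the user named runs as on Debian/Ubuntu

# 1. The first nameserver in resolv.conf must be this DC's own address.
#    In the thread DC02 listed 192.168.4.6 *and* the gateway 192.168.4.1.
check_resolv_conf() {            # $1 = resolv.conf path, $2 = this DC's own IP
    first=$(awk '$1 == "nameserver" { print $2; exit }' "$1")
    [ "$first" = "$2" ]
}

# 2. With BIND9_DLZ, 'dns forwarder' must not be set in smb.conf; public
#    resolvers go in named's options { forwarders { ... }; } block instead.
check_no_dns_forwarder() {       # $1 = smb.conf path
    ! grep -Eiq '^[[:space:]]*dns[[:space:]]+forwarder[[:space:]]*=' "$1"
}

# 3. dns.keytab must be non-empty; samba_upgradedns --dns-backend=BIND9_DLZ
#    (re)creates it. The thread shows SERVFAIL across the board while it was
#    empty or unreadable by named.
check_keytab() {                 # $1 = dns.keytab path
    [ -s "$1" ]
}

# 4. bind-dns/named.conf carries one 'database "dlopen .../dlz_bind9_XX.so"'
#    line per supported BIND release, all commented out except the one that
#    matches the installed BIND. Exactly one must be uncommented; after
#    samba_upgradedns the thread's author found all of them commented out.
count_enabled_dlz_modules() {    # $1 = bind-dns/named.conf path; prints a count
    grep -Ec '^[[:space:]]*database[[:space:]]+"dlopen' "$1" || true
}

# Live checks: need a running DC and root; run only when DC_IP is exported.
run_checks() {                   # $1 = this DC's IP, $2 = AD DNS domain
    rc=0
    check_resolv_conf "$RESOLV_CONF" "$1" \
        || { echo "FAIL: first nameserver in $RESOLV_CONF is not $1"; rc=1; }
    check_no_dns_forwarder "$SMB_CONF" \
        || { echo "FAIL: remove 'dns forwarder' from $SMB_CONF"; rc=1; }
    check_keytab "$SAMBA_DNS_DIR/dns.keytab" \
        || { echo "FAIL: $SAMBA_DNS_DIR/dns.keytab is empty or missing"; rc=1; }
    n=$(count_enabled_dlz_modules "$SAMBA_DNS_DIR/named.conf")
    [ "$n" -eq 1 ] \
        || { echo "FAIL: $n dlz module lines enabled in $SAMBA_DNS_DIR/named.conf (want 1)"; rc=1; }
    # Run named-checkconf as the bind user: as root it may pass even when
    # named itself cannot read bind-dns/named.conf (the thread's permission bug).
    sudo -u "$BIND_USER" named-checkconf \
        || { echo "FAIL: named-checkconf as $BIND_USER"; rc=1; }
    # Authoritative lookup of this DC and a forwarded lookup, via this DC only.
    dig +short @"$1" "$(hostname -s).$2" A | grep -q . \
        || { echo "FAIL: no A record for this DC in $2"; rc=1; }
    dig +short @"$1" example.com A | grep -q . \
        || { echo "FAIL: forwarding to the outside world is broken"; rc=1; }
    # Optional: a host (e.g. fs01) that Windows clients find but the DCs do not
    # usually has no A record in the AD zone at all; Windows falls back to
    # NetBIOS/LLMNR for single-label names, the DCs do not.
    if [ -n "${CHECK_HOST:-}" ]; then
        dig +short @"$1" "$CHECK_HOST.$2" A | grep -q . \
            || { echo "FAIL: $CHECK_HOST has no A record in $2"; rc=1; }
    fi
    return $rc
}

if [ -n "${DC_IP:-}" ]; then
    run_checks "$DC_IP" "${AD_DOMAIN:-internal.kcs}"
fi
```

Run it as root on each DC, e.g. `DC_IP=192.168.4.6 AD_DOMAIN=internal.kcs CHECK_HOST=fs01 sh dc-dns-check.sh` on DC02. Every query is sent with `@<own IP>` so a failure is attributable to that DC rather than to whichever resolver the stub picked; if `CHECK_HOST` fails while Windows clients still reach the host, add the record with `samba-tool dns add` rather than touching resolv.conf again.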