Hi!

I wrote here 2 weeks ago with a problem with the DC's SPN record for LDAP. We found a strange value for userAccountControl for my DC. And this problem was solved by migrating to a new DC: adding a new DC, moving the FSMO roles and demoting the old one. Unfortunately the online method did not work, I did it with the old DC stopped.

After these actions some services work faster and better. But I have one very strange problem. I will describe my configuration before the problem.

On all servers the OS is FreeBSD 12.2 and the filesystem is ZFS. Samba 4.13.14 runs in a jail with Bind 9.16.23 as backend. Also I have Bind 9.16.23 on another server, which works as a secondary DNS. The secondary Bind gets zones from the DC by transfer with a TSIG key. Also, I have several subnetworks (loopback and 3 others) that the DC listens on.

I have strange behaviour of Bind on the new DC.

When I set in resolv.conf of the new DC another DNS server, for example the old DC or the secondary Bind, all works fine. The new DC successfully resolves any records by nslookup or host commands from itself or from another host.

When I set in resolv.conf of the new DC localhost or its own internal IP, Bind periodically freezes with the following regularity:

- Bind stops replying to requests for ~5 minutes. After that it starts working without a service restart and freezes again.
- In the daytime (when employees are in the office), it freezes after less than 1 minute of work; at night, after 10-15 minutes.
- If I change resolv.conf from the secondary Bind to the internal IP, then there is no need to restart Bind or Samba to start or stop the periodic freezing. Just change the nameserver record and wait. If it was frozen when resolv.conf was changed, then it will stay in the frozen state ~5 minutes after the start of the freeze and afterwards will work fine.
- If I change resolv.conf from the secondary Bind to loopback, then I NEED to restart Bind to start or stop the freezing.
- When Bind freezes, the service doesn't stop by a command and isn't killed by default; only kill -9 works.
- Internal Samba DNS works fine and doesn't freeze when resolv.conf points to localhost.
- Sometimes Bind doesn't freeze for all subnetworks. It can freeze for localhost and 2 subnetworks. In the last subnetwork the DC's Bind can successfully resolve any records from any subnetwork. But I saw this situation only once and can't repeat it for now.
- No special Bind log records with "debug 50" at the time of or before the freezing. It freezes after any messages. And I see all these messages in the log when Bind works without freezing.
- I tried to run bind with logging to the terminal, but didn't see any additional information when it freezes. The terminal logs the same as the log files.
- rndc freezes also.
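The report above is about a resolver that stops answering for a few minutes at a time, and on some listening addresses but not others. A small probe that polls each listening address independently and records when the stalls begin and end gives the timeline that the BIND logs did not. The script below is an added example written for this thread, not code from the poster or the Samba project; the server addresses and the queried name are assumed placeholders passed on the command line. It builds a raw DNS query itself so it does not depend on the host's own resolv.conf, which is exactly the setting being changed during the experiment.

```python
"""Poll one or more DNS servers with raw UDP queries and record stall intervals.

Usage (addresses and name are assumed placeholders, not values from the thread):
    python dns_stall_probe.py dc1.example.internal. 127.0.0.1 10.0.0.5
Stop with Ctrl-C to print the stall intervals seen per server.
"""
import socket
import struct
import sys
import time
from datetime import datetime
from typing import Dict, List, Optional, Tuple


def build_query(name: str, qid: int = 0x1234, qtype: int = 1) -> bytes:
    """Build a minimal DNS query (recursion desired) for `name`, class IN.

    qtype 1 is an A record. The header is ID, flags, QDCOUNT=1, AN/NS/AR=0.
    """
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(
        struct.pack("B", len(label)) + label.encode("ascii")
        for label in name.rstrip(".").split(".")
    ) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)


def parse_header(data: bytes) -> dict:
    """Decode the 12-byte DNS header of a response into a small dict."""
    if len(data) < 12:
        raise ValueError("short packet")
    qid, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    return {
        "id": qid,
        "is_response": bool(flags & 0x8000),
        "rcode": flags & 0x000F,   # 0 = NOERROR, 2 = SERVFAIL, 3 = NXDOMAIN
        "answers": an,
    }


def probe_once(server: str, name: str, timeout: float = 2.0,
               port: int = 53) -> Optional[float]:
    """Send one query; return round-trip time in seconds, or None on timeout."""
    qid = int(time.time() * 1000) & 0xFFFF
    query = build_query(name, qid)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        start = time.monotonic()
        s.sendto(query, (server, port))
        try:
            data, _ = s.recvfrom(512)
        except socket.timeout:
            return None
    hdr = parse_header(data)
    # A reply with a foreign ID or without the QR bit is not an answer to us.
    if hdr["id"] != qid or not hdr["is_response"]:
        return None
    return time.monotonic() - start


def track_stalls(samples: List[Tuple[float, Optional[float]]]
                 ) -> List[Tuple[float, float]]:
    """Turn (timestamp, rtt-or-None) samples into (stall_start, stall_end) pairs.

    A stall starts at the first timeout and ends at the first later answer.
    A stall still open at the last sample is closed at that sample's time.
    """
    intervals: List[Tuple[float, float]] = []
    stall_start: Optional[float] = None
    for ts, rtt in samples:
        if rtt is None and stall_start is None:
            stall_start = ts
        elif rtt is not None and stall_start is not None:
            intervals.append((stall_start, ts))
            stall_start = None
    if stall_start is not None and samples:
        intervals.append((stall_start, samples[-1][0]))
    return intervals


if __name__ == "__main__":
    name = sys.argv[1] if len(sys.argv) > 1 else "dc1.example.internal."
    servers = sys.argv[2:] or ["127.0.0.1"]      # assumed: the DC's own addresses
    history: Dict[str, List[Tuple[float, Optional[float]]]] = {s: [] for s in servers}
    try:
        while True:
            for server in servers:
                ts = time.time()
                rtt = probe_once(server, name)
                history[server].append((ts, rtt))
                stamp = datetime.fromtimestamp(ts).strftime("%H:%M:%S")
                status = "TIMEOUT" if rtt is None else f"{rtt * 1000:.1f} ms"
                print(f"{stamp} {server:<15} {status}")
            time.sleep(5)
    except KeyboardInterrupt:
        for server, samples in history.items():
            for start, end in track_stalls(samples):
                print(f"{server}: stalled {datetime.fromtimestamp(start):%H:%M:%S}"
                      f" -> {datetime.fromtimestamp(end):%H:%M:%S} ({end - start:.0f}s)")
```

Running it against every address the DC listens on (loopback plus each subnet address) while switching resolv.conf between the secondary server and the DC itself shows whether the stall is global or per-interface, how long each stall really lasts, and whether the ~5 minute pattern lines up with the resolv.conf change. Because the queries bypass the libc resolver, a stall reported here is the server not answering, not the host's own resolver configuration.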
I forgot to add that the config of the new DC's jail, zfs, named and samba is fully the same as the old DC and very similar to several other of my samba DCs. I tried to switch to Internal DNS and back. I also tried to disable all Bind options that are not referred to in the samba wiki. I do not understand where else I can find some information on what is wrong here.

02.12.2021 6:32, Nikita Druba via samba wrote:
> Hi!
>
> I wrote here 2 weeks ago with a problem with the DC's SPN record for LDAP. We found a strange value for userAccountControl for my DC. And this problem was solved by migrating to a new DC: adding a new DC, moving the FSMO roles and demoting the old one. Unfortunately the online method did not work, I did it with the old DC stopped.
>
> After these actions some services work faster and better. But I have one very strange problem. I will describe my configuration before the problem.
>
> On all servers the OS is FreeBSD 12.2 and the filesystem is ZFS. Samba 4.13.14 runs in a jail with Bind 9.16.23 as backend. Also I have Bind 9.16.23 on another server, which works as a secondary DNS. The secondary Bind gets zones from the DC by transfer with a TSIG key. Also, I have several subnetworks (loopback and 3 others) that the DC listens on.
>
> I have strange behaviour of Bind on the new DC.
>
> When I set in resolv.conf of the new DC another DNS server, for example the old DC or the secondary Bind, all works fine. The new DC successfully resolves any records by nslookup or host commands from itself or from another host.
>
> When I set in resolv.conf of the new DC localhost or its own internal IP, Bind periodically freezes with the following regularity:
>
> - Bind stops replying to requests for ~5 minutes. After that it starts working without a service restart and freezes again.
>
> - In the daytime (when employees are in the office), it freezes after less than 1 minute of work; at night, after 10-15 minutes.
>
> - If I change resolv.conf from the secondary Bind to the internal IP, then there is no need to restart Bind or Samba to start or stop the periodic freezing. Just change the nameserver record and wait. If it was frozen when resolv.conf was changed, then it will stay in the frozen state ~5 minutes after the start of the freeze and afterwards will work fine.
>
> - If I change resolv.conf from the secondary Bind to loopback, then I NEED to restart Bind to start or stop the freezing.
>
> - When Bind freezes, the service doesn't stop by a command and isn't killed by default; only kill -9 works.
>
> - Internal Samba DNS works fine and doesn't freeze when resolv.conf points to localhost.
>
> - Sometimes Bind doesn't freeze for all subnetworks. It can freeze for localhost and 2 subnetworks. In the last subnetwork the DC's Bind can successfully resolve any records from any subnetwork. But I saw this situation only once and can't repeat it for now.
>
> - No special Bind log records with "debug 50" at the time of or before the freezing. It freezes after any messages. And I see all these messages in the log when Bind works without freezing.
>
> - I tried to run bind with logging to the terminal, but didn't see any additional information when it freezes. The terminal logs the same as the log files.
>
> - rndc freezes also.
On Thu, 2021-12-02 at 06:32 +0100, Nikita Druba via samba wrote:
> Hi!
>
> I wrote here 2 weeks ago with a problem with the DC's SPN record for LDAP. We found a strange value for userAccountControl for my DC. And this problem was solved by migrating to a new DC: adding a new DC, moving the FSMO roles and demoting the old one. Unfortunately the online method did not work, I did it with the old DC stopped.

How did you manage to join a new DC to a presumably stopped domain ?

> After these actions some services work faster and better. But I have one very strange problem. I will describe my configuration before the problem.
>
> On all servers the OS is FreeBSD 12.2 and the filesystem is ZFS.

Well that is a configuration that is known to be problematical, FreeBSD and ZFS.

> Samba 4.13.14 runs in a jail with Bind 9.16.23 as backend.

Don't think running a Samba AD DC in a jail is going to work.

> Also I have Bind 9.16.23 on another server, which works as a secondary DNS.

Does your 'secondary' bind9 server forward the AD dns domain requests to a Samba AD DC ?

> The secondary Bind gets zones from the DC by transfer with a TSIG key. Also, I have several subnetworks (loopback and 3 others) that the DC listens on.
>
> I have strange behaviour of Bind on the new DC.
>
> When I set in resolv.conf of the new DC another DNS server, for example the old DC or the secondary Bind, all works fine. The new DC successfully resolves any records by nslookup or host commands from itself or from another host.
>
> When I set in resolv.conf of the new DC localhost or its own internal IP, Bind periodically freezes with the following regularity:
>
> - Bind stops replying to requests for ~5 minutes. After that it starts working without a service restart and freezes again.
>
> - In the daytime (when employees are in the office), it freezes after less than 1 minute of work; at night, after 10-15 minutes.
>
> - If I change resolv.conf from the secondary Bind to the internal IP, then there is no need to restart Bind or Samba to start or stop the periodic freezing. Just change the nameserver record and wait. If it was frozen when resolv.conf was changed, then it will stay in the frozen state ~5 minutes after the start of the freeze and afterwards will work fine.
>
> - If I change resolv.conf from the secondary Bind to loopback, then I NEED to restart Bind to start or stop the freezing.
>
> - When Bind freezes, the service doesn't stop by a command and isn't killed by default; only kill -9 works.
>
> - Internal Samba DNS works fine and doesn't freeze when resolv.conf points to localhost.
>
> - Sometimes Bind doesn't freeze for all subnetworks. It can freeze for localhost and 2 subnetworks. In the last subnetwork the DC's Bind can successfully resolve any records from any subnetwork. But I saw this situation only once and can't repeat it for now.
>
> - No special Bind log records with "debug 50" at the time of or before the freezing. It freezes after any messages. And I see all these messages in the log when Bind works without freezing.
>
> - I tried to run bind with logging to the terminal, but didn't see any additional information when it freezes. The terminal logs the same as the log files.
>
> - rndc freezes also.

You shouldn't be using rndc.

Let's be honest here, you seem to be doing everything that I wouldn't recommend:

I wouldn't recommend using FreeBSD in production
I wouldn't recommend using ZFS in production
I wouldn't recommend using a separate Bind9 server, unless it forwards all AD dns to an AD DC.

Rowland