On 19/02/2021 18:58, Dale via samba wrote:
> (1) I've had very little success in getting a 2nd DC to take over when
> the 1st DC is down.  While searching for possible causes, I discovered
> in RSAT that the reverse zone has only the 1st DC listed on the
> nameserver tab of both DC's, unlike the forward zone, where both are
> listed.  Additionally RSAT does not allow me to add the 2nd DC to the
> nameserver tab, instead yielding a "Validation error, please try again
> later" error message.  I assume there is a corresponding samba-tool
> command to accomplish this, but I have not been able to find it.
It should have both:
root@dc4:~# ldbsearch --cross-ncs --show-binary -H /var/lib/samba/private/sam.ldb -b 'DC=0.168.192.in-addr.arpa,CN=MicrosoftDNS,DC=DomainDnsZones,DC=samdom,DC=example,DC=com' -s sub '(&(objectClass=dnsNode)(name=@))'
# record 1
dn: DC=@,DC=0.168.192.in-addr.arpa,CN=MicrosoftDNS,DC=DomainDnsZones,DC=samdom,DC=example,DC=com
objectClass: top
objectClass: dnsNode
instanceType: 4
whenCreated: 20190726140900.0Z
uSNCreated: 594342
showInAdvancedViewOnly: TRUE
name: @
objectGUID: 89654d6c-f05b-4fd2-9c80-5640d465cbfe
objectCategory: CN=Dns-Node,CN=Schema,CN=Configuration,DC=samdom,DC=example,DC=com
dc: @
dnsRecord:     NDR: struct dnsp_DnssrvRpcRecord
        wDataLength              : 0x004f (79)
        wType                    : DNS_TYPE_SOA (6)
        version                  : 0x05 (5)
        rank                     : DNS_RANK_ZONE (240)
        flags                    : 0x0000 (0)
        dwSerial                 : 0x00036bab (224171)
        dwTtlSeconds             : 0x00000e10 (3600)
        dwReserved               : 0x00000000 (0)
        dwTimeStamp              : 0x00000000 (0)
        data                     : union dnsRecordData(case 6)
        soa: struct dnsp_soa
            serial                   : 0x00036bab (224171)
            refresh                  : 0x00000384 (900)
            retry                    : 0x00000258 (600)
            expire                   : 0x00015180 (86400)
            minimum                  : 0x00000e10 (3600)
            mname                    : dc4.samdom.example.com
            rname                    : hostmaster.samdom.example.com
dnsRecord:     NDR: struct dnsp_DnssrvRpcRecord
        wDataLength              : 0x001a (26)
        wType                    : DNS_TYPE_NS (2)
        version                  : 0x05 (5)
        rank                     : DNS_RANK_ZONE (240)
        flags                    : 0x0000 (0)
        dwSerial                 : 0x0000006e (110)
        dwTtlSeconds             : 0x00000e10 (3600)
        dwReserved               : 0x00000000 (0)
        dwTimeStamp              : 0x00000000 (0)
        data                     : union dnsRecordData(case 2)
        ns                       : dc4.samdom.example.com
dnsRecord:     NDR: struct dnsp_DnssrvRpcRecord
        wDataLength              : 0x001b (27)
        wType                    : DNS_TYPE_NS (2)
        version                  : 0x05 (5)
        rank                     : DNS_RANK_ZONE (240)
        flags                    : 0x0000 (0)
        dwSerial                 : 0x00036b34 (224052)
        dwTtlSeconds             : 0x00000384 (900)
        dwReserved               : 0x00000000 (0)
        dwTimeStamp              : 0x00000000 (0)
        data                     : union dnsRecordData(case 2)
        ns                       : dc01.samdom.example.com
whenChanged: 20210210114634.0Z
uSNChanged: 1518469
distinguishedName: DC=@,DC=0.168.192.in-addr.arpa,CN=MicrosoftDNS,DC=DomainDnsZones,DC=samdom,DC=example,DC=com
>
> (2)  Also, I seem to recall it being stated on this list that in AD,
> each DC was supposed to be the SOA of its DNS records.  For me, the
> SOA of both the forward and reverse zones on the 2nd DC is still the
> first DC, just like a non-AD BIND9 server.  I'm just asking for
> clarification of what the correct value should be for the SOA on each DC.
>
Yes, both DCs should show as being authoritative:
root@dc01:~# host -t soa samdom.example.com
samdom.example.com has SOA record dc01.samdom.example.com. hostmaster.samdom.example.com. 245335 900 600 86400 3600
root@dc4:~# host -t soa samdom.example.com
samdom.example.com has SOA record dc4.samdom.example.com. hostmaster.samdom.example.com. 245335 900 600 86400 3600
Rowland
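
Added example, not part of the original message: a small Python check that reads `ldbsearch --show-binary` output for a zone apex (the `@` dnsNode shown above) and reports which expected DCs have no NS record there. The function names and the trimmed sample are constructed for illustration; the host names are the ones used in the message.

```python
import re

# Constructed sample: the three dnsRecord values from the output above, trimmed
# to the fields this check reads.
SAMPLE = """\
dnsRecord:     NDR: struct dnsp_DnssrvRpcRecord
        wType                    : DNS_TYPE_SOA (6)
        soa: struct dnsp_soa
            mname                    : dc4.samdom.example.com
            rname                    : hostmaster.samdom.example.com
dnsRecord:     NDR: struct dnsp_DnssrvRpcRecord
        wType                    : DNS_TYPE_NS (2)
        ns                       : dc4.samdom.example.com
dnsRecord:     NDR: struct dnsp_DnssrvRpcRecord
        wType                    : DNS_TYPE_NS (2)
        ns                       : dc01.samdom.example.com
"""

FIELD = re.compile(r"^\s*(\w+)\s*:\s*(\S+)")

def parse_apex(text):
    """Return (soa_mname, ns_targets) from `ldbsearch --show-binary` output."""
    soa_mname, ns_targets, rtype = None, [], None
    for line in text.splitlines():
        m = FIELD.match(line)
        if not m:
            continue
        key, value = m.group(1), m.group(2).rstrip(".").lower()
        if key == "dnsRecord":        # start of a new record value
            rtype = None
        elif key == "wType":          # e.g. DNS_TYPE_NS, DNS_TYPE_SOA
            rtype = m.group(2)
        elif key == "ns" and rtype == "DNS_TYPE_NS":
            ns_targets.append(value)
        elif key == "mname" and rtype == "DNS_TYPE_SOA":
            soa_mname = value
    return soa_mname, ns_targets

def missing_nameservers(text, expected_dcs):
    """DCs that have no NS record at the zone apex (hypothetical helper)."""
    _, ns_targets = parse_apex(text)
    return sorted({dc.rstrip(".").lower() for dc in expected_dcs} - set(ns_targets))

if __name__ == "__main__":
    dcs = ["dc4.samdom.example.com", "dc01.samdom.example.com"]
    print("SOA mname:", parse_apex(SAMPLE)[0])
    print("missing NS:", missing_nameservers(SAMPLE, dcs) or "none")
```

Run against the reverse zone on each DC, a non-empty "missing NS" list corresponds to the situation described in question (1), where only the first DC appears on the nameserver tab.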