On 23/09/2022 18:51, Sonic wrote:
> On Fri, Sep 23, 2022 at 1:24 PM Rowland Penny via samba
>> 'domain' and 'search' are mutually exclusive in /etc/resolv.conf,
>> 'search' is known to work in Samba AD, so that is why I
>> recommend it over 'domain'.
>
> Oddly enough the Debian install puts both a search line and a domain
> line in resolv.conf. I simplified to domain but have now switched to
> search.
>
>> AAAARRRRGGGGHHHH..................
>
> Ha! I get it.
>
>> All AD computers must use a DC as their nameserver, this is because all
>> the AD dns records are stored in AD and each DC is authoritative for the DNS
>> domain.
>
>> The exception to this is where the AD computer uses a nameserver that
>> forwards all AD dns domain requests to a DC (which is pretty much the same thing
>> as using a DC as a nameserver). You cannot rely on a caching nameserver holding
>> the required AD records.
>
> Which is the case here - the local caching nameserver (Unbound) does
> contain all of the DC's records (via stub-zones), both forward and
> reverse, including all SRV records. There is nothing missing.
>
> Chris

OK, how do the records in AD get updated then? I really suggest you
change your caching unbound dns server to a forwarding dns server.

Rowland
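
Added example, not part of the original messages: a small shell lint for the two resolv.conf points raised in this thread (domain versus search, and nameservers that must be a DC or a forwarder to one). The function name, the sample domain samdom.example.com and the 192.0.2.x addresses are constructed; per resolv.conf(5), when both keywords are present only the last one is used.

```shell
#!/bin/sh
# Added example (not from the thread): lint a resolv.conf on an AD member.
# Usage: lint_resolv_conf FILE RESOLVER_IP...
#   RESOLVER_IP = a DC, or a nameserver that forwards the AD zone to a DC.
# Prints one finding per line; returns 0 when there are none.
lint_resolv_conf() {
    file=$1; shift
    allowed=" $* "
    findings=$(awk -v allowed="$allowed" '
        /^[#;]/ { next }                          # comment lines
        $1 == "domain" { have_domain = 1; last = "domain" }
        $1 == "search" { have_search = 1; last = "search" }
        $1 == "nameserver" {
            ns++
            if (index(allowed, " " $2 " ") == 0)
                print "nameserver " $2 " is not a listed DC/forwarder"
        }
        END {
            if (have_domain && have_search)
                print "domain and search both set; only " last " (the last one) is used"
            else if (have_domain)
                print "domain is set; search is the form known to work with Samba AD"
            if (!ns) print "no nameserver line"
        }' "$file")
    [ -z "$findings" ] && return 0
    printf '%s\n' "$findings"
    return 1
}

# Constructed sample: both keywords present, as in the Debian install
# mentioned in the thread; the 127.0.0.1 resolver is an assumption.
sample=$(mktemp)
cat > "$sample" <<'EOF'
domain samdom.example.com
search samdom.example.com
nameserver 127.0.0.1
EOF
lint_resolv_conf "$sample" 192.0.2.10 192.0.2.11 || true
rm -f "$sample"
```

A local resolver that forwards the AD zone to a DC can be passed as one of the allowed addresses, matching the exception described in the quoted text.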