Norbert Hanke
2024-Mar-31 15:09 UTC
[Samba] Inconsistent SOA records from different Samba AD-DC DNS servers
Hi all,

I am experiencing strange behaviour regarding DNS resolution with my samba-driven AD.

This is with Debian-packaged samba on raspberry Pi:

# samba -V
Version 4.19.5-Debian
# uname -a
Linux dc3.ad.mydomain.tld 6.1.0-rpi8-rpi-v8 #1 SMP PREEMPT Debian 1:6.1.73-1+rpt1 (2024-01-25) aarch64 GNU/Linux

I would expect that every DNS server of the domain would respond with the same SOA record. But with Samba AD-DC integrated Bind9 it does not. Each DNS server responds with its own node being the SOA:

# host -t SOA ad.mydomain.tld dc1
Using domain server:
Name: dc1
Address: 10.88.1.8#53
Aliases:

ad.mydomain.tld has SOA record dc1.ad.mydomain.tld. hostmaster.ad.mydomain.tld. 49776 900 600 86400 3600

# host -t SOA ad.mydomain.tld dc2
Using domain server:
Name: dc2
Address: 10.88.1.9#53
Aliases:

ad.mydomain.tld has SOA record dc2.ad.mydomain.tld. hostmaster.ad.mydomain.tld. 49776 900 600 86400 3600

# host -t SOA ad.mydomain.tld dc3
Using domain server:
Name: dc3
Address: 10.88.1.10#53
Aliases:

ad.mydomain.tld has SOA record dc3.ad.mydomain.tld. hostmaster.ad.mydomain.tld. 49776 900 600 86400 3600

When querying each DC with samba-tool I always get the same response, pointing to the DC that has all fsmo roles, which I expect:

# samba-tool dns query dc3 ad.mydomain.tld ad.mydomain.tld SOA|grep SOA
    SOA: serial=49776, refresh=900, retry=600, expire=86400, minttl=3600, ns=dc1.ad.mydomain.tld., email=hostmaster.ad.mydomain.tld. (flags=600000f0, serial=49775, ttl=3600)
# samba-tool dns query dc1 ad.mydomain.tld ad.mydomain.tld SOA|grep SOA
    SOA: serial=49776, refresh=900, retry=600, expire=86400, minttl=3600, ns=dc1.ad.mydomain.tld., email=hostmaster.ad.mydomain.tld. (flags=600000f0, serial=49775, ttl=3600)
# samba-tool dns query dc2 ad.mydomain.tld ad.mydomain.tld SOA|grep SOA
    SOA: serial=49776, refresh=900, retry=600, expire=86400, minttl=3600, ns=dc1.ad.mydomain.tld., email=hostmaster.ad.mydomain.tld. (flags=600000f0, serial=49775, ttl=3600)

I also notice that the serial number between DNS and samba-tool responses is one off: 49776 vs 49775.

Is something broken with Bind9-DLZ?

regards,
Norbert
Rowland Penny
2024-Mar-31 16:02 UTC
[Samba] Inconsistent SOA records from different Samba AD-DC DNS servers
On Sun, 31 Mar 2024 17:09:34 +0200
Norbert Hanke via samba <samba at lists.samba.org> wrote:

> Hi all,
>
> I am experiencing strange behaviour regarding DNS resolution with my
> samba-driven AD.
>
> This is with Debian-packaged samba on raspberry Pi:
> # samba -V
> Version 4.19.5-Debian
> # uname -a
> Linux dc3.ad.mydomain.tld 6.1.0-rpi8-rpi-v8 #1 SMP PREEMPT Debian
> 1:6.1.73-1+rpt1 (2024-01-25) aarch64 GNU/Linux
>
> I would expect that every DNS server of the domain would respond with
> the same SOA record. But with Samba AD-DC integrated Bind9 it does
> not. Each DNS server responds with its own node being the SOA:
>
> # host -t SOA ad.mydomain.tld dc1
> Using domain server:
> Name: dc1
> Address: 10.88.1.8#53
> Aliases:
>
> ad.mydomain.tld has SOA record dc1.ad.mydomain.tld.
> hostmaster.ad.mydomain.tld. 49776 900 600 86400 3600
>
> # host -t SOA ad.mydomain.tld dc2
> Using domain server:
> Name: dc2
> Address: 10.88.1.9#53
> Aliases:
>
> ad.mydomain.tld has SOA record dc2.ad.mydomain.tld.
> hostmaster.ad.mydomain.tld. 49776 900 600 86400 3600
>
> # host -t SOA ad.mydomain.tld dc3
> Using domain server:
> Name: dc3
> Address: 10.88.1.10#53
> Aliases:
>
> ad.mydomain.tld has SOA record dc3.ad.mydomain.tld.
> hostmaster.ad.mydomain.tld. 49776 900 600 86400 3600
>
>
> When querying each DC with samba-tool I always get the same
> response, pointing to the DC that has all fsmo roles, which I expect:
>
> # samba-tool dns query dc3 ad.mydomain.tld ad.mydomain.tld SOA|grep SOA
>     SOA: serial=49776, refresh=900, retry=600, expire=86400,
> minttl=3600, ns=dc1.ad.mydomain.tld.,
> email=hostmaster.ad.mydomain.tld. (flags=600000f0, serial=49775,
> ttl=3600)
> # samba-tool dns query dc1 ad.mydomain.tld ad.mydomain.tld SOA|grep SOA
>     SOA: serial=49776, refresh=900, retry=600, expire=86400,
> minttl=3600, ns=dc1.ad.mydomain.tld.,
> email=hostmaster.ad.mydomain.tld. (flags=600000f0, serial=49775,
> ttl=3600)
> # samba-tool dns query dc2 ad.mydomain.tld ad.mydomain.tld SOA|grep SOA
>     SOA: serial=49776, refresh=900, retry=600, expire=86400,
> minttl=3600, ns=dc1.ad.mydomain.tld.,
> email=hostmaster.ad.mydomain.tld. (flags=600000f0, serial=49775,
> ttl=3600)
>
> I also notice that the serial number between DNS and samba-tool
> responses is one off: 49776 vs 49775.
>
> Is something broken with Bind9-DLZ?

Simple answer, no.

Full answer, Active Directory uses what is known as multi-master when it comes to DNS. The DNS records are stored in AD and each DC is authoritative for the DNS domain and, as such, they are all SOAs (Start Of Authority), so no, nothing is broken.

Rowland
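As an added check (not part of the thread, and not Samba's own code): a small parser for the `host -t SOA` answers and the `samba-tool dns query` SOA line quoted above, which reports whether the only thing differing between the DCs is the MNAME each one puts on its own answer (the multi-master behaviour Rowland describes), while serials and timer fields still agree with each other and with the record stored in AD. The sample input is constructed from the values in the thread; the DC names and zone are the ones the original post uses.

```python
import re

# Constructed sample input, modelled on the `host -t SOA` answers and the
# `samba-tool dns query` line quoted in the thread (values copied from there).
HOST_ANSWERS = {
    "dc1": "ad.mydomain.tld has SOA record dc1.ad.mydomain.tld. hostmaster.ad.mydomain.tld. 49776 900 600 86400 3600",
    "dc2": "ad.mydomain.tld has SOA record dc2.ad.mydomain.tld. hostmaster.ad.mydomain.tld. 49776 900 600 86400 3600",
    "dc3": "ad.mydomain.tld has SOA record dc3.ad.mydomain.tld. hostmaster.ad.mydomain.tld. 49776 900 600 86400 3600",
}
SAMBA_TOOL_LINE = ("SOA: serial=49776, refresh=900, retry=600, expire=86400, minttl=3600, "
                   "ns=dc1.ad.mydomain.tld., email=hostmaster.ad.mydomain.tld. "
                   "(flags=600000f0, serial=49775, ttl=3600)")

HOST_RE = re.compile(r"^(?P<zone>\S+) has SOA record (?P<mname>\S+) (?P<rname>\S+) "
                     r"(?P<serial>\d+) (?P<refresh>\d+) (?P<retry>\d+) (?P<expire>\d+) (?P<minimum>\d+)$")

def parse_host_soa(line):
    """Parse one host(1) SOA answer line into a dict with integer timer fields."""
    m = HOST_RE.match(line.strip())
    if not m:
        raise ValueError(f"not a host(1) SOA line: {line!r}")
    soa = m.groupdict()
    for k in ("serial", "refresh", "retry", "expire", "minimum"):
        soa[k] = int(soa[k])
    return soa

def parse_samba_tool_soa(line):
    """Parse the SOA line printed by `samba-tool dns query`. The serial inside
    the trailing parentheses is reported separately from the SOA rdata serial."""
    head, _, tail = line.partition("(")
    rdata = dict(kv.split("=", 1) for kv in re.findall(r"\w+=[^,\s]+", head))
    record = dict(kv.split("=", 1) for kv in re.findall(r"\w+=[^,)\s]+", tail))
    return {"serial": int(rdata["serial"]), "ns": rdata["ns"],
            "record_serial": int(record["serial"])}

def check_soa_consistency(answers, samba_tool_line):
    """Compare what each DC serves over DNS with the AD-stored SOA.
    MNAME differing per DC is expected in AD multi-master DNS; serials or
    timers diverging between DCs is what would warrant investigation."""
    dns = {dc: parse_host_soa(line) for dc, line in answers.items()}
    stored = parse_samba_tool_soa(samba_tool_line)
    serials = {s["serial"] for s in dns.values()}
    timers = {(s["refresh"], s["retry"], s["expire"], s["minimum"]) for s in dns.values()}
    return {
        "mname_by_dc": {dc: s["mname"] for dc, s in dns.items()},
        "every_dc_names_itself": all(s["mname"].split(".")[0] == dc for dc, s in dns.items()),
        "dns_serials_agree": len(serials) == 1,
        "dns_timers_agree": len(timers) == 1,
        "dns_serial_matches_stored_soa": serials == {stored["serial"]},
        "stored_ns": stored["ns"],
        "stored_record_serial": stored["record_serial"],
    }
```

Feed it the real output of `host -t SOA <zone> <dc>` for every DC and a single `samba-tool dns query` SOA line; a `False` for `dns_serials_agree` or `dns_timers_agree` points at replication rather than at the MNAME difference.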