Hi Rowland,

first and foremost thanks for the answer...on a Saturday! Since I wrote I got it running!
Did a complete purge of packages samba libnss-winbind libpam-winbind krb5-user krb5-config libpam-krb5 and reinstalled.
Stopped smbd, nmbd and winbind and joined the domain. Started the services again and winbind could start as well.

Thanks!

Fyi, the smb.conf on AD (got a bit of a strange naming convention for workgroup/realm, but this way windows machines do not notice the change from NT4 domain to AD):

# Global parameters
[global]
workgroup = MAYWEG.NET
realm = INTRANET.MAYWEG.NET
netbios name = SERVER06
interfaces = lo, eth0
bind interfaces only = Yes
server role = active directory domain controller
server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbind, ntp_signd, kcc, dnsupdate
idmap_ldb:use rfc2307 = yes

[netlogon]
path = /var/lib/samba/sysvol/intranet.mayweg.net/scripts
read only = No

[sysvol]
path = /var/lib/samba/sysvol
read only = No

On 11 April 2015 at 14:52, Rowland Penny <rowlandpenny at googlemail.com> wrote:
> On 11/04/15 13:01, Timo Altun wrote:
>
>> Hi guys,
>>
>> we're testing the domain join of a Debian Wheezy machine to a Samba 4.17
>> AD with BIND9 backend (Debian Jessie). I can join the domain with "net ads
>> join" alright, but "wbinfo -u" delivers nothing, cause winbind is not able
>> to start.
>>
>> /etc/init.d/winbind status tells me it is not running.
>>
>> If I try winbindd -S -F I receive:
>>
>> initialize_winbindd_cache: clearing cache and re-creating with version
>> number 2
>> create_local_token failed: NT_STATUS_NO_SUCH_USER
>>
>> Is it possibly a rights issue? Some additional information:
>> - the machine was on squeezy before and we did a dist-upgrade to wheezy
>> - pam-auth-update lists kerberos and windows-nt/active directory
>> authentication as possible auth methods.
>> - windows machines can join the domain and communicate fine with the ad
>> dc.
>> Samba Version 3.6.6.
>> Following the configs of the domain member to be (wheezy), they worked for
>> a fresh wheezy install for the same domain:
>>
>> *smb.conf:*
>> [global]
>>
>> netbios name = WheezyTest
>> workgroup = MAYWEG.NET
>> security = ADS
>> realm = INTRANET.MAYWEG.NET
>> dedicated keytab file = /etc/krb5.keytab
>> kerberos method = secrets and keytab
>>
>> idmap config *:backend = tdb
>> idmap config *:range = 2000-9999
>> idmap config MAYWEG.NET:backend = ad
>> idmap config MAYWEG.NET:schema_mode = rfc2307
>> idmap config MAYWEG.NET:range = 10000-99999
>>
>> winbind nss info = rfc2307
>> winbind trusted domains only = no
>> winbind use default domain = yes
>> winbind enum users = yes
>> winbind enum groups = yes
>> winbind refresh tickets = Yes
>>
>> template homedir = /home/%U
>> template shell = /bin/bash
>>
>> *nsswitch.conf:*
>>
>> passwd: compat winbind
>> group: compat winbind
>> shadow: compat
>>
>> hosts: files mdns4_minimal [NOTFOUND=return] dns mdns4
>> networks: files
>>
>> protocols: db files
>> services: db files
>> ethers: db files
>> rpc: db files
>>
>> netgroup: nis
>>
>> *krb5.conf:*
>> [libdefaults]
>> default_realm = INTRANET.MAYWEG.NET
>> dns_lookup_realm = false
>> dns_lookup_kdc = true
>>
>> *hosts:*
>> nameserver 192.168.111.90
>> search intranet.mayweg.net
>>
>> As usual, I'm happy for every pointer or help I can get. Googling mostly
>> returned smbd not being able to start with this error, but that's running.
>>
>> Greetings,
>> Timo
>>
>
> You seem to be using the realm name for the workgroup, what is in the
> smb.conf on the Samba AD DC ?
>
> If you are updating to wheezy then you might as well use samba from
> backports, this will give you a version that isn't EOL.
>
> Rowland
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/options/samba
>
Greetings, Timo Altun!

> Fyi, the smb.conf on AD (got a bit of a strange naming convention for
> workgroup/realm, but this way windows machines do not notice the change
> from NT4 domain to AD):

They do notice. And if you try to roll back the migration, you'll see that machines that once logged in to AD are no longer able to log in to the old domain. The only part that visibly changes is the default suffix, and in the default Windows configuration it is changed automatically once the system joins AD for the first time.

> # Global parameters
> [global]
> workgroup = MAYWEG.NET

That said, your configuration only works because you do not have older systems in your network that do not understand periods in workgroup names. In all other cases, you could have left the workgroup as it once was.

> realm = INTRANET.MAYWEG.NET
> netbios name = SERVER06
> interfaces = lo, eth0
> bind interfaces only = Yes
> server role = active directory domain controller
> server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbind,
> ntp_signd, kcc, dnsupdate
> idmap_ldb:use rfc2307 = yes
>
> [netlogon]
> path = /var/lib/samba/sysvol/intranet.mayweg.net/scripts
> read only = No
>
> [sysvol]
> path = /var/lib/samba/sysvol
> read only = No

--
With best regards,
Andrey Repin
Saturday, April 11, 2015 18:49:42

Sorry for my terrible english...
Good evening,
unfortunately one problem emerged during the change from my testing
environment to a small portion of the live environment.
The automatic dns updates of the windows clients do not seem to work in the
live environment. I changed the AD DC IP from another subnet to
192.168.111.90, without reprovisioning. Everything else seems to work fine
though (e.g. domain joins, shares and DNS forwarding, looking up manually
added entries). I could also add entries manually with samba-tool dns add,
but keeping in mind that it worked in the other subnet I would like to
avoid that.
My DNS Backend is BIND 9.9.5 from the Debian Wheezy sources.
As I don't receive any real error messages (looked in syslog, messages,
/var/log/samba/log.smbd) I don't have a clue where the problem is. Maybe
somebody has an idea?!
The startup seems fine in the log:
Apr 11 18:53:42 server06 named[4141]: starting BIND 9.9.5-9-Debian -f -u
bind
Apr 11 18:53:42 server06 named[4141]: built with '--prefix=/usr'
'--mandir=/usr/share/man' '--infodir=/usr/share/info'
'--sysconfdir=/etc/bind' '--localstatedir=/var'
'--enable-threads'
'--enable-largefile' '--with-libtool' '--enable-shared'
'--enable-static'
'--with-openssl=/usr' '--with-gssapi=/usr'
'--with-gnu-ld'
'--with-geoip=/usr' '--with-atf=no' '--enable-ipv6'
'--enable-rrl'
'--enable-filter-aaaa' 'CFLAGS=-fno-strict-aliasing
-fno-delete-null-pointer-checks -DDIG_SIGCHASE -O2'
Apr 11 18:53:42 server06 named[4141]:
----------------------------------------------------
Apr 11 18:53:42 server06 named[4141]: BIND 9 is maintained by Internet
Systems Consortium,
Apr 11 18:53:42 server06 named[4141]: Inc. (ISC), a non-profit 501(c)(3)
public-benefit
Apr 11 18:53:42 server06 named[4141]: corporation. Support and training
for BIND 9 are
Apr 11 18:53:42 server06 named[4141]: available at
https://www.isc.org/support
Apr 11 18:53:42 server06 named[4141]:
----------------------------------------------------
Apr 11 18:53:42 server06 named[4141]: adjusted limit on open files from
4096 to 1048576
Apr 11 18:53:42 server06 named[4141]: found 4 CPUs, using 4 worker threads
Apr 11 18:53:42 server06 named[4141]: using 4 UDP listeners per interface
Apr 11 18:53:42 server06 named[4141]: using up to 4096 sockets
Apr 11 18:53:42 server06 named[4141]: loading configuration from
'/etc/bind/named.conf'
Apr 11 18:53:42 server06 named[4141]: reading built-in trusted keys from
file '/etc/bind/bind.keys'
Apr 11 18:53:42 server06 named[4141]: using default UDP/IPv4 port range:
[1024, 65535]
Apr 11 18:53:42 server06 named[4141]: using default UDP/IPv6 port range:
[1024, 65535]
Apr 11 18:53:42 server06 named[4141]: listening on IPv4 interface lo,
127.0.0.1#53
Apr 11 18:53:42 server06 named[4141]: listening on IPv4 interface eth0,
192.168.111.90#53
Apr 11 18:53:42 server06 named[4141]: generating session key for dynamic DNS
Apr 11 18:53:42 server06 named[4141]: sizing zone task pool based on 5 zones
Apr 11 18:53:42 server06 named[4141]: Loading 'AD DNS Zone' using driver
dlopen
Apr 11 18:53:42 server06 named[4141]: samba_dlz: started for DN
DC=intranet,DC=mayweg,DC=net
Apr 11 18:53:42 server06 named[4141]: samba_dlz: starting configure
Apr 11 18:53:42 server06 named[4141]: samba_dlz: configured writeable zone
'111.168.192.in-addr.arpa'
Apr 11 18:53:42 server06 named[4141]: samba_dlz: configured writeable zone '
intranet.mayweg.net'
Apr 11 18:53:42 server06 named[4141]: samba_dlz: configured writeable zone
'_msdcs.intranet.mayweg.net'
Apr 11 18:53:42 server06 named[4141]: set up managed keys zone for view
_default, file 'managed-keys.bind'
[...]
Apr 11 18:53:42 server06 named[4141]: command channel listening on
127.0.0.1#953
Apr 11 18:53:42 server06 named[4141]: command channel listening on ::1#953
Apr 11 18:53:42 server06 named[4141]: managed-keys-zone: loaded serial 3
Apr 11 18:53:42 server06 named[4141]: zone 0.in-addr.arpa/IN: loaded serial
1
Apr 11 18:53:42 server06 named[4141]: zone 127.in-addr.arpa/IN: loaded
serial 1
Apr 11 18:53:42 server06 named[4141]: zone localhost/IN: loaded serial 2
Apr 11 18:53:42 server06 named[4141]: zone 255.in-addr.arpa/IN: loaded
serial 1
Apr 11 18:53:42 server06 named[4141]: all zones loaded
Apr 11 18:53:42 server06 named[4141]: running
The only thing I find a bit strange is "command channel listening on
::1#953" instead of the actual IPv4 address.
My smb.conf on the AD DC can be found in the e-mail before. Here is the
rest:
*krb5.conf:*
[libdefaults]
default_realm = INTRANET.MAYWEG.NET
dns_lookup_realm = false
dns_lookup_kdc = true
*named.conf:*
include "/etc/bind/named.conf.options";
include "/etc/bind/named.conf.local";
include "/etc/bind/named.conf.default-zones";
include "/var/lib/samba/private/named.conf";
*named.conf.default-zones:*
// prime the server with knowledge of the root servers
zone "." {
type hint;
file "/etc/bind/db.root";
};
// be authoritative for the localhost forward and reverse zones, and for
// broadcast zones as per RFC 1912
zone "localhost" {
type master;
file "/etc/bind/db.local";
};
zone "127.in-addr.arpa" {
type master;
file "/etc/bind/db.127";
};
zone "0.in-addr.arpa" {
type master;
file "/etc/bind/db.0";
};
zone "255.in-addr.arpa" {
type master;
file "/etc/bind/db.255";
};
*named.conf.options:*
options {
directory "/var/cache/bind";
forwarders {
192.168.111.79;
};
dnssec-validation no;
auth-nxdomain no; # conform to RFC1035
listen-on { any; };
tkey-gssapi-keytab "/var/lib/samba/private/dns.keytab";
};
*named.conf.local:*
//empty
*/var/lib/samba/private/named.conf:*
dlz "AD DNS Zone" {
# For BIND 9.9.x
database "dlopen
/usr/lib/x86_64-linux-gnu/samba/bind9/dlz_bind9_9.so";
};
I also checked the permissions on /etc/krb5.keytab and
/var/lib/samba/private/dns.keytab. Both should be accessible by bind and
samba.
Greetings,
Timo
On 11 April 2015 at 16:16, Timo Altun <olol13.samba at the-1337.org>
wrote:
> Hi Rowland,
>
> first and foremost thanks for the answer...on a saturday! Since I wrote I
> got it running!
> Did a complete purge of packages samba libnss-winbind libpam-winbind
> krb5-user krb5-config libpam-krb5 and reinstalled.
> Stopped smbd, nmbd and winbind and joined the domain. Started the services
> again and winbind could start as well.
>
> Thanks!
>
>
>
> Fyi, the smb.conf on AD (got a bit of a strange naming convention for
> workgroup/realm, but this way windows machines do not notice the change
> from NT4 domain to AD):
> # Global parameters
> [global]
> workgroup = MAYWEG.NET
> realm = INTRANET.MAYWEG.NET
> netbios name = SERVER06
> interfaces = lo, eth0
> bind interfaces only = Yes
> server role = active directory domain controller
> server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbind,
> ntp_signd, kcc, dnsupdate
> idmap_ldb:use rfc2307 = yes
>
> [netlogon]
> path = /var/lib/samba/sysvol/intranet.mayweg.net/scripts
> read only = No
>
> [sysvol]
> path = /var/lib/samba/sysvol
> read only = No
>
> On 11 April 2015 at 14:52, Rowland Penny <rowlandpenny at googlemail.com>
> wrote:
>
>> On 11/04/15 13:01, Timo Altun wrote:
>>
>>> Hi guys,
>>>
>>> we're testing the domain join of a Debian Wheezy machine to a Samba 4.17
>>> AD with BIND9 backend (Debian Jessie). I can join the domain with "net ads
>>> join" alright, but "wbinfo -u" delivers nothing, cause winbind is not able
>>> to start.
>>>
>>> /etc/init.d/winbind status tells me it is not running.
>>>
>>> If I try winbindd -S -F I receive:
>>>
>>> initialize_winbindd_cache: clearing cache and re-creating with version
>>> number 2
>>> create_local_token failed: NT_STATUS_NO_SUCH_USER
>>>
>>> Is it possibly a rights issue? Some additional information:
>>> - the machine was on squeezy before and we did a dist-upgrade to wheezy
>>> - pam-auth-update lists kerberos and windows-nt/active directory
>>> authentication as possible auth methods.
>>> - windows machines can join the domain and communicate fine with the ad
>>> dc.
>>> Samba Version 3.6.6.
>>> Following the configs of the domain member to be (wheezy), they worked
>>> for a fresh wheezy install for the same domain:
>>>
>>>
>>> *smb.conf:*
>>> [global]
>>>
>>> netbios name = WheezyTest
>>> workgroup = MAYWEG.NET
>>> security = ADS
>>> realm = INTRANET.MAYWEG.NET
>>> dedicated keytab file = /etc/krb5.keytab
>>> kerberos method = secrets and keytab
>>>
>>> idmap config *:backend = tdb
>>> idmap config *:range = 2000-9999
>>> idmap config MAYWEG.NET:backend = ad
>>> idmap config MAYWEG.NET:schema_mode = rfc2307
>>> idmap config MAYWEG.NET:range = 10000-99999
>>>
>>> winbind nss info = rfc2307
>>> winbind trusted domains only = no
>>> winbind use default domain = yes
>>> winbind enum users = yes
>>> winbind enum groups = yes
>>> winbind refresh tickets = Yes
>>>
>>> template homedir = /home/%U
>>> template shell = /bin/bash
>>>
>>> *nsswitch.conf:*
>>>
>>> passwd: compat winbind
>>> group: compat winbind
>>> shadow: compat
>>>
>>> hosts: files mdns4_minimal [NOTFOUND=return] dns mdns4
>>> networks: files
>>>
>>> protocols: db files
>>> services: db files
>>> ethers: db files
>>> rpc: db files
>>>
>>> netgroup: nis
>>>
>>>
>>> *krb5.conf:*
>>> [libdefaults]
>>> default_realm = INTRANET.MAYWEG.NET
>>> dns_lookup_realm = false
>>> dns_lookup_kdc = true
>>>
>>> *hosts:*
>>> nameserver 192.168.111.90
>>> search intranet.mayweg.net
>>>
>>> As usual, I'm happy for every pointer or help I can get. Googling mostly
>>> returned smbd not being able to start with this error, but that's
>>> running.
>>>
>>> Greetings,
>>> Timo
>>>
>>
>> You seem to be using the realm name for the workgroup, what is in the
>> smb.conf on the Samba AD DC ?
>>
>> If you are updating to wheezy then you might as well use samba from
>> backports, this will give you a version that isn't EOL.
>>
>> Rowland
>>
>> --
>> To unsubscribe from this list go to the following URL and read the
>> instructions: https://lists.samba.org/mailman/options/samba
>>
>
>
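As an added check (editorial example code, not from the thread, Samba or BIND), a short Python script that parses the named.conf.options and /var/lib/samba/private/named.conf fragments quoted above and pulls out the settings that GSS-TSIG dynamic updates through the BIND9_DLZ backend depend on: the tkey-gssapi-keytab path, the listen-on clause and the dlz module, which must be the one built for the running BIND series (dlz_bind9_9.so for 9.9.x). The fragments are embedded as a constructed copy of the mail's text, and the module-naming pattern for series other than 9.9 is an assumption.

```python
"""Check a named.conf for the settings Samba's BIND9_DLZ backend needs.

Added example for this thread, not code from the mail or from Samba/BIND.
"""
import re

# Constructed sample: the named.conf.options and Samba-generated named.conf
# fragments quoted in the mail, with the includes assumed already resolved.
NAMED_CONF = """
options {
    directory "/var/cache/bind";
    forwarders { 192.168.111.79; };
    dnssec-validation no;
    auth-nxdomain no;    # conform to RFC1035
    listen-on { any; };
    tkey-gssapi-keytab "/var/lib/samba/private/dns.keytab";
};
dlz "AD DNS Zone" {
    # For BIND 9.9.x
    database "dlopen
    /usr/lib/x86_64-linux-gnu/samba/bind9/dlz_bind9_9.so";
};
"""


def strip_comments(text):
    """Remove the three comment styles named.conf accepts: /* */, // and #."""
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)
    return re.sub(r"(//|#)[^\n]*", "", text)


def parse_blocks(text):
    """Map each top-level `name { body };` statement to its body text.
    Only depth-0 braces open a block, so `forwarders { ... };` stays nested."""
    blocks, depth, start, name = {}, 0, 0, None
    for i, ch in enumerate(text):
        if ch == "{":
            if depth == 0:
                name = text[:i].rsplit(";", 1)[-1].strip()
                start = i + 1
            depth += 1
        elif ch == "}":
            depth -= 1
            if depth == 0:
                blocks[name] = text[start:i]
    return blocks


def check_dlz_setup(conf, bind_version="9.9"):
    """Return the DLZ-relevant settings and whether the module fits BIND."""
    blocks = parse_blocks(strip_comments(conf))
    opts = blocks.get("options", "")
    dlz = next((b for n, b in blocks.items() if n.startswith("dlz ")), "")
    keytab = re.search(r'tkey-gssapi-keytab\s+"([^"]+)"', opts)
    module = re.search(r'database\s+"dlopen\s+([^"\s]+)"', dlz)
    # BIND 9.9.x needs dlz_bind9_9.so (from the mail); the same
    # major_minor naming is assumed here for other 9.x series.
    want = "dlz_bind%s.so" % bind_version.replace(".", "_")
    return {
        "keytab": keytab.group(1) if keytab else None,
        "listen_any": bool(re.search(r"listen-on\s*\{\s*any;\s*\}", opts)),
        "dlz_module": module.group(1) if module else None,
        "dlz_matches_bind": bool(module) and module.group(1).endswith(want),
    }
```

On the DC itself, feed it the real files after resolving the includes; a missing keytab path means named cannot negotiate GSS-TSIG with the clients, so their updates fail.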
On 11/04/15 18:54, Timo Altun wrote:
> Good evening,
>
> unfortunately one problem emerged during the change from my testing
> environment to a small portion of the live environment.
> The automatic dns updates of the windows clients do not seem to work
> in the live environment. I changed the AD DC IP from another subnet to
> 192.168.111.90, without reprovisioning. Everything else seems to work
> fine though (e.g. domain joins, shares and DNS forwarding, looking up
> manually added entries). I could also add entries manually with
> samba-tool dns add, but keeping in mind that it worked in the other
> subnet I would like to avoid that.
> My DNS Backend is BIND 9.9.5 from the Debian Wheezy sources.
> As I don't receive any real error messages (looked in syslog,
> messages, /var/log/samba/log.smbd) I don't have a clue where the
> problem is. Maybe somebody has an idea?!
>
> The startup seems fine in the log:
> Apr 11 18:53:42 server06 named[4141]: starting BIND 9.9.5-9-Debian -f
> -u bind
> Apr 11 18:53:42 server06 named[4141]: built with '--prefix=/usr'
> '--mandir=/usr/share/man' '--infodir=/usr/share/info'
> '--sysconfdir=/etc/bind' '--localstatedir=/var' '--enable-threads'
> '--enable-largefile' '--with-libtool' '--enable-shared'
> '--enable-static' '--with-openssl=/usr' '--with-gssapi=/usr'
> '--with-gnu-ld' '--with-geoip=/usr' '--with-atf=no' '--enable-ipv6'
> '--enable-rrl' '--enable-filter-aaaa' 'CFLAGS=-fno-strict-aliasing
> -fno-delete-null-pointer-checks -DDIG_SIGCHASE -O2'
> Apr 11 18:53:42 server06 named[4141]:
> ----------------------------------------------------
> Apr 11 18:53:42 server06 named[4141]: BIND 9 is maintained by Internet
> Systems Consortium,
> Apr 11 18:53:42 server06 named[4141]: Inc. (ISC), a non-profit
> 501(c)(3) public-benefit
> Apr 11 18:53:42 server06 named[4141]: corporation. Support and
> training for BIND 9 are
> Apr 11 18:53:42 server06 named[4141]: available at
> https://www.isc.org/support
> Apr 11 18:53:42 server06 named[4141]:
> ----------------------------------------------------
> Apr 11 18:53:42 server06 named[4141]: adjusted limit on open files
> from 4096 to 1048576
> Apr 11 18:53:42 server06 named[4141]: found 4 CPUs, using 4 worker threads
> Apr 11 18:53:42 server06 named[4141]: using 4 UDP listeners per interface
> Apr 11 18:53:42 server06 named[4141]: using up to 4096 sockets
> Apr 11 18:53:42 server06 named[4141]: loading configuration from
> '/etc/bind/named.conf'
> Apr 11 18:53:42 server06 named[4141]: reading built-in trusted keys
> from file '/etc/bind/bind.keys'
> Apr 11 18:53:42 server06 named[4141]: using default UDP/IPv4 port
> range: [1024, 65535]
> Apr 11 18:53:42 server06 named[4141]: using default UDP/IPv6 port
> range: [1024, 65535]
> Apr 11 18:53:42 server06 named[4141]: listening on IPv4 interface lo,
> 127.0.0.1#53
> Apr 11 18:53:42 server06 named[4141]: listening on IPv4 interface
> eth0, 192.168.111.90#53
> Apr 11 18:53:42 server06 named[4141]: generating session key for
> dynamic DNS
> Apr 11 18:53:42 server06 named[4141]: sizing zone task pool based on 5
> zones
> Apr 11 18:53:42 server06 named[4141]: Loading 'AD DNS Zone' using
> driver dlopen
> Apr 11 18:53:42 server06 named[4141]: samba_dlz: started for DN
> DC=intranet,DC=mayweg,DC=net
> Apr 11 18:53:42 server06 named[4141]: samba_dlz: starting configure
> Apr 11 18:53:42 server06 named[4141]: samba_dlz: configured writeable
> zone '111.168.192.in-addr.arpa'
> Apr 11 18:53:42 server06 named[4141]: samba_dlz: configured writeable
> zone 'intranet.mayweg.net'
> Apr 11 18:53:42 server06 named[4141]: samba_dlz: configured writeable
> zone '_msdcs.intranet.mayweg.net'
> Apr 11 18:53:42 server06 named[4141]: set up managed keys zone for
> view _default, file 'managed-keys.bind'
> [...]
> Apr 11 18:53:42 server06 named[4141]: command channel listening on
> 127.0.0.1#953
> Apr 11 18:53:42 server06 named[4141]: command channel listening on ::1#953
> Apr 11 18:53:42 server06 named[4141]: managed-keys-zone: loaded serial 3
> Apr 11 18:53:42 server06 named[4141]: zone 0.in-addr.arpa/IN: loaded
> serial 1
> Apr 11 18:53:42 server06 named[4141]: zone 127.in-addr.arpa/IN: loaded
> serial 1
> Apr 11 18:53:42 server06 named[4141]: zone localhost/IN: loaded serial 2
> Apr 11 18:53:42 server06 named[4141]: zone 255.in-addr.arpa/IN: loaded
> serial 1
> Apr 11 18:53:42 server06 named[4141]: all zones loaded
> Apr 11 18:53:42 server06 named[4141]: running
>
> The only thing I find a bit strange is "command channel listening on
> ::1#953" instead of the actual IPv4 address.
> My smb.conf on the AD DC can be found in the e-mail before. Here is
> the rest:
>
> *krb5.conf:*
> [libdefaults]
> default_realm = INTRANET.MAYWEG.NET
> dns_lookup_realm = false
> dns_lookup_kdc = true
>
> *named.conf:*
> include "/etc/bind/named.conf.options";
> include "/etc/bind/named.conf.local";
> include "/etc/bind/named.conf.default-zones";
> include "/var/lib/samba/private/named.conf";
>
> *named.conf.default-zones:*
> // prime the server with knowledge of the root servers
> zone "." {
> type hint;
> file "/etc/bind/db.root";
> };
>
> // be authoritative for the localhost forward and reverse zones, and for
> // broadcast zones as per RFC 1912
>
> zone "localhost" {
> type master;
> file "/etc/bind/db.local";
> };
>
> zone "127.in-addr.arpa" {
> type master;
> file "/etc/bind/db.127";
> };
>
> zone "0.in-addr.arpa" {
> type master;
> file "/etc/bind/db.0";
> };
>
> zone "255.in-addr.arpa" {
> type master;
> file "/etc/bind/db.255";
> };
>
> *named.conf.options:*
> options {
> directory "/var/cache/bind";
>
> forwarders {
> 192.168.111.79;
> };
>
> dnssec-validation no;
>
> auth-nxdomain no; # conform to RFC1035
> listen-on { any; };
> tkey-gssapi-keytab "/var/lib/samba/private/dns.keytab";
> };
>
> *named.conf.local:*
> //empty
>
> */var/lib/samba/private/named.conf:*
> dlz "AD DNS Zone" {
> # For BIND 9.9.x
> database "dlopen
> /usr/lib/x86_64-linux-gnu/samba/bind9/dlz_bind9_9.so";
> };
>
> I also checked the permissions on /etc/krb5.keytab and
> /var/lib/samba/private/dns.keytab. Both should be accessible by bind
> and samba.
>
> Greetings,
> Timo

Your files are the same as mine and mine works (mind you, I use dhcp running on the first DC). If something does go wrong, it shows errors in syslog.

I take it that the clients are set up to do their own updates.

The '953' number you are worrying about is the command channel listening on the ipv6 localhost address.

I am not entirely sure you can use the DNS server on an AD DC for more than one domain, it usually just updates the one forward zone.

I am still not happy with the workgroup with a dot in it.

Rowland