Hello Rowland, thanks for your help.

My replies lines below:

> Do the DCs point at each other for dns ?
>
> i.e. is /etc/resolv.conf on the first DC something like this:
>
> search your.domian.com
> nameserver ip.of.second.dc
> nameserver ip.of.this.dc
>
> and on the second DC:
>
> search your.domian.com
> nameserver ip.of.first.dc
> nameserver ip.of.this.dc
>

Yes, they both point to each other just as you suggested.

> I would also ensure that ntp is running on both DCs, using the same external
> ntp servers and then your workstations would use your DCs for their time
> servers.
>

I've just configured NTP on both servers, they now have only 1 second of difference.

> One last comment, you haven't got a primary DC and a backup DC, you just
> have two DCs. The only difference between your two DCs is the FSMO roles and
> these can be moved from DC to DC.
>

What type of DCs are these two servers? Some kind of two Primary or Master DC each one? Shouldn't I have a PDC and a BDC? (I thought this the recommended setup for DCs). Please let me know if I'm doing anything wrong here.

I'm going to check if samba_dnsupdate error messages disappear in the following minutes/hours after synchronizing both servers using NTP, but I don't know what caused this error. Was it really caused by time differences between servers? or is there anything else that might need to be fixed?

Thanks again
On 23/02/16 13:15, Jason Voorhees wrote:
> Hello Rowland, thanks for your help.
>
> My replies lines below:
>
>
>> Do the DCs point at each other for dns ?
>>
>> i.e. is /etc/resolv.conf on the first DC something like this:
>>
>> search your.domian.com
>> nameserver ip.of.second.dc
>> nameserver ip.of.this.dc
>>
>> and on the second DC:
>>
>> search your.domian.com
>> nameserver ip.of.first.dc
>> nameserver ip.of.this.dc
>>
> Yes, they both point to each other just as you suggested.
>
>> I would also ensure that ntp is running on both DCs, using the same external
>> ntp servers and then your workstations would use your DCs for their time
>> servers.
>>
> I've just configured NTP on both servers, they now have only 1 second
> of difference.
>
>> One last comment, you haven't got a primary DC and a backup DC, you just
>> have two DCs. The only difference between your two DCs is the FSMO roles and
>> these can be moved from DC to DC.
>>
> What type of DCs are these two servers? Some kind of two Primary or
> Master DC each one? Shouldn't I have a PDC and a BDC? (I thought this
> the recommended setup for DCs). Please let me know if I'm doing
> anything wrong here.

You can call them what you want, but all Samba AD DCs are the same, they both hold the same replicating database, the only difference is what FSMO roles each DC holds and you can move these roles. The terms 'PDC' & 'BDC' are used with an NT4-style domain, where they mean something. Whilst there is a 'PDC emulator' FSMO role (see here for info: https://support.microsoft.com/en-us/kb/197132), there isn't a 'BDC emulator' FSMO role.

>
> I'm going to check if samba_dnsupdate error messages disappear in the
> following minutes/hours after synchronizing both servers using NTP,
> but I don't know what caused this error. Was it really caused by time
> differences between servers? or is there anything else that might need
> to be fixed?

It could be the time difference, but if it seems not then have a look here:

https://wiki.samba.org/index.php/Samba_AD_DC_Troubleshooting

Rowland

>
> Thanks again
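
The resolver layout and clock check discussed in this thread, as an added example that is not part of any poster's message. The function names, the 192.0.2.x addresses and the samdom.example.com domain are constructed for illustration; treating a third resolver as an error is this example's own assumption, and 300 seconds is the default Kerberos clock-skew tolerance.

```shell
#!/bin/sh
# Added example; function names, addresses and domain are constructed.

# Print the nameserver addresses of a resolv.conf-style file, in order.
nameservers() {
    awk '$1 == "nameserver" { print $2 }' "$1"
}

# check_dc_resolv FILE THIS_IP PEER_IP
# Echoes "ok" when the peer DC is listed first and this DC second (the
# layout suggested in the thread), otherwise a short reason; returns 0 on ok.
check_dc_resolv() {
    cdr_list=$(nameservers "$1")
    # Assumption of this example: a resolver that is neither DC is an error.
    for cdr_ns in $cdr_list; do
        case $cdr_ns in
            "$2"|"$3") ;;
            *) echo "foreign-resolver:$cdr_ns"; return 1 ;;
        esac
    done
    cdr_first=$(printf '%s\n' "$cdr_list" | sed -n 1p)
    cdr_second=$(printf '%s\n' "$cdr_list" | sed -n 2p)
    [ "$cdr_first" = "$3" ] || { echo "peer-not-first"; return 1; }
    [ "$cdr_second" = "$2" ] || { echo "self-not-second"; return 1; }
    echo ok
}

# skew_ok EPOCH_A EPOCH_B [MAX_SECONDS]
# Returns 0 when the two clocks differ by at most MAX_SECONDS
# (default 300, the default Kerberos clock-skew tolerance).
skew_ok() {
    so_diff=$(( $1 - $2 ))
    if [ "$so_diff" -lt 0 ]; then so_diff=$(( 0 - so_diff )); fi
    [ "$so_diff" -le "${3:-300}" ]
}

# Constructed sample files for the first DC (this DC 192.0.2.10, peer 192.0.2.11).
sample_dir=$(mktemp -d)
printf 'search samdom.example.com\nnameserver 192.0.2.11\nnameserver 192.0.2.10\n' \
    > "$sample_dir/good"
printf 'search samdom.example.com\nnameserver 192.0.2.10\nnameserver 198.51.100.53\n' \
    > "$sample_dir/bad"

check_dc_resolv "$sample_dir/good" 192.0.2.10 192.0.2.11
check_dc_resolv "$sample_dir/bad" 192.0.2.10 192.0.2.11 || true
# Compare this DC's clock with a peer reading (constructed: 2 seconds behind).
now=$(date +%s)
skew_ok "$now" "$(( now - 2 ))" && echo "clock skew within tolerance"
```

On a real DC the two epoch values would come from `date +%s` run on each server at the same moment.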
I'm suggesting, Since the following: NOTAUTH :
is a failure on dns updates is
OR incorrect manual changes in bind and/or incorrect rights.

And check the needed rights on what the dns needs.
I don't know if you're using bind or internal dns.
For bind : look here
https://wiki.samba.org/index.php/Configure_BIND_as_backend_for_Samba_AD

And for the NTP Server config.
Don't use a pool, use a stratum 1 server in your country.
The, for example, debian.ntp-pool.. etc gave me errors in time syncing.
Go here for a stable ntp server in your country.
http://support.ntp.org/bin/view/Servers/StratumOneTimeServers
set all your dc's to this ntp server. ( or use a "proxy" ntp server ) to sync your DC's

and optional, it can be faulty keytab files.
You can recreate them if needed.
Found here : https://wiki.samba.org/index.php/Keytab_Extraction


Greetz,

Louis

> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Rowland penny
> Sent: Tuesday 23 February 2016 14:32
> To: samba at lists.samba.org
> Subject: Re: [Samba] samba_dnsupdate NOTAUTH
Thank you all guys for your help. I've been busy these days.

Today I experienced some issues on users management on my Zentyal DC, then I noticed that samba process was using a lot of memory and paging space was near 50% usage or even more. I had to kill the process and start it again, which in fact fixed my user management issue, but I also noticed that after that time I didn't get any more "NOTAUTH" errors about samba_dnsupdate on my CentOS 7 PDC.

It's curious but maybe Zentyal DC running Samba was having some kind of issue before that caused the other CentOS 7 DC to fail the DNS replication. Now I can run "samba_dnsupdate --verbose --all-names" without issues.

Thank you Rowland, after reading a bit about FSMO roles now I understand that PDC & BDC terms are deprecated.

Have a nice day!

On Tue, Feb 23, 2016 at 9:20 AM, L.P.H. van Belle <belle at bazuin.nl> wrote: