On 29/02/16 10:45, Reindl Harald wrote:
>
>
> Am 29.02.2016 um 11:28 schrieb Rowland penny:
>> On 29/02/16 09:42, Reindl Harald wrote:
>>>
>>>
>>> Am 29.02.2016 um 10:10 schrieb Rowland penny:
>>>> Everything you say is valid except for when it comes to AD dns.
>>>> When you want data from a zone, you start with the SOA record, you ask
>>>> 'who holds the records for this zone?', it replies with the nameserver
>>>> that holds the zone records. OK so far ?
>>>>
>>>> Only problem is that with AD, *every* DC that runs a dns server holds
>>>> the zone records. Now if you have only one NS record in the SOA (or if
>>>> only one NS record is returned, like the internal dns server does),
>>>> then only one DC will be asked for the zone records, if this DC is down,
>>>> you don't have a nameserver to ask!
>>>
>>> then it's a bug in the internal dns server to only return one NS record
>>
>> Totally agree
>>
>>>
>>>> Every windows DC that runs a dns server is authoritative for the dns
>>>> domain and has a SOA record. The only way I have found of doing this
>>>> with a Samba DC, is to use Bind9 and add the second DCs NS record
>>>> to the SOA, this SOA is stored in AD
>>>
>>> how would a SOA record look like with two NS records?
>>>
>>
>> There was a thread dealing with this in December, see here for what I
>> posted then:
>>
>> https://lists.samba.org/archive/samba/2015-December/196367.html
>
> i just want to see how a "dig SOA example.lan." would look like to
> contain two nameservers, that below from the thread is as always a SOA
> containing one origin
>
> example.lan
>         origin = testdc1.example.lan
>         mail addr = hostmaster.example.lan
>         serial = 3
>         refresh = 900
>         retry = 600
>         expire = 86400
>         minimum = 3600
>
>

OK, your wish is my command :-)

root@dc1:~# dig SOA samdom.example.com

; <<>> DiG 9.9.5-9+deb8u2-Debian <<>> SOA samdom.example.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 54539
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 3

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;samdom.example.com.            IN      SOA

;; ANSWER SECTION:
samdom.example.com.     3600    IN      SOA     dc2.samdom.example.com. hostmaster.samdom.example.com. 185 900 600 86400 3600

;; AUTHORITY SECTION:
samdom.example.com.     900     IN      NS      dc1.samdom.example.com.
samdom.example.com.     900     IN      NS      dc2.samdom.example.com.

;; ADDITIONAL SECTION:
dc1.samdom.example.com. 900     IN      A       192.168.0.5
dc2.samdom.example.com. 900     IN      A       192.168.0.6

;; Query time: 8 msec
;; SERVER: 192.168.0.6#53(192.168.0.6)
;; WHEN: Mon Feb 29 11:28:10 GMT 2016
;; MSG SIZE  rcvd: 162

Rowland
Am 29.02.2016 um 12:29 schrieb Rowland penny:
> On 29/02/16 10:45, Reindl Harald wrote:
>>
>>
>> Am 29.02.2016 um 11:28 schrieb Rowland penny:
>>> On 29/02/16 09:42, Reindl Harald wrote:
>>>>
>>>>
>>>> Am 29.02.2016 um 10:10 schrieb Rowland penny:
>>>>> Everything you say is valid except for when it comes to AD dns.
>>>>> When you want data from a zone, you start with the SOA record, you ask
>>>>> 'who holds the records for this zone?', it replies with the nameserver
>>>>> that holds the zone records. OK so far ?
>>>>>
>>>>> Only problem is that with AD, *every* DC that runs a dns server holds
>>>>> the zone records. Now if you have only one NS record in the SOA (or if
>>>>> only one NS record is returned, like the internal dns server does),
>>>>> then only one DC will be asked for the zone records, if this DC is down,
>>>>> you don't have a nameserver to ask!
>>>>
>>>> then it's a bug in the internal dns server to only return one NS record
>>>
>>> Totally agree
>>>
>>>>
>>>>> Every windows DC that runs a dns server is authoritative for the dns
>>>>> domain and has a SOA record. The only way I have found of doing this
>>>>> with a Samba DC, is to use Bind9 and add the second DCs NS record
>>>>> to the SOA, this SOA is stored in AD
>>>>
>>>> how would a SOA record look like with two NS records?
>>>>
>>>
>>> There was a thread dealing with this in December, see here for what I
>>> posted then:
>>>
>>> https://lists.samba.org/archive/samba/2015-December/196367.html
>>
>> i just want to see how a "dig SOA example.lan." would look like to
>> contain two nameservers, that below from the thread is as always a SOA
>> containing one origin
>>
>> example.lan
>>         origin = testdc1.example.lan
>>         mail addr = hostmaster.example.lan
>>         serial = 3
>>         refresh = 900
>>         retry = 600
>>         expire = 86400
>>         minimum = 3600
>
> OK, your wish is my command :-)

as i say all the time - the SOA record has only one nameserver

;; ANSWER SECTION:
samdom.example.com.     3600    IN      SOA     dc2.samdom.example.com. hostmaster.samdom.example.com. 185 900 600 86400 3600

that's the SOA and nothing else :-)

> ;; AUTHORITY SECTION:
> samdom.example.com.     900     IN      NS      dc1.samdom.example.com.
> samdom.example.com.     900     IN      NS      dc2.samdom.example.com.

these are NS records

> root@dc1:~# dig SOA samdom.example.com
>
> ; <<>> DiG 9.9.5-9+deb8u2-Debian <<>> SOA samdom.example.com
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 54539
> ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 3
>
> ;; OPT PSEUDOSECTION:
> ; EDNS: version: 0, flags:; udp: 4096
> ;; QUESTION SECTION:
> ;samdom.example.com.            IN      SOA
>
> ;; ANSWER SECTION:
> samdom.example.com.     3600    IN      SOA     dc2.samdom.example.com. hostmaster.samdom.example.com. 185 900 600 86400 3600
>
> ;; AUTHORITY SECTION:
> samdom.example.com.     900     IN      NS      dc1.samdom.example.com.
> samdom.example.com.     900     IN      NS      dc2.samdom.example.com.
>
> ;; ADDITIONAL SECTION:
> dc1.samdom.example.com. 900     IN      A       192.168.0.5
> dc2.samdom.example.com. 900     IN      A       192.168.0.6
>
> ;; Query time: 8 msec
> ;; SERVER: 192.168.0.6#53(192.168.0.6)
> ;; WHEN: Mon Feb 29 11:28:10 GMT 2016
> ;; MSG SIZE  rcvd: 162
On 29/02/16 11:51, Reindl Harald wrote:
>
>
> Am 29.02.2016 um 12:29 schrieb Rowland penny:
>> On 29/02/16 10:45, Reindl Harald wrote:
>>>
>>>
>>> Am 29.02.2016 um 11:28 schrieb Rowland penny:
>>>> On 29/02/16 09:42, Reindl Harald wrote:
>>>>>
>>>>>
>>>>> Am 29.02.2016 um 10:10 schrieb Rowland penny:
>>>>>> Everything you say is valid except for when it comes to AD dns.
>>>>>> When you want data from a zone, you start with the SOA record, you ask
>>>>>> 'who holds the records for this zone?', it replies with the nameserver
>>>>>> that holds the zone records. OK so far ?
>>>>>>
>>>>>> Only problem is that with AD, *every* DC that runs a dns server holds
>>>>>> the zone records. Now if you have only one NS record in the SOA (or if
>>>>>> only one NS record is returned, like the internal dns server does),
>>>>>> then only one DC will be asked for the zone records, if this DC is down,
>>>>>> you don't have a nameserver to ask!
>>>>>
>>>>> then it's a bug in the internal dns server to only return one NS record
>>>>
>>>> Totally agree
>>>>
>>>>>
>>>>>> Every windows DC that runs a dns server is authoritative for the dns
>>>>>> domain and has a SOA record. The only way I have found of doing this
>>>>>> with a Samba DC, is to use Bind9 and add the second DCs NS record
>>>>>> to the SOA, this SOA is stored in AD
>>>>>
>>>>> how would a SOA record look like with two NS records?
>>>>>
>>>>
>>>> There was a thread dealing with this in December, see here for what I
>>>> posted then:
>>>>
>>>> https://lists.samba.org/archive/samba/2015-December/196367.html
>>>
>>> i just want to see how a "dig SOA example.lan." would look like to
>>> contain two nameservers, that below from the thread is as always a SOA
>>> containing one origin
>>>
>>> example.lan
>>>         origin = testdc1.example.lan
>>>         mail addr = hostmaster.example.lan
>>>         serial = 3
>>>         refresh = 900
>>>         retry = 600
>>>         expire = 86400
>>>         minimum = 3600
>>
>> OK, your wish is my command :-)
>
> as i say all the time - the SOA record has only one nameserver
>
> ;; ANSWER SECTION:
> samdom.example.com.     3600    IN      SOA     dc2.samdom.example.com. hostmaster.samdom.example.com. 185 900 600 86400 3600
>
> that's the SOA and nothing else :-)
>
>> ;; AUTHORITY SECTION:
>> samdom.example.com.     900     IN      NS      dc1.samdom.example.com.
>> samdom.example.com.     900     IN      NS      dc2.samdom.example.com.
>
> these are NS records
>
>> root@dc1:~# dig SOA samdom.example.com
>>
>> ; <<>> DiG 9.9.5-9+deb8u2-Debian <<>> SOA samdom.example.com
>> ;; global options: +cmd
>> ;; Got answer:
>> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 54539
>> ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 3
>>
>> ;; OPT PSEUDOSECTION:
>> ; EDNS: version: 0, flags:; udp: 4096
>> ;; QUESTION SECTION:
>> ;samdom.example.com.            IN      SOA
>>
>> ;; ANSWER SECTION:
>> samdom.example.com.     3600    IN      SOA     dc2.samdom.example.com. hostmaster.samdom.example.com. 185 900 600 86400 3600
>>
>> ;; AUTHORITY SECTION:
>> samdom.example.com.     900     IN      NS      dc1.samdom.example.com.
>> samdom.example.com.     900     IN      NS      dc2.samdom.example.com.
>>
>> ;; ADDITIONAL SECTION:
>> dc1.samdom.example.com. 900     IN      A       192.168.0.5
>> dc2.samdom.example.com. 900     IN      A       192.168.0.6
>>
>> ;; Query time: 8 msec
>> ;; SERVER: 192.168.0.6#53(192.168.0.6)
>> ;; WHEN: Mon Feb 29 11:28:10 GMT 2016
>> ;; MSG SIZE  rcvd: 162
>
>

OK, same command run on the second DC:

root@dc2:~# dig SOA samdom.example.com

; <<>> DiG 9.9.5-9+deb8u2-Debian <<>> SOA samdom.example.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 24665
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 3

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;samdom.example.com.            IN      SOA

;; ANSWER SECTION:
samdom.example.com.     3600    IN      SOA     dc1.samdom.example.com. hostmaster.samdom.example.com. 185 900 600 86400 3600

;; AUTHORITY SECTION:
samdom.example.com.     900     IN      NS      dc2.samdom.example.com.
samdom.example.com.     900     IN      NS      dc1.samdom.example.com.

;; ADDITIONAL SECTION:
dc1.samdom.example.com. 900     IN      A       192.168.0.5
dc2.samdom.example.com. 900     IN      A       192.168.0.6

;; Query time: 2 msec
;; SERVER: 192.168.0.5#53(192.168.0.5)
;; WHEN: Mon Feb 29 12:01:23 GMT 2016
;; MSG SIZE  rcvd: 162

Rowland
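As an added check that is not part of this thread: the point the two dig transcripts make is that the SOA names exactly one primary (the MNAME), while it is the NS RRset in the authority section that tells a resolver which servers it may ask, so an AD zone is only as resilient as the number of NS records each DC hands out. The script below, written for this page and not taken from Samba or from either poster, parses dig-style output with the Python standard library and flags the single-NS situation Rowland describes. The two transcripts embedded in it are constructed to match the shape of the output above (same zone and addresses, one of them cut down to a single NS record); they are not captures from the list.

```python
"""Check the nameserver redundancy of a zone from dig-style output.

Reads the answer, authority and additional sections that `dig SOA <zone>`
prints, then reports whether more than one NS is advertised, whether each
NS host has an address record in the additional section, and whether the
SOA MNAME is itself one of the advertised nameservers.
"""
import re
import sys
from collections import defaultdict

# Constructed sample: both DCs advertised, as in the thread's transcripts.
SAMPLE_TWO_NS = """\
;; QUESTION SECTION:
;samdom.example.com.\t\tIN\tSOA

;; ANSWER SECTION:
samdom.example.com.\t3600\tIN\tSOA\tdc2.samdom.example.com. hostmaster.samdom.example.com. 185 900 600 86400 3600

;; AUTHORITY SECTION:
samdom.example.com.\t900\tIN\tNS\tdc1.samdom.example.com.
samdom.example.com.\t900\tIN\tNS\tdc2.samdom.example.com.

;; ADDITIONAL SECTION:
dc1.samdom.example.com.\t900\tIN\tA\t192.168.0.5
dc2.samdom.example.com.\t900\tIN\tA\t192.168.0.6
"""

# Constructed sample of the failure mode discussed above: a server that
# returns a single NS record, so a resolver has only one DC to fall back on.
SAMPLE_ONE_NS = """\
;; ANSWER SECTION:
samdom.example.com.\t3600\tIN\tSOA\tdc1.samdom.example.com. hostmaster.samdom.example.com. 185 900 600 86400 3600

;; AUTHORITY SECTION:
samdom.example.com.\t900\tIN\tNS\tdc1.samdom.example.com.

;; ADDITIONAL SECTION:
dc1.samdom.example.com.\t900\tIN\tA\t192.168.0.5
"""

# owner  TTL  IN  TYPE  rdata  (dig's default RR line layout)
RR_LINE = re.compile(r"^(\S+)\s+(\d+)\s+IN\s+(\S+)\s+(.*)$")


def parse_dig(text):
    """Return {rrtype: [(owner, rdata), ...]} for every RR line in the text.

    Lines starting with ';' (headers, question section, statistics) and blank
    lines are skipped, so the whole dig transcript can be passed in as-is.
    """
    records = defaultdict(list)
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        m = RR_LINE.match(line)
        if m:
            owner, _ttl, rrtype, rdata = m.groups()
            records[rrtype.upper()].append((owner.lower(), rdata.strip()))
    return records


def check_zone(text):
    """Evaluate NS redundancy; returns the MNAME, the NS hosts and findings."""
    records = parse_dig(text)
    soa = records.get("SOA", [])
    mname = soa[0][1].split()[0].lower() if soa else None
    ns_hosts = sorted({rdata.lower() for _, rdata in records.get("NS", [])})
    glue = {owner for owner, _ in records.get("A", []) + records.get("AAAA", [])}
    findings = []
    if len(ns_hosts) < 2:
        findings.append("only %d NS record advertised: if that server is down "
                        "there is no other nameserver to ask" % len(ns_hosts))
    for host in ns_hosts:
        if host not in glue:
            findings.append("no address record for %s in the additional section" % host)
    if mname and mname not in ns_hosts:
        findings.append("SOA MNAME %s is not one of the advertised NS hosts" % mname)
    return {"mname": mname, "ns": ns_hosts, "findings": findings}


if __name__ == "__main__":
    if not sys.stdin.isatty():
        # e.g. dig SOA samdom.example.com @192.168.0.5 | python3 this_script.py
        print(check_zone(sys.stdin.read()))
    else:
        for label, sample in (("two NS", SAMPLE_TWO_NS), ("one NS", SAMPLE_ONE_NS)):
            print(label, check_zone(sample))
```

Run it once per DC (dig with @<dc address>) rather than once per zone: each server answers only for itself, and the thread's whole point is that one DC may advertise both nameservers while another answers with a single NS.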