samba - Dec 2016 - Dynamic DNS and bind_dlz

I'm trying to troubleshoot why our workstations have stopped dynamically
registering their ip addresses in our AD using bind_dlz setup. It worked
for a couple of months and now does not. I realized I have a basic question
about how it is supposed to work.

Do the workstations (after getting a dynamic address from the dhcpd server)
contact the AD DC directly with the information? Or does dhcpd register the
address with bind and then bind notifies the DC?

If it is dhcpd -> bind -> DC, then can someone show a sample dhcpd.conf
file?

This is samba 4.4.5 and bind 9.9.

Thanks,

On Mon, 19 Dec 2016 12:25:29 -0800
Mark Nienberg via samba <samba at lists.samba.org> wrote:
> I'm trying to troubleshoot why our workstations have stopped
> dynamically registering their ip addresses in our AD using bind_dlz
> setup. It worked for a couple of months and now does not. I realized
> I have a basic question about how it is supposed to work.
> 
> Do the workstations (after getting a dynamic address from the dhcpd
> server) contact the AD DC directly with the information? Or does
> dhcpd register the address with bind and then bind notifies the DC?
> 
> If it is dhcpd -> bind -> DC, then can someone show a sample
> dhcpd.conf file?
> 
> This is samba 4.4.5 and bind 9.9.
> 
> Thanks,
It could be either ;-)

Unless you have set up dhcp to do it for you and Samba AD, bind and dhcp
are running on the same DC, it will be your clients that try to update
their own records. Try looking in the logs.

Hi Mark,

Am 19.12.2016 um 21:25 schrieb Mark Nienberg via samba:
> I'm trying to troubleshoot why our workstations have stopped
dynamically
> registering their ip addresses in our AD using bind_dlz setup. It worked
> for a couple of months and now does not. I realized I have a basic question
> about how it is supposed to work.
> 
> Do the workstations (after getting a dynamic address from the dhcpd server)
> contact the AD DC directly with the information? Or does dhcpd register the
> address with bind and then bind notifies the DC?
> 
> If it is dhcpd -> bind -> DC, then can someone show a sample
dhcpd.conf
> file?
The Windows default is that the client tries to register itself in the
AD DNS zone. If you haven't disabled the setting on your Windows domain
members, it should work. To verify, see:
https://wiki.samba.org/index.php/Testing_Dynamic_DNS_Updates

Let me know if you have a different problem that is not described in our
troubleshooting section and that is not solvable by:
https://wiki.samba.org/index.php/BIND9_DLZ_DNS_Back_End#Reconfiguring_the_BIND9_DLZ_Back_End

Apart from that, you can configure dhcpd to register the client in the
AD DNS zone - but this is not part of Samba and thus not part of our
documentation.

Regards,
Marc

On Mon, 19 Dec 2016 22:21:56 +0100
Marc Muehlfeld via samba <samba at lists.samba.org> wrote:
> Hi Mark,
> 
> Am 19.12.2016 um 21:25 schrieb Mark Nienberg via samba:
> > I'm trying to troubleshoot why our workstations have stopped
> > dynamically registering their ip addresses in our AD using bind_dlz
> > setup. It worked for a couple of months and now does not. I
> > realized I have a basic question about how it is supposed to work.
> > 
> > Do the workstations (after getting a dynamic address from the dhcpd
> > server) contact the AD DC directly with the information? Or does
> > dhcpd register the address with bind and then bind notifies the DC?
> > 
> > If it is dhcpd -> bind -> DC, then can someone show a sample
> > dhcpd.conf file?
> 
> The Windows default is that the client tries to register itself in the
> AD DNS zone. If you haven't disabled the setting on your Windows
> domain members, it should work. To verify, see:
> https://wiki.samba.org/index.php/Testing_Dynamic_DNS_Updates
> 
> Let me know if you have a different problem that is not described in
> our troubleshooting section and that is not solvable by:
>
https://wiki.samba.org/index.php/BIND9_DLZ_DNS_Back_End#Reconfiguring_the_BIND9_DLZ_Back_End
> 
> Apart from that, you can configure dhcpd to register the client in the
> AD DNS zone - but this is not part of Samba and thus not part of our
> documentation.
You might want to reconsider that statement ;-)

Rowland

On Mon, Dec 19, 2016 at 1:21 PM, Marc Muehlfeld <mmuehlfeld at samba.org>
wrote:
> The Windows default is that the client tries to register itself in the
> AD DNS zone. If you haven't disabled the setting on your Windows domain
> members, it should work. To verify, see:
> https://wiki.samba.org/index.php/Testing_Dynamic_DNS_Updates
>
>
Oh, it doesn't work like either of my ideas! I think I get it now. The
dhcpd service is not involved at all. It does not have to be configured for
ddns. Rather, the windows workstation notifies the samba server, which in
turn runs nsupdate to push the update through bind to the samba ldb files.


> Let me know if you have a different problem that is not described in our
> troubleshooting section and that is not solvable by:
> https://wiki.samba.org/index.php/BIND9_DLZ_DNS_Back_End#
> Reconfiguring_the_BIND9_DLZ_Back_End
>
My tests showed the NOTAUTH problem. My configuration was all fine, so I
finally ran "samba_dnsupdate" again as suggested in the wiki, and that
fixed it.

If I understand correctly, I should also be able to get reverse records to
update dynamically if I set up a GPO for it. I'll have a look at that next.

Thanks very much for your help,