tomict
2018-Oct-20 10:36 UTC
[Samba] AD RODC not being used because of missing DNS entries?
> > Obviously there is something wrong with the dns updates on DC2. Any
> > ideas?
> >
> > Tom
>
> The problem is (as far as I understand it), you cannot write to an
> RODC, it forwards write actions to a writeable DC, which then replicates
> them back.
> From the above, it is timing out, is there a firewall or similar in the
> way ? Can you ping a DC from the RODC ?
>
> Rowland

SELinux and Firewall were paused already, ping is ok. The read only constraint seems a likely candidate. Therefore, I updated the DNS on DC1 manually. However, some dns entries seem misplaced.

First set of commands gave problems:

  samba-tool dns add DC1 ad.example.nl _ldap._tcp.Default-First-Site-Name._sites.dc._msdcs.ad.example.nl SRV 'DC2.ad.example.nl 389 0 100'
  samba-tool dns add DC1 ad.example.nl _kerberos._tcp.Default-First-Site-Name._sites.dc._msdcs.ad.example.nl SRV 'DC2.ad.example.nl 88 0 100'

These commands were successful, records were added to the dns of DC1, and replicated to DC2. This can be checked in the DNS manager tool in Windows.

However, there are problems:
- samba_dnsupdate on DC2 still complains about failing updates for these two, the "dc._msdcs." records. It apparently 'misses' them although it can not fix them because of the read only constraint.
- Queries for these records return only one value.

  # host -t SRV _ldap._tcp.Default-First-Site-Name._sites.dc._msdcs.ad.example.nl
  _ldap._tcp.Default-First-Site-Name._sites.dc._msdcs.ad.example.nl has SRV record 0 100 88 DC1.ad.example.nl.

I am confused about where in the DNS 'tree' in the windows dns manager these entries should be found. They seem to show up in the wrong place.

There are two paths in the Windows DNS manager tree that look alike:

  DNS > DC1 > Forward Lookup Zones > _msdcs.ad.example.nl > dc > _sites > Default-First-Site-Name > _tcp
  DNS > DC1 > Forward Lookup Zones > ad.example.nl > _msdcs > dc > _sites > Default-First-Site-Name > _tcp

The first path is where the DC1 entries are, and where I would expect my new DC2 entries.
The second path is where my DC2 entries show up.

Is this correct/a bug?

Second set of commands (without problems):

  samba-tool dns add DC1 ad.example.nl _ldap._tcp.Default-First-Site-Name._sites.ad.example.nl SRV 'DC2.ad.example.nl 389 0 100'
  samba-tool dns add DC1 ad.example.nl _kerberos._tcp.Default-First-Site-Name._sites.ad.example.nl SRV 'DC2.ad.example.nl 88 0 100'

These commands were also successful, records were added to the dns of DC1, replicated to DC2, and present in the Windows DNS manager. The DC2 entries show up alongside the DC1 entries in the Windows DNS manager. SRV record queries for (_ldap/_kerberos)._tcp.Default-First-Site-Name._sites.ad.example.nl return values for both domain servers, on both DCs:

  # host -t SRV _ldap._tcp.Default-First-Site-Name._sites.ad.example.nl
  _ldap._tcp.Default-First-Site-Name._sites.ad.example.nl has SRV record 0 100 389 DC1.ad.example.nl.
  _ldap._tcp.Default-First-Site-Name._sites.ad.example.nl has SRV record 0 100 389 DC2.ad.example.nl.

Tom
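Added example, not from the thread or from Samba: a small Python model of the two observations in the post above, i.e. where a `samba-tool dns add <server> <zone> <name> SRV ...` record ends up versus which zone a DNS server answers from, plus a parser for `host -t SRV` output that lists the DCs missing from each record. It assumes DC1 hosts both ad.example.nl and a separate _msdcs.ad.example.nl zone, and that samba-tool stores the record in the zone named on the command line; the zone list and the host output are constructed.

```python
# Assumption: DC1 serves the domain zone and a separate _msdcs child zone,
# which is what a default Samba AD provision creates.
HOSTED_ZONES = ["ad.example.nl", "_msdcs.ad.example.nl"]

# Constructed 'host -t SRV' output mirroring the thread's observations.
HOST_OUTPUT = """\
_ldap._tcp.Default-First-Site-Name._sites.dc._msdcs.ad.example.nl has SRV record 0 100 389 DC1.ad.example.nl.
_ldap._tcp.Default-First-Site-Name._sites.ad.example.nl has SRV record 0 100 389 DC1.ad.example.nl.
_ldap._tcp.Default-First-Site-Name._sites.ad.example.nl has SRV record 0 100 389 DC2.ad.example.nl.
"""


def authoritative_zone(fqdn, zones):
    """Hosted zone with the longest suffix match.  A DNS server answers from
    its most specific zone, so a record stored in the parent zone stays
    invisible when a child zone (here _msdcs) exists for the same name."""
    name = fqdn.rstrip(".").lower()
    zs = [z.rstrip(".").lower() for z in zones]
    matches = [z for z in zs if name == z or name.endswith("." + z)]
    return max(matches, key=len) if matches else None


def check_dns_add(zone_arg, name_arg, zones):
    """Assumption: samba-tool stores the record in <zone_arg> whether <name_arg>
    is relative or a full FQDN.  Flag a record queries will never reach."""
    zone = zone_arg.rstrip(".").lower()
    name = name_arg.rstrip(".").lower()
    fqdn = name if name.endswith("." + zone) else f"{name}.{zone}"
    answered = authoritative_zone(fqdn, zones)
    return {"fqdn": fqdn, "stored_in": zone, "answered_from": answered,
            "visible": answered == zone}


def srv_targets(host_output):
    """Parse 'host -t SRV' lines into {queried name: {target hosts}}."""
    seen = {}
    for line in host_output.splitlines():
        p = line.split()
        if len(p) == 8 and p[1:4] == ["has", "SRV", "record"]:
            seen.setdefault(p[0].rstrip("."), set()).add(p[7].rstrip(".").lower())
    return seen


def missing_dcs(host_output, expected_dcs):
    """For each SRV name, list the expected DCs that did not come back."""
    want = {d.rstrip(".").lower() for d in expected_dcs}
    return {n: sorted(want - got) for n, got in srv_targets(host_output).items()}


if __name__ == "__main__":
    print(check_dns_add("ad.example.nl", "_ldap._tcp.Default-First-Site-Name._sites.dc._msdcs.ad.example.nl", HOSTED_ZONES))
    print(missing_dcs(HOST_OUTPUT, ["DC1.ad.example.nl", "DC2.ad.example.nl"]))
```

Running it reports the dc._msdcs record as stored in ad.example.nl but answered from _msdcs.ad.example.nl, and lists dc2.ad.example.nl as missing from that SRV name only.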
Rowland Penny
2018-Oct-20 11:21 UTC
[Samba] AD RODC not being used because of missing DNS entries?
On Sat, 20 Oct 2018 12:36:46 +0200 (CEST) tomict via samba <samba at lists.samba.org> wrote:

> > > Obviously there is something wrong with the dns updates on DC2. Any
> > > ideas?
> > >
> > > Tom
> >
> > The problem is (as far as I understand it), you cannot write to an
> > RODC, it forwards write actions to a writeable DC, which then
> > replicates them back.
> > From the above, it is timing out, is there a firewall or similar in
> > the way ? Can you ping a DC from the RODC ?
> >
> > Rowland
>
> SELinux and Firewall were paused already, ping is ok. The read only
> constraint seems a likely candidate. Therefore, I updated the DNS on
> DC1 manually. However, some dns entries seem misplaced.
>
> First set of commands gave problems:
>
>   samba-tool dns add DC1 ad.example.nl _ldap._tcp.Default-First-Site-Name._sites.dc._msdcs.ad.example.nl SRV 'DC2.ad.example.nl 389 0 100'
>   samba-tool dns add DC1 ad.example.nl _kerberos._tcp.Default-First-Site-Name._sites.dc._msdcs.ad.example.nl SRV 'DC2.ad.example.nl 88 0 100'
>
> These commands were successful, records were added to the dns of DC1,
> and replicated to DC2. This can be checked in the DNS manager tool in
> Windows.
>
> However, there are problems:
> - samba_dnsupdate on DC2 still complains about failing updates for
>   these two, the "dc._msdcs." records. It apparently 'misses' them
>   although it can not fix them because of the read only constraint.
> - Queries for these records return only one value.
>
>   # host -t SRV _ldap._tcp.Default-First-Site-Name._sites.dc._msdcs.ad.example.nl
>   _ldap._tcp.Default-First-Site-Name._sites.dc._msdcs.ad.example.nl has SRV record 0 100 88 DC1.ad.example.nl.
>
> I am confused about where in the DNS 'tree' in the windows dns manager
> these entries should be found. They seem to show up in the wrong
> place.
>
> There are two paths in the Windows DNS manager tree that look alike:
>
>   DNS > DC1 > Forward Lookup Zones > _msdcs.ad.example.nl > dc > _sites > Default-First-Site-Name > _tcp
>   DNS > DC1 > Forward Lookup Zones > ad.example.nl > _msdcs > dc > _sites > Default-First-Site-Name > _tcp
>
> The first path is where the DC1 entries are, and where I would expect
> my new DC2 entries. The second path is where my DC2 entries show up.
>
> Is this correct/a bug?
>
> Second set of commands (without problems):
>
>   samba-tool dns add DC1 ad.example.nl _ldap._tcp.Default-First-Site-Name._sites.ad.example.nl SRV 'DC2.ad.example.nl 389 0 100'
>   samba-tool dns add DC1 ad.example.nl _kerberos._tcp.Default-First-Site-Name._sites.ad.example.nl SRV 'DC2.ad.example.nl 88 0 100'
>
> These commands were also successful, records were added to the dns
> of DC1, replicated to DC2, and present in the Windows DNS manager.
> The DC2 entries show up alongside the DC1 entries in the Windows DNS
> manager. SRV record queries for
> (_ldap/_kerberos)._tcp.Default-First-Site-Name._sites.ad.example.nl
> return values for both domain servers, on both DCs:
>
>   # host -t SRV _ldap._tcp.Default-First-Site-Name._sites.ad.example.nl
>   _ldap._tcp.Default-First-Site-Name._sites.ad.example.nl has SRV record 0 100 389 DC1.ad.example.nl.
>   _ldap._tcp.Default-First-Site-Name._sites.ad.example.nl has SRV record 0 100 389 DC2.ad.example.nl.
>
> Tom

Just one thought, where does the nameserver on DC2 point ?
Is it to DC1 ?
or itself, DC2 ?
If it is pointing to itself, try pointing it at DC1

Rowland
tomict
2018-Oct-20 11:58 UTC
[Samba] AD RODC not being used because of missing DNS entries?
> Just one thought, where does the nameserver on DC2 point ?
> Is it to DC1 ?
> or itself, DC2 ?
> If it is pointing to itself, try pointing it at DC1
>
> Rowland

The Nameserver on DC2 points to the ip address of DC1

Tom
Rowland Penny
2018-Oct-20 13:53 UTC
[Samba] AD RODC not being used because of missing DNS entries?
On Sat, 20 Oct 2018 13:58:15 +0200 (CEST) tomict via samba <samba at lists.samba.org> wrote:

> > Just one thought, where does the nameserver on DC2 point ?
> > Is it to DC1 ?
> > or itself, DC2 ?
> > If it is pointing to itself, try pointing it at DC1
> >
> > Rowland
>
> The Nameserver on DC2 points to the ip address of DC1
>
> Tom

OK, I have checked from Windows and my dns looks like this:

  DC2
  |- Forward Lookup Zone
     |- samdom.example.com
     |  |- _sites
     |  |  |- Default-First-Site-Name
     |  |     |- _tcp
     |  |        |- _gc - dc1
     |  |        |- _gc - dc2
     |  |        |- _ldap - dc1
     |  |        |- _ldap - dc2
     |  |        |- _kerberos - dc1
     |  |        |- _kerberos - dc2
     |  |
     |  |- _tcp
     |  |  |- _gc - dc1
     |  |  |- _gc - dc2
     |  |  |- _kerberos - dc1
     |  |  |- _kerberos - dc2
     |  |  |- _kpasswd - dc1
     |  |  |- _kpasswd - dc2
     |  |  |- _ldap - dc1
     |  |  |- _ldap - dc2
     |  |  |- _ldaps - dc1
     |  |
     |  |- _udp
     |  |  |- _kerberos - dc1
     |  |  |- _kerberos - dc2
     |  |  |- _kpasswd - dc1
     |  |  |- _kpasswd - dc2
     |  |
     |  |- DomainDnsZones
     |  |  |- _sites
     |  |  |  |- Default-First-Site-Name
     |  |  |     |- _tcp
     |  |  |        |- _ldap - dc1
     |  |  |        |- _ldap - dc2
     |  |  |- _tcp
     |  |     |- _ldap - dc1
     |  |     |- _ldap - dc2
     |  |
     |  |- ForestDnsZones
     |     |- _sites
     |     |  |- Default-First-Site-Name
     |     |     |- _tcp
     |     |        |- _ldap - dc1
     |     |        |- _ldap - dc2
     |     |- _tcp
     |        |- _ldap - dc1
     |        |- _ldap - dc2
     |
     |- _msdcs.samdom.example.com
        |- dc
        |  |- _sites
        |  |  |- Default-First-Site-Name
        |  |     |- _tcp
        |  |        |- _kerberos - dc1
        |  |        |- _kerberos - dc2
        |  |        |- _ldap - dc1
        |  |        |- _ldap - dc2
        |  |- _tcp
        |     |- _ldap dc1
        |     |- _ldap dc2
        |     |- _ldap dc1
        |     |- _ldap dc2
        |
        |- domains
        |  |- 39158xxx-xxxx-xxxx-xxx-xxxxxxxxxxx
        |     |- _tcp
        |        |- _ldap - dc1
        |        |- _ldap - dc2
        |
        |- gc
        |  |- _sites
        |  |  |- Default-First-Site-Name
        |  |     |- _tcp
        |  |        |- _ldap - dc1
        |  |        |- _ldap - dc2
        |  |- _tcp
        |     |- _ldap - dc1
        |     |- _ldap - dc2
        |
        |- pdc
           |- _tcp
              |- _ldap - dc1
              |- _ldap - dc2

Rowland