samba - Oct 2018 - AD RODC not being used because of missing DNS entries?

On Sat, 20 Oct 2018 17:04:20 +0200 (CEST)
tomict via samba <samba at lists.samba.org> wrote:
> 
> > OK, I have checked from Windows and my dns looks like this:
> > DC2-|
> >     |- Forward Lookup Zone
> >        |- samdom.example.com
> 
> You have much more dc2 entries, I only have 4 from my manual
> additions. Your dns setup is the same as the setup that I had last
> year when testing with a second non-RODC Domain Controller. 
> 
> BTW how did you make this tree view?
I have lots of time, so I typed it ;-)
> 
> There seem to be two problems with my RODC  DC2:
> 1) DNS records were not generated when joining the domain. This is
> perhaps caused by some kind of timeout problem. 
Not sure about this, but you could be correct.
>However samba only
> complains about 4 records 2) manual addition of the "_msdcs"
records
> resulted in a wrong path (see below)
> 
The 'wrong path' is because you gave it the wrong path ;-)

If you run 'samba-tool dns zonelist 127.0.0.1 -U Administrator' it will
show your DNS zones, one of which should start with '_msdcs'.

So, your commands:

samba-tool dns add DC1 ad.example.nl
_ldap._tcp.Default-First-Site-Name._sites.dc._msdcs.ad.example.nl SRV
'DC2.ad.example.nl 389 0 100'
samba-tool dns add DC1 ad.example.nl
_kerberos._tcp.Default-First-Site-Name._sites.dc._msdcs.ad.example.nl SRV
'DC2.ad.example.nl 88 0 100'

Should have been:

samba-tool dns add DC1 _msdcs.ad.example.nl
_ldap._tcp.Default-First-Site-Name._sites.dc._msdcs.ad.example.nl SRV
'DC2.ad.example.nl 389 0 100'
samba-tool dns add DC1 _msdcs.ad.example.nl
_kerberos._tcp.Default-First-Site-Name._sites.dc._msdcs.ad.example.nl SRV
'DC2.ad.example.nl 88 0 100'

Delete the wrong entries.

Rowland

>> BTW how did you make this tree view?
>I have lots of time, so I typed it ;-)

Thanks for your time! :-)

>> There seem to be two problems with my RODC  DC2:
>> 1) DNS records were not generated when joining the domain. This is
>> perhaps caused by some kind of timeout problem. 
>Not sure about this, but you could be correct.

I can live with that. I only needed to input 4 entries manually (although I made
that a challenge as well, see below)

>>2) manual addition of the "_msdcs" records
>> resulted in a wrong path (see below)
> The 'wrong path' is because you gave it the wrong path ;-)
Aaaagh! @#!%@%!

>If you run 'samba-tool dns zonelist 127.0.0.1 -U Administrator' it
will
>show your DNS zones, one of which should start with '_msdcs'.
>So, your commands:
<....>
>Should have been:
>samba-tool dns add DC1 _msdcs.ad.example.nl
_ldap._tcp.Default-First-Site-Name._sites.dc._msdcs.ad.example.nl SRV
'DC2.ad.example.nl 389 0 100'
>samba-tool dns add DC1 _msdcs.ad.example.nl
_kerberos._tcp.Default-First-Site-Name._sites.dc._msdcs.ad.example.nl SRV
'DC2.ad.example.nl 88 0 100'
>Delete the wrong entries.
>Rowland

Thanks for pointing that out. _msdcs is a zone! I did not realize that when I
got the entries from the file /var/lib/samba/dns_update_list. The records are in
place now.

I suppose the DNS entries in the other locations are not necessary for domain
control on my RODC? I will know next week if DC2 starts being used.

To make my RODC ready for duty should DC1 fail I added, using the windows DNS
manager:
1) a NS record pointing to my RODC (DC2) as name server in the AD. 
2) a A record in ad.example.nl with blank hostname ('same as parent
folder') pointing to the ip address of DC2
And I will preload user en computer accounts.

@Rowland: thank you very much for the help, much appreciated!

 
regards,

 Tom




-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba

Hi,

We have encountered these timeout issues with Samba 4.7 as an RODC too. 
We created a ticket about it here :

https://bugzilla.samba.org/show_bug.cgi?id=13502


One thing is that even after the timeouts got resolved, I still get a 
weird behaviour with two entries that keeps trying to update themselves 
when I run "samba_dnsupdate". The call succeeds, but the entries are 
actually NOT updated.

Here is what I'm seeing:
> # samba_dnsupdate --verbose
> IPs: ['192.168.57.3']
> Looking for DNS entry A sambarodc.mondomaine.lan 192.168.57.3 as
sambarodc.mondomaine.lan.
> Looking for DNS entry CNAME
7648bfe6-0ad3-4924-b055-d229546e0284._msdcs.mondomaine.lan
sambarodc.mondomaine.lan as
7648bfe6-0ad3-4924-b055-d229546e0284._msdcs.mondomaine.lan.
> Looking for DNS entry SRV _ldap._tcp.Secondary._sites.mondomaine.lan
sambarodc.mondomaine.lan 389 as _ldap._tcp.Secondary._sites.mondomaine.lan.
> Checking 0 100 389 sambarodc.mondomaine.lan. against SRV
_ldap._tcp.Secondary._sites.mondomaine.lan sambarodc.mondomaine.lan 389
> Looking for DNS entry SRV
_ldap._tcp.Secondary._sites.dc._msdcs.mondomaine.lan sambarodc.mondomaine.lan
389 as _ldap._tcp.Secondary._sites.dc._msdcs.mondomaine.lan.
> Checking 0 100 389 sambarodc.mondomaine.lan. against SRV
_ldap._tcp.Secondary._sites.dc._msdcs.mondomaine.lan sambarodc.mondomaine.lan
389
> Looking for DNS entry SRV _kerberos._tcp.Secondary._sites.mondomaine.lan
sambarodc.mondomaine.lan 88 as _kerberos._tcp.Secondary._sites.mondomaine.lan.
> Checking 0 100 88 sambarodc.mondomaine.lan. against SRV
_kerberos._tcp.Secondary._sites.mondomaine.lan sambarodc.mondomaine.lan 88
> Looking for DNS entry SRV
_kerberos._tcp.Secondary._sites.dc._msdcs.mondomaine.lan
sambarodc.mondomaine.lan 88 as
_kerberos._tcp.Secondary._sites.dc._msdcs.mondomaine.lan.
> Checking 0 100 88 sambarodc.mondomaine.lan. against SRV
_kerberos._tcp.Secondary._sites.dc._msdcs.mondomaine.lan
sambarodc.mondomaine.lan 88
> Looking for DNS entry SRV _gc._tcp.Secondary._sites.mondomaine.lan
sambarodc.mondomaine.lan 3268 as _gc._tcp.Secondary._sites.mondomaine.lan.
> The DNS entry SRV _gc._tcp.Secondary._sites.mondomaine.lan
sambarodc.mondomaine.lan 3268, queried as
_gc._tcp.Secondary._sites.mondomaine.lan. does not exist
> need update: SRV _gc._tcp.Secondary._sites.mondomaine.lan
sambarodc.mondomaine.lan 3268
> Looking for DNS entry SRV
_ldap._tcp.Secondary._sites.gc._msdcs.mondomaine.lan sambarodc.mondomaine.lan
3268 as _ldap._tcp.Secondary._sites.gc._msdcs.mondomaine.lan.
> The DNS entry SRV _ldap._tcp.Secondary._sites.gc._msdcs.mondomaine.lan
sambarodc.mondomaine.lan 3268, queried as
_ldap._tcp.Secondary._sites.gc._msdcs.mondomaine.lan. does not exist
> need update: SRV _ldap._tcp.Secondary._sites.gc._msdcs.mondomaine.lan
sambarodc.mondomaine.lan 3268
> 2 DNS updates and 0 DNS deletes needed
> Successfully obtained Kerberos ticket to DNS/sambarwdc.mondomaine.lan as
SAMBARODC$
> update (rodc): SRV _gc._tcp.Secondary._sites.mondomaine.lan
sambarodc.mondomaine.lan 3268
> update (rodc): SRV _ldap._tcp.Secondary._sites.gc._msdcs.mondomaine.lan
sambarodc.mondomaine.lan 3268
>
> # host -t SRV _gc._tcp.Secondary._sites.mondomaine.lan
> Host _gc._tcp.Secondary._sites.mondomaine.lan not found: 3(NXDOMAIN)
>
> # host -t SRV _gc._tcp.Secondary._sites.mondomaine.lan
> Host _gc._tcp.Secondary._sites.mondomaine.lan not found: 3(NXDOMAIN)

Is it something you can see on your environment too?


Note that on my environment, the failed updates got resolved by 
themselves, as if the timeout was hiding the fact that the update 
finally succeeded. Now on other systems, updates had to be done manually 
as you did... We're still trying to understand what's different between 
the two.





Le 20/10/2018 à 21:59, tomict via samba a écrit :
>>> BTW how did you make this tree view?
>> I have lots of time, so I typed it ;-)
>
> Thanks for your time! :-)
>
>
>>> There seem to be two problems with my RODC  DC2:
>>> 1) DNS records were not generated when joining the domain. This is
>>> perhaps caused by some kind of timeout problem.
>> Not sure about this, but you could be correct.
>
> I can live with that. I only needed to input 4 entries manually (although I
made that a challenge as well, see below)
>
>
>>> 2) manual addition of the "_msdcs" records
>>> resulted in a wrong path (see below)
>> The 'wrong path' is because you gave it the wrong path ;-)
> Aaaagh! @#!%@%!
>
>
>> If you run 'samba-tool dns zonelist 127.0.0.1 -U Administrator'
it will
>> show your DNS zones, one of which should start with '_msdcs'.
>> So, your commands:
> <....>
>> Should have been:
>> samba-tool dns add DC1 _msdcs.ad.example.nl
_ldap._tcp.Default-First-Site-Name._sites.dc._msdcs.ad.example.nl SRV
'DC2.ad.example.nl 389 0 100'
>> samba-tool dns add DC1 _msdcs.ad.example.nl
_kerberos._tcp.Default-First-Site-Name._sites.dc._msdcs.ad.example.nl SRV
'DC2.ad.example.nl 88 0 100'
>> Delete the wrong entries.
>> Rowland
>
> Thanks for pointing that out. _msdcs is a zone! I did not realize that when
I got the entries from the file /var/lib/samba/dns_update_list. The records are
in place now.
>
> I suppose the DNS entries in the other locations are not necessary for
domain control on my RODC? I will know next week if DC2 starts being used.
>
> To make my RODC ready for duty should DC1 fail I added, using the windows
DNS manager:
> 1) a NS record pointing to my RODC (DC2) as name server in the AD.
> 2) a A record in ad.example.nl with blank hostname ('same as parent
folder') pointing to the ip address of DC2
> And I will preload user en computer accounts.
>
> @Rowland: thank you very much for the help, much appreciated!
>
>   
> regards,
>
>   Tom
>
>
>
>
--
Message envoyé grâce à OBM, la Communication Libre par Linagora