On 13/02/2020 16:28, Paul Littlefield wrote:
> On 13/02/2020 15:17, Rowland penny via samba wrote:
>> The various ways have already been mentioned, but are all your DCs
>> listed as nameservers (NS) in the SOA's for the forward and reverse
>> zones ?
>
> I think so...
>
> root at dc3.mydomain.com ~ $ (screen) samba-tool dns query dc3 mydomain.com @ ALL
>   Name=, Records=5, Children=0
>     SOA: serial=620, refresh=900, retry=600, expire=86400, minttl=0, ns=dc3.mydomain.com., email=hostmaster.mydomain.com. (flags=600000f0, serial=620, ttl=3600)
>     NS: dc3.mydomain.com. (flags=600000f0, serial=110, ttl=900)
>     NS: dc4.mydomain.com. (flags=600000f0, serial=110, ttl=900)
>     A: 192.168.0.218 (flags=600000f0, serial=110, ttl=900)
>     A: 192.168.0.219 (flags=600000f0, serial=110, ttl=900)
>
> root at dc3.mydomain.com ~ $ (screen) samba-tool dns query dc3 0.168.192.in-addr.arpa @ ALL
>   Name=, Records=3, Children=0
>     SOA: serial=73, refresh=900, retry=600, expire=86400, minttl=3600, ns=dc3.mydomain.com., email=hostmaster.mydomain.com. (flags=600000f0, serial=73, ttl=3600)
>     NS: dc3.mydomain.com. (flags=600000f0, serial=56, ttl=900)
>     NS: dc4.mydomain.com. (flags=600000f0, serial=58, ttl=900)
>
> ...do those look fine?
>
> Paully

I am not a dns expert, but shouldn't the reverse zone SOA have A records like the forward zone ?

Rowland
Paul Littlefield
2020-Feb-13 17:28 UTC
[Samba] Failover DC did not work when Main DC failed
On 13/02/2020 17:08, Rowland penny via samba wrote:
> I am not a dns expert, but shouldn't the reverse zone SOA have A records like the forward zone ?

Hello Rowland,

That's a good question, although as it's a reverse zone then I'm thinking they just have PTR records, which they do...

  Name=218, Records=1, Children=0
    PTR: DC3 (flags=f0, serial=54, ttl=900)
  Name=219, Records=1, Children=0
    PTR: DC4 (flags=f0, serial=55, ttl=900)

...but if there's anyone in this mailing list who can verify and compare with what they have, then that would be marvellous!

Paully
My reverse zones have PTR records. Though I don't have NS records for all of my DCs. I guess that needs to be manually created.

Also, you don't have any CNAMEs or domain overrides pointing to a single DC? Perhaps Bind is pointing to another internal DNS server, and then to a public DNS?

----

Here's a way to test failover from a Windows client:

You can switch logon servers with "nltest /server:<clientcomputer> /sc_reset:<domain\dc>"
https://www.technipages.com/windows-how-to-switch-domain-controller

So try this -- (I just did this on one of my DCs):

* Switch a Windows Client to DC4
* Verify with "nltest /dsgetdc:<domain>" and "nltest /sc_query:<domain>"

C:\WINDOWS\system32>nltest /Server:<mycomputer> /sc_query:<shortdomainname>
> Flags: 30 HAS_IP HAS_TIMESERV
> Trusted DC Name \\<DC4>.<mydomain.com>
> Trusted DC Connection Status Status = 0 0x0 NERR_Success
> The command completed successfully
>
C:\WINDOWS\system32>nltest /dsgetdc:<shortdomainname>
> DC: \\<DC4>
> Address: \\ip.addr.ss.ss
> Dom Guid: <guid>
> Dom Name: <shortdomainname>
> Forest Name: mydomain.com
> Dc Site Name: <mysite>
> Our Site Name: <mysite>
> Flags: GC DS LDAP KDC TIMESERV GTIMESERV WRITABLE DNS_FOREST CLOSE_SITE
> The command completed successfully

* Then stop samba on DC4
* "nltest /dclist:<domain>"
  This should fail, as it's attempting to get lookups from the trusted DC (DC4)

C:\WINDOWS\system32>nltest /dclist:<shortdomainname>
> Get list of DCs in domain ' <shortdomainname> ' from '\\<DC4>'.
> Cannot DsBind to <shortdomainname> (\\<DC4>).Status = 1722 0x6ba
> RPC_S_SERVER_UNAVAILABLE
> List of DCs in Domain <shortdomainname>
> \\<DC3>(PDC)
> The command completed successfully
>
* "nltest /sc_verify:<domain>" -- this should force a query and change the trusted DC to an available DC.

(Don't forget to turn samba back on)

Kris Lou
klou at themusiclink.net
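The check Rowland asked for at the top of this thread (every DC listed as NS in both the forward and reverse zone, with an A record at the forward apex and a PTR in the reverse zone), as an added example that is not part of this thread or of Samba: a Python script that parses "samba-tool dns query <dc> <zone> @ ALL" output in the layout Paul pasted and reports what each DC is missing. The indentation of that output, the in-addr.arpa zone cut on octet boundaries, and the DC names and addresses embedded below are assumptions; the sample dumps are constructed from the records shown in the thread.

```python
import re

# Constructed sample input: the zone dumps from this thread, laid out as "samba-tool dns query <dc> <zone> @ ALL" prints them (indentation assumed).
FORWARD_OUT = """\
  Name=, Records=5, Children=0
    SOA: serial=620, refresh=900, retry=600, expire=86400, minttl=0, ns=dc3.mydomain.com., email=hostmaster.mydomain.com. (flags=600000f0, serial=620, ttl=3600)
    NS: dc3.mydomain.com. (flags=600000f0, serial=110, ttl=900)
    NS: dc4.mydomain.com. (flags=600000f0, serial=110, ttl=900)
    A: 192.168.0.218 (flags=600000f0, serial=110, ttl=900)
    A: 192.168.0.219 (flags=600000f0, serial=110, ttl=900)
"""
REVERSE_OUT = """\
  Name=, Records=3, Children=0
    NS: dc3.mydomain.com. (flags=600000f0, serial=56, ttl=900)
    NS: dc4.mydomain.com. (flags=600000f0, serial=58, ttl=900)
  Name=218, Records=1, Children=0
    PTR: DC3 (flags=f0, serial=54, ttl=900)
  Name=219, Records=1, Children=0
    PTR: DC4 (flags=f0, serial=55, ttl=900)
"""
NAME_RE = re.compile(r"^\s*Name=([^,]*),")        # owner name; "" is the zone apex
RECORD_RE = re.compile(r"^\s*([A-Z]+):\s+(\S+)")  # record type and first token of its data

def parse_query(text):  # -> {owner: [(rtype, data), ...]}; SOA data is kept but unused here
    zone, name = {}, None
    for line in text.splitlines():
        if m := NAME_RE.match(line):
            zone.setdefault(name := m.group(1), [])
        elif (m := RECORD_RE.match(line)) and name is not None:
            zone[name].append((m.group(1), m.group(2).rstrip(",")))
    return zone

def reverse_name(ip, rev_zone):  # PTR owner of ip inside rev_zone (e.g. "218"); None if outside it
    prefix = re.sub(r"\.in-addr\.arpa$", "", rev_zone.lower()).split(".")[::-1]
    octets = ip.split(".")
    return ".".join(reversed(octets[len(prefix):])) if octets[:len(prefix)] == prefix else None

def check_dcs(dcs, forward_out, reverse_out, fwd_zone, rev_zone):
    """What each DC (short name -> IP) lacks in the two zones; [] means everything is present."""
    fwd, rev = parse_query(forward_out), parse_query(reverse_out)
    fwd_ns = {d.rstrip(".").lower() for t, d in fwd.get("", []) if t == "NS"}
    rev_ns = {d.rstrip(".").lower() for t, d in rev.get("", []) if t == "NS"}
    fwd_a = {d for t, d in fwd.get("", []) if t == "A"}
    problems = []
    for host, ip in dcs.items():
        fqdn, owner = f"{host}.{fwd_zone}".lower(), reverse_name(ip, rev_zone)
        ptrs = {d.rstrip(".").lower().split(".")[0] for t, d in rev.get(owner, []) if t == "PTR"}
        problems += [f"{host}: missing {what}" for ok, what in (
            (fqdn in fwd_ns, f"NS record in {fwd_zone}"), (fqdn in rev_ns, f"NS record in {rev_zone}"),
            (ip in fwd_a, f"apex A record {ip} in {fwd_zone}"), (host.lower() in ptrs, f"PTR for {ip}"))
            if not ok]
    return problems
```

Running check_dcs({"dc3": "192.168.0.218", "dc4": "192.168.0.219"}, FORWARD_OUT, REVERSE_OUT, "mydomain.com", "0.168.192.in-addr.arpa") on the sample returns an empty list; a DC that is absent from a zone, as in Kris's setup, shows up as one line per missing record.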