To get the question of why new servers, this one I'm using has hardware
whose remaining life is measured in days. The elastic bands and sticky tape
it is held together with won't hold for much longer. I'm using it to build
and test a new environment, but then I need to migrate that onto something
with a little more vitality before bringing it into production (in the next
56 hours).

As for DNS. I ALWAYS had the problem with my Zentyal boxes that if the one
I built first went down, the others didn't know what to do with their
lives. The same is true on these ones I've built today.

DC01 has IP 192.168.4.5
DC02 has IP 192.168.4.6
The gateway is at 192.168.4.1

If I set /etc/resolv.conf to
nameserver 192.168.4.6
nameserver 192.168.4.1
search internal.kcs

I get no internal or external name resolution. Trying to ping anything
gives me:
ping: google.com: Temporary failure in name resolution

Dig gives me this error:

itadmin@dc02:~$ dig dc01.internal.kcs

; <<>> DiG 9.16.1-Ubuntu <<>> dc01.internal.kcs
;; global options: +cmd
;; connection timed out; no servers could be reached


Digging from DC01 works fine though

itadmin@dc01:/$ dig dc02.internal.kcs

; <<>> DiG 9.16.1-Ubuntu <<>> dc02.internal.kcs
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 14095
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
; COOKIE: 4375a2de0dc15f30010000005f53fc6edecede8d59738b72 (good)
;; QUESTION SECTION:
;dc02.internal.kcs.             IN      A

;; ANSWER SECTION:
dc02.internal.kcs.      900     IN      A       192.168.4.6

;; Query time: 4 msec
;; SERVER: 192.168.4.5#53(192.168.4.5)
;; WHEN: Sat Sep 05 14:00:30 PDT 2020
;; MSG SIZE  rcvd: 90

and all my troubles go away if I change resolv.conf to have nameserver
192.168.4.5 at the top


On Sat, Sep 5, 2020 at 10:26 AM Rowland penny via samba <samba@lists.samba.org> wrote:

> On 05/09/2020 17:54, Peter Pollock via samba wrote:
> > Please forgive me, I'm not sure what terminology to use here so this
> > question may sound wrong.
> >
> > I have built two samba servers with a new domain. They replicate
> > happily and I can seem to do everything I could ever want on them.
> >
> > DC01 holds all the FSMO roles and, as the first one built, acts as the
> > "master" for DNS. Nothing works well on either server if DC01 is not at
> > the top of the hosts file.
> Both DC's are dns masters, it is known as multi-master. Each DC should
> use its own ipaddress for its nameserver in /etc/resolv.conf, so
> something is wrong if it doesn't work.
> >
> > But this is in a temporary environment and what I'd like to do is build
> > two production servers, connect them to this AD domain, get them working
> > and then have them take over all the FSMO roles and for one of them to
> > become the master for DNS so that I can switch off these two test servers
> > I have built.
> No, you lost me there, you will have two good DC's and you will add
> another two good DC's and then turn off the first two, why ?
> > My question is, what do I have to do to make another server the "master"?
> > is it just transferring the FSMO roles or is there something else (apart
> > from updating the host files on all the live servers)?
>
> There is no concept of a 'master' in AD, all DC's are equal except for
> the FSMO roles and they can be on any DC, in fact, if you had seven
> DC's, you could have an FSMO role on each. You can transfer all the
> roles to any DC, but it wouldn't make it the 'master', because there is
> no master.
>
> Rowland
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/options/samba
Hi Peter,

As Rowland pointed out in a previous post to you "Each DC should use its
own ipaddress for its nameserver in /etc/resolv.conf", so the gateway IP
should not be there.

So make /etc/resolv.conf on DC01
nameserver 192.168.4.5
search internal.kcs

and /etc/resolv.conf on DC02
nameserver 192.168.4.6
search internal.kcs

If you use the internal dns backend add the following to your [global]
section in /etc/samba/smb.conf on both DC01 and DC02

dns forwarder = <public DNS server IP-address>

If you use the bind dns backend make sure that the forwarders option
contains the IP-address(es) of your public DNS server(s). In that case,
the dns forwarder parameter must not exist in /etc/samba/smb.conf

Hope it helps

Best regards,

Peter

On 2020-09-05 23:02, Peter Pollock via samba wrote:
> [...]
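The two rules in Peter Milesson's reply (each DC queries only itself in /etc/resolv.conf, and `dns forwarder` is set for the internal DNS server but absent with BIND9_DLZ) are easy to get wrong during a rebuild, so here is an added check script for them. It is my own example, not code from the thread or from the Samba project; it assumes the file paths are passed in so it can run against copies, and it names the backends the way Samba's `samba_upgradedns --dns-backend` does. The function name `check_dc_dns` is mine.

```shell
#!/bin/sh
# Added example, not code from the thread or from the Samba project: checks
# that a DC's resolver and forwarder settings match the advice above.
# Assumptions (mine): file paths are passed in so the check can run against
# copies, and the backend is named as Samba does, SAMBA_INTERNAL or BIND9_DLZ.
# The function name check_dc_dns is my own.

# check_dc_dns OWN_IP RESOLV_CONF SMB_CONF BACKEND
# Prints one line per problem; returns 0 only when everything is consistent.
check_dc_dns() {
    own_ip=$1 resolv=$2 smbconf=$3 backend=$4
    problems=0
    own_seen=0

    # 1. Every nameserver must be the DC's own address. A gateway or other
    #    host here is what produced the "no servers could be reached" above.
    for ns in $(awk '$1 == "nameserver" { print $2 }' "$resolv"); do
        if [ "$ns" = "$own_ip" ]; then
            own_seen=1
        else
            echo "resolv.conf: remove nameserver $ns; the DC must query itself ($own_ip)"
            problems=$((problems + 1))
        fi
    done
    if [ "$own_seen" -eq 0 ]; then
        echo "resolv.conf: missing 'nameserver $own_ip'"
        problems=$((problems + 1))
    fi

    # 2. A search domain lets short names such as dc02 resolve.
    if ! grep -Eq '^[[:space:]]*search[[:space:]]+[^[:space:]]' "$resolv"; then
        echo "resolv.conf: missing 'search <ad domain>' line"
        problems=$((problems + 1))
    fi

    # 3. 'dns forwarder' in [global] is right only for the internal DNS server;
    #    with BIND9_DLZ the forwarders belong in named.conf and this parameter
    #    must be absent. Commented lines (# or ;) are ignored by the regex.
    if grep -Eq '^[[:space:]]*dns[[:space:]]+forwarder[[:space:]]*=' "$smbconf"; then
        has_forwarder=1
    else
        has_forwarder=0
    fi
    case "$backend" in
        SAMBA_INTERNAL)
            if [ "$has_forwarder" -eq 0 ]; then
                echo "smb.conf: internal backend needs 'dns forwarder = <public DNS IP>'"
                problems=$((problems + 1))
            fi ;;
        BIND9_DLZ)
            if [ "$has_forwarder" -eq 1 ]; then
                echo "smb.conf: drop 'dns forwarder'; put forwarders in named.conf for BIND9_DLZ"
                problems=$((problems + 1))
            fi ;;
        *)
            echo "unknown backend '$backend' (expected SAMBA_INTERNAL or BIND9_DLZ)"
            problems=$((problems + 1)) ;;
    esac

    [ "$problems" -eq 0 ]
}

# Usage on a DC (real paths):
#   sh check_dc_dns.sh 192.168.4.6 /etc/resolv.conf /etc/samba/smb.conf BIND9_DLZ
if [ "$#" -ge 4 ]; then
    check_dc_dns "$@"
fi
```

Run it on each DC with that DC's own address; the resolv.conf from the first message in this thread (own IP plus the gateway) is reported as one problem, and a config that has `dns forwarder` set while BIND9_DLZ is the backend is reported as another.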
Thank you everyone for your help.

I corrected my resolv.conf files as Peter Milesson suggested and then had
to take a number of extra steps so now things are looking a little better.
In case it helps anyone else in the future, here's what I found (plus I am
now having problems resolving internal addresses).

As far as I can see, the setup on both servers is identical (except they
use their own IP addresses). But DC01 can contact the big bad outside world
while DC02 cannot.

One thing I did find: there were incorrect permissions on
/var/lib/samba/bind-dns/ on DC02 meaning that dns.keytab was empty. I fixed
the permissions on the folder using the steps in here
https://wiki.samba.org/index.php/BIND9_DLZ_DNS_Back_End and restarted both
bind9 and named and the problem got a little better, but still no actual
contact with the outside world.

Before fixing the permissions I got:

itadmin@dc02:$ nslookup twitter.com
;; connection timed out; no servers could be reached

Now I get:

itadmin@dc02:/var/lib/samba$ nslookup twitter.com
Server:         192.168.4.6
Address:        192.168.4.6#53

** server can't find twitter.com: SERVFAIL

so I ran named-checkconf and found that it still couldn't read
/var/lib/samba/bind-dns/named.conf

I fixed that by applying the same permissions I gave to the folder and I
can now resolve external names!

itadmin@dc02:/var/lib/samba$ nslookup twitter.com
Server:         192.168.4.6
Address:        192.168.4.6#53

Non-authoritative answer:
Name:   twitter.com
Address: 104.244.42.65
Name:   twitter.com
Address: 104.244.42.193

... at least, I could for about 90 seconds. Then, without me changing
anything, it failed again and I'm back to getting the SERVFAIL message.

The dns.keytab file still seems to be empty. So I re-ran

samba_upgradedns --dns-backend=BIND9_DLZ

Which wrote information to the dns.keytab file, but rewrote
/var/lib/samba/bind-dns/named.conf to comment out everything, so I edited
that to uncomment the bind 9.12 line.

Now I'm talking to the outside world again!

HOWEVER... I can't resolve the name of the fileserver I built yesterday
(from either dc01 or dc02)

I CAN find it (both with ping and through windows file manager by entering
\\fs01 into the search bar) from the windows clients I have joined to the
domain though. Which is weird.

itadmin@dc02:/$ ping fs01
ping: fs01: Temporary failure in name resolution

so now I'm stuck again.... but it's getting better!

On Sun, Sep 6, 2020 at 12:31 AM Peter Milesson via samba <samba@lists.samba.org> wrote:
> [...]
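The three things that went wrong on DC02 in the message above (named.conf unreadable by BIND, dns.keytab empty, and samba_upgradedns leaving every `database "dlopen ..."` line commented out) can all be caught before restarting anything. The script below is an added example of such a read-only check; it is mine, not code from the thread or from the Samba project. It assumes the directory layout samba_upgradedns creates (named.conf and dns.keytab side by side, as on the page) and that named.conf carries one `database "dlopen .../dlz_bind9_<version>.so";` line per BIND version, of which exactly one must be active. The function names are my own.

```shell
#!/bin/sh
# Added example, not code from the thread or from the Samba project: a
# read-only check of the BIND9_DLZ pieces that went wrong above (unreadable
# named.conf, empty dns.keytab, every "database dlopen" line commented out).
# Assumptions (mine): the directory layout is the one samba_upgradedns
# creates (named.conf plus dns.keytab), and named.conf carries one
# 'database "dlopen .../dlz_bind9_<ver>.so";' line per BIND version, of
# which exactly one must be uncommented. Function names are my own.

# bind_dlz_static_check DIR
# File-level checks only; prints one line per problem, returns 0 when clean.
bind_dlz_static_check() {
    dir=$1
    conf="$dir/named.conf"
    keytab="$dir/dns.keytab"
    problems=0

    # The bind user must be able to enter the directory and read named.conf.
    # Run this as that user (sudo -u bind sh ...) to see its view, not root's,
    # since root reads everything and would hide the permission problem.
    if [ ! -r "$dir" ] || [ ! -x "$dir" ]; then
        echo "$dir: not readable/searchable by $(id -un)"
        problems=$((problems + 1))
    fi
    if [ ! -r "$conf" ]; then
        echo "$conf: missing or not readable by $(id -un)"
        problems=$((problems + 1))
    else
        # Count active (uncommented) dlopen lines. As happened above,
        # samba_upgradedns can leave them all commented; exactly one, the one
        # matching the installed BIND version, must be enabled.
        active=$(grep -Ec '^[[:space:]]*database[[:space:]]+"dlopen' "$conf" || true)
        case "$active" in
            1) ;;
            0) echo "$conf: no active 'database \"dlopen ...\"' line; uncomment the one for your BIND version"
               problems=$((problems + 1)) ;;
            *) echo "$conf: $active active dlopen lines; only one BIND version may be enabled"
               problems=$((problems + 1)) ;;
        esac
    fi

    # dns.keytab is what BIND uses (tkey-gssapi-keytab) to accept signed
    # dynamic updates; an empty one is regenerated by samba_upgradedns.
    if [ ! -s "$keytab" ]; then
        echo "$keytab: missing or empty; re-run samba_upgradedns --dns-backend=BIND9_DLZ"
        problems=$((problems + 1))
    fi

    [ "$problems" -eq 0 ]
}

# bind_dlz_check DIR
# Same checks plus a syntax check with named-checkconf when it is installed.
bind_dlz_check() {
    bind_dlz_static_check "$1" || return 1
    if command -v named-checkconf >/dev/null 2>&1; then
        named-checkconf "$1/named.conf" || return 1
    else
        echo "named-checkconf not found; skipping syntax check"
    fi
    return 0
}

# Usage on a DC: sudo -u bind sh check_bind_dlz.sh /var/lib/samba/bind-dns
if [ "$#" -ge 1 ]; then
    bind_dlz_check "$1"
fi
```

Running it as the bind user rather than root is the point: in the message above the files looked fine to the admin account but not to named, which is exactly the difference this reveals.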