On Thu, 2021-12-02 at 06:32 +0100, Nikita Druba via samba wrote:
> Hi!
>
> I wrote here 2 weeks ago about a problem with the DC's SPN record for
> LDAP. We found a strange value for userAccountControl on my DC. This
> problem was solved by migrating to a new DC: adding a new DC, moving
> the FSMO roles and demoting the old one. Unfortunately the online
> method did not work; I did it with the old DC stopped.
How did you manage to join a new DC to a presumably stopped domain?
>
> After these actions some services work faster and better. But I have
> one very strange problem. I will describe my configuration before the
> problem.
>
> All servers run FreeBSD 12.2 with ZFS as the filesystem.
Well, that is a configuration that is known to be problematical:
FreeBSD and ZFS.
> Samba 4.13.14 runs in a jail with Bind 9.16.23 as the backend.
I don't think running a Samba AD DC in a jail is going to work.
> I also have Bind 9.16.23 on another server, working as a secondary
> DNS.
Does your 'secondary' bind9 server forward the AD dns domain requests
to a Samba AD DC ?
> The secondary Bind gets zones from the DC by zone transfer with a
> TSIG key. Also, I have several subnetworks (loopback and 3 others) on
> which the DC listens.
>
> I have strange behaviour of Bind at the new DC.
>
> When I set another DNS server in resolv.conf of the new DC, for
> example the old DC or the secondary Bind, all works fine. The new DC
> successfully resolves any records with the nslookup or host commands,
> from itself or from another host.
>
> When I set localhost or its own internal IP in resolv.conf of the new
> DC, Bind periodically freezes with the following regularity:
>
> - Bind stops replying to requests for ~5 minutes. After that it starts
> working without a service restart, and freezes again.
>
> - In the daytime (when employees are in the office) it freezes after
> less than 1 minute of work, at night after 10-15 minutes.
>
> - If I change resolv.conf from the secondary Bind to the internal IP,
> then there is no need to restart Bind or Samba to start or stop the
> periodic freezing. Just change the nameserver record and wait. If it
> was frozen when resolv.conf was changed, then it will stay in the
> frozen state for ~5 minutes after the freeze started and after that
> will work fine.
>
> - If I change resolv.conf from the secondary Bind to loopback, then I
> NEED to restart Bind to start or stop the freezing.
>
> - When Bind freezes, it is not stopped by a service command and is not
> killed by the default signal; only kill -9 works.
>
> - The internal Samba DNS works fine and doesn't freeze when
> resolv.conf points to localhost.
>
> - Sometimes Bind does not freeze for all subnetworks. It can freeze for
> localhost and 2 subnetworks, while in the last subnetwork the DC's
> Bind can successfully resolve any records from any subnetwork. But I
> saw this situation only once and can't repeat it for now.
>
> - No special Bind log records with "debug 50" at the time of or before
> the freeze. It freezes after any message, and all these messages I
> also see in the log when Bind works without freezing.
>
> - I tried to run Bind with logging to the terminal, but didn't see any
> additional information when it froze. The terminal logs the same as
> the log files.
>
> - rndc freezes also.
You shouldn't be using rndc.
Let's be honest here, you seem to be doing everything that I wouldn't
recommend:
I wouldn't recommend using FreeBSD in production
I wouldn't recommend using ZFS in production
I wouldn't recommend using a separate Bind9 server, unless it forwards
all AD dns to an AD DC.
Rowland
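As an added illustration, not part of either message in this thread: a named.conf fragment for the separate Bind9 server, showing the zone-transfer setup Nikita describes next to the forward-only setup Rowland recommends. The zone name "ad.example.com", the DC address 192.0.2.10, the key name "transfer-key" and the file path are placeholders I have assumed, not values from the thread.

```conf
// Added example; not from the thread. Placeholders assumed here:
// "ad.example.com" = AD DNS domain, 192.0.2.10 = Samba AD DC,
// "transfer-key" = the TSIG key used for zone transfers.
// Use ONE of the two stanzas for a given zone name, never both.

// 1) What the thread describes: a secondary that pulls the AD zone by
//    AXFR/IXFR (classic "slave"/"masters" spelling, accepted by 9.16).
//    The copy is only as fresh as the last transfer, and the DC remains
//    the only place dynamic updates are accepted.
zone "ad.example.com" {
    type slave;
    masters { 192.0.2.10 key "transfer-key"; };
    file "slave/ad.example.com.db";
};

// 2) What the reply recommends: keep no copy at all. Every query for
//    the AD domain is forwarded to the DC, which answers from its own
//    data (Samba internal DNS or BIND9_DLZ). "forward only" stops BIND
//    from falling back to normal recursion, which for a private AD zone
//    could never succeed and would only add timeouts.
zone "ad.example.com" {
    type forward;
    forward only;
    forwarders { 192.0.2.10; };
};
```

With the forward stanza, the AD records are served by the DC for every query, including the SRV and SPN-related lookups the thread started with; the secondary server never holds a stale copy of them. If more than one DC exists, list each DC's address in `forwarders`.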