resolv.conf looks like this for MY.DOMAIN
DC01 192.168.50.11
search MY
nameserver 10.0.1.9
nameserver 192.168.50.11
DC02 10.0.1.9
search MY
nameserver 192.168.50.11
nameserver 10.0.1.9
But this was working without any problems with the private IPs before the errors
on the backup appeared. I doubt changing their own IPs to the loopback address
will fix my issues.
I've expanded testing and it seems only the LDAP lookup doesn't work for dc02, and I
noticed that a static A record Dc01 10.0.1.9 keeps being generated,
which seems wrong.
Server: 192.168.50.11
Address: 192.168.50.11#53
Name: dc01.my.domain
Address: 192.168.50.11
Name: dc01.my.domain
Address: 10.0.1.9
I kept deleting it but it keeps coming back, so something must be wrong with
dynamic DNS.
Also, there wasn't any NS entry in the reverse lookup of dc02's site, but I
guess that was because I didn't join the DC in a specific site. Nevertheless, the
entries did not complement.
Also, there are entries for DC01 only in Site 2/_tcp for _gc, _ldap and _kerberos, which
have to be switched with dc02 I guess. Also, my.domain/_tcp contains
gc, Kerberos, kpasswd and ldap entries for DC01 only. DNS update does not seem to have
the right entries.
host -t SRV _ldap._tcp.my.domain
_ldap._tcp.my.domain has SRV record 0 100 389 dc01.my.domain.
My thoughts:
Completely wiping dc02 from the domain and fixing all DNS entries back to
normal. Properly joining dc02 to the site, hoping the DNS entries will now appear
correct.
I cannot really troubleshoot this at this point without risking running into far
more errors.
Dnsupdate DC01
A ${HOSTNAME} $IP
AAAA ${HOSTNAME} $IP
${IF_DC}CNAME ${NTDSGUID}._msdcs.${DNSFOREST} ${HOSTNAME}
${IF_RWDNS_DOMAIN}NS ${DNSDOMAIN} ${HOSTNAME}
${IF_RWDNS_FOREST}NS ${DNSFOREST} ${HOSTNAME}
${IF_RWDNS_FOREST}NS _msdcs.${DNSFOREST} ${HOSTNAME}
# Stub entries in the parent zone
${IF_RWDNS_DOMAIN}RPC ${DNSFOREST} NS ${DNSDOMAIN} ${HOSTNAME}
${IF_RWDNS_FOREST}RPC ${DNSFOREST} NS _msdcs.${DNSFOREST} ${HOSTNAME}
# RW domain controller
${IF_RWDC}A ${DNSDOMAIN} $IP
${IF_RWDC}AAAA ${DNSDOMAIN} $IP
${IF_RWDC}SRV _ldap._tcp.${DNSDOMAIN} ${HOSTNAME} 389
${IF_RWDC}SRV _ldap._tcp.dc._msdcs.${DNSDOMAIN} ${HOSTNAME} 389
${IF_RWDC}SRV _ldap._tcp.${DOMAINGUID}.domains._msdcs.${DNSFOREST} ${HOSTNAME} 389
${IF_RWDC}SRV _kerberos._tcp.${DNSDOMAIN} ${HOSTNAME} 88
${IF_RWDC}SRV _kerberos._udp.${DNSDOMAIN} ${HOSTNAME} 88
${IF_RWDC}SRV _kerberos._tcp.dc._msdcs.${DNSDOMAIN} ${HOSTNAME} 88
${IF_RWDC}SRV _kpasswd._tcp.${DNSDOMAIN} ${HOSTNAME} 464
${IF_RWDC}SRV _kpasswd._udp.${DNSDOMAIN} ${HOSTNAME} 464
# RW and RO domain controller
${IF_DC}SRV _ldap._tcp.${SITE}._sites.${DNSDOMAIN} ${HOSTNAME} 389
${IF_DC}SRV _ldap._tcp.${SITE}._sites.dc._msdcs.${DNSDOMAIN} ${HOSTNAME} 389
${IF_DC}SRV _kerberos._tcp.${SITE}._sites.${DNSDOMAIN} ${HOSTNAME} 88
${IF_DC}SRV _kerberos._tcp.${SITE}._sites.dc._msdcs.${DNSDOMAIN} ${HOSTNAME} 88
# The PDC emulator
${IF_PDC}SRV _ldap._tcp.pdc._msdcs.${DNSDOMAIN} ${HOSTNAME} 389
# RW GC servers
${IF_RWGC}A gc._msdcs.${DNSFOREST} $IP
${IF_RWGC}AAAA gc._msdcs.${DNSFOREST} $IP
${IF_RWGC}SRV _gc._tcp.${DNSFOREST} ${HOSTNAME} 3268
${IF_RWGC}SRV _ldap._tcp.gc._msdcs.${DNSFOREST} ${HOSTNAME} 3268
# RW and RO GC servers
${IF_GC}SRV _gc._tcp.${SITE}._sites.${DNSFOREST} ${HOSTNAME} 3268
${IF_GC}SRV _ldap._tcp.${SITE}._sites.gc._msdcs.${DNSFOREST} ${HOSTNAME} 3268
# RW DNS servers
${IF_RWDNS_DOMAIN}A DomainDnsZones.${DNSDOMAIN} $IP
${IF_RWDNS_DOMAIN}AAAA DomainDnsZones.${DNSDOMAIN} $IP
${IF_RWDNS_DOMAIN}SRV _ldap._tcp.DomainDnsZones.${DNSDOMAIN} ${HOSTNAME} 389
# RW and RO DNS servers
${IF_DNS_DOMAIN}SRV _ldap._tcp.${SITE}._sites.DomainDnsZones.${DNSDOMAIN} ${HOSTNAME} 389
# RW DNS servers
${IF_RWDNS_FOREST}A ForestDnsZones.${DNSFOREST} $IP
${IF_RWDNS_FOREST}AAAA ForestDnsZones.${DNSFOREST} $IP
${IF_RWDNS_FOREST}SRV _ldap._tcp.ForestDnsZones.${DNSFOREST} ${HOSTNAME} 389
# RW and RO DNS Servers
This does not exist on dc02, as it has /var/lib/samba/* only.
DC02 dns query ALL
Name=, Records=5, Children=0
SOA: serial=127, refresh=900, retry=600, expire=86400, minttl=3600,
ns=dc01.my.domain., email=hostmaster.my.domain. (flags=600000f0, serial=127,
ttl=3600)
NS: dc01.my.domain. (flags=600000f0, serial=110, ttl=900)
NS: dc02.my.domain. (flags=600000f0, serial=110, ttl=900)
A: 192.168.50.11 (flags=600000f0, serial=110, ttl=900)
A: 10.0.1.9 (flags=600000f0, serial=110, ttl=900)
Name=_msdcs, Records=0, Children=0
Name=_sites, Records=0, Children=2
Name=_tcp, Records=0, Children=4
Name=_udp, Records=0, Children=2
Name=CTG-INTEL, Records=1, Children=0
A: 192.168.50.231 (flags=f0, serial=110, ttl=1200)
Name=LOC1-Anmeldung-Li, Records=1, Children=0
A: 192.168.50.182 (flags=f0, serial=110, ttl=1200)
Name=LOC1-Anmeldung-re, Records=1, Children=0
A: 192.168.50.181 (flags=f0, serial=110, ttl=1200)
Name=LOC1-CTG, Records=1, Children=0
A: 192.168.50.231 (flags=f0, serial=110, ttl=1200)
Name=LOC1-Labor, Records=1, Children=0
A: 192.168.50.3 (flags=f0, serial=110, ttl=1200)
Name=LOC1-Monitoring, Records=1, Children=0
A: 192.168.50.164 (flags=f0, serial=110, ttl=1200)
Name=LOC1-Telefonzentrale, Records=1, Children=0
A: 192.168.50.243 (flags=f0, serial=110, ttl=1200)
Name=LOC1-U1, Records=1, Children=0
A: 192.168.50.8 (flags=f0, serial=110, ttl=1200)
Name=LOC1-U2, Records=1, Children=0
A: 192.168.50.174 (flags=f0, serial=110, ttl=1200)
Name=LOC1-U3, Records=1, Children=0
A: 192.168.50.176 (flags=f0, serial=110, ttl=1200)
Name=dc01, Records=1, Children=0
A: 192.168.50.11 (flags=f0, serial=110, ttl=900)
Name=DomainDnsZones, Records=0, Children=2
Name=ForestDnsZones, Records=0, Children=2
Name=dc02, Records=1, Children=0
A: 10.0.1.9 (flags=f0, serial=120, ttl=3600)
Name=nasdd7fef, Records=1, Children=0
A: 192.168.50.232 (flags=f0, serial=110, ttl=3600)
Name=PC-Bakk, Records=1, Children=0
A: 10.0.1.182 (flags=f0, serial=110, ttl=1200)
DC02 dns query all
GENSEC backend 'gssapi_spnego' registered
GENSEC backend 'gssapi_krb5' registered
GENSEC backend 'gssapi_krb5_sasl' registered
GENSEC backend 'spnego' registered
GENSEC backend 'schannel' registered
GENSEC backend 'naclrpc_as_system' registered
GENSEC backend 'sasl-EXTERNAL' registered
GENSEC backend 'ntlmssp' registered
GENSEC backend 'ntlmssp_resume_ccache' registered
GENSEC backend 'http_basic' registered
GENSEC backend 'http_ntlm' registered
GENSEC backend 'http_negotiate' registered
GENSEC backend 'krb5' registered
GENSEC backend 'fake_gssapi_krb5' registered
Using binding ncacn_ip_tcp:127.0.0.1[,sign]
Cannot do GSSAPI to an IP address
Got challenge flags:
Got NTLMSSP neg_flags=0x62898215
Password for [MVZ\administrator]:
NTLMSSP: Set final flags:
Got NTLMSSP neg_flags=0x62088215
NTLMSSP Sign/Seal - Initialising with flags:
Got NTLMSSP neg_flags=0x62088215
NTLMSSP Sign/Seal - Initialising with flags:
Got NTLMSSP neg_flags=0x62088215
Name=, Records=5, Children=0
SOA: serial=125, refresh=900, retry=600, expire=86400, minttl=3600,
ns=dc01.my.domain., email=hostmaster.my.domain. (flags=600000f0, serial=125,
ttl=3600)
NS: dc01.my.domain. (flags=600000f0, serial=110, ttl=900)
NS: dc02.my.domain. (flags=600000f0, serial=110, ttl=900)
A: 192.168.50.11 (flags=600000f0, serial=110, ttl=900)
A: 10.0.1.9 (flags=600000f0, serial=110, ttl=900)
Name=_msdcs, Records=0, Children=0
Name=_sites, Records=0, Children=2
Name=_tcp, Records=0, Children=4
Name=_udp, Records=0, Children=2
Name=CTG-INTEL, Records=1, Children=0
A: 192.168.50.231 (flags=f0, serial=110, ttl=1200)
Name=LOC1-Anmeldung-Li, Records=1, Children=0
A: 192.168.50.182 (flags=f0, serial=110, ttl=1200)
Name=LOC1-Anmeldung-re, Records=1, Children=0
A: 192.168.50.181 (flags=f0, serial=110, ttl=1200)
Name=LOC1-CTG, Records=1, Children=0
A: 192.168.50.231 (flags=f0, serial=110, ttl=1200)
Name=LOC1-Labor, Records=1, Children=0
A: 192.168.50.3 (flags=f0, serial=110, ttl=1200)
Name=LOC1-Monitoring, Records=1, Children=0
A: 192.168.50.164 (flags=f0, serial=110, ttl=1200)
Name=LOC1-Telefonzentrale, Records=1, Children=0
A: 192.168.50.243 (flags=f0, serial=110, ttl=1200)
Name=LOC1-U1, Records=1, Children=0
A: 192.168.50.8 (flags=f0, serial=110, ttl=1200)
Name=LOC1-U2, Records=1, Children=0
A: 192.168.50.174 (flags=f0, serial=110, ttl=1200)
Name=LOC1-U3, Records=1, Children=0
A: 192.168.50.176 (flags=f0, serial=110, ttl=1200)
Name=dc01, Records=2, Children=0
A: 192.168.50.11 (flags=f0, serial=110, ttl=900)
A: 10.0.1.9 (flags=f0, serial=110, ttl=900)
Name=DomainDnsZones, Records=0, Children=2
Name=ForestDnsZones, Records=0, Children=2
Name=dc02, Records=1, Children=0
A: 10.0.1.9 (flags=f0, serial=120, ttl=3600)
Name=nasdd7fef, Records=1, Children=0
A: 192.168.50.232 (flags=f0, serial=110, ttl=3600)
Name=PC-Bakk, Records=1, Children=0
A: 10.0.1.182 (flags=f0, serial=110, ttl=1200)
From: Rowland Penny via samba
Sent: Thursday, 5 May 2022 18:17
To: samba at lists.samba.org
Cc: Rowland Penny
Subject: Re: [Samba] How to determine DNS anomaly
On Thu, 2022-05-05 at 11:37 +0200, Hakim Liso via samba
wrote:
> Hello, and thanks for your help
> I've just sent another mail regarding the DNS anomalies.
> INTERNAL_SAMBA with DNS Forwarder 8.8.8.8 set on both in the
> smb.conf.
Your post was too big and got rejected and I don't see the point in
replying to 'askubuntu' where you have now posted.
When a DC is first joined to an existing domain there are numerous dns
records missing (you can see them in
/usr/share/samba/setup/dns_update_list). When you join a new DC, the
resolv.conf must point to an existing DC, but after the join, you must
make the new DC use itself as its nameserver (use its ipaddress, not
127.0.0.1), have you done this?
Rowland
--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba
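The check both mails circle around (which of the records in dns_update_list a DC should have registered, and which of them the zone actually lacks) written out as an added example; this is not code from the thread or from Samba's samba_dnsupdate. It parses the template format quoted above (optional ${IF_ROLE} guard, record type, owner name, then $IP for A/AAAA, a target for CNAME/NS, or target and port for SRV, with "RPC <zone>" marking parent-zone stubs), expands it for dc02, and compares the result against a constructed observation in which every SRV record still points at dc01. The SITE value, the NTDS GUID and the observed record set are assumptions for illustration.

```python
"""Expand Samba's dns_update_list templates for one DC and list the records
an actual query did not return.

Added example, not Samba's own samba_dnsupdate code.  The template format is
the one quoted in the thread (/usr/share/samba/setup/dns_update_list).
SITE, the GUID and the observed records below are placeholders.
"""
import re

# Constructed excerpt of the template, as quoted in the thread.
DNS_UPDATE_LIST = """\
A ${HOSTNAME} $IP
${IF_DC}CNAME ${NTDSGUID}._msdcs.${DNSFOREST} ${HOSTNAME}
# RW domain controller
${IF_RWDC}SRV _ldap._tcp.${DNSDOMAIN} ${HOSTNAME} 389
${IF_RWDC}SRV _kerberos._tcp.${DNSDOMAIN} ${HOSTNAME} 88
${IF_RWDC}SRV _kpasswd._tcp.${DNSDOMAIN} ${HOSTNAME} 464
# RW and RO domain controller
${IF_DC}SRV _ldap._tcp.${SITE}._sites.${DNSDOMAIN} ${HOSTNAME} 389
${IF_DC}SRV _kerberos._tcp.${SITE}._sites.${DNSDOMAIN} ${HOSTNAME} 88
# The PDC emulator
${IF_PDC}SRV _ldap._tcp.pdc._msdcs.${DNSDOMAIN} ${HOSTNAME} 389
# GC servers
${IF_RWGC}SRV _gc._tcp.${DNSFOREST} ${HOSTNAME} 3268
${IF_GC}SRV _gc._tcp.${SITE}._sites.${DNSFOREST} ${HOSTNAME} 3268
"""

_GUARD = re.compile(r"^\$\{(IF_[A-Z_]+)\}")   # ${IF_RWDC} etc. at line start
_VAR = re.compile(r"\$\{?([A-Z_]+)\}?")        # ${HOSTNAME}, $IP, ...


def _norm(name):
    """DNS names compare case-insensitively, with or without a trailing dot."""
    return name.lower().rstrip(".")


def expand_template(text, facts, roles):
    """Return the records a DC with these facts and roles should have
    registered, as (type, owner, target, port) tuples; port is None unless SRV."""
    records = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        guard = _GUARD.match(line)
        if guard:
            if guard.group(1) not in roles:   # role does not apply to this DC
                continue
            line = line[guard.end():]
        # Unknown variable names raise KeyError rather than silently passing through.
        line = _VAR.sub(lambda m: facts[m.group(1)], line)
        fields = line.split()
        if fields[0] == "RPC":                # parent-zone stub: drop "RPC <zone>"
            fields = fields[2:]
        rtype, owner, target = fields[0], _norm(fields[1]), _norm(fields[2])
        port = int(fields[3]) if rtype == "SRV" else None
        records.append((rtype, owner, target, port))
    return records


def missing_records(expected, observed):
    """Expected records that are absent from the observed set."""
    seen = {(t, _norm(o), _norm(tg), p) for t, o, tg, p in observed}
    return [r for r in expected if r not in seen]


# Facts for the second DC in the thread; SITE and the GUID are placeholders.
DC02_FACTS = {
    "HOSTNAME": "dc02.my.domain", "IP": "10.0.1.9",
    "DNSDOMAIN": "my.domain", "DNSFOREST": "my.domain",
    "SITE": "Site2",
    "NTDSGUID": "00000000-0000-0000-0000-0000000000b2",
}
# Writable DC and GC that is not the PDC emulator.
DC02_ROLES = {"IF_DC", "IF_RWDC", "IF_GC", "IF_RWGC"}

# Constructed observation matching the thread: dc02 has its A record, but every
# SRV record still names dc01 only.
OBSERVED = [
    ("A", "dc02.my.domain", "10.0.1.9", None),
    ("SRV", "_ldap._tcp.my.domain", "dc01.my.domain.", 389),
    ("SRV", "_kerberos._tcp.my.domain", "dc01.my.domain.", 88),
    ("SRV", "_kpasswd._tcp.my.domain", "dc01.my.domain.", 464),
    ("SRV", "_gc._tcp.my.domain", "dc01.my.domain.", 3268),
]


def dc02_report():
    """(expected, missing) record lists for dc02 against the constructed observation."""
    expected = expand_template(DNS_UPDATE_LIST, DC02_FACTS, DC02_ROLES)
    return expected, missing_records(expected, OBSERVED)


if __name__ == "__main__":
    expected, missing = dc02_report()
    print("expected %d records, %d missing:" % (len(expected), len(missing)))
    for rtype, owner, target, port in missing:
        print("  %-5s %-45s -> %s %s" % (rtype, owner, target, port or ""))
```

On a real DC the observed list would come from the same `samba-tool dns query` or `host -t SRV` output shown in the mail, and the normal remedy for a list of missing records is to have the DC re-register them with `samba_dnsupdate --verbose --all-names` once its resolv.conf points at itself, rather than adding them one by one.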