On Tue, 26 Sep 2023 09:08:29 +0000 Paul Littlefield via samba <samba at lists.samba.org> wrote:

> On 25/09/2023 16:25, Rowland Penny via samba wrote:
> > Whilst anything is possible, if you are trying to connect to the
> > internal dns server on a machine that isn't yet a DC, then it will
> > time out, because there isn't a dns server there yet.
> >
>
> Of course. I may be misunderstanding things here.
>

Maybe :)

> I am preparing to join a third Linux DC to an existing domain running
> two Linux DCs, and am following these instructions ...
>
> https://wiki.samba.org/index.php/Linux_and_Unix_DNS_Configuration#Resolving_SRV_Records
>
> ... so am concerned that there is a "communications error":-
>
> "_ldap._tcp.mydomain.com;; communications error to 130.130.0.219#53:
> timed out"
>
> ... which is DC5 trying to get a DNS record from DC4 and failing.
>
> If I run the same 'test' from that wiki page on either of the
> existing 2 Linux DCs which _are_ dns servers for the whole network,
> it does not show that error.
>
> Do you follow me?
>
> In other words, I want to sort that error out first before I go
> trying to join a new DC (which I am only doing to solve the recent
> security patch!)
>
> I have tried Googling it but come up blank.
>
> Regards,
>

OK, I think I understand what is going on.

You are following this wiki page:

https://wiki.samba.org/index.php/Joining_a_Samba_DC_to_an_Existing_Active_Directory

You have got to the heading 'Configuring DNS' and the first line under
that heading sends you to another wiki page, did you read the two blue
boxes below the link ?

Also the wiki page you are sent to, could be a bit clearer.

Rowland
Paul Littlefield
2023-Sep-26 11:29 UTC
[Samba] new DC preparation, nslookup and dig errors
On 26/09/2023 11:23, Rowland Penny via samba wrote:
> OK, I think I understand what is going on.
>
> You are following this wiki page:
>
> https://wiki.samba.org/index.php/Joining_a_Samba_DC_to_an_Existing_Active_Directory

Yes :)

> You have got to the heading 'Configuring DNS' and the first line under
> that heading sends you to another wiki page, did you read the two blue
> boxes below the link ?

Yes.

"The 'nameserver' you set in '/etc/resolv.conf' should be another AD DC,
otherwise the join could have difficulty finding a KDC."

Yep, have those ...

root at dc5.mydomain.com ~ $ (screen) cat /etc/resolv.conf
search mydomain.com
nameserver 130.130.0.219
nameserver 130.130.0.218

... and ...

"If you are joining a new DC the 'nameserver' you set in '/etc/resolv.conf'
must be another AD DC, otherwise the join will not be work. Once the new
join has succeeded, you need to change the 'nameserver' to the new DCs ip
address, do not use '127.0.0.1' or any other IP."

Yep, same.

So, I have the correct existing AD DCs in the '/etc/resolv.conf' on the
new (unjoined) 'DC5'.

> Also the wiki page you are sent to, could be a bit clearer.

No, I thought it was fine :)

So, what next to try and debug the error?

"_ldap._tcp.mydomain.com;; communications error to 130.130.0.219#53:
timed out"

Regards,

-- 
Paul Littlefield
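An added diagnostic for the timeout discussed in this thread; it is not code from the thread, the wiki page or the Samba project. It runs the SRV lookups from the wiki's "Resolving SRV Records" test (_ldap._tcp, _kerberos._tcp and _kerberos._udp under the realm) against every nameserver listed in resolv.conf, using a raw UDP query with a two-second timeout, so a DC that does not answer on port 53 is reported as "timed out" per server and per record instead of the resolver quietly falling back to the next nameserver. The realm and nameserver addresses are the example values quoted above; it assumes plain UDP on port 53 is the path being tested.

```python
import random
import socket
import struct

AD_SRV_PREFIXES = ("_ldap._tcp", "_kerberos._tcp", "_kerberos._udp")  # wiki's SRV test names
QTYPE_SRV, QCLASS_IN = 33, 1

def nameservers(resolv_conf_text):
    """Nameserver IPs from resolv.conf text, in the order the resolver tries them."""
    return [parts[1] for parts in (ln.split() for ln in resolv_conf_text.splitlines())
            if len(parts) >= 2 and parts[0] == "nameserver"]

def build_srv_query(name, txid):
    """One-question DNS query for an SRV record in RFC 1035 wire format (RD bit set)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = [lbl.encode() for lbl in name.strip(".").split(".")]
    qname = b"".join(bytes([len(lbl)]) + lbl for lbl in labels) + b"\x00"
    return header + qname + struct.pack("!HH", QTYPE_SRV, QCLASS_IN)

def classify_reply(data, txid):
    """Summarise a raw DNS reply as 'ok (N answers)', 'rcode N' or 'bad reply'."""
    if len(data) < 12 or struct.unpack("!H", data[:2])[0] != txid:
        return "bad reply"
    flags, _qdcount, ancount = struct.unpack("!HHH", data[2:8])
    rcode = flags & 0x000F  # 0 = NOERROR, 3 = NXDOMAIN (record missing from the zone)
    return "ok (%d answers)" % ancount if rcode == 0 else "rcode %d" % rcode

def query_srv(server, name, timeout=2.0):
    """One SRV query over UDP to server:53; 'timed out' is dig's 'communications error ... timed out'."""
    txid = random.randrange(0, 0x10000)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        try:
            sock.sendto(build_srv_query(name, txid), (server, 53))
            data, _peer = sock.recvfrom(4096)
        except socket.timeout:
            return "timed out"
        except OSError as exc:  # e.g. no route to that DC at all
            return "error: %s" % exc
    return classify_reply(data, txid)

def check_all(resolv_conf_text, realm):
    """Every AD SRV lookup against every listed nameserver -> {(server, name): result}."""
    names = ["%s.%s" % (prefix, realm) for prefix in AD_SRV_PREFIXES]
    return {(srv, n): query_srv(srv, n) for srv in nameservers(resolv_conf_text) for n in names}

if __name__ == "__main__":
    SAMPLE = "search mydomain.com\nnameserver 130.130.0.219\nnameserver 130.130.0.218\n"  # constructed
    for (srv, name), result in check_all(SAMPLE, "mydomain.com").items():
        print("%s %s -> %s" % (srv, name, result))
```

Run it on the unjoined machine with the real /etc/resolv.conf contents: a nameserver that times out for every record is unreachable on UDP/53 from that host (firewall or routing), while "rcode 3" means the server answered but does not hold that SRV record.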