Paul Littlefield
2023-Sep-26 11:29 UTC
[Samba] new DC preparation, nslookup and dig errors
On 26/09/2023 11:23, Rowland Penny via samba wrote:
> OK, I think I understand what is going on.
>
> You are following this wiki page:
>
> https://wiki.samba.org/index.php/Joining_a_Samba_DC_to_an_Existing_Active_Directory

Yes :)

> You have got to the heading 'Configuring DNS' and the first line under
> that heading sends you to another wiki page, did you read the two blue
> boxes below the link?

Yes.

"The 'nameserver' you set in '/etc/resolv.conf' should be another AD DC, otherwise the join could have difficulty finding a KDC."

Yep, have those ...

root@dc5.mydomain.com ~ $ (screen) cat /etc/resolv.conf
search mydomain.com
nameserver 130.130.0.219
nameserver 130.130.0.218

... and ...

"If you are joining a new DC the 'nameserver' you set in '/etc/resolv.conf' must be another AD DC, otherwise the join will not work. Once the new join has succeeded, you need to change the 'nameserver' to the new DC's IP address, do not use '127.0.0.1' or any other IP."

Yep, same.

So, I have the correct existing AD DCs in the '/etc/resolv.conf' on the new (unjoined) 'DC5'.

> Also the wiki page you are sent to, could be a bit clearer.

No, I thought it was fine :)

So, what next to try and debug the error?

"_ldap._tcp.mydomain.com;; communications error to 130.130.0.219#53: timed out"

Regards,

--
Paul Littlefield
On Tue, 26 Sep 2023 11:29:07 +0000
Paul Littlefield via samba <samba@lists.samba.org> wrote:

> On 26/09/2023 11:23, Rowland Penny via samba wrote:
> > OK, I think I understand what is going on.
> >
> > You are following this wiki page:
> >
> > https://wiki.samba.org/index.php/Joining_a_Samba_DC_to_an_Existing_Active_Directory
>
> Yes :)
>
> > You have got to the heading 'Configuring DNS' and the first line
> > under that heading sends you to another wiki page, did you read the
> > two blue boxes below the link?
>
> Yes.
>
> "The 'nameserver' you set in '/etc/resolv.conf' should be another AD
> DC, otherwise the join could have difficulty finding a KDC."
>
> Yep, have those ...
>
> root@dc5.mydomain.com ~ $ (screen) cat /etc/resolv.conf
> search mydomain.com
> nameserver 130.130.0.219
> nameserver 130.130.0.218

You only need one, preferably the one holding the PDC_Emulator FSMO role.

> ... and ...
>
> "If you are joining a new DC the 'nameserver' you set in
> '/etc/resolv.conf' must be another AD DC, otherwise the join will not
> work. Once the new join has succeeded, you need to change the
> 'nameserver' to the new DC's IP address, do not use '127.0.0.1' or any
> other IP."
>
> Yep, same.
>
> So, I have the correct existing AD DCs in the '/etc/resolv.conf' on
> the new (unjoined) 'DC5'.

As I said, you only need one.

> > Also the wiki page you are sent to, could be a bit clearer.
>
> No, I thought it was fine :)
>
> So, what next to try and debug the error?
>
> "_ldap._tcp.mydomain.com;; communications error to 130.130.0.219#53:
> timed out"

Unless you have joined your new DC and it is working, stop testing, come back to this after you have joined your new DC.

Rowland
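The pre-join DNS check the thread circles around, written out as a small POSIX shell script. This is an added example, not part of the thread and not Samba's own tooling. It assumes the realm is mydomain.com and that `dig` (from bind-utils/dnsutils) is installed; the resolv.conf contents used when it is exercised are the ones Paul posted, constructed here as a sample file. It only reads resolv.conf and queries DNS; it changes nothing.

```sh
#!/bin/sh
# Added example: sanity-check /etc/resolv.conf on a not-yet-joined Samba DC and
# probe the _ldap._tcp SRV record on each listed nameserver.
# Assumed realm (hypothetical); override with REALM=... in the environment.
REALM="${REALM:-mydomain.com}"

# Print the nameserver IPs listed in a resolv.conf file (argument: path).
resolv_nameservers() {
    awk '$1 == "nameserver" { print $2 }' "$1"
}

# Print how many nameserver lines the file has. The join only needs one
# existing DC here (the thread recommends the PDC_Emulator FSMO holder).
resolv_nameserver_count() {
    resolv_nameservers "$1" | wc -l | tr -d ' '
}

# Succeed (exit 0) if the file points at a loopback address, which the wiki
# says must not be used before the join has succeeded.
resolv_uses_loopback() {
    resolv_nameservers "$1" | grep -q '^127\.'
}

# Classify the text dig printed for an SRV query:
#   timeout - dig reported a communications error / timed out (server gave no answer)
#   empty   - the server answered but returned no SRV record
#   ok      - at least one SRV record came back
classify_dig_output() {
    case "$1" in
        *"communications error"*|*"timed out"*) echo timeout ;;
        "") echo empty ;;
        *) echo ok ;;
    esac
}

# Query _ldap._tcp.$REALM SRV against one server with a short timeout so an
# unreachable DC fails fast instead of hanging through the default retries.
check_ldap_srv() {
    server="$1"
    out=$(dig +short +time=3 +tries=1 SRV "_ldap._tcp.$REALM" "@$server" 2>&1)
    classify_dig_output "$out"
}

# Report on one resolv.conf (default /etc/resolv.conf) and probe each server.
main() {
    conf="${1:-/etc/resolv.conf}"
    echo "nameservers in $conf: $(resolv_nameserver_count "$conf")"
    if resolv_uses_loopback "$conf"; then
        echo "WARNING: loopback nameserver listed; the join will not find a KDC"
    fi
    for ns in $(resolv_nameservers "$conf"); do
        echo "_ldap._tcp.$REALM via $ns: $(check_ldap_srv "$ns")"
    done
}

# Run only when invoked directly with a path, e.g. ./dc-dns-check.sh /etc/resolv.conf
if [ "$#" -gt 0 ]; then
    main "$@"
fi
```

Note what a "timeout" result does and does not tell you: it means no reply at all came back from that server on port 53 within the timeout, so it says nothing about whether the record exists. An "empty" result is the opposite case, a reachable server that simply has no such SRV record. Keeping the two apart is what separates a connectivity problem with the existing DC from a DNS-content problem.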