
[Samba] AD RODC not being used because of missing DNS entries?

Hi All, 

Is it correct that my RODC domain controller (DC2.ad.example.nl) has only one entry in the (internal) DNS on domain controller DC1?
It seems to me that, because of missing DNS entries, it is not used by clients in the AD domain.

I recently installed a second domain controller (DC2) alongside the smoothly running first domain controller DC1.
Samba version 4.8.5, CentOS 7 Linux; config files further below.

The command used to join the DC2 as RODC: 
# samba-tool domain join ad.example.nl RODC -U "ad.example.nl\Administrator" (see https://wiki.samba.org/index.php/Join_a_domain_as_a_RODC) 
This seemed to run OK, DC2 was joined to the domain. 

Before I restarted the samba-ad service, I set the uidNumber of DC2 because I use idmap backend = ad on the other domain members. 

Machine and user accounts are replicated to DC2. 
The A record for DC2.ad.example was added to the DNS on DC1, but nothing more.

I see no entries for LDAP, Kerberos etc. For example:
# host -t SRV _ldap._tcp.dc._msdcs.ad.example.nl 
_ldap._tcp.dc._msdcs.ad.example.nl has SRV record 0 100 389 DC1.ad.example.nl. 

# host ad.example.nl 
ad.example.nl has address 
which is the address of DC1. I thought it should also return a second IP address for DC2.

In /var/log/samba/log.samba I see truckloads of this:
[2018/10/19 21:51:05.039345, 0] ../source4/dsdb/dns/dns_update.c:330(dnsupdate_nameupdate_done) 
../source4/dsdb/dns/dns_update.c:330: Failed DNS update - with error code 4 

Should I add the records manually? Should they have been added when I joined the RODC to the domain? 
Or am I wrong about something else (very likely)? 


Tom Welter 

Below are the config files for both DCs.
Sysvol is replicated from DC1 to DC2 via rsync.

Samba Version: 
Version 4.8.5-SerNet-RedHat-11.el7 

Content of //DC1/etc/samba/smb.conf:
[global]
workgroup = EXAMPLENL
realm = AD.EXAMPLE.NL
netbios name = DC1
server role = active directory domain controller
dns forwarder = 
idmap_ldb:use rfc2307 = yes
allow dns updates = nonsecure
ldap server require strong auth = no
log level = 0

[netlogon]
path = /var/lib/samba/sysvol/ad.example.nl/scripts
read only = No

[sysvol]
path = /var/lib/samba/sysvol
read only = No

Content of //DC2/etc/samba/smb.conf:
[global]
netbios name = DC2
realm = AD.EXAMPLE.NL
server role = active directory domain controller
workgroup = EXAMPLENL

[netlogon]
path = /var/lib/samba/sysvol/ad.example.com/scripts
read only = No

[sysvol]
path = /var/lib/samba/sysvol
read only = No

For completeness:
# samba-tool dns zoneinfo dc1.ad.example.nl ad.example.nl -U administrator

fReverse : FALSE 
fPaused : FALSE 
fShutdown : FALSE 
fAutoCreated : FALSE 
fUseDatabase : TRUE 
pszDataFile : None 
aipMasters : [] 
fSecureSecondaries : DNS_ZONE_SECSECURE_NO_XFER 
aipSecondaries : [] 
aipNotify : [] 
fUseWins : FALSE 
fUseNbstat : FALSE 
fAging : FALSE 
dwNoRefreshInterval : 168 
dwRefreshInterval : 168 
dwAvailForScavengeTime : 0 
aipScavengeServers : [] 
dwRpcStructureVersion : 0x2 
dwForwarderTimeout : 0 
fForwarderSlave : 0 
aipLocalMasters : [] 
pszDpFqdn : DomainDnsZones.ad.example.nl 
pwszZoneDn : DC=ad.example.nl,CN=MicrosoftDNS,DC=DomainDnsZones,DC=ad,DC=example,DC=nl 
dwLastSuccessfulSoaCheck : 0 
dwLastSuccessfulXfr : 0 
fQueuedForBackgroundLoad : FALSE 
fBackgroundLoadInProgress : FALSE 
fReadOnlyZone : FALSE 
dwLastXfrAttempt : 0 
dwLastXfrResult : 0 
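The check the post performs by hand (querying `_ldap._tcp.dc._msdcs` and the domain apex with `host` and looking for the new DC) can be run over the whole set of records a DC needs in order to be found by clients. The script below is an added example for this thread, not code from the poster or from Samba. It parses `host` output in exactly the format shown above, and the record list it expects is the one Samba's DNS update registers for every DC (an RODC included), with the GC, PDC and GUID-based records left out; the site name `Default-First-Site-Name` and the 192.0.2.x addresses are assumptions and placeholders, and the sample `host` output is constructed to mirror the situation in the post (every SRV record names DC1 only, the apex A record carries one address, only DC2's own A record exists).

```python
"""Report which AD DNS records do not yet advertise a given domain controller.

Added example, not Samba code. The record set is the one Samba's DNS update registers
for each DC (GC-, PDC- and GUID-based records omitted); site name and addresses below
are assumptions / placeholders.
"""
import re
import subprocess
from typing import Callable, Dict, List

# `host` output as it appears in the post:
#   _ldap._tcp.dc._msdcs.ad.example.nl has SRV record 0 100 389 DC1.ad.example.nl.
#   ad.example.nl has address 192.0.2.1
SRV_RE = re.compile(r"has SRV record \d+ \d+ \d+ (\S+)$")
A_RE = re.compile(r"has address (\S+)$")


def expected_records(domain: str, dc_fqdn: str,
                     site: str = "Default-First-Site-Name") -> Dict[str, str]:
    """Map record name -> type for the records every DC must appear in (assumed set)."""
    d = domain.lower()
    srv_names = [
        f"_ldap._tcp.{d}", f"_ldap._tcp.dc._msdcs.{d}",
        f"_ldap._tcp.{site}._sites.{d}", f"_ldap._tcp.{site}._sites.dc._msdcs.{d}",
        f"_kerberos._tcp.{d}", f"_kerberos._udp.{d}", f"_kerberos._tcp.dc._msdcs.{d}",
        f"_kerberos._tcp.{site}._sites.{d}", f"_kerberos._tcp.{site}._sites.dc._msdcs.{d}",
        f"_kpasswd._tcp.{d}", f"_kpasswd._udp.{d}",
    ]
    recs = {name: "SRV" for name in srv_names}
    recs[d] = "A"                  # domain apex: one A record per DC
    recs[dc_fqdn.lower()] = "A"    # the DC's own host record
    return recs


def parse_host_output(text: str, rtype: str) -> List[str]:
    """Targets (SRV) or addresses (A) named in `host` output, lower-cased, no trailing dot."""
    rx = SRV_RE if rtype == "SRV" else A_RE
    hits = []
    for line in text.splitlines():
        m = rx.search(line.strip())
        if m:
            hits.append(m.group(1).lower().rstrip("."))
    return hits


def missing_records(domain: str, dc_fqdn: str, dc_ip: str,
                    lookup: Callable[[str, str], str],
                    site: str = "Default-First-Site-Name") -> List[str]:
    """Return '<TYPE> <name>' for every expected record whose answers do not include this DC."""
    missing = []
    for name, rtype in expected_records(domain, dc_fqdn, site).items():
        want = dc_ip if rtype == "A" else dc_fqdn.lower()
        if want not in parse_host_output(lookup(rtype, name), rtype):
            missing.append(f"{rtype} {name}")
    return missing


def host_lookup(rtype: str, name: str) -> str:
    """Live lookup through the same `host` utility the post uses."""
    return subprocess.run(["host", "-t", rtype, name],
                          capture_output=True, text=True).stdout


# Constructed sample mirroring the post: SRV records name DC1 only, the apex A record
# holds one (placeholder) address, and only DC2's own A record exists.
SAMPLE_A = {
    "ad.example.nl": "ad.example.nl has address 192.0.2.1\n",
    "dc2.ad.example.nl": "dc2.ad.example.nl has address 192.0.2.2\n",
}


def sample_lookup(rtype: str, name: str) -> str:
    if rtype == "SRV":
        return f"{name} has SRV record 0 100 389 DC1.ad.example.nl.\n"
    return SAMPLE_A.get(name, f"Host {name} not found: 3(NXDOMAIN)\n")


def demo() -> List[str]:
    """Records DC2 is missing from, evaluated against the constructed sample."""
    return missing_records("ad.example.nl", "DC2.ad.example.nl", "192.0.2.2", sample_lookup)


if __name__ == "__main__":
    # Swap sample_lookup for host_lookup to run it against a real DNS server.
    for rec in demo():
        print("missing:", rec)
```

Against the sample, every SRV name plus the apex A record is reported missing and only DC2's own A record passes, which is the picture the post describes; against a real zone, an empty result means clients can locate the DC through DNS, while any listed record is one that still has to be registered (by the DC's own dynamic update or by hand with `samba-tool dns add`).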
