
Re: [Samba] AD RODC not being used because of missing DNS entries?




On Sat, 20 Oct 2018 00:06:40 +0200 (CEST)
tomict via samba <samba@xxxxxxxxxxxxxxx> wrote:

> Thanks for the quick reply Rowland
> 
> >Never ran an RODC (yet), but this all sounds like the problems that
> >used to occur when joining a second DC, try reading this:
> 
> >https://wiki.samba.org/index.php/Verifying_and_Creating_a_DC_DNS_Record
> 
> 
> I checked this, both the A record and the objectGUID CNAME records
> exist for DC1 and DC2 on both servers.
> 
> 
> >You could try restarting Samba, there is a script 'samba_dnsupdate',
> >which uses a file 'dns_update_list' to create missing dns entries.
> >The script is run at start up.
> 
> > Rowland
> 
> I ran samba_dnsupdate manually on DC1 which runs fine. DC1 has all the
> records.
> 
> However, on DC2 there are errors. DC2 lacks the records which makes
> sense considering the errors. When I run samba_dnsupdate with log
> level = 3
> 
> GENSEC backend 'gssapi_spnego' registered
> GENSEC backend 'gssapi_krb5' registered
> GENSEC backend 'gssapi_krb5_sasl' registered
> GENSEC backend 'spnego' registered
> GENSEC backend 'schannel' registered
> GENSEC backend 'naclrpc_as_system' registered
> GENSEC backend 'sasl-EXTERNAL' registered
> GENSEC backend 'ntlmssp' registered
> GENSEC backend 'ntlmssp_resume_ccache' registered
> GENSEC backend 'http_basic' registered
> GENSEC backend 'http_ntlm' registered
> GENSEC backend 'http_negotiate' registered
> GENSEC backend 'krb5' registered
> GENSEC backend 'fake_gssapi_krb5' registered
> Error setting DNS entry of type 22: SRV _ldap._tcp.Default-First-Site-Name._sites.ad.iucn.nl dc2.ad.iucn.nl 389: (3221225653, '{Device Timeout} The specified I/O operation on %hs was not completed before the time-out period expired.')
> Error setting DNS entry of type 32: SRV _ldap._tcp.Default-First-Site-Name._sites.dc._msdcs.ad.iucn.nl dc2.ad.iucn.nl 389: (3221225653, '{Device Timeout} The specified I/O operation on %hs was not completed before the time-out period expired.')
> Error setting DNS entry of type 34: SRV _kerberos._tcp.Default-First-Site-Name._sites.ad.iucn.nl dc2.ad.iucn.nl 88: (3221225653, '{Device Timeout} The specified I/O operation on %hs was not completed before the time-out period expired.')
> Error setting DNS entry of type 30: SRV _kerberos._tcp.Default-First-Site-Name._sites.dc._msdcs.ad.iucn.nl dc2.ad.iucn.nl 88: (3221225653, '{Device Timeout} The specified I/O operation on %hs was not completed before the time-out period expired.')
> Failed update of 4 entries
> 
> Obviously there is something wrong with the dns updates on DC2. Any
> ideas?
> 
> Tom
> 

The problem is (as far as I understand it) that you cannot write to an
RODC; it forwards write actions to a writeable DC, which then replicates
them back.
From the above, it is timing out. Is there a firewall or similar in the
way? Can you ping a DC from the RODC?

Rowland
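As an added example (not part of the thread, and not Samba's own code), a small Python parser for the samba_dnsupdate error text Tom posted. It strips mail quoting, rejoins the wrapped lines, extracts each record that failed together with its NTSTATUS code, and flags the case where every failure is NT_STATUS_IO_TIMEOUT (0xC00000B5, which is the decimal 3221225653 shown above); that pattern is the "connectivity, not DNS data" signal Rowland points at, as opposed to a mix of codes that would suggest a problem with the records themselves. The `site_srv_records` helper is hypothetical and only builds the four site-scoped SRV names visible in the thread (samba_dnsupdate's dns_update_list covers more); the sample output is constructed from the posted text.

```python
"""Summarise samba_dnsupdate failures pasted from a mail quote (added example)."""
import re
from collections import Counter

# NTSTATUS reported in the thread: 3221225653 == 0xC00000B5 == NT_STATUS_IO_TIMEOUT ("{Device Timeout}").
NT_STATUS_IO_TIMEOUT = 0xC00000B5

# One samba_dnsupdate error, after whitespace has been collapsed:
# "Error setting DNS entry of type N: TYPE NAME TARGET PORT: (STATUS, 'TEXT')"
ERROR_RE = re.compile(
    r"Error setting DNS entry of type (?P<entry>\d+): (?P<rtype>[A-Z]+) "
    r"(?P<name>\S+) (?P<target>\S+) (?P<port>\d+): "
    r"\((?P<status>\d+), '(?P<text>[^']*)'\)"
)
FAILED_RE = re.compile(r"Failed update of (?P<n>\d+) entries")
QUOTE_RE = re.compile(r"(?m)^(?:> ?)+")


def parse_dnsupdate_errors(output):
    """Return one dict per failed record, in the order samba_dnsupdate reported them.

    Mail quoting ("> ") is removed and line wrapping undone by collapsing whitespace,
    so text copied straight out of a reply can be fed in. If the output carries a
    "Failed update of N entries" line, N is cross-checked against what was parsed.
    """
    flat = " ".join(QUOTE_RE.sub("", output).split())
    failures = []
    for m in ERROR_RE.finditer(flat):
        failures.append({
            "rtype": m.group("rtype"),
            "name": m.group("name"),
            "target": m.group("target"),
            "port": int(m.group("port")),
            "status": int(m.group("status")),
            "text": m.group("text"),
        })
    counted = FAILED_RE.search(flat)
    if counted and int(counted.group("n")) != len(failures):
        raise ValueError("parsed %d errors but samba_dnsupdate reported %s"
                         % (len(failures), counted.group("n")))
    return failures


def summarise(failures):
    """Group failures by NTSTATUS and flag the all-timeouts case.

    All failures sharing NT_STATUS_IO_TIMEOUT points at the RODC being unable to
    reach a writeable DC (firewall, routing, dead DC), not at bad record data.
    """
    by_status = Counter(f["status"] for f in failures)
    all_timeouts = bool(failures) and set(by_status) == {NT_STATUS_IO_TIMEOUT}
    return {
        "by_status": dict(by_status),
        "all_timeouts": all_timeouts,
        "records": sorted(f["name"] for f in failures),
    }


def site_srv_records(realm, site, dc_fqdn):
    """Hypothetical helper: the four site-scoped SRV records seen in the thread for one DC,
    as (type, name, target, port) tuples, so they can be compared with parsed failures."""
    return {
        ("SRV", "_ldap._tcp.%s._sites.%s" % (site, realm), dc_fqdn, 389),
        ("SRV", "_ldap._tcp.%s._sites.dc._msdcs.%s" % (site, realm), dc_fqdn, 389),
        ("SRV", "_kerberos._tcp.%s._sites.%s" % (site, realm), dc_fqdn, 88),
        ("SRV", "_kerberos._tcp.%s._sites.dc._msdcs.%s" % (site, realm), dc_fqdn, 88),
    }


# Constructed sample: the DC2 output from the thread, as it appears wrapped and quoted in the mail.
SAMPLE_OUTPUT = """\
> Error setting DNS entry of type 22: SRV
> _ldap._tcp.Default-First-Site-Name._sites.ad.iucn.nl dc2.ad.iucn.nl
> 389: (3221225653, '{Device Timeout} The specified I/O operation on
> %hs was not completed before the time-out period expired.') Error
> setting DNS entry of type 32: SRV
> _ldap._tcp.Default-First-Site-Name._sites.dc._msdcs.ad.iucn.nl
> dc2.ad.iucn.nl 389: (3221225653, '{Device Timeout} The specified I/O
> operation on %hs was not completed before the time-out period
> expired.') Error setting DNS entry of type 34: SRV
> _kerberos._tcp.Default-First-Site-Name._sites.ad.iucn.nl
> dc2.ad.iucn.nl 88: (3221225653, '{Device Timeout} The specified I/O
> operation on %hs was not completed before the time-out period
> expired.') Error setting DNS entry of type 30: SRV
> _kerberos._tcp.Default-First-Site-Name._sites.dc._msdcs.ad.iucn.nl
> dc2.ad.iucn.nl 88: (3221225653, '{Device Timeout} The specified I/O
> operation on %hs was not completed before the time-out period
> expired.') Failed update of 4 entries
"""

if __name__ == "__main__":
    failed = parse_dnsupdate_errors(SAMPLE_OUTPUT)
    report = summarise(failed)
    for f in failed:
        print("%-4s %-70s %s:%d status=0x%08X" % (f["rtype"], f["name"], f["target"], f["port"], f["status"]))
    print("all timeouts:", report["all_timeouts"])
    missing = site_srv_records("ad.iucn.nl", "Default-First-Site-Name", "dc2.ad.iucn.nl") - {
        (f["rtype"], f["name"], f["target"], f["port"]) for f in failed}
    print("site SRV records not reported as failed:", missing or "none")
```

Run it with the sample to get the four records and `all timeouts: True`; paste in another DC's samba_dnsupdate output in place of `SAMPLE_OUTPUT` to see whether the failures are uniform timeouts (look at reachability of a writeable DC first) or a mix of codes (look at the records and zone permissions).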

-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba