
Re: [Samba] AD RODC not being used because of missing DNS entries?





Hi,

We have encountered these timeout issues with Samba 4.7 as an RODC too. We created a ticket about it here:

https://bugzilla.samba.org/show_bug.cgi?id=13502


One thing is that even after the timeouts got resolved, I still get a weird behaviour with two entries that keep trying to update themselves when I run "samba_dnsupdate". The call succeeds, but the entries are actually NOT updated.

Here is what I'm seeing:

# samba_dnsupdate --verbose
IPs: ['192.168.57.3']
Looking for DNS entry A sambarodc.mondomaine.lan 192.168.57.3 as sambarodc.mondomaine.lan.
Looking for DNS entry CNAME 7648bfe6-0ad3-4924-b055-d229546e0284._msdcs.mondomaine.lan sambarodc.mondomaine.lan as 7648bfe6-0ad3-4924-b055-d229546e0284._msdcs.mondomaine.lan.
Looking for DNS entry SRV _ldap._tcp.Secondary._sites.mondomaine.lan sambarodc.mondomaine.lan 389 as _ldap._tcp.Secondary._sites.mondomaine.lan.
Checking 0 100 389 sambarodc.mondomaine.lan. against SRV _ldap._tcp.Secondary._sites.mondomaine.lan sambarodc.mondomaine.lan 389
Looking for DNS entry SRV _ldap._tcp.Secondary._sites.dc._msdcs.mondomaine.lan sambarodc.mondomaine.lan 389 as _ldap._tcp.Secondary._sites.dc._msdcs.mondomaine.lan.
Checking 0 100 389 sambarodc.mondomaine.lan. against SRV _ldap._tcp.Secondary._sites.dc._msdcs.mondomaine.lan sambarodc.mondomaine.lan 389
Looking for DNS entry SRV _kerberos._tcp.Secondary._sites.mondomaine.lan sambarodc.mondomaine.lan 88 as _kerberos._tcp.Secondary._sites.mondomaine.lan.
Checking 0 100 88 sambarodc.mondomaine.lan. against SRV _kerberos._tcp.Secondary._sites.mondomaine.lan sambarodc.mondomaine.lan 88
Looking for DNS entry SRV _kerberos._tcp.Secondary._sites.dc._msdcs.mondomaine.lan sambarodc.mondomaine.lan 88 as _kerberos._tcp.Secondary._sites.dc._msdcs.mondomaine.lan.
Checking 0 100 88 sambarodc.mondomaine.lan. against SRV _kerberos._tcp.Secondary._sites.dc._msdcs.mondomaine.lan sambarodc.mondomaine.lan 88
Looking for DNS entry SRV _gc._tcp.Secondary._sites.mondomaine.lan sambarodc.mondomaine.lan 3268 as _gc._tcp.Secondary._sites.mondomaine.lan.
The DNS entry SRV _gc._tcp.Secondary._sites.mondomaine.lan sambarodc.mondomaine.lan 3268, queried as _gc._tcp.Secondary._sites.mondomaine.lan. does not exist
need update: SRV _gc._tcp.Secondary._sites.mondomaine.lan sambarodc.mondomaine.lan 3268
Looking for DNS entry SRV _ldap._tcp.Secondary._sites.gc._msdcs.mondomaine.lan sambarodc.mondomaine.lan 3268 as _ldap._tcp.Secondary._sites.gc._msdcs.mondomaine.lan.
The DNS entry SRV _ldap._tcp.Secondary._sites.gc._msdcs.mondomaine.lan sambarodc.mondomaine.lan 3268, queried as _ldap._tcp.Secondary._sites.gc._msdcs.mondomaine.lan. does not exist
need update: SRV _ldap._tcp.Secondary._sites.gc._msdcs.mondomaine.lan sambarodc.mondomaine.lan 3268
2 DNS updates and 0 DNS deletes needed
Successfully obtained Kerberos ticket to DNS/sambarwdc.mondomaine.lan as SAMBARODC$
update (rodc): SRV _gc._tcp.Secondary._sites.mondomaine.lan sambarodc.mondomaine.lan 3268
update (rodc): SRV _ldap._tcp.Secondary._sites.gc._msdcs.mondomaine.lan sambarodc.mondomaine.lan 3268

# host -t SRV _gc._tcp.Secondary._sites.mondomaine.lan
Host _gc._tcp.Secondary._sites.mondomaine.lan not found: 3(NXDOMAIN)

# host -t SRV _gc._tcp.Secondary._sites.mondomaine.lan
Host _gc._tcp.Secondary._sites.mondomaine.lan not found: 3(NXDOMAIN)


Is it something you can see on your environment too?


Note that on my environment, the failed updates got resolved by themselves, as if the timeout was hiding the fact that the update finally succeeded. Now on other systems, updates had to be done manually as you did... We're still trying to understand what's different between the two.





On 20/10/2018 at 21:59, tomict via samba wrote:
BTW how did you make this tree view?
I have lots of time, so I typed it ;-)

Thanks for your time! :-)


There seem to be two problems with my RODC DC2:
1) DNS records were not generated when joining the domain. This is
perhaps caused by some kind of timeout problem.
Not sure about this, but you could be correct.

I can live with that. I only needed to input 4 entries manually (although I made that a challenge as well, see below)


2) manual addition of the "_msdcs" records
resulted in a wrong path (see below)
The 'wrong path' is because you gave it the wrong path ;-)
Aaaagh! @#!%@%!


If you run 'samba-tool dns zonelist 127.0.0.1 -U Administrator' it will
show your DNS zones, one of which should start with '_msdcs'.
So, your commands:
<....>
Should have been:
samba-tool dns add DC1 _msdcs.ad.example.nl _ldap._tcp.Default-First-Site-Name._sites.dc._msdcs.ad.example.nl SRV 'DC2.ad.example.nl 389 0 100'
samba-tool dns add DC1 _msdcs.ad.example.nl _kerberos._tcp.Default-First-Site-Name._sites.dc._msdcs.ad.example.nl SRV 'DC2.ad.example.nl 88 0 100'
Delete the wrong entries.
Rowland

Thanks for pointing that out. _msdcs is a zone! I did not realize that when I got the entries from the file /var/lib/samba/dns_update_list. The records are in place now.

I suppose the DNS entries in the other locations are not necessary for domain control on my RODC? I will know next week if DC2 starts being used.

To make my RODC ready for duty should DC1 fail I added, using the windows DNS manager:
1) a NS record pointing to my RODC (DC2) as name server in the AD.
2) an A record in ad.example.nl with blank hostname ('same as parent folder') pointing to the ip address of DC2
And I will preload user and computer accounts.

@Rowland: thank you very much for the help, much appreciated!

regards,

  Tom




--
Message sent with OBM, Free Communication by Linagora
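A check for the situation in the top reply (samba_dnsupdate reports an update that DNS still does not serve), combined with Rowland's point that _msdcs records have to go into the _msdcs zone, as an added example that is not part of the thread or of Samba: it parses the verbose output, asks an injected resolver (a constructed fake here; a real one would wrap dnspython or `host`) whether each record is actually served, and builds the `samba-tool dns add` line for whatever is still missing. The server name sambarwdc, the zone list and the fake DNS answers are assumptions.

```python
"""Cross-check samba_dnsupdate against live DNS and emit the samba-tool command for each
record it claimed to update but that still does not resolve. Added example; resolver injected."""
import re
from typing import Callable, Dict, List, Tuple
Record = Tuple[str, str, str]  # (rrtype, fqdn, rdata as samba_dnsupdate prints it)
Resolver = Callable[[str, str], List[str]]  # (rrtype, name) -> zone-file text answers, [] on NXDOMAIN
NEED_RE = re.compile(r"^need update: (\S+) (\S+) (.+)$")

def parse_needed(verbose_output: str) -> List[Record]:
    """Collect the 'need update:' lines of 'samba_dnsupdate --verbose'."""
    return [m.groups() for m in map(NEED_RE.match, verbose_output.splitlines()) if m]

def answer_matches(rrtype: str, rdata: str, answer: str) -> bool:
    """SRV answers read 'prio weight port target.'; samba_dnsupdate prints 'target port'."""
    if rrtype == "SRV":
        target, port = rdata.split()
        _prio, _weight, aport, atarget = answer.split()
        return (atarget.rstrip("."), aport) == (target.rstrip("."), port)
    return answer.rstrip(".") == rdata.rstrip(".")

def pick_zone(fqdn: str, zones: List[str]) -> str:
    """Longest matching zone wins, so _msdcs.<domain> beats <domain>."""
    hits = [z for z in zones if fqdn == z or fqdn.endswith("." + z)]
    if not hits:
        raise ValueError(f"no zone holds {fqdn}")
    return max(hits, key=len)

def samba_tool_add(server: str, zones: List[str], rec: Record) -> str:
    """'samba-tool dns add' takes SRV data as 'target port priority weight'."""
    rrtype, fqdn, rdata = rec
    if rrtype == "SRV":
        target, port = rdata.split()
        rdata = f"{target} {port} 0 100"  # priority 0 / weight 100, as samba_dnsupdate checks for
    return f"samba-tool dns add {server} {pick_zone(fqdn, zones)} {fqdn} {rrtype} '{rdata}'"

def fixup_commands(verbose_output: str, resolve: Resolver, server: str, zones: List[str]) -> List[str]:
    """samba-tool commands for records samba_dnsupdate claimed to update but DNS still lacks."""
    return [samba_tool_add(server, zones, r) for r in parse_needed(verbose_output)
            if not any(answer_matches(r[0], r[2], a) for a in resolve(r[0], r[1]))]

# Constructed sample mirroring the thread: the two _gc SRV records never appear in DNS.
SAMPLE_OUTPUT = """need update: SRV _gc._tcp.Secondary._sites.mondomaine.lan sambarodc.mondomaine.lan 3268
need update: SRV _ldap._tcp.Secondary._sites.gc._msdcs.mondomaine.lan sambarodc.mondomaine.lan 3268
2 DNS updates and 0 DNS deletes needed"""
FAKE_DNS: Dict[Tuple[str, str], List[str]] = {
    ("SRV", "_ldap._tcp.Secondary._sites.mondomaine.lan"): ["0 100 389 sambarodc.mondomaine.lan."]}
ZONES = ["mondomaine.lan", "_msdcs.mondomaine.lan"]  # assumed zone list, cf. samba-tool dns zonelist
fake_resolve: Resolver = lambda rrtype, name: FAKE_DNS.get((rrtype, name), [])

if __name__ == "__main__":
    print("\n".join(fixup_commands(SAMPLE_OUTPUT, fake_resolve, "sambarwdc", ZONES)))
```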