
Re: [Samba] AD RODC not being used because of missing DNS entries?





----- Original Message -----
> From: "samba" <samba@xxxxxxxxxxxxxxx>
> To: "samba" <samba@xxxxxxxxxxxxxxx>
> Sent: Monday, 22 October, 2018 07:57:23
> Subject: Re: [Samba] AD RODC not being used because of missing DNS entries?

> Hi,
> 
  <snip>
> 
> One thing is that even after the timeouts got resolved, I still get a
> weird behaviour with two entries that keeps trying to update themselves
> when I run "samba_dnsupdate". The call succeeds, but the entries are
> actually NOT updated.
> 
> Here is what I'm seeing:
  <snip>
>> 2 DNS updates and 0 DNS deletes needed
>> Successfully obtained Kerberos ticket to DNS/sambarwdc.mondomaine.lan as
>> SAMBARODC$
>> update (rodc): SRV _gc._tcp.Secondary._sites.mondomaine.lan
>> sambarodc.mondomaine.lan 3268
>> update (rodc): SRV _ldap._tcp.Secondary._sites.gc._msdcs.mondomaine.lan
>> sambarodc.mondomaine.lan 3268
>>
>> # host -t SRV _gc._tcp.Secondary._sites.mondomaine.lan
>> Host _gc._tcp.Secondary._sites.mondomaine.lan not found: 3(NXDOMAIN)
>>
>> # host -t SRV _gc._tcp.Secondary._sites.mondomaine.lan
>> Host _gc._tcp.Secondary._sites.mondomaine.lan not found: 3(NXDOMAIN)
> 
> 
> Is it something you can see on your environment too?
> 

Hi,

Sorry for replying too late, I did not notice until now that there was a follow-up to the mail conversation.

Yes, I had the same issue of two DNS records on the RODC trying to update, apparently with success, but not really. I resolved this, like you, by manually updating the records on the RWDC (which then got replicated to the RODC). Of course the RODC controller cannot write new records other than by replication because it is literally "read only". Maybe there is something wrong with the RODC join process because I would expect the DNS records to be created at that time.

The error that caused the two records not to update was, in my case, my first try at inserting the records by hand on the RWDC. I was looking at the file /var/lib/samba/private/dns_update_list for the records to update and did not notice that there are two different zones involved. It seemed as if the entries were present, so the update efforts seemed unnecessary, but in fact the records were not present at all.

The command I used first:

   # samba-tool dns add DC1 ad.example.nl _kerberos._tcp.Default-First-Site-Name._sites.dc._msdcs.ad.example.nl SRV 'DC2.ad.example.nl 88 0 100'

is syntactically correct, but it inserts a wrong entry in the wrong zone.

It should be done, as in my second try after Rowland pointed it out to me, like this:

   # samba-tool dns add DC1 _msdcs.ad.example.nl _kerberos._tcp.Default-First-Site-Name._sites.dc._msdcs.ad.example.nl SRV 'DC2.ad.example.nl 389 0 100'

Notice the different zone "_msdcs.ad.example.nl". I had the same problem with the _ldap entry.

The first (wrong) command created a wrong entry that confused everything, and me in particular.
I don't think that (or know if) this has anything to do with your problem, but it did solve mine.

regards,
Tom
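The zone mix-up described in the reply above can be avoided by picking the zone mechanically: the most specific hosted zone that is a suffix of the record name. The script below is an added example, not code from the thread or from Samba; the zone list, server name and hostnames are constructed, and on a real DC the zone list would come from "samba-tool dns zonelist".

```shell
#!/bin/sh
# Added example (not from the thread or Samba): pick the zone for a
# dns_update_list record and print the matching "samba-tool dns add" line.

# pick_zone "ZONE1 ZONE2 ..." RECORD
# Prints the longest listed zone that RECORD ends with; returns 1 if none.
# "_msdcs.ad.example.nl" is listed as its own zone, which is the point
# the reply above makes.
pick_zone() {
    zones=$1
    record=$2
    best=""
    for zone in $zones; do
        case "$record" in
            *."$zone"|"$zone")
                if [ "${#zone}" -gt "${#best}" ]; then
                    best=$zone
                fi
                ;;
        esac
    done
    [ -n "$best" ] || return 1
    printf '%s\n' "$best"
}

# srv_add_cmd SERVER "ZONES" RECORD TARGET PORT
# Prints the samba-tool invocation (priority 0, weight 100 as in the
# thread). Check the zone it picked before running the printed command.
srv_add_cmd() {
    server=$1
    zones=$2
    record=$3
    target=$4
    port=$5
    zone=$(pick_zone "$zones" "$record") || {
        echo "no hosted zone matches $record" >&2
        return 1
    }
    printf "samba-tool dns add %s %s %s SRV '%s %s 0 100'\n" \
        "$server" "$zone" "$record" "$target" "$port"
}

# Constructed demo with the zones from the reply: the _msdcs record lands
# in "_msdcs.ad.example.nl", the _gc record in the domain zone itself.
ZONES="ad.example.nl _msdcs.ad.example.nl"
srv_add_cmd DC1 "$ZONES" \
    _ldap._tcp.Default-First-Site-Name._sites.dc._msdcs.ad.example.nl \
    DC2.ad.example.nl 389
srv_add_cmd DC1 "$ZONES" \
    _gc._tcp.Default-First-Site-Name._sites.ad.example.nl \
    DC2.ad.example.nl 3268
```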



-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba