Aw: Re: DNS server not in sync with database?
abartlet at samba.org
Sat Feb 28 13:13:49 MST 2015
On Thu, 2015-02-26 at 07:34 +0100, support at remsnet.de wrote:
> Hello Amitay & Andrew and others
> This "feature" .. DB not in sync .. exists when the DC runs a while ... The same can be found with DLZ DB usage.
> I ask again for that:
> - DNS IN NS, IN NS AUTO-generated in CN=MicrosoftDNS,CN=System,DC=samba,DC=example,DC=com - while deploying a DC or joining as a DC
Yes, we seem to be missing NS records from the dns_update_list. This
also impacts on changing a hostname with renamedc, because even with my
new samba_dnsupdate script to use samba-tool (bypassing the chicken and
egg issue), we do not fix up the NS record.
> - DNS for our OWN DNS entries get VALIDATED after a join as DC (either as a re-join with the same SID)
We actually do that every time samba_dnsupdate runs. The issue is:
with the internal dns server nobody looks at the output (because of the
noise from nsupdate and our broken server-side crypto), and there is a
bug that in 'standard' process mode, we don't get the status result from
running the script.
Ideally, samba_dnsupdate would never fail, and doing so would be a clear
sign of poor health in this area.
I agree it could potentially be run during the join, where failure would
be more likely to be noticed.
> - DCs automatically added as IN NS for the zone
This is already done.
> - DCs automatically added as LDAP SRV for the zone
This is already done, as far as I can tell.
> - a diff of the DB for "IN A", IN SRV and missing LDAP SRV on joining DCs is heavily CRITICAL
> and should cause an ERROR to be put to the admin user saying failed join, with details..
> A kind of verification code is required here to make sure.
> - a samba-tool option, i.e. "sambatool validateDC", should be created that checks and force-corrects any kind of CORE DNS entry issues, as for disaster recovery.
This is in the logs, but as above, little attention is paid to it.
This is fundamentally what samba_dnsupdate does each time it runs. You
can run it manually as well for that reason.
I hope this helps!
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
Samba Developer, Catalyst IT http://catalyst.net.nz/services/samba
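As an added illustration of the kind of verification this thread asks for (this is example code written for this page, not Samba's own code and not from either poster): build the record set a DC must have, including the NS record the reply says is absent from dns_update_list, and diff it against a listing of the zone. The template entries, the parser, the hostnames, addresses and the zone dump below are all assumptions constructed for the example; the dump is only modelled loosely on the shape of `samba-tool dns query` output and is not taken from a real server.

```python
"""Check that a DC's core AD DNS records are present in its zone.

Added example, not Samba's code. It mimics the comparison samba_dnsupdate
performs: derive the records a DC must own, then report which are missing
from the zone. Record list, parser and sample zone are assumptions.
"""
import re
from string import Template
from typing import List, Set, Tuple

# (record type, owner name, value); SRV values are stored as "target:port".
Record = Tuple[str, str, str]

# Template lines in the spirit of dns_update_list. The NS line is listed on
# purpose, since the thread notes the shipped list lacks it. This subset of
# records is an assumption for the example, not a copy of Samba's file.
EXPECTED_TEMPLATE = [
    "A ${HOSTNAME} ${IP}",
    "NS ${DNSDOMAIN} ${HOSTNAME}",
    "SRV _ldap._tcp.${DNSDOMAIN} ${HOSTNAME} 389",
    "SRV _kerberos._tcp.${DNSDOMAIN} ${HOSTNAME} 88",
    "SRV _kpasswd._tcp.${DNSDOMAIN} ${HOSTNAME} 464",
]

def _norm(name: str) -> str:
    """Canonical DNS name: no trailing dot, lower case."""
    return name.rstrip(".").lower()

def expected_records(hostname: str, ip: str, dnsdomain: str) -> Set[Record]:
    """Substitute the DC's identity into the template lines."""
    out: Set[Record] = set()
    for line in EXPECTED_TEMPLATE:
        fields = Template(line).substitute(
            HOSTNAME=hostname, IP=ip, DNSDOMAIN=dnsdomain).split()
        rtype, owner = fields[0], _norm(fields[1])
        if rtype == "SRV":
            out.add((rtype, owner, f"{_norm(fields[2])}:{fields[3]}"))
        else:
            out.add((rtype, owner, _norm(fields[2])))
    return out

# "Name=<relative>, Records=N, ..." starts a node; record lines follow it.
_NAME_RE = re.compile(r"^\s*Name=(?P<name>[^,]*), Records=")
_REC_RE = re.compile(
    r"^\s*(?P<type>A|AAAA|NS|CNAME|SRV):\s+(?P<value>\S+)"
    r"(?:\s+\((?P<port>\d+), \d+, \d+\))?")

def parse_zone_dump(text: str, dnsdomain: str) -> Set[Record]:
    """Parse a zone listing into (type, owner, value) tuples."""
    records: Set[Record] = set()
    owner = _norm(dnsdomain)
    for line in text.splitlines():
        m = _NAME_RE.match(line)
        if m:
            rel = m.group("name").strip()
            owner = _norm(f"{rel}.{dnsdomain}") if rel and rel != "@" else _norm(dnsdomain)
            continue
        m = _REC_RE.match(line)
        if not m:
            continue  # SOA and other types are not part of this check
        value = _norm(m.group("value"))
        if m.group("type") == "SRV":
            value = f"{value}:{m.group('port')}"
        records.add((m.group("type"), owner, value))
    return records

def missing_records(hostname: str, ip: str, dnsdomain: str,
                    zone_dump: str) -> List[Record]:
    """Records the DC should own but the zone lacks; empty means healthy."""
    return sorted(expected_records(hostname, ip, dnsdomain)
                  - parse_zone_dump(zone_dump, dnsdomain))

# Constructed sample zone: dc1 is complete, dc2 lacks its NS and kerberos SRV.
SAMPLE_ZONE = """\
  Name=, Records=3, Children=0
    SOA: serial=1, refresh=900, retry=600, expire=86400, minttl=3600, ns=dc1.samba.example.com., email=hostmaster.samba.example.com. (flags=600000f0, serial=1, ttl=3600)
    NS: dc1.samba.example.com. (flags=600000f0, serial=1, ttl=900)
    A: 10.0.0.1 (flags=600000f0, serial=1, ttl=900)
  Name=dc1, Records=1, Children=0
    A: 10.0.0.1 (flags=600000f0, serial=1, ttl=900)
  Name=dc2, Records=1, Children=0
    A: 10.0.0.2 (flags=600000f0, serial=1, ttl=900)
  Name=_ldap._tcp, Records=2, Children=0
    SRV: dc1.samba.example.com. (389, 0, 100) (flags=600000f0, serial=1, ttl=900)
    SRV: dc2.samba.example.com. (389, 0, 100) (flags=600000f0, serial=1, ttl=900)
  Name=_kerberos._tcp, Records=1, Children=0
    SRV: dc1.samba.example.com. (88, 0, 100) (flags=600000f0, serial=1, ttl=900)
  Name=_kpasswd._tcp, Records=2, Children=0
    SRV: dc1.samba.example.com. (464, 0, 100) (flags=600000f0, serial=1, ttl=900)
    SRV: dc2.samba.example.com. (464, 0, 100) (flags=600000f0, serial=1, ttl=900)
"""

if __name__ == "__main__":
    for host, ip in (("dc1.samba.example.com", "10.0.0.1"),
                     ("dc2.samba.example.com", "10.0.0.2")):
        gaps = missing_records(host, ip, "samba.example.com", SAMPLE_ZONE)
        print(host, "OK" if not gaps else f"MISSING {gaps}")
```

A non-empty result is the "clear sign of poor health" the reply describes; run against a real listing it is the check a join or a DC rename should surface as an error rather than leave in the logs.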