Aw: Re: DNS server no in sync with database?

Andrew Bartlett abartlet at samba.org
Sat Feb 28 13:13:49 MST 2015 

On Thu, 2015-02-26 at 07:34 +0100, support at remsnet.de wrote:
> Hello Amitay  & Andrew  and others
> 
> This "featger"  .. DB not in sync ..  exist when the dc runs awhile ... Same you can found on DLZ DB usage.
> 
> I ask again for  that :
> 
> - dns  IN NS , IN NS AUTO-generated in CN=MicrosoftDNS,CN=System,DC=samba,DC=example,DC=com - while deploy an DC or join as an DC

Yes, we seem to be missing NS records from the dns_update_list.  This
also impacts on changing a hostname with renamedc, because even with my
new samba_dnsupdate script to use samba-tool (bypassing the chicken and
egg issue), we do not fix up the NS record.

> - dns for our OWN dns entries are get VALIDATED after an Join as DC ( either as an re-join  with the same SID ) 

We actually do that every time samba_dnsupdate runs.  The issue is:
with the internal dns server nobody looks at the output (because of the
noise from nsupdate and our broken server-side crypto), and there is a
bug that in 'standard' process mode, we don't get the status result from
running the script.  

Ideally, samba_dnsupdate would never fail, and doing so would be a clear
sign of poor heath in this area. 

I agree it could potentially be run during the join, where failure would
be more likely to be noticed. 

> - DC´s automatily added as IN NS for the zone 

This is already done.

> - DC´s automaticy added as LDAP SRV for the zone

This is already done, as far as I can tell.

> - an diff of the db  for "IN A " , IN SRV  and missing ldap SRV on an  joining DC´s are heavly CRITICAL  
>   and shuold cause put an ERROR to admin-user saying failed join with details..
>   an Kind of Verfication code are required here to make shure .
> - an samba-tool option i.e "sambatool validateDC"  shuold be created that check and force correct any kind CORE DNS entries Issues as of desaster-recovery .

This is in the logs, but as above, little attention is paid to it. 

This is fundamentally what samba_dnsupdate does each time it runs.  You
can run it manually as well for that reason. 

I hope this helps!

Andrew Bartlett

-- 
Andrew Bartlett                       http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba

More information about the samba-technical mailing list