Aw: Re: Re: DNS server no in sync with database?
support at remsnet.de
support at remsnet.de
Sun Mar 1 04:30:38 MST 2015
> Sent: Saturday, 28 February 2015 at 21:13
> From: "Andrew Bartlett" <abartlet at samba.org>
> To: support at remsnet.de
> Cc: "Amitay Isaacs" <amitay at gmail.com>, "Samba Technical" <samba-technical at lists.samba.org>
> Subject: Re: Aw: Re: DNS server no in sync with database?
> On Thu, 2015-02-26 at 07:34 +0100, support at remsnet.de wrote:
> > Hello Amitay & Andrew and others
> > This "feature" (DB not in sync) appears once the DC has been running for a while. You can see the same thing with DLZ DB usage.
> > I ask again for this:
> > - DNS IN NS records auto-generated in CN=MicrosoftDNS,CN=System,DC=samba,DC=example,DC=com while deploying a DC or joining as a DC
> Yes, we seem to be missing NS records from the dns_update_list. This
> also impacts on changing a hostname with renamedc, because even with my
> new samba_dnsupdate script to use samba-tool (bypassing the chicken and
> egg issue), we do not fix up the NS record.
Ugly, bad BUG stuff.
I am not a coder, but:
- one possible way to solve this is to fork a subprocess
- use e.g. IPC
- control the update over that
- close the forked subprocess when done.
There are many ways on Linux to get a clean hold over an "atomic state"; the kernel and Linux offer a lot for inter-process communication.
> > - DNS for our OWN DNS entries gets VALIDATED after a join as DC (also on a re-join with the same SID)
> We actually do that every time samba_dnsupdate runs. The issue is:
> with the internal dns server nobody looks at the output (because of the
> noise from nsupdate and our broken server-side crypto), and there is a
> bug that in 'standard' process mode, we don't get the status result from
> running the script.
Such a bug is ugly; see my comment above.
> Ideally, samba_dnsupdate would never fail, and doing so would be a clear
> sign of poor health in this area.
> I agree it could potentially be run during the join, where failure would
> be more likely to be noticed.
The truth is: samba_dnsupdate sometimes fails because of being out of sync, and if it does, the AD itself and the AD domain fall down.
> > - DCs automatically added as IN NS for the zone
Are you really, really sure?
I am not, neither with the latest samba 4.1.x nor with 4.2RC5:
- after a freshly set up master DC, join a freshly set up second DC
- let this run for e.g. 12h: the second DC's DNS entries are GONE without any admin action.
> This is already done.
> > - DCs automatically added as LDAP SRV for the zone
> This is already done, as far as I can tell.
NO, it isn't all the time. Should I prove it on a real installation?
> > - A diff of the DB for "IN A", IN SRV and missing LDAP SRV on joining DCs is heavily CRITICAL
> > and should cause an ERROR to the admin user saying the join failed, with details.
> > Some kind of verification code is required here to make sure.
> > - A samba-tool option, e.g. "samba-tool validateDC", should be created that checks and force-corrects any kind of CORE DNS entry issue, as for disaster recovery.
> This is in the logs, but as above, little attention is paid to it.
MS ADS verifies the ADS all the time; samba4 should do the same.
> This is fundamentally what samba_dnsupdate does each time it runs. You
> can run it manually as well for that reason.
I can clearly prove that samba_dnsupdate does not do this the right way all the time.
I can let you log in to freshly installed, latest samba4 DCs and check it out yourself.
DC and domain will fall down within less than 12h without *any* admin action
while using multiple DCs in different class-C IP subnets.
If there is interest in seeing this, ping me by PM.
> I hope this helps!
> Andrew Bartlett
> Andrew Bartlett http://samba.org/~abartlet/
> Authentication Developer, Samba Team http://samba.org
> Samba Developer, Catalyst IT http://catalyst.net.nz/services/samba
Regards, Horst
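The "validateDC"-style check Horst asks for above (every DC must still own its A record, the zone NS record and the LDAP/Kerberos SRV records) is easy to express as a diff between the records a DC set should own and a snapshot of the zone. The script below is an added example written for this editorial pass; it is not Samba's own code and there is no samba-tool subcommand of this name. The zone snapshot is constructed inline and reproduces the failure described in the thread (the second DC's NS and _ldap._tcp SRV records have vanished); the DC names, addresses and the `0 100` SRV priority/weight are assumptions, and a practitioner would fill the snapshot from `samba-tool dns query <server> <zone> @ ALL` or from `dig` output instead.

```python
"""Diff the core AD DNS records each DC must own against a zone snapshot.

Added example, not Samba code. A zone snapshot is a dict of
{(owner_fqdn, rtype): {rdata, ...}}; the one below is constructed.
"""
import sys

DOMAIN = "samba.example.com"

# Assumed DCs in two different subnets, as in the thread.
DCS = {
    "dc1": "192.0.2.10",
    "dc2": "198.51.100.10",
}

# Constructed snapshot: dc2 still has its A record and two of its SRV
# records, but its zone NS record and _ldap._tcp SRV record are gone.
ZONE_SNAPSHOT = {
    ("samba.example.com.", "NS"): {"dc1.samba.example.com."},
    ("dc1.samba.example.com.", "A"): {"192.0.2.10"},
    ("dc2.samba.example.com.", "A"): {"198.51.100.10"},
    ("_ldap._tcp.samba.example.com.", "SRV"): {
        "0 100 389 dc1.samba.example.com.",
    },
    ("_kerberos._tcp.samba.example.com.", "SRV"): {
        "0 100 88 dc1.samba.example.com.",
        "0 100 88 dc2.samba.example.com.",
    },
    ("_ldap._tcp.dc._msdcs.samba.example.com.", "SRV"): {
        "0 100 389 dc1.samba.example.com.",
        "0 100 389 dc2.samba.example.com.",
    },
}


def expected_records(domain, dcs):
    """Records every DC must own: its A record, an NS record for the
    zone, and LDAP/Kerberos SRV records (priority 0, weight 100 assumed)."""
    expected = {}
    for host, ip in dcs.items():
        fqdn = f"{host}.{domain}."
        expected.setdefault((fqdn, "A"), set()).add(ip)
        expected.setdefault((f"{domain}.", "NS"), set()).add(fqdn)
        for owner, port in ((f"_ldap._tcp.{domain}.", 389),
                            (f"_kerberos._tcp.{domain}.", 88),
                            (f"_ldap._tcp.dc._msdcs.{domain}.", 389)):
            expected.setdefault((owner, "SRV"), set()).add(
                f"0 100 {port} {fqdn}")
    return expected


def find_missing(zone, expected):
    """Return sorted (owner, rtype, rdata) triples present in `expected`
    but absent from `zone`. An empty list means the zone is healthy."""
    missing = []
    for (owner, rtype), rdatas in expected.items():
        present = zone.get((owner, rtype), set())
        for rdata in rdatas - present:
            missing.append((owner, rtype, rdata))
    return sorted(missing)


def check_zone(zone, domain, dcs):
    """Convenience wrapper: (healthy?, list of missing records)."""
    missing = find_missing(zone, expected_records(domain, dcs))
    return (len(missing) == 0, missing)


def main():
    healthy, missing = check_zone(ZONE_SNAPSHOT, DOMAIN, DCS)
    if healthy:
        print(f"zone {DOMAIN}: all core DC records present")
        return 0
    print(f"zone {DOMAIN}: {len(missing)} core DC record(s) MISSING")
    for owner, rtype, rdata in missing:
        print(f"  {owner} IN {rtype} {rdata}")
    return 1


if __name__ == "__main__":
    sys.exit(main())
```

Run from cron on every DC and alert on a non-zero exit; the missing-record list is exactly what a forced repair (or a manual `samba-tool dns add`) would need to put back.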