Re: Site coverage DNS update on RODC

Andrej Gessel Andrej.Gessel at janztec.com
Fri Aug 3 17:34:02 UTC 2018


Hello,


GC entries are not created because of this line in samba_dnsupdate script:

https://github.com/samba-team/samba/blob/a3d248f284eb2e5f4fe886310e481b28c9f1c392/source4/scripting/bin/samba_dnsupdate#L698



That's why you didn't see any error messages. Maybe it helps you.


Andrej

________________________________
From: samba-technical <samba-technical-bounces at lists.samba.org> on behalf of Rowland Penny via samba-technical <samba-technical at lists.samba.org>
Sent: Friday, 3 August 2018 18:57:23
To: samba-technical at lists.samba.org
Subject: Re: Site coverage DNS update on RODC

On Fri, 3 Aug 2018 17:55:27 +0200
Kévin Guérineau via samba-technical <samba-technical at lists.samba.org>
wrote:

> Hi everyone,
>
> I have been working with Denis at Tranquil IT testing with our client
> on the new site coverage coming with 4.9rc2. I have some issues with
> samba_dnsupdate on RODC, and I would need some help here to see if
> there is a bug or the issue resides in between the keyboard and the
> chair. Aside from the error messages below, samba_dnsupdate does not
> properly create the _gc fields (with Samba, every RWDC is a GC, so I
> guess it is the same case for RODC).
>
> I have added more specific notes written inline in the
> samba_dnsupdate --verbose output below. I can file a bugzilla entry
> if suitable.
>
> Thanks,
>
> Kevin Guérineau
>
> [root at srvrodc.env.tranq private]# samba_dnsupdate   --verbose
> IPs: ['192.168.1.130']
> 8 DNS updates and 0 DNS deletes needed
> Successfully obtained Kerberos ticket to DNS/srvads.env.tranquil.it
> as SRVRODC$
> update (nsupdate): A srvrodc.env.tranquil.it 192.168.1.130
> Calling nsupdate for A srvrodc.env.tranquil.it 192.168.1.130 (add)
> Successfully obtained Kerberos ticket to DNS/srvads.env.tranquil.it
> as SRVRODC$
> Outgoing update query:
> ;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:      0
> ;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
> ;; UPDATE SECTION:
> srvrodc.env.tranquil.it. 900    IN      A 192.168.1.130
>
> ####### note : during provisioning, the srvrodc A entry is created,
> but SRVRODC$ does not have an RW ACE on that entry, so the update fails
> ####### note : during samba_dnsupdate on SRVRODC, if the DNS A entry for
> itself has a wrong IP address, samba_dnsupdate creates a new entry
> rather than updating the existing one (it should delete the wrong one)
>
> update (rodc): CNAME
> 1a3cc061-4804-4983-950a-b2a3a0d29fa4._msdcs.env.tranquil.it
> srvrodc.env.tranquil.it
> Calling netlogon RODC update for CNAME
> 1a3cc061-4804-4983-950a-b2a3a0d29fa4._msdcs.env.tranquil.it
> srvrodc.env.tranquil.it
>
> ####### note : samba_dnsupdate tries to update even though the entry
> is already correct. Is this expected behavior?
>
> update (rodc): SRV _ldap._tcp.Site2._sites.env.tranquil.it
> srvrodc.env.tranquil.it 389
> Calling netlogon RODC update for SRV
> _ldap._tcp.Site2._sites.env.tranquil.it srvrodc.env.tranquil.it 389
> Error setting DNS entry of type 22: SRV
> _ldap._tcp.Site2._sites.env.tranquil.it srvrodc.env.tranquil.it 389:
> (3221225653, '{Device Timeout} The specified I/O operation on %hs was
> not completed before the time-out period expired.')
>
> ####### note : we are not sure why it fails here, if the entry is
> deleted, it is properly re-created, but we still get the same error
> message
>
> update (rodc): SRV _ldap._tcp.Site2._sites.dc._msdcs.env.tranquil.it
> srvrodc.env.tranquil.it 389
> Calling netlogon RODC update for SRV
> _ldap._tcp.Site2._sites.dc._msdcs.env.tranquil.it
> srvrodc.env.tranquil.it 389
> update (rodc): SRV _kerberos._tcp.Site2._sites.env.tranquil.it
> srvrodc.env.tranquil.it 88
> Calling netlogon RODC update for SRV
> _kerberos._tcp.Site2._sites.env.tranquil.it srvrodc.env.tranquil.it 88
> Error setting DNS entry of type 34: SRV
> _kerberos._tcp.Site2._sites.env.tranquil.it srvrodc.env.tranquil.it
> 88: (3221225653, '{Device Timeout} The specified I/O operation on %hs
> was not completed before the time-out period expired.')
>
> ####### (same as above) note : we are not sure why it fails here, if
> the entry is deleted, it is properly re-created, but we get the same
> error message
>
> update (rodc): SRV
> _kerberos._tcp.Site2._sites.dc._msdcs.env.tranquil.it
> srvrodc.env.tranquil.it 88
> Calling netlogon RODC update for SRV
> _kerberos._tcp.Site2._sites.dc._msdcs.env.tranquil.it
> srvrodc.env.tranquil.it 88
> update (rodc): SRV _gc._tcp.Site2._sites.env.tranquil.it
> srvrodc.env.tranquil.it 3268
>
> ####### note : we don't have any error message, but the entry is not
> created.
>
> update (rodc): SRV _ldap._tcp.Site2._sites.gc._msdcs.env.tranquil.it
> srvrodc.env.tranquil.it 3268
>
> #######  (same as above) note : we don't have any error message, but
> the entry is not created
>
> Failed update of 2 entries
>
> ####### note : it says that two entries failed, which is the case,
> but the ones reported as failed are not the ones that actually failed
>

From my understanding, an RODC is just that, it is read only and doesn't
have all the AD objects, it doesn't have the users for one thing,
these are cached when the user connects. So if you are trying to carry
out the DNS updates on the RODC, then they should always fail, they
should be passed to an RWDC.

See here:
https://social.technet.microsoft.com/wiki/contents/articles/4031.how-read-only-domain-controllers-and-dns-works.aspx

Rowland
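The verbose output quoted above mixes three kinds of lines: an "update (...)" line when samba_dnsupdate plans a record, a "Calling ..." line when it actually dispatches the update, and an "Error setting DNS entry ..." line when the dispatched call fails. The two _gc records never get a "Calling" line at all, so they are invisible to the closing "Failed update of N entries" summary. The following triage helper is an added example written for this thread; it is not code from the Samba project or from any of the posters. It assumes only the line formats visible in the quoted output, and its sample log is a constructed copy of that output with the mail wrapping undone and the nsupdate packet dump trimmed.

```python
"""Reconcile planned, dispatched and failed records in samba_dnsupdate --verbose output.

Added example (not Samba code). Assumed line formats, taken from the quoted output:
  update (<method>): <TYPE> <name> <target> [<port>]   -> update planned
  Calling netlogon RODC update for <TYPE> ...           -> update dispatched
  Calling nsupdate for <TYPE> ... (add|delete)          -> update dispatched
  Error setting DNS entry of type N: <TYPE> ...: (...)  -> dispatched call failed
  Failed update of N entries                            -> script's own summary
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional, Set

UPDATE_RE = re.compile(r"^update \((?P<method>\w+)\): (?P<type>[A-Z]+) (?P<rest>.+)$")
CALL_RE = re.compile(r"^Calling (?:netlogon RODC update|nsupdate) for "
                     r"(?P<type>[A-Z]+) (?P<rest>.+?)(?: \((?:add|delete)\))?$")
ERROR_RE = re.compile(r"^Error setting DNS entry of type \d+: (?P<type>[A-Z]+) (?P<rest>.+?): \(")
FAILED_RE = re.compile(r"^Failed update of (?P<n>\d+) entries$")


@dataclass
class Triage:
    planned: List[str] = field(default_factory=list)  # "TYPE name target [port]", in log order
    dispatched: Set[str] = field(default_factory=set)
    errored: Set[str] = field(default_factory=set)
    reported_failures: Optional[int] = None

    def silently_skipped(self) -> List[str]:
        """Planned updates for which no 'Calling ...' line ever appeared."""
        return [k for k in self.planned if k not in self.dispatched]

    def summary_matches_errors(self) -> bool:
        """True when the 'Failed update of N entries' line counts only the explicit errors."""
        return self.reported_failures == len(self.errored)


def record_key(m) -> str:
    return "%s %s" % (m.group("type"), m.group("rest"))


def is_gc_record(key: str) -> bool:
    """Global-catalog SRV names: _gc._tcp.<site>._sites.<dom> and _ldap._tcp.<site>._sites.gc._msdcs.<dom>."""
    name = key.split()[1].lower()
    return name.startswith("_gc.") or ".gc._msdcs." in name


def triage(log: str) -> Triage:
    t = Triage()
    for raw in log.splitlines():
        line = raw.strip()
        m = UPDATE_RE.match(line)
        if m:
            t.planned.append(record_key(m))
            continue
        m = CALL_RE.match(line)
        if m:
            t.dispatched.add(record_key(m))
            continue
        m = ERROR_RE.match(line)
        if m:
            t.errored.add(record_key(m))
            continue
        m = FAILED_RE.match(line)
        if m:
            t.reported_failures = int(m.group("n"))
    return t


# Constructed sample: the quoted --verbose run, unwrapped, with the nsupdate packet dump trimmed.
SAMPLE_LOG = """IPs: ['192.168.1.130']
8 DNS updates and 0 DNS deletes needed
Successfully obtained Kerberos ticket to DNS/srvads.env.tranquil.it as SRVRODC$
update (nsupdate): A srvrodc.env.tranquil.it 192.168.1.130
Calling nsupdate for A srvrodc.env.tranquil.it 192.168.1.130 (add)
Outgoing update query:
srvrodc.env.tranquil.it. 900    IN      A 192.168.1.130
update (rodc): CNAME 1a3cc061-4804-4983-950a-b2a3a0d29fa4._msdcs.env.tranquil.it srvrodc.env.tranquil.it
Calling netlogon RODC update for CNAME 1a3cc061-4804-4983-950a-b2a3a0d29fa4._msdcs.env.tranquil.it srvrodc.env.tranquil.it
update (rodc): SRV _ldap._tcp.Site2._sites.env.tranquil.it srvrodc.env.tranquil.it 389
Calling netlogon RODC update for SRV _ldap._tcp.Site2._sites.env.tranquil.it srvrodc.env.tranquil.it 389
Error setting DNS entry of type 22: SRV _ldap._tcp.Site2._sites.env.tranquil.it srvrodc.env.tranquil.it 389: (3221225653, '{Device Timeout} The specified I/O operation on %hs was not completed before the time-out period expired.')
update (rodc): SRV _ldap._tcp.Site2._sites.dc._msdcs.env.tranquil.it srvrodc.env.tranquil.it 389
Calling netlogon RODC update for SRV _ldap._tcp.Site2._sites.dc._msdcs.env.tranquil.it srvrodc.env.tranquil.it 389
update (rodc): SRV _kerberos._tcp.Site2._sites.env.tranquil.it srvrodc.env.tranquil.it 88
Calling netlogon RODC update for SRV _kerberos._tcp.Site2._sites.env.tranquil.it srvrodc.env.tranquil.it 88
Error setting DNS entry of type 34: SRV _kerberos._tcp.Site2._sites.env.tranquil.it srvrodc.env.tranquil.it 88: (3221225653, '{Device Timeout} The specified I/O operation on %hs was not completed before the time-out period expired.')
update (rodc): SRV _kerberos._tcp.Site2._sites.dc._msdcs.env.tranquil.it srvrodc.env.tranquil.it 88
Calling netlogon RODC update for SRV _kerberos._tcp.Site2._sites.dc._msdcs.env.tranquil.it srvrodc.env.tranquil.it 88
update (rodc): SRV _gc._tcp.Site2._sites.env.tranquil.it srvrodc.env.tranquil.it 3268
update (rodc): SRV _ldap._tcp.Site2._sites.gc._msdcs.env.tranquil.it srvrodc.env.tranquil.it 3268
Failed update of 2 entries
"""

if __name__ == "__main__":
    t = triage(SAMPLE_LOG)
    print("planned %d, dispatched %d, errored %d, reported failed %s"
          % (len(t.planned), len(t.dispatched), len(t.errored), t.reported_failures))
    for key in t.silently_skipped():
        print("never dispatched%s: %s" % (" (GC record)" if is_gc_record(key) else "", key))
```

Run against the sample, the helper reports 8 planned, 6 dispatched and 2 explicit errors, which is exactly what the "Failed update of 2 entries" line counts; the two records it lists as never dispatched are the _gc SRV entries, which is the silent-skip case Andrej traces to the samba_dnsupdate source. The A record whose nsupdate is rejected by the ACE problem is not visible in this output at all, so a parser like this can only show what the script itself logged.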


