[Samba] Active Directory DNS Registration

Robert LeBlanc robert at leblancnet.us
Thu Dec 3 10:03:55 MST 2009


On Thu, Dec 3, 2009 at 9:34 AM, Casey Allen Shobe <casey at shobe.info> wrote:

> On Thu, Dec 3, 2009 at 10:55 AM, Robert LeBlanc <robert at leblancnet.us>wrote:
>
>> When you use net ads join to join the computer to the domain, it should
>> register the machine in DNS as well.
>>
>
> Well, prior to reading this I actually got things changed over to use
> security = ads instead of domain, and re-joined the domain using kerberos.
> The DNS issue was exactly the same.
>
> Since you say that the machine object shows the name in lowercase, I assume
>> you did not create the object previously.
>>
>
> No, I did not.  I deleted it using active directory users and groups before
> rejoining with kerberos also.
>
>
>> If looking in DNS management does not show you machine in the forward
>> zone,
>>
>
> How can I check for sure?  wbinfo -I and -N work, btw, but not DNS
> resolution.  I do not have any access to the Windows DNS stuff as it runs on
> servers I cannot log in to.  Well, actually, I have a non-admin login right
> on one of them, but I don't think I can do anything useful with that.
>

I don't have login access to our DCs, but have been granted access to DNS. I
open up DNS management on my Windows XP workstation and select one of the
DCs as the DNS server; I can then do any DNS work without having to log in to
the DC. If this is still not an option, then I would make heavy use of the
dig command on Linux.


> try on the Samba server "sudo net ads dns register -P" That will try to
>> register the machine again in DNS.
>>
>
> That command hung for long time, then finally returned:
> "DNS update failed!"
>

I wonder if this may have to do with the domain requiring secure updates; it
seems that this would work since you have Kerberos working correctly. I
would look through the logs, maybe bumping up the debug level while running
the above command. You won't need to disjoin or rejoin to see the DNS
errors. I haven't had to do much in the way of DNS debugging here as it
works just fine in our environment.


> I'm not sure if pre-creating the object will cause problems as I have not
>> pre-created objects in my domain.
>>
>
> I deleted the computer from AD, and pre-created it using uppercase letters,
> then re-joined the domain using net ads join.  Now DNS resolution seems to
> work!
>

This seems fishy and doesn't make sense, as we don't have to do this here. I
would try some of the above things, as they may help pinpoint the real problem
and fix it for future Samba installs.


> > If you need additional IP's or CNAMEs, you may have to enter those
> > manually in DNS management.
>
> I'm assuming this is something on the Windows DC that is outside of my
> control.  Is it possible to set up a (linux-based) DNS server for our site
> that can resolve some custom things I put in, but passes anything it doesn't
> know an answer for (e.g. any Windows hostname) to the Windows DNS?
>
>
Please see my comment above; your AD admin may feel comfortable delegating
certain DNS rights to get your job done. I would much prefer that over a
split-horizon DNS, or a delegated zone if your site has its own sub-domain.
It gets too difficult to manage multiple DNS servers. We have a delegated DNS
zone for our AD domain, and our clients all use our Linux DNS servers by
default. The reason is that DNS was set up a long time ago and not everyone on
campus uses the Active Directory.

Client
   |
Linux DNS (school.edu, delegates school.local to AD DCs)
   |
Windows DNS (school.local)


Robert LeBlanc
Life Sciences & Undergraduate Education Computer Support
Brigham Young University
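
The checks Robert suggests above (use dig against the DCs, confirm Kerberos is
working, then re-run "net ads dns register -P" with the debug level raised) can
be scripted. The following POSIX sh helper is an added example for this thread
and is not code from either poster or from the Samba project. The domain name
school.local, the DC names dc1/dc2, the address 10.0.0.5 and the environment
variables DOMAIN, HOSTFQDN and RUN_LIVE are all assumptions; the live part
requires network access, a Kerberos ticket, dig, and the Samba "net" tool, so it
only runs when RUN_LIVE=1 is set, while the parsing helpers run anywhere.

```shell
#!/bin/sh
# Added example, not from the original thread. Diagnose a Samba member whose
# "net ads dns register -P" ends in "DNS update failed!" by asking every DC
# (found via the _ldap._tcp.dc._msdcs SRV record) what it has for this host.
# DOMAIN, HOSTFQDN and the DC/host names used in comments are assumptions.

DOMAIN="${DOMAIN:-school.local}"                       # assumed AD DNS domain
HOSTFQDN="${HOSTFQDN:-$(hostname -f 2>/dev/null)}"      # this member's FQDN

# Turn the output of `dig +short _ldap._tcp.dc._msdcs.<domain> SRV`
# ("prio weight port target.") into bare DC hostnames, one per line.
dc_list_from_srv() {
    printf '%s\n' "$1" | awk 'NF == 4 { sub(/\.$/, "", $4); print $4 }'
}

# Return 0 when the expected address appears among the A answers, 1 otherwise.
# $1 is the expected IP, $2 the newline-separated `dig +short <host> A` output.
verify_a_records() {
    expected="$1"; answers="$2"
    printf '%s\n' "$answers" | grep -qxF "$expected"
}

# Live checks: need a Kerberos ticket (secure dynamic updates are GSS-TSIG
# signed, so a missing or expired ticket is the first thing to rule out),
# then compare each DC's answer with our own address, then retry the
# registration with Samba debug output on.
run_live_checks() {
    if ! klist -s; then
        echo "no valid Kerberos ticket; run kinit first" >&2
        return 1
    fi
    dcs=$(dc_list_from_srv "$(dig +short "_ldap._tcp.dc._msdcs.$DOMAIN" SRV)")
    myip=$(hostname -I 2>/dev/null | awk '{ print $1 }')   # Linux-specific
    for dc in $dcs; do
        ans=$(dig +short "$HOSTFQDN" A "@$dc")
        if verify_a_records "$myip" "$ans"; then
            echo "$dc: $HOSTFQDN -> $myip (registered)"
        else
            echo "$dc: $HOSTFQDN missing or wrong address (got: ${ans:-nothing})"
        fi
    done
    # Re-attempt the registration; -d 10 raises the debug level so the
    # reason for "DNS update failed!" is visible without a disjoin/rejoin.
    sudo net ads dns register -P -d 10
}

if [ "${RUN_LIVE:-0}" = 1 ]; then
    run_live_checks
fi
```

Asking every DC, not just the one the resolver happens to use, matters because
AD-integrated zones replicate: a record that one DC accepted and another has
not yet received looks like a failed registration from the client side.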

