[Samba] DNS Issues when joining a Domain as a DC

Rowland Penny rowlandpenny at googlemail.com
Thu Oct 16 04:12:45 MDT 2014

On 16/10/14 10:35, Thomas Kempf wrote:
> Hi,
> yesterday I tried to join a domain as a DC with bind9 as dns-backend 
> on Debian Wheezy with samba 4.1.11 from backports. I followed the 
> tutorial in the wiki 
> https://wiki.samba.org/index.php/Join_a_domain_as_a_DC but didn't find 
> the instruction completely clear, so perhaps I made a mistake during 
> the join.
> It is written there:
> "If you choose BIND as DNS backend, instead of the internal DNS, then 
> you, of course, have to finish this before you continue"

As far as I am concerned this is incorrect. I just install the required 
packages:
apt-get -t wheezy-backports install samba attr krb5-config krb5-user ntp 
bind9 bind9utils dnsutils winbind libpam-winbind libpam-krb5 
libnss-winbind libsmbclient smbclient

Then stop any samba daemons and bind9, mv smb.conf and then join the 
domain as a DC:

samba-tool domain join example.com DC --realm=example.com 
--dns-backend=BIND9_DLZ -U administrator --password=P4ssw0rd*

This should get the DC joined to the domain; you then start samba:

service samba-ad-dc start

Now configure bind9. Once this is configured, you can start bind9. At 
this point you should only have to make the server use itself as the 
nameserver by altering /etc/resolv.conf and finally add the server to 
the reverse zone (if you have created one).

All the dns tests should work as expected.


> I could not figure out how to finish configuring bind as a backend, 
> when the keytab file and the other bind-related files get created 
> after joining the domain.
> So I ran the join command first, and with the files created in this 
> step, I was able to get the DC up and running...
> I had to manually create the A and CNAME records on the old DC like it 
> is written in the wiki in the part "Check required DNS entries of the 
> new host". My guess was that those entries should be replicated later 
> on to the new DC, but this seems not to work.
> When I check the name resolving of the A record on the newly joined DC 
> it does not resolve, whereas on the old one it works fine.
> AD-Domain is ad.hueper.de
> old DC is dns2.ad.hueper.de
> new DC is dns1.ad.hueper.de
> dns1:~# host -t A dns1.ad.hueper.de dns2.ad.hueper.de
> Using domain server:
> Name: dns2.ad.hueper.de
> Address:
> Aliases:
> dns1.ad.hueper.de has address
> dns1:~# host -t A dns1.ad.hueper.de dns1.ad.hueper.de
> Using domain server:
> Name: dns1.ad.hueper.de
> Address:
> Aliases:
> Host dns1.ad.hueper.de not found: 3(NXDOMAIN)
> When I look at the servers using RSAT DNS-Manager I can see the 
> A-Record on both DNS-Servers, so I wonder why it doesn't resolve on 
> the new DC?
> Is it safe to delete the A and CNAME Records and recreate them using 
> RSAT?
> Kind regards
> Tom
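
A small check script, added here as an example and not part of the thread or of Samba itself, that does what Tom did by hand: query the new DC's A record against every DC and flag servers whose answers disagree (old DC answers, new DC returns NXDOMAIN). It shells out to the same `host` tool used above; the DC names come from the thread, while the address 192.0.2.10 and the sample `host` output in `demo` are constructed.

```shell
#!/bin/sh
# Compare how each DC answers for a DC's A record after a join.
# Usage: ./dnscheck.sh <name> <dc1> <dc2> ...   (no args runs the built-in demo)

# classify: reduce the text printed by `host -t A <name> <server>` to one word
# so answers from different servers can be compared mechanically.
classify() {
    case "$1" in
        *NXDOMAIN*)                          echo NXDOMAIN ;;   # name unknown to that server
        *"has address"*|*"is an alias for"*) echo RESOLVED ;;   # A record (or CNAME) returned
        *"has no "*)                         echo NOANSWER ;;   # name exists, no record of that type
        *)                                   echo ERROR ;;      # timeout, refused, unreachable
    esac
}

# compare: takes "server=result" pairs, prints them, returns 1 if any disagree.
compare() {
    first=""; rc=0
    for pair in "$@"; do
        result=${pair#*=}
        echo "$pair"
        [ -z "$first" ] && first=$result
        [ "$result" = "$first" ] || rc=1
    done
    [ $rc -eq 0 ] && echo "OK: all servers agree" \
                  || echo "MISMATCH: check replication and the DLZ zone on the odd server"
    return $rc
}

# live_check NAME SERVER...: ask each SERVER for NAME's A record and compare.
live_check() {
    name=$1; shift
    pairs=""
    for srv in "$@"; do
        pairs="$pairs $srv=$(classify "$(host -t A "$name" "$srv" 2>&1)")"
    done
    compare $pairs   # word splitting intended: one server=result token each
}

# demo: the two answers seen in the thread (address constructed) fed through
# the same path; prints MISMATCH because only the old DC resolves the name.
demo() {
    old=$(classify "dns1.ad.hueper.de has address 192.0.2.10")
    new=$(classify "Host dns1.ad.hueper.de not found: 3(NXDOMAIN)")
    compare "dns2.ad.hueper.de=$old" "dns1.ad.hueper.de=$new"
}

if [ $# -ge 2 ]; then live_check "$@"; else demo || true; fi
```

Run it against all DCs right after the join and again after the new DC's zone has had time to replicate; a persistent MISMATCH on the new DC points at the BIND9_DLZ zone rather than at the records themselves.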
