[Samba] DNS Issues when joining a Domain as a DC

Daniel Müller mueller at tropenklinik.de
Thu Oct 16 05:12:45 MDT 2014


My /etc/krb5.conf on both of my DCs:
[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 default_realm = TPLK.LOC
 dns_lookup_realm = true
 dns_lookup_kdc = true
 ticket_lifetime = 24h
 renew_lifetime = 7d
 forwardable = true

[realms]
 TPLK.LOC = {
  kdc = first-dc second-dc
  admin_server = first-dc.TPLK.LOC second-dc.TPLK.LOC
 }

[domain_realm]
 .tplk.loc = TPLK.LOC
 tplk.loc = TPLK.LOC

So I think you did:
ldbsearch -H /usr/local/samba/private/sam.ldb '(invocationid=*)' --cross-ncs objectguid
and the steps that follow, too.

So if you remove the entry from resolv.conf on your new DC which points to
your first DC, nothing gets resolved?
And on your new DC you run nslookup, e.g.:
nslookup
> s4slave
Server:         192.168.135.253
Address:        192.168.135.253#53

Name:   s4slave.tplk.loc
Address: 172.17.1.2
Name:   s4slave.tplk.loc
Address: 192.168.135.253
Name:   s4slave.tplk.loc
Address: 192.168.132.241

This should point you to the first nameserver in your resolv.conf
(Server: your.new.dc!?)

IT: Daniel Müller

Head of IT
Tropenklinik Paul-Lechler-Krankenhaus
Paul-Lechler-Str. 24
72076 Tübingen 
Tel.: 07071/206-463, Fax: 07071/206-499
eMail: mueller at tropenklinik.de
Internet: www.tropenklinik.de



-----Original Message-----
From: samba-bounces at lists.samba.org [mailto:samba-bounces at lists.samba.org] On
Behalf Of Thomas Kempf
Sent: Thursday, 16 October 2014 12:45
To: samba at lists.samba.org
Subject: Re: [Samba] DNS Issues when joining a Domain as a DC

Hi Daniel,

On 16.10.2014 at 12:12, Daniel Müller wrote:
> Is your first DC a Samba4 host?
Yes, 4.1.11 too

> Did you: samba-tool domain join YOURDOMAIN DC -Uadministrator 
> --realm=your.realm --dns-backend=BIND9_DLZ
Yes, but I had to add the options "interfaces=127.0.01,192.168.0.1" and
"bind interfaces only=yes" because I have more interfaces on that machine

> samba-tool dns add your.master.dc your.realm YOUR.NEW.DC A 
> your.new.dc.ip -Uadministrator
Yes

> host -t A YOUR.NEW.DC.  must show no errors!!
It does not show errors as long as the nameserver is the master DC.
When I use the nameserver on the new DC it does not get resolved.

> What about your krb5.conf?
On the new DC:
dns1:~# cat /etc/krb5.conf
[libdefaults]
         default_realm = AD.HUEPER.DE
         dns_lookup_realm = true
         dns_lookup_kdc = true

On the master DC:
dns2:~# cat /etc/krb5.conf
[libdefaults]
         default_realm = AD.HUEPER.DE
         dns_lookup_realm = false
         dns_lookup_kdc = true

> What about : samba-tool drs kcc -Uadministrator Your.domain.controllers  ?
I did not run that command initially. I thought this was only necessary when
joining an MS DC.
I just ran it now:

dns1:~# samba-tool drs kcc -Uadministrator
Password for [HUEPER\administrator]:
Consistency check on dns1.ad.hueper.de successful.

dns1:~# samba-tool drs kcc -Uadministrator dns2.ad.hueper.de
Password for [HUEPER\administrator]:
Consistency check on dns2.ad.hueper.de successful.




> Ex:
> samba-tool drs kcc -Uadministrator s4master.tplk.loc
> Password for [TPLK\administrator]:
> Consistency check on s4master.tplk.loc successful.
>
> IT: Daniel Müller
>
> Head of IT
> Tropenklinik Paul-Lechler-Krankenhaus
> Paul-Lechler-Str. 24
> 72076 Tübingen
> Tel.: 07071/206-463, Fax: 07071/206-499
> eMail: mueller at tropenklinik.de
> Internet: www.tropenklinik.de
>
>
>
>
>
> -----Original Message-----
> From: samba-bounces at lists.samba.org 
> [mailto:samba-bounces at lists.samba.org] On Behalf Of Thomas Kempf
> Sent: Thursday, 16 October 2014 11:35
> To: samba at lists.samba.org
> Subject: [Samba] DNS Issues when joining a Domain as a DC
>
> Hi,
> yesterday I tried to join a domain as a DC with bind9 as dns-backend 
> on Debian Wheezy with samba 4.1.11 from backports. I followed the 
> tutorial in the wiki
> https://wiki.samba.org/index.php/Join_a_domain_as_a_DC but didn't
> find the instruction completely clear, so perhaps I made a mistake 
> during the join.
> It is written there:
> "If you choose BIND as DNS backend, instead of the internal DNS, then 
> you, of course, have to finish this before you continue"
> I could not figure out how to finish configuring bind as a backend, 
> when the keytab file and the other bind-related files get created 
> after joining the domain.
> So I ran the join command first, and with the files created in this 
> step, I was able to get the DC up and running...
> I had to manually create the A and CNAME records on the old DC like it 
> is written in the wiki in the part "Check required DNS entries of the 
> new host". My guess was that those entries would be replicated later 
> on to the new DC, but that seems not to work.
> When I check the name resolving of the A record on the newly joined DC 
> it does not resolve, whereas on the old one it works fine.
>
> AD-Domain is ad.hueper.de
> old DC is dns2.ad.hueper.de
> new DC is dns1.ad.hueper.de
>
> dns1:~# host -t A dns1.ad.hueper.de dns2.ad.hueper.de
> Using domain server:
> Name: dns2.ad.hueper.de
> Address: 192.168.0.2#53
> Aliases:
>
> dns1.ad.hueper.de has address 192.168.0.1
>
> dns1:~# host -t A dns1.ad.hueper.de dns1.ad.hueper.de
> Using domain server:
> Name: dns1.ad.hueper.de
> Address: 192.168.0.1#53
> Aliases:
>
> Host dns1.ad.hueper.de not found: 3(NXDOMAIN)
>
> When I look at the servers using RSAT DNS-Manager I can see the 
> A-Record on both DNS-Servers, so I wonder why it doesn't resolve on the
> new DC?
> Is it safe to delete the A and CNAME Records and recreate them using RSAT?
>
> kind regards
> Tom
>
>
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/options/samba
>

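Daniel's advice above comes down to asking every DC's nameserver the same question and comparing the answers. The script below is added here as an example (it is not code from the thread or from the Samba project) and does that for the records a freshly joined DC must serve: its own A record, the domain's A record, the `_ldap` and `_kerberos` SRV records, and, if you pass the objectGUID that the `ldbsearch` command above returns, the `<GUID>._msdcs` CNAME from the wiki's "required DNS entries" step. The realm, the DC names and the presence of the `host` utility are assumptions taken from the thread; the parsing function reads `host` output from stdin, so it can be checked against the outputs quoted in the thread without touching the network.

```shell
#!/bin/sh
# Added example, not code from the thread or from Samba: query the DNS records a
# newly joined Samba DC depends on against every DC's nameserver and report where
# the answers fail or disagree. Needs the `host` utility (bind9-host / bind-utils).
# The realm and DC names below are assumptions taken from the thread; edit them.

REALM="ad.hueper.de"                       # AD DNS domain (assumed from the thread)
DCS="dns2.ad.hueper.de dns1.ad.hueper.de"  # nameservers to compare: old DC, new DC

# Reduce the output of `host -t <type> <name> <server>` to one token: the answer
# data (addresses, SRV/CNAME targets; sorted and comma-joined when there are
# several), or NXDOMAIN / NOANSWER / FAIL. Reads stdin so it can be tested offline.
summarize_host_output() {
    out=$(awk '
        /has address /      { print $NF; next }
        /has SRV record /   { print $NF; next }
        /is an alias for /  { print $NF; next }
        /NXDOMAIN/          { print "NXDOMAIN"; next }
        /has no .* record/  { print "NOANSWER"; next }
    ' | sort -u | paste -s -d ',' -)
    printf '%s\n' "${out:-FAIL}"   # nothing recognised (timeout, SERVFAIL, ...) -> FAIL
}

# Run one query against one nameserver and summarize the result.
query_on() {   # query_on <server> <type> <name>
    host -t "$2" "$3" "$1" 2>&1 | summarize_host_output
}

# The records every DC must answer identically once the join has replicated:
# the new DC's A record, the domain's own A record, and the SRV records clients
# use to locate LDAP and Kerberos. An optional objectGUID adds the <GUID>._msdcs
# CNAME. Prints one line per (record, nameserver); returns 1 if any server
# fails to answer or the servers disagree, 0 otherwise.
check_required_records() {   # check_required_records <new-dc-fqdn> [objectGUID]
    new=$1; guid=$2; rc=0
    while read -r type name; do
        [ -n "$name" ] || continue          # empty CNAME line when no GUID was given
        ref=""
        for dc in $DCS; do
            ans=$(query_on "$dc" "$type" "$name")
            printf '%-5s %-38s via %-20s -> %s\n' "$type" "$name" "$dc" "$ans"
            case $ans in NXDOMAIN|NOANSWER|FAIL) rc=1 ;; esac
            if [ -z "$ref" ]; then ref=$ans; elif [ "$ans" != "$ref" ]; then rc=1; fi
        done
    done <<EOF
A $new
A $REALM
SRV _ldap._tcp.$REALM
SRV _kerberos._tcp.$REALM
SRV _ldap._tcp.dc._msdcs.$REALM
${guid:+CNAME $guid._msdcs.$REALM}
EOF
    return $rc
}

# Usage: sh check_dc_dns.sh dns1.ad.hueper.de [objectGUID-of-new-dc]
# The live checks only run when a DC name is given, so the file can be sourced
# for its functions without sending any queries.
if [ "$#" -ge 1 ]; then
    check_required_records "$@"
fi
```

Run it on the new DC as `sh check_dc_dns.sh dns1.ad.hueper.de`. An address from one DC and NXDOMAIN from the other, as in Tom's output, shows up as a disagreement and a non-zero exit; that is the condition to clear before clients are pointed at the new DC's nameserver.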