[Samba] DNS Issues when joining a Domain as a DC

Rowland Penny rowlandpenny at googlemail.com
Thu Oct 16 05:13:40 MDT 2014


On 16/10/14 11:59, Thomas Kempf wrote:
> Am 16.10.2014 um 12:12 schrieb Rowland Penny:
>> On 16/10/14 10:35, Thomas Kempf wrote:
>>> Hi,
>>> yesterday I tried to join a domain as a DC with bind9 as dns-backend
>>> on Debian Wheezy with samba 4.1.11 from backports. I followed the
>>> tutorial in the wiki
>>> https://wiki.samba.org/index.php/Join_a_domain_as_a_DC but didn't find
>>> the instruction completely clear, so perhaps I made a mistake during
>>> the join.
>>> It is written there:
>>> "If you choose BIND as DNS backend, instead of the internal DNS, then
>>> you, of course, have to finish this before you continue"
>>
>> As far as I am concerned this is incorrect, I just install the required
>> packages:
>>
>> apt-get -t wheezy-backports install samba attr krb5-config krb5-user ntp
>> bind9 bind9utils dnsutils winbind libpam-winbind libpam-krb5
>> libnss-winbind libsmbclient smbclient
>>
>> Then stop any samba daemons and bind9, mv smb.conf and then join the
>> domain as a DC:
>
> I had bind9 running during the next command without the AD-zone. But 
> that should make no difference. When I joined the domain I gave the 
> hostname in capitals (DNS1). But IMO that should make no difference 
> either. At least it gets resolved when using the Master DC as DNS-Server.
>

Hi, I cannot confirm that whether bind was running or not makes a 
difference, all I can say is that my DCs have been up and running since 
August without incidents. The other question is where did you enter the 
hostname (DNS1) on the join command, I ask this because as far as I can 
see there is nowhere to enter it.

>>
>> samba-tool domain join example.com DC --realm=example.com
>> --dns-backend=BIND9_DLZ -U administrator --password=P4ssw0rd*
>>
>> This should get the DC joined to the domain, you then start samba:
>>
>> service samba-ad-dc start
>>
>> Now configure bind9, once this is configured, you can start bind9, at
>> this point you should only have to make the server use itself as the
>> nameserver by altering /etc/resolv.conf and finally add the server to
>> the reverse zone (if you have created one)
>
> I did it nearly the same way, but I rechecked the DNS-Entry of the new 
> DC before switching resolv.conf and found that it gets only resolved 
> when using the DNS-Server on the Master DC and not on the newly 
> created one. Do you think I can safely delete the existing records and 
> recreate them?

If you hadn't changed resolv.conf before checking, then the new DC would 
not be checked. I cannot recommend deleting the existing records, this 
could cause more problems than it solves.

Rowland
>
>> All the dns tests should work as expected.
>>
>> Rowland
>>
>>> I could not figure out how to finish configuring bind as a backend,
>>> when the keytab file and the other bind-related files get created
>>> after joining the domain.
>>> So I ran the join command first, and with the files created in this
>>> step, I was able to get the DC up and running...
>>> I had to manually create the A and CNAME records on the old DC like it
>>> is written in the wiki in the part "Check required DNS entries of the
>>> new host". My guess was that those entries would be replicated later
>>> on to the new DC, but that seems not to work.
>>> When I check the name resolving of the A record on the newly joined DC
>>> it does not resolve whereas on the old one it works fine.
>>>
>>> AD-Domain is ad.hueper.de
>>> old DC is dns2.ad.hueper.de
>>> new DC is dns1.ad.hueper.de
>>>
>>> dns1:~# host -t A dns1.ad.hueper.de dns2.ad.hueper.de
>>> Using domain server:
>>> Name: dns2.ad.hueper.de
>>> Address: 192.168.0.2#53
>>> Aliases:
>>>
>>> dns1.ad.hueper.de has address 192.168.0.1
>>>
>>> dns1:~# host -t A dns1.ad.hueper.de dns1.ad.hueper.de
>>> Using domain server:
>>> Name: dns1.ad.hueper.de
>>> Address: 192.168.0.1#53
>>> Aliases:
>>>
>>> Host dns1.ad.hueper.de not found: 3(NXDOMAIN)
>>>
>>> When I look at the servers using RSAT DNS-Manager I can see the
>>> A-Record on both DNS-Servers, so I wonder why doesn't it resolve on
>>> the new DC?
>>> Is it safe to delete the A and CNAME Records and recreate them using
>>> RSAT?
>>>
>>> kind regards
>>> Tom
>>>
>>
>
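
The check Rowland describes above, querying each DC's nameserver directly instead of trusting whatever /etc/resolv.conf points at, as an added example script that is not part of the thread or of Samba. It uses the `host` utility from dnsutils and the hostnames and addresses Tom posted; the two embedded sample outputs are constructed copies of his two queries so the parser can be exercised offline, and the script name is hypothetical.

```shell
#!/bin/sh
# Added example, not from the thread: ask every DC's nameserver for the new
# DC's A record and flag any server whose answer differs. Hostnames and the
# sample outputs below are constructed from the thread's own queries.

# parse_host_answer: read the output of `host -t A NAME SERVER` on stdin and
# print the address found, the rcode name (e.g. NXDOMAIN), or NOANSWER.
parse_host_answer() {
    awk '
        / has address / { print $NF; found = 1 }
        / not found: /  { sub(/.*not found: [0-9]*\(/, ""); sub(/\).*/, ""); print; found = 1 }
        END             { if (!found) print "NOANSWER" }
    '
}

# answers_agree ANSWER...: succeed only if every answer equals the first one.
answers_agree() {
    first=$1
    shift
    for a in "$@"; do
        [ "$a" = "$first" ] || return 1
    done
    return 0
}

# check_record_on_dcs NAME SERVER...: query each server for NAME, print what
# each one says, and fail if they disagree (zone not loaded or not replicated
# on at least one DC). This is the only part that talks to the network.
check_record_on_dcs() {
    name=$1
    shift
    answers=""
    for server in "$@"; do
        answer=$(host -t A "$name" "$server" 2>&1 | parse_host_answer)
        printf '%-24s -> %s\n' "$server" "$answer"
        answers="$answers $answer"
    done
    # word splitting of $answers is intended: one argument per answer
    answers_agree $answers
}

# Constructed samples mirroring the two queries posted in the thread.
SAMPLE_GOOD='Using domain server:
Name: dns2.ad.hueper.de
Address: 192.168.0.2#53
Aliases:

dns1.ad.hueper.de has address 192.168.0.1'

SAMPLE_NXDOMAIN='Using domain server:
Name: dns1.ad.hueper.de
Address: 192.168.0.1#53
Aliases:

Host dns1.ad.hueper.de not found: 3(NXDOMAIN)'

# With arguments, run the live check, e.g.
#   ./check-dc-dns.sh dns1.ad.hueper.de dns2.ad.hueper.de dns1.ad.hueper.de
# Without arguments, run the parser over the constructed samples instead.
if [ $# -ge 2 ]; then
    check_record_on_dcs "$@"
else
    a=$(printf '%s\n' "$SAMPLE_GOOD" | parse_host_answer)
    b=$(printf '%s\n' "$SAMPLE_NXDOMAIN" | parse_host_answer)
    printf 'dns2 says: %s\ndns1 says: %s\n' "$a" "$b"
    if answers_agree "$a" "$b"; then
        echo "DCs agree"
    else
        echo "DCs disagree: the NXDOMAIN server has not loaded or received the AD zone"
    fi
fi
```

Run it with the record name first and then every DC, including the one being checked, so the comparison is against the server that already answers correctly; a DC answering NXDOMAIN while RSAT shows the record usually means bind9 on that DC is not serving the AD zone through the DLZ module rather than that the record is missing.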