[Samba] DNS Issues when joining a Domain as a DC

Rowland Penny rowlandpenny at googlemail.com
Thu Oct 16 05:22:39 MDT 2014 

On 16/10/14 12:17, Thomas Kempf wrote:
> Am 16.10.2014 um 13:13 schrieb Rowland Penny:
>> On 16/10/14 11:59, Thomas Kempf wrote:
>>> Am 16.10.2014 um 12:12 schrieb Rowland Penny:
>>>> On 16/10/14 10:35, Thomas Kempf wrote:
>>>>> Hi,
>>>>> yesterday i tried to join a domain as a DC with bind9 as dns-backend
>>>>> on Debian Wheezy with samba 4.1.11 from backports. I followed the
>>>>> tutorial in the wiki
>>>>> https://wiki.samba.org/index.php/Join_a_domain_as_a_DC but didn' find
>>>>> the instruction completely clear, so perhaps i made a mistake during
>>>>> the join.
>>>>> It is written there:
>>>>> "If you choose BIND as DNS backend, instead of the internal DNS, then
>>>>> you, of course, have to finish this before you continue"
>>>>
>>>> As far as I am concerned this is incorrect, I just install the 
>>>> required
>>>> packages:
>>>>
>>>> apt-get -t wheezy-backports install samba attr krb5-config 
>>>> krb5-user ntp
>>>> bind9 bind9utils dnsutils winbind libpam-winbind libpam-krb5
>>>> libnss-winbind libsmbclient smbclient
>>>>
>>>> Then stop any samba daemons and bind9, mv smb.conf and then join the
>>>> domain as a DC:
>>>
>>> I had bind9 running during the next command without the AD-zone. BUt
>>> that should make no difference. When i joined the domain i gave the
>>> hostname in capitals (DNS1). But IMO that should make no difference
>>> either. At least it gets resolved when using the Master DC as 
>>> DNS-Server.
>>>
>>
>> Hi, I cannot confirm that whether bind was running or not makes a
>> difference, all I can say is that my DC's have been up and running since
>> August without incidents. The other question is were did you enter the
>> hostname (DNS1) on the join command, I ask this because as far as I can
>> see there is nowhere to enter it.
> Sorry, i meant when i created the A-Record in the DNS of the Master DC 
> manually i used capitals

This is what is throwing me, you shouldn't have to create the A record, 
the join should do it for you, well it always has for me.

Rowland

>
>>
>>>>
>>>> samba-tool domain join example.com DC --realm=example.com
>>>> --dns-backend=BIND9_DLZ -U administrator --password=P4ssw0rd*
>>>>
>>>> This should get the DC joined to the domain, you then start samba:
>>>>
>>>> service samba-ad-dc start
>>>>
>>>> Now configure bind9, once this is configured, you can start bind9, at
>>>> this point you should only have to make the server use itself as the
>>>> nameserver by altering /etc/resolv.conf and finally add the server to
>>>> the reverse zone (if you have created one)
>>>
>>> I did it nearly the same way, but i rechecked the DNS-Entry of the new
>>> DC before switching resolv.conf and found that it gets only resolved
>>> when using the DNS-Server on the Master DC and not on the newly
>>> created one. Do you think i can safely delete the existing records and
>>> recreate them ?
>>
>> if you hadn't changed resolv.conf before checking, then the new DC would
>> not be checked. I cannot recommend deleting the existing records, this
>> could cause more problems than it solves.
>>
>> Rowland
>>>
>>>> All the dns tests should work as expected.
>>>>
>>>> Rowland
>>>>
>>>>> I could not figure out how to finish configuring bind as a backend,
>>>>> when the keytab file and the other bind-related files get created
>>>>> after joining the domain.
>>>>> So i ran the join command first, and with the files created in this
>>>>> step, i was able to get the DC up and running...
>>>>> I had to manually create the A and CNAME records on the old DC 
>>>>> like it
>>>>> is written in the wiki in the part "Check required DNS entries of the
>>>>> new host". my guess was, that those entries should be replicated 
>>>>> later
>>>>> on to the new DC seems not to work.
>>>>> When i check the name resolving of the A record on the newly 
>>>>> joined DC
>>>>> it does not resolve whereas on the old one it works fine.
>>>>>
>>>>> AD-Domain is ad.hueper.de
>>>>> old DC is dns2.ad.hueper.de
>>>>> new DC is dns1.ad.hueper.de
>>>>>
>>>>> dns1:~# host -t A dns1.ad.hueper.de dns2.ad.hueper.de
>>>>> Using domain server:
>>>>> Name: dns2.ad.hueper.de
>>>>> Address: 192.168.0.2#53
>>>>> Aliases:
>>>>>
>>>>> dns1.ad.hueper.de has address 192.168.0.1
>>>>>
>>>>> dns1:~# host -t A dns1.ad.hueper.de dns1.ad.hueper.de
>>>>> Using domain server:
>>>>> Name: dns1.ad.hueper.de
>>>>> Address: 192.168.0.1#53
>>>>> Aliases:
>>>>>
>>>>> Host dns1.ad.hueper.de not found: 3(NXDOMAIN)
>>>>>
>>>>> When i look at the servers using RSAT DNS-Manager i can see the
>>>>> A-Record on both DNS-Servers, so i wonder why doesn't it resolve on
>>>>> the new DC ?
>>>>> Is it save to delete the A and CNAME Records and recreate them using
>>>>> RSAT ?
>>>>>
>>>>> kind regards
>>>>> Tom
>>>>>
>>>>>
>>>>>
>>>>
>>>
>>
>

More information about the samba mailing list